[pve-devel] [PATCH pve-firewall 3/3] remove -m conntrack --ctstate INVALID from PVEFW-Drop/PVEFW-Reject chains

Alexandre Derumier aderumier at odiso.com
Fri Feb 15 10:48:03 CET 2019


We already check for INVALID conntrack state at the top of the ruleset, so the per-chain match is redundant.
---
 src/PVE/Firewall.pm | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7890b51..8e057be 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -583,8 +583,6 @@ $pve_std_chains_conf->{4} = {
 	# ACCEPT critical ICMP types
 	{ action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
 	{ action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
-	# Drop packets with INVALID state
-	{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
 	# Drop Microsoft SMB noise
 	{ action => 'DROP', proto => 'udp', dport => '135,445' },
 	{ action => 'DROP', proto => 'udp', dport => '137:139' },
@@ -606,8 +604,6 @@ $pve_std_chains_conf->{4} = {
 	# ACCEPT critical ICMP types
 	{ action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
 	{ action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
-	# Drop packets with INVALID state
-	{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
 	# Drop Microsoft SMB noise
 	{ action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
 	{ action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
@@ -679,8 +675,6 @@ $pve_std_chains_conf->{6} = {
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
-	# Drop packets with INVALID state
-	{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
 	# Drop Microsoft SMB noise
 	{ action => 'DROP', proto => 'udp', dport => '135,445' },
 	{ action => 'DROP', proto => 'udp', dport => '137:139'},
@@ -703,8 +697,6 @@ $pve_std_chains_conf->{6} = {
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
 	{ action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
-	# Drop packets with INVALID state
-	{ action => 'DROP', match => '-m conntrack --ctstate INVALID', },
 	# Drop Microsoft SMB noise
 	{ action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
 	{ action => 'PVEFW-reject', proto => 'udp', dport => '137:139' },
-- 
2.11.0


