[pve-devel] [PATCH docs] network: add note for possible fix/workaround in NAT setup

Alexandre DERUMIER aderumier at odiso.com
Mon Feb 10 13:15:52 CET 2020


Hi,

>> apparently sometimes users have problems reaching outside internet with some network setups

If NAT is used, it's really needed to get the firewall working.

This is because, without a different conntrack zone, the NAT is not evaluated.
(I don't remember exactly, but it's not going to the prerouting/postrouting without it.)

Maybe in the future it could be great to add NAT feature support to the firewall (like this we could also add this config).


----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "Stoiko Ivanov" <s.ivanov at proxmox.com>, "Oguz Bektas" <o.bektas at proxmox.com>
Sent: Monday, 10 February 2020 11:47:28
Subject: Re: [pve-devel] [PATCH docs] network: add note for possible fix/workaround in NAT setup

On 2/5/20 5:14 PM, Stoiko Ivanov wrote: 
> On Wed, 5 Feb 2020 15:57:13 +0100 
> Oguz Bektas <o.bektas at proxmox.com> wrote: 
> 
>> apparently sometimes users have problems reaching outside internet with 
>> some network setups. this is the workaround a user suggested that 
>> we should add in the wiki. 
> 
> Thanks for the initiative - that does come up indeed every now and then in 
> our various support channels (and it usually takes me quite a while to 
> find the trustworthy forum-post by Alexandre (Thanks!!), which I quote on 
> that ;) 
> 
> As an optional suggestion: I would try to add some more
> rationale, as to why users should put those iptables rules in their
> firewall - (maybe: due to the way packets are processed
> by netfilter and the rules created by pve-firewall?) - Also the following
> could be worth linking in the docs (or mentioning in the commit-message):

I agree with adding some rationale, Oguz, can you please followup on that in 
a timely manner, thanks! :) 

> 
> [0] https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg 
> [1] https://lwn.net/Articles/370152/ (patch from 2010 on netdev-list 
> introducing the conntrack zones) 
> [2] https://blog.lobraun.de/2019/05/19/prox/ (a blog post with a good 
> explanation, by using the TRACE target in the raw table) 
> [3] https://forum.proxmox.com/threads/firewall-stops-vm-ct-communication-also-have-to-reboot-to-fix.59811/#post-275921
> (the forum post I usually quote on those issues)
> 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
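Added example, not code from this thread nor from the docs patch it discusses: a small POSIX shell script that prints a Proxmox-style masquerading stanza for /etc/network/interfaces in its plain form and in the form with the conntrack-zone workaround, and checks an `iptables-save -t raw` dump for that rule. The raw-table rule form used here (`iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1`, where `fwbr+` matches the per-VM firewall bridges pve-firewall inserts in front of VM interfaces) is the form I assume the thread refers to; it is the one the current Proxmox VE admin guide shows in its masquerading section. The bridge, address, subnet and uplink names and the two iptables-save dumps are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from Proxmox: emit the two
# variants of a Proxmox-style masquerading stanza for /etc/network/interfaces
# (without and with the conntrack-zone workaround) and check an
# `iptables-save -t raw` dump for the workaround rule.
# Bridge, address, subnet and uplink names below are constructed sample values.

# nat_stanza BRIDGE ADDRESS/CIDR SUBNET/CIDR UPLINK [yes|no]
# Prints the bridge stanza. With "yes" as 5th argument it appends the raw-table
# CT rule that moves traffic arriving on the pve-firewall bridges (fwbr+) into
# conntrack zone 1, so that the MASQUERADE rule in nat/POSTROUTING is reached
# even when pve-firewall is enabled (the point Alexandre makes in the thread).
nat_stanza() {
    bridge=$1 addr=$2 subnet=$3 uplink=$4 with_zone=${5:-no}
    printf 'auto %s\n' "$bridge"
    printf 'iface %s inet static\n' "$bridge"
    printf '        address %s\n' "$addr"
    printf '        bridge-ports none\n'
    printf '        bridge-stp off\n'
    printf '        bridge-fd 0\n'
    printf '\n'
    printf '        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    printf '        post-up   iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$uplink"
    printf '        post-down iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$uplink"
    if [ "$with_zone" = yes ]; then
        printf '        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1\n'
        printf '        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1\n'
    fi
}

# has_ct_zone_rule: read an `iptables-save -t raw` dump on stdin; exit 0 when a
# PREROUTING rule assigns a conntrack zone to the fwbr+ interfaces, 1 otherwise.
has_ct_zone_rule() {
    grep -Eq '^-A PREROUTING .*-i fwbr\+ .*-j CT --zone [0-9]+'
}

# Constructed dumps in iptables-save format: the first is a host without the
# workaround, the second has it applied.
RAW_DUMP_WITHOUT='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

RAW_DUMP_WITH='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT'

# check_dump NAME DUMP: report whether the workaround rule is present in DUMP.
check_dump() {
    if printf '%s\n' "$2" | has_ct_zone_rule; then
        echo "$1: conntrack-zone rule present, MASQUERADE in nat/POSTROUTING will be reached"
    else
        echo "$1: no conntrack-zone rule; with pve-firewall enabled, outgoing NAT may be skipped"
    fi
}

echo "### stanza without workaround"
nat_stanza vmbr0 10.10.10.1/24 10.10.10.0/24 eno1
echo
echo "### stanza with workaround"
nat_stanza vmbr0 10.10.10.1/24 10.10.10.0/24 eno1 yes
echo
check_dump "sample A" "$RAW_DUMP_WITHOUT"
check_dump "sample B" "$RAW_DUMP_WITH"
```

Run it with `sh` to see both stanzas side by side. On a real host, piping `iptables-save -t raw` into `has_ct_zone_rule` after boot is a quick check that the raw-table rule from the post-up hook is actually installed before concluding that the firewall is the reason outgoing NAT fails.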



More information about the pve-devel mailing list