[pve-devel] hetzner bug with pve-firewall

alexandre derumier aderumier at odiso.com
Fri Sep 10 12:31:17 CEST 2021


Hi,

multiple users have reported problems with hetzner in bridged mode this
week and pve-firewall
https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/
https://forum.proxmox.com/threads/mac-address-abuse-report.95656/

Seem that hetzner have bugs or are under attack, but they are flooding
traffic to proxmox nodes with wrong mac/ip destination.

The problem is that if users use pve-firewall with reject rules, the
RST packet is send with the wrong mac/ip as source,

and then hertzner is blocking the server of the users ....


I'm looking to see if we could add filtering at ebtables level, to drop
wrong mac destination.

But they are also another problem, if user use DROP as default action,
 we have a default REJECT for whois port 53.

'PVEFW-Drop' => [
   # same as shorewall 'Drop', which is equal to DROP,
   # but REJECT/DROP some packages to reduce logging,
   # and ACCEPT critical ICMP types
   { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, #
REJECT 'auth'

Does somebody known why we do a reject here ?  could it be change to
drop ?






More information about the pve-devel mailing list