[pve-devel] applied: [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Jul 10 14:54:41 CEST 2024
On June 10, 2024 2:52 pm, Stefan Hanreich wrote:
> There are certain ICMP messages that should always pass through a
> firewall regardless of any other rules. This is particularly
> important for ICMPv6. While we already handled NDP, there are certain
> control messages that should always be able to pass through any
> firewall, according to RFC 4890.
>
> For ICMP we additionally allow 'Source Quench' as well.
>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> While Source Quench is deprecated, there might be niche use cases
> using it, and allowing it shouldn't really hurt, so I've thrown it into
> the mix as well.
>
> .../resources/proxmox-firewall.nft | 22 +++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
> index 537ba88..ea2cd7d 100644
> --- a/proxmox-firewall/resources/proxmox-firewall.nft
> +++ b/proxmox-firewall/resources/proxmox-firewall.nft
> @@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out
> add chain inet proxmox-firewall block-ndp-out
> add chain inet proxmox-firewall block-conntrack-invalid
> add chain inet proxmox-firewall block-smurfs
> +add chain inet proxmox-firewall allow-icmp
> add chain inet proxmox-firewall log-drop-smurfs
> add chain inet proxmox-firewall default-in
> add chain inet proxmox-firewall default-out
> @@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out
> add chain bridge proxmox-firewall-guests block-ndp-out
> add chain bridge proxmox-firewall-guests allow-ra-out
> add chain bridge proxmox-firewall-guests block-ra-out
> +add chain bridge proxmox-firewall-guests allow-icmp
> add chain bridge proxmox-firewall-guests do-reject
> add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;}
> add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;}
> @@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out
> flush chain inet proxmox-firewall block-ndp-out
> flush chain inet proxmox-firewall block-conntrack-invalid
> flush chain inet proxmox-firewall block-smurfs
> +flush chain inet proxmox-firewall allow-icmp
> flush chain inet proxmox-firewall log-drop-smurfs
> flush chain inet proxmox-firewall default-in
> flush chain inet proxmox-firewall default-out
> @@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out
> flush chain bridge proxmox-firewall-guests block-ndp-out
> flush chain bridge proxmox-firewall-guests allow-ra-out
> flush chain bridge proxmox-firewall-guests block-ra-out
> +flush chain bridge proxmox-firewall-guests allow-icmp
> flush chain bridge proxmox-firewall-guests do-reject
> flush chain bridge proxmox-firewall-guests vm-out
> flush chain bridge proxmox-firewall-guests vm-in
> @@ -175,9 +179,16 @@ table inet proxmox-firewall {
> drop
> }
>
> + chain allow-icmp {
> + icmp type { destination-unreachable, source-quench, time-exceeded } accept
> + # based on RFC 4890 - NDP is handled separately
> + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
> + }
> +
> chain default-in {
> iifname "lo" accept
>
> + jump allow-icmp
> ct state related,established accept
>
> meta l4proto igmp accept
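Review bot: the `jump allow-icmp` in `default-in` is placed before `ct state related,established accept`, so the listed ICMP/ICMPv6 types are accepted without any conntrack check, including packets conntrack would classify as invalid; since that is the stated intent, a one-line comment above the jump saying so would keep a later reader from "fixing" the ordering. Also, the chain comment cites RFC 4890, but the rule accepts every code of `time-exceeded` and `parameter-problem`, whereas RFC 4890 section 4.3.1 lists only Time Exceeded code 0 and Parameter Problem codes 1 and 2 as must-not-drop; either add an `icmpv6 code` match or state in the comment that all codes are accepted deliberately.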
> @@ -185,8 +196,6 @@ table inet proxmox-firewall {
> tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management
> udp dport 5405-5412 accept
>
> - meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept
> -
> # Drop Microsoft SMB noise
> udp dport { 135, 137-139, 445 } goto do-reject
> udp sport 137 udp dport 1024-65535 goto do-reject
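Review bot: the removed rule covered only `destination-unreachable` and `time-exceeded` and sat after the management-port rules; its replacement in `allow-icmp` additionally accepts `source-quench` and runs before the conntrack checks. Source Quench is deprecated by RFC 6633, which requires hosts to ignore it, so accepting it is harmless on current kernels, but the chain should carry the rationale from the cover letter (kept for legacy senders) rather than leaving the next reader to wonder why a deprecated type is whitelisted.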
> @@ -203,6 +212,7 @@ table inet proxmox-firewall {
> chain default-out {
> oifname "lo" accept
>
> + jump allow-icmp
> ct state vmap { invalid : drop, established : accept, related : accept }
> }
>
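Review bot: in `default-out` the jump sits ahead of `ct state vmap { invalid : drop, ... }`, so outbound ICMP errors of the listed types bypass the `invalid : drop` entry. That mirrors `default-in`, but since this chain also carries errors the host itself generates, please confirm the bypass is intended here as well and note it in a comment next to the jump.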
> @@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests {
> icmpv6 type { nd-router-advert, nd-redirect } drop
> }
>
> + chain allow-icmp {
> + icmp type { destination-unreachable, source-quench, time-exceeded } accept
> + # based on RFC 4890 - NDP is handled separately
> + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
> + }
> +
> chain do-reject {
> meta pkttype broadcast drop
> ip saddr 224.0.0.0/4 drop
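Review bot: this `allow-icmp` chain is a verbatim copy of the one added to `table inet proxmox-firewall` earlier in the patch. nftables chains are table-scoped, so the duplication is unavoidable, but the two type sets will drift unless each comment points at its twin or the type lists are lifted into a shared nft `define` that both chains reference.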
> @@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests {
>
> chain vm-out {
> type filter hook prerouting priority 0; policy accept;
> + jump allow-icmp
> ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
> iifname vmap @vm-map-out
> }
>
> chain vm-in {
> type filter hook postrouting priority 0; policy accept;
> + jump allow-icmp
> ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
> ether type arp accept
> oifname vmap @vm-map-in
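Review bot: in `vm-out` and `vm-in` the `jump allow-icmp` runs before `iifname vmap @vm-map-out` / `oifname vmap @vm-map-in`, so the per-guest chains reached through those vmaps never see the listed ICMP types, and a guest-level rule that drops them has no effect. That is what the commit message asks for (pass regardless of any other rules), but it is a user-visible behaviour change for the guest firewall and should be called out in the documentation and changelog.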
> --
> 2.39.2