[PVE-User] Ceph and firewalling

Thomas Lamprecht t.lamprecht at proxmox.com
Thu May 9 11:10:46 CEST 2019

On 5/9/19 10:09 AM, Mark Schouten wrote:
> On Thu, May 09, 2019 at 07:53:50AM +0200, Alexandre DERUMIER wrote:
>> But to really be sure to not have the problem anymore :
>> add in /etc/sysctl.conf
>> net.netfilter.nf_conntrack_tcp_be_liberal = 1
> This is very useful info. I'll create a bug for Proxmox, so they can
> consider it to set this in pve-firewall, which seems a good default if
> you ask me.

IMO this is not a sensible default, it makes conntrack almost void:

>	nf_conntrack_tcp_be_liberal - BOOLEAN
>		[...]
>		If it's non-zero, we mark *only out of window RST segments* as INVALID.

The more relevant flag, nf_conntrack_tcp_loose (If it is set to zero,
we disable picking up already established connections) is already on
(non-zero) by default.

The issue you ran into, where pve-cluster (pmxcfs) was upgraded and
restarted and pve-firewall thought that the user deleted all rules and
thus flushed them, is already fixed for most common cases (package
upgrade and normal restart of pve-cluster), so this shouldn't be an
issue with pve-firewall in version 3.0-20.

But, Stoiko offered to re-take a look at this and try doing additional
error handling if the fw config read fails (as in pmxcfs not mounted)
and keep the current rules untouched in this case (i.e., no remove,
no add), or maybe also moving the management rules above the conntrack,
but we need to take a close look here to ensure this has no unintended
side effects.
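The failure mode discussed in this message (a config read that fails because pmxcfs is not mounted being mistaken for "the user deleted all rules") comes down to keeping "config unavailable" distinct from "config present but empty". The following is an added illustration of that fail-safe reload logic; it is not pve-firewall's code, and the `rules` file name, the rule line format, the `memory_opener` stand-in for `open()` and the `/x` config path are constructed for the example (the real pmxcfs mount point is /etc/pve, but nothing here reads it).

```python
"""Fail-safe firewall reload: added example, not pve-firewall's own code.

Models the failure mode from the thread: when the config store (pmxcfs) is
unreachable, a config read must be treated as "unknown", not as "the user
deleted all rules". Only a readable, empty config means "flush". The file
name 'rules' and the rule format are constructed for this example.
"""
import io
import os


class ConfigUnavailable(Exception):
    """The config store cannot be read right now (e.g. not mounted)."""


def read_rules(config_dir, mount_check=os.path.ismount, opener=open):
    """Return rule lines from <config_dir>/rules, or raise ConfigUnavailable.

    Three outcomes are kept distinct on purpose:
      - store not mounted / I/O error  -> raise ConfigUnavailable
      - store mounted, no rules file   -> [] (legitimately empty)
      - store mounted, rules present   -> list of non-comment lines
    """
    if not mount_check(config_dir):
        raise ConfigUnavailable(f"{config_dir} is not mounted")
    path = os.path.join(config_dir, "rules")
    try:
        with opener(path) as fh:
            return [ln.strip() for ln in fh
                    if ln.strip() and not ln.lstrip().startswith("#")]
    except FileNotFoundError:
        return []                      # store is up, simply no rules defined
    except OSError as exc:
        raise ConfigUnavailable(str(exc)) from exc


def plan_update(current_rules, read_fn):
    """Decide what to do with the live ruleset.

    Returns ("keep", current) when the config is unavailable: no remove, no add.
    Returns ("replace", desired) otherwise, including an empty 'desired' when
    the store is up and really contains no rules.
    """
    try:
        desired = read_fn()
    except ConfigUnavailable:
        return ("keep", list(current_rules))
    return ("replace", desired)


def diff_rules(current, desired):
    """(to_delete, to_add) needed to move from current to desired, order-insensitive."""
    cur, want = set(current), set(desired)
    return sorted(cur - want), sorted(want - cur)


def memory_opener(files):
    """Constructed stand-in for open(): serves text from a dict, else FileNotFoundError."""
    def _open(path):
        if path not in files:
            raise FileNotFoundError(path)
        return io.StringIO(files[path])
    return _open


if __name__ == "__main__":
    live = ["IN ACCEPT -p tcp --dport 22", "IN ACCEPT -p tcp --dport 8006"]

    # Constructed scenario 1: pmxcfs restarting, mount gone -> keep everything.
    print(plan_update(live, lambda: read_rules(
        "/x", mount_check=lambda p: False)))

    # Constructed scenario 2: store up, no rules file -> flushing is correct.
    print(plan_update(live, lambda: read_rules(
        "/x", mount_check=lambda p: True, opener=memory_opener({}))))

    # Constructed scenario 3: store up, rules present -> compute the delta.
    store = memory_opener({"/x/rules": "# comment\nIN ACCEPT -p tcp --dport 22\n"})
    action, desired = plan_update(live, lambda: read_rules(
        "/x", mount_check=lambda p: True, opener=store))
    print(action, diff_rules(live, desired))
```

The key design choice is that `read_rules` never returns an empty list on an error path: an unreachable store raises, and only a mounted store with no rules file yields `[]`. `plan_update` then turns that exception into an explicit "keep" so the live rules are neither removed nor re-added while the store is away.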


More information about the pve-user mailing list