[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Address ping
Gilles Pietri
contact+dev at gilouweb.com
Thu Apr 2 22:38:32 CEST 2020
On 02/04/2020 at 15:22, Tobias Böhm wrote:
> On 02.04.2020 at 04:10, Gilles Pietri wrote:
> Hi,
>
> just stumbled across this rule as well, although in an IPv4 related
> issue.
>
>> A) Is it expected that such a rule be enabled for VM bridges, when
>> firewall is disabled for the VM?
>
> This rule is always there when PVE-Firewall is enabled for the cluster.
Hi,
It is, but should it be? It seemed to me that Datacenter rules were
meant to apply to hosts, not VMs?
Because this means that even though I disable the firewall on the VM, there
IS a firewall still filtering!
>
>> B) Can we plug ourselves in somewhere to have a rule like:
>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>> included BEFORE the --ctstate INVALID one?
>>
>> I don't see any way to do that in the chain, but I may be missing something.
>
> There is an option to disable this rule at all. You can set
> "nf_conntrack_allow_invalid: 1" in the host specific config files at
> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
> all of them. This directive is not visible in the panel but documented
> and works as intended on Proxmox 5 and 6:
> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration
Agreed (and confirmed), but that is not what I meant: there is a
perfectly valid reason to filter those on the hosts while allowing this
specific echo reply to happen (especially to the VM, but that's point A
:P), but I can't find an easy way to hook myself in here.
>
> Happy pinging,
> Tobias
Thanks for the feedback!
Gilles
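The two mechanisms discussed in this thread, the ordering of the conntrack INVALID drop in PVEFW-FORWARD and the nf_conntrack_allow_invalid option in a node's host.fw, as an added example that is not part of the original posts and not Proxmox code. It works on constructed text (a chain dump in the shape of ip6tables-save output and a small host.fw) so it runs offline; the exact spelling of the generated rules, the sample host.fw contents and the helper names (rule_index, echo_reply_verdict, allow_invalid_hostfw) are assumptions for illustration. On a real node you would feed it `ip6tables-save -t filter` and /etc/pve/nodes/<nodename>/host.fw, and note that pve-firewall regenerates its chains, so a manually inserted ACCEPT does not survive the next reload, which is why the host.fw option is the supported knob.

```shell
#!/bin/sh
# Added example, not Proxmox code. Audits a PVEFW-FORWARD chain dump for the
# ordering problem discussed in the thread and prepares the documented
# host.fw workaround. Everything below runs on constructed text so it works
# offline; on a node you would pipe in `ip6tables-save -t filter` and
# /etc/pve/nodes/<nodename>/host.fw instead.

# Constructed sample of the forward chain as pve-firewall generates it: the
# conntrack INVALID drop comes first, so an ICMPv6 echo-reply that never
# matched a conntrack entry is gone before the later ACCEPT is reached.
# (The exact rule spelling is assumed, modelled on the thread, not copied
# from a real node.)
SAMPLE_RULES='-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT'

# Same chain as it would look with nf_conntrack_allow_invalid: 1 in effect
# (constructed: the INVALID drop is simply absent).
SAMPLE_RULES_ALLOW_INVALID='-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT'

# rule_index RULES CHAIN PATTERN: 1-based position of the first rule in CHAIN
# whose text matches the awk regex PATTERN, or 0 if there is none.
rule_index() {
    printf '%s\n' "$1" | awk -v chain="$2" -v pat="$3" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ pat) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

invalid_drop_index() { rule_index "$1" PVEFW-FORWARD '--ctstate INVALID -j DROP'; }

# Accept either the symbolic name or the numeric type, because
# ip6tables-save prints echo-reply as "--icmpv6-type 129".
echo_reply_accept_index() {
    rule_index "$1" PVEFW-FORWARD '--icmpv6-type (echo-reply|129) .*-j ACCEPT'
}

# echo_reply_verdict RULES: what happens to an echo-reply that conntrack has
# flagged INVALID, given only the chain order.
echo_reply_verdict() {
    drop=$(invalid_drop_index "$1")
    accept=$(echo_reply_accept_index "$1")
    if [ "$drop" -eq 0 ]; then
        echo no-invalid-drop
    elif [ "$accept" -gt 0 ] && [ "$accept" -lt "$drop" ]; then
        echo accepted-before-drop
    else
        echo dropped-as-invalid
    fi
}

# Constructed host.fw for one node (the real file lives in pmxcfs at
# /etc/pve/nodes/<nodename>/host.fw and must be edited there, on every node).
SAMPLE_HOSTFW='[OPTIONS]
enable: 1

[RULES]
IN SSH(ACCEPT) -source 192.0.2.0/24'

# allow_invalid_hostfw CONTENT: print CONTENT with nf_conntrack_allow_invalid: 1
# set exactly once in [OPTIONS], replacing any existing value and creating the
# section if the file has none. Idempotent, so it is safe to re-run.
allow_invalid_hostfw() {
    printf '%s\n' "$1" | awk '
        /^\[OPTIONS\]/ { print; print "nf_conntrack_allow_invalid: 1"; done = 1; in_opt = 1; next }
        /^\[/ { in_opt = 0 }
        in_opt && /^nf_conntrack_allow_invalid:/ { next }
        { print }
        END { if (!done) { print "[OPTIONS]"; print "nf_conntrack_allow_invalid: 1" } }'
}

# Stand-alone run: verdict for both samples, then the rewritten host.fw.
echo "generated chain:        $(echo_reply_verdict "$SAMPLE_RULES")"
echo "with allow_invalid set: $(echo_reply_verdict "$SAMPLE_RULES_ALLOW_INVALID")"
allow_invalid_hostfw "$SAMPLE_HOSTFW"
```

The verdict function only looks at rule order, which is the whole point of the thread: with the generated chain the echo-reply ACCEPT sits after the INVALID drop and never matches, while disabling the drop via host.fw removes the rule altogether rather than reordering it. Setting nf_conntrack_allow_invalid also stops the host from discarding any other INVALID traffic in that chain, which is the trade-off Gilles objects to above.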