[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Adress ping

Gilles Pietri contact+dev at gilouweb.com
Thu Apr 2 22:38:32 CEST 2020

Le 02/04/2020 à 15:22, Tobias Böhm a écrit :
> Am 02.04.2020 um 04:10 schrieb Gilles Pietri:
> Hi,
> just stumbled across this rule as well, although in an IPv4 related
> issue.
>> A) Is it expected that such a rule be enabled for VM bridges, when
>> firewall is disabled for the VM?
> This rule is always there when PVE-Firewall is enabled for the cluster.


It is, but should it be? It seemed to me that Datacenter rules were
meant to apply to hosts, not VMs ?
Because this means even though I disable the firewall on the VM, there
IS a firewall still filtering!

>> B) Can we plug ourself in somewhere to have a rule like:
>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>> included BEFORE the --ctstate INVALID one?
>> I don't see any way to do that in the chain, but I may be missing something.
> There is an option to disable this rule at all. You can set
> "nf_conntrack_allow_invalid: 1" in the host specific config files at 
> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
> all of them. This directive is not visible in the panel but documented
> and works as intended on Proxmox 5 and 6:
> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration

Agreed (and confirmed), but that is not what I meant, there is a
perfectly valid reason to filter those on the hosts, while allowing this
specific echo reply to happen (especially to the VM, but that's point A
:P), but I can't find an easy way to hook myself here.

> Happy pinging,
> Tobias

Thanks for the feedback!

More information about the pve-user mailing list