[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Address ping

Gilles Pietri contact+dev at gilouweb.com
Fri Apr 3 07:09:21 CEST 2020


Le 02/04/2020 à 22:38, Gilles Pietri a écrit :
> Le 02/04/2020 à 15:22, Tobias Böhm a écrit :
>> Am 02.04.2020 um 04:10 schrieb Gilles Pietri:

Hi again!

>>> B) Can we plug ourselves in somewhere to have a rule like:
>>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>>> included BEFORE the --ctstate INVALID one?
>>>
>>> I don't see any way to do that in the chain, but I may be missing something.
>>
>> There is an option to disable this rule altogether. You can set
>> "nf_conntrack_allow_invalid: 1" in the host specific config files at 
>> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
>> all of them. This directive is not visible in the panel but documented
>> and works as intended on Proxmox 5 and 6:
>> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration
> 
> Agreed (and confirmed), but that is not what I meant, there is a
> perfectly valid reason to filter those on the hosts, while allowing this
> specific echo reply to happen (especially to the VM, but that's point A
> :P), but I can't find an easy way to hook myself here.
> 

Hmm, so it appears that this option... does in fact what we want, as you
pointed out, thanks!

Then it begs the question: why does it only disable the rules in
PVEFW-FORWARD then? The name implies that it would also remove the rule
in PVEFW-HOST-IN (it doesn't), but I'm glad it doesn't in that case :P

Cheers

Gilou
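As an added example (not part of this thread), a small POSIX shell audit that reads `ip6tables-save` output and reports, per PVEFW chain, whether the `--ctstate INVALID` drop is still present and whether an ICMPv6 echo-reply ACCEPT sits ahead of it; the two rule excerpts are constructed, and their contents are an assumption about the stock ruleset, not a capture from a real node.

```shell
#!/bin/sh
# Constructed ip6tables-save excerpts (assumed shape; real PVEFW chains carry
# many more rules). DEFAULT_RULES models the stock ordering discussed above:
# the INVALID drop sits ahead of everything else in both chains, so an
# echo-reply that conntrack cannot match is dropped before any ACCEPT.
DEFAULT_RULES='*filter
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# ALLOW_INVALID_RULES models the node after nf_conntrack_allow_invalid: 1 as
# observed in the thread: the drop is gone from PVEFW-FORWARD but kept in
# PVEFW-HOST-IN.
ALLOW_INVALID_RULES='*filter
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_chain CHAIN RULES
# Walks CHAIN in save-file order and prints one of:
#   no-invalid-drop        chain never drops ctstate INVALID
#   accept-before-invalid  an ICMPv6 echo-reply ACCEPT precedes the drop
#   invalid-before-accept  the drop comes first, so such replies never pass
audit_chain() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /--icmpv6-type echo-reply/ && $0 ~ /-j ACCEPT/ && !invalid) accept = 1
            if ($0 ~ /--ctstate INVALID/ && $0 ~ /-j DROP/) invalid = 1
        }
        END {
            if (!invalid) print "no-invalid-drop"
            else if (accept) print "accept-before-invalid"
            else print "invalid-before-accept"
        }'
}

# On a live node the second argument would be "$(ip6tables-save)" instead.
for chain in PVEFW-FORWARD PVEFW-HOST-IN; do
    echo "default       $chain: $(audit_chain "$chain" "$DEFAULT_RULES")"
    echo "allow_invalid $chain: $(audit_chain "$chain" "$ALLOW_INVALID_RULES")"
done
```

Running it against the constructed samples shows the asymmetry the thread noticed: after the option is set, PVEFW-FORWARD reports no INVALID drop while PVEFW-HOST-IN still reports the drop ahead of any accept.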
