[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Address ping

Gilles Pietri contact+dev at gilouweb.com
Fri Apr 3 07:09:21 CEST 2020

On 02/04/2020 at 22:38, Gilles Pietri wrote:
> On 02/04/2020 at 15:22, Tobias Böhm wrote:
>> On 02.04.2020 at 04:10, Gilles Pietri wrote:

Hi again!

>>> B) Can we plug ourselves in somewhere to have a rule like:
>>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>>> included BEFORE the --ctstate INVALID one?
>>> I don't see any way to do that in the chain, but I may be missing something.
>> There is an option to disable this rule at all. You can set
>> "nf_conntrack_allow_invalid: 1" in the host specific config files at 
>> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
>> all of them. This directive is not visible in the panel but documented
>> and works as intended on Proxmox 5 and 6:
>> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration
> Agreed (and confirmed), but that is not what I meant, there is a
> perfectly valid reason to filter those on the hosts, while allowing this
> specific echo reply to happen (especially to the VM, but that's point A
> :P), but I can't find an easy way to hook myself here.

Hmm, so it appears that this option... does in fact do what we want, as you
pointed out, thanks!

Then it begs the question... Why does it only disable the rules in
PVEFW-FORWARD then? The name implies that it would also remove the rule
in PVEFW-HOST-IN (it doesn't), but I'm glad it doesn't in that case :P
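
Two offline checks that follow from the thread above, written as an added example (this is not code from the thread, from Tobias, or from Proxmox VE). The first confirms that a host.fw file really carries `nf_conntrack_allow_invalid: 1` under `[OPTIONS]`, the key Tobias points to in the Proxmox docs. The second reads an `ip6tables-save` style dump and reports whether a `--ctstate INVALID -j DROP` rule in PVEFW-FORWARD sits ahead of any ICMPv6 echo-reply ACCEPT, which is the ordering problem Gilles describes. The sample host.fw files and rule dumps are constructed here so the script runs without a Proxmox node; the file names under the temp directory are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the mailing-list thread or of Proxmox VE.
# On a real node you would point has_allow_invalid at
# /etc/pve/nodes/<nodename>/host.fw and echo_reply_order at the output
# of "ip6tables-save". Everything below uses constructed samples.

# Exit status 0 when the [OPTIONS] section of the given host.fw file
# sets "nf_conntrack_allow_invalid: 1", 1 otherwise.
has_allow_invalid() {
    awk '
        /^\[/ { section = $0 }
        section == "[OPTIONS]" && $1 == "nf_conntrack_allow_invalid:" && $2 == "1" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints "shadowed" when, inside PVEFW-FORWARD, a "--ctstate INVALID -j DROP"
# rule comes before any ICMPv6 echo-reply ACCEPT (or there is no such
# ACCEPT at all), so an anycast echo reply never reaches the ACCEPT.
# Prints "ok" when the ACCEPT precedes the drop or no INVALID drop exists.
# ip6tables-save prints echo-reply as type 129, so both spellings match.
echo_reply_order() {
    awk '
        $1 == "-A" && $2 == "PVEFW-FORWARD" {
            n++
            if (!inv && /--ctstate INVALID/ && /-j DROP/) inv = n
            if (!rep && /--icmpv6-type (echo-reply|129)/ && /-j ACCEPT/) rep = n
        }
        END { if (inv && (!rep || inv < rep)) print "shadowed"; else print "ok" }
    ' "$1"
}

# --- constructed samples (assumed names, not real node files) -------------
SAMPLE_DIR=$(mktemp -d)

# host.fw with the option Tobias mentions
FW_WITH="$SAMPLE_DIR/with.fw"
cat > "$FW_WITH" <<'EOF'
[OPTIONS]

enable: 1
nf_conntrack_allow_invalid: 1
EOF

# host.fw without it
FW_WITHOUT="$SAMPLE_DIR/without.fw"
cat > "$FW_WITHOUT" <<'EOF'
[OPTIONS]

enable: 1
EOF

# PVEFW-FORWARD as the thread describes it: INVALID drop first
RULES_DEFAULT="$SAMPLE_DIR/default.rules"
cat > "$RULES_DEFAULT" <<'EOF'
*filter
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# The same chain with the echo-reply ACCEPT inserted ahead of the drop,
# the ordering Gilles asks for in point B
RULES_PATCHED="$SAMPLE_DIR/patched.rules"
cat > "$RULES_PATCHED" <<'EOF'
*filter
-A PVEFW-FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF

# --- run the checks against the samples ------------------------------------
for f in "$FW_WITH" "$FW_WITHOUT"; do
    if has_allow_invalid "$f"; then
        echo "$(basename "$f"): nf_conntrack_allow_invalid is enabled"
    else
        echo "$(basename "$f"): nf_conntrack_allow_invalid is NOT enabled"
    fi
done
echo "default.rules: echo-reply is $(echo_reply_order "$RULES_DEFAULT")"
echo "patched.rules: echo-reply is $(echo_reply_order "$RULES_PATCHED")"
```

Because pve-firewall regenerates its chains from the config files, a rule inserted by hand ahead of the INVALID drop does not survive a reload; the second check is therefore most useful as a post-reload audit of what the generated ruleset actually contains.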


