[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Address ping

Tobias Böhm tb at robhost.de
Thu Apr 2 15:22:10 CEST 2020


On 02.04.2020 at 04:10, Gilles Pietri wrote:
Hi,

just stumbled across this rule as well, although in an IPv4 related
issue.

> A) Is it expected that such a rule be enabled for VM bridges, when
> firewall is disabled for the VM?

This rule is always there when PVE-Firewall is enabled for the cluster.

> B) Can we plug ourselves in somewhere to have a rule like:
> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
> included BEFORE the --ctstate INVALID one?
> 
> I don't see any way to do that in the chain, but I may be missing something.

There is an option to disable this rule at all. You can set
"nf_conntrack_allow_invalid: 1" in the host specific config files at 
/etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
all of them. This directive is not visible in the panel but documented
and works as intended on Proxmox 5 and 6:
https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration

Happy pinging,
Tobias


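A worked version of the fix Tobias describes, added here as an example and not part of the thread or of the Proxmox project's own tooling: a POSIX shell helper that writes `nf_conntrack_allow_invalid: 1` into the `[OPTIONS]` section of every `/etc/pve/nodes/<nodename>/host.fw`, creating the file or the section when missing and leaving existing `[RULES]` untouched. The `PVE_NODES_DIR` override, the function names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Proxmox project): idempotently set
# nf_conntrack_allow_invalid: 1 in the [OPTIONS] section of each node's host.fw.
# PVE_NODES_DIR (assumed name) defaults to the real path; point it at a copy to test.
PVE_NODES_DIR="${PVE_NODES_DIR:-/etc/pve/nodes}"

# set_allow_invalid FILE: ensure FILE carries nf_conntrack_allow_invalid: 1 under [OPTIONS]
set_allow_invalid() {
    f="$1"
    if [ ! -f "$f" ]; then
        # No host.fw yet: create one with only the option we need
        printf '[OPTIONS]\nnf_conntrack_allow_invalid: 1\n' > "$f"
        return 0
    fi
    if grep -q '^nf_conntrack_allow_invalid:' "$f"; then
        # Key present (maybe set to 0): rewrite it in place
        sed -i 's/^nf_conntrack_allow_invalid:.*/nf_conntrack_allow_invalid: 1/' "$f"
    elif grep -q '^\[OPTIONS\]' "$f"; then
        # Section present, key missing: append the key right after the header
        sed -i '/^\[OPTIONS\]/a nf_conntrack_allow_invalid: 1' "$f"
    else
        # No [OPTIONS] section at all: prepend one so existing [RULES] keep their place
        tmp=$(mktemp)
        printf '[OPTIONS]\nnf_conntrack_allow_invalid: 1\n\n' > "$tmp"
        cat "$f" >> "$tmp"
        cat "$tmp" > "$f"
        rm -f "$tmp"
    fi
}

# allow_invalid_value FILE: print the configured value, or "unset" if the key is absent
allow_invalid_value() {
    v=$(sed -n 's/^nf_conntrack_allow_invalid:[[:space:]]*//p' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# apply_all: walk every node directory, since the option is per host and the
# thread points out you want it on all nodes
apply_all() {
    for d in "$PVE_NODES_DIR"/*/; do
        [ -d "$d" ] || continue
        set_allow_invalid "${d}host.fw"
    done
}
```

Run `apply_all` as root on one cluster node; `/etc/pve` is the cluster file system, so the edited files are replicated to the other nodes and pve-firewall picks the change up on its next configuration reload. Keep in mind what the option does: it stops the firewall from dropping packets that conntrack classifies as INVALID, so anything that relied on that drop now has to be covered by your explicit rules.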