[PVE-User] Solved: Firewall Filter ICMP types and connection limiting

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Feb 5 08:19:52 CET 2020

On February 5, 2020 2:35 am, Bryan Fields wrote:
> On 2/1/20 11:47 PM, Bryan Fields wrote:
>> greetings,
>> I have a policy in iptables for forwarded traffic below:
>> iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
>> icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
>> iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
>> --protocol icmp --icmp-type echo-request
>> I've attempted to set this up in the gui, but there's no option to add the
>> ICMP type, only IP type, and nothing for the match option.  If I add this in
>> the config file, it's deleted upon the next time I look at it.
> I've found the following to be true with Proxmox:
> 1. The ICMP type can be put as text or numeric in the port field.
>      this is undocumented, but it is in the code at:
>      /usr/share/perl5/PVE/Firewall.pm

yes, that should probably be handled with better regards to usability ;)

> 2. ProxMox will respect any filters already loaded in ip/ip6tables.
>      This is really nice and props to the guys that coded this.
> As an example:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> PVEFW-INPUT  all  --  
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> PVEFW-FORWARD  all  --  
> By default Proxmox will jump all traffic input into PVEFW-INPUT, and then
> chain its stuff off there.  When installing/resetting/deleting/etc. Proxmox
> managed entries it does it all in its own chain.  This means we can hook into
> it by making our own chain and installing it before it.  As Proxmox will not
> mess with this non-managed chain we can do anything we want in it, and so long
> as we don't do a drop all, traffic will flow into the Proxmox chains.
> What I did was to create a /etc/pve/localfirewall.sh script (is there a better
> place to put this?) and call it upon boot from /etc/network/interfaces:

if you have a cluster and want to sync it across the whole cluster, then 
you can put it into /etc/pve. that file system does have file size 
limits though and only comes up after networking, so if you don't need 
it, you might be better off putting it somewhere local (e.g., somewhere 
else in /etc).

> auto vmbr44
> iface vmbr44 inet manual
> 	bridge_ports eth0.41
> 	bridge_stp off
> 	bridge_fd 0
> 	up bash /etc/pve/localfirewall.sh
> I've attached my script for reference.
> Is there anything I'm missing here about this being a non-good solution?
> If not, I'd like to add this on the wiki, how does one go about getting an
> account?

if you need a wiki account, you can contact office at proxmox.com (we 
closed public registration because of spam). most of the documentation 
now lives in the admin guide[1] though, so it might be more worthwhile 
to generalize it and send a patch for inclusion to pve-devel[2]. the 
reference docs/admin guide is shipped with every installation, and 
heavily linked to from the web interface so lots more people read it :)

1: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall
2: https://pve.proxmox.com/wiki/Developer_Documentation
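As an added illustration of the approach discussed above (this is not Bryan's attached script, which is not part of the archived message, nor Proxmox code): an idempotent hook script that creates its own, non-PVE-managed chain, inserts the jump at position 1 of INPUT ahead of PVEFW-INPUT, and puts the echo-request rate limit from the original iptables policy into that chain. The chain name LOCAL-INPUT, the default interface vmbr44 for INET_IF, and the "apply" argument are assumptions made here for the example.

```shell
#!/bin/sh
# Hypothetical /etc/pve/localfirewall.sh (constructed example). Safe to run on
# every "up" of the interface: every step checks first and only adds what is
# missing, so repeated runs do not duplicate rules.
set -eu

INET_IF="${INET_IF:-vmbr44}"     # assumption: the Internet-facing interface
CHAIN="${CHAIN:-LOCAL-INPUT}"    # assumption: name of our own, unmanaged chain
IPT="${IPT:-iptables}"           # point at ip6tables for the IPv6 variant

# chain_exists NAME: succeeds if the chain exists in the filter table
chain_exists() { "$IPT" -t filter -n -L "$1" >/dev/null 2>&1; }

# rule_exists RULE...: succeeds if an identical rule is already loaded (-C)
rule_exists() { "$IPT" -t filter -C "$@" >/dev/null 2>&1; }

# add_rule RULE...: append the rule unless it is already present
add_rule() { rule_exists "$@" || "$IPT" -t filter -A "$@"; }

# ping_limit_rules: the original policy (accept 4/s with burst 3, log and drop the rest)
ping_limit_rules() {
  add_rule "$CHAIN" -i "$INET_IF" -p icmp --icmp-type echo-request \
      -m limit --limit 4/s --limit-burst 3 -j ACCEPT
  # the log line is rate-limited separately so a ping flood cannot flood syslog
  add_rule "$CHAIN" -i "$INET_IF" -p icmp --icmp-type echo-request \
      -m limit --limit 1/min -j LOG --log-prefix "local-fw icmp drop: "
  add_rule "$CHAIN" -i "$INET_IF" -p icmp --icmp-type echo-request -j DROP
}

# install_local_chain: create the chain, hook it in before PVEFW-INPUT, fill it
install_local_chain() {
  chain_exists "$CHAIN" || "$IPT" -t filter -N "$CHAIN"
  # position 1 in INPUT: evaluated before the PVEFW-INPUT jump that Proxmox adds
  rule_exists INPUT -j "$CHAIN" || "$IPT" -t filter -I INPUT 1 -j "$CHAIN"
  ping_limit_rules
  # no terminal ACCEPT/DROP for other traffic: it falls through to the PVE chains
}

# only touch the kernel when explicitly asked, e.g. from /etc/network/interfaces
case "${1:-}" in
  apply) install_local_chain ;;
esac
```

With this layout the interfaces stanza becomes `up bash /etc/pve/localfirewall.sh apply` (or a path under /etc, which avoids the /etc/pve mount-order caveat from the reply above). For IPv6 the same chain logic applies with IPT=ip6tables, but the match has to be written as `-p icmpv6 --icmpv6-type echo-request`.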
