[PVE-User] PVE-firewall and multicast with linux bridging
Bryan Fields
Bryan at bryanfields.net
Sun Jun 29 10:14:28 CEST 2025
I've got somewhat of a workaround, as it needs to be applied manually each
time the firewall is reset.
The example here is for the devices I want to have this enabled on: the first
command replaces the first rule, and then the next ones insert the following
rules at position 2 in the chain.
iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP
As there's no way to exclude multiple interfaces on the iptables command, the
only way to do this is to whitelist interfaces. This should really be how
Proxmox does it, asking about connection tracking at the per-bridge
level. I do want it on some of the bridges, but on others, it needs to be
optional.
I'm frankly surprised that there's no one else who's run into this as it
appears many issues are caused by this.
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
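Added example, not part of the post above: a small POSIX shell script that generates the same per-bridge rules from a list of bridges (the first bridge replaces rule 1 of PVEFW-FORWARD, every later bridge is inserted at position 2, exactly the ordering the post uses), applies them through a configurable `IPTABLES` command so the run can be dry-run with `IPTABLES="echo iptables"`, and checks an `iptables -S PVEFW-FORWARD` listing for drift, i.e. bridges that have lost their interface-specific INVALID drop rule after the firewall was reset. The `IPTABLES` variable, the function names and the two sample listings are assumptions of this example; the sample listings are constructed and only assume that `iptables -S` prints the interface match in its short `-i` form.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, applies and verifies
# per-bridge "conntrack INVALID -> DROP" rules in PVEFW-FORWARD.
# IPTABLES is an assumption: set it to "echo iptables" for a dry run.
IPTABLES=${IPTABLES:-iptables}

# Emit the iptables arguments for each bridge, one rule per line.
# The first bridge replaces rule 1 (the generic INVALID drop), every later
# bridge is inserted at position 2, mirroring the post's command sequence.
build_rules() {
    first=1
    for br in "$@"; do
        if [ "$first" -eq 1 ]; then
            printf -- '-R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
            first=0
        else
            printf -- '-I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
        fi
    done
}

# Run every generated rule through $IPTABLES (word splitting is intended:
# the generated lines contain only plain option words).
apply_rules() {
    build_rules "$@" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $IPTABLES $line
    done
}

# Read an "iptables -S PVEFW-FORWARD" listing on stdin and report each bridge
# that has no interface-specific INVALID drop rule. Returns 0 when every
# bridge is covered, 1 when at least one is missing (drift after a reset).
check_rules() {
    listing=$(cat)
    missing=0
    for br in "$@"; do
        if ! printf '%s\n' "$listing" | grep -q -- "-i $br .*--ctstate INVALID.*-j DROP"; then
            echo "missing INVALID drop rule for $br" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample listings (assumed shape of "iptables -S" output).
# After the workaround has been applied: one rule per whitelisted bridge.
SAMPLE_APPLIED='-N PVEFW-FORWARD
-A PVEFW-FORWARD -i vmbr8 -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -i vmbr44 -m conntrack --ctstate INVALID -j DROP'
# After a firewall reset: only the generic rule the post replaces is left.
SAMPLE_RESET='-N PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP'

# Usage (dry run, then a drift check against the live ruleset):
#   IPTABLES="echo iptables" sh this.sh      # prints the commands only
#   iptables -S PVEFW-FORWARD | check_rules vmbr8 vmbr44 || apply_rules vmbr8 vmbr44
```

Running `check_rules` from cron or a post-reload hook turns the manual re-application the post describes into a detected condition rather than a silent one: when the listing only carries the generic rule, the check exits non-zero and names the bridges that lost their rule.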