From: Lorenz Stechauner <l.stechauner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu,  5 Aug 2021 12:59:03 +0200
Message-Id: <20210805105903.765052-1-l.stechauner@proxmox.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pve-devel] [PATCH firewall] fix #2721: remove reject tcp 43 from
 default drop and reject actions

first, '43' is a typo, it should say '113' (if it really is like
legacy shorewall [0]). this tcp port corresponds to the ident or
authentication service protocol.

second, nowadays this reject is not included in shorewall anymore.
furthermore it would make no sense to reject specifically this
one port.

[0] https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/action.Drop#L66
    https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/Macros/macro.Auth

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 src/PVE/Firewall.pm | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index fc5c077..edc5336 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -592,7 +592,6 @@ $pve_std_chains_conf->{4} = {
 	# same as shorewall 'Drop', which is equal to DROP,
 	# but REJECT/DROP some packages to reduce logging,
 	# and ACCEPT critical ICMP types
-	{ action => 'PVEFW-reject',  proto => 'tcp', dport => '43' }, # REJECT 'auth'
 	# we are not interested in BROADCAST/MULTICAST/ANYCAST
 	{ action => 'PVEFW-DropBroadcast' },
 	# ACCEPT critical ICMP types
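Review bot: The removed rule is internally inconsistent, which supports dropping it rather than "fixing" it: its trailing comment says `# REJECT 'auth'` but `dport => '43'` is the whois/nicname port, while ident/auth is TCP 113, so in the default Drop chain this line never matched the traffic it claimed to handle. With it gone, TCP 113 falls through to the chain's remaining rules exactly like any other port, and the surrounding comment ("same as shorewall 'Drop'") stays accurate given that current shorewall no longer carries this reject either. Worth stating in the commit message that no behaviour change for ident traffic is intended, since the message currently only explains why the line is wrong.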
@@ -615,7 +614,6 @@ $pve_std_chains_conf->{4} = {
 	# same as shorewall 'Reject', which is equal to Reject,
 	# but REJECT/DROP some packages to reduce logging,
 	# and ACCEPT critical ICMP types
-	{ action => 'PVEFW-reject',  proto => 'tcp', dport => '43' }, # REJECT 'auth'
 	# we are not interested in BROADCAST/MULTICAST/ANYCAST
 	{ action => 'PVEFW-DropBroadcast' },
 	# ACCEPT critical ICMP types
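Review bot: Good that both the Drop and Reject chains are changed together, since the same bogus `dport => '43'` line was duplicated in each. One nit on the context line at the top of this hunk: the comment `# same as shorewall 'Reject', which is equal to Reject,` is circular; the parallel comment in the Drop chain reads "which is equal to DROP", so this one presumably meant "equal to REJECT". It is not part of this fix, but since the patch already touches this block, a one-word follow-up (or a squash into this patch) would keep the two chain headers consistent.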