From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Mon, 10 Jun 2024 14:52:38 +0200
Message-Id: <20240610125238.328376-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types

There are certain ICMP messages that should always pass through a firewall regardless of any other rules. This is particularly important for ICMPv6. While we already handled NDP, there are certain control messages that should always be able to pass through any firewall, according to RFC 4890. For ICMP we additionally allow 'Source Quench' as well.
Signed-off-by: Stefan Hanreich --- While Source Quench is deprecated, there might be niche use cases using it and allowing it shouldn't really hurt so I've thrown it into the mix as well. .../resources/proxmox-firewall.nft | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft index 537ba88..ea2cd7d 100644 --- a/proxmox-firewall/resources/proxmox-firewall.nft +++ b/proxmox-firewall/resources/proxmox-firewall.nft @@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out add chain inet proxmox-firewall block-ndp-out add chain inet proxmox-firewall block-conntrack-invalid add chain inet proxmox-firewall block-smurfs +add chain inet proxmox-firewall allow-icmp add chain inet proxmox-firewall log-drop-smurfs add chain inet proxmox-firewall default-in add chain inet proxmox-firewall default-out @@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out add chain bridge proxmox-firewall-guests block-ndp-out add chain bridge proxmox-firewall-guests allow-ra-out add chain bridge proxmox-firewall-guests block-ra-out +add chain bridge proxmox-firewall-guests allow-icmp add chain bridge proxmox-firewall-guests do-reject add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;} add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;} @@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out flush chain inet proxmox-firewall block-ndp-out flush chain inet proxmox-firewall block-conntrack-invalid flush chain inet proxmox-firewall block-smurfs +flush chain inet proxmox-firewall allow-icmp flush chain inet proxmox-firewall log-drop-smurfs flush chain inet proxmox-firewall default-in flush chain inet proxmox-firewall default-out 
@@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out flush chain bridge proxmox-firewall-guests block-ndp-out flush chain bridge proxmox-firewall-guests allow-ra-out flush chain bridge proxmox-firewall-guests block-ra-out +flush chain bridge proxmox-firewall-guests allow-icmp flush chain bridge proxmox-firewall-guests do-reject flush chain bridge proxmox-firewall-guests vm-out flush chain bridge proxmox-firewall-guests vm-in @@ -175,9 +179,16 @@ table inet proxmox-firewall { drop } + chain allow-icmp { + icmp type { destination-unreachable, source-quench, time-exceeded } accept + # based on RFC 4890 - NDP is handled separately + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept + } + chain default-in { iifname "lo" accept + jump allow-icmp ct state related,established accept meta l4proto igmp accept @@ -185,8 +196,6 @@ table inet proxmox-firewall { tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management udp dport 5405-5412 accept - meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept - # Drop Microsoft SMB noise udp dport { 135, 137-139, 445 } goto do-reject udp sport 137 udp dport 1024-65535 goto do-reject @@ -203,6 +212,7 @@ table inet proxmox-firewall { chain default-out { oifname "lo" accept + jump allow-icmp ct state vmap { invalid : drop, established : accept, related : accept } } @@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests { icmpv6 type { nd-router-advert, nd-redirect } drop } + chain allow-icmp { + icmp type { destination-unreachable, source-quench, time-exceeded } accept + # based on RFC 4890 - NDP is handled separately + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept + } + chain do-reject { meta pkttype broadcast drop ip saddr 224.0.0.0/4 drop 
@@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests { chain vm-out { type filter hook prerouting priority 0; policy accept; + jump allow-icmp ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } iifname vmap @vm-map-out } chain vm-in { type filter hook postrouting priority 0; policy accept; + jump allow-icmp ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } ether type arp accept oifname vmap @vm-map-in -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
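Review bot: in the `@@ -175,9 +179,16 @@` hunk, `jump allow-icmp` is inserted ahead of `ct state related,established accept` in `default-in`, so the listed ICMP(v6) types are now accepted even when conntrack cannot tie them to any flow; the removed `meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept` sat after the ct state line, so this is a behaviour change beyond adding types and deserves a sentence in the commit message. If the point is to let errors through for flows conntrack never saw, say so in the chain comment; otherwise moving the jump below the ct state rule keeps the previous ordering. The comment `# based on RFC 4890 - NDP is handled separately` also understates the divergence from the RFC: section 4.3.1 lists Time Exceeded code 0 and Parameter Problem codes 1 and 2 as must-not-drop, with code 1 and code 0 respectively only in the "normally should not be dropped" list of section 4.3.2, and it also lists Echo Request/Reply, which the set omits. Accepting all codes is a reasonable simplification, but the comment should cite the sections and state that echo is deliberately left to user rules.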
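Review bot: in the `default-out` hunk (`@@ -203,6 +212,7 @@`), `jump allow-icmp` lands before `ct state vmap { invalid : drop, established : accept, related : accept }`, so an outgoing ICMP(v6) error that conntrack classifies as invalid is now accepted instead of dropped. Errors the host generates for tracked flows are already RELATED and pass through the existing vmap, so the only traffic the jump newly admits outbound is errors with no matching conntrack entry; either add a comment saying why the host's own output path needs that, or place the jump after the vmap line so the invalid drop still applies.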
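Review bot: the bridge-table `allow-icmp` chain (`@@ -284,6 +294,12 @@`) repeats both type sets of the inet-table chain verbatim. nftables chains cannot be shared across tables, but the sets can be declared once at the top of proxmox-firewall.nft with `define`, e.g. `define vital_icmp = { destination-unreachable, source-quench, time-exceeded }`, and referenced as `icmp type $vital_icmp accept` in both chains so the two copies cannot drift apart. Separately, `source-quench` is deprecated by RFC 6633, which tells hosts and routers to ignore it, and the cover note itself calls it deprecated; a chain whose purpose is the minimal set of ICMP types that must never be blocked is the wrong place for a "shouldn't hurt" addition. I would drop it from the set and let anyone with the niche use case add an ordinary rule.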
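Review bot: in `vm-out` and `vm-in` (`@@ -297,12 +313,14 @@`), `jump allow-icmp` sits above both the `ct state vmap { ... invalid : drop }` line and the per-guest `iifname vmap @vm-map-out` / `oifname vmap @vm-map-in` dispatch, so these ICMP(v6) types reach and leave every guest before any guest-level rule runs and even in the invalid conntrack state the vmap would otherwise drop. That matches "regardless of any other rules" in the commit message, but it also means a guest can emit destination-unreachable, packet-too-big, time-exceeded or parameter-problem messages that reference no flow conntrack has seen, and nothing in that guest's own rule set can stop them. This should be stated in the guest firewall documentation, and it is worth considering keeping the invalid drop ahead of the jump in `vm-out` while `vm-in` accepts unconditionally.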
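What the unconditional `allow-icmp` accept gives up is conntrack's correlation of an ICMP error with the flow it complains about. The following Python, an added reviewer example and not code from proxmox-firewall or this patch, classifies ICMPv6 messages into the RFC 4890 section 4.3.1/4.3.2 buckets (my reading of the RFC, including its code-level distinctions), verifies the ICMPv6 checksum, and emulates the RELATED check by matching the invoking packet embedded in an error message against a flow table. The addresses, ports, flow table and packets are all constructed, and `PATCH_ALLOWS` encodes what the patch's `icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept` line matches.

```python
"""RFC 4890 classification of ICMPv6 messages plus a RELATED-style correlation
check for error messages.  Reviewer example; all packets and flows are constructed."""
import ipaddress
import struct

ICMPV6 = 58

# RFC 4890 section 4.3.1 (must not be dropped) and 4.3.2 (normally should not
# be dropped), keyed by (type, code); code None means every code of that type.
MUST_NOT_DROP = {
    (1, None),                 # Destination Unreachable, all codes
    (2, None),                 # Packet Too Big
    (3, 0),                    # Time Exceeded, hop limit exceeded in transit
    (4, 1), (4, 2),            # Parameter Problem, unrecognised next header / option
    (128, None), (129, None),  # Echo Request / Echo Reply
}
NORMALLY_NOT_DROPPED = {
    (3, 1),                    # Time Exceeded, fragment reassembly time exceeded
    (4, 0),                    # Parameter Problem, erroneous header field
}
# The patch's set: every code of the four error types (which all carry the
# invoking packet), and nothing else, e.g. no echo.
PATCH_ALLOWS = {1, 2, 3, 4}


def classify(icmp_type, code):
    """RFC 4890 bucket for a (type, code) pair."""
    if (icmp_type, None) in MUST_NOT_DROP or (icmp_type, code) in MUST_NOT_DROP:
        return "must-not-drop"
    if (icmp_type, code) in NORMALLY_NOT_DROPPED:
        return "normally-not-dropped"
    return "policy"


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, upper_len):
    return src.packed + dst.packed + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([ICMPV6])


def build_icmpv6(src, dst, icmp_type, code, rest):
    """ICMPv6 message with a correct checksum over the IPv6 pseudo-header."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(body)) + body)) & 0xFFFF
    return struct.pack("!BBH", icmp_type, code, csum) + rest


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + src.packed + dst.packed + payload


def parse_ipv6(pkt):
    """(src, dst, next_header, rest); rest is not cut to the payload-length
    field because an embedded invoking packet may be truncated."""
    _, _, next_header, _ = struct.unpack("!IHBB", pkt[:8])
    return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), next_header, pkt[40:]


def evaluate(pkt, flows):
    """What the patch's rule does with pkt, and whether an error message is
    related to a flow in flows (a set of (src, dst, proto, sport, dport))."""
    src, dst, next_header, icmp = parse_ipv6(pkt)
    if next_header != ICMPV6:
        return {"verdict": "not-icmpv6"}
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    checksum_ok = ones_complement_sum(pseudo_header(src, dst, len(icmp)) + icmp) == 0xFFFF
    related = None
    if icmp_type in PATCH_ALLOWS:
        invoking = icmp[8:]            # 4-byte ICMPv6 header + 4-byte type-specific field
        related = False
        if len(invoking) >= 44:        # embedded IPv6 header plus at least the port pair
            isrc, idst, inh, transport = parse_ipv6(invoking)
            sport, dport = struct.unpack("!HH", transport[:4]) if inh in (6, 17) else (None, None)
            # The invoking packet was sent by the victim, so its src is our flow's src.
            related = (str(isrc), str(idst), inh, sport, dport) in flows
    if icmp_type not in PATCH_ALLOWS:
        verdict = "policy"
    elif related:
        verdict = "accept-related"
    else:
        verdict = "accept-unsolicited"   # passes `jump allow-icmp`; conntrack would say INVALID
    return {"type": icmp_type, "code": code, "checksum_ok": checksum_ok,
            "rfc4890": classify(icmp_type, code), "related": related, "verdict": verdict}


# Constructed sample data: one TCP flow the host owns and a router on the path.
HOST, PEER, ROUTER = (ipaddress.IPv6Address(a) for a in ("2001:db8::10", "2001:db8::20", "2001:db8::1"))
FLOWS = {(str(HOST), str(PEER), 6, 40000, 443)}
TCP_STUB = struct.pack("!HHI", 40000, 443, 0) + b"\x00" * 12   # 20-byte TCP header, constructed


def packet_too_big(embedded_dst, mtu=1400):
    invoking = build_ipv6(HOST, embedded_dst, 6, TCP_STUB)
    icmp = build_icmpv6(ROUTER, HOST, 2, 0, struct.pack("!I", mtu) + invoking)
    return build_ipv6(ROUTER, HOST, ICMPV6, icmp, hop_limit=255)


PTB_RELATED = packet_too_big(PEER)                                  # refers to a flow we own
PTB_UNSOLICITED = packet_too_big(ipaddress.IPv6Address("2001:db8::99"))  # refers to no flow

if __name__ == "__main__":
    for name, pkt in (("related", PTB_RELATED), ("unsolicited", PTB_UNSOLICITED)):
        print(name, evaluate(pkt, FLOWS))
```

Both sample messages are accepted by the patch's chain; the difference that `evaluate` surfaces, and that a `ct state related` rule would enforce, is that only the first one names a flow the host actually has. Run as a script it prints the two verdict dictionaries.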