From: W3Net Admin <admin@w3net.ca>
To: "pve-user@lists.proxmox.com" <pve-user@lists.proxmox.com>
Subject: Security Bug Identified - Firewall rules bypassed
Date: Mon, 2 Feb 2026 17:17:14 +0000 [thread overview]
Message-ID: <DM4PR10MB681549EE7B7B16F48F3C6E05829AA@DM4PR10MB6815.namprd10.prod.outlook.com> (raw)
Hello,
I have identified a security bug at the DC firewall level where firewall rules are bypassed. I am concerned that this could be a zero day vulnerability. Based on the conditions below, any security group, in this case sg_pbs_stor_pbs is an empty group with NO rules, will hijack the traffic flow and stop FW filtering. If the drop rule was placed above security groups then it worked as expected. My test was pinging my host from a VM; the drop rule should have stopped the ping, but if the VM was on the same host, the ping was acknowledged.
This happens in a very specific scenario; the conditions to recreate it are:
1. The VM must be running on its host; this does not affect a VM running on a different host.
2. A vlan based vnet is created and tagged
3. The host gets a static IP on the vnet
4. Default Input Policy: Drop
nano /etc/pve/firewall/cluster.fw
[group sg_pbs_stor_pbs] # PBS Rules #<-Empty Group, no rules
[RULES]
GROUP sg_pbs_stor_pbs -i vmbr1.2 #<-This will steal the traffic flow and processing will stop
IN DROP -i inf0nas -log nolog #<- it never makes it here
/etc/network/interfaces.d/sdn
auto inf0nas
iface inf0nas
bridge_ports vmbr1.14
bridge_stp off
bridge_fd 0
mtu 9000
alias NAS
/etc/network/interfaces
auto vmbr1
iface vmbr1 inet manual
bridge-ports enp12s0f0np0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 1-100
mtu 9000
auto inf0nas #<- notice the use of a vnet
iface inf0nas inet static
address 10.32.14.111/24
mtu 9000
Thanks,
W3Net Admin
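An added checker, not part of this report or of Proxmox, that parses a cluster.fw-style file and flags the two patterns the report describes: a GROUP reference to a group that has no rules, and a DROP/REJECT rule placed after a GROUP reference (the ordering the reporter had to reverse). The section and comment handling is assumed from the snippet quoted above; the sample file is constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the cluster.fw quoted in the report:
# the referenced group is empty and the DROP rule sits below it.
SAMPLE_FW = """\
[group sg_pbs_stor_pbs] # PBS Rules

[RULES]
GROUP sg_pbs_stor_pbs -i vmbr1.2
IN DROP -i inf0nas -log nolog
"""

def parse_fw(text):
    """Split a cluster.fw-style file into {section header: [rule lines]}.
    '#' comments and blank lines are dropped; headers are lower-cased."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])  # record empty sections too
            continue
        if current is not None:
            sections[current].append(line)
    return sections

def lint_rules(text):
    """Return warnings for the two patterns from the report: a GROUP
    reference to an empty group, and a DROP/REJECT placed after a GROUP."""
    sections = parse_fw(text)
    warnings = []
    seen_group = False
    for idx, rule in enumerate(sections.get("rules", []), start=1):
        parts = rule.split()
        verb = parts[0].upper()
        if verb == "GROUP" and len(parts) > 1:
            if not sections.get(f"group {parts[1]}"):
                warnings.append(f"rule {idx}: GROUP {parts[1]} has no rules")
            seen_group = True
        elif verb in ("IN", "OUT") and len(parts) > 1 and \
                parts[1].upper() in ("DROP", "REJECT") and seen_group:
            warnings.append(f"rule {idx}: '{rule}' comes after a GROUP reference")
    return warnings
```

Running `lint_rules` over the real /etc/pve/firewall/cluster.fw on a cluster node shows whether either pattern is present before relying on a trailing DROP.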