From: W3Net Admin
To: "pve-user@lists.proxmox.com"
Subject: Security Bug Identified - Firewall rules bypassed
Date: Mon, 2 Feb 2026 17:17:14 +0000
List-Id: Proxmox VE user list

Hello,

I have identified a security bug at the DC firewall level where firewall rules are bypassed. I am concerned that this could be a zero-day vulnerability.

Based on the conditions below, any security group (in this case sg_pbs_stor_pbs, which is an empty group with NO rules) will hijack the traffic flow and stop FW filtering. If the drop rule was placed above security groups, then it worked as expected.

My test was pinging my host from a VM; the drop rule should have stopped the ping, but if the VM was on the same host, the ping was acknowledged.

This happens in a very specific scenario; the conditions to recreate are:

1. The VM must be running on its host; this does not affect a VM running on a different host.
2. A VLAN-based vnet is created and tagged
3. The host gets a static IP on the vnet
4. Default Input Policy: Drop

nano /etc/pve/firewall/cluster.fw

    [group sg_pbs_stor_pbs] # PBS Rules
    #<-Empty Group, no rules

    [RULES]
    GROUP sg_pbs_stor_pbs -i vmbr1.2 #<-This will steal the traffic flow and processing will stop
    IN DROP -i inf0nas -log nolog #<- it never makes it here

/etc/network/interfaces.d/sdn

    auto inf0nas
    iface inf0nas
        bridge_ports vmbr1.14
        bridge_stp off
        bridge_fd 0
        mtu 9000
        alias NAS

/etc/network/interfaces

    auto vmbr1
    iface vmbr1 inet manual
        bridge-ports enp12s0f0np0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1-100
        mtu 9000

    auto inf0nas #<- notice the use of a vnet
    iface inf0nas inet static
        address 10.32.14.111/24
        mtu 9000

Thanks,
W3Net Admin
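
Added example, not part of the original message and not Proxmox code: a small Python audit that flags the layout the poster reports, a GROUP reference sitting above a DROP rule in [RULES], and notes whether the referenced group is empty. It parses only the cluster.fw syntax visible in the post; the function names and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample: the cluster.fw from the post, line breaks restored
# and the poster's inline annotations on the rule lines removed.
SAMPLE_CLUSTER_FW = """\
[group sg_pbs_stor_pbs] # PBS Rules
#<-Empty Group, no rules

[RULES]
GROUP sg_pbs_stor_pbs -i vmbr1.2
IN DROP -i inf0nas -log nolog
"""

SECTION = re.compile(r"^\[(?P<kind>\w+)(?:\s+(?P<name>[^\]]+))?\]")


def parse_cluster_fw(text):
    """Return (groups, rules): rule lists per [group NAME] and for [RULES]."""
    groups, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and annotations
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            kind = m.group("kind").lower()
            if kind == "group":
                current = groups.setdefault(m.group("name").strip(), [])
            elif kind == "rules":
                current = rules
            else:
                current = None  # sections this audit does not inspect
            continue
        if current is not None:
            current.append(line.split())
    return groups, rules


def audit_group_before_drop(text):
    """Flag GROUP references that sit above a later DROP rule in [RULES]."""
    groups, rules = parse_cluster_fw(text)
    findings = []
    for i, rule in enumerate(rules):
        if rule[0].upper() != "GROUP" or len(rule) < 2:
            continue
        drops_below = [" ".join(r) for r in rules[i + 1:] if "DROP" in r[:2]]
        if drops_below:
            # "empty" is also True when the group is referenced but undefined
            findings.append({"group": rule[1], "empty": not groups.get(rule[1]),
                             "drops_below": drops_below})
    return findings
```

Each finding names a DROP rule that, per the report, should be moved above the GROUP line and then re-tested from a VM on the same host.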