From: "g.husson_proxmox-pve-user--- via pve-user" <pve-user@lists.proxmox.com>
To: pve-user@lists.proxmox.com
Cc: g.husson_proxmox-pve-user@liberasys.com
Subject: Re: [PVE-User] PVE-firewall and multicast with linux bridging
Date: Mon, 30 Jun 2025 08:16:48 +0200	[thread overview]
Message-ID: <mailman.725.1751264740.395.pve-user@lists.proxmox.com> (raw)
In-Reply-To: <c617d4af-f8a8-4a84-bbc3-0b7f76fbaf72@bryanfields.net>

Hello Bryan,

"It is not a bug, it is a feature" :-)
Look at the documentation:
===
The following traffic is dropped, but not logged even with logging enabled:
- Broadcast, multicast and anycast traffic not related to corosync, i.e., not coming through ports 5405-5412
===

Again, from the documentation:
===
proxmox-firewall will create two tables that are managed by the 
proxmox-firewall service: proxmox-firewall and proxmox-firewall-guests. 
If you want to create custom rules that live outside the Proxmox VE 
firewall configuration you can create your own tables to manage your 
custom firewall rules. proxmox-firewall will only touch the tables it 
generates, so you can easily extend and modify the behavior of the 
proxmox-firewall by adding your own tables.
===

Now you can use rc.local, or crontab @reboot, or better a systemd unit 
that chains after the Proxmox VE firewall start in order to apply the manual 
rules you found.

Best regards,
Gautier Husson.


On 29/06/2025 10:14, Bryan Fields wrote:
> I've got somewhat of a workaround, as it needs to be applied manually each
> time the firewall is reset.
>
> Example here is the devices I want to have this enabled on, and then the first
> command replaces the first rule and then the next insert the following rules
> at 2 in the chain.
>
> iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP
>
> As there's no way to exclude multiple interfaces on the iptables command, the
> only way to do this is whitelist interfaces.  This should really be how
> proxmox does it, asking about connection tracking at the per bridge
> level.  I do want it on some of the bridges, but on others, it needs to be
> optional.
>
> I'm frankly surprised that there's no one else who's run into this as it
> appears many issues are caused by this.
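The following script is an added example for this thread; it is not code from Proxmox, from Gautier or from Bryan. It packages the per-bridge "drop INVALID" rules quoted above into a rules script plus a systemd oneshot unit ordered after the firewall service, which is the approach Gautier suggests. Assumed names: the iptables-based firewall service is taken to be pve-firewall.service (the nftables variant is proxmox-firewall.service), and the bridge list, unit name and file paths are constructed placeholders to adjust for your host.

```shell
#!/bin/sh
# Added example for this thread, not code from Proxmox or from either poster.
# Turns the per-bridge "drop INVALID" iptables rules quoted above into a script
# that a systemd unit runs after the firewall service has started.
# Assumptions: the iptables-based firewall service is pve-firewall.service
# (proxmox-firewall.service for the nftables variant); bridge names, unit name
# and file paths below are constructed examples.

BRIDGES="vmbr8 vmbr44 vmbr45 vmbr192 vmbr199"   # bridges that keep the INVALID drop
RULES_SCRIPT=/usr/local/sbin/pve-custom-fw-rules.sh
UNIT_FILE=/etc/systemd/system/pve-custom-fw-rules.service

# Print the iptables commands for a space-separated bridge list, following the
# quoted pattern: the first bridge replaces rule 1 of PVEFW-FORWARD (the
# catch-all INVALID drop), each further bridge is inserted at position 2.
gen_rules() {
    first=1
    for br in $1; do
        if [ "$first" -eq 1 ]; then
            printf 'iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
            first=0
        else
            printf 'iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
        fi
    done
}

# Print the rules script: it bails out if the chain is not there yet (firewall
# not up), applies the rules, then lists the chain so the result is in the journal.
gen_script() {
    printf '#!/bin/sh\nset -e\n'
    printf 'iptables -S PVEFW-FORWARD >/dev/null 2>&1 || { echo "PVEFW-FORWARD chain not present" >&2; exit 1; }\n'
    gen_rules "$1"
    printf 'iptables -S PVEFW-FORWARD\n'
}

# Print a oneshot unit that runs the rules script after the firewall service.
gen_unit() {
    cat <<EOF
[Unit]
Description=Apply custom per-bridge conntrack rules after the Proxmox VE firewall
After=pve-firewall.service
Wants=pve-firewall.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$RULES_SCRIPT

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    show)      # preview both generated files without touching the system
        gen_script "$BRIDGES"; echo; gen_unit ;;
    install)   # write the files and enable the unit (needs root)
        gen_script "$BRIDGES" > "$RULES_SCRIPT" && chmod 0755 "$RULES_SCRIPT"
        gen_unit > "$UNIT_FILE"
        systemctl daemon-reload && systemctl enable --now pve-custom-fw-rules.service ;;
esac
```

Run it with `show` first to review what would be written, then `install` as root; `systemctl status pve-custom-fw-rules.service` shows the `iptables -S PVEFW-FORWARD` listing from the last run. One caveat worth checking on your own host: pve-firewall periodically compares the PVEFW-* chains with the ruleset it generates and rebuilds a chain that differs, which is the "reset" Bryan describes, so rules edited inside PVEFW-FORWARD may not last; rules kept in a chain or, with the nftables firewall, a table of your own (as the documentation Gautier quotes recommends) are left alone by the service.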