public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] hetzner bug with pve-firewall
@ 2021-09-10 10:31 alexandre derumier
  2021-09-10 10:43 ` Fabian Grünbichler
  2021-09-10 10:53 ` Josef Johansson
  0 siblings, 2 replies; 11+ messages in thread
From: alexandre derumier @ 2021-09-10 10:31 UTC (permalink / raw)
  To: pve-devel

Hi,

multiple users have reported problems with hetzner in bridged mode this
week and pve-firewall
https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/
https://forum.proxmox.com/threads/mac-address-abuse-report.95656/

Seem that hetzner have bugs or are under attack, but they are flooding
traffic to proxmox nodes with wrong mac/ip destination.

The problem is that if users use pve-firewall with reject rules, the
RST packet is send with the wrong mac/ip as source,

and then hertzner is blocking the server of the users ....


I'm looking to see if we could add filtering at ebtables level, to drop
wrong mac destination.

But they are also another problem, if user use DROP as default action,
 we have a default REJECT for whois port 53.

'PVEFW-Drop' => [
   # same as shorewall 'Drop', which is equal to DROP,
   # but REJECT/DROP some packages to reduce logging,
   # and ACCEPT critical ICMP types
   { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, #
REJECT 'auth'

Does somebody known why we do a reject here ?  could it be change to
drop ?






^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-10-12 12:41 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-10 10:31 [pve-devel] hetzner bug with pve-firewall alexandre derumier
2021-09-10 10:43 ` Fabian Grünbichler
2021-09-13 17:43   ` alexandre derumier
2021-09-10 10:53 ` Josef Johansson
2021-09-10 12:34   ` Josef Johansson
2021-09-10 16:18   ` alexandre derumier
2021-09-12 10:37     ` Josef Per Johansson
2021-09-14  0:27       ` alexandre derumier
2021-09-14  7:21         ` Josef Per Johansson
2021-10-01 15:19           ` Josef Johansson
2021-10-12 12:41             ` Josef Johansson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal