From: Fabian Grünbichler
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Date: Wed, 10 Jul 2024 14:54:41 +0200
Subject: [pve-devel] applied: [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types
Message-Id: <1720616074.rw29f4wcsv.astroid@yuna.none>
In-Reply-To: <20240610125238.328376-1-s.hanreich@proxmox.com>

On June 10, 2024 2:52 pm, Stefan Hanreich wrote:
> There are certain ICMP messages that should always pass through a
> firewall regardless of any other rules. This is particularly
> important for ICMPv6. While we already handled NDP, there are certain
> control messages that should always be able to pass through any
> firewall, according to RFC 4890.
>
> For ICMP we additionally allow 'Source Quench' as well.
>
> Signed-off-by: Stefan Hanreich
> ---
> While Source Quench is deprecated, there might be niche use cases
> using it and allowing it shouldn't really hurt so I've thrown it into
> the mix as well.
>
> .../resources/proxmox-firewall.nft | 22 +++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
> index 537ba88..ea2cd7d 100644
> --- a/proxmox-firewall/resources/proxmox-firewall.nft
> +++ b/proxmox-firewall/resources/proxmox-firewall.nft
> @@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out > add chain inet proxmox-firewall block-ndp-out > add chain inet proxmox-firewall block-conntrack-invalid > add chain inet proxmox-firewall block-smurfs > +add chain inet proxmox-firewall allow-icmp > add chain inet proxmox-firewall log-drop-smurfs > add chain inet proxmox-firewall default-in > add chain inet proxmox-firewall default-out > @@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out > add chain bridge proxmox-firewall-guests block-ndp-out > add chain bridge proxmox-firewall-guests allow-ra-out > add chain bridge proxmox-firewall-guests block-ra-out > +add chain bridge proxmox-firewall-guests allow-icmp > add chain bridge proxmox-firewall-guests do-reject > add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;} > add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;} > @@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out > flush chain inet proxmox-firewall block-ndp-out > flush chain inet proxmox-firewall block-conntrack-invalid > flush chain inet proxmox-firewall block-smurfs > +flush chain inet proxmox-firewall allow-icmp > flush chain inet proxmox-firewall log-drop-smurfs > flush chain inet proxmox-firewall default-in > flush chain inet proxmox-firewall default-out > @@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out > flush chain bridge proxmox-firewall-guests block-ndp-out > flush chain bridge proxmox-firewall-guests allow-ra-out > flush chain bridge proxmox-firewall-guests block-ra-out > +flush chain bridge proxmox-firewall-guests allow-icmp > flush chain bridge proxmox-firewall-guests do-reject > flush chain bridge proxmox-firewall-guests vm-out > flush chain bridge proxmox-firewall-guests vm-in 
> @@ -175,9 +179,16 @@ table inet proxmox-firewall { > drop > } > > + chain allow-icmp { > + icmp type { destination-unreachable, source-quench, time-exceeded } accept > + # based on RFC 4890 - NDP is handled separately > + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept > + } > + > chain default-in { > iifname "lo" accept > > + jump allow-icmp > ct state related,established accept > > meta l4proto igmp accept > @@ -185,8 +196,6 @@ table inet proxmox-firewall { > tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management > udp dport 5405-5412 accept > > - meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept > - > # Drop Microsoft SMB noise > udp dport { 135, 137-139, 445 } goto do-reject > udp sport 137 udp dport 1024-65535 goto do-reject > @@ -203,6 +212,7 @@ table inet proxmox-firewall { > chain default-out { > oifname "lo" accept > > + jump allow-icmp > ct state vmap { invalid : drop, established : accept, related : accept } > } > > @@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests { > icmpv6 type { nd-router-advert, nd-redirect } drop > } > > + chain allow-icmp { > + icmp type { destination-unreachable, source-quench, time-exceeded } accept > + # based on RFC 4890 - NDP is handled separately > + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept > + } > + > chain do-reject { > meta pkttype broadcast drop > ip saddr 224.0.0.0/4 drop 
> @@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests { > > chain vm-out { > type filter hook prerouting priority 0; policy accept; > + jump allow-icmp > ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } > iifname vmap @vm-map-out > } > > chain vm-in { > type filter hook postrouting priority 0; policy accept; > + jump allow-icmp > ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } > ether type arp accept > oifname vmap @vm-map-in > -- > 2.39.2

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
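Review bot: in the new `allow-icmp` chain of `table inet proxmox-firewall` (hunk `@@ -175,9 +179,16 @@`), the icmpv6 rule accepts every code of `time-exceeded` and `parameter-problem`, while RFC 4890 section 4.3.1, which the comment cites as the basis, lists only Time Exceeded code 0 and Parameter Problem codes 1 and 2 among the messages that must not be dropped. Either narrow the match (for example `icmpv6 type time-exceeded icmpv6 code 0 accept`) or extend the comment to say that all codes are accepted on purpose. The comment `# based on RFC 4890 - NDP is handled separately` also sits below the IPv4 line, so the reasoning for keeping the deprecated `source-quench` type lives only in the cover letter; a one-line comment next to the `icmp type { ... }` rule would preserve it in the file.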
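Review bot: in `chain default-in` (hunk `@@ -175,9 +179,16 @@`, second part) and `chain default-out` (hunk `@@ -203,6 +212,7 @@`) the `jump allow-icmp` precedes the `ct state` rules, so the listed error types are accepted irrespective of conntrack state, including flows conntrack would classify as invalid. That is the intended effect of "should always pass through", but since the chain is now hit in both directions and for IPv6 as well, consider a `limit rate` on these rules so an unsolicited flood of error messages is bounded, and mention the "regardless of conntrack state" behaviour explicitly in the commit message.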
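Review bot: the `allow-icmp` chain body added to `table bridge proxmox-firewall-guests` (hunk `@@ -284,6 +294,12 @@`) is byte-for-byte identical to the one added to `table inet proxmox-firewall`. nftables cannot jump across tables, so the duplication is unavoidable in the .nft file, but a comment on both chains stating that the two lists must be kept in sync (or generating the chain from one place in the Rust side) would prevent the IPv4 and IPv6 lists from drifting apart on the host versus the guest path.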
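Review bot: in `chain vm-out` and `chain vm-in` (hunk `@@ -297,12 +313,14 @@`) the `jump allow-icmp` is placed ahead of `iifname vmap @vm-map-out` and `oifname vmap @vm-map-in`, so a guest's own rule set can no longer drop `destination-unreachable`, `source-quench`, `time-exceeded`, `packet-too-big` or `parameter-problem` at all, even with an explicit deny rule. This matches the cover letter's intent, but it is a user-visible change for guests that currently filter ICMP, and should be spelled out in the commit message and the firewall documentation.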