From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lorenz Stechauner
To: pve-devel@lists.proxmox.com
Date: Thu, 5 Aug 2021 12:59:03 +0200
Message-Id: <20210805105903.765052-1-l.stechauner@proxmox.com>
Subject: [pve-devel] [PATCH firewall] fix #2721: remove reject tcp 43 from default drop and reject actions
List-Id: Proxmox VE development discussion

First, '43' is a typo; it should say '113' (if it really is like legacy shorewall [0]). This TCP port corresponds to the ident or authentication service protocol.

Second, nowadays this reject is not included in shorewall anymore. Furthermore, it would make no sense to reject specifically this one port.

[0] https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/action.Drop#L66
https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/Macros/macro.Auth

Signed-off-by: Lorenz Stechauner
---
 src/PVE/Firewall.pm | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index fc5c077..edc5336 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -592,7 +592,6 @@ $pve_std_chains_conf->{4} = { # same as shorewall 'Drop', which is equal to DROP, # but REJECT/DROP some packages to reduce logging, # and ACCEPT critical ICMP types - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' # we are not interested in BROADCAST/MULTICAST/ANYCAST { action => 'PVEFW-DropBroadcast' }, # ACCEPT critical ICMP types 
@@ -615,7 +614,6 @@ $pve_std_chains_conf->{4} = { # same as shorewall 'Reject', which is equal to Reject, # but REJECT/DROP some packages to reduce logging, # and ACCEPT critical ICMP types - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' # we are not interested in BROADCAST/MULTICAST/ANYCAST { action => 'PVEFW-DropBroadcast' }, # ACCEPT critical ICMP types -- 2.30.2
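Review bot: In the first hunk (the Drop chain, "equal to DROP" per its own comment) the observable change is for TCP port 43 only, and the commit message should say so: the removed rule matched `dport => '43'`, not 113, so ident probes were already falling through to the terminal drop and it was whois connections that got the fast `PVEFW-reject`. After this change TCP/43 is dropped like everything else, and the context comment "but REJECT/DROP some packages to reduce logging" now refers only to `PVEFW-DropBroadcast`.

Review bot: Both hunks edit only `$pve_std_chains_conf->{4}`; if the IPv6 standard chains in the same file carry an equivalent `dport => '43'` entry, it belongs in this patch as well, otherwise the two address families are left with different default Drop/Reject behaviour. Please confirm there is none before merging.

Review bot: In the second hunk (the Reject chain) the removed rule was redundant rather than wrong: a TCP/43 packet that falls through the chain is rejected by the chain's terminal action anyway, so the only effect is one rule less. While touching these lines, the context comment `# same as shorewall 'Reject', which is equal to Reject` reads as a tautology; `which is equal to REJECT` would match the wording of the Drop chain comment.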
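The following is an added, constructed first-match simulation of the two standard chains as they appear in the hunks; it is not Proxmox VE firewall code. It models each chain as the ordered rule list visible in the patch, with the chain's terminal action taken from the hunk comments ("equal to DROP" / "equal to Reject"); the port numbers for ident and whois, the handling inside `PVEFW-DropBroadcast` and the ICMP rules (which the hunks only mention in a comment) are assumptions made for the example. It shows what the commit message states: the removed rule never matched ident (113), and in the Reject chain it was redundant.

```python
"""Constructed simulation of PVE standard Drop/Reject chain evaluation.

Added example, not PVE firewall code. Rule entries mirror the Perl hashes in
$pve_std_chains_conf->{4} from the patch; everything else is an assumption.
"""

# Assumed well-known port numbers (from the IANA services table):
# "auth"/"ident" is TCP 113, "whois"/"nicname" is TCP 43.
IDENT_PORT = 113
WHOIS_PORT = 43

# Assumed terminal actions, taken from the hunk comments.
DROP_TERMINAL = "DROP"
REJECT_TERMINAL = "REJECT"


def rule(action, proto=None, dport=None):
    """Build one rule entry in the shape of the Perl hash in the hunk."""
    return {"action": action, "proto": proto, "dport": dport}


# Rule lists as visible in the hunks (ICMP accepts omitted; they do not
# affect TCP). The dport-43 entry is the one the patch removes.
DROP_CHAIN_BEFORE = [
    rule("PVEFW-reject", proto="tcp", dport="43"),  # commented "REJECT 'auth'", matches whois
    rule("PVEFW-DropBroadcast"),
]
DROP_CHAIN_AFTER = [rule("PVEFW-DropBroadcast")]

REJECT_CHAIN_BEFORE = [
    rule("PVEFW-reject", proto="tcp", dport="43"),
    rule("PVEFW-DropBroadcast"),
]
REJECT_CHAIN_AFTER = [rule("PVEFW-DropBroadcast")]


def evaluate(chain, terminal, proto, dport, broadcast=False):
    """Walk the chain first-match; fall through to the terminal action.

    `PVEFW-DropBroadcast` is assumed to drop broadcast/multicast/anycast
    traffic and let unicast traffic continue down the chain.
    """
    for r in chain:
        if r["action"] == "PVEFW-DropBroadcast":
            if broadcast:
                return "DROP"
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and int(r["dport"]) != dport:
            continue
        return r["action"]
    return terminal


def summarize():
    """Return the verdict for ident and whois in both chains, before and after the patch."""
    out = {}
    for name, before, after, terminal in (
        ("Drop", DROP_CHAIN_BEFORE, DROP_CHAIN_AFTER, DROP_TERMINAL),
        ("Reject", REJECT_CHAIN_BEFORE, REJECT_CHAIN_AFTER, REJECT_TERMINAL),
    ):
        for label, port in (("ident", IDENT_PORT), ("whois", WHOIS_PORT)):
            out[(name, label)] = (
                evaluate(before, terminal, "tcp", port),
                evaluate(after, terminal, "tcp", port),
            )
    return out


if __name__ == "__main__":
    for (chain, svc), (before, after) in sorted(summarize().items()):
        print(f"{chain:6} tcp/{svc:5} before={before:13} after={after}")
```

The output makes the two review points concrete: in the Drop chain only whois changes (fast `PVEFW-reject` becomes a silent DROP), ident was dropped all along; in the Reject chain both ports end up rejected either way, so that hunk only removes a redundant rule.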