From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types
Date: Mon, 10 Jun 2024 14:52:38 +0200	[thread overview]
Message-ID: <20240610125238.328376-1-s.hanreich@proxmox.com> (raw)

There are certain ICMP messages that should always pass through a
firewall regardless of any other rules. This is particularly
important for ICMPv6. While we already handled NDP, there are certain
control messages that should always be able to pass through any
firewall, according to RFC 4890.

For ICMP we additionally allow 'Source Quench' as well.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
While Source Quench is deprecated, there might be niche use cases
using it and allowing it shouldn't really hurt so I've thrown it into
the mix as well.

 .../resources/proxmox-firewall.nft            | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 537ba88..ea2cd7d 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out
 add chain inet proxmox-firewall block-ndp-out
 add chain inet proxmox-firewall block-conntrack-invalid
 add chain inet proxmox-firewall block-smurfs
+add chain inet proxmox-firewall allow-icmp
 add chain inet proxmox-firewall log-drop-smurfs
 add chain inet proxmox-firewall default-in
 add chain inet proxmox-firewall default-out
@@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out
 add chain bridge proxmox-firewall-guests block-ndp-out
 add chain bridge proxmox-firewall-guests allow-ra-out
 add chain bridge proxmox-firewall-guests block-ra-out
+add chain bridge proxmox-firewall-guests allow-icmp
 add chain bridge proxmox-firewall-guests do-reject
 add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;}
 add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;}
@@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out
 flush chain inet proxmox-firewall block-ndp-out
 flush chain inet proxmox-firewall block-conntrack-invalid
 flush chain inet proxmox-firewall block-smurfs
+flush chain inet proxmox-firewall allow-icmp
 flush chain inet proxmox-firewall log-drop-smurfs
 flush chain inet proxmox-firewall default-in
 flush chain inet proxmox-firewall default-out
@@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out
 flush chain bridge proxmox-firewall-guests block-ndp-out
 flush chain bridge proxmox-firewall-guests allow-ra-out
 flush chain bridge proxmox-firewall-guests block-ra-out
+flush chain bridge proxmox-firewall-guests allow-icmp
 flush chain bridge proxmox-firewall-guests do-reject
 flush chain bridge proxmox-firewall-guests vm-out
 flush chain bridge proxmox-firewall-guests vm-in
@@ -175,9 +179,16 @@ table inet proxmox-firewall {
         drop
     }
 
+    chain allow-icmp {
+        icmp type { destination-unreachable, source-quench, time-exceeded } accept
+        # based on RFC 4890 - NDP is handled separately
+        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
+    }
+
     chain default-in {
         iifname "lo" accept
 
+        jump allow-icmp
         ct state related,established accept
 
         meta l4proto igmp accept
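Review bot: The new `jump allow-icmp` in default-in sits before `ct state related,established accept`, so the listed error types are accepted regardless of conntrack state, whereas the rule this patch removes from the same chain in the next hunk sat after the state checks and the management rules. Conntrack already classifies ICMP(v6) errors that reference a tracked flow as `related`, so the practical change is that errors not tied to any known flow are now accepted as well; if that is intended, a comment on the jump should say so, e.g. `# accepted stateless on purpose: these errors must pass even for untracked flows (RFC 4890 4.3.1)`, and a `limit rate` on the chain's two rules would bound the exposure from unsolicited error floods. The comment inside the chain cites RFC 4890 for the icmpv6 rule only; the icmp rule above it deserves its own note, e.g. `# ICMPv4 errors needed for PMTUD/traceroute; source-quench is deprecated (RFC 6633) but kept, see commit message`. The same chain body is duplicated verbatim in the bridge table later in this patch (nftables cannot share a chain across tables), so a cross-reference comment in both copies would help keep them in sync.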
@@ -185,8 +196,6 @@ table inet proxmox-firewall {
         tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management
         udp dport 5405-5412 accept
 
-        meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept
-
         # Drop Microsoft SMB noise
         udp dport { 135, 137-139, 445 } goto do-reject
         udp sport 137 udp dport 1024-65535 goto do-reject
@@ -203,6 +212,7 @@ table inet proxmox-firewall {
     chain default-out {
         oifname "lo" accept
 
+        jump allow-icmp
         ct state vmap { invalid : drop, established : accept, related : accept }
     }
 
@@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests {
         icmpv6 type { nd-router-advert, nd-redirect } drop
     }
 
+    chain allow-icmp {
+        icmp type { destination-unreachable, source-quench, time-exceeded } accept
+        # based on RFC 4890 - NDP is handled separately
+        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
+    }
+
     chain do-reject {
         meta pkttype broadcast drop
         ip saddr 224.0.0.0/4 drop
@@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests {
 
     chain vm-out {
         type filter hook prerouting priority 0; policy accept;
+        jump allow-icmp
         ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
         iifname vmap @vm-map-out
     }
 
     chain vm-in {
         type filter hook postrouting priority 0; policy accept;
+        jump allow-icmp
         ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
         ether type arp accept
         oifname vmap @vm-map-in
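Review bot: In vm-out and vm-in the new `jump allow-icmp` precedes both the `ct state vmap` line and the `iifname`/`oifname vmap` dispatch into the per-guest chains, so the listed ICMP(v6) error types are accepted in both directions before any guest-specific rule set is consulted. That matches the commit message's intent, but nothing in the chain itself says that the bypass is deliberate; a comment on each jump such as `# vital ICMP(v6) errors are accepted ahead of the per-guest rules on purpose` would make the precedence explicit for whoever next reorders these chains. The vm-in chain continues past the end of the hunk.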
-- 
2.39.2



