* [pve-devel] [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types
@ 2024-06-10 12:52 Stefan Hanreich
2024-07-10 12:54 ` [pve-devel] applied: " Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Stefan Hanreich @ 2024-06-10 12:52 UTC (permalink / raw)
To: pve-devel
There are certain ICMP messages that should always pass through a
firewall regardless of any other rules. This is particularly
important for ICMPv6. While we already handled NDP, there are certain
control messages that should always be able to pass through any
firewall, according to RFC 4890.
For ICMP we additionally allow 'Source Quench' as well.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
While Source Quench is deprecated, there might be niche use cases
using it and allowing it shouldn't really hurt, so I've thrown it into
the mix as well.
.../resources/proxmox-firewall.nft | 22 +++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 537ba88..ea2cd7d 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out
add chain inet proxmox-firewall block-ndp-out
add chain inet proxmox-firewall block-conntrack-invalid
add chain inet proxmox-firewall block-smurfs
+add chain inet proxmox-firewall allow-icmp
add chain inet proxmox-firewall log-drop-smurfs
add chain inet proxmox-firewall default-in
add chain inet proxmox-firewall default-out
@@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out
add chain bridge proxmox-firewall-guests block-ndp-out
add chain bridge proxmox-firewall-guests allow-ra-out
add chain bridge proxmox-firewall-guests block-ra-out
+add chain bridge proxmox-firewall-guests allow-icmp
add chain bridge proxmox-firewall-guests do-reject
add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;}
add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;}
@@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out
flush chain inet proxmox-firewall block-ndp-out
flush chain inet proxmox-firewall block-conntrack-invalid
flush chain inet proxmox-firewall block-smurfs
+flush chain inet proxmox-firewall allow-icmp
flush chain inet proxmox-firewall log-drop-smurfs
flush chain inet proxmox-firewall default-in
flush chain inet proxmox-firewall default-out
@@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out
flush chain bridge proxmox-firewall-guests block-ndp-out
flush chain bridge proxmox-firewall-guests allow-ra-out
flush chain bridge proxmox-firewall-guests block-ra-out
+flush chain bridge proxmox-firewall-guests allow-icmp
flush chain bridge proxmox-firewall-guests do-reject
flush chain bridge proxmox-firewall-guests vm-out
flush chain bridge proxmox-firewall-guests vm-in
@@ -175,9 +179,16 @@ table inet proxmox-firewall {
drop
}
+ chain allow-icmp {
+ icmp type { destination-unreachable, source-quench, time-exceeded } accept
+ # based on RFC 4890 - NDP is handled separately
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
+ }
+
chain default-in {
iifname "lo" accept
+ jump allow-icmp
ct state related,established accept
meta l4proto igmp accept
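Review bot: `jump allow-icmp` in default-in is placed before `ct state related,established accept`, so the listed ICMP and ICMPv6 error types are now accepted even when conntrack has no flow matching the embedded header, i.e. unsolicited or forged errors are no longer filtered by state. That may well be the intent behind "regardless of any other rules", but the commit message should state it explicitly, and a `limit rate` on the chain would bound a flood of such errors. Also worth a comment next to `# based on RFC 4890`: section 4.3.1 of that RFC lists Time Exceeded code 0 and Parameter Problem codes 1 and 2 as must-not-drop, while Time Exceeded code 1 and Parameter Problem code 0 are only "normally should not be dropped"; the chain accepts all codes, which is defensible but is a choice the comment should record.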
@@ -185,8 +196,6 @@ table inet proxmox-firewall {
tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management
udp dport 5405-5412 accept
- meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept
-
# Drop Microsoft SMB noise
udp dport { 135, 137-139, 445 } goto do-reject
udp sport 137 udp dport 1024-65535 goto do-reject
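Review bot: the removed rule matched only IPv4 destination-unreachable and time-exceeded and was evaluated after the management and corosync accepts; its replacement in allow-icmp runs first and additionally accepts source-quench, so this hunk is a relocation plus a widening rather than a pure move, and the diff stat understates the behavioural change. Source Quench was formally deprecated by RFC 6633 (hosts must ignore it), so accepting it does no harm but also gains nothing; keeping the always-allow list minimal argues for leaving it out unless a concrete use case is known.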
@@ -203,6 +212,7 @@ table inet proxmox-firewall {
chain default-out {
oifname "lo" accept
+ jump allow-icmp
ct state vmap { invalid : drop, established : accept, related : accept }
}
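Review bot: in default-out the jump sits before `ct state vmap { invalid : drop, established : accept, related : accept }`, so outbound ICMP errors in `invalid` conntrack state are now accepted as well. Errors the host generates for its own flows are already `related` and passed before this change; the new behaviour only matters for errors belonging to flows conntrack never saw. If the goal is just to guarantee host-generated errors, moving the jump after the vmap keeps the invalid drop while still covering the related case.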
@@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests {
icmpv6 type { nd-router-advert, nd-redirect } drop
}
+ chain allow-icmp {
+ icmp type { destination-unreachable, source-quench, time-exceeded } accept
+ # based on RFC 4890 - NDP is handled separately
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
+ }
+
chain do-reject {
meta pkttype broadcast drop
ip saddr 224.0.0.0/4 drop
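Review bot: this chain body is a verbatim copy of the inet allow-icmp chain above; nftables cannot share a chain between the inet and bridge tables, so the duplication is unavoidable in this file, but the two lists will drift unless they are kept in sync deliberately. A comment in each chain pointing at the other, or generating both from a single definition, would make that harder to get wrong.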
@@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests {
chain vm-out {
type filter hook prerouting priority 0; policy accept;
+ jump allow-icmp
ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
iifname vmap @vm-map-out
}
chain vm-in {
type filter hook postrouting priority 0; policy accept;
+ jump allow-icmp
ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
ether type arp accept
oifname vmap @vm-map-in
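Review bot: in vm-out and vm-in the jump precedes both the `ct state vmap { ... invalid : drop }` entry and the per-VM vmaps `@vm-map-out` / `@vm-map-in`, so a guest's own rule set can no longer drop these types and the guest receives ICMPv6 errors (packet-too-big, for example) from any source regardless of state. That matches the "vital" framing, but it makes part of a guest's ICMP rules silently ineffective and should be documented for users; a `limit rate` in the bridge allow-icmp chain would at least bound an error flood aimed at a single guest.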
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
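The commit message says which ICMPv6 types must pass "regardless of any other rules"; what a practitioner wants is a way to confirm that a deployed ruleset actually delivers that. As an added example (not proxmox-firewall code), the Python below walks an nftables ruleset in the JSON shape `nft -j list ruleset` emits, follows `jump`/`goto` into regular chains, and reports for each RFC 4890 section 4.3.1 must-pass type whether a chain accepts it unconditionally, only behind conditional rules such as `ct state`, or not at all. The embedded ruleset is constructed by hand with a hypothetical table `pve` and chains `default-in` (patched shape: jump first) and `old-in` (pre-patch shape: IPv4 errors only, after the stateful rule); it models `icmpv6 type`, `meta l4proto` and other-protocol payload matches, and treats everything else (conntrack state, addresses, interfaces, icmpv6 code) as conditional.

```python
"""Check how an nftables chain treats the ICMPv6 error types RFC 4890 sec.
4.3.1 says a firewall must not drop. Input is the JSON shape emitted by
`nft -j list ruleset`. Added example for this thread, not proxmox-firewall code."""

RFC4890_MUST_PASS = ("destination-unreachable", "packet-too-big",
                     "time-exceeded", "parameter-problem")

def _values(right):
    """Match right-hand side as a list: scalar, list or {"set": [...]}."""
    right = right["set"] if isinstance(right, dict) and "set" in right else right
    return right if isinstance(right, list) else [right]

def _rules(rs, family, table, chain):
    """Rules of one chain in ruleset (= evaluation) order."""
    return [o["rule"] for o in rs["nftables"] if "rule" in o and
            (o["rule"]["family"], o["rule"]["table"], o["rule"]["chain"]) == (family, table, chain)]

def _verdict(expr):
    """'accept'/'drop'/'reject', the jump/goto dict, or None."""
    for e in expr:
        for k in ("accept", "drop", "reject", "jump", "goto"):
            if k in e:
                return e if k in ("jump", "goto") else k
    return None

def _classify(expr, icmp_type):
    """'match': every match holds for an ICMPv6 packet of icmp_type;
    'never': one cannot hold; 'maybe': depends on unmodelled state
    (conntrack, addresses, interfaces, icmpv6 code)."""
    result = "match"
    for m in (e["match"] for e in expr if "match" in e):
        left, right, op = m["left"], _values(m["right"]), m["op"]
        if "payload" in left:
            if left["payload"]["protocol"] != "icmpv6":
                return "never"          # tcp/udp/icmp(v4) header is absent
            if left["payload"]["field"] != "type":
                result = "maybe"
            elif (icmp_type in right) != (op == "=="):
                return "never"
        elif "meta" in left and left["meta"]["key"] == "l4proto":
            if ("ipv6-icmp" in right or "icmpv6" in right) != (op == "=="):
                return "never"
        else:
            result = "maybe"
    return result

def outcomes(rs, family, table, chain, icmp_type, _depth=0):
    """(certain, verdict) pairs an ICMPv6 packet of icmp_type can reach in
    chain, in rule order, following jumps, stopping at the first unconditional
    verdict. If the last entry is not certain, the base-chain policy applies."""
    if _depth > 16:
        raise RuntimeError("jump/goto loop at chain %r" % chain)
    out = []
    for rule in _rules(rs, family, table, chain):
        how, v = _classify(rule["expr"], icmp_type), _verdict(rule["expr"])
        if how == "never" or v is None:
            continue
        if isinstance(v, dict):                      # jump or goto
            kind = "jump" if "jump" in v else "goto"
            sub = outcomes(rs, family, table, v[kind]["target"], icmp_type, _depth + 1)
            out += [(c and how == "match", x) for c, x in sub]
            if (out and out[-1][0]) or (kind == "goto" and how == "match"):
                return out
            continue
        out.append((how == "match", v))
        if how == "match":
            return out
    return out

def summarize(out, policy="drop"):
    """'guaranteed' (unconditional accept comes first), 'accepted' (accept only
    after conditional rules), 'conditional' (accept exists but a drop is also
    reachable), 'blocked'."""
    if out and out[0] == (True, "accept"):
        return "guaranteed"
    final = out[-1][1] if out and out[-1][0] else policy
    if final == "accept":
        return "accepted"
    return "conditional" if any(v == "accept" for _, v in out) else "blocked"

def audit(rs, family, table, chain, policy="drop"):
    """Outcome per RFC 4890 must-pass type for one chain."""
    return {t: summarize(outcomes(rs, family, table, chain, t), policy) for t in RFC4890_MUST_PASS}

# Constructed sample in nft's JSON shape (hypothetical table "pve"): "default-in"
# mirrors the patched chain, "old-in" the pre-patch one (IPv4 errors only, late).
def _rule(chain, *expr):
    return {"rule": {"family": "inet", "table": "pve", "chain": chain, "expr": list(expr)}}
def _match(left, right, op="=="):
    return {"match": {"op": op, "left": left, "right": right}}
ACCEPT, DROP = {"accept": None}, {"drop": None}
STATEFUL = _match({"ct": {"key": "state"}}, {"set": ["related", "established"]}, "in")
MGMT = _match({"payload": {"protocol": "tcp", "field": "dport"}}, {"set": [22, 8006]})
V4_ERRORS = _match({"payload": {"protocol": "icmp", "field": "type"}},
                   {"set": ["destination-unreachable", "time-exceeded"]})
V6_ERRORS = _match({"payload": {"protocol": "icmpv6", "field": "type"}},
                   {"set": list(RFC4890_MUST_PASS)})
SAMPLE = {"nftables": [
    _rule("allow-icmp", V4_ERRORS, ACCEPT), _rule("allow-icmp", V6_ERRORS, ACCEPT),
    _rule("default-in", {"jump": {"target": "allow-icmp"}}),
    _rule("default-in", STATEFUL, ACCEPT), _rule("default-in", MGMT, ACCEPT),
    _rule("default-in", DROP),
    _rule("old-in", STATEFUL, ACCEPT), _rule("old-in", MGMT, ACCEPT),
    _rule("old-in", V4_ERRORS, ACCEPT), _rule("old-in", DROP),
]}

if __name__ == "__main__":
    for chain in ("old-in", "default-in"):
        print(chain, audit(SAMPLE, "inet", "pve", chain))
```

Against a live host, replace `SAMPLE` with `json.load` of `nft -j list ruleset` output and point `audit` at `inet proxmox-firewall default-in` (or `bridge proxmox-firewall-guests vm-in`). The `old-in` result, `conditional` for every type, is the situation the patch fixes: the errors get through only when conntrack already knows the flow; the patched chain yields `guaranteed` because the unconditional accept is reached first.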
* [pve-devel] applied: [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types
2024-06-10 12:52 [pve-devel] [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types Stefan Hanreich
@ 2024-07-10 12:54 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2024-07-10 12:54 UTC (permalink / raw)
To: Proxmox VE development discussion
On June 10, 2024 2:52 pm, Stefan Hanreich wrote:
> There are certain ICMP messages that should always pass through a
> firewall regardless of any other rules. This is particularly
> important for ICMPv6. While we already handled NDP, there are certain
> control messages that should always be able to pass through any
> firewall, according to RFC 4890.
>
> For ICMP we additionally allow 'Source Quench' as well.
>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> While Source Quench is deprecated, there might be niche use cases
> using it and allowing it shouldn't really hurt, so I've thrown it into
> the mix as well.
>
> .../resources/proxmox-firewall.nft | 22 +++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
> index 537ba88..ea2cd7d 100644
> --- a/proxmox-firewall/resources/proxmox-firewall.nft
> +++ b/proxmox-firewall/resources/proxmox-firewall.nft
> @@ -16,6 +16,7 @@ add chain inet proxmox-firewall allow-ndp-out
> add chain inet proxmox-firewall block-ndp-out
> add chain inet proxmox-firewall block-conntrack-invalid
> add chain inet proxmox-firewall block-smurfs
> +add chain inet proxmox-firewall allow-icmp
> add chain inet proxmox-firewall log-drop-smurfs
> add chain inet proxmox-firewall default-in
> add chain inet proxmox-firewall default-out
> @@ -32,6 +33,7 @@ add chain bridge proxmox-firewall-guests allow-ndp-out
> add chain bridge proxmox-firewall-guests block-ndp-out
> add chain bridge proxmox-firewall-guests allow-ra-out
> add chain bridge proxmox-firewall-guests block-ra-out
> +add chain bridge proxmox-firewall-guests allow-icmp
> add chain bridge proxmox-firewall-guests do-reject
> add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;}
> add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;}
> @@ -47,6 +49,7 @@ flush chain inet proxmox-firewall allow-ndp-out
> flush chain inet proxmox-firewall block-ndp-out
> flush chain inet proxmox-firewall block-conntrack-invalid
> flush chain inet proxmox-firewall block-smurfs
> +flush chain inet proxmox-firewall allow-icmp
> flush chain inet proxmox-firewall log-drop-smurfs
> flush chain inet proxmox-firewall default-in
> flush chain inet proxmox-firewall default-out
> @@ -63,6 +66,7 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out
> flush chain bridge proxmox-firewall-guests block-ndp-out
> flush chain bridge proxmox-firewall-guests allow-ra-out
> flush chain bridge proxmox-firewall-guests block-ra-out
> +flush chain bridge proxmox-firewall-guests allow-icmp
> flush chain bridge proxmox-firewall-guests do-reject
> flush chain bridge proxmox-firewall-guests vm-out
> flush chain bridge proxmox-firewall-guests vm-in
> @@ -175,9 +179,16 @@ table inet proxmox-firewall {
> drop
> }
>
> + chain allow-icmp {
> + icmp type { destination-unreachable, source-quench, time-exceeded } accept
> + # based on RFC 4890 - NDP is handled separately
> + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
> + }
> +
> chain default-in {
> iifname "lo" accept
>
> + jump allow-icmp
> ct state related,established accept
>
> meta l4proto igmp accept
> @@ -185,8 +196,6 @@ table inet proxmox-firewall {
> tcp dport { 8006, 5900-5999, 3128, 22 } jump accept-management
> udp dport 5405-5412 accept
>
> - meta l4proto icmp icmp type { destination-unreachable, time-exceeded } accept
> -
> # Drop Microsoft SMB noise
> udp dport { 135, 137-139, 445 } goto do-reject
> udp sport 137 udp dport 1024-65535 goto do-reject
> @@ -203,6 +212,7 @@ table inet proxmox-firewall {
> chain default-out {
> oifname "lo" accept
>
> + jump allow-icmp
> ct state vmap { invalid : drop, established : accept, related : accept }
> }
>
> @@ -284,6 +294,12 @@ table bridge proxmox-firewall-guests {
> icmpv6 type { nd-router-advert, nd-redirect } drop
> }
>
> + chain allow-icmp {
> + icmp type { destination-unreachable, source-quench, time-exceeded } accept
> + # based on RFC 4890 - NDP is handled separately
> + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
> + }
> +
> chain do-reject {
> meta pkttype broadcast drop
> ip saddr 224.0.0.0/4 drop
> @@ -297,12 +313,14 @@ table bridge proxmox-firewall-guests {
>
> chain vm-out {
> type filter hook prerouting priority 0; policy accept;
> + jump allow-icmp
> ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
> iifname vmap @vm-map-out
> }
>
> chain vm-in {
> type filter hook postrouting priority 0; policy accept;
> + jump allow-icmp
> ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
> ether type arp accept
> oifname vmap @vm-map-in
> --
> 2.39.2