From: alexandre derumier
To: Proxmox VE development discussion, pve-devel
Date: Mon, 13 Sep 2021 19:43:53 +0200
Subject: Re: [pve-devel] hetzner bug with pve-firewall
In-Reply-To: <1631270573.jrcuq0ah6s.astroid@nora.none>
References: <1631270573.jrcuq0ah6s.astroid@nora.none>
User-Agent: Evolution 3.40.4
List-Id: Proxmox VE development discussion
Hi,

> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=d9e7522b561ceb323e93affb29c9fced89fed967
>
> would just require a bump + upload

Is it possible to backport it to PVE 6? (I have seen 2 users on the forum requesting it.)

On Friday, 10 September 2021 at 12:43 +0200, Fabian Grünbichler wrote:
> On September 10, 2021 12:31 pm, alexandre derumier wrote:
> > Hi,
> >
> > multiple users have reported problems with Hetzner in bridged mode this
> > week and pve-firewall
> > https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/
> > https://forum.proxmox.com/threads/mac-address-abuse-report.95656/
> >
> > It seems that Hetzner has bugs or is under attack, but they are flooding
> > traffic to Proxmox nodes with the wrong MAC/IP destination.
> >
> > The problem is that if users use pve-firewall with reject rules, the
> > RST packet is sent with the wrong MAC/IP as source,
> >
> > and then Hetzner is blocking the users' server ....
> >
> >
> > I'm looking to see if we could add filtering at the ebtables level, to
> > drop wrong MAC destinations.
> >
> > But there is also another problem: if users use DROP as default action,
> > we have a default REJECT for whois port 53.
> >
> > 'PVEFW-Drop' => [
> >    # same as shorewall 'Drop', which is equal to DROP,
> >    # but REJECT/DROP some packages to reduce logging,
> >    # and ACCEPT critical ICMP types
> >    { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
> >
> > Does somebody know why we do a reject here? Could it be changed to
> > drop?
>
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=d9e7522b561ceb323e93affb29c9fced89fed967
>
> would just require a bump + upload
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
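To make the failure mode discussed in this thread concrete, here is an added Python model written for this discussion (it is not pve-firewall code). It mirrors only the quoted PVEFW-Drop rule (REJECT for tcp dport 43, DROP for everything else), builds the RST reply the way the thread describes it (the reply's source is the original packet's destination), and shows how a link-layer destination-MAC pre-filter, like the ebtables filtering proposed above, stops the node from emitting a packet sourced from a foreign MAC/IP. All MACs and IPs below are constructed sample values, not addresses from the thread.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values (assumptions, not from the thread): the node
# owns one bridge-port MAC and one public IP.
LOCAL_MACS = {"52:54:00:aa:bb:01"}
LOCAL_IPS = {"203.0.113.10"}


@dataclass(frozen=True)
class Frame:
    """Minimal L2/L3/L4 view of a frame arriving on the bridge."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: str = "SYN"


def mac_prefilter_passes(frame: Frame, local_macs=LOCAL_MACS) -> bool:
    """Link-layer check proposed in the thread, modelled as an ebtables-style
    rule: only frames actually addressed to one of our MACs get through."""
    return frame.dst_mac.lower() in {m.lower() for m in local_macs}


def pvefw_drop_verdict(frame: Frame) -> str:
    """Mirror of the single quoted PVEFW-Drop rule: tcp/43 is REJECTed,
    everything else falls through to DROP."""
    if frame.proto == "tcp" and frame.dport == 43:
        return "REJECT"
    return "DROP"


def reject_reply(frame: Frame) -> Frame:
    """A REJECT answers with a TCP RST built by swapping the original
    addresses, so the reply's source is whatever the packet was sent *to*.
    This follows the behaviour the thread describes for bridged traffic."""
    return Frame(src_mac=frame.dst_mac, dst_mac=frame.src_mac,
                 src_ip=frame.dst_ip, dst_ip=frame.src_ip,
                 proto="tcp", dport=0, flags="RST")


def process(frame: Frame, mac_prefilter: bool) -> Tuple[str, Optional[Frame]]:
    """Run one frame through the (optional) MAC pre-filter and then the
    PVEFW-Drop model. Returns (verdict, emitted reply or None)."""
    if mac_prefilter and not mac_prefilter_passes(frame):
        return "DROP", None          # silently dropped before iptables sees it
    verdict = pvefw_drop_verdict(frame)
    reply = reject_reply(frame) if verdict == "REJECT" else None
    return verdict, reply


def spoofs_foreign_source(reply: Optional[Frame],
                          local_macs=LOCAL_MACS, local_ips=LOCAL_IPS) -> bool:
    """True when the node would emit a packet whose source MAC or IP is not
    its own, which is exactly what a provider's MAC-abuse detection flags."""
    if reply is None:
        return False
    return reply.src_mac not in local_macs or reply.src_ip not in local_ips


# Constructed traffic: one frame misdirected to a MAC/IP we do not own
# (the flood described in the thread) and one frame legitimately addressed
# to the node, both hitting the REJECTed whois port.
MISDIRECTED = Frame("00:11:22:33:44:55", "de:ad:be:ef:00:01",
                    "198.51.100.7", "198.51.100.99", "tcp", 43)
LEGIT = Frame("00:11:22:33:44:55", "52:54:00:aa:bb:01",
              "198.51.100.7", "203.0.113.10", "tcp", 43)

if __name__ == "__main__":
    for name, frame in (("misdirected", MISDIRECTED), ("legit", LEGIT)):
        for pre in (False, True):
            verdict, reply = process(frame, pre)
            print(f"{name:11} prefilter={pre!s:5} verdict={verdict:6} "
                  f"spoofs_foreign_source={spoofs_foreign_source(reply)}")
```

Without the pre-filter the misdirected tcp/43 frame produces an RST whose source MAC and IP belong to someone else; with the pre-filter it is dropped before the REJECT rule is reached, while legitimately addressed traffic still gets its RST from the node's own addresses. Changing the rule itself from REJECT to DROP would remove the reply for the whois case, but the pre-filter also covers any other REJECT rule a user configures.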