From: alexandre derumier
To: pve-devel
Date: Fri, 10 Sep 2021 12:31:17 +0200
Subject: [pve-devel] hetzner bug with pve-firewall
List-Id: Proxmox VE development discussion

Hi,

multiple users have reported problems with Hetzner in bridged mode and pve-firewall this week:

https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/
https://forum.proxmox.com/threads/mac-address-abuse-report.95656/

It seems that Hetzner has bugs or is under attack, but they are flooding traffic to Proxmox nodes with the wrong MAC/IP destination.

The problem is that if users use pve-firewall with reject rules, the RST packet is sent with the wrong MAC/IP as source, and then Hetzner blocks the users' server ....

I'm looking to see if we could add filtering at the ebtables level, to drop frames with a wrong destination MAC.

But there is also another problem: if the user uses DROP as the default action, we have a default REJECT for whois port 53.

    'PVEFW-Drop' => [
        # same as shorewall 'Drop', which is equal to DROP,
        # but REJECT/DROP some packages to reduce logging,
        # and ACCEPT critical ICMP types
        { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'

Does somebody know why we do a reject here? Could it be changed to drop?
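As an added illustration of the ebtables-level filter the message considers (this is example code written for this page, not pve-firewall's own code or anything the author posted): a small POSIX sh generator that prints ebtables commands dropping every frame that enters from the uplink whose destination MAC is neither the host's, one of the guests' Hetzner-registered MACs, broadcast, nor multicast. Because the frame is dropped in the ebtables FORWARD/INPUT hooks, which run before br_netfilter hands the packet to iptables, no PVEFW REJECT rule ever sees it and no RST carrying the foreign MAC/IP as source is generated. The uplink name `enp0s31f6`, the chain name `DSTMAC-GUARD` and the MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not pve-firewall code: emit ebtables commands that drop frames
# entering from the uplink whose destination MAC is not the host's, not one of
# the guests' Hetzner-registered MACs, and not broadcast/multicast.
# The chain name and the interface/MAC values are constructed placeholders.
set -eu

CHAIN="DSTMAC-GUARD"   # hypothetical chain name, not one pve-firewall uses

# is_mac: true if $1 looks like a colon-separated 48-bit MAC address
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# gen_dstmac_rules UPLINK MAC...: print the ebtables commands to stdout.
# The first MAC is the host's own; the rest belong to the guests.
# Frames for a MAC not in the list never reach iptables, so no REJECT rule
# can answer them with an RST that carries that foreign MAC/IP as source.
gen_dstmac_rules() {
    uplink="$1"; shift
    [ "$#" -ge 1 ] || { echo "need at least the host MAC" >&2; return 1; }
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    echo "ebtables -t filter -N $CHAIN"
    # anything not explicitly RETURNed below falls through to the chain policy
    echo "ebtables -t filter -P $CHAIN DROP"
    # broadcast (ARP requests) and multicast (NDP, IPv6 RA, mDNS) must pass
    echo "ebtables -t filter -A $CHAIN -d Broadcast -j RETURN"
    echo "ebtables -t filter -A $CHAIN -d Multicast -j RETURN"
    for mac in "$@"; do
        echo "ebtables -t filter -A $CHAIN -d $mac -j RETURN"
    done
    # frames bridged to guests (FORWARD) and frames for the host itself (INPUT)
    # both enter on the uplink; check them before br_netfilter reaches iptables
    echo "ebtables -t filter -I FORWARD 1 -i $uplink -j $CHAIN"
    echo "ebtables -t filter -I INPUT 1 -i $uplink -j $CHAIN"
}

# Usage (constructed values): host MAC first, then the guests' MACs.
#   gen_dstmac_rules enp0s31f6 a8:a1:59:00:00:01 00:50:56:00:00:02 | sh
```

Two caveats before using anything like this on a real node: the guest MAC list must be kept in sync with the VMs actually running (a new guest whose MAC is missing from the list would silently lose all unicast traffic from the uplink), and pve-firewall manages the ebtables filter table itself when its `ebtables` option is enabled, so check on the target host whether a user-defined chain survives a firewall reload or whether the rules need to live inside pve-firewall's own ruleset generation.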