From: Bryan Fields <Bryan@bryanfields.net>
To: pve-user@lists.proxmox.com
Subject: Re: [PVE-User] PVE-firewall and multicast with linux bridging
Date: Sun, 29 Jun 2025 04:14:28 -0400
Message-ID: <c617d4af-f8a8-4a84-bbc3-0b7f76fbaf72@bryanfields.net>
In-Reply-To: <8308d4c1-c352-4df2-bd34-9f004f7b3a21@bryanfields.net>
I've got somewhat of a workaround, as it needs to be applied manually each
time the firewall is reset.
The example here lists the devices I want to have this enabled on; the first
command replaces the first rule, and the next ones insert the following rules
at position 2 in the chain.
iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP
As there's no way to exclude multiple interfaces on the iptables command, the
only way to do this is to whitelist interfaces. This should really be how
proxmox does it, asking about connection tracking at the per bridge
level. I do want it on some of the bridges, but on others, it needs to be
optional.
I'm frankly surprised that there's no one else who's run into this as it
appears many issues are caused by this.
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
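The commands above have to be typed again after every firewall reset and will duplicate rules if run twice. The script below is an added example (not code from the post and not part of Proxmox) that applies the same per-bridge whitelist idempotently, so it can be hung off a timer or a pve-firewall restart hook. It assumes, as the post does, that rule 1 of PVEFW-FORWARD is the unconditional "-m conntrack --ctstate INVALID -j DROP" that pve-firewall installs; the bridge names are placeholders for your own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Proxmox.
# Re-applies the poster's workaround idempotently: keep the conntrack
# INVALID drop at the top of PVEFW-FORWARD only for the listed bridges.
# Assumed: rule 1 of PVEFW-FORWARD is pve-firewall's unconditional
# "-m conntrack --ctstate INVALID -j DROP" (the rule the post replaces
# with -R 1); the bridge names below are placeholders for your own.

CHAIN="PVEFW-FORWARD"
BRIDGES="vmbr8 vmbr44 vmbr45 vmbr192 vmbr199"   # bridges that keep the drop

# The generic rule pve-firewall installs, which we want to retire.
GENERIC_RULE="-m conntrack --ctstate INVALID -j DROP"

# Match spec for the per-bridge drop (the rule the post adds with -I 2).
bridge_rule() {
    printf '%s\n' "-m conntrack --ctstate INVALID --in-interface $1 -j DROP"
}

# Print the iptables commands that move the chain from "drop everywhere"
# to "drop on listed bridges only". Text only, so it can be reviewed or
# tested without root. Every per-bridge rule goes in at position 1; their
# order among themselves does not matter (all are DROPs on distinct
# interfaces), they only need to sit above the rules that accept traffic.
# The generic rule is removed last.
render_commands() {
    chain=$1; shift
    for br in "$@"; do
        printf 'iptables -I %s 1 %s\n' "$chain" "$(bridge_rule "$br")"
    done
    printf 'iptables -D %s %s\n' "$chain" "$GENERIC_RULE"
}

# Apply the same change for real, safely re-runnable: -C checks whether a
# rule already exists, so a timer or firewall restart hook can call this
# repeatedly without stacking duplicates. The generic rule is deleted only
# after every per-bridge rule is in place, so a listed bridge never has a
# window in which INVALID packets are accepted.
apply_commands() {
    chain=$1; shift
    for br in "$@"; do
        rule=$(bridge_rule "$br")
        # $rule is unquoted on purpose: iptables needs the words split.
        iptables -C "$chain" $rule 2>/dev/null || iptables -I "$chain" 1 $rule
    done
    if iptables -C "$chain" $GENERIC_RULE 2>/dev/null; then
        iptables -D "$chain" $GENERIC_RULE
    fi
}

# Usage: sh pvefw-invalid-per-bridge.sh          (print the commands)
#        sh pvefw-invalid-per-bridge.sh --apply  (run them as root)
case "${1:-}" in
    --apply) apply_commands "$CHAIN" $BRIDGES ;;
    *)       render_commands "$CHAIN" $BRIDGES ;;
esac
```

Run it without arguments first to see exactly what it would do, then with --apply as root. Because pve-firewall rewrites its chains on restart, the --apply form is the one to schedule; the -C checks make re-running it after the chain has already been fixed a no-op. Note that pve-firewall's host option nf_conntrack_allow_invalid turns the INVALID drop off for the whole host, which is the all-or-nothing behaviour the post is trying to avoid.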
Thread overview: 5+ messages
2025-06-22 6:22 Bryan Fields
2025-06-23 3:53 ` Bryan Fields
2025-06-29 8:14 ` Bryan Fields [this message]
2025-06-30 6:16 ` g.husson_proxmox-pve-user--- via pve-user
2025-07-11 15:10 ` Bryan Fields