From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bryan Fields
To: pve-user@lists.proxmox.com
Date: Sun, 29 Jun 2025 04:14:28 -0400
In-Reply-To: <8308d4c1-c352-4df2-bd34-9f004f7b3a21@bryanfields.net>
Subject: Re: [PVE-User] PVE-firewall and multicast with linux bridging

I've got somewhat of a workaround, as it needs to be applied manually each time the firewall is reset. The example here is for the devices I want to have this enabled on: the first command replaces the first rule, and then the next ones insert the following rules at position 2 in the chain.

  iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
  iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
  iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
  iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
  iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP

As there's no way to exclude multiple interfaces on the iptables command, the only way to do this is to whitelist interfaces. This should really be how Proxmox does it, asking about connection tracking at the per-bridge level. I do want it on some of the bridges, but on others it needs to be optional.

I'm frankly surprised that there's no one else who's run into this, as it appears many issues are caused by this.

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
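One way to script the per-bridge whitelist described in the post so it can be re-applied after each firewall reset without being added twice (an added example, not code from the post or from Proxmox; it assumes the PVEFW-FORWARD chain exists, that `iptables -S` prints the interface before the conntrack match, and uses the bridge names from the post as sample values):

```shell
#!/bin/sh
# Added example, not from the original post: script the per-bridge
# INVALID-state DROP whitelist so it can be re-applied after a firewall
# reset. Assumes the PVEFW-FORWARD chain exists (as in the post); the
# bridge list is a sample taken from the post.
BRIDGES="vmbr8 vmbr44 vmbr45 vmbr192 vmbr199"

# Print one iptables command per bridge, in the same shape as the post:
# the first bridge replaces rule 1, every further bridge is inserted at
# position 2 (so later bridges end up above earlier ones in the chain).
gen_invalid_drop_rules() {
    first=1
    for br in "$@"; do
        if [ "$first" -eq 1 ]; then
            printf 'iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
            first=0
        else
            printf 'iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$br"
        fi
    done
}

# Read `iptables -S PVEFW-FORWARD` output on stdin and count the per-bridge
# INVALID DROP rules already present (assumed iptables-save line shape:
# "-A PVEFW-FORWARD -i vmbrN -m conntrack --ctstate INVALID -j DROP").
count_invalid_drop_rules() {
    grep -c -e '^-A PVEFW-FORWARD -i [^ ]* -m conntrack --ctstate INVALID -j DROP$' || true
}

# Apply the rules only if none are present yet (needs root), so running
# this from a cron job or after pve-firewall restarts stays idempotent.
apply_invalid_drop_rules() {
    present=$(iptables -S PVEFW-FORWARD | count_invalid_drop_rules)
    if [ "$present" -gt 0 ]; then
        echo "PVEFW-FORWARD already has $present per-bridge INVALID DROP rules; nothing to do" >&2
        return 0
    fi
    gen_invalid_drop_rules "$@" | sh -e
}

case "${1:-}" in
    apply) apply_invalid_drop_rules $BRIDGES ;;   # word-splitting of $BRIDGES is intended
    *)     gen_invalid_drop_rules $BRIDGES ;;     # default: dry run, just print the commands
esac
```

Run it without arguments to see the commands it would issue; `apply` executes them as root.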