From: g.husson_proxmox-pve-user@liberasys.com (via pve-user)
To: pve-user@lists.proxmox.com
Date: Mon, 30 Jun 2025 08:16:48 +0200
Subject: Re: [PVE-User] PVE-firewall and multicast with linux bridging
List-Id: Proxmox VE user list
References: <1d20bc9d-b794-4124-bd47-f7586ab1ccd7@bryanfields.net> <8308d4c1-c352-4df2-bd34-9f004f7b3a21@bryanfields.net>
Hello Bryan,

"It is not a bug, it is a feature" :-)

Look at the documentation:

===
The following traffic is dropped, but not logged even with logging enabled:
- Broadcast, multicast and anycast traffic not related to corosync, i.e., not coming through ports 5405-5412
===

Again, from the documentation:

===
proxmox-firewall will create two tables that are managed by the proxmox-firewall service: proxmox-firewall and proxmox-firewall-guests. If you want to create custom rules that live outside the Proxmox VE firewall configuration you can create your own tables to manage your custom firewall rules. proxmox-firewall will only touch the tables it generates, so you can easily extend and modify the behavior of the proxmox-firewall by adding your own tables.
===

Now you can use rc.local, or crontab @reboot, or better a systemd unit file that starts after the Proxmox VE firewall service, in order to apply the manual rules you found.

Best regards,
Gautier Husson.

On 29/06/2025 10:14, Bryan Fields wrote:
> I've got somewhat of a workaround, as it needs to be applied manually
> each time the firewall is reset.
>
> The example here shows the devices I want to have this enabled on; the
> first command replaces the first rule, and then the next ones insert the
> following rules at position 2 in the chain.
>
> iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
> iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP
>
> As there's no way to exclude multiple interfaces on the iptables
> command, the only way to do this is to whitelist interfaces. This should
> really be how proxmox does it, asking about connection tracking at the
> per-bridge level. I do want it on some of the bridges, but on others, it
> needs to be optional.
>
> I'm frankly surprised that there's no one else who's run into this, as it
> appears many issues are caused by this.

_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
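The script below is an added example for this thread; it is not code from Proxmox or from either poster. It packages the quoted per-bridge workaround (restrict the PVEFW-FORWARD conntrack INVALID drop to a whitelist of bridges) together with the systemd unit the reply suggests, so the rules can be re-applied after pve-firewall starts. Before replacing rule 1 it checks that rule 1 really is the unrestricted INVALID drop, which both prevents clobbering an unrelated rule and makes the script safe to run repeatedly: it refuses to act until pve-firewall has rebuilt its chain. Assumptions not stated on the page: pve-firewall is running its iptables backend (the chain name PVEFW-FORWARD belongs to that backend; the two documentation excerpts quoted above describe the nftables-based proxmox-firewall, whose chains differ and where a table of your own can only add restrictions, since a drop in one nftables table cannot be undone by an accept in another), the exact text of rule 1 as printed by `iptables -S`, the unit name pve-firewall.service, and the install path /usr/local/sbin/pve-bridge-ctstate.sh, which is hypothetical.

```shell
#!/bin/sh
# Added example for this thread, not Proxmox code and not either poster's script.
# Restricts the conntrack INVALID drop in PVEFW-FORWARD to a whitelist of
# bridges (the quoted workaround) and prints a systemd unit ordered after
# pve-firewall.service (the reply's suggestion).
#
# Assumptions: pve-firewall iptables backend; rule 1 of PVEFW-FORWARD is the
# unrestricted "-m conntrack --ctstate INVALID -j DROP"; unit name
# pve-firewall.service; SCRIPT_PATH is a hypothetical install location.
set -eu

CHAIN=PVEFW-FORWARD
SCRIPT_PATH=/usr/local/sbin/pve-bridge-ctstate.sh   # hypothetical

# Accept only plausible Linux interface names (1..15 chars of [A-Za-z0-9_.-]).
# The names become iptables arguments, so refuse anything else.
valid_bridge() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# True when a rule, as printed by `iptables -S $CHAIN 1`, is exactly the
# unrestricted INVALID drop. Anything else (already patched, or a different
# rule entirely) means rule 1 must not be replaced.
is_invalid_drop() {
    [ "$1" = "-A $CHAIN -m conntrack --ctstate INVALID -j DROP" ]
}

# Print the iptables commands for the given bridges, one per line: rule 1 is
# replaced by a drop for the first bridge, the remaining bridges are inserted
# at position 2 (their relative order does not matter, they are all drops).
render_rules() {
    [ $# -ge 1 ] || { echo "usage: render_rules BRIDGE [BRIDGE...]" >&2; return 1; }
    for br in "$@"; do
        valid_bridge "$br" || { echo "invalid interface name: $br" >&2; return 1; }
    done
    first=$1; shift
    printf 'iptables -R %s 1 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$CHAIN" "$first"
    for br in "$@"; do
        printf 'iptables -I %s 2 -m conntrack --ctstate INVALID --in-interface %s -j DROP\n' "$CHAIN" "$br"
    done
}

# Validate, check the live chain, then run the generated commands. Refusing
# when rule 1 is not the plain INVALID drop means a second run never stacks
# rules on an already patched chain; after pve-firewall rebuilds the chain the
# check passes again and the rules are re-applied.
apply_rules() {
    cmds=$(render_rules "$@")            # aborts on a bad bridge name
    rule1=$(iptables -S "$CHAIN" 1)
    if ! is_invalid_drop "$rule1"; then
        echo "refusing to touch $CHAIN: rule 1 is not the unrestricted INVALID drop" >&2
        echo "rule 1 is: $rule1" >&2
        return 1
    fi
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd" >&2
        eval "$cmd"                      # our own validated strings from render_rules
    done
}

# Oneshot unit ordered after pve-firewall.service; bridges are passed through.
print_unit() {
    cat <<EOF
[Unit]
Description=Restrict the ${CHAIN} conntrack INVALID drop to selected bridges
After=pve-firewall.service
Wants=pve-firewall.service

[Service]
Type=oneshot
ExecStart=${SCRIPT_PATH} --apply $*

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    --render) shift; render_rules "$@" ;;   # dry run: print the commands only
    --apply)  shift; apply_rules "$@" ;;    # needs root and the iptables backend
    --unit)   shift; print_unit "$@" ;;     # print a unit file for these bridges
esac
```

Usage: `sh pve-bridge-ctstate.sh --render vmbr8 vmbr44 vmbr45` shows what would be run; `--unit vmbr8 vmbr44 vmbr45 > /etc/systemd/system/pve-bridge-ctstate.service` followed by `systemctl enable` installs the oneshot. Because the unit only runs at boot (and on manual restart), the rules still disappear whenever pve-firewall rewrites PVEFW-FORWARD, which is the limitation Bryan describes; the check on rule 1 is what lets you simply rerun the service at that point.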