Problems with pve-firewall

cesarpk (Well-Known Member), Mar 31, 2012
Hi everybody

I have a problem with pve-firewall and need help.

A question:
Can "pve-firewall" work with OVS + network bonding + KVM VMs?

On the other hand, this is my problem:
In the PVE GUI I have changed all the default policies of the pve-firewall to "accept" (datacenter, PVE hosts, and VMs); finally, in the network configuration of a KVM VM, I have enabled the firewall option.

Unfortunately, after this the VM cannot send or receive pings, i.e. the VM is totally isolated, until I disable the firewall on the virtual NIC.

My target is really very simple: that the VMs have no communication with the PVE hosts nor with the IP address of the corosync cluster, and from the beginning of the configuration I get these strange problems.

Some data of my setup:
- I have configured 2 NICs with OVS with active-backup bonding.
- The same NICs for the PVE host must be used for the network of the VMs.

Can anybody help me?

Best regards
Cesar
 
Hi everybody

About my previous post, I was thinking that another possible solution could be the use of "ACLs" in OVS; the idea is that the ACL is based on IP address, in order to then add restrictive rules in OVS based on these ACLs.

But unfortunately I don't know how to do it; I have been searching the documentation for many days without any success.

Can anybody tell me how to do it?

Best regards
Cesar
 
Hi,

Yes the firewall is working with OVS without any problem.

(In the background, a special linux bridge is created, something like OVS BRIDGE (vmbr)----linux bridge (fwbr)----vm tap interface.)

Can you send the result of

#ovs-vsctl show

#brctl show

#iptables-save


and tell what is your vmid.
 
Hi spirit

Thanks for your answer, but I have a serious problem; please read above in this thread the underlined text that says "On the other hand, this is my problem:" and the following lines.

Best regards
Cesar

Re-edited:
Excuse my distractibility, my vmid is 100 (I am testing).

And these are the results of the commands:
shell> ovs-vsctl show
89ba5791-1bf4-435c-b850-ac1e24d808ea
Bridge "vmbr0"
Port "vmbr0"
Interface "vmbr0"
type: internal
Port management
Interface management
type: internal
Port "bond0"
Interface "eth1"
Interface "eth0"
ovs_version: "2.3.0"

shell> brctl show
bridge name bridge id STP enabled interfaces
fwbr101i0 8000.0afe7ed9c851 no fwln101o0
tap101i0

shell> iptables-save
Code:
# Generated by iptables-save v1.4.14 on Mon Oct 27 11:51:50 2014
*mangle
:PREROUTING ACCEPT [39799:7349287]
:INPUT ACCEPT [39759:7341181]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41144:10044644]
:POSTROUTING ACCEPT [41144:10044644]
COMMIT
# Completed on Mon Oct 27 11:51:50 2014
# Generated by iptables-save v1.4.14 on Mon Oct 27 11:51:50 2014
*filter
:INPUT ACCEPT [27:1626]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [145:18235]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:EqTnWXObv/2sm0UCQAKlplAl6+Y"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap101i0 --physdev-is-bridged -j tap101i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:dI33MxJuclqV5jHvm1O7Pltown0"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap101i0 --physdev-is-bridged -j tap101i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:z927+M+xgUHDc7LMmZ4kxp7luto"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -d 10.0.0.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 10.0.0.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:DSpIVSMjTabTu95UQLLHuUHFBXU"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 10.0.0.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 10.0.0.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 10.0.0.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 10.0.0.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 10.0.0.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:6+2NqGrC481bKcNjgNFtnnOo86I"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:BzyYmT9DMHVl0mK5gEk9RnLGABY"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:XDfaZCom19bXI72jfvIdmv5V9DM"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -m comment --comment "PVESIG:TVxJ2yaUbjuO4uGIEwWIkLrzqXo"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap101i0-IN -j ACCEPT
-A tap101i0-IN -m comment --comment "PVESIG:vFRc81J//67r5K5o3Acn3Vgqfh0"
-A tap101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m mac ! --mac-source 06:3C:9C:D0:68:2D -j DROP
-A tap101i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m comment --comment "PVESIG:AwulBy9gkfWQh8IlNTB7nQA+VEY"
COMMIT
# Completed on Mon Oct 27 11:51:50 2014
 
Hi Spirit

In the previous post I have responded to all your questions.

But now I have new questions (apart from the more important one above) about the iptables in PVE:
2) What does "PVEFW-Drop" mean? (i.e., is it for input and output network packets in the PVE host?)
3) As I see a rule that says "PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP", should I think that if I want to share folders on my Windows workstation (for example an ISO file) and copy them to my PVE host, I will never be able to perform this task? Or can I add a rule via the PVE GUI to accept this communication and get a successful copy (of my ISO file in this case)?
4) If I don't want my VMs to receive the multicast packets of the PVE cluster, should I add the rule? Or is this rule already added in the pve-firewall? And if so, which is this rule?
5) Can you or somebody add to the pve-firewall wiki the complete list of rules that are in drop mode by default, and how to fix it in special cases where an accept rule is necessary, and have it enabled permanently?

Best regards
Cesar
 
Hello Cesar

My target is really very simple: that the VMs have no communication with the PVE hosts nor with the IP address of the corosync cluster, and from the beginning of the configuration I get these strange problems.

Some data of my setup:
- I have configured 2 NICs with OVS with active-backup bonding.
- The same NICs for the PVE host must be used for the network of the VMs.

What I understand is you want to have something like separate networks:

- one for cluster and Proxmox host communication
- one for (communication between) VMs

To achieve just this (without thinking about other networks, see below) you can connect the VMs to a VLAN which runs tagged across the physical NICs and untagged to the virtual NICs of the VMs. Add the virtual network cards to the OVS bridge and specify a VLAN number. Important: your network infrastructure (switches) must support VLAN tags!

The question remains whether and how these two networks have to communicate with other / external networks (internet). For this a firewall will be useful, but how to configure it depends on the details of how your two networks mentioned above are routed to these networks. Generally speaking, I think it's sufficient to activate the firewall for Datacenter and Host but not for VMs (you want to restrict access to hosts from VMs and not the other way round).

Kind regards

Mr.Holmes
 
Hi Mr.Holmes
Thanks for your reply

I have a set of problems:

1) If I want to enable the firewall on the virtual NIC of the VM, it is because I want to avoid these things:
1A) The VMs receive the multicast packets of the PVE hosts.
1B) For security reasons, avoid the network communication between PVE hosts and the VMs.

Thinking that it would be easy to add these firewall rules to the VM (combined with ipsets), I think the firewall rules should be added to the VM and not to the PVE host.

2) On the other hand, when I add VLAN1 to the PVE host (by Web GUI), this PVE host is completely isolated, and my switch has all ports in VLAN1, so I don't understand what is going on.

To be more clear, these are now my setups:
- In switches: all ports are in VLAN1.
- In servers: VMs and PVE hosts go out through the same physical NICs and without VLAN configuration.

And these are my targets:
- VMs don't receive the multicast packets of the PVE hosts (I know the port numbers and the IP address of the PVE cluster to make the restrictive rule).
- Workstations of the LAN don't receive the multicast packets of the PVE hosts (I have solved this with configurations in the switch).
- PVE hosts must receive the multicast packets of the PVE hosts (I have solved this with configurations in the switch).
- Avoid network communication between PVE hosts and VMs across the whole server park (I believe that an IPset in the datacenter will be a great help to simplify the work).
- All the workstations of the LAN should have network communication with all PVE hosts and VMs.

A target that can be excluded: that I can do all configurations via the PVE GUI (this way, it will be easier to do the controls).

If you can help me with these targets, I'll be extremely grateful.

Best regards
Cesar Peschiera
 
Hello,

I also have problems with the firewall settings of a virtual machine.
The cluster and node firewalls are working as expected.
The VM is completely blocked when I activate the firewall under "VM/hardware/network device".
No rules are accepted. Accepting the input policy under "firewall/options/input policy" is not successful.
I also use the OVS.

Any ideas?

fluxx
 
shell> ovs-vsctl show
89ba5791-1bf4-435c-b850-ac1e24d808ea
Bridge "vmbr0"
Port "vmbr0"
Interface "vmbr0"
type: internal
Port management
Interface management
type: internal
Port "bond0"
Interface "eth1"
Interface "eth0"
ovs_version: "2.3.0"

shell> brctl show
bridge name bridge id STP enabled interfaces
fwbr101i0 8000.0afe7ed9c851 no fwln101o0
tap101i0



I'm not sure, but something seem to be missing.

when enabling firewall with ovs, it's create a linux bridge connected to the ovs through a new ovsint port

vmbr0 (ovs bridge)-------fwln101o0 (ovsintport)------fwbr101i0 (linux bridge)-----tap101i0



I don't see the
fwln101o0 in ovs-vsctl show ?????
 
Same as for Cesar,

please post the output of

#iptables-save
#ovs-vsctl show
#brctl show

and tell me your vmid
 
Hi spirit,

the VMID is 103. Thank you.

fluxx

# Generated by iptables-save v1.4.14 on Sun Nov 2 21:26:45 2014
*mangle
:PREROUTING ACCEPT [69234:22316233]
:INPUT ACCEPT [68854:22129063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90006:24924061]
:POSTROUTING ACCEPT [90006:24924061]
COMMIT
# Completed on Sun Nov 2 21:26:45 2014
# Generated by iptables-save v1.4.14 on Sun Nov 2 21:26:45 2014
*filter
:INPUT ACCEPT [4:188]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:240]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:fail2ban-proxmox3 - [0:0]
:fail2ban-ssh - [0:0]
:tap103i0-IN - [0:0]
:tap103i0-OUT - [0:0]
-A INPUT -p tcp -m multiport --dports 443,80,8006 -j fail2ban-proxmox3
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:ff"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:ff"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:ff"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap103i0 --physdev-is-bridged -j tap103i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:ff"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap103i0 --physdev-is-bridged -j tap103i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:ff"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 192.168.147.0/24 -d 192.168.147.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.147.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:ff"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 192.168.147.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.147.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.147.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.147.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.147.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:ff"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:ff"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:ff"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:ff"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:ff"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -m comment --comment "PVESIG:ff"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:ff"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ff"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:ff"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:ff"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:ff"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:ff"
-A fail2ban-proxmox3 -j RETURN
-A fail2ban-ssh -j RETURN
-A tap103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap103i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap103i0-IN -j ACCEPT
-A tap103i0-IN -m comment --comment "PVESIG:ff"
-A tap103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap103i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap103i0-OUT -m comment --comment "PVESIG:ff"
COMMIT
# Completed on Sun Nov 2 21:26:45 2014

ovs-vsctl show:

Bridge "vmbr0"
Port "tap102i0"
Interface "tap102i0"
Port "vmbr0"
Interface "vmbr0"
type: internal
Port "tap101i0"
Interface "tap101i0"
Port "eth0"
Interface "eth0"
Port "fwln103o0"
Interface "fwln103o0"
type: internal
Bridge "vmbr1"
Port "tap100i0"
Interface "tap100i0"
Port "vmbr1"
Interface "vmbr1"
type: internal
Port "eth1"
Interface "eth1"
ovs_version: "2.3.0"

brctl show:

bridge name bridge id STP enabled interfaces
fwbr103i0 8000.ff no fwln103o0
tap103i0
 
Ok, the ovs-vsctl show and brctl show seem to be ok

Code:
vmbr0(ovs)<---fwln103o0(ovs intport)--->fwbr103i0 (linux bridge)<-----tap103i0

Now for the vm rules, the chain list is:

Code:
-A FORWARD -j PVEFW-FORWARD
     -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
                  -A PVEFW-FWBR-IN -m physdev --physdev-out tap103i0 --physdev-is-bridged -j tap103i0-IN
                               -A tap103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
                               -A tap103i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
                               -A tap103i0-IN -j ACCEPT

     -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
                  -A PVEFW-FWBR-OUT -m physdev --physdev-in tap103i0 --physdev-is-bridged -j tap103i0-OUT
                               -A tap103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
                               -A tap103i0-OUT -j MARK --set-xmark 0x0/0xffffffff
                               -A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK

So all seems to be ok; the default rule is ACCEPT.

Which kernel do you use? 2.6.32 or 3.10?

It could be an OVS bug with 2.6.32.
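A way to automate the check spirit walks through in this thread (the vmbr/fwln/fwbr/tap plumbing from his earlier diagram, and the FORWARD -> PVEFW-FORWARD -> PVEFW-FWBR-* -> tap chain list above), as an added example that is not part of the thread and not Proxmox code: it parses the text of the three commands and reports what is missing for a VMID. The sample inputs are constructed, abbreviated from the outputs posted here (Cesar's, where the OVS port is absent, and fluxx's, where it is present).

```python
"""Added example (not Proxmox code): check the pve-firewall datapath for one VM.

With OVS the firewall needs, per spirit's diagram,
  vmbr0 (OVS) <-- fwln<VMID>o0 (OVS intport) --> fwbr<VMID>i0 (linux bridge) <-- tap<VMID>i0
plus the tap<VMID>i0-IN/-OUT chains that PVEFW-FORWARD reaches via PVEFW-FWBR-IN/-OUT.
The functions below parse the text of `ovs-vsctl show`, `brctl show` and
`iptables-save` and report which of those pieces are present for a VMID.
"""
import re

def ovs_has_port(ovs_show: str, name: str) -> bool:
    """True if `ovs-vsctl show` lists a port called `name` on any bridge."""
    return re.search(rf'^\s*Port "?{re.escape(name)}"?\s*$', ovs_show, re.M) is not None

def brctl_members(brctl_show: str, bridge: str) -> set:
    """Interfaces attached to `bridge` in `brctl show` output: the first member is
    printed on the bridge's own line, further members on lines holding only a name."""
    members, current = set(), None
    for line in brctl_show.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 3:                    # bridge line: name, id, STP[, member]
            current = parts[0]
            if current == bridge and len(parts) == 4:
                members.add(parts[3])
        elif len(parts) == 1 and current == bridge:
            members.add(parts[0])
    return members

def chain_rules(iptables_save: str, chain: str) -> list:
    """Rules appended to `chain` in the filter table, in ruleset order."""
    rules, in_filter = [], False
    for line in iptables_save.splitlines():
        if line.startswith('*'):
            in_filter = line.strip() == '*filter'
        elif in_filter and line.startswith(f'-A {chain} '):
            rules.append(line)
    return rules

def fallback_target(rules: list, chain: str):
    """Target of the first rule in `chain` that carries no match, i.e. the verdict
    a packet gets once every conditional rule has failed; None if there is none."""
    for rule in rules:
        tokens = rule[len(f'-A {chain} '):].split()
        if len(tokens) == 2 and tokens[0] in ('-j', '-g'):
            return tokens[1]
    return None

def check_vm_firewall(vmid: int, ovs_show: str, brctl_show: str, iptables_save: str) -> dict:
    """'datapath_ok' is True only when every link in the diagram and both tap chains exist."""
    fwln, fwbr, tap = f'fwln{vmid}o0', f'fwbr{vmid}i0', f'tap{vmid}i0'
    members = brctl_members(brctl_show, fwbr)
    rules_in = chain_rules(iptables_save, f'{tap}-IN')
    report = {
        'ovs_intport': ovs_has_port(ovs_show, fwln),  # the piece missing in Cesar's output
        'fwbr_has_fwln': fwln in members,
        'fwbr_has_tap': tap in members,
        'chain_in': bool(rules_in),
        'chain_out': bool(chain_rules(iptables_save, f'{tap}-OUT')),
        'in_fallback': fallback_target(rules_in, f'{tap}-IN'),
    }
    report['datapath_ok'] = all(report[k] for k in
                                ('ovs_intport', 'fwbr_has_fwln', 'fwbr_has_tap', 'chain_in', 'chain_out'))
    return report

# Constructed sample inputs, abbreviated from the outputs posted in the thread.
OVS_CESAR = ('Bridge "vmbr0"\n    Port "vmbr0"\n        Interface "vmbr0"\n'
             '            type: internal\n    Port "bond0"\n        Interface "eth1"\n'
             '        Interface "eth0"\n')
OVS_FLUXX = OVS_CESAR + '    Port "fwln103o0"\n        Interface "fwln103o0"\n            type: internal\n'
BRCTL = ('bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
         'fwbr{v}i0\t\t8000.0afe7ed9c851\tno\t\tfwln{v}o0\n\t\t\t\t\t\t\ttap{v}i0\n')
IPT = ('*filter\n:FORWARD ACCEPT [0:0]\n:tap{v}i0-IN - [0:0]\n:tap{v}i0-OUT - [0:0]\n'
       '-A FORWARD -j PVEFW-FORWARD\n'
       '-A tap{v}i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT\n'
       '-A tap{v}i0-IN -j ACCEPT\n'
       '-A tap{v}i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK\n'
       '-A tap{v}i0-OUT -g PVEFW-SET-ACCEPT-MARK\nCOMMIT\n')

if __name__ == '__main__':
    for label, vmid, ovs in (('cesar', 101, OVS_CESAR), ('fluxx', 103, OVS_FLUXX)):
        print(label, check_vm_firewall(vmid, ovs, BRCTL.format(v=vmid), IPT.format(v=vmid)))
```

On a real host, feed it the captured output of the three commands (run as root) and a VMID; a report with `ovs_intport` False but the fwbr members present is exactly the state spirit spotted in Cesar's output.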
 
Unfortunately no bug with kernel 2.6.32.
The update of the kernel to version 3.10 brought no success. Same behaviour.
 