Cannot block ping?

ozgurerdogan

Renowned Member
May 2, 2010
604
5
83
Bursa, Turkey, Turkey
Why is ping not being blocked:

1.1.1.1 is the IP in the KVM guest and 2.2.2.2 is the IP that I want to block ping from. But ping is always available.

Code:
[OPTIONS]

log_level_in: debug
enable: 1
policy_in: ACCEPT
log_level_out: debug

[RULES]

IN Ping(REJECT) -i net0 -source 1.1.1.1 -dest 2.2.2.2 
OUT Ping(REJECT) -i net0 -source 1.1.1.1 -dest 2.2.2.2 
IN Ping(REJECT) -i net0 -source 2.2.2.2 -dest 1.1.1.1 
OUT Ping(REJECT) -i net0 -source 2.2.2.2 -dest 1.1.1.1


Code:
root@vztl3:~# pve-firewall status
Status: disabled/running
 
After that I lost all connection to the node. Is that because the default in policy is reject?


You can stop the firewall with /etc/init.d/pve-firewall stop


You can disable the host firewall in host->firewall->options, then enable datacenter->firewall-options.

Datacenter rules are applied to all host firewalls of the cluster, but you can manage each rule on each host if you want.
 
OK, now at the datacenter level it is enabled, and the default policy for in and out is ACCEPT.
At the node level it is disabled because I want to enable the firewall for one KVM only.


At the KVM level, I enabled it in the network options and added these rules. But I can still ping the KVM.

Code:
[OPTIONS]

enable: 1
log_level_in: debug
policy_in: ACCEPT
log_level_out: debug

[RULES]

OUT Ping(DROP) -i net0 -source 1.1.1.1 -dest 2.2.2.2
OUT Ping(DROP) -i net0 -source 2.2.2.2 -dest 1.1.1.1
IN Ping(DROP) -i net0 -source 1.1.1.1 -dest 2.2.2.2
IN Ping(DROP) -i net0 -source 2.2.2.2 -dest 1.1.1.1
 
Yes, I enabled it for the network interface. Lots of these strings. But I do not see the IP of the PC that I ping from. So strange...

Code:
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=8.0.16.136 DST=1.1.1.1 LEN=79 TOS=0x00 PREC=0x00 TTL=48 ID=12193 PROTO=UDP SPT=42186 DPT=53 LEN=59
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=212.72.53.207 DST=1.1.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=41420 PROTO=UDP SPT=26901 DPT=53 LEN=56
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=5.46.120.110 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=41908 DF PROTO=TCP SPT=6007 DPT=80 SEQ=221237477 ACK=0 WINDOW=65535 SYN
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.183.145 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=35 ID=63248 PROTO=UDP SPT=36587 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.72.17 DST=1.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=33 ID=22780 PROTO=UDP SPT=62111 DPT=53 LEN=62
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.146 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=11827 PROTO=UDP SPT=49975 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.72.16 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=33986 PROTO=UDP SPT=43946 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.80 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=20628 PROTO=UDP SPT=52752 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.18 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=62856 PROTO=UDP SPT=62473 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.144 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=11336 PROTO=UDP SPT=39200 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.19 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=64845 PROTO=UDP SPT=37439 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.73.146 DST=1.1.1.1 LEN=73 TOS=0x00 PREC=0x00 TTL=42 ID=33189 PROTO=UDP SPT=38173 DPT=53 LEN=53
 
1. What do I enter in the interface section? It seems to only accept net0.

2. And also, what should I choose as the log level?

3. Is it OK to disable the firewall at the node level but enable it at the datacenter AND KVM level?

4. Do I need to restart anything to make changes?
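The log dump above never shows the pinging PC because every logged packet is a DNS (UDP/53) or HTTP (TCP/80) drop, not ICMP. The parser below is an added example, not Proxmox code, for the "vmid ruleid chain timestamp action: key=value ..." line format shown in the thread; it embeds three lines copied from the log plus one constructed ICMP line (the TYPE=/CODE=/SEQ= fields follow the kernel's nf_log format for ICMP, and the 2.2.2.2 source and ICMP id 4242 are made up) so you can see what a dropped echo request would look like among the DNS noise.

```python
import re
from collections import Counter

# Three lines copied from the thread's firewall log, plus one CONSTRUCTED line
# (the last one) showing how a dropped ICMP echo request from 2.2.2.2 would
# appear in the same format. The thread's own log contains no ICMP line at all.
SAMPLE_LOG = """\
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=8.0.16.136 DST=1.1.1.1 LEN=79 TOS=0x00 PREC=0x00 TTL=48 ID=12193 PROTO=UDP SPT=42186 DPT=53 LEN=59
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=5.46.120.110 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=41908 DF PROTO=TCP SPT=6007 DPT=80 SEQ=221237477 ACK=0 WINDOW=65535 SYN
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.73.146 DST=1.1.1.1 LEN=73 TOS=0x00 PREC=0x00 TTL=42 ID=33189 PROTO=UDP SPT=38173 DPT=53 LEN=53
107 7 tap107i0-IN 10/Oct/2014:17:59:22 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=2.2.2.2 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""

# <vmid> <rule id> <chain> <timestamp> <action>: <key=value and flag tokens>
_PREFIX = re.compile(
    r"^(?P<vmid>\d+) (?P<ruleid>\d+) (?P<chain>\S+) "
    r"(?P<ts>\S+ [+-]\d{4}) (?P<action>[^:]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            base, value = tok.split("=", 1)
            # The kernel prints some keys twice (IP LEN then UDP LEN, IP ID then
            # ICMP ID): keep the first under the bare key, later ones as KEY2, KEY3, ...
            key, n = base, 1
            while key in fields:
                n += 1
                key = f"{base}{n}"
            fields[key] = value
        else:
            flags.add(tok)  # bare tokens such as DF or SYN
    return {
        "vmid": int(m.group("vmid")),
        "ruleid": int(m.group("ruleid")),
        "chain": m.group("chain"),
        "timestamp": m.group("ts"),
        "action": m.group("action"),
        "fields": fields,
        "flags": flags,
    }


def parse_log(text):
    """Parse every well-formed line of a firewall log dump."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Count logged packets by (protocol, destination port); ICMP is keyed by type."""
    counts = Counter()
    for e in entries:
        f = e["fields"]
        counts[(f.get("PROTO"), f.get("DPT") or f.get("TYPE"))] += 1
    return counts


def dropped_pings_from(entries, src):
    """Entries that are ICMP echo requests (type 8) from the given source address."""
    return [
        e for e in entries
        if e["fields"].get("PROTO") == "ICMP"
        and e["fields"].get("TYPE") == "8"
        and e["fields"].get("SRC") == src
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (proto, port), n in sorted(summarize(entries).items()):
        print(f"{proto:5} {port:>4}: {n} logged")
    print("echo requests logged from 2.2.2.2:", len(dropped_pings_from(entries, "2.2.2.2")))
```

Run against the full log from the post, `summarize` yields only UDP/53 and TCP/80 keys and `dropped_pings_from(entries, "2.2.2.2")` is empty, which is the concrete form of "I do not see the IP of the PC that I ping from": the echo requests were never dropped, so they were never logged.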
 
1. What do I enter in the interface section? It seems to only accept net0.

nothing

2. And also, what should I choose as the log level?

info

3. Is it OK to disable the firewall at the node level but enable it at the datacenter AND KVM level?

yes, should work.

4. Do I need to restart anything to make changes?

no (only if you set the firewall flag on the network interface do you need to restart the VM). But
rules are applied automatically.


For testing, I would start with a simple rule:

[RULES]
IN Ping(DROP)
 
OK, I restarted the VM after the firewall was enabled at the network interface. BTW it is Realtek, not VirtIO.

Yes, I am trying to test it. But there is no way I can ping the VM. I cannot block it. I can provide you the PVE details if you want to check.

I cannot see any log in the PVE > VM > Firewall log section.
 
You need to 'Stop' the VM, then start again - a restart is not enough.

Please post the output of

# brctl show

Stop and Start did not help.

Code:
root@vztl4:~# brctl show
bridge name     bridge id               STP enabled     interfaces
fwbr107i0               8000.22f2d7b5e5dc       no              fwln107i0
                                                        tap107i0
vmbr0           8000.3c4a92f75a92       no              eth0
                                                        fwpr107p0
                                                        tap101i0
                                                        tap203i0
                                                        tap300i0
                                                        tap303i0
 
And what is the output of

# iptables-save

Code:
root@vztl4:~# iptables-save
# Generated by iptables-save v1.4.14 on Sat Oct 11 20:59:32 2014
*mangle
:PREROUTING ACCEPT [686161221:991265241388]
:INPUT ACCEPT [661629980:972738307695]
:FORWARD ACCEPT [23634080:18464932755]
:OUTPUT ACCEPT [576414196:577359302517]
:POSTROUTING ACCEPT [599819047:595797073440]
COMMIT
# Completed on Sat Oct 11 20:59:32 2014
# Generated by iptables-save v1.4.14 on Sat Oct 11 20:59:32 2014
*filter
:INPUT ACCEPT [121:6335]
:FORWARD ACCEPT [1659:112643]
:OUTPUT ACCEPT [52:3852]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap107i0-IN - [0:0]
:tap107i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:EqTnWXObv/2sm0UCQAKlplAl6+Y"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap107i0 --physdev-is-bridged -j tap107i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:nHQe8qukPbOjuo/KP4en9yZ5GKE"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap107i0 --physdev-is-bridged -j tap107i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:NnZctJoRZI5u3HSJEVXQVIlLJ3U"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 93.186.125.192/26 -d 93.186.125.192/26 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 93.186.125.192/26 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:HYg34Bd+DD9UyKqc6IXjGl7WTTo"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:4ZcWIVUQ7wS7Vivu/IrwIUcFDVQ"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:BzyYmT9DMHVl0mK5gEk9RnLGABY"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:XDfaZCom19bXI72jfvIdmv5V9DM"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -m comment --comment "PVESIG:TVxJ2yaUbjuO4uGIEwWIkLrzqXo"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap107i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap107i0-IN -p icmp -m icmp --icmp-type 8 -j DROP
-A tap107i0-IN -j ACCEPT
-A tap107i0-IN -m comment --comment "PVESIG:FjwaOqWpm9O38UYHbQet4f7XshI"
-A tap107i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap107i0-OUT -m mac ! --mac-source 6A:B1:C3:FA:C3:D2 -j DROP
-A tap107i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap107i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap107i0-OUT -m comment --comment "PVESIG:QWOKaXsoHqpBB2A33ZzIdpstPPo"
COMMIT


There I see:
-A tap107i0-IN -p icmp -m icmp --icmp-type 8 -j DROP

In fact, after leaving the PC and coming back a couple of hours later, I saw that ping was being blocked in the ping window. And I tried disabling the rule; this time ping was successful. But re-enabling the rule did not block ping again. So disabling the rule took effect right away but enabling it did not.
 
If I stop pinging, log out of the Proxmox GUI and wait a couple of seconds while the rule is enabled, it works fine. So I have to stop ping and restart it again after a short while. Disabling the rule does not need ping to be stopped, but enabling it needs ping stopped and started with a short while in between.
 
If I stop pinging, log out of the Proxmox GUI and wait a couple of seconds while the rule is enabled, it works fine. So I have to stop ping and restart it again after a short while.

An existing connection (even a PING) is not affected when you change firewall rules. This feature is called connection tracking.
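The reason is visible in the iptables-save output earlier in the thread: PVEFW-FORWARD accepts packets in ctstate RELATED,ESTABLISHED before it ever jumps to PVEFW-FWBR-IN and the per-VM chain tap107i0-IN, where the ICMP type 8 DROP lives. A running ping keeps its conntrack entry alive, so every further echo request is ESTABLISHED and never reaches the new rule. The model below is an added example, not Proxmox or kernel code: it simulates that chain order for ICMP echo flows only, with a single conntrack table and a 30-second entry timeout (the Linux default for nf_conntrack_icmp_timeout, assumed here); the ICMP id 4242 and the timings are constructed. Replies from the VM leave via tap107i0-OUT, which has no ICMP rule on the page, so the model applies the ping rule to echo requests only.

```python
from dataclasses import dataclass

# Linux default for nf_conntrack_icmp_timeout; assumed for this model.
ICMP_TIMEOUT = 30.0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    icmp_id: int     # echo identifier; the same for every packet of one ping run
    t: float         # arrival time in seconds (model clock)


class Conntrack:
    """Minimal ICMP echo conntrack: one entry per (src, dst, id) flow."""

    def __init__(self, icmp_timeout=ICMP_TIMEOUT):
        self.timeout = icmp_timeout
        self.entries = {}  # flow key -> {"expires": float, "replied": bool}

    @staticmethod
    def flow_key(pkt):
        # A reply belongs to the flow of the request it answers.
        if pkt.icmp_type == 0:
            return (pkt.dst, pkt.src, pkt.icmp_id)
        return (pkt.src, pkt.dst, pkt.icmp_id)

    def state(self, pkt):
        """ctstate as the FORWARD chain sees it; looks up but never creates an entry."""
        self.entries = {k: e for k, e in self.entries.items() if e["expires"] > pkt.t}
        e = self.entries.get(self.flow_key(pkt))
        if e is None:
            return "INVALID" if pkt.icmp_type == 0 else "NEW"  # reply without a request
        if pkt.icmp_type == 0 or e["replied"]:
            return "ESTABLISHED"
        return "NEW"  # repeated requests, but no reply seen yet

    def confirm(self, pkt):
        """Create or refresh the entry; netfilter only confirms entries for packets that are not dropped."""
        e = self.entries.setdefault(self.flow_key(pkt), {"expires": 0.0, "replied": False})
        e["expires"] = pkt.t + self.timeout
        if pkt.icmp_type == 0:
            e["replied"] = True


def forward(pkt, ct, ping_rule_enabled):
    """Verdict for one packet, following the chain order shown by iptables-save."""
    st = ct.state(pkt)
    if st == "INVALID":
        verdict = "DROP"    # PVEFW-FORWARD: -m conntrack --ctstate INVALID -j DROP
    elif st == "ESTABLISHED":
        verdict = "ACCEPT"  # PVEFW-FORWARD: --ctstate RELATED,ESTABLISHED -j ACCEPT (before tap107i0-IN)
    elif ping_rule_enabled and pkt.icmp_type == 8:
        verdict = "DROP"    # tap107i0-IN: -p icmp -m icmp --icmp-type 8 -j DROP
    else:
        verdict = "ACCEPT"  # tap107i0-IN: -j ACCEPT (policy_in: ACCEPT)
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


def run_scenario(icmp_timeout=ICMP_TIMEOUT):
    """Replay the thread's observations; returns (step, verdict) pairs."""
    ct = Conntrack(icmp_timeout)

    def req(t):  # echo request from the pinging PC (constructed addresses from the thread)
        return Packet("2.2.2.2", "1.1.1.1", 8, 4242, t)

    def rep(t):  # echo reply from the VM
        return Packet("1.1.1.1", "2.2.2.2", 0, 4242, t)

    steps = []
    # 1. ping started while the rule is disabled: request accepted, reply confirms the flow
    steps.append(("first ping, rule disabled", forward(req(0.0), ct, False)))
    forward(rep(0.1), ct, False)
    # 2. rule enabled while ping keeps running once a second: still ACCEPT via conntrack
    for t in (1.0, 2.0, 3.0):
        steps.append((f"ping at t={t:.0f}s, rule enabled", forward(req(t), ct, True)))
        forward(rep(t + 0.1), ct, True)
    # 3. ping stopped for longer than the conntrack timeout, then restarted: now DROP
    t_restart = 3.1 + icmp_timeout + 1.0
    steps.append(("ping restarted after the entry expired", forward(req(t_restart), ct, True)))
    # 4. rule disabled again: takes effect on the very next request (no entry to expire)
    steps.append(("ping after rule disabled again", forward(req(t_restart + 1.0), ct, False)))
    return steps


if __name__ == "__main__":
    for step, verdict in run_scenario():
        print(f"{verdict:6} {step}")
```

Step 3 is why stopping ping and waiting helps, and step 4 is why disabling the rule works immediately: a dropped request never gets a confirmed conntrack entry, so there is nothing to wait out in that direction. On a real host the same check is `conntrack -L -p icmp` to see whether the flow is still tracked.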
 
