Conntrack leaving traffic up for a long time

[mhentrich]

Apologize if this is a dumb or often asked question, I'm just now experimenting with Proxmox firewalls. I noticed that if I enable a rule on a VM firewall that, say, allows ICMP, I'm able to ping it pretty quickly, but if I disable that rule again, the pings don't stop for a really, really long time. I take this to be an intentional feature of some sort, that active connections aren't dropped when a FW rule that disallows them is enabled? But at least in my case, I can sit there and stop ping/start pings over and over again and they almost never seem to stop, even with a rule explicitly blocking them, unless I run something on the host like conntrack -D -p -d icmp my-vm-ip-address

This is a problem for us, I'd like to know that when I disallow traffic, that traffic is disallowed and connections are dropped, just like a normal firewall would. Is there a way to do that?

Thanks!
Matt H

 

[Onslow]

Hi, @mhentrich
I remember a similar issue reported in the Forum. Unfortunately I don't remember the outcome and have no time to search for that thread in the moment, but knowing you're not the first reporting it, maybe you'll be able to find it

P.S. I think I've found it:

B

Thread 'Guest firewall letting blocked packets hit guest VM during fail over'

Jan 26, 2026

I have an odd firewall glitch I hope to figure out a workaround for.

I'm deploying a 5 node cluster to be used in a live production environment. I've configured a test VM which is set for high availability. I added a firewall to the guest in proxmox which appears to work as expected. It has a default drop policy and allows only certain IPs through. When I ping the VM from an external host I'm blocked as expected.

The issue crops up when I migrate the VM to another node. If I have a ping running against the VM's IP it's blocked until the migration completes, then I start getting pings...

• bobf
• Replies: 6
• Forum: Proxmox VE: Networking and Firewall