I've been trying to improve my firewall configuration in PVE recently and have therefore been spending more time looking at the logs.
I have noticed that some of my containers are seeing packets that are addressed to other containers. Take the following firewall log entry for example (truncated for brevity):
101 6 veth101i0-IN <...> policy REJECT: IN= <...> MAC=49-95-ca-41-b9-e0:8a-f6-0d-15-7d-7a SRC=192.168.50.102 DST=192.168.1.50.103 <...>
CT 101 is receiving and rejecting traffic bound from CT 102 to CT 103.
I only noticed this because I have logging switched on and a rule rejecting this traffic (HTTPS) on CT 101, also logging.
I'm imagining this has something to do with the virtual bridge sending packets to the wrong interface, so that would be the first problem. As the bridge and the host are both configured by PVE, the bridge knows exactly which interface the correct host is on surely?
In any case, I would expect the virtual host (container) to silently drop any packet that is not addressed to it before it reaches the firewall. This is not a firewalling task but a switching/routing/interface task is it not?
What happens if the firewall is not configured to block this particular traffic? The wrong container will respond to the packet and possibly leak information?
I guess I'm just looking for some reassurance that this is known/expected behaviour and that I haven't misconfigured my cluster somehow.
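Added example (editor's code, not the poster's): a small check that goes over firewall log lines in the shape of the entry quoted above and lists the packets a container saw on its ingress chain that were addressed to some other unicast address. Broadcast and multicast frames legitimately reach every port of a bridge, so the script excludes them; a Linux bridge also floods a unicast frame to all ports when the destination MAC is not (or no longer) in its forwarding table, so an occasional stray unicast is normal bridge behaviour, while a steady stream of them is worth checking with `bridge fdb show`. Assumptions: the field order "<vmid> <level> <chain> ... SRC= DST=" from the quoted line, PVE's `-IN`/`-OUT` chain naming, and the sample lines, addresses and subnet, which are all constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass

# Field order follows the PVE firewall log line quoted in the post:
# "<vmid> <level> <chain> ... SRC=<ip> DST=<ip> ...". Only the fields
# needed for the check are captured; everything else is skipped.
LOG_RE = re.compile(
    r"^(?P<vmid>\d+)\s+\d+\s+(?P<chain>\S+)\s.*?"
    r"\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
)


@dataclass(frozen=True)
class StrayPacket:
    vmid: str
    chain: str
    src: str
    dst: str


def is_shared_destination(dst: str, subnet: ipaddress.IPv4Network) -> bool:
    """Broadcast and multicast frames legitimately reach every bridge port,
    so they are not evidence of anything being delivered to the wrong guest."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # An unparseable DST (e.g. a malformed address) is not a shared one.
        return False
    return (
        addr.is_multicast
        or addr == ipaddress.ip_address("255.255.255.255")
        or addr == subnet.broadcast_address
    )


def find_stray_packets(lines, own_addrs, subnet):
    """Return guest-ingress (-IN chain) log entries whose DST is neither one
    of the guest's own addresses nor a broadcast/multicast destination.

    own_addrs maps VMID (string) -> set of that guest's IP addresses.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    stray = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall log line in the expected shape
        vmid, chain, dst = m["vmid"], m["chain"], m["dst"]
        if not chain.endswith("-IN"):
            continue  # only traffic delivered towards the guest matters here
        addrs = own_addrs.get(vmid)
        if addrs is None:
            continue  # guest not in our inventory
        if dst in addrs or is_shared_destination(dst, net):
            continue
        stray.append(StrayPacket(vmid, chain, m["src"], dst))
    return stray


# Constructed sample lines (hypothetical addresses and MACs) in the shape of
# the entry quoted in the post; real PVE lines carry more fields.
SAMPLE_LOG = [
    "101 6 veth101i0-IN 01/Jan/2024:10:00:00 +0000 policy REJECT: IN=fwbr101i0 OUT=fwbr101i0 "
    "MAC=aa:bb:cc:00:01:03:aa:bb:cc:00:01:02:08:00 SRC=192.168.50.102 DST=192.168.50.103 "
    "PROTO=TCP SPT=51234 DPT=443",
    "101 6 veth101i0-IN 01/Jan/2024:10:00:01 +0000 policy REJECT: IN=fwbr101i0 OUT=fwbr101i0 "
    "MAC=aa:bb:cc:00:01:01:aa:bb:cc:00:00:07:08:00 SRC=192.168.50.7 DST=192.168.50.101 "
    "PROTO=TCP SPT=40000 DPT=22",
    "101 6 veth101i0-IN 01/Jan/2024:10:00:02 +0000 policy REJECT: IN=fwbr101i0 OUT=fwbr101i0 "
    "MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:00:01:02:08:00 SRC=192.168.50.102 DST=192.168.50.255 "
    "PROTO=UDP SPT=137 DPT=137",
    "101 6 veth101i0-OUT 01/Jan/2024:10:00:03 +0000 policy ACCEPT: IN= OUT=fwbr101i0 "
    "MAC=aa:bb:cc:00:01:03:aa:bb:cc:00:01:01:08:00 SRC=192.168.50.101 DST=192.168.50.103 "
    "PROTO=TCP SPT=33333 DPT=443",
]
OWN_ADDRS = {"101": {"192.168.50.101"}}  # constructed inventory: CT 101's address
SUBNET = "192.168.50.0/24"               # constructed guest subnet


if __name__ == "__main__":
    for p in find_stray_packets(SAMPLE_LOG, OWN_ADDRS, SUBNET):
        print(f"CT {p.vmid} ({p.chain}) saw {p.src} -> {p.dst}, not addressed to it")
```

Only the first sample line is reported: the second is addressed to CT 101 itself, the third is a subnet broadcast, and the fourth is on the guest's egress chain. To run it on a real host, feed it the firewall log (`/var/log/pve-firewall.log`) and the real VMID-to-address inventory in place of the constructed values.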