DC - Node Firewall - settings change ingest + refresh behavior anomaly

N0AGI, Apr 6, 2021
hi Proxmox community,

First a disclaimer - I may not be fully understanding this and it may be an operator's fault.

I thought I'd share a weird Firewall behavior.

Summary of steps in my example:
  1. DC Firewall enabled w/o ICMP rule
  2. Node Firewall enabled w/ initially ALLOW / Enabled ICMP rule
  3. Client starts ping - ping passes through as expected
  4. Node Firewall ICMP rule is disabled to in effect DROP ICMP requests
  5. Client still keeps passing through w/ its ICMP traffic
  6. Within SSH to Proxmox server,
    1. tried each of these steps separately - "reset" and restarting the pve-firewall.service
  7. Step #5 behavior is still true
Please see the short video here

thanks for any feedback or insights if I am missing something here.
This behaviour is due to conntrack. As soon as a connection is established, it gets inserted into the conntrack table and we automatically allow all established connections. This is how stateful firewalling usually works; if you want to prevent this behaviour you can flush the conntrack table after updating your firewall rules - but please note that this might also cause disruption to existing connections that should actually pass through the firewall.
got it - thank you.
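A small added helper for the selective flush mentioned in the conntrack reply above (this is example code, not from the thread or from Proxmox): it lists the conntrack entries that still match the flow you just blocked and emits a `conntrack -D` command for each of them, so you can review and remove only those entries instead of wiping the whole table with `conntrack -F`. The `conntrack -L` sample and the addresses are constructed; it assumes conntrack-tools is installed on the node and that deletions are run as root.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread. Requires conntrack-tools on the
# Proxmox host for live use; the parsing below runs on any shell.

# Constructed sample of `conntrack -L` output: 192.0.2.10 is the pinging
# client, 198.51.100.5 the Proxmox host. Not real data.
SAMPLE_CT='icmp     1 29 src=192.0.2.10 dst=198.51.100.5 type=8 code=0 id=1234 src=198.51.100.5 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=50422 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=50422 [ASSURED] mark=0 use=1
icmp     1 29 src=192.0.2.77 dst=198.51.100.5 type=8 code=0 id=9 src=198.51.100.5 dst=192.0.2.77 type=0 code=0 id=9 mark=0 use=1'

# ct_select PROTO TABLE [SRC]: print the entries of TABLE (text in the
# format of `conntrack -L`) whose protocol is PROTO and, when SRC is given,
# whose original-direction source address is exactly SRC.
ct_select() {
  local proto=$1 table=$2 src=${3:-}
  printf '%s\n' "$table" | awk -v p="$proto" -v s="$src" \
    '$1 == p && (s == "" || index($0, "src=" s " ") > 0) { print }'
}

# ct_count: same arguments as ct_select, prints the number of matching entries.
ct_count() {
  ct_select "$@" | awk 'END { print NR }'
}

# ct_delete_cmds: same arguments as ct_select; prints one `conntrack -D`
# command per matching entry, keyed on the original-direction src/dst pair.
# Review the output, then pipe it into `sh` as root to apply it.
ct_delete_cmds() {
  ct_select "$@" | awk '{
    src = ""; dst = ""
    for (i = 1; i <= NF; i++) {
      if (src == "" && $i ~ /^src=/) src = substr($i, 5)
      if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
    }
    printf "conntrack -D -p %s -s %s -d %s\n", $1, src, dst
  }'
}

# Live mode: `./ct-selective-flush.sh --live icmp [CLIENT_IP]` prints the
# delete commands for the real table instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ct_delete_cmds "${2:-icmp}" "$(conntrack -L 2>/dev/null)" "${3:-}"
fi
```

Run the printed commands only after confirming each entry is the flow you intended to block; the SSH session in the sample is deliberately left alone because it never matches the ICMP filter.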