Firewall - conntrack question

[thierrykaya]

PVE stack: 6.4-13 (running kernel: 5.4.128-1-pve)

How do I define a firewall rule, via the PVE firewall web frontend, that restricts incoming packets to tagged connections(conntrack)
for a specific security group?

A iptables rule equivalent would be:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Cheers,

 

[ph0x]

You can't, pve-firewall is stateless.

 

[thierrykaya]

You can't, pve-firewall is stateless.

Hi,

Will setting up this rule enable this filter at the PVE's firewall level?

Cheers,

 

[ph0x]

What?

 

[thierrykaya]

What?

Hi,
Sorry multitasking mangled my post . I meant:

Will setting up this rule at the iptables level,save this rule at the system level (OS)?

Cheers,

Reply

 

[ph0x]

I don't really know. Pve-firewall gets reloaded every few seconds, maybe you can setup a hook.
There are a lot more competent guys around here than me, though.

 

[thierrykaya]

Ok, much appreciated your assistance though.

Bye for now.