Firewall ipfilter

JustDanMan

New Member
Sep 5, 2014
Hello!

First, sorry for my broken English, I hope you understand me :)
I have tested the new firewall in Proxmox. There is a feature named "ipfilter". When I add an IP address to this ip-set, the firewall blocks outgoing traffic from all other IPs. (I can only generate outgoing traffic from IPs in the ip-set.) But now the problem: incoming traffic works from IPs that aren't in the ip-set, too. I must set the input policy to DROP and create a rule "IN ACCEPT destination --> +ip-filter-net0". Is this intentional? In my opinion this group should drop incoming and outgoing traffic from all IPs that aren't in the ip-set.

Thanks!

Daniel
 
Hi, the current code is

if ($direction eq 'OUT') {
    if ($ipfilter_ipset) {
        # drop outgoing packets whose source address is not in the NIC's ipfilter set
        ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
    }
}


This is to avoid IP spoofing.

This allows only the IP address(es) defined for the specific VM NIC to go out.

I don't remember why we have only implemented it for outgoing traffic.
Yes, I will use it for this scenario, to avoid IP spoofing. But when I set the incoming policy to allow and create the ip-set, I can't ping anything from the VM, but everyone can access e.g. the website on this server. So another VM can "cache" the IP and create a fake website. I think a good way is to implement it for "IN", too.
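To make the asymmetry discussed in this thread concrete, here is an added example (not Proxmox code) that builds the iptables rule fragment the snippet above emits for OUT, the assumed IN counterpart (matching on dst instead of src), and simulates both against a constructed ipset; the set name "ipfilter-net0" and the addresses are made up.

```python
import ipaddress

def ipfilter_rules(ipset, directions=("OUT", "IN")):
    """Return the iptables rule fragments that enforce an ipfilter set.

    The OUT rule mirrors the pve-firewall snippet in the thread: packets whose
    source is not in the set are dropped.  The IN rule is the assumed
    counterpart the last reply asks for (not Proxmox's code): packets whose
    destination is not in the set are dropped, so a guest cannot answer for
    an address it does not own.
    """
    rules = {}
    if "OUT" in directions:
        rules["OUT"] = f"-m set ! --match-set {ipset} src -j DROP"
    if "IN" in directions:
        rules["IN"] = f"-m set ! --match-set {ipset} dst -j DROP"
    return rules

def verdict(direction, src, dst, allowed, directions=("OUT", "IN")):
    """Simulate the ipfilter check for one packet on a guest NIC.

    `allowed` is the ipfilter set (the guest's legitimate addresses).  Returns
    "DROP" when the rule for that direction matches, otherwise "ACCEPT",
    meaning the packet falls through to the rest of the chain.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed}
    if direction == "OUT" and "OUT" in directions:
        return "DROP" if ipaddress.ip_address(src) not in allowed else "ACCEPT"
    if direction == "IN" and "IN" in directions:
        return "DROP" if ipaddress.ip_address(dst) not in allowed else "ACCEPT"
    return "ACCEPT"

# Constructed sample: this guest owns 10.0.0.5 only; 10.0.0.9 belongs to another VM.
IPFILTER_NET0 = ["10.0.0.5"]

def demo():
    current = ("OUT",)          # behaviour the thread observes today
    proposed = ("OUT", "IN")    # what the last reply asks for
    return {
        "spoofed_out": verdict("OUT", "10.0.0.9", "10.0.0.1", IPFILTER_NET0, current),
        "stolen_in_current": verdict("IN", "10.0.0.1", "10.0.0.9", IPFILTER_NET0, current),
        "stolen_in_proposed": verdict("IN", "10.0.0.1", "10.0.0.9", IPFILTER_NET0, proposed),
        "legit_in_proposed": verdict("IN", "10.0.0.1", "10.0.0.5", IPFILTER_NET0, proposed),
    }

if __name__ == "__main__":
    for direction, rule in ipfilter_rules("ipfilter-net0").items():
        print(direction, rule)
    print(demo())
```

With only the OUT rule, a guest cannot send from 10.0.0.9 but still receives traffic addressed to it; adding the IN rule closes that gap while leaving traffic to its own 10.0.0.5 untouched.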