Firewall still allowing Ping after disabling ICMP rule

seanhdka

New Member
May 1, 2023
So I'm currently learning Proxmox on a mini PC at home, with the intention of deploying on a root server in the future.

I was trying out the Proxmox firewall function on the datacenter and pve1 layers.

I have a rule on the datacenter allowing TCP traffic on port 8006 for the web interface, same goes for pve1.
On pve1 I have an accept rule with the macro ping, which works splendidly. Problem is, once I disable the ping rule, I can still ping pve1?
Same goes if I accept everything but drop ping requests: once I disable the rule, I still can't ping pve1.

I then have to disable the firewalls on datacenter and pve1, then enable them on pve1 and datacenter in that order (I also switch menus a bunch for good measure), for it to work again.

When I do this workaround and have the ping rule disabled, I can enable it no problem; once I disable it again I'm still able to ping.

This isn't desirable behaviour, am I doing it wrong?
 
Hi, if you keep pinging, the traffic will be allowed by the iptables RELATED,ESTABLISHED state policy rule; you should try stopping the ping for a while after the firewall rules are changed. You may see this policy with the command:
Code:
iptables -n -v -L PVEFW-HOST-IN
 
Ahh, I see, so since the session is open it still goes through. Once the session is closed I shouldn't be able to ping it anymore. I'll test it after work and update here.
 

Thanks, this seems to work the way you described.

Can I just disable that RELATED,ESTABLISHED rule? For me it's important that a connection may only be made if the corresponding rule is present and active. Or would disabling this have some unforeseen effects?
 
Never disable that rule, it's a basic and important rule. If you really need to disable ping immediately, just add a policy to drop ping and put that rule at the top.
 
I do not need to drop ping immediately, I want to drop any incoming connection as soon as the policy explicitly allowing it is disabled. I do not understand why it does not work like that. I am no expert, but that seems like a risk to me and I am not familiar with this behaviour from standalone firewalls.

I understand now that the RELATED,ESTABLISHED rule is also used for outbound request responses, so I won't be disabling that.
 
The "pve-firewall restart" will also not reset the established connections, but you may try the conntrack command to check and flush the current established connections:
Code:
conntrack -L
conntrack -F
 
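As an added example that is not part of the thread or of Proxmox itself: the script below parses the output format of `conntrack -L` to show which ICMP echo entries are keeping a ping "established" after its ACCEPT rule was disabled, and prints a targeted delete for just those entries rather than the `conntrack -F` flush above, which would also drop the TCP session to the web interface on 8006. The host address 192.168.1.20 and the conntrack lines are constructed sample data, and the function names are mine. Once the stale entries are gone, the next echo request is a NEW packet again and no longer matches RELATED,ESTABLISHED, so it falls through to whatever rule (or default policy) applies.

```shell
#!/bin/sh
# Added example, not from the thread: parse `conntrack -L` output to see which
# ICMP echo entries are keeping a ping "ESTABLISHED" after its ACCEPT rule was
# disabled, then delete only those entries instead of flushing the whole table.

# Constructed sample in the format `conntrack -L` prints (not real captured data):
# two echo sessions toward the host and one TCP session to the web UI on 8006.
SAMPLE_CONNTRACK='icmp     1 29 src=192.168.1.10 dst=192.168.1.20 type=8 code=0 id=1234 src=192.168.1.20 dst=192.168.1.10 type=0 code=0 id=1234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.168.1.20 sport=54321 dport=8006 src=192.168.1.20 dst=192.168.1.10 sport=8006 dport=54321 [ASSURED] mark=0 use=1
icmp     1 5 src=10.0.0.5 dst=192.168.1.20 type=8 code=0 id=77 src=192.168.1.20 dst=10.0.0.5 type=0 code=0 id=77 mark=0 use=1'

# list_icmp_entries HOST: read conntrack output on stdin and print
# "<src> <dst> <icmp id>" for every ICMP entry whose original direction
# targets HOST. The first src=/dst=/id= on a line belong to the original
# direction; the repeated ones are the reply tuple, so they are skipped.
list_icmp_entries() {
    awk -v host="$1" '
        $1 == "icmp" {
            src = ""; dst = ""; id = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/ && src == "") src = substr($i, 5)
                if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
                if ($i ~ /^id=/  && id  == "") id  = substr($i, 4)
            }
            if (dst == host) print src, dst, id
        }'
}

# count_icmp_entries HOST: number of tracked ICMP entries toward HOST (stdin).
count_icmp_entries() {
    list_icmp_entries "$1" | wc -l | tr -d ' '
}

# flush_icmp_cmd HOST: the targeted delete to run as root once the ACCEPT rule
# is off. `-p icmp -d HOST` removes only the ping entries; the TCP session to
# the web UI stays, whereas `conntrack -F` would drop it too.
flush_icmp_cmd() {
    printf 'conntrack -D -p icmp -d %s\n' "$1"
}

main() {
    host="${1:-192.168.1.20}"
    if command -v conntrack >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        input=$(conntrack -L -p icmp 2>/dev/null)    # live table, root only
    else
        input="$SAMPLE_CONNTRACK"                    # offline: constructed sample
    fi
    echo "Tracked ICMP entries toward $host:"
    printf '%s\n' "$input" | list_icmp_entries "$host"
    echo "Entries: $(printf '%s\n' "$input" | count_icmp_entries "$host")"
    echo "To drop them now, run: $(flush_icmp_cmd "$host")"
}

main "$@"
```

Run it as root on the node with the host's own address as the first argument to read the live table; without root or without conntrack-tools it falls back to the constructed sample so the parsing can be checked anywhere. The printed `conntrack -D` line is deliberately not executed by the script, so nothing is deleted until you run it yourself.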
