Firewall syslog problem

Nov 17, 2016
proxmox-ve: 4.3-71 (running kernel: 4.4.21-1-pve) pve-manager: 4.3-10 (running version: 4.3-10/7230e60f)

Hi there,

Beginner question: as soon as I enable the cluster-level firewall (Datacenter → Firewall → Options), the following error appears in the syslog:

proxmox pve-firewall[2686]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid

I've looked through the various configuration files (cluster.fw, host.fw and <vm>.fw) but could not find anything wrong. All of them are empty apart from an `[OPTIONS]` section containing `enable: 1`. What am I missing?

My /etc/network/interfaces-File:

# Loopback, IPv4 and IPv6.
auto lo
iface lo inet loopback
iface lo inet6 loopback

# device: eth0
# Uplink. The host address carries a /32 netmask with a point-to-point
# gateway, so the on-link x.x.x.96/27 route has to be added explicitly via
# that gateway instead of being derived from the netmask.
auto eth0
iface eth0 inet static
address x.x.x.113
netmask 255.255.255.255
pointopoint x.x.x.97
gateway x.x.x.97
up route add -net x.x.x.96 netmask 255.255.255.224 gw x.x.x.97 eth0

# IPv6 on the uplink, again as a single host address (prefix length 128).
# The maintainer reply further down attributes the pve-firewall ipset error
# to /128 host prefixes, so this is the stanza that triggers it.
# 'up sysctl -p' reloads /etc/sysctl.conf when the link comes up; what that
# file sets is not shown here.
iface eth0 inet6 static
address xxx
netmask 128
gateway fe80::1
up sysctl -p

# Bridge with no physical ports that reuses the host address with a /32
# mask; a /32 route for x.x.x.125 is added via the bridge (presumably a
# guest address — one is shown here).
auto vmbr0
iface vmbr0 inet static
address x.x.x.113
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
up ip route add x.x.x.125/32 dev vmbr0


# Private bridge for 10.0.0.0/24, masqueraded out through vmbr0.
# NOTE(review): net.ipv4.ip_forward is a host-wide sysctl, not per-interface:
# once vmbr1 is up the host forwards between all of its interfaces, and
# nothing here resets it on post-down. The MASQUERADE rule is in the nat
# table and is not part of the pve-firewall compile output in this thread —
# confirm it survives pve-firewall rule reloads. post-down deletes the rule
# that post-up appended, so up/down cycles do not accumulate duplicates.
auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
 
"pve-firewall compile" will output the commands it uses, please post that ;)
 
Hi Fabian,

Part 1 of output:

ipset cmdlist:
create PVEFW-0-management-v4 (wUkb5FpQvEqpMcadyVEXs1Pr/dU)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
create PVEFW-0-management-v6 (Per5AMTg8GrGEmJXUrvK94+SG4A)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
add PVEFW-0-management-v6 ::/0

iptables cmdlist:
create PVEFW-Drop (zfGV4KTPaxGVOCwRUVqqqbR0IhM)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
create PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
create PVEFW-FWBR-IN (/naDZxJ06t8Dx9DQtmus9NvdHEA)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
create PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
create PVEFW-INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-Reject (3gYHaSHlZx5luiKyM0oCsTVaXi4)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
create PVEFW-SET-ACCEPT-MARK (K9jRaFw5I2si1xj1eGi18ZF/Ng0)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
create PVEFW-logflags (ewllejV/lK5Rjmt/E3xIODQgfYg)
-A PVEFW-logflags -j DROP
create PVEFW-reject (KM/fOv4KvGn8XvMqxoiRCdvlji8)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
create PVEFW-smurflog (k8rhuGB1IUidugKwAufSGGgKAZ4)
-A PVEFW-smurflog -j DROP
create PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (NojMqRwli9IqGAXKxiVqfR5LMCU)
-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (MkPaCKv6YwhdrweLr4RfzQE3PG0)
-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source F6:BE:ED:3B:23:22 -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
create PVEFW-Drop (6rTP78QJYMPsnyC3qqgpc6EzqdI)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
create PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
create PVEFW-FWBR-IN (wjGAwD1weFxDIbPrFybsxrVCysU)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
create PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
create PVEFW-INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-Reject (c1gnTzuLzZ58B3YP36bkBEsyxpQ)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
create PVEFW-SET-ACCEPT-MARK (K9jRaFw5I2si1xj1eGi18ZF/Ng0)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
create PVEFW-logflags (ewllejV/lK5Rjmt/E3xIODQgfYg)
-A PVEFW-logflags -j DROP
 
And part 2:

create PVEFW-reject (TeZhczhc17LK2pqE7UkGmRMJLNU)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (EMACXFAF3n6YW1MZ0lImz53cLEY)
-A tap100i0-IN -p udp --dport 546 --sport 547 -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (zLopwbaXLAveSzPVXJ0KKybxtZw)
-A tap100i0-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source F6:BE:ED:3B:23:22 -j DROP
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
detected changes


(2 Posts because 1000 character limitation)
 
Seems to be a bug with /128 prefix addresses on the host: the compile output above emits `add PVEFW-0-management-v6 ::/0`, which is the third command in the ipset restore list and which ipset rejects as an invalid CIDR for a hash:net set — hence "Error in line 3" in the syslog. Will be fixed with the next pve-firewall package updates; after updating, check `pve-firewall status` to confirm the rule set loads without errors.
 
