Firewall syslog problem

Nov 17, 2016
proxmox-ve: 4.3-71 (running kernel: 4.4.21-1-pve) pve-manager: 4.3-10 (running version: 4.3-10/7230e60f)

Hi there,

Noob question: as soon as I enable the cluster firewall, I get the following error in the syslog:

proxmox pve-firewall[2686]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid

I've looked into the various configuration files (cluster.fw, host.fw and <vm>.fw) but I didn't find anything wrong. All configuration files are empty except for the "[options] enable: 1" statement. What am I missing?

My /etc/network/interfaces-File:

# Loopback, IPv4 and IPv6.
auto lo
iface lo inet loopback
iface lo inet6 loopback

# device: eth0
# IPv4 uplink: a single /32 host address with a point-to-point gateway, so
# the gateway is the only on-link next hop; the provider's /27 is reached
# through an explicit route via that gateway.
auto eth0
iface eth0 inet static
address x.x.x.113
netmask 255.255.255.255
pointopoint x.x.x.97
gateway x.x.x.97
up route add -net x.x.x.96 netmask 255.255.255.224 gw x.x.x.97 eth0

# IPv6 uplink: a /128 host address with the link-local gateway fe80::1.
# NOTE(review): this /128 host prefix is what the reply in this thread
# identifies as triggering the pve-firewall ipset error.
iface eth0 inet6 static
address xxx
netmask 128
gateway fe80::1
# Re-applies /etc/sysctl.conf when this stanza comes up; that file is not
# shown here, so whatever it enables (forwarding, rp_filter, ...) is not
# visible from this listing.
up sysctl -p

# vmbr0: a port-less bridge carrying the same /32 host address as eth0
# (routed setup); the guest address x.x.x.125 is routed onto the bridge
# rather than bridged to the uplink.
auto vmbr0
iface vmbr0 inet static
address x.x.x.113
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
up ip route add x.x.x.125/32 dev vmbr0


# vmbr1: private 10.0.0.0/24 bridge for guests, NATed by the host.
auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
# Enables IPv4 forwarding host-wide (all interfaces); it is never reverted
# on post-down.
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): the default gateway is configured on eth0, so guest traffic
# bound for the internet leaves via eth0 and will not match "-o vmbr0";
# confirm whether "-o eth0" was intended. Routed traffic from this bridge
# is also not matched by the bridged-only (physdev / fwln+) jumps in the
# compiled PVEFW-FORWARD chain, so verify what the host's FORWARD policy
# does with it.
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
 
"pve-firewall compile" will output the commands it uses; please post that ;)
 
Hi Fabian,

Part 1 of output:

ipset cmdlist:
create PVEFW-0-management-v4 (wUkb5FpQvEqpMcadyVEXs1Pr/dU)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
create PVEFW-0-management-v6 (Per5AMTg8GrGEmJXUrvK94+SG4A)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
add PVEFW-0-management-v6 ::/0

iptables cmdlist:
create PVEFW-Drop (zfGV4KTPaxGVOCwRUVqqqbR0IhM)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
create PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
create PVEFW-FWBR-IN (/naDZxJ06t8Dx9DQtmus9NvdHEA)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
create PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
create PVEFW-INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-Reject (3gYHaSHlZx5luiKyM0oCsTVaXi4)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
create PVEFW-SET-ACCEPT-MARK (K9jRaFw5I2si1xj1eGi18ZF/Ng0)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
create PVEFW-logflags (ewllejV/lK5Rjmt/E3xIODQgfYg)
-A PVEFW-logflags -j DROP
create PVEFW-reject (KM/fOv4KvGn8XvMqxoiRCdvlji8)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
create PVEFW-smurflog (k8rhuGB1IUidugKwAufSGGgKAZ4)
-A PVEFW-smurflog -j DROP
create PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (NojMqRwli9IqGAXKxiVqfR5LMCU)
-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (MkPaCKv6YwhdrweLr4RfzQE3PG0)
-A tap100i0-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source F6:BE:ED:3B:23:22 -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
create PVEFW-Drop (6rTP78QJYMPsnyC3qqgpc6EzqdI)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
create PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
create PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
create PVEFW-FWBR-IN (wjGAwD1weFxDIbPrFybsxrVCysU)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
create PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
create PVEFW-INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
create PVEFW-Reject (c1gnTzuLzZ58B3YP36bkBEsyxpQ)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
create PVEFW-SET-ACCEPT-MARK (K9jRaFw5I2si1xj1eGi18ZF/Ng0)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
create PVEFW-logflags (ewllejV/lK5Rjmt/E3xIODQgfYg)
-A PVEFW-logflags -j DROP
 
And part 2:

create PVEFW-reject (TeZhczhc17LK2pqE7UkGmRMJLNU)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
create PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (EMACXFAF3n6YW1MZ0lImz53cLEY)
-A tap100i0-IN -p udp --dport 546 --sport 547 -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (zLopwbaXLAveSzPVXJ0KKybxtZw)
-A tap100i0-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source F6:BE:ED:3B:23:22 -j DROP
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
detected changes


(2 Posts because 1000 character limitation)
 
Seems to be a bug with /128 prefix addresses on the host: in the compiled ipset list the IPv6 management set gets the entry `add PVEFW-0-management-v6 ::/0` (the third line of the ipset restore input), and ipset does not accept a /0 CIDR in a hash:net set, which is the "Error in line 3" you see in the syslog. Will be fixed with the next pve-firewall package update. Until then, keep in mind that a failed ipset restore means the compiled rule set may not have been applied as intended, so check `pve-firewall status` and the live `iptables-save` / `ipset list` output rather than assuming the firewall is enforcing what the configuration says; also note that a `::/0` entry in a set named "management" would presumably cover the entire IPv6 address space, which is not what a management allow-list should contain.