I noticed that when I make a restrictive change to a firewall, the traffic keeps coming through.
Example:
It is interesting that when I try the same thing on ICMP (pings), conntrack -F does cut it off
It is also interesting to see that iptables changes happen almost right away, and yet those correct rules are obviously not being followed.
Unless I'm using the system completely wrong, this is a security vulnerability. In any scenario where the goal is to disable an ACCEPT rule to cut off existing undesirable traffic, then the firewall has zero effect. What's more, it gives the administrator a false sense of confidence because when they disable a rule, there is no indication in the GUI that the rule was disabled only for new connections, and that current connections will be maintained indefinitely (they even survive a network disconnection!)
The only workaround I found was to reboot the VM.
There must be a better solution than this.
My environment:
- pve-manager/7.0-11/63d82f4e
- 2 node cluster
- Linux bridge networking on single subnet
Example:
- Enable firewall (cluster,host,vm,network interface)
- Create firewall entry for vm:
- Line 0: dport TCP: 22 ACCEPT
- Input policy: DROP
- Connect to the host protected by this firewall on port 22
- Disable line 0 rule (by unchecking checkbox), so that all inbound traffic is dropped by default
- This works, but only for brand new connections. Existing connections are never(?) cut. (I tried waiting as long as 2 hours)
- To cut the connection I tried to do "conntrack -F" but even this doesn't cut it.
- pve-firewall restart #doesn't help either
pve-firewall status
Status: enabled/running (pending changes) - I even tried disconnecting the VM network for 5 minutes, and then connecting it back, even like that the connection is not cut and just resumes where it left off (still logged into SSH)
It is also interesting to see that iptables changes happen almost right away, and yet those correct rules are obviously not being followed.
Unless I'm using the system completely wrong, this is a security vulnerability. In any scenario where the goal is to disable an ACCEPT rule to cut off existing undesirable traffic, then the firewall has zero effect. What's more, it gives the administrator a false sense of confidence because when they disable a rule, there is no indication in the GUI that the rule was disabled only for new connections, and that current connections will be maintained indefinitely (they even survive a network disconnection!)
The only workaround I found was to reboot the VM.
There must be a better solution than this.
My environment:
- pve-manager/7.0-11/63d82f4e
- 2 node cluster
- Linux bridge networking on single subnet
Last edited:
