IPv6 Firewalling in PVE

Code:
cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1
policy_forward: DROP
policy_in: DROP

[IPSET internal-pub-ipv6]

2000:000:000:3f8b::/64 # host ipv6 hetzner
2000:000:000:e700::/56 # routed ipv6

[IPSET trusted-ips]

111.243.25.152/29
122.76.244.88/29
133.251.176.35
172.31.254.0/24
172.31.255.0/24
144.0.0.0/13
155.155.15.15
4.114.0.0/16
2001:111::366::/64
2001:111::/48
2001:112::/64
2001:113:110::/48
217.14.111.11
2a00:111:0:3001::/64
2a00:111:0:3004::/64
2a01:111:111:29a::/64
2a01:111:111:f800::/56
79.192.0.0/10
87.128.0.0/11
fd45:2cf8:ad5e::/48

[RULES]

GROUP icmp # ICMP + ICMPv6 Allow
IN ACCEPT -source ##############700::/56 -log info
IN ACCEPT -source 172.31.254.0/24 -log info # Install-Net
OUT ACCEPT -source #################::/64 -log info
OUT ACCEPT -source #################::/56 -log info
GROUP trusted-incoming # Allowed IPs Incoming allow-all
FORWARD ACCEPT -source 172.31.255.0/24 -log info # Install-Net
FORWARD ACCEPT -source #################::/56 -log info # routed /56 2a01:4f8:231:e700::/56
FORWARD ACCEPT -source ##################:2 -log info
FORWARD ACCEPT -source ############## -log info
IN ACCEPT -source 172.31.255.0/24 -log info # Install-Net
|IN ACCEPT -log info
IN DROP -dest #################::/56 -log info # Drop-Incoming
IN DROP -dest #################::2 -log info # Drop-Incoming
FORWARD DROP -dest #################::/56 -log info # Drop-Incoming
IN DROP -dest ############## -log info # Drop-Incoming

[group icmp] # ICMP + ICMPv6

FORWARD ACCEPT -p icmp -log nolog -icmp-type any
FORWARD ACCEPT -p ipv6-icmp -log nolog
OUT ACCEPT -p icmp -log nolog -icmp-type any
OUT ACCEPT -p ipv6-icmp -log nolog
IN ACCEPT -p ipv6-icmp -log nolog
IN ACCEPT -p icmp -log nolog -icmp-type any

[group trusted-incoming] #

IN ACCEPT -source 111.222.176.35/32 -log info
IN ACCEPT -source 111.22.244.88/29 -log info
IN ACCEPT -source 111.222.25.152/29 -log info
IN ACCEPT -source 2000:000:000:f800::/56 -log info
IN ACCEPT -source 2000:000:000:29a::/64 -log info
IN ACCEPT -source 111.111.111.27 -log info
IN ACCEPT -source 2000:000:0:0001:0:0:0:0/64 -log info
IN ACCEPT -source 2000:000:0:0004:0:0:0:0/64 -log info
IN ACCEPT -source 2000:70:71b0::/48 -log info
IN ACCEPT -source 2000:000:0000:366::/64 -log info
IN ACCEPT -source 2000:000:0000::/48 -log info
IN ACCEPT -source 2000:000:00:5c0::/64 -log info
IN ACCEPT -source 2.164.0.0/16 -log info
IN ACCEPT -source 79.192.0.0/10 -log info
IN ACCEPT -source 87.128.0.0/11 -log info
IN ACCEPT -source 100.100.76.74/32 -log info
IN ACCEPT -source 217.7.77.7/32 -log info


An "anonymize IPs" Button in the forum would be nice ;-)

Yes it exists:

Thanks for the information!
I'll have to take a closer look on Monday and see if I can find the issue and fix it - for now it might be best to revert to the old firewall.
 
for now it might be best to revert to the old firewall.

that's what I thought as well :-)

Thank you for your help.

Cheers,

4920441
 
Hi again,
After winding back to iptables at least the host ipv6 net is firewalled again.
But what I just reckoned, that is not correct:

In the web interface input and forward are default drop, and with an ip(6)tables-save both are set to ACCEPT.... that is not right:

There is no support for forward chain firewalling in the iptables firewall, so this is expected. I will look into the issue you ran into with the nftables firewall, so you can switch over to using that with the forward chain firewalling (note again that it is still tech preview).
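As an added example (not from this thread and not Proxmox's own tooling), a small Python linter for the cluster.fw syntax posted at the top of the thread: it reports IPSET entries and -source/-dest values that do not parse as networks, -log values outside the set the PVE firewall accepts, and rules disabled with a leading '|'. The embedded sample is constructed; alias names used as -source/-dest are not resolved and would be reported as invalid.

```python
import ipaddress

# Log levels the PVE firewall accepts for -log.
VALID_LOG_LEVELS = {"emerg", "alert", "crit", "err", "warning",
                    "notice", "info", "debug", "nolog"}

# Constructed sample in cluster.fw syntax, not the file from the thread.
SAMPLE = """\
[IPSET trusted-ips]
2001:db8::/48
2001:db8::366::/64 # constructed: a second '::' is not valid IPv6
[RULES]
IN ACCEPT -source 2001:db8:1::/64 -log info
|IN ACCEPT -log info
IN ACCEPT -source +trusted-ips -log nfo
"""

def lint_cluster_fw(text):
    """Return (line_no, message) findings: IPSET entries and -source/-dest
    values that do not parse as networks, unknown -log levels, and rules
    disabled with a leading '|'. IPSET references (+name) are skipped."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].lower()  # e.g. IPSET, RULES, group
            continue
        if section == "ipset":
            try:
                ipaddress.ip_network(line.lstrip("!"), strict=False)
            except ValueError:
                findings.append((no, f"invalid IPSET entry {line!r}"))
        elif section in ("rules", "group"):
            if line.startswith("|"):
                findings.append((no, "rule is disabled ('|' prefix)"))
                line = line[1:].strip()
            tok = line.split()
            opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                    if tok[i].startswith("-")}
            for key in ("-source", "-dest"):
                if opts.get(key) and not opts[key].startswith("+"):
                    try:
                        ipaddress.ip_network(opts[key], strict=False)
                    except ValueError:
                        findings.append((no, f"invalid {key} {opts[key]!r}"))
            if "-log" in opts and opts["-log"] not in VALID_LOG_LEVELS:
                findings.append((no, f"unknown log level {opts['-log']!r}"))
    return findings
```

Run it as `lint_cluster_fw(open("/etc/pve/firewall/cluster.fw").read())` on a node to list the lines worth a second look before enabling the nftables firewall.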