Possible Bug in Firewall (ipv6)?

Virtualizer (Active Member, joined Dec 19, 2011)
This problem exists in V4.4 and V5.1.x!

Host firewall is running
Network card has firewall ON
General option for container: firewall ON
General option for container: firewall block incoming traffic ALL
Without a firewall rule, no traffic comes through.

Then I add a firewall security group; it contains only IPs that are in internal use, with /32 up to /29 nets, so all IPv4!
No opening for IPv6!!!
Especially in the security group, ::1 incoming is DROP!

And I see massive incoming IPv6 connections in this and other containers! They are containers only for internal nameserver resolution!

OK, then I changed the nameserver settings so that only IPv4 requests are allowed, and then I see in the log files that IPv4 requests are coming in, but they are not in the allowed list (the security group)!

This is the cut of the iptables on the host, for example for one of these containers:


Chain veth118i0-IN (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
GROUP-intred-IN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere mark match 0x80000000/0x80000000
PVEFW-Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:x42HoTzKmDhMo3wUQFEsRjBxGI0 */

Chain veth118i0-OUT (1 references)
target prot opt source destination
PVEFW-SET-ACCEPT-MARK udp -- anywhere anywhere [goto] udp spt:bootpc dpt:bootps
DROP all -- anywhere anywhere MAC ! D6:B3:43:A4:76:D8
DROP all -- anywhere anywhere ! match-set PVEFW-118-ipfilter-net0-v4 src
MARK all -- anywhere anywhere MARK and 0x7fffffff
GROUP-intred-OUT all -- anywhere anywhere
RETURN all -- anywhere anywhere mark match 0x80000000/0x80000000
PVEFW-SET-ACCEPT-MARK all -- anywhere anywhere [goto]
all -- anywhere anywhere /* PVESIG:O/YD+qtLt63JqLure4nOIDiEUek */
 
I am not sure, but I think it has something to do with IPv6!!! Possibly IPv6 is not filtered when the container has only an IPv4 and not an IPv6 address! In short, when I changed the internal nameservers (with normal IPs) to IPv4-only mode, the phantom was finished, but I can't understand why! So why does the ipfilter firewall let IPv6 pass when intred is only defined to pass IPv4 segments?
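A defender's way to check what the post describes is to compare the IPv4 and IPv6 rule sets for the same veth chain: the listing above comes from iptables, which only covers IPv4, while IPv6 packets are evaluated by ip6tables. The Python below is an added example, not code from the post or from Proxmox: it parses `iptables -L` / `ip6tables -L` style output, extracts the `DROP ... ! match-set <name> src` rule that enforces an ipfilter set, and reports chains where the IPv4 table enforces such a set but the IPv6 table does not. The IPv4 sample is the veth118i0-OUT chain from the post; the ip6tables sample is constructed for illustration and assumes a v6 chain of the same name that lacks the match-set rule. The names `parse_listing`, `ipfilter_sets` and `audit` are this example's own.

```python
import re

# Sample `iptables -L` listing copied from the post (IPv4, veth118i0-OUT chain).
V4_LISTING = """\
Chain veth118i0-OUT (1 references)
target prot opt source destination
PVEFW-SET-ACCEPT-MARK udp -- anywhere anywhere [goto] udp spt:bootpc dpt:bootps
DROP all -- anywhere anywhere MAC ! D6:B3:43:A4:76:D8
DROP all -- anywhere anywhere ! match-set PVEFW-118-ipfilter-net0-v4 src
MARK all -- anywhere anywhere MARK and 0x7fffffff
GROUP-intred-OUT all -- anywhere anywhere
RETURN all -- anywhere anywhere mark match 0x80000000/0x80000000
PVEFW-SET-ACCEPT-MARK all -- anywhere anywhere [goto]
"""

# Constructed `ip6tables -L` listing (NOT from the post): same chain name, but
# without any ipfilter match-set rule, which is the condition the audit flags.
V6_LISTING = """\
Chain veth118i0-OUT (1 references)
target prot opt source destination
DROP all -- anywhere anywhere MAC ! D6:B3:43:A4:76:D8
MARK all -- anywhere anywhere MARK and 0x7fffffff
GROUP-intred-OUT all -- anywhere anywhere
RETURN all -- anywhere anywhere mark match 0x80000000/0x80000000
PVEFW-SET-ACCEPT-MARK all -- anywhere anywhere [goto]
"""

# Protocol keywords that can appear in the first column of a target-less rule
# (the PVESIG comment lines in the post have no target).
PROTOCOLS = {"all", "tcp", "udp", "icmp", "icmpv6", "ipv6-icmp", "esp", "ah", "sctp"}

# Matches the ipset test, e.g. "! match-set PVEFW-118-ipfilter-net0-v4 src".
SET_RE = re.compile(r"(?P<neg>!\s+)?match-set\s+(?P<set>\S+)\s+(?P<dir>src|dst)")


def parse_listing(text):
    """Parse `iptables -L` / `ip6tables -L` output into {chain: [rule, ...]}.
    Each rule is a dict with the target (None if absent), protocol and the
    remaining match text as one string."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("target ") or current is None:
            continue  # column header or text before the first chain
        tokens = line.split()
        if tokens[0] in PROTOCOLS:
            target, rest = None, tokens
        else:
            target, rest = tokens[0], tokens[1:]
        chains[current].append(
            {"target": target, "proto": rest[0], "match": " ".join(rest[1:])}
        )
    return chains


def ipfilter_sets(rules):
    """Names of ipfilter sets enforced in these rules, i.e. a DROP on traffic
    whose source is NOT in a set with 'ipfilter' in its name."""
    found = []
    for rule in rules:
        m = SET_RE.search(rule["match"])
        if m and rule["target"] == "DROP" and m.group("neg") and "ipfilter" in m.group("set"):
            found.append(m.group("set"))
    return found


def audit(v4_text, v6_text):
    """Compare the two families. Returns (chain, reason) tuples for every chain
    where the IPv4 table enforces an ipfilter set but the IPv6 table does not."""
    v4 = parse_listing(v4_text)
    v6 = parse_listing(v6_text)
    findings = []
    for chain, rules in v4.items():
        if not ipfilter_sets(rules):
            continue  # IPv4 side does not enforce ipfilter here either; nothing to compare
        if chain not in v6:
            findings.append((chain, "chain missing in IPv6 table"))
        elif not ipfilter_sets(v6[chain]):
            findings.append((chain, "no ipfilter match-set DROP in IPv6 table"))
    return findings


if __name__ == "__main__":
    for chain, reason in audit(V4_LISTING, V6_LISTING):
        print(f"{chain}: {reason}")
```

On a host, capture `iptables -L <chain> -n` and `ip6tables -L <chain> -n` for the container's veth chains and pass both texts to `audit`; an empty result means both address families enforce an ipfilter set on that chain, while a finding points at the family where source filtering is absent and should be inspected first.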
 
