Problem firewall dropping packet

root@FRI-KVM-50:~# systemctl status proxmox-firewall
● proxmox-firewall.service - Proxmox nftables firewall
Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-08-13 22:47:04 CEST; 3 weeks 1 day ago
Main PID: 2176 (proxmox-firewal)
Tasks: 1 (limit: 57394)
Memory: 2.7M
CPU: 21min 1.881s
CGroup: /system.slice/proxmox-firewall.service
└─2176 /usr/libexec/proxmox/proxmox-firewall

Aug 13 22:47:04 FRI-KVM-50 systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
root@FRI-KVM-50:~#





No firewall enabled at the VM level!
I shut down the VM and started it again, and the problem remains the same!
 
Can you check the MTU settings inside the VM?
 
Interesting, I'd have to take another look. Does your software provide any settings for MTU / packet size? It still seems suspicious that all packets, but the ones >1500 bytes, pass through so I'm almost positive it has to do with MTU handling somewhere. It's a bit weird that the packet is not sent fragmented in the first place - which leads me to believe that the server is not set up properly.

Curious as to why this only poses a problem when the firewall is active though.
 
Finally the workaround was to add this:

nf_conntrack_allow_invalid: 1

into the /etc/pve/nodes/"HOST"/host.fw

and reboot the node!

But there is a serious issue in the Proxmox firewall....

Found the workaround in this thread: https://forum.proxmox.com/threads/enabling-firewall-breaks-connection-to-all-vms.128946/

This workaround needs to be really temporary, and the cause needs to be fixed by the Proxmox team urgently, because this workaround can create a big security breach in the system!
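
An added example (not from the thread and not Proxmox's own code): a shell check that lists the nodes whose host.fw still enables nf_conntrack_allow_invalid, so the temporary workaround above can be tracked and removed once the cause is fixed. It assumes the option is read from the [OPTIONS] section and the boolean spellings listed in the code; the sample files and node names are constructed.

```shell
#!/bin/sh
# Added example: list Proxmox nodes whose host.fw still enables the
# nf_conntrack_allow_invalid workaround (conntrack INVALID packets accepted).

# Print the effective value of the option in one host.fw ("unset" if absent).
# Assumption: the option is read from the [OPTIONS] section, last entry wins.
allow_invalid_value() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # drop comments and whitespace
        /^\[/ { section = tolower($0); next }       # track the current section
        section == "[options]" {
            n = index($0, ":")
            if (n && tolower(substr($0, 1, n - 1)) == "nf_conntrack_allow_invalid")
                v = tolower(substr($0, n + 1))
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Print the name of every node under BASE (default /etc/pve/nodes) with it on.
audit_nodes() {
    base=${1:-/etc/pve/nodes}
    for fw in "$base"/*/host.fw; do
        [ -f "$fw" ] || continue
        case "$(allow_invalid_value "$fw")" in
            # Assumption: these spellings all mean "enabled".
            1|on|yes|true) basename "$(dirname "$fw")" ;;
        esac
    done
}

# Constructed sample tree: "pve-a" has the workaround, "pve-b" does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pve-a" "$tmp/pve-b"
    printf '[OPTIONS]\n\nenable: 1\nnf_conntrack_allow_invalid: 1  # temp\n\n[RULES]\n' \
        > "$tmp/pve-a/host.fw"
    printf '[OPTIONS]\n#nf_conntrack_allow_invalid: 1\nnf_conntrack_allow_invalid: 0\n' \
        > "$tmp/pve-b/host.fw"
    audit_nodes "$tmp"
    rm -rf "$tmp"
}
```

On a node, `audit_nodes` with no argument reads /etc/pve/nodes; any name it prints is a host where the workaround is still active.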
 
Hello!

Do you have some news for me?

This workaround is absolutely not a long-term solution....

Thank you
 
