PVE firewall drops traffic

void

New Member
Feb 12, 2021
> Where does this actually come from?
>
> Is that in the firewall config of the VM?
>
> I'm asking because the network device is actually called net1 and not tap112i1.
I think we're both poking around in the dark quite a bit :) Sorry
As I understand it, a tap device is generated for each network device. Here tap112i1 refers to the tap of VM 112, interface 1.
There are no rules in the FW! Except Accept All!!
So I don't need to create anything there if it's empty.
 

Leon Gaultier

Well-Known Member
Mar 14, 2019
But if no rules are defined, then where do these come from:
Code:
exists tap112i1-IN (F8SD1truu+3VhsbTQOESYGz04io)
-A tap112i1-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap112i1-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":112:7:tap112i1-IN: ACCEPT: "
-A tap112i1-IN -j ACCEPT
-A tap112i1-IN -j ACCEPT
exists tap112i1-OUT (8lS5A6MTGPmW5r5KGssrtFObyXM)
-A tap112i1-OUT -m mac ! --mac-source 4E:BC:CD:B9:09:25 -j DROP
-A tap112i1-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap112i1-OUT -m set ! --match-set PVEFW-112-ipfilter-net1-v6 src -j DROP
-A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap112i1-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -m limit --limit 1/sec -j NFLOG --nflog-prefix ":112:7:tap112i1-OUT: PVEFW-SET-ACCEPT-MARK: "
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
I'm only asking because the topic interests me and I want to understand it. I thought these lines were also in the FW config.
 

void

New Member
Feb 12, 2021
> But if no rules are defined, then where do these come from.
>
> I'm only asking because the topic interests me and I want to understand it. I thought these lines were also in the FW config.
They're not in the GUI config; PVE generates them depending on what you select in the GUI. The best example is the MAC filter.
If you select it in the UI, the corresponding line is generated:
-A tap112i1-OUT -m mac ! --mac-source ...
 

Leon Gaultier

Well-Known Member
Mar 14, 2019
Interesting. I have the MAC filter active for an LXC, but there's nothing about it in the firewall config for the LXC. As I said, under Options I only have MAC filter set to Yes.
 

void

New Member
Feb 12, 2021
> Interesting. I have the MAC filter active for an LXC, but there's nothing about it in the firewall config for the LXC. As I said, under Options I only have MAC filter set to Yes.
Look at either pve-firewall compile or iptables, then you'll find it.
 

void

New Member
Feb 12, 2021
What I forgot to mention is that the VM's interface terminates on a bridge.
 

fabian

Proxmox Staff Member
Jan 7, 2016
Can you post your current firewall config and the generated rules once more? Thanks!
 

void

New Member
Feb 12, 2021
@fabian
VM FW config for VM 112:
Code:
[OPTIONS]

policy_in: ACCEPT
enable: 1
log_level_out: debug
macfilter: 0
ipfilter: 0
dhcp: 0
log_level_in: debug

[RULES]

|OUT ACCEPT -i net1 -log debug
|IN ACCEPT -i net1 -log debug

pve-firewall compile:
Code:
ipset cmdlist:
exists PVEFW-0-management-v4 (18beyoXOE3m4WmJuahn8nk7kBHk)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64

iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
        -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
        -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (Vh3AxWXNpUya3Lc7frOs2PpuhjQ)
        -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap112i1 -j tap112i1-IN
exists PVEFW-FWBR-OUT (ymtH8PBoBsgSbrXVrcuRg3wIjh8)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap112i1 -j tap112i1-OUT
exists PVEFW-HOST-IN (T/kFobtpR9eMlx0CzW98vtR1Z3E)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
exists PVEFW-HOST-OUT (JKxB5+XN1l37R4E9P9NWiO0HTRs)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
        -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-reject -s 224.0.0.0/4 -j DROP
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
        -A PVEFW-smurflog  -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
        -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
        -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
        -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap112i1-IN (Yb1Sntdwb66e9S9TIMgq+mP0lTo)
        -A tap112i1-IN  -j ACCEPT
exists tap112i1-OUT (hXQUyK4RSrIacwXYg9Wu+Nc1oJE)
        -A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A tap112i1-OUT  -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
        -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (znZSnk7p/ZwoP/MtUT4spgnhJws)
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap112i1 -j tap112i1-IN
exists PVEFW-FWBR-OUT (ymtH8PBoBsgSbrXVrcuRg3wIjh8)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap112i1 -j tap112i1-OUT
exists PVEFW-HOST-IN (infEBvq4vvz72HcLaaGD828wR5w)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
exists PVEFW-HOST-OUT (R+hTO16riAUExEzE7d2uOlILnzg)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
        -A PVEFW-reject -p icmpv6 -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp6-adm-prohibited
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap112i1-IN (GYvoMYJ5rXQd6HVK8U/6d0qADOY)
        -A tap112i1-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
        -A tap112i1-IN  -j ACCEPT
exists tap112i1-OUT (qwl7dRIoRDSmuPX5NnUUMhPTXoA)
        -A tap112i1-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
        -A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A tap112i1-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT  -g PVEFW-SET-ACCEPT-MARK

ebtables cmdlist:
exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
        -A PVEFW-FORWARD -p IPv4 -j ACCEPT
        -A PVEFW-FORWARD -p IPv6 -j ACCEPT
        -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-OUT (qoyWXX42KrlFLzxojJ0FQ3kGr8o)
        -A PVEFW-FWBR-OUT -i tap112i1 -j tap112i1-OUT
exists tap112i1-OUT (jBNazickFqAZQS/su2g9tWldCJk)
        -A tap112i1-OUT -j ACCEPT
ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

iptables table raw cmdlist:

ip6tables table raw cmdlist:
no changes
 

fabian

Proxmox Staff Member
Jan 7, 2016
could you post the output of iptables-save as well?
 

void

New Member
Feb 12, 2021
Code:
# Completed on Tue Feb 16 13:23:35 2021
# Generated by iptables-save v1.8.2 on Tue Feb 16 13:23:35 2021
*filter
:INPUT ACCEPT [12940:3056050]
:FORWARD ACCEPT [497779:130532424]
:OUTPUT ACCEPT [475:35844]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:VIA-IN - [0:0]
:VIA-OUT - [0:0]
:tap112i1-IN - [0:0]
:tap112i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap112i1 --physdev-is-bridged -j tap112i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Vh3AxWXNpUya3Lc7frOs2PpuhjQ"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap112i1 --physdev-is-bridged -j tap112i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:ymtH8PBoBsgSbrXVrcuRg3wIjh8"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:T/kFobtpR9eMlx0CzW98vtR1Z3E"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:JKxB5+XN1l37R4E9P9NWiO0HTRs"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap112i1-IN -j ACCEPT
-A tap112i1-IN -m comment --comment "PVESIG:Yb1Sntdwb66e9S9TIMgq+mP0lTo"
-A tap112i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -m comment --comment "PVESIG:hXQUyK4RSrIacwXYg9Wu+Nc1oJE"
COMMIT
# Completed on Tue Feb 16 13:23:35 2021
 

fabian

Proxmox Staff Member
Jan 7, 2016
So the only thing these rules still block are connections that conntrack considers invalid.. maybe something is wrong with forwarding? (The difference between firewall on and off is namely not just that firewall rules then apply, but that a layer of network devices sits in between on which the firewall filters..)
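To make that conclusion checkable, here is an added example (not code from this thread or from Proxmox VE) that parses an iptables-save dump, derives VMID and interface index from the tap chain names the way the earlier post describes them (tap112i1 = VM 112, interface 1), and walks the FORWARD path through the PVEFW chains to list every DROP/REJECT rule a forwarded packet could reach. The embedded ruleset is a trimmed copy of the iptables-save output posted above, constructed as sample input; parse_tap_name(), parse_rules(), drop_rules() and vm_chains() are this example's own names.

```python
"""Walk a saved iptables ruleset the way the Proxmox VE firewall chains it
and list every DROP/REJECT rule a forwarded packet could reach.
Added example, not code from the thread or from Proxmox VE. IPTABLES_SAVE is
a trimmed copy of the iptables-save output posted above (constructed sample);
the function names are this example's own."""
import re
import shlex
from collections import defaultdict

IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [497779:130532424]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-smurfs - [0:0]
:tap112i1-IN - [0:0]
:tap112i1-OUT - [0:0]
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap112i1 --physdev-is-bridged -j tap112i1-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap112i1 --physdev-is-bridged -j tap112i1-OUT
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-smurflog -j DROP
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A tap112i1-IN -j ACCEPT
-A tap112i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
COMMIT
"""

TERMINAL = {"DROP", "REJECT"}  # verdicts that discard the packet


def parse_tap_name(chain):
    """'tap112i1-IN' -> (112, 1, 'IN'): VMID, interface index, direction.
    Returns None for anything that is not a per-VM tap chain."""
    m = re.fullmatch(r"tap(\d+)i(\d+)-(IN|OUT)", chain)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None


def parse_rules(text):
    """Return {chain: [(match_expr, target)]} from the -A lines.
    Rules without -j/-g (the PVESIG comment markers) get target None."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if line.startswith(":"):            # chain declaration, may stay empty
            chains.setdefault(line[1:].split()[0], [])
        if not line.startswith("-A "):
            continue
        argv = shlex.split(line)[1:]        # drop the leading "-A"
        chain, rest = argv[0], argv[1:]
        matches, target = rest, None
        for i, tok in enumerate(rest):
            if tok in ("-j", "-g"):         # everything before is match syntax
                matches, target = rest[:i], rest[i + 1]
                break
        chains[chain].append((" ".join(matches), target))
    return dict(chains)


def drop_rules(chains, start, _seen=None):
    """Depth-first walk from `start` through -j/-g jumps, collecting every
    DROP/REJECT rule reachable. Match conditions are not evaluated, so the
    result is the set of rules that *could* discard a packet, not a verdict."""
    seen = _seen if _seen is not None else set()
    if start in seen:
        return []
    seen.add(start)
    found = []
    for match_expr, target in chains.get(start, []):
        if target in TERMINAL:
            found.append((start, match_expr, target))
        elif target in chains:              # user-defined chain: descend
            found.extend(drop_rules(chains, target, seen))
    return found


def vm_chains(chains, vmid):
    """Per-VM tap chains present in the ruleset for the given VMID."""
    found = []
    for chain in chains:
        info = parse_tap_name(chain)
        if info and info[0] == vmid:
            found.append(chain)
    return sorted(found)


if __name__ == "__main__":
    rules = parse_rules(IPTABLES_SAVE)
    print("chains for VM 112:", vm_chains(rules, 112))
    for chain, match_expr, target in drop_rules(rules, "FORWARD"):
        print(f"{chain}: {match_expr or '(any)'} -> {target}")
```

Run against the posted ruleset it reports exactly two rules: the conntrack INVALID drop in PVEFW-FORWARD and the drop for broadcast/multicast sources reached through PVEFW-smurfs, which is the situation fabian describes. On a live host, `iptables -vnL PVEFW-FORWARD` shows whether the INVALID rule's packet counter is actually climbing. Note also that the physdev matches on fwln+ only see traffic that crosses the fwbr<vmid>i<n>/fwln<vmid>i<n>/fwpr<vmid>p<n> devices Proxmox VE inserts between the tap and the bridge when the firewall is enabled on that NIC; that inserted layer is the difference fabian points at.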
 

void

New Member
Feb 12, 2021
I'll take a closer look at that when I get the chance. As a workaround I've passed a network device through via PCI passthrough and terminate directly on a switch.
 
