PVE firewall drops traffic

Where does this actually come from?



Is that in the firewall config of the VM?

I'm asking because the network device is actually called net1 and not tap112i1.
I think we're both pretty much poking around in the dark :) Sorry
As I understand it, a tap device is generated for each network device. Here tap112i1 refers to the tap of VM 112, interface 1.
There are no rules in the FW! Except Accept All!!
So I don't need to create anything there if it's empty.
 
But if no rules are defined, where do these come from?
Code:
exists tap112i1-IN (F8SD1truu+3VhsbTQOESYGz04io)
-A tap112i1-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap112i1-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix ":112:7:tap112i1-IN: ACCEPT: "
-A tap112i1-IN -j ACCEPT
-A tap112i1-IN -j ACCEPT
exists tap112i1-OUT (8lS5A6MTGPmW5r5KGssrtFObyXM)
-A tap112i1-OUT -m mac ! --mac-source 4E:BC:CD:B9:09:25 -j DROP
-A tap112i1-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap112i1-OUT -m set ! --match-set PVEFW-112-ipfilter-net1-v6 src -j DROP
-A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap112i1-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -m limit --limit 1/sec -j NFLOG --nflog-prefix ":112:7:tap112i1-OUT: PVEFW-SET-ACCEPT-MARK: "
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
I'm only asking because I'm interested in the topic and want to understand it. I thought these lines would also be in the FW config.
 
They're not in the GUI config; they are generated by PVE depending on what you select in the GUI. The best example is the MAC filter.
If you select it in the UI, the corresponding line is generated:
-A tap112i1-OUT -m mac ! --mac-source ...
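As an added illustration (not PVE's own generator, but a simplified Python model built from the generated rules quoted in this thread): it reads an [OPTIONS]/[RULES] VM firewall config like the one for VM 112 posted further down, treats a leading `|` as a disabled rule, turns the `macfilter` option and a rule's `-log` flag into lines that never appear in [RULES], and maps `net1` of VM 112 to the tap112i1 chains. It assumes PVE's default policies (policy_in DROP, policy_out ACCEPT) and the syslog mapping debug = 7 seen in the `:112:7:` nflog prefix; the MAC is the one from the rules above.

```python
# Constructed sample: the VM 112 firewall config quoted later in this thread.
SAMPLE_CONFIG = """\
[OPTIONS]

policy_in: ACCEPT
enable: 1
log_level_out: debug
macfilter: 0
ipfilter: 0
dhcp: 0
log_level_in: debug

[RULES]

|OUT ACCEPT -i net1 -log debug
|IN ACCEPT -i net1 -log debug
"""

# syslog severities: "debug" is the 7 in the ":112:7:tap112i1-IN: ..." nflog prefix
LOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_vm_config(text):
    """Return (options, rules); rules are (enabled, direction, action, iface, loglevel).
    A leading '|' on a [RULES] line marks the rule as disabled."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section == "RULES":
            parts = line.lstrip("|").split()
            opts = dict(zip(parts[2::2], parts[3::2]))          # "-i net1 -log debug"
            rules.append((not line.startswith("|"), parts[0], parts[1],
                          opts.get("-i"), opts.get("-log")))
    return options, rules


def rule_lines(chain, vmid, direction, action, loglevel):
    """One rule -> iptables lines. ACCEPT in the OUT chain becomes -g PVEFW-SET-ACCEPT-MARK;
    -log adds the rate-limited NFLOG line with the ':vmid:level:chain: target: ' prefix."""
    target = "-g PVEFW-SET-ACCEPT-MARK" if (direction, action) == ("OUT", "ACCEPT") else f"-j {action}"
    lines = []
    if loglevel:
        prefix = f":{vmid}:{LOG_LEVELS[loglevel]}:{chain}: {target.split()[1]}: "
        lines.append(f'-A {chain} -m limit --limit 1/sec -j NFLOG --nflog-prefix "{prefix}"')
    return lines + [f"-A {chain} {target}"]


def compile_tap_chains(options, rules, vmid, net_macs):
    """net_macs maps netN -> the MAC from the VM config. Returns {chain: [rule, ...]}."""
    chains = {}
    for net, mac in net_macs.items():
        tap = f"tap{vmid}i{net[3:]}"                      # net1 of VM 112 -> tap112i1
        cin, cout = f"{tap}-IN", f"{tap}-OUT"
        chains[cin], chains[cout] = [], []
        if options.get("macfilter", "1") != "0":          # GUI option, not a [RULES] line
            chains[cout].append(f"-A {cout} -m mac ! --mac-source {mac} -j DROP")
        chains[cout].append(f"-A {cout} -j MARK --set-mark 0x00000000/0x80000000")
        for enabled, direction, action, iface, loglevel in rules:
            if enabled and (iface is None or iface == net):
                chain = cin if direction == "IN" else cout
                chains[chain] += rule_lines(chain, vmid, direction, action, loglevel)
        # implicit, unlogged policies (PVE defaults: policy_in DROP, policy_out ACCEPT);
        # simplified: real PVE sends a DROP/REJECT policy through PVEFW-Drop/PVEFW-Reject first
        chains[cin] += rule_lines(cin, vmid, "IN", options.get("policy_in", "DROP"), None)
        chains[cout] += rule_lines(cout, vmid, "OUT", options.get("policy_out", "ACCEPT"), None)
    return chains
```

With the posted config (rules disabled, macfilter 0) the model yields exactly the two-line tap112i1-OUT and one-line tap112i1-IN chains of the later `pve-firewall compile` output; enabling the rules and the MAC filter reproduces the longer IPv4 lines quoted above.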
 
Interesting. I have the MAC filter active for an LXC, but there is nothing about it in the firewall config for the LXC. As I said, under Options I only have MAC filter set to Yes.
 
Look at either pve-firewall compile or iptables, then you'll find it.
 
What I forgot to mention is that the VM's interface terminates on a bridge.
 
Can you post your current firewall config and the generated rules again now? Thanks!
 
@fabian
VM FW config for VM 112:
Code:
[OPTIONS]

policy_in: ACCEPT
enable: 1
log_level_out: debug
macfilter: 0
ipfilter: 0
dhcp: 0
log_level_in: debug

[RULES]

|OUT ACCEPT -i net1 -log debug
|IN ACCEPT -i net1 -log debug

pve-firewall compile:
Code:
ipset cmdlist:
exists PVEFW-0-management-v4 (18beyoXOE3m4WmJuahn8nk7kBHk)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64

iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
        -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
        -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (Vh3AxWXNpUya3Lc7frOs2PpuhjQ)
        -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap112i1 -j tap112i1-IN
exists PVEFW-FWBR-OUT (ymtH8PBoBsgSbrXVrcuRg3wIjh8)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap112i1 -j tap112i1-OUT
exists PVEFW-HOST-IN (T/kFobtpR9eMlx0CzW98vtR1Z3E)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
exists PVEFW-HOST-OUT (JKxB5+XN1l37R4E9P9NWiO0HTRs)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
        -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-reject -s 224.0.0.0/4 -j DROP
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
        -A PVEFW-smurflog  -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
        -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
        -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
        -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap112i1-IN (Yb1Sntdwb66e9S9TIMgq+mP0lTo)
        -A tap112i1-IN  -j ACCEPT
exists tap112i1-OUT (hXQUyK4RSrIacwXYg9Wu+Nc1oJE)
        -A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A tap112i1-OUT  -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
        -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (znZSnk7p/ZwoP/MtUT4spgnhJws)
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap112i1 -j tap112i1-IN
exists PVEFW-FWBR-OUT (ymtH8PBoBsgSbrXVrcuRg3wIjh8)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap112i1 -j tap112i1-OUT
exists PVEFW-HOST-IN (infEBvq4vvz72HcLaaGD828wR5w)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN  -j RETURN
exists PVEFW-HOST-OUT (R+hTO16riAUExEzE7d2uOlILnzg)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
        -A PVEFW-reject -p icmpv6 -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp6-adm-prohibited
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap112i1-IN (GYvoMYJ5rXQd6HVK8U/6d0qADOY)
        -A tap112i1-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
        -A tap112i1-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
        -A tap112i1-IN  -j ACCEPT
exists tap112i1-OUT (qwl7dRIoRDSmuPX5NnUUMhPTXoA)
        -A tap112i1-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
        -A tap112i1-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A tap112i1-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A tap112i1-OUT  -g PVEFW-SET-ACCEPT-MARK

ebtables cmdlist:
exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
        -A PVEFW-FORWARD -p IPv4 -j ACCEPT
        -A PVEFW-FORWARD -p IPv6 -j ACCEPT
        -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-OUT (qoyWXX42KrlFLzxojJ0FQ3kGr8o)
        -A PVEFW-FWBR-OUT -i tap112i1 -j tap112i1-OUT
exists tap112i1-OUT (jBNazickFqAZQS/su2g9tWldCJk)
        -A tap112i1-OUT -j ACCEPT
ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

iptables table raw cmdlist:

ip6tables table raw cmdlist:
no changes
 
could you post the output of iptables-save as well?
 
Code:
# Completed on Tue Feb 16 13:23:35 2021
# Generated by iptables-save v1.8.2 on Tue Feb 16 13:23:35 2021
*filter
:INPUT ACCEPT [12940:3056050]
:FORWARD ACCEPT [497779:130532424]
:OUTPUT ACCEPT [475:35844]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:VIA-IN - [0:0]
:VIA-OUT - [0:0]
:tap112i1-IN - [0:0]
:tap112i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap112i1 --physdev-is-bridged -j tap112i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Vh3AxWXNpUya3Lc7frOs2PpuhjQ"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap112i1 --physdev-is-bridged -j tap112i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:ymtH8PBoBsgSbrXVrcuRg3wIjh8"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:T/kFobtpR9eMlx0CzW98vtR1Z3E"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:JKxB5+XN1l37R4E9P9NWiO0HTRs"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap112i1-IN -j ACCEPT
-A tap112i1-IN -m comment --comment "PVESIG:Yb1Sntdwb66e9S9TIMgq+mP0lTo"
-A tap112i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -m comment --comment "PVESIG:hXQUyK4RSrIacwXYg9Wu+Nc1oJE"
COMMIT
# Completed on Tue Feb 16 13:23:35 2021
 
So the only thing these rules still block is connections that conntrack considers invalid.. maybe something is wrong with forwarding? (The difference between firewall on and off is not just that firewall rules then apply, but that there is an extra layer of network devices in between on which the firewall filters..)
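An added check (not from the thread or from Proxmox) that walks the iptables-save output posted above from FORWARD and lists every DROP/REJECT a bridged VM packet can reach through the PVEFW chains, and that compares the PVESIG comments of the live chains with the `exists CHAIN (SIG)` lines of `pve-firewall compile`, so you can confirm the running ruleset really is the one the current config compiles to. The sample input is a constructed, abridged copy of the FORWARD path of the ruleset above.

```python
import re
import shlex

# Constructed sample: the FORWARD path of the iptables-save output posted in this
# thread, abridged to the chains that VM 112's bridged traffic actually traverses.
SAMPLE_SAVE = """\
*filter
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap112i1 --physdev-is-bridged -j tap112i1-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap112i1 --physdev-is-bridged -j tap112i1-OUT
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-smurflog -j DROP
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A tap112i1-IN -j ACCEPT
-A tap112i1-IN -m comment --comment "PVESIG:Yb1Sntdwb66e9S9TIMgq+mP0lTo"
-A tap112i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap112i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i1-OUT -m comment --comment "PVESIG:hXQUyK4RSrIacwXYg9Wu+Nc1oJE"
COMMIT
"""

TERMINATING = {"DROP", "REJECT"}


def parse_save(text):
    """-A lines of iptables-save -> {chain: [(match_text, '-j'|'-g'|None, target), ...]}."""
    rules = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)              # keeps the quoted PVESIG comment as one token
        chain, match, how, target = tok[1], tok[2:], None, None
        for i, t in enumerate(tok):
            if t in ("-j", "-g"):
                how, target, match = t, tok[i + 1], tok[2:i]
                break
        rules.setdefault(chain, []).append((" ".join(match), how, target))
    return rules


def reachable_drops(rules, start="FORWARD", path=()):
    """Follow every -j/-g into a user chain from `start`; return (path, match, target) for
    each DROP/REJECT that can be reached. Reachability only: earlier ACCEPT/RETURN rules are
    not simulated, so this lists what *can* drop, not what one particular packet *will* hit."""
    path, hits = path + (start,), []
    for match, _how, target in rules.get(start, []):
        found = []
        if target in TERMINATING:
            found = [(" > ".join(path), match or "(any packet)", target)]
        elif target in rules and target not in path:        # user chain, no loops
            found = reachable_drops(rules, target, path)
        hits += [h for h in found if h not in hits]
    return hits


def pvesig_mismatches(rules, compile_output):
    """Compare each live chain's PVESIG comment with the `exists CHAIN (SIG)` lines of
    `pve-firewall compile`; returns {chain: (compiled_sig, live_sig)} for every difference."""
    live = {}
    for chain, chain_rules in rules.items():
        for match, _, _ in chain_rules:
            m = re.search(r"--comment PVESIG:(\S+)", match)
            if m:
                live[chain] = m.group(1)
    wanted = dict(re.findall(r"^exists (\S+) \((\S+)\)", compile_output, re.M))
    return {c: (s, live.get(c)) for c, s in wanted.items() if live.get(c) != s}


if __name__ == "__main__":
    for path, match, target in reachable_drops(parse_save(SAMPLE_SAVE)):
        print(f"{target:6} {path}: {match}")
```

On the sample the walk reports only the conntrack INVALID drop in PVEFW-FORWARD and the PVEFW-smurflog drop reached through PVEFW-smurfs for broadcast/multicast source addresses; everything else on the path accepts or marks.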
 
I'll look into that more closely when I get the chance. As a workaround I've passed a network device through via PCI passthrough and terminate directly on a switch.
 