Why I don't see DROP logs at HOST level?

O

openaspace

Active Member
Sep 16, 2019
486
13
38
Italy
Hi!
In a new host with firewall enabled at datacenter and host level I don't see any DROP notice in the firewall logs when there are unwanted communications to the PROXMOX HOST. The proxmox host is configurated to allow access only from my static ip.

The firewall rules are set only on the DATACENTER and the firewall enabled also at the NODE level.

For the other VM I use a firewall VM (with proxmox firewall disabled) on the the vbr0 with separated public ip with virtual mac on Hetzner and the private virtual net on the vmbr1

I see only logs like this:
0 6 PVEFW-HOST-IN 11/Jan/2020:00:24:57 +0100 IN=vmbr0 PHYSIN=enp4s0 MAC=xxxxxxx:yyyyyyyyy SRC=RANDOM-REMOTE-IP DST=PROMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=44660 PROTO=TCP SPT=54588 DPT=9800 SEQ=4161427585 ACK=0 WINDOW=1024 SYN

Any full scan from non-my static ip with ZenMap, return no opened port on the main host and the VPS firewall on the second public ip works also correctly.

I see drops log etc.. only for VM and CT outside the virtual net behind the VM firewall.

Am I doing something wrong?

v3 - Proxmox Virtual Environment 9 .png
v3 - Proxmox Virtual Environment (10).png
 
Last edited:
yes is the same in "info" mode.

I see only IN log like the screenshot.. no drop..
it's normal?

With network scanner, the host is completely hidden and answer only to my static ip address.

v3 - Proxmox Virtual Environment.png
 
Hi,
please post the (public ip redacted if necc.) output of iptables-save in order to see what is going on. It seems that the packets are logged and dropped but we miss the drop action in the log.
 
Really thank you.


Rules are set at datacenter level and firewall enabled on the host.

Code: 
# Generated by iptables-save v1.8.2 on Tue Jan 28 16:23:45 2020
*raw
:PREROUTING ACCEPT [7161678217:6663297566149]
:OUTPUT ACCEPT [2360782358:12839479130279]
COMMIT
# Completed on Tue Jan 28 16:23:45 2020
# Generated by iptables-save v1.8.2 on Tue Jan 28 16:23:45 2020
*filter
:INPUT ACCEPT [6:384]
:FORWARD ACCEPT [49:2468]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MY-2nd-OFFICE-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MY-2nd-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p icmp -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -p icmp -j DROP
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:Ox6liegQuXSic/OqO6GRjS1MLPE"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -s PROXMOX-HOST-IP/32 -d MY-1st-OFFICE-IP -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -s PROXMOX-HOST-IP/32 -d MY-1st-OFFICE-IP -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:Fxwk1tK7dQKh3u2IEyGNmUOj/Wk"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:JhBBKO0ZdEYs+TntUvpoaDnKPVY"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Tue Jan 28 16:23:45 2020
 
Last edited:
  • Like
Reactions: Chris
openaspace said:
Really thank you.


Rules are set at datacenter level and firewall enabled on the host.

Code: 
# Generated by iptables-save v1.8.2 on Tue Jan 28 16:23:45 2020
*raw
:PREROUTING ACCEPT [7161678217:6663297566149]
:OUTPUT ACCEPT [2360782358:12839479130279]
COMMIT
# Completed on Tue Jan 28 16:23:45 2020
# Generated by iptables-save v1.8.2 on Tue Jan 28 16:23:45 2020
*filter
:INPUT ACCEPT [6:384]
:FORWARD ACCEPT [49:2468]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MY-2nd-OFFICE-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MY-2nd-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MY-1st-OFFICE-IP -d PROXMOX-HOST-IP/32 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p icmp -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -p icmp -j DROP
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:Ox6liegQuXSic/OqO6GRjS1MLPE"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -s PROXMOX-HOST-IP/32 -d MY-1st-OFFICE-IP -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -s PROXMOX-HOST-IP/32 -d MY-1st-OFFICE-IP -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d HETZNER BROADCAST/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:Fxwk1tK7dQKh3u2IEyGNmUOj/Wk"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:JhBBKO0ZdEYs+TntUvpoaDnKPVY"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Tue Jan 28 16:23:45 2020
Click to expand...
It turns out that as expected this is a minor bug in the logging, were we missed the action in the message:
Code: 
-A PVEFW-HOST-IN -p icmp -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -p icmp -j DROP
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: "
-A PVEFW-HOST-IN -j DROP
As you can see from the output, the rules were applied correctly nevertheless.
I just sent out a patch which fixes the log message, see https://pve.proxmox.com/pipermail/pve-devel/2020-January/041418.html
Thanks for reporting this!
 
  • Like
Reactions: mrg and openaspace
Hello.
I have upgraded to the latest kernel and with the upgrades of this bug fix.

But I continue to see the same kind of log without the DROP messages.
:oops:

Any feedback?
 
openaspace said:
Hello.
I have upgraded to the latest kernel and with the upgrades of this bug fix.

But I continue to see the same kind of log without the DROP messages.
:oops:

Any feedback?
Click to expand...
This is not kernel related, this is part of the pve-firewall.
The patch I sent was applied yesterday and will go through our usual testing and no-subscription repo cycle.
But as stated before, this is cosmetics only, the actual firewall rule is applied, independed of the log message!
So no worries there.
 
Yes I know that the rules are applied..
but I think that a big hypervisor with all this web interface that not show clearly on the fly that the firewall is working correctly is all little bit Incomprehensible....

Wonderful web interfaces and for an important security configuration like the main firewall of the host... it's not clear at the first impression and the user will need to verify from terminal that all is working as expected?

Thank you.
 
openaspace said:
Yes I know that the rules are applied..
but I think that a big hypervisor with all this web interface that not show clearly on the fly that the firewall is working correctly is all little bit Incomprehensible....

Wonderful web interfaces and for an important security configuration like the main firewall of the host... it's not clear at the first impression and the user will need to verify from terminal that all is working as expected?

Thank you.
Click to expand...
Yes,
I agree that this was a bug and it will be patched in upcoming package versions.
 
Hi.
Deleting the last rules:
DROP IN
DROP IN ICMP

i see the drop logs, but after a port scan from another ip , I see that ports 80 and 443 are opened..
this is the output

Code: 
# iptables-save
# Generated by iptables-save v1.8.2 on Sat Feb 15 00:15:53 2020
*raw
:PREROUTING ACCEPT [18724:5266752]
:OUTPUT ACCEPT [7619:3988632]
COMMIT
# Completed on Sat Feb 15 00:15:53 2020
# Generated by iptables-save v1.8.2 on Sat Feb 15 00:15:53 2020
*filter
:INPUT ACCEPT [84:5376]
:FORWARD ACCEPT [3296:173451]
:OUTPUT ACCEPT [101:6252]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -p icmp -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -d PROXMOX-HOST -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -d PROXMOX-HOST -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -s MYSTATIC-IP -d PROXMOX-HOST -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:nJLsrN7BC3jJqbF8oNIwV7WNOkk"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d PROXMXOX-NET -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d PROXMXOX-NET -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d PROXMXOX-NET -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d PROXMXOX-NET -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:8hx+EM6cT1qq3R3lCYy9rFTItV0"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:JhBBKO0ZdEYs+TntUvpoaDnKPVY"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Sat Feb 15 00:15:53 2020
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom