I've got somewhat of a workaround, as it needs to be applied manually each time the firewall is reset.

The example here is for the devices I want to have this enabled on: the first command replaces the first rule, and then the next ones insert the following rules at 2 in the chain.

    iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
    iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
    iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
    iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
    iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP

As there's no way to exclude multiple interfaces on the iptables command, the only way to do this is to whitelist interfaces. This should really be how Proxmox does it, asking about connection tracking at the per-bridge level. I do want it on some of the bridges, but on others it needs to be optional.

I'm frankly surprised that there's no one else who's run into this, as it appears many issues are caused by this.

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net

_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
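The commands from the post, turned into a script that can be re-run after every firewall reset (this is an added example, not code from the post or from Proxmox). It assumes, as the post does, that rule 1 of PVEFW-FORWARD is the generic INVALID-drop rule to be replaced, and it uses the bridge names from the post; the first bridge replaces rule 1 exactly as above, and every further bridge is guarded with `iptables -C` so that running the script a second time does not stack duplicate copies at position 2.

```shell
#!/bin/sh
# Added example, not part of the original post or of pve-firewall:
# generate (and optionally apply) the per-bridge "drop INVALID conntrack
# state" rules for PVEFW-FORWARD so they can be re-applied after a reset.
#
# Assumptions (mine, not stated on the page): rule 1 of PVEFW-FORWARD is
# the generic "--ctstate INVALID -j DROP" rule that the post replaces, and
# the vmbrN names below are the bridges from the post.

CHAIN=PVEFW-FORWARD

# invalid_match BRIDGE: the rule specification shared by every per-bridge rule.
invalid_match() {
    printf '%s' "-m conntrack --ctstate INVALID --in-interface $1 -j DROP"
}

# gen_rules BRIDGE [BRIDGE...]: print one iptables command line per bridge.
# The first bridge replaces rule 1 (as in the post). Each further bridge is
# checked with "iptables -C" and only inserted at position 2 if it is not
# already present, which makes the script safe to run repeatedly.
gen_rules() {
    [ $# -ge 1 ] || { echo "usage: gen_rules BRIDGE..." >&2; return 1; }
    first=$1
    shift
    printf 'iptables -R %s 1 %s\n' "$CHAIN" "$(invalid_match "$first")"
    for br in "$@"; do
        m=$(invalid_match "$br")
        printf 'iptables -C %s %s 2>/dev/null || iptables -I %s 2 %s\n' \
            "$CHAIN" "$m" "$CHAIN" "$m"
    done
}

# apply_rules BRIDGE...: execute the generated commands. Needs root and an
# existing PVEFW-FORWARD chain; stops at the first failing command.
apply_rules() {
    gen_rules "$@" | sh -e
}

# Dry run with the bridges from the post: prints the commands, applies nothing.
# To apply for real (as root): apply_rules vmbr8 vmbr44 vmbr45 vmbr192 vmbr199
gen_rules vmbr8 vmbr44 vmbr45 vmbr192 vmbr199
```

Because every insert lands at position 2, the bridges end up in reverse order below the replaced rule 1; that is harmless here, since each rule matches a different `--in-interface` and they never overlap. Replacing rule 1 with an identical rule on a second run is also harmless, so no check is needed for it.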