--- Begin Message ---
Hello Bryan,
"It is not a bug, it is a feature" :-)
Look at the documentation:
===
The following traffic is dropped, but not logged even with logging enabled:
- Broadcast, multicast and anycast traffic not related to corosync,
i.e., not coming through ports 5405-5412
===
Again, from the documentation:
===
proxmox-firewall will create two tables that are managed by the
proxmox-firewall service: proxmox-firewall and proxmox-firewall-guests.
If you want to create custom rules that live outside the Proxmox VE
firewall configuration you can create your own tables to manage your
custom firewall rules. proxmox-firewall will only touch the tables it
generates, so you can easily extend and modify the behavior of the
proxmox-firewall by adding your own tables.
===
Now you can use rc.local, or crontab @reboot, or better a systemd unit
that chains after the Proxmox VE firewall start, in order to apply the
manual rules you found.
Best regards,
Gautier Husson.
On 29/06/2025 10:14, Bryan Fields wrote:
I've got somewhat of a workaround, as it needs to be applied manually each time the firewall is reset.
Example here is the devices I want to have this enabled on, and then the first command replaces the first rule and the next ones insert the following rules at 2 in the chain.
iptables -R PVEFW-FORWARD 1 -m conntrack --ctstate INVALID --in-interface vmbr8 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr44 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr45 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr192 -j DROP
iptables -I PVEFW-FORWARD 2 -m conntrack --ctstate INVALID --in-interface vmbr199 -j DROP
As there's no way to exclude multiple interfaces on the iptables command, the only way to do this is to whitelist interfaces. This should really be how Proxmox does it, asking about connection tracking at the per-bridge level. I do want it on some of the bridges, but on others it needs to be optional.
I'm frankly surprised that there's no one else who's run into this as it
appears many issues are caused by this.
--- End Message ---
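As an added example (not code from this thread, from Proxmox, or from its documentation), here is one way to turn Gautier's suggestion and Bryan's bridge whitelist into a custom nftables table of your own plus a oneshot systemd unit ordered after the Proxmox firewall services. The table name, the rule-file and unit-file paths, and the unit names listed under After= are assumptions; the bridge names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): install a custom nftables table that
# drops conntrack-INVALID forwarded packets only on a whitelist of bridges,
# and a systemd unit that re-applies it after the Proxmox firewall starts.
# Assumed names: table "pve_custom_invalid", the rule file and unit paths,
# and the Proxmox unit names listed under After=.
set -eu

TABLE="pve_custom_invalid"                           # assumed; not a proxmox-firewall* table
RULEFILE="/etc/nftables.d/pve-custom-invalid.nft"    # assumed path
UNITFILE="/etc/systemd/system/pve-custom-invalid.service"

# Render the ruleset text for the bridge names given as arguments.
# Declaring and flushing the table first makes repeated applies idempotent.
render_invalid_drop_table() {
    [ "$#" -gt 0 ] || { echo "at least one bridge name is required" >&2; return 2; }
    printf 'table inet %s\n' "$TABLE"
    printf 'flush table inet %s\n' "$TABLE"
    printf 'table inet %s {\n' "$TABLE"
    printf '    set bridges {\n        type ifname\n        elements = {'
    sep=""
    for br in "$@"; do
        printf '%s "%s"' "$sep" "$br"
        sep=","
    done
    printf ' }\n    }\n'
    printf '    chain forward {\n'
    # "filter - 10" runs before chains at the default filter priority;
    # a drop verdict here is final, while accept still falls through to
    # the proxmox-firewall tables (this adds a drop, it cannot undo one).
    printf '        type filter hook forward priority filter - 10; policy accept;\n'
    printf '        ct state invalid iifname @bridges counter drop\n'
    printf '    }\n}\n'
}

# Render a oneshot unit ordered after the Proxmox firewall services, so the
# table is (re)loaded on every boot after their own tables exist.
render_unit() {
    cat <<EOF
[Unit]
Description=Drop ct-invalid forwarded traffic on selected bridges (custom nftables table)
After=pve-firewall.service proxmox-firewall.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f $RULEFILE

[Install]
WantedBy=multi-user.target
EOF
}

# Write both files, syntax-check the ruleset, load it and enable the unit.
install_custom_table() {
    mkdir -p "$(dirname "$RULEFILE")"
    render_invalid_drop_table "$@" > "$RULEFILE"
    nft -c -f "$RULEFILE"              # check mode: parse and evaluate without committing
    render_unit > "$UNITFILE"
    systemctl daemon-reload
    systemctl enable --now pve-custom-invalid.service
    nft list table inet "$TABLE"
}

# Usage:  sh this_script.sh render vmbr8 vmbr44 vmbr45 vmbr192 vmbr199   (print the ruleset)
#         sh this_script.sh apply  vmbr8 vmbr44 vmbr45 vmbr192 vmbr199   (install, as root)
case "${1:-}" in
    render) shift; render_invalid_drop_table "$@" ;;
    apply)  shift; install_custom_table "$@" ;;
esac
```

Two points worth keeping in mind. First, in nftables a drop in any base chain ends processing of the packet, but an accept only ends the current chain and the packet still traverses the proxmox-firewall chains at later priorities, so a table of your own can add a per-bridge INVALID drop but cannot lift a drop the managed tables apply. Second, Bryan's commands target the PVEFW-FORWARD chain of the iptables-based pve-firewall; on a host still running that daemon, the same oneshot unit can simply execute those iptables lines instead of loading an nft file.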
_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user