On 02/04/2020 at 15:22, Tobias Böhm wrote:
> On 02.04.2020 at 04:10, Gilles Pietri wrote:
> Hi,
>
> just stumbled across this rule as well, although in an IPv4-related
> issue.
>
>> A) Is it expected that such a rule be enabled for VM bridges, when
>> firewall is disabled for the VM?
>
> This rule is always there when PVE-Firewall is enabled for the cluster.

Hi,

It is, but should it be? It seemed to me that Datacenter rules were meant to apply to hosts, not VMs? Because this means even though I disable the firewall on the VM, there IS a firewall still filtering!

>> B) Can we plug ourselves in somewhere to have a rule like:
>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>> included BEFORE the --ctstate INVALID one?
>>
>> I don't see any way to do that in the chain, but I may be missing something.
>
> There is an option to disable this rule at all. You can set
> "nf_conntrack_allow_invalid: 1" in the host specific config files at
> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
> all of them. This directive is not visible in the panel but documented
> and works as intended on Proxmox 5 and 6:
> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration

Agreed (and confirmed), but that is not what I meant: there is a perfectly valid reason to filter those on the hosts, while allowing this specific echo reply to happen (especially to the VM, but that's point A :P), but I can't find an easy way to hook myself here.

> Happy pinging,
> Tobias

Thanks for the feedback!

Gilles

_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
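An added audit script illustrating the two things the thread discusses (the `nf_conntrack_allow_invalid` option in a node's `host.fw` and the position of the `--ctstate INVALID` drop in `PVEFW-FORWARD`); it is not code from the thread or from Proxmox, and both input files are constructed samples standing in for the real `/etc/pve/nodes/<nodename>/host.fw` and an `ip6tables-save` dump:

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: check a node's
# host.fw for nf_conntrack_allow_invalid and locate the ctstate INVALID drop
# in a saved PVEFW-FORWARD chain. The two sample files are constructed.

# Exit 0 if the [OPTIONS] section of the host.fw file in $1 sets
# nf_conntrack_allow_invalid: 1, exit 1 otherwise (absent or 0).
hostfw_allows_invalid() {
    awk '
        /^\[/ { in_opts = ($0 == "[OPTIONS]"); next }
        in_opts && $1 == "nf_conntrack_allow_invalid:" && $2 == "1" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the 1-based position, within chain PVEFW-FORWARD, of the first rule
# that drops ctstate INVALID; print nothing if the chain has no such rule.
invalid_drop_position() {
    awk '
        $1 == "-A" && $2 == "PVEFW-FORWARD" {
            n++
            if ($0 ~ /--ctstate INVALID/ && $0 ~ /-j DROP/) { print n; exit }
        }
    ' "$1"
}

# Constructed sample host.fw: option present but left at 0.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
[OPTIONS]
enable: 1
nf_conntrack_allow_invalid: 0
EOF

# Constructed sample dump: the INVALID drop is the first rule of the chain,
# so an untracked echo-reply is dropped before any later ACCEPT could match.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
:PVEFW-FORWARD - [0:0]
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

if hostfw_allows_invalid "$SAMPLE_FW"; then echo "INVALID packets allowed"; fi
echo "INVALID drop is rule #$(invalid_drop_position "$SAMPLE_DUMP") in PVEFW-FORWARD"
```

On a real node, point the two functions at `/etc/pve/nodes/<nodename>/host.fw` and at the output of `ip6tables-save` (or `iptables-save` for the IPv4 case) instead of the samples.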