On 02/04/2020 at 22:38, Gilles Pietri wrote:
> On 02/04/2020 at 15:22, Tobias Böhm wrote:
>> On 02.04.2020 at 04:10, Gilles Pietri wrote:

Hi again!

>>> B) Can we plug ourselves in somewhere to have a rule like:
>>> -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
>>> included BEFORE the --ctstate INVALID one?
>>>
>>> I don't see any way to do that in the chain, but I may be missing something.
>>
>> There is an option to disable this rule altogether. You can set
>> "nf_conntrack_allow_invalid: 1" in the host-specific config files at
>> /etc/pve/nodes/<nodename>/host.fw. Apparently you'd want this to be in
>> all of them. This directive is not visible in the panel but is documented
>> and works as intended on Proxmox 5 and 6:
>> https://pve.proxmox.com/wiki/Firewall#pve_firewall_host_specific_configuration
>
> Agreed (and confirmed), but that is not what I meant: there is a
> perfectly valid reason to filter those on the hosts while allowing this
> specific echo reply to happen (especially to the VM, but that's point A
> :P), but I can't find an easy way to hook myself in here.
>

Hmm, so it appears that this option... does in fact do what we want, as you
pointed out, thanks!

Then it begs the question: why does it only disable the rules in
PVEFW-FORWARD? The name implies that it would also remove the rule in
PVEFW-HOST-IN (it doesn't), but I'm glad it doesn't in that case :P

Cheers
Gilou
_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
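An added example, not from this thread or from the Proxmox project, that checks offline the two things discussed above: whether a host.fw enables nf_conntrack_allow_invalid in its [OPTIONS] section, and whether an ICMPv6 echo-reply ACCEPT in PVEFW-FORWARD actually sits before the "--ctstate INVALID -j DROP" rule it is meant to bypass (netfilter evaluates a chain top to bottom, so an ACCEPT appended with -A after that DROP never sees the packet, while one inserted with -I at position 1 does). The host.fw files and ip6tables-save dumps are constructed, simplified samples rather than real pve-firewall output, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): offline checks for
# the host.fw option and for rule ordering in PVEFW-FORWARD.

# Prints 1 if the [OPTIONS] section of the given host.fw sets
# nf_conntrack_allow_invalid to 1, otherwise 0.
hostfw_allows_invalid() {
    awk '
        /^\[/ { in_opts = ($0 == "[OPTIONS]"); next }
        in_opts && $1 == "nf_conntrack_allow_invalid:" { val = $2 }
        END { if (val == "1") print 1; else print 0 }
    ' "$1"
}

# Reads an ip6tables-save style dump and reports, for chain PVEFW-FORWARD:
#   ok       - an echo-reply ACCEPT precedes the "--ctstate INVALID" DROP
#   shadowed - the DROP comes first, so the ACCEPT is never reached
#   missing  - no echo-reply ACCEPT exists in that chain at all
# Both the symbolic (echo-reply) and numeric (129) type spellings are accepted.
echo_reply_order() {
    awk '
        $1 == "-A" && $2 == "PVEFW-FORWARD" {
            n++
            if ($0 ~ /--ctstate INVALID/ && $0 ~ /-j DROP/ && !drop) drop = n
            if (($0 ~ /--icmpv6-type echo-reply/ || $0 ~ /--icmpv6-type 129( |$)/) \
                && $0 ~ /-j ACCEPT/ && !acc) acc = n
        }
        END {
            if (!acc) print "missing"
            else if (drop && drop < acc) print "shadowed"
            else print "ok"
        }
    ' "$1"
}

# Constructed sample inputs (simplified; not real pve-firewall output).
tmp=$(mktemp -d)

cat > "$tmp/host.fw" <<'EOF'
[OPTIONS]
enable: 1
nf_conntrack_allow_invalid: 1
EOF

cat > "$tmp/default.fw" <<'EOF'
[OPTIONS]
enable: 1
EOF

# Chain with the INVALID drop at the top and the echo-reply rule appended
# afterwards (what "-A" would give you).
cat > "$tmp/appended.v6" <<'EOF'
*filter
:PVEFW-FORWARD - [0:0]
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
COMMIT
EOF

# Same chain after "-I PVEFW-FORWARD ..." (insert at position 1).
cat > "$tmp/inserted.v6" <<'EOF'
*filter
:PVEFW-FORWARD - [0:0]
-A PVEFW-FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

echo "host.fw    allow_invalid: $(hostfw_allows_invalid "$tmp/host.fw")"
echo "default.fw allow_invalid: $(hostfw_allows_invalid "$tmp/default.fw")"
echo "appended.v6 echo-reply:   $(echo_reply_order "$tmp/appended.v6")"
echo "inserted.v6 echo-reply:   $(echo_reply_order "$tmp/inserted.v6")"
# sample files are left under $tmp for inspection
```

On a real node, feed echo_reply_order the output of ip6tables-save (or of pve-firewall compile, which prints the generated ruleset) instead of the sample dumps. Keep in mind that pve-firewall manages these chains itself, so a manual -I is useful as a diagnostic of where a rule would need to land, not as a persistent fix.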