[pve-devel] firewall option nosmurfs and tcpflags

Alexandre DERUMIER aderumier at odiso.com
Fri Apr 18 10:09:15 CEST 2014


I mean, if we have a bad packet (smurf or bad tcpflags) attack,

for each packet it needs to go through the whole chains (vmbrxxx, tapxxx, ...) to match the nosmurfs or tcpflags block rule.


just put the rules in PVEFW-FORWARD, after

-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FORWARD -p tcp -j PVEFW-tcpflags


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 18 April 2014 09:01:43
Subject: RE: firewall option nosmurfs and tcpflags

> Yes, I think it's ok. It could also improve performance, for bad packets, less 
> lookups in vmbr, tap chains. 

oh, how can we improve performance? 
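The ordering proposed in the reply above, written out as an iptables-restore fragment so the effect can be checked without a Proxmox host. This is an added example, not the pve-firewall code or anything from the thread: the PVEFW-FORWARD lines are the ones quoted in the mail, while the bodies of PVEFW-smurfs and PVEFW-tcpflags are hypothetical drop rules assumed here for illustration, as are the helper function names. The point it shows is that conntrack-accepted traffic is handled by the first two rules and only INVALID/NEW packets reach the two checks, which therefore run once in the forward chain instead of once per vmbr/tap chain.

```shell
#!/bin/sh
# Added example (not Proxmox's own firewall code): emit an iptables-restore
# fragment with the PVEFW-FORWARD ordering proposed in the mail, plus
# hypothetical bodies for the PVEFW-smurfs and PVEFW-tcpflags chains.

pvefw_forward_rules() {
    cat <<'EOF'
*filter
:PVEFW-FORWARD - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
# conntrack first: RELATED/ESTABLISHED flows are accepted here and never
# reach the checks below; state INVALID is dropped outright
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# proposed placement: NEW (and INVALID) packets are checked once, here,
# instead of in every vmbrXXX / tapXXX chain further down
-A PVEFW-FORWARD -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FORWARD -p tcp -j PVEFW-tcpflags
# (per-bridge and per-tap dispatch chains would follow here; omitted)
# hypothetical PVEFW-smurfs body: drop packets claiming a broadcast,
# multicast or all-zero source address
-A PVEFW-smurfs -s 0.0.0.0/32 -j DROP
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -j DROP
-A PVEFW-smurfs -m addrtype --src-type MULTICAST -j DROP
# hypothetical PVEFW-tcpflags body: drop impossible TCP flag combinations
-A PVEFW-tcpflags -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PVEFW-tcpflags -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PVEFW-tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
COMMIT
EOF
}

# rule_pos PATTERN: line number (within the emitted ruleset) of the first
# PVEFW-FORWARD rule containing PATTERN; empty if there is none. Used to
# confirm that the two jumps sit after the conntrack rules, i.e. that they
# are only evaluated for packets that conntrack did not already accept.
rule_pos() {
    pvefw_forward_rules | grep -n -- "-A PVEFW-FORWARD" | grep -- "$1" \
        | head -n 1 | cut -d: -f1
}

# Stand-alone usage: print the ruleset and the positions being compared.
if [ "${PVEFW_EXAMPLE_MAIN:-0}" = "1" ]; then
    pvefw_forward_rules
    echo "established accept at line $(rule_pos 'RELATED,ESTABLISHED'), smurfs jump at line $(rule_pos 'PVEFW-smurfs')"
fi
```

On a host that has iptables, `pvefw_forward_rules | iptables-restore --test` parses the fragment without loading it, which is a cheap way to validate the syntax before touching the live ruleset.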

