[pve-devel] pve-firewall / current git master

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Feb 6 15:59:40 CET 2017


Hi,

Sorry, I don't know how to teach Thunderbird not to break lines. But I
could send the mail again using pastebin. Just request it. Sorry again.

Am 06.02.2017 um 14:59 schrieb Wolfgang Bumiller:
> First a general note (for everyone on the list actually):
> Please don't let your mail clients line-break command outputs, it steals
> way too much of my time reading this :-\.
> (And please prefer iptables-save style output over iptables -L...,
> iptables -L is just horrible. I'm so looking forward to when we can
> finally use `nft list ruleset` instead...)
> 
> Reply inline:
> 
> On Mon, Feb 06, 2017 at 11:25:44AM +0100, Stefan Priebe - Profihost AG wrote:
>> Hi,
>>
>> after upgrading my test cluster to the latest git versions from 4.3, I've no
>> working firewall rules anymore. All chains contain an ACCEPT rule. But
>> I'm not sure whether this was also the case with 4.3. But it breaks the
>> rules.
>>
>> The chain is this one:
>> # iptables -L tap137i0-IN -vnx
>> Chain tap137i0-IN (1 references)
>>     pkts      bytes target     prot opt in     out     source               destination
>>        0        0 DROP       udp  --  *      *       0.0.0.0/0 0.0.0.0/0            udp dpt:67
>>        0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            match-set PVEFW-0-officeips-v4 src tcp dpt:443
>>        1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            match-set PVEFW-0-ph-networks-v4 src tcp dpt:22
>>       66     3040 GROUP-ph_default_group-IN  all  --  *      * 0.0.0.0/0            0.0.0.0/0
>>       33     1716 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            mark match 0x80000000/0x80000000
>>        0        0 PVEFW-Drop  all  --  *      *       0.0.0.0/0 0.0.0.0/0
>>        0        0 DROP       all  --  *      *       0.0.0.0/0 0.0.0.0/0
>>        0        0            all  --  *      *       0.0.0.0/0 0.0.0.0/0            /* PVESIG:zR5Xk5kxEPWmHBeoIDiNXxCERrg */
>>
>> But all packets get accepted by:
>>       33     1716 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            mark match 0x80000000/0x80000000
>>
>> what is this?
> 
> Our "sub"-chains (like groups) generally avoid using ACCEPT directly and
> instead set a mark and RETURN. (In many cases this is not strictly
> necessary but it is more flexible and could potentially allow more
> complex rules (like nesting groups or something, if we ever want that)).
> So the input rules of ph_default_group would be responsible for setting
> this bit in your case above.

Mhm, that's even more strange. The default group is this one:
http://pastebin.com/raw/HAxJkhv7

So there's even a drop at the end of this group. So ACCEPT should not be
reachable at all.

My test is a TCP connect to port 3306, which works just fine.

Here both again:
Group:
http://pastebin.com/raw/HAxJkhv7

monitoring list:
http://pastebin.com/raw/4QeCYEVe

iptables tap in:
http://pastebin.com/raw/1QVTJG8K

Greets,
Stefan
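The mark-and-RETURN arrangement Wolfgang describes, as an added example that is not pve-firewall's code: a small Python model of netfilter chain traversal over a constructed ruleset shaped like the quoted tap137i0-IN chain. The chain names and the 0x80000000 bit come from the output above; the source prefix, the port 3306 rule and the sample packets are assumptions.

```python
from dataclasses import dataclass

MARK_BIT = 0x80000000  # bit tested by "mark match 0x80000000/0x80000000"

@dataclass
class Packet:
    src: str
    dport: int
    mark: int = 0  # fwmark; a MARK target ORs bits into it

def marked(p):
    return bool(p.mark & MARK_BIT)

# Each rule is (match, action); actions are "ACCEPT", "DROP", "RETURN",
# ("MARK", bits) or ("JUMP", chain). Set membership is a prefix check here.
RULESET = {
    # parent chain: jump into the group, then ACCEPT whatever it marked
    "tap137i0-IN": [
        (lambda p: p.dport == 67, "DROP"),
        (lambda p: True, ("JUMP", "GROUP-ph_default_group-IN")),
        (marked, "ACCEPT"),
        (lambda p: True, "DROP"),
    ],
    # group chain: never ACCEPTs directly, sets the bit and RETURNs instead
    "GROUP-ph_default_group-IN": [
        (lambda p: p.src.startswith("10.0.") and p.dport == 3306, ("MARK", MARK_BIT)),
        (marked, "RETURN"),
        (lambda p: True, "DROP"),  # trailing drop, as in the group described above
    ],
}

def traverse(chain, pkt, ruleset=RULESET):
    """Walk one chain. Returns ACCEPT/DROP, or RETURN when the chain ends
    without a verdict so the calling chain continues with its next rule."""
    for match, action in ruleset[chain]:
        if not match(pkt):
            continue
        if isinstance(action, str):
            return action
        kind, arg = action
        if kind == "MARK":
            pkt.mark |= arg  # non-terminating: keep walking this chain
        elif kind == "JUMP":
            sub = traverse(arg, pkt, ruleset)
            if sub != "RETURN":
                return sub  # sub-chain issued a final verdict
    return "RETURN"

def verdict(src, dport, mark=0):
    return traverse("tap137i0-IN", Packet(src, dport, mark))
```

Only packets the group chain marked (or that entered the chain with the bit already set) reach the parent's ACCEPT; everything else is dropped by the group's trailing rule.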
