[pve-devel] [PATCH pve-firewall 2/3] PVEFW-reject ipv4 : remove icmp drop rule
Alexandre Derumier
aderumier at odiso.com
Fri Feb 15 10:48:02 CET 2019
or we can never match the next icmp reject rules
---
src/PVE/Firewall.pm | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 61d5599..7890b51 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -568,7 +568,6 @@ $pve_std_chains_conf->{4} = {
# same as shorewall 'reject'
{ action => 'DROP', dsttype => 'BROADCAST' },
{ action => 'DROP', source => '224.0.0.0/4' },
- { action => 'DROP', proto => 'icmp' },
{ match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
{ match => '-p udp', target => '-j REJECT --reject-with icmp-port-unreachable' },
{ match => '-p icmp', target => '-j REJECT --reject-with icmp-host-unreachable' },
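Review bot: the commit message does not record the behaviour change that deleting `{ action => 'DROP', proto => 'icmp' }` causes. ICMP reaching this chain is no longer dropped silently; it now falls through to the `-p icmp` rule and is answered with `--reject-with icmp-host-unreachable`, so a host that used to stay quiet starts emitting replies. Please state that in the commit message, and check that the `# same as shorewall 'reject'` comment at the top of the hunk still describes the chain after this change. If the shorewall chain it refers to drops a different protocol at this position, replacing the rule would match the comment better than deleting it. The BROADCAST and `224.0.0.0/4` DROP rules remain ahead of the REJECT rules, so the ordering for those two cases is unchanged.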
--
2.11.0