[PVE-User] ipfilter functionality

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Apr 13 08:31:53 CEST 2018


On Wed, Apr 11, 2018 at 04:02:05PM +0200, Mark Schouten wrote:
> Hi,
> 
> We've been struggling with ipfilter for a few days, thinking it doesn't
> work, because inbound connections kept working, even though there was
> not a single IP in the ipfilter-net0 IPSet.
> 
> But, it looks like only outbound connections are dropped, but inbound
> connections work. While this is functional, it doesn't prevent anyone
> from spoofing a neighbour's address, so it's not completely functional.

This is currently due to the connection tracking rules happening too
early. Similarly, MAC filtering only happens for IP packets.
If you do not need to disable MAC filtering, you can try the
pve-firewall >= 3.0-8 package from pvetest, which will set up ebtables for
MAC filtering; that should help. But to make it work completely as most
users expect it, we'll have to move the conntrack rules from the forward
chain into the device-specific chains.
It's on my to-do list along with another round of nftables testing.

@Tom: not sure if you're currently doing anything in the firewall code,
but I thought I'd ping/Cc you to let you know the ebtables patch set
landed in pvetest.
