[PVE-User] ipfilter functionality

Mark Schouten mark at tuxis.nl
Fri Apr 13 10:08:31 CEST 2018


On Fri, 2018-04-13 at 08:31 +0200, Wolfgang Bumiller wrote:
> This is currently due to the connection tracking rules happening too
> early. Similarly, MAC filtering only happens for IP packets.
> If you do not need to disable MAC filtering you can try the
> pve-firewall >= 3.0-8 package from pvetest which will set up ebtables
> for MAC filtering, that should help. But to make it work completely as
> most users expect it we'll have to move the conntrack rules from the
> forward chain into the device specific chains.
> It's on my todo list along with another round of nftables testing.

It's not really MAC filtering I'm looking for. But wouldn't this be
fixed if the connection inbound would be filtered as well as outbound?
So add the ipfilter-rules to $interface-IN as well?

-- 
Kerio Operator in de Cloud? https://www.kerioindecloud.nl/
Mark Schouten  | Tuxis Internet Engineering
KvK: 61527076  | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl

