mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-09 01:18:04 +03:00
Commit Graph

803 Commits

Author SHA1 Message Date
Lorenz Stechauner
d9e7522b56 fix #2721: remove reject tcp 43 from default drop and reject actions
first, '43' is a typo, it should say '113' (if it really is like
legacy shorewall [0]). this tcp port corresponds to the ident or
authentication service protocol.

second, nowadays this reject is not included in shorewall anymore.
furthermore it would make no sense to reject specifically this
one port.

[0] https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/action.Drop#L66
    https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/Macros/macro.Auth

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-08-06 14:03:52 +02:00
Thomas Lamprecht
dcdbb55932 bump version to 4.2-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-21 11:31:47 +02:00
Stoiko Ivanov
c7e6b30c81 set sysctls on every apply
setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2021-05-26 17:31:58 +02:00
Thomas Lamprecht
b5787a56be buildsys: change upload/repo dist to bullseye
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-24 11:39:09 +02:00
Thomas Lamprecht
3cab23d0eb d/rules: cleanup systemd overrides
both `override_dh_systemd_enable` and `override_dh_systemd_start`
are ignored with current compat level 12, and will become an error in
level >= 13, so drop them and use `override_dh_installsystemd` for
both of the previous uses.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-24 11:16:11 +02:00
Thomas Lamprecht
ce9cfab89a bump version to 4.2-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-12 20:33:13 +02:00
Thomas Lamprecht
6dfe6a22a0 debian: run wrap-and-sort -abt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-12 20:31:52 +02:00
Thomas Lamprecht
1761e70e54 install pvefw-logger.service in multi-user.target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-12 20:31:52 +02:00
Thomas Lamprecht
156178627c d/control: bump debhelper compat to >= 12
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-12 20:22:32 +02:00
Thomas Lamprecht
59992ae7be fw logger: cosmetic fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-12 19:58:46 +02:00
Aaron Lauterer
12d3b75f1a fix #967: source: dest: limit length
iptables-restore has a buffer limit of 1024 for parameters [0].

If users end up adding a long list of IPs in the source or dest field
they might reach this limit. The result is that the rule will not be
applied and pve-firewall will show some error in the syslog which will
be "hidden" for most users.

Enforcing a smaller limit ourselves should help to avoid any such
situation. 512 characters should help to not run into any problems that
stem from differences in what counts as character. If people need longer
lists, using IP sets are the better approach anyway.

[0] http://git.netfilter.org/iptables/tree/iptables/xshared.c?h=v1.8.7#n469

Signed-off-by: Aaron Lauterer <a.lauterer@proxmox.com>
2021-04-22 17:49:44 +02:00
Mira Limbeck
ab9a6ae6fc fix #2358: allow --<opt> in firewall rule config files
The docs mention --<opt> as valid syntax for firewall rules, but the
code that parses the .fw files only accepts -<opt>. To make it
consistent with the docs and the API, also accept --<opt>.

In addition allow 'proto' as option, not only '-p'.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2021-02-22 14:42:23 +01:00
Thomas Lamprecht
8a4e5b696d bump version to 4.1-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-18 16:51:40 +02:00
Thomas Lamprecht
cf051802e6 improve log burst property description
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-18 16:39:08 +02:00
Thomas Lamprecht
e1bfce947d various typo fixes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-18 16:37:06 +02:00
Mira Limbeck
72194c7c6e introduce new icmp-type parameter
Currently icmp types are handled via 'dport'. This is not documented
anywhere except for a single line of comment in the code. To untangle
the icmp-type handling from the dport handling a new 'icmp-type'
parameter is introduced.

The valid 'icmp-type' values are limited to the names
(icmp[v6]_type_names hash in the code, same as ip[6]tables provides).
Type[/Code] values are not supported.

Support for ipv6-icmp is added to icmp-type parameter handling. This makes it
possible to specify icmpv6 types via the GUI.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2020-09-09 20:56:05 +02:00
Stoiko Ivanov
e410833b00 fix #2773: ebtables: keep policy of custom chains
currently all ebtables chains are created with a hardcoded policy of ACCEPT.
This patch changes the functionality to store the configured policy of a
chain while reading the 'ebtables-save' output and uses this policy when
creating the command list.

This is only relevant for ebtables chains not generated by pve-firewall (the
ones having an action of 'ignore' in the status-hash).

Reported on the pve-user list:
https://pve.proxmox.com/pipermail/pve-user/2020-May/171731.html

Minimally tested with the example from the thread.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2020-07-01 10:37:45 +02:00
Thomas Lamprecht
70718917e6 bump version to 4.1-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-06 17:41:46 +02:00
Thomas Lamprecht
14f7c4fd15 Revert "rules: verify referenced security group exists"
This could never work, we do not have the groups parsed at this
point.

This reverts commit 312ae5161f.
2020-05-06 17:40:33 +02:00
Thomas Lamprecht
c5530455c4 bump version to 4.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 15:02:40 +02:00
Thomas Lamprecht
0588bf2aa6 add dport: factor out ICMP-type validity checking
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 14:13:30 +02:00
Thomas Lamprecht
88614d7216 icmp: allow to specify the echo-reply (0) type as integer
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 14:13:02 +02:00
Thomas Lamprecht
1978585a40 fix typo: s/ICPM/ICMP/
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 14:12:13 +02:00
Thomas Lamprecht
29e5ce1536 test/simulator: add very basic ICMP type functionality
For now without integer to full-name, and vice versa, mapping of
ICMP types.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 14:10:55 +02:00
Thomas Lamprecht
430a2be282 fwtester: reduce extra empty lines a bit
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 14:09:53 +02:00
Thomas Lamprecht
e7b37bc345 test/README: whitespace fixes and slight rewording
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-04 13:52:44 +02:00
Mira Limbeck
d676aa18e2 fix wrong icmpv6 types
This removes icmpv6-type 'any' as it is not supported by ip6tables. It also
introduces the new icmpv6 types 'beyond-scope', 'failed-policy' and
'reject-route'. These values were taken from 'ip6tables -p icmpv6 -h'.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2020-05-04 12:08:59 +02:00
Mira Limbeck
be99c6a0e9 fix iptables-restore failing if icmp-type value > 255
This has to be done in both icmp and icmpv6 cases. Currently if
'ipv6-icmp' is set via the GUI ('icmpv6' is not available there) there
is no icmp-type handling. As this is meant to fix the iptables-restore
failure if an icmp-type > 255 is specified, no ipv6-icmp handling is
introduced.

These error messages are not logged as warnings are ignored. To get
these messages you have to run pve-firewall compile and look at the
output.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2020-05-04 12:08:59 +02:00
Thomas Lamprecht
1c49d333d7 d/control: bump pve-cluster dependency for new lock methods
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
312ae5161f rules: verify referenced security group exists
while this was already handled properly (as empty rules), adding this as
error makes it much more visible (in the GUI as well).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
644b5fc95a configs: warn about duplicate ipset entries
instead of silently dropping them when writing the config out.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
891545e828 api/ipsets: parse_cidr before checking for duplicates
for example, the config parser drops a trailing /32 for IPv4, so we
should do the same here.  otherwise we can have one entry for $IP and
one for $IP/32 with different properties until the next R-M-W cycle
drops one of them again.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
9388a8f47a clone_vmfw_conf: lock new config
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
a38849e650 api: lock configs
wherever we have a r-m-w cycle.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
0549601776 api: add locking helpers
for ipset, rules and alias API generation modules.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Fabian Grünbichler
fab41100e1 configs: add locking helpers
to allow some level of safe concurrent config modification, instead of
the current free for all.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-05-02 19:05:49 +02:00
Mira Limbeck
c5a10084b3 fix #2686: don't add arp-ip-src filter for dhcp
When the IPFilter setting is enabled and the container has DHCP
configured on an interface no 'arp-ip-src' filter should be added as we
don't have an IP address.
Previously '--arp-ip-src dhcp' was passed to ebtables which led to an error.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2020-05-02 18:52:12 +02:00
Christian Ebner
4fed896bb1 logging: Add missing logmsg for inbound rules
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2020-02-05 20:23:55 +01:00
Thomas Lamprecht
56a4714097 bump version to 4.0-10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-01-27 19:25:53 +01:00
Christian Ebner
870223fd40 macros: add macro for Proxmox Mail Gateway web interface
Macro to allow access to the PMG web interface when hosted on PVE.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2020-01-25 16:22:21 +01:00
Thomas Lamprecht
fdbdbf6010 fwtester: sort and group module usage
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-01-09 13:03:52 +01:00
Thomas Lamprecht
f78c7ca05b api node: always pass cluster conf to node FW parser
As else the parsing may lead to "false positive" errors, as cluster
wide aliases and other definitions are seemingly missing.

Reproducer:
* add *cluster* alias
* add+enable *host* rule using that alias
* enable FW on DC and node level
* go to Node -> FW -> Options
* check journal/syslog for error like:
> pveproxy[1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog
> pveproxy[1339680]:   source: no such alias 'test123'

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-01-09 12:55:15 +01:00
Thomas Lamprecht
75a12a9d84 grammar fix: s/does not exists/does not exist/g
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-12-13 12:07:16 +01:00
Thomas Lamprecht
5162c268e4 bump version to 4.0-9
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-12-03 08:12:23 +01:00
Christian Ebner
94e4ec75ca rules: allow connections on port range 60000:60050 in management network for migration
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
2019-12-03 06:15:37 +01:00
Wolfgang Bumiller
5ac03b1cb9 bump version to 4.0-8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-11-18 13:51:46 +01:00
Alexandre Derumier
ac5dd88e97 add synflood protection
Currently, a virtio-net + vhost-net can handle between 200-300 kpps for each vm (with 1core/queue=1).
That means a vm can easily be overloaded with a simple synflood (hping3 --flood -p 80 -S targetip).
Also the conntrack of the host can be saturated easily.

This patch introduces a new option, enabling rate limiting of syn/s by src ip (protection_synflood:1).

rate limit can be set with : protection_synflood_rate  (default 200 syn/s)
with an extra burst: protection_synflood_rate (default 1000).

It's also possible to reduce conntrack syn timeout: nf_conntrack_tcp_timeout_syn_recv (default 60).

with default values, a src ip can take around (60 * 200 = 12000 conntrack entries).

The iptables rules are done in raw table, before reaching the conntrack.

This protection works fine for non-spoofed src ip.
For spoofed src ip, the only way could be to implement SYNPROXY,
but this only works for routed/nat setups. (The host needs to be able to reply
with the src ip of the vm)

Some good information about synflood protections
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-11-18 13:48:09 +01:00
Alexandre Derumier
64e0adf411 iptables : add raw table support
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-11-18 13:48:09 +01:00
Fabian Grünbichler
09b3ece43e d/control: add (build-)depends on libpve-cluster-perl
since it contains PVE::Corosync now

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2019-11-18 12:50:28 +01:00
Thomas Lamprecht
e1639957a4 fw schemas: add defaults and improve some descriptions
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-10-22 11:14:44 +02:00