Hi,
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=d9e7522b561ceb323e93affb29c9fced89fed967
>
> would just require a bump + upload

Is it possible to backport it to pve 6? (I have seen 2 users on the forum requesting it.)

On Friday, 10 September 2021 at 12:43 +0200, Fabian Grünbichler wrote:
> On September 10, 2021 12:31 pm, alexandre derumier wrote:
> > Hi,
> >
> > multiple users have reported problems with hetzner in bridged mode this
> > week and pve-firewall
> > https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/
> > https://forum.proxmox.com/threads/mac-address-abuse-report.95656/
> >
> > Seems that hetzner have bugs or are under attack, but they are flooding
> > traffic to proxmox nodes with wrong mac/ip destination.
> >
> > The problem is that if users use pve-firewall with reject rules, the
> > RST packet is sent with the wrong mac/ip as source,
> >
> > and then hetzner is blocking the server of the users ....
> >
> >
> > I'm looking to see if we could add filtering at ebtables level, to drop
> > wrong mac destination.
> >
> > But there is also another problem, if user use DROP as default action,
> > we have a default REJECT for whois port 53.
> >
> > 'PVEFW-Drop' => [
> >     # same as shorewall 'Drop', which is equal to DROP,
> >     # but REJECT/DROP some packages to reduce logging,
> >     # and ACCEPT critical ICMP types
> >     { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
> >
> > Does somebody know why we do a reject here ? could it be changed to
> > drop ?
>
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=d9e7522b561ceb323e93affb29c9fced89fed967
>
> would just require a bump + upload

_______________________________________________
pve-devel mailing list
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
