+ { match => '-s 0.0.0.0/32', target => '-j RETURN' }, # allow DHCP
+ { match => '-m addrtype --src-type BROADCAST', target => '-g PVEFW-smurflog' },
+ { match => '-s 224.0.0.0/4', target => '-g PVEFW-smurflog' },
+ ],
+ 'PVEFW-smurflog' => [
+ { action => 'DROP', logmsg => 'DROP: ' },
+ ],
+ 'PVEFW-logflags' => [
+ { action => 'DROP', logmsg => 'DROP: ' },
+ ],
+};
+
+$pve_std_chains_conf->{6} = {
+ 'PVEFW-SET-ACCEPT-MARK' => [
+ { target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
+ ],
+ 'PVEFW-DropBroadcast' => [
+ # same as shorewall 'Broadcast'
+ # simply DROP BROADCAST/MULTICAST/ANYCAST
+ # we can use this to reduce logging
+ #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6
+ # ipv6 addrtype does not work with kernel 2.6.32
+ #{ action => 'DROP', dsttype => 'MULTICAST' },
+ #{ action => 'DROP', dsttype => 'ANYCAST' },
+ { action => 'DROP', dest => 'ff00::/8' },
+ #{ action => 'DROP', dest => '224.0.0.0/4' },
+ ],
+ 'PVEFW-reject' => [
+ # same as shorewall 'reject'
+ #{ action => 'DROP', dsttype => 'BROADCAST' },
+ #{ action => 'DROP', source => '224.0.0.0/4' },
+ { action => 'DROP', proto => 'icmpv6' },
+ { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
+ #"-p udp -j REJECT --reject-with icmp-port-unreachable",
+ #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
+ #"-j REJECT --reject-with icmp-host-prohibited",
+ ],
+ 'PVEFW-Drop' => [
+ # same as shorewall 'Drop', which is equal to DROP,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
+ # Drop packets with INVALID state
+ { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
+ # Drop Microsoft SMB noise
+ { action => 'DROP', proto => 'udp', dport => '135,445' },
+ { action => 'DROP', proto => 'udp', dport => '137:139'},
+ { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'DROP', proto => 'tcp', dport => '135,139,445' },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-Reject' => [
+ # same as shorewall 'Reject', which is equal to Reject,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
+ { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
+ # Drop packets with INVALID state
+ { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
+ # Drop Microsoft SMB noise
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '137:139' },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-tcpflags' => [
+ # same as shorewall tcpflags action.
+ # Packets arriving on this interface are checked for som illegal combinations of TCP flags
+ { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' },
+ { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' },
+ { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' },
+ { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' },
+ { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' },
+ ],
+ 'PVEFW-logflags' => [
+ { action => 'DROP', logmsg => 'DROP: ' },