# same as shorewall 'Drop', which is equal to DROP,
# but REJECT/DROP some packages to reduce logging,
# and ACCEPT critical ICMP types
- { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
# we are not interested in BROADCAST/MULTICAST/ANYCAST
{ action => 'PVEFW-DropBroadcast' },
# ACCEPT critical ICMP types
# same as shorewall 'Reject', which is equal to Reject,
# but REJECT/DROP some packages to reduce logging,
# and ACCEPT critical ICMP types
- { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
# we are not interested in BROADCAST/MULTICAST/ANYCAST
{ action => 'PVEFW-DropBroadcast' },
# ACCEPT critical ICMP types
}
# core functions
-my $bridge_firewall_enabled = 0;
sub enable_bridge_firewall {
- return if $bridge_firewall_enabled; # only once
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
# make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
- $bridge_firewall_enabled = 1;
}
sub iptables_restore_cmdlist {