
pve-firewall compile

a guest
Aug 6th, 2021
  1. ipset cmdlist:
  2.  
  3. update PVEFW-0-management-v4 (18beyoXOE3m4WmJuahn8nk7kBHk)
  4.  
  5. create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
  6.  
  7. add PVEFW-0-management-v4 127.0.0.0/8
  8.  
  9. update PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
  10.  
  11. create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
  12.  
  13.  
  14.  
  15. iptables cmdlist:
  16.  
  17. exists GROUP-proxmox-IN (6v1kdZWg42I+KyVK4u5/+KQ8AKw)
  18.  
  19. -A GROUP-proxmox-IN -j MARK --set-mark 0x00000000/0x80000000
  20.  
  21. -A GROUP-proxmox-IN -p tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
  22.  
  23. -A GROUP-proxmox-IN -p tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
  24.  
  25. -A GROUP-proxmox-IN -p tcp --dport 25 -g PVEFW-SET-ACCEPT-MARK
  26.  
  27. -A GROUP-proxmox-IN -p tcp --dport 465 -g PVEFW-SET-ACCEPT-MARK
  28.  
  29. -A GROUP-proxmox-IN -p tcp --dport 587 -g PVEFW-SET-ACCEPT-MARK
  30.  
  31. -A GROUP-proxmox-IN -p tcp --dport 5900:5999 -g PVEFW-SET-ACCEPT-MARK
  32.  
  33. -A GROUP-proxmox-IN -p udp --dport 111 -g PVEFW-SET-ACCEPT-MARK
  34.  
  35. -A GROUP-proxmox-IN -p tcp --dport 3128 -g PVEFW-SET-ACCEPT-MARK
  36.  
  37. -A GROUP-proxmox-IN -p udp --dport 5404:5405 -g PVEFW-SET-ACCEPT-MARK
  38.  
  39. -A GROUP-proxmox-IN -p tcp --dport 60000:60050 -g PVEFW-SET-ACCEPT-MARK
  40.  
  41. -A GROUP-proxmox-IN -p icmp -g PVEFW-SET-ACCEPT-MARK
  42.  
  43. exists GROUP-proxmox-OUT (tZr2a960IhOJdtNbHplv0z6TvE0)
  44.  
  45. -A GROUP-proxmox-OUT -j MARK --set-mark 0x00000000/0x80000000
  46.  
  47. exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
  48.  
  49. -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
  50.  
  51. -A PVEFW-Drop -j PVEFW-DropBroadcast
  52.  
  53. -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
  54.  
  55. -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
  56.  
  57. -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
  58.  
  59. -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
  60.  
  61. -A PVEFW-Drop -p udp --dport 137:139 -j DROP
  62.  
  63. -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
  64.  
  65. -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
  66.  
  67. -A PVEFW-Drop -p udp --dport 1900 -j DROP
  68.  
  69. -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  70.  
  71. -A PVEFW-Drop -p udp --sport 53 -j DROP
  72.  
  73. exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
  74.  
  75. -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
  76.  
  77. -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
  78.  
  79. -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
  80.  
  81. -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
  82.  
  83. exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
  84.  
  85. -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
  86.  
  87. -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  88.  
  89. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
  90.  
  91. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
  92.  
  93. exists PVEFW-FWBR-IN (Ijl7/xz0DD7LF91MlLCz0ybZBE0)
  94.  
  95. -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  96.  
  97. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  98.  
  99. exists PVEFW-HOST-IN (93o6Enok0Qo1oibCoQmMopO17Tw)
  100.  
  101. -A PVEFW-HOST-IN -i lo -j ACCEPT
  102.  
  103. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
  104.  
  105. -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  106.  
  107. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
  108.  
  109. -A PVEFW-HOST-IN -p igmp -j RETURN
  110.  
  111. -A PVEFW-HOST-IN -i vmbr0 -j GROUP-proxmox-IN
  112.  
  113. -A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
  114.  
  115. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
  116.  
  117. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
  118.  
  119. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
  120.  
  121. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
  122.  
  123. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
  124.  
  125. -A PVEFW-HOST-IN -j PVEFW-Drop
  126.  
  127. -A PVEFW-HOST-IN -j DROP
  128.  
  129. exists PVEFW-HOST-OUT (5ArqJGaAsz2ybN1lcuXFbZNExLE)
  130.  
  131. -A PVEFW-HOST-OUT -o lo -j ACCEPT
  132.  
  133. -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
  134.  
  135. -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  136.  
  137. -A PVEFW-HOST-OUT -p igmp -j RETURN
  138.  
  139. -A PVEFW-HOST-OUT -o vmbr0 -j GROUP-proxmox-OUT
  140.  
  141. -A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
  142.  
  143. -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 8006 -j RETURN
  144.  
  145. -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 22 -j RETURN
  146.  
  147. -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 5900:5999 -j RETURN
  148.  
  149. -A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp --dport 3128 -j RETURN
  150.  
  151. -A PVEFW-HOST-OUT -j RETURN
  152.  
  153. exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
  154.  
  155. -A PVEFW-INPUT -j PVEFW-HOST-IN
  156.  
  157. exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
  158.  
  159. -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
  160.  
  161. exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
  162.  
  163. -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
  164.  
  165. -A PVEFW-Reject -j PVEFW-DropBroadcast
  166.  
  167. -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
  168.  
  169. -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
  170.  
  171. -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
  172.  
  173. -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
  174.  
  175. -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
  176.  
  177. -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
  178.  
  179. -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
  180.  
  181. -A PVEFW-Reject -p udp --dport 1900 -j DROP
  182.  
  183. -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  184.  
  185. -A PVEFW-Reject -p udp --sport 53 -j DROP
  186.  
  187. exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
  188.  
  189. -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
  190.  
  191. exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
  192.  
  193. -A PVEFW-logflags -j DROP
  194.  
  195. exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
  196.  
  197. -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
  198.  
  199. -A PVEFW-reject -s 224.0.0.0/4 -j DROP
  200.  
  201. -A PVEFW-reject -p icmp -j DROP
  202.  
  203. -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
  204.  
  205. -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
  206.  
  207. -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
  208.  
  209. -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
  210.  
  211. exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
  212.  
  213. -A PVEFW-smurflog -j DROP
  214.  
  215. exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
  216.  
  217. -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
  218.  
  219. -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
  220.  
  221. -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
  222.  
  223. exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
  224.  
  225. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
  226.  
  227. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
  228.  
  229. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
  230.  
  231. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
  232.  
  233. -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
  234.  
  235.  
  236.  
  237. ip6tables cmdlist:
  238.  
  239. exists GROUP-proxmox-IN (pWEVPl+vestmqZiaCTU1BEnclr0)
  240.  
  241. -A GROUP-proxmox-IN -j MARK --set-mark 0x00000000/0x80000000
  242.  
  243. -A GROUP-proxmox-IN -p tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
  244.  
  245. -A GROUP-proxmox-IN -p tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
  246.  
  247. -A GROUP-proxmox-IN -p tcp --dport 25 -g PVEFW-SET-ACCEPT-MARK
  248.  
  249. -A GROUP-proxmox-IN -p tcp --dport 465 -g PVEFW-SET-ACCEPT-MARK
  250.  
  251. -A GROUP-proxmox-IN -p tcp --dport 587 -g PVEFW-SET-ACCEPT-MARK
  252.  
  253. -A GROUP-proxmox-IN -p tcp --dport 5900:5999 -g PVEFW-SET-ACCEPT-MARK
  254.  
  255. -A GROUP-proxmox-IN -p udp --dport 111 -g PVEFW-SET-ACCEPT-MARK
  256.  
  257. -A GROUP-proxmox-IN -p tcp --dport 3128 -g PVEFW-SET-ACCEPT-MARK
  258.  
  259. -A GROUP-proxmox-IN -p udp --dport 5404:5405 -g PVEFW-SET-ACCEPT-MARK
  260.  
  261. -A GROUP-proxmox-IN -p tcp --dport 60000:60050 -g PVEFW-SET-ACCEPT-MARK
  262.  
  263. exists GROUP-proxmox-OUT (tZr2a960IhOJdtNbHplv0z6TvE0)
  264.  
  265. -A GROUP-proxmox-OUT -j MARK --set-mark 0x00000000/0x80000000
  266.  
  267. exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
  268.  
  269. -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
  270.  
  271. -A PVEFW-Drop -j PVEFW-DropBroadcast
  272.  
  273. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  274.  
  275. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
  276.  
  277. -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
  278.  
  279. -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
  280.  
  281. -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
  282.  
  283. -A PVEFW-Drop -p udp --dport 137:139 -j DROP
  284.  
  285. -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
  286.  
  287. -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
  288.  
  289. -A PVEFW-Drop -p udp --dport 1900 -j DROP
  290.  
  291. -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  292.  
  293. -A PVEFW-Drop -p udp --sport 53 -j DROP
  294.  
  295. exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
  296.  
  297. -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
  298.  
  299. exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
  300.  
  301. -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
  302.  
  303. -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  304.  
  305. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
  306.  
  307. -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
  308.  
  309. exists PVEFW-FWBR-IN (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  310.  
  311. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  312.  
  313. exists PVEFW-HOST-IN (f9964YEWHC8PLlIXqwuCVilosns)
  314.  
  315. -A PVEFW-HOST-IN -i lo -j ACCEPT
  316.  
  317. -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
  318.  
  319. -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  320.  
  321. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
  322.  
  323. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
  324.  
  325. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
  326.  
  327. -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
  328.  
  329. -A PVEFW-HOST-IN -p igmp -j RETURN
  330.  
  331. -A PVEFW-HOST-IN -i vmbr0 -j GROUP-proxmox-IN
  332.  
  333. -A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
  334.  
  335. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
  336.  
  337. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
  338.  
  339. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
  340.  
  341. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
  342.  
  343. -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
  344.  
  345. -A PVEFW-HOST-IN -j PVEFW-Drop
  346.  
  347. -A PVEFW-HOST-IN -j DROP
  348.  
  349. exists PVEFW-HOST-OUT (J6Kq8kq43CTWLrmXDFqQI1td3uE)
  350.  
  351. -A PVEFW-HOST-OUT -o lo -j ACCEPT
  352.  
  353. -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
  354.  
  355. -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  356.  
  357. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
  358.  
  359. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
  360.  
  361. -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
  362.  
  363. -A PVEFW-HOST-OUT -p igmp -j RETURN
  364.  
  365. -A PVEFW-HOST-OUT -o vmbr0 -j GROUP-proxmox-OUT
  366.  
  367. -A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
  368.  
  369. -A PVEFW-HOST-OUT -j RETURN
  370.  
  371. exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
  372.  
  373. -A PVEFW-INPUT -j PVEFW-HOST-IN
  374.  
  375. exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
  376.  
  377. -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
  378.  
  379. exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
  380.  
  381. -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
  382.  
  383. -A PVEFW-Reject -j PVEFW-DropBroadcast
  384.  
  385. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  386.  
  387. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
  388.  
  389. -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
  390.  
  391. -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
  392.  
  393. -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
  394.  
  395. -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
  396.  
  397. -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
  398.  
  399. -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
  400.  
  401. -A PVEFW-Reject -p udp --dport 1900 -j DROP
  402.  
  403. -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  404.  
  405. -A PVEFW-Reject -p udp --sport 53 -j DROP
  406.  
  407. exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
  408.  
  409. -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
  410.  
  411. exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
  412.  
  413. -A PVEFW-logflags -j DROP
  414.  
  415. exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
  416.  
  417. -A PVEFW-reject -p icmpv6 -j DROP
  418.  
  419. -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
  420.  
  421. -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
  422.  
  423. -A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
  424.  
  425. exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
  426.  
  427. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
  428.  
  429. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
  430.  
  431. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
  432.  
  433. -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
  434.  
  435. -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
  436.  
  437.  
  438.  
  439. ebtables cmdlist:
  440.  
  441. exists PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
  442.  
  443. -A PVEFW-FORWARD -p IPv4 -j ACCEPT
  444.  
  445. -A PVEFW-FORWARD -p IPv6 -j ACCEPT
  446.  
  447. -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
  448.  
  449. exists PVEFW-FWBR-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  450.  
  451. ignore FORWARD (zuQi5YOvmMWiM9zohnQw/qWemOA)
  452.  
  453. ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  454.  
  455. ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
  456.  
  457.  
  458.  
  459. iptables table raw cmdlist:
  460.  
  461.  
  462.  
  463. ip6tables table raw cmdlist:
  464.  
  465. detected changes