Skip to content
/ vzfirewall Public
forked from dimikot/vzfirewall

vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment

dklab.ru/lib/dklab_vzfirewall/

License

LGPL-2.1 license
0 stars 6 forks Branches Tags Activity
Star

CoreTex/vzfirewall

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
README.txt
README.txt
 
 
license.txt
license.txt
 
 
vps.premount
vps.premount
 
 
vzfirewall
vzfirewall
 
 
vzfirewall.conf
vzfirewall.conf
 
 
vzfirewall6
vzfirewall6
 
 

Repository files navigation

vzfirewall: an extremely simple tool to configure opened ports
            and hosts for incoming connections in OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/


Vzfirewall tool allows you to open/close ports for incoming connections
with no dependencies to foreign IP addresses. E.g. you may allow a hostname
release.prod.example.com to connect to port 5432 of VE 1234 and leave all
other ports closed by modifying 1234.conf file adding multiline FIREWALL
directive into it - see SYNOPSIS below.

You must then run vzfirewall -a on your hardware node to apply changes
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here,
so the configuration is persistent for VE movements to different IP-address:
you just need to run vzfirewall -a again after movement. It is also
reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems).


INSTALLATION
------------

cd /usr/sbin
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

# Optional:  vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)

cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
    wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
    chmod +x vps.premount )


SYNOPSIS
--------

1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
   directive is prefixed by "#" character, because else OpenVZ issues
   warnings about multi-line directives which are not supported):
   ...
   #FIREWALL="
   #   host.allowed.to.every.port
   #   yet.another.host
   #   * # means "any host"
   #
   #   [25]
   #   host.allowed.to.access.smtp
   #   * # means "any"
   #
   #   [80,443]
   #   hosts.allowed.to.access.two.ports
   #
   #   [udp:53]
   #    *
   #
   #   [CUSTOM]
   #   # You may use "$THIS" macro which is replaced by this machine IP
   #   # (and, if the machine has many IPs, it will be multiplicated).
   #   -A INPUT -i eth2 -d $THIS -j ACCEPT
   #   # Or you may use commands with no references to $THIS (only
   #   # such commands are allowed for 0.conf file).
   #   -A INPUT -i eth1 -j ACCEPT
   #"
   ...
   We use FIREWALL directive in plain VE configs, not in separate files,
   to allow to vzmigrate it easily from one node to another. Note the "#"
   characters again.

2. Run:
   # vzfirewall -a     - to apply rules
   # vzfirewall -t     - to test rules with no application
   # vzfirewall -h -v  - vzfirewall documentation

About

vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment

dklab.ru/lib/dklab_vzfirewall/

Resources

Readme

License

LGPL-2.1 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Perl 100.0%