HTTPS clone URL
Subversion checkout URL
vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment
Fetching latest commit...
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
vzfirewall: extremely simple tool which configures opened ports and hosts for incoming connections in OpenVZ environment (C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/ Vzfirewall tool allows you to open/close ports for incoming connections with no dependencies to foreign IP addresses. E.g. you may allow a hostname release.prod.example.com to connect to port 5432 of VE 1234 and leave all other ports closed by modifying 1234.conf file adding multiline FIREWALL directive into it - see SYNOPSIS below. You must then run vzfirewall -a on your hardware node to apply changes made in *.conf. Note that it is recommended to use hostnames instead of IP addresses here, so the configuration is persistent for VE movements to different IP-address: you just need to run vzfirewall -a again after movement. It is also reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems). INSTALLATION ------------ cd /usr/sbin wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall chmod +x vzfirewall SYNOPSIS -------- 1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL directive is prefixed by "#" character, because else OpenVZ issues warnings about multi-line directives which are not supported): ... #FIREWALL=" # host.allowed.to.every.port # yet.another.host # * # means "any host" # #  # host.allowed.to.access.smtp # * # means "any" # # [80,443] # hosts.allowed.to.access.two.ports # # [udp:53] # * # # [CUSTOM] # # You may use "$THIS" macro which is replaced by this machine IP # # (and, if the machine has many IPs, it will be multiplicated). # -A INPUT -i eth2 -d $THIS -j ACCEPT # # Or you may use commands with no references to $THIS (only # # such commands are allowed for 0.conf file). # -A INPUT -i eth1 -j ACCEPT #" ... We use FIREWALL directive in plain VE configs, not in separate files, to allow to vzmigrate it easily from one node to another. Note the "#" characters again. 2. Run: # vzfirewall -a - to apply rules # vafirewall -t - to test rules with no application