Skip to content
vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment
Find file
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


vzfirewall: extremely simple tool which configures opened ports 
            and hosts for incoming connections in OpenVZ environment 
(C) dkLab,

Vzfirewall tool allows you to open/close ports for incoming connections 
with no dependencies to foreign IP addresses. E.g. you may allow a hostname to connect to port 5432 of VE 1234 and leave all 
other ports closed by modifying 1234.conf file adding multiline FIREWALL 
directive into it - see SYNOPSIS below.

You must then run vzfirewall -a on your hardware node to apply changes 
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here, 
so the configuration is persistent for VE movements to different IP-address: 
you just need to run vzfirewall -a again after movement. It is also 
reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems).


cd /usr/sbin
chmod +x vzfirewall


1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
   directive is prefixed by "#" character, because else OpenVZ issues
   warnings about multi-line directives which are not supported):
   #   * # means "any host"
   #   [25]
   #   * # means "any"
   #   [80,443]
   #   [udp:53]
   #    *
   #   [CUSTOM]
   #   # You may use "$THIS" macro which is replaced by this machine IP
   #   # (and, if the machine has many IPs, it will be multiplicated).
   #   -A INPUT -i eth2 -d $THIS -j ACCEPT
   #   # Or you may use commands with no references to $THIS (only
   #   # such commands are allowed for 0.conf file).
   #   -A INPUT -i eth1 -j ACCEPT
   We use FIREWALL directive in plain VE configs, not in separate files,
   to allow to vzmigrate it easily from one node to another. Note the "#"
   characters again.

2. Run:
   # vzfirewall -a  - to apply rules
   # vafirewall -t  - to test rules with no application
Something went wrong with that request. Please try again.