vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


vzfirewall: an extremely simple tool to configure opened ports
            and hosts for incoming connections in OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/

Vzfirewall tool allows you to open/close ports for incoming connections
with no dependencies to foreign IP addresses. E.g. you may allow a hostname
release.prod.example.com to connect to port 5432 of VE 1234 and leave all
other ports closed by modifying 1234.conf file adding multiline FIREWALL
directive into it - see SYNOPSIS below.

You must then run vzfirewall -a on your hardware node to apply changes
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here,
so the configuration is persistent for VE movements to different IP-address:
you just need to run vzfirewall -a again after movement. It is also
reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems).


cd /usr/sbin
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

# Optional:  vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)

cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
    wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
    chmod +x vps.premount )


1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
   directive is prefixed by "#" character, because else OpenVZ issues
   warnings about multi-line directives which are not supported):
   #   host.allowed.to.every.port
   #   yet.another.host
   #   * # means "any host"
   #   [25]
   #   host.allowed.to.access.smtp
   #   * # means "any"
   #   [80,443]
   #   hosts.allowed.to.access.two.ports
   #   [udp:53]
   #    *
   #   [CUSTOM]
   #   # You may use "$THIS" macro which is replaced by this machine IP
   #   # (and, if the machine has many IPs, it will be multiplicated).
   #   -A INPUT -i eth2 -d $THIS -j ACCEPT
   #   # Or you may use commands with no references to $THIS (only
   #   # such commands are allowed for 0.conf file).
   #   -A INPUT -i eth1 -j ACCEPT
   We use FIREWALL directive in plain VE configs, not in separate files,
   to allow to vzmigrate it easily from one node to another. Note the "#"
   characters again.

2. Run:
   # vzfirewall -a     - to apply rules
   # vzfirewall -t     - to test rules with no application
   # vzfirewall -h -v  - vzfirewall documentation