Linux-Firewall will not 'Activate at Boot' in VPS

#1 Sat, 06/06/2009 - 01:34
chriswayg

Hi,

Webmin's Linux-Firewall will not 'Activate at Boot' inside a Virtuozzo/OpenVZ VPS when running on Debian Lenny. I was surprised to find out that my firewall had disappeared, even after setting it in Webmin to start automatically during reboot. This has changed from Debian 4 to Debian 5, and may apply to other distros.

The setting will be lost after reboot due to interference from Virtuozzo/OpenVZ. The setting is recorded inside the file /etc/network/interfaces (the post-up line below):

# This configuration file is auto-generated.
# WARNING: Do not edit this file, otherwise your changes will be lost.
# Please edit template /etc/network/interfaces.template instead.

auto lo
iface lo inet loopback
    address 127.0.0.1
    netmask 255.0.0.0
    broadcast 127.255.255.255
    up ip route replace 127.0.0.0/8 dev lo
    post-up iptables-restore < /etc/iptables.up.rules
# Auto generated venet0 interfaces
auto venet0
...

In Virtuozzo/OpenVZ, the file is overwritten at each reboot, as documented here: http://wiki.vpslink.com/Differences_between_Virtual_Private_Servers_and_Dedicated_Servers

Webmin does not take this into account, as it has no awareness of the VPS environment. As a result the Webmin setting cannot be used inside the VPS. A workaround is to manually append the setting to /etc/network/interfaces.template in the applicable location:

post-up iptables-restore < /etc/iptables.up.rules

I believe this is a bug in Webmin and should be filed as a bug report, if not already done.

Christian
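The workaround described in this post, as an added example (editor's code, not Webmin's and not from the original poster): a small POSIX shell script that checks whether /etc/network/interfaces carries the OpenVZ "auto-generated" banner and, if so, inserts the iptables-restore hook into the 'iface lo inet loopback' stanza of /etc/network/interfaces.template, where Virtuozzo/OpenVZ will copy it from at every boot. It is idempotent, so it can be re-run safely. Assumptions: the template path and the rules path /etc/iptables.up.rules (Webmin's default on Debian) are taken from the post; the detection regex and the function names are the editor's own; it must run as root on the real container.

```shell
#!/bin/sh
# Added example (not from the original post or from Webmin): make the
# iptables-restore hook survive OpenVZ/Virtuozzo regenerating
# /etc/network/interfaces from /etc/network/interfaces.template at boot.
# Assumed paths (from the post): the template next to the interfaces file,
# and Webmin's saved rules in /etc/iptables.up.rules.

RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
HOOK="post-up iptables-restore < $RULES_FILE"

# Returns 0 if the interfaces file carries the VZ "auto-generated" banner,
# i.e. any edit made directly to it will be lost at the next reboot.
is_vz_generated() {
    grep -q '^# Please edit template .*interfaces\.template' "$1" 2>/dev/null
}

# Insert the post-up hook at the end of the 'iface lo inet loopback' stanza
# of the given template (before the next auto/iface/comment/blank line).
# Idempotent: does nothing if the hook is already present.
ensure_hook_in_template() {
    tmpl="$1"
    if grep -qF "$HOOK" "$tmpl"; then
        return 0
    fi
    awk -v hook="$HOOK" '
        /^iface lo inet loopback/ { in_lo = 1; print; next }
        in_lo && (/^iface / || /^auto / || /^#/ || /^$/) {
            print "    " hook; in_lo = 0
        }
        { print }
        END { if (in_lo) print "    " hook }
    ' "$tmpl" > "$tmpl.new" \
        && cat "$tmpl.new" > "$tmpl" && rm -f "$tmpl.new"   # keep owner/mode
}

# Number of times the hook occurs in a file (used to verify idempotency).
hook_count() {
    grep -cF "$HOOK" "$1"
}

# $1: interfaces file, $2: template file (defaults are the real VZ paths).
# Returns 0 if the hook was ensured in the template, 1 if this is not a
# VZ-regenerated interfaces file (then Webmin's own setting should persist).
apply_workaround() {
    interfaces="${1:-/etc/network/interfaces}"
    template="${2:-/etc/network/interfaces.template}"
    if ! is_vz_generated "$interfaces"; then
        echo "$interfaces is not auto-generated; no template edit needed"
        return 1
    fi
    [ -r "$RULES_FILE" ] || echo "warning: $RULES_FILE missing, post-up will fail" >&2
    ensure_hook_in_template "$template"
    echo "hook ensured in $template"
}
```

Run `apply_workaround` with no arguments on the container; the warning about a missing rules file matters because a failing post-up command makes `ifup lo` report an error at boot.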

Sat, 06/06/2009 - 03:08
ronald

IMO there is no use for a firewall in a VPS environment. You can't manipulate kernel network filters on a VPS (you can do some on a Xen-based VPS, though).

Sat, 06/06/2009 - 04:47 (Reply to #2)
chriswayg

<b>ronald wrote:</b>
<div class='quote'>IMO there is no use for a firewall in a VPS environment. You can't manipulate kernel network filters on a VPS (you can do some on a Xen-based VPS, though).</div>

Could you clarify what you mean by 'manipulate kernel network filters'?

Certainly you can set up iptables rules. The iptables firewall works, and has been working just fine for 2 years on Debian 4 with Webmin.

Use cases? There are plenty, just a few examples:
- Running a web-app behind Apache in a protected directory, without wanting to expose the port to all the world (Splunk, Plone ZMI, etc.)
- PSAD (Port Scan Attack Detector) requires a firewall for its operation

The only limitation I experienced was that fwsnort requires the iptables string match module, which was not available in the VZ kernel.
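The first use case above (a web app reachable only through Apache on the same box), as an added example that is not part of the original thread: a shell function that writes a minimal rules file in the iptables-restore format that Webmin saves to /etc/iptables.up.rules. The application port is kept off the public ACCEPT list, so only the loopback rule admits it; SSH, HTTP and HTTPS stay open. The port number and the function names are the editor's assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original thread or from Webmin): a saved
# rules file restricting a local web app to loopback-only access.
# Assumption: the app listens on $2 (default 8080) and Apache proxies to it.

# $1: destination path (e.g. /etc/iptables.up.rules), $2: app port.
write_rules_file() {
    out="$1"; app_port="${2:-8080}"
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic, including Apache -> app on port $app_port
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services; port $app_port is deliberately absent, so with the
# DROP policy it is reachable over lo only
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in a saved file (for checking what was written).
rule_count() {
    grep -c '^-A ' "$1"
}

# Returns 0 if the file opens a public (non-loopback) ACCEPT for the port.
port_publicly_accepted() {
    grep -q -- "--dport $2 -j ACCEPT" "$1"
}
```

Load it with `iptables-restore < /etc/iptables.up.rules` (as root) and confirm with `iptables -L INPUT -n` that the app port shows up nowhere except behind the `lo` rule; the `-m state` match must itself be available in the container kernel, which, like the string match the post mentions, is up to the hosting provider.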

Sat, 06/06/2009 - 05:27 (Reply to #3)
ronald

Ah, if iptables support is not compiled into the VPS kernel, you cannot activate the iptables firewall yourself.
I figured that would have been the issue. (Your link is pointing to virtualmin.com, btw.)

Sat, 06/06/2009 - 06:17 (Reply to #4)
chriswayg

Well, Ronald, apparently some people had problems with OpenVZ support for iptables. Virtuozzo 3 & 4, which has been used by my provider, has had good iptables support, and I never had a problem with the basic firewall functionality. Maybe some hosting companies do not enable iptables modules for the VZ containers.

The issue described above is solely related to the way that Webmin handles the config files. It should modify the interfaces.template file (if found), but it fails to do that.

(the VPS-link has been fixed)

Christian

Sat, 06/06/2009 - 12:35
Joe

I'm not sure I understand what Webmin needs to do to work with this particular VPS type (or why the VPS doesn't work with standard iptables configuration files, if it allows iptables rules to be used). The link you've provided doesn't include anything about iptables that I can see.

So, what is "/etc/network/interfaces.template"? Is that a standard iptables save file? (If so, why doesn't OpenVZ use the standard Debian iptables save files?)

We can probably make this work, but at the moment I don't understand what Webmin needs to do to work the way OpenVZ expects.

