

Setting up a firewall that allows per-container configuration

On our systems, we use the HN to provide privileged services which are not appropriate for access by the containers. For example, the HN acts as a backup server, runs Nagios for health monitoring, has a webserver for managing the 3ware RAID controller, etc.

The containers are leased to customers, who can't entirely be trusted, especially if they get hacked.

As such, our scenario is one in which the HN must be protected from all access (even from the containers) except for a few trusted hosts. The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domains.

Simple firewall configuration independent of IP addresses: vzfirewall

The vzfirewall tool allows you to open and close ports for incoming connections without tying the configuration to specific foreign IP addresses. For example, you may allow a hostname to connect to port 5432 of VE 1234 and leave all other ports closed by adding a multiline FIREWALL directive to the VE's .conf file:

# Allow access to PostgreSQL port only from release.prod

You must then run vzfirewall -a on your hardware node to apply changes made in *.conf. Note that it is recommended to use hostnames instead of IP addresses here, so the configuration stays valid when a VE is moved to a different IP address: you just need to run vzfirewall -a again after the move. It is also reboot-safe, as the rules are applied to /etc/sysconfig/iptables (on RHEL systems).

Vzfirewall and its documentation are available at.
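An added illustration of why hostname-based rules are recommended and why vzfirewall -a must be rerun after a move (example code written for this page, not vzfirewall's own implementation or config format): a simplified Python model that turns a per-VE policy keyed by port, in the spirit of the FIREWALL directive for VE 1234 and release.prod, into iptables INPUT rules. Hostnames are resolved at apply time through a constructed lookup table standing in for DNS, so the generated rules are a snapshot: both the VE moving to a new address and a trusted host changing its address require regenerating them.

```python
import ipaddress

# Hypothetical simplified policy for VE 1234, modelled on the FIREWALL directive
# (not vzfirewall's real format): port -> hostnames allowed to reach it.
# Every port that is not listed stays closed.
POLICY_VE_1234 = {5432: ["release.prod"]}

# Constructed lookup table standing in for DNS so the example runs offline.
DNS_SNAPSHOT = {"release.prod": "192.0.2.10"}


def resolve(hostname, dns):
    """Resolve a hostname via the supplied table, validating the result as an IP."""
    if hostname not in dns:
        # Refuse to apply a partial policy: a silently skipped host would
        # either lock out a trusted host or leave the rule set inconsistent.
        raise LookupError(f"cannot resolve {hostname}")
    return str(ipaddress.ip_address(dns[hostname]))


def render_rules(ve_ip, policy, dns):
    """Return iptables INPUT rules for one VE: allow established traffic, then
    the listed hosts per port, then drop every other new connection."""
    rules = [f"-A INPUT -d {ve_ip} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port, hosts in sorted(policy.items()):
        for host in hosts:
            src = resolve(host, dns)  # resolved now: the rule holds this IP, not the name
            rules.append(f"-A INPUT -d {ve_ip} -p tcp --dport {port} -s {src} -j ACCEPT")
    rules.append(f"-A INPUT -d {ve_ip} -m state --state NEW -j DROP")
    return rules


if __name__ == "__main__":
    before = render_rules("10.0.0.34", POLICY_VE_1234, DNS_SNAPSHOT)
    # VE 1234 moved to a new address: same policy, regenerate (what vzfirewall -a does)
    after_move = render_rules("10.0.0.77", POLICY_VE_1234, DNS_SNAPSHOT)
    # release.prod changed address: the snapshot is stale until regenerated as well
    after_dns = render_rules("10.0.0.77", POLICY_VE_1234, {"release.prod": "192.0.2.20"})
    for name, rules in [("before", before), ("after move", after_move), ("after DNS change", after_dns)]:
        print(f"== {name}")
        print("\n".join(rules))
```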
