CFS or Firewalld

Discussion in 'Networking Questions' started by KrazyBob, Apr 4, 2017.

  1. KrazyBob

    KrazyBob Mega Poster

    I have a current network that sits behind a smart firewall. Expensive to own, but well worth the money. I am adding another location just for dedicated servers where I won't be behind a firewall. I prefer to load Virtuozzo as a buffer between the world and the server. For example, if a hacker gets in, issues a crond -r and empties the cron that runs an app looking for a hack, I'm vulnerable. But if I run it from the HN as a superuser (/vz/private/110/var/spool/crond...), they can't get to it. Sneaky, I know. I am actually preconfigured for certain bots being uploaded to /tmp, and I check each minute for their presence.

    At any rate, I won't have a hardware firewall at that location for some time. Non-contiguous IPs and no NATing. This means that I'll need to install CFS or Firewalld for the customer. I'll be installing Plesk as well. As I understand it, if I run CFS or Firewalld on the HN it 'should' globally block the individual container(s). Is this correct? Should I load CFS/firewalld in each container following the commands for doing this? Which is a better choice: CFS, Firewalld, Plesk's own use of iptables, or APF/BFD? I realize that this is Virtuozzo being supported here.

    I am asking instead of experimenting because I won't have the ability to experiment at a remote location 2500 miles away. I would be grateful to those who have already learned this.
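
The node-side check Bob describes, as an added example (his own script is not in the thread): a script meant for the HN's root crontab that inspects each container's /tmp from outside the container, so an intruder who wipes the container's crontab cannot disable it. It generalizes the name-based check in the post: instead of a fixed list of bot filenames, it flags any ELF executable and any hidden directory under the CT's /tmp; that indicator choice, the /vz/private/<ctid> layout (taken from the path style in the post) and the crontab path are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: run from the hardware node's (HN) root
# crontab so a compromised container cannot remove the job by clearing its own
# crontab. Assumptions (not in the thread): container private areas live under
# /vz/private/<ctid>, and an ELF executable or a hidden directory in a
# container's /tmp is an indicator worth reporting.

VZ_PRIVATE="${VZ_PRIVATE:-/vz/private}"

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Scan one container's /tmp given its private-area path. Prints one line per
# finding: "<ctid> <reason> <path>". Returns 0 if nothing found, 1 otherwise.
scan_ct_tmp() {
    ct_private="$1"
    ctid=$(basename "$ct_private")
    tmp="$ct_private/tmp"
    found=0
    [ -d "$tmp" ] || return 0
    # Second glob picks up dotfiles/dotdirs, which a plain * skips.
    for f in "$tmp"/* "$tmp"/.[!.]*; do
        [ -e "$f" ] || continue
        if [ -d "$f" ]; then
            case "$(basename "$f")" in
                .*) echo "$ctid hidden-dir $f"; found=1 ;;
            esac
        elif [ -f "$f" ] && is_elf "$f"; then
            echo "$ctid elf-in-tmp $f"; found=1
        fi
    done
    return $found
}

# Scan every container under $VZ_PRIVATE. Exit 1 if anything was reported,
# so cron's mail (or a wrapper) can treat a non-zero exit as an alert.
scan_all() {
    status=0
    for d in "$VZ_PRIVATE"/*/; do
        [ -d "$d" ] || continue
        scan_ct_tmp "${d%/}" || status=1
    done
    return $status
}

# Hypothetical crontab line on the HN (path is an assumption):
#   * * * * * /usr/local/sbin/ct-tmp-scan.sh run
case "${1:-}" in
    run) scan_all ;;
esac
```

Findings are printed rather than acted on: deleting a file from the node side while the container is running is possible, but reporting first lets you decide whether to snapshot the container for forensics. On ploop-backed containers the container's files are only visible under its mounted root rather than in the private area, so point VZ_PRIVATE at the mount point in that case.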
  2. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Hello Bob,

    The answer to your question highly depends on what network mode you use in the containers.
    If it's host-routed, the node's "FORWARD" chain will control the containers' traffic.
    If it's bridged, traffic will not be controlled in iptables' "filter" table, and installing a 3rd-party firewall management solution should not affect it.

    AFAIK CFS blocks FORWARD traffic by default; some clients managed to install it on the HN and found their CT networking dead a minute after.

    The main concern about CFS-like solutions is that they are not Virtuozzo-aware: they do not expect much real traffic in "FORWARD" and mostly just control "INPUT", which might be either insufficient or too restrictive.
    I am not aware of clients who successfully used 3rd-party firewall management solutions on a HN itself, thus I cannot share any real experience.

    If it were up to me to decide, I'd go with installing it inside of a container, blocking just the "INPUT" on the node, and allowing the containers to handle traffic themselves (allowing the entire FORWARD traffic).
    Since you use Plesk in the container, you should probably consult the Plesk folks on whether the Plesk firewall engine will be OK with cfs/apf/whatever else installed alongside.
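
What Pavel's recommendation looks like as an actual node ruleset, as an added example (not Virtuozzo's, Plesk's or CSF's own configuration): the HN's INPUT chain is locked down, FORWARD is left wide open so each container's own firewall decides what it accepts, and a small pre-flight check reads iptables-save output to catch the failure he reports, a host firewall manager closing FORWARD and killing container traffic. Port 22, the admin address 203.0.113.10 and the second "closed FORWARD" ruleset are constructed for the example. The check only matters for host-routed (venet) containers; as Pavel says, bridged traffic does not pass through the node's filter table.

```shell
#!/bin/sh
# Added example, not from the thread: node-side ruleset for host-routed
# containers (node INPUT filtered, FORWARD left open so containers run their
# own firewall) plus a check for a closed FORWARD chain.
# Assumptions (not in the thread): sshd on port 22 and 203.0.113.10 as the only
# admin host allowed to reach it.

# Print an iptables-restore ruleset for the HN. $1 = admin host allowed to SSH.
hn_ruleset() {
    admin_ip="${1:-203.0.113.10}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${admin_ip} -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "HN-INPUT-DROP "
COMMIT
EOF
}

# Constructed sample of the shape Pavel warns about: FORWARD policy DROP with
# only a conntrack rule, so new connections to host-routed CTs never pass.
closed_forward_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read iptables-save output on stdin. Return 0 if new connections can traverse
# FORWARD (policy ACCEPT, or an unconditional "-A FORWARD -j ACCEPT"), else 1.
# Deliberately conservative: a selectively filtered FORWARD chain is reported
# as closed and must be reviewed by hand.
forward_is_open() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT ' && return 0
    printf '%s\n' "$rules" | grep -q '^-A FORWARD -j ACCEPT$' && return 0
    return 1
}

# Usage: sh hn-fw.sh apply [ADMIN_IP]   load the ruleset on the node
#        sh hn-fw.sh check              inspect the live ruleset
case "${1:-}" in
    apply) hn_ruleset "${2:-}" | iptables-restore ;;
    check)
        if iptables-save | forward_is_open; then
            echo "FORWARD open: host-routed CT traffic will pass"
        else
            echo "FORWARD closed: host-routed CT traffic would be dropped"
        fi ;;
esac
```

Run "check" immediately after installing any firewall manager on the HN, before walking away from the console: iptables-restore replaces the whole filter table, and so does a manager's own apply step, so the 2500-mile problem in the original post is exactly a closed FORWARD chain noticed too late. The INPUT LOG rule is rate-limited so a scan cannot fill the node's logs.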
