OpenVZ Forum

Firewall on boot [message #3011] Sat, 06 May 2006 20:59
ferp2 (Junior Member, Messages: 29, Registered: May 2006)
Hello,

I've set up a VPS running Debian 3.1 minimal. I have a firewall I want brought up on boot. Debian no longer has an init script for booting iptables; instead you have to add "pre-up /etc/rc.firewall" to /etc/network/interfaces to get the firewall running at boot time. The problem is that /etc/network/interfaces is created dynamically, so it's recommended to edit /etc/network/interfaces.template. So what I did is copy interfaces to interfaces.template, add "pre-up /etc/rc.firewall" and reboot the VPS. It doesn't work. Does someone know how to add the pre-up command to interfaces.template so that the system reboots with the firewall turned on?

Thanks
Re: Firewall on boot [message #3013 is a reply to message #3011] Sun, 07 May 2006 14:20
ferp2
Here is the auto generated /etc/network/interfaces

===========================================
# This configuration file is auto-generated.
# WARNING: Do not edit this file, otherwise your changes will be lost.
# Please edit template /etc/network/interfaces.template instead.

# Auto generated venet0 interfaces
auto venet0 lo
iface venet0 inet static
address 127.0.0.1
netmask 255.255.255.255
broadcast 0.0.0.0
up route add -net 191.255.255.1 netmask 255.255.255.255 dev venet0
up route add default gw 191.255.255.1
iface lo inet loopback

auto venet0:0
iface venet0:0 inet static
address 192.168.0.102
netmask 255.255.255.255
broadcast 0.0.0.0
###pre-up /etc/firewall.sh###
===========================================

It is impossible to add "pre-up /etc/firewall.sh" to /etc/interfaces.template so that it appears after "broadcast 0.0.0.0" in the auto-generated /etc/network/interfaces. This is because the contents of /etc/network/interfaces.template are added **before** the auto-generated content of /etc/network/interfaces. This causes venet0:0 to malfunction.

Thank you
Re: Firewall on boot [message #3016 is a reply to message #3013] Mon, 08 May 2006 07:35
Vasily Tarasov (Senior Member, Messages: 1345, Registered: January 2006)
In the OpenVZ Debian template the /etc/network/interfaces.template file isn't necessary.
Dynamic creation of the /etc/network/interfaces file is performed by the
/etc/sysconfig/vz-scripts/dists/scripts/debian-add_ip.sh script on the host machine. So please edit this script by adding the line
echo "pre-up /etc/rc.firewall" >> ${CFGFILE}.bak
in the appropriate place of the script.

/etc/rc.firewall should be inside VPS.

And please don't forget to delete the /etc/network/interfaces.template file inside the VPS, otherwise you will have problems.

Good Luck.
Re: Firewall on boot [message #3017 is a reply to message #3016] Mon, 08 May 2006 12:22
ferp2
Thank you for your reply. Perhaps I should have mentioned that my host system is running Debian with the 2.6.8-022stab064-up kernel. On my system, debian-add_ip.sh is found in /usr/share/vz/dists/scripts. I added your statement and it works fine.

Thanks
Re: Firewall on boot [message #3019 is a reply to message #3011] Mon, 08 May 2006 12:45
ferp2
I put the following in /usr/share/vz/dists/scripts/debian-add_ip.sh:

if [ -f "${CFGFILE}.firewall" ]; then
    # Optional side file on the host naming the firewall script to run inside the VPS
    FWALL=`cat "${CFGFILE}.firewall"`
    # Append the hook to the generated interfaces file (still named .bak at this point)
    echo "pre-up ${FWALL}" >> "${CFGFILE}.bak"
fi

Also, there's a typo in the script. Search for /dev/nul. It should be /dev/null.
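As an added illustration of the host-side approach discussed in this thread (example code written for this page, not OpenVZ's debian-add_ip.sh): the first function below writes the same two venet0 stanzas shown in the posted interfaces file into ${CFGFILE}.bak and appends the pre-up hook inside the venet0:0 stanza; the second checks an interfaces file for the failure mode described earlier, a pre-up line that sits outside any iface stanza because template contents were prepended. The function names, the absolute-path check, and passing the firewall path as an argument instead of reading a .firewall side file are this example's own choices; the addresses are taken from the posted file.

```shell
#!/bin/sh
# Added example modelled on the thread; not OpenVZ's own script.

# write_interfaces CFGFILE IP [FWSCRIPT]
# Writes the venet0 stanzas to ${CFGFILE}.bak, appends the pre-up hook to the
# venet0:0 stanza when a firewall script path is given, then renames to CFGFILE.
write_interfaces() {
    cfg="$1"; ip="$2"; fw="$3"
    {
        echo "# This configuration file is auto-generated."
        echo "auto venet0 lo"
        echo "iface venet0 inet static"
        echo "address 127.0.0.1"
        echo "netmask 255.255.255.255"
        echo "broadcast 0.0.0.0"
        echo "up route add -net 191.255.255.1 netmask 255.255.255.255 dev venet0"
        echo "up route add default gw 191.255.255.1"
        echo "iface lo inet loopback"
        echo ""
        echo "auto venet0:0"
        echo "iface venet0:0 inet static"
        echo "address ${ip}"
        echo "netmask 255.255.255.255"
        echo "broadcast 0.0.0.0"
    } > "${cfg}.bak"
    # The hook runs inside the VPS, so it must be an absolute path there
    # (hypothetical check, added for this example).
    if [ -n "$fw" ]; then
        case "$fw" in
            /*) echo "pre-up ${fw}" >> "${cfg}.bak" ;;
            *)  echo "write_interfaces: firewall path must be absolute: $fw" >&2
                return 1 ;;
        esac
    fi
    mv "${cfg}.bak" "$cfg"
}

# check_preup FILE
# Succeeds if every pre-up line follows an iface line within the same stanza.
# ifupdown only honours pre-up as an iface option; a pre-up that precedes any
# iface line (what happens when template text is prepended) is reported as bad.
check_preup() {
    awk '
        /^[[:space:]]*iface[[:space:]]/                 { in_iface = 1; next }
        /^[[:space:]]*(auto|allow-|mapping|source)/     { in_iface = 0; next }
        /^[[:space:]]*pre-up[[:space:]]/                { if (!in_iface) bad++ }
        END { exit (bad > 0) }
    ' "$1"
}
```

Per interfaces(5), ifup runs pre-up commands before configuring the interface and aborts for that interface if one of them exits non-zero, so /etc/rc.firewall inside the VPS must exit 0 on success or venet0:0 will not come up at all. Loading the ruleset in pre-up is still the right place: the rules are in effect before the public address is assigned, so there is no interval with the address up and unfiltered.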
Re: Firewall on boot [message #3020 is a reply to message #3019] Mon, 08 May 2006 12:49
Vasily Tarasov
> Also, there's a typo in the script. Search for /dev/nul. It should be /dev/null.

Please file the bug in bugzilla.openvz.org!

Thanks for your attention.