ufw support in OpenVZ ubuntu container. [message #37013]
Tue, 11 August 2009 20:00
piplite
Messages: 27 Registered: March 2008
Junior Member
I have been googling the problem of setting up ufw (Ubuntu FireWall) for hours now and found no successful answer anywhere.
I also searched this place and no answer so far.
So here's the problem.
Installation goes perfectly fine. I'm able to add rules and so on, but the problem comes when I'm trying to enable the firewall:
root@piplite:/# ufw enable
ERROR: problem running init script
and more
root@piplite:/# ufw enable
Firewall started and enabled on system startup
root@piplite:/# sudo /etc/init.d/ufw force-reload
* Stopping firewall: ufw... [ OK ]
* Starting firewall: ufw... iptables-restore: line 71 failed
* Problem running '/etc/ufw/before.rules'... iptables-restore: line 34 failed
* Problem running '/etc/ufw/after.rules'... error: "Operation not permitted" setting key "net.ipv6.conf.all.accept_redirects"
error: "Operation not permitted" setting key "net.ipv6.conf.default.accept_redirects"
error: "Operation not permitted" setting key "net.ipv4.icmp_echo_ignore_broadcasts"
error: "Operation not permitted" setting key "net.ipv4.icmp_ignore_bogus_error_responses"
error: "Operation not permitted" setting key "net.ipv4.icmp_echo_ignore_all"
error: "Operation not permitted" setting key "net.ipv4.tcp_syncookies"
error: "Operation not permitted" setting key "net.ipv4.tcp_sack"
[fail]
It's also been asked here: https://answers.launchpad.net/ufw/+question/63832 but no answer.
If anybody knows how to make it work, please advise.
Thanks in advance.
Re: ufw support in OpenVZ ubuntu container. [message #39555 is a reply to message #37013]
Mon, 10 May 2010 16:07
bodhi.zazen
Messages: 3 Registered: April 2009 Location: Montana
Junior Member
UFW does not seem to run properly in OpenVZ (Ubuntu) templates.
Part of the problem is that ufw calls modprobe, which will fail.
As a partial workaround you can remove modprobe and replace it with a link to /bin/true:
rm /sbin/modprobe
ln -s /bin/true /sbin/modprobe
A second problem is that rsyslog does not run well in OpenVZ templates (rsyslog will not log iptables or ufw). A potential workaround is to use syslog-ng:
apt-get purge rsyslog
apt-get install syslog-ng
syslog-ng will log to /var/log/messages and /var/log/kern.log but not /var/log/ufw.log.
With those workarounds, you can try ufw. You will still get some error messages from ufw-init re: iptables-restore. I do not know how to fix that.
That is about as far as I can get you if you want to use UFW, as I personally use iptables.
Others have suggested using shorewall as an alternative (to ufw):
http://www.shorewall.net/OpenVZ.html
With ufw you sometimes need to toggle the defaults, then ufw will start:
ufw default allow
ufw default deny
ufw enable
I highly suggest you use iptables (keep in mind you may need to edit /etc/vz/vz.conf on the HOST); iptables is not fully functional in OpenVZ guests (the basic functions and logging work, but some functions such as conntrack may not).
To log, use iptables + syslog-ng (/var/log/kern.log is fairly clean).
If you have a busy server and do not want to review hundreds of thousands of logs, consider using snort or psad.
[Updated on: Mon, 10 May 2010 16:09]
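Added example, not code from this thread and not from the ufw or OpenVZ projects: a small POSIX shell diagnostic that takes the kind of ufw-init/sysctl output pasted in the original question and, for each key the container kernel refused with "Operation not permitted", reports whether the key is exposed and writable where the script runs and whether it is set in ufw's sysctl file, which is the file an admin inside the container would edit before retrying "ufw enable" along the lines of the workarounds in the reply. Assumptions: the error format is the one shown in the thread; ufw keeps its sysctl settings in /etc/ufw/sysctl.conf and writes key names there in the slash form (net/ipv4/tcp_syncookies=1); the sample error lines are constructed from the thread's output. The script changes no setting: its write probe only writes a key's current value back to itself, which is what surfaces the EPERM the container kernel returns even to root.

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread, ufw or OpenVZ). It parses the
# sysctl errors ufw-init prints inside an OpenVZ container and reports which
# keys the container kernel refuses, so the admin knows what to comment out in
# ufw's sysctl file before retrying "ufw enable". No setting is changed.

# Constructed sample of the error lines from the thread (not live output).
SAMPLE_ERRORS='* Starting firewall: ufw... iptables-restore: line 71 failed
error: "Operation not permitted" setting key "net.ipv6.conf.all.accept_redirects"
error: "Operation not permitted" setting key "net.ipv4.tcp_syncookies"
[fail]'

# Print one sysctl key per line for every "Operation not permitted" error.
failed_sysctl_keys() {
    printf '%s\n' "$1" |
        sed -n 's/^error: "Operation not permitted" setting key "\([^"]*\)".*/\1/p'
}

# Map a dotted sysctl key to the /proc/sys path the kernel exposes it at.
proc_path_for_key() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Classify a key on this host: absent (the container kernel does not expose
# it), unreadable, read-only (exposed but the kernel refuses writes, the
# OpenVZ container case from the thread), or writable. The probe writes the
# current value back to itself, so it is a no-op; "test -w" alone would not
# reveal the EPERM that root inside a container still gets.
key_status() {
    p=$(proc_path_for_key "$1")
    if [ ! -e "$p" ]; then
        echo absent
        return
    fi
    cur=$(cat "$p" 2>/dev/null) || { echo unreadable; return; }
    if printf '%s\n' "$cur" > "$p" 2>/dev/null; then
        echo writable
    else
        echo read-only
    fi
}

# For each failed key, say whether it is set in ufw's sysctl file (assumed
# path /etc/ufw/sysctl.conf, override with $2). ufw writes keys there with
# slashes (net/ipv4/tcp_syncookies=1), so match either separator.
report_unsettable_keys() {
    conf=${2:-/etc/ufw/sysctl.conf}
    failed_sysctl_keys "$1" | while read -r key; do
        printf '%s: %s' "$key" "$(key_status "$key")"
        pattern=$(printf '%s' "$key" | sed 's/\./[.\/]/g')
        if [ -r "$conf" ] && grep -q "^[[:space:]]*$pattern[[:space:]]*=" "$conf"; then
            printf ' (set in %s, comment it out there)' "$conf"
        fi
        printf '\n'
    done
}

# Stand-alone run: report on the constructed sample. To use it on a real
# container, feed it the saved output of "ufw enable" or "ufw-init start".
report_unsettable_keys "$SAMPLE_ERRORS"
```

Run it as root inside the container after saving the output of ufw enable to a file and passing that file's contents as the first argument; every key reported as read-only or absent is one ufw's sysctl step will fail on, and commenting those lines out in the file named in the report removes that class of error. The iptables-restore failures in the same output are a separate problem (missing netfilter functionality in the guest) and are not something this script can diagnose.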