Approximate patch to make ufw work under OpenVZ with kernel 2.6.32-042stab078.26
From eccc80a754273641c2e0532be98987c8e89e960e Mon Sep 17 00:00:00 2001
From: root <root@nexus.frozenliquid.net>
Date: Fri, 28 Jun 2013 20:38:12 +0400
Subject: [PATCH] ufw: Initial firewall config on OpenVZ VPS
* OpenVZ VPS doesn't have all the kernel features needed by
Ubuntu 12.04 LTS; disable unsupported features so the firewall
starts cleanly.
---
default/ufw | 4 ++--
ufw/after.rules | 2 +-
ufw/before.rules | 16 ++++++++++------
ufw/ufw.conf | 2 +-
5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/default/ufw b/default/ufw
index bbe4842..728e682 100644
--- a/default/ufw
+++ b/default/ufw
@@ -4,7 +4,7 @@
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
-IPV6=yes
+IPV6=no
# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
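Review bot: `IPV6=no` switches off ufw's ip6tables rules entirely, not only the matches this 2.6.32 OpenVZ kernel lacks, so any IPv6 address the container holds is left unfiltered while ufw reports itself active. If the VPS has no IPv6 connectivity this is harmless, but the commit message only mentions "unsupported features"; state the IPv6 consequence there, or keep IPv6 enabled and disable just the failing rules, as the before.rules part of this patch does for IPv4.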
@@ -45,5 +45,5 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
+#IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
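Review bot: commenting out `IPT_MODULES` drops the active-FTP and NetBIOS name-service conntrack helpers that the comments just above describe, so only passive FTP will be tracked through this firewall from now on. An anonymous commented-out line does not tell the next reader why; replace it with an explicit empty assignment plus a reason, e.g. `IPT_MODULES=""` preceded by `# helper modules cannot be loaded from inside this OpenVZ container`, so the intent survives a package upgrade that re-adds the default.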
diff --git a/ufw/after.rules b/ufw/after.rules
index 0d6c646..8d84cf4 100644
--- a/ufw/after.rules
+++ b/ufw/after.rules
@@ -24,7 +24,7 @@
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast
--A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
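Review bot: with `-m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input` commented out, broadcast packets no longer short-circuit to the input policy and fall through to the rest of ufw-after-input, which on a default-deny host means they reach the logging rules; the "don't log noisy broadcast" comment directly above now describes a rule that no longer exists, so expect the log to fill with exactly that noise. If `addrtype` is the match this kernel rejects, `-A ufw-after-input -d 255.255.255.255 -j ufw-skip-to-policy-input` keeps the suppression for limited broadcasts without it, and the comment should be updated either way.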
diff --git a/ufw/before.rules b/ufw/before.rules
index bc11f36..3ea3d1d 100644
--- a/ufw/before.rules
+++ b/ufw/before.rules
@@ -42,20 +42,20 @@
#
# ufw-not-local
#
--A ufw-before-input -j ufw-not-local
+#-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
--A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
--A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
--A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
--A ufw-not-local -j DROP
+#-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
+#-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
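Review bot: the retained comment "allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above is uncommented)" now refers to `-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN`, which this hunk comments out, so it will mislead the next editor; reword it to say the ufw-not-local chain is disabled on this kernel. Functionally, removing the jump `-A ufw-before-input -j ufw-not-local` also removes the rate-limited logging and `DROP` of INPUT packets addressed to something that is neither local, multicast nor broadcast; on a single-address VPS that class is almost empty, but it is a policy change and belongs in the commit message next to the IPv6 and helper-module changes.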
@@ -65,5 +65,9 @@
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
+#
+# OpenVZ has issues the "-m comment" args that ufw adds, so do this manually
+-A ufw-before-input -p tcp --dport 22 -j ACCEPT
+
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
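Review bot: the added `-A ufw-before-input -p tcp --dport 22 -j ACCEPT` will not appear in `ufw status` and cannot be removed with `ufw delete`, because it lives in before.rules rather than in the user rules that `ufw allow 22/tcp` would create; it also admits SSH from any source with no rate limit. Say so in the comment, restrict it with `-s <admin network>` where the administrative source range is known, and fix the comment's grammar ("OpenVZ has issues with the `-m comment` args that ufw adds") while touching it.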
diff --git a/ufw/ufw.conf b/ufw/ufw.conf
index 8336b91..28fe534 100644
--- a/ufw/ufw.conf
+++ b/ufw/ufw.conf
@@ -3,7 +3,7 @@
# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
-ENABLED=no
+ENABLED=yes
# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
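Review bot: flipping `ENABLED=yes` by hand commits the firewall to start at boot with the ufw-not-local chain disabled and SSH admitted only by the hand-written before.rules rule; the comment directly above warns about exactly this lock-out risk. Verify that the edited before.rules and after.rules load without error on this kernel (for example by running `ufw enable` once interactively, which also writes `ENABLED=yes` itself, and then checking `iptables -S ufw-before-input` for the port-22 rule) before relying on a reboot, since a rule this kernel rejects could leave the host unreachable.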
--
1.7.9.5
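The patch above disables rules by trial and error until ufw starts. As an added example, not part of the gist or of ufw itself, the following POSIX shell script probes which iptables matches the running kernel actually accepts, so that the decision to comment out a rule rests on evidence. It assumes iptables is installed and that it runs as root with access to the kernel's netfilter; otherwise each probe reports "unknown" rather than guessing. The scratch chain name `ufw-probe` is an assumption chosen here, and the probe list mirrors the matches that appear in the patch (`addrtype`, `limit`, `comment`) plus a `conntrack` probe added for completeness.

```shell
#!/bin/sh
# Added example (not part of the gist or of ufw): probe which iptables
# extension matches the running kernel accepts, so rules in ufw's
# before.rules/after.rules are disabled from evidence, not guesswork.
# Assumptions: iptables is installed, the caller is root and can talk to
# the kernel, and the scratch chain name below is unused. The scratch
# chain lives in the filter table and is deleted again at the end;
# nothing is inserted into ufw's own chains.

PROBE_CHAIN="ufw-probe"   # assumed-free chain name, used only as scratch

# extract_matches RULE: print each name passed to "-m" in an iptables rule,
# one per line, so a rule can be mapped to the kernel modules it needs.
# Pure string processing; works without iptables.
extract_matches() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-m") print $(i+1) }'
}

# probe_args ARGS...: try to append a rule with ARGS to the scratch chain.
# Prints "ok" (exit 0) if the kernel accepted it, "missing" (exit 1) if
# iptables rejected it, and "unknown" (exit 2) if the probe cannot run at
# all (no iptables, not root, or no netfilter access from this container).
probe_args() {
  if ! command -v iptables >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
    echo unknown; return 2
  fi
  iptables -L -n >/dev/null 2>&1 || { echo unknown; return 2; }
  iptables -N "$PROBE_CHAIN" 2>/dev/null || true   # may already exist
  if iptables -A "$PROBE_CHAIN" "$@" 2>/dev/null; then
    iptables -F "$PROBE_CHAIN" 2>/dev/null || true
    echo ok; return 0
  fi
  echo missing; return 1
}

# probe_cleanup: remove the scratch chain (flush first; -X needs it empty).
probe_cleanup() {
  iptables -F "$PROBE_CHAIN" 2>/dev/null || true
  iptables -X "$PROBE_CHAIN" 2>/dev/null || true
  return 0
}

# Probes derived from the rules the patch touches, plus the "-m comment"
# match ufw adds to user rules and a conntrack probe added here for
# completeness. Format: "label|iptables rule arguments".
UFW_PROBES='addrtype|-m addrtype --dst-type LOCAL -j RETURN
limit|-m limit --limit 3/min --limit-burst 10 -j RETURN
comment|-p tcp --dport 22 -m comment --comment probe -j ACCEPT
conntrack|-m conntrack --ctstate ESTABLISHED -j ACCEPT'

# report_probes: run every probe and print "label: ok|missing|unknown".
# A "missing" line names a match whose rules must go, as in the patch above.
report_probes() {
  printf '%s\n' "$UFW_PROBES" | while IFS='|' read -r label args; do
    # $args is intentionally unquoted so it splits into separate arguments
    printf '%s: %s\n' "$label" "$(probe_args $args)"
  done
  probe_cleanup
}

report_probes
```

Run it as root on the VPS before editing the rules files; every line that prints "missing" corresponds to a match that has to be removed from before.rules/after.rules (and, for `comment`, explains why `ufw allow` rules fail there), while "unknown" means the probe itself could not reach netfilter and nothing should be concluded from it.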
@lagrz commented Mar 22, 2014:

Thanks, this helped me with my ufw issues.