 
06-16-09, 08:06
BOD Member
Join Date: Jun 2009
Posts: 46
Virtuozzo Firewall
I noticed a firewall setting under the VPS Services group in Virtuozzo, and it had the following options when I clicked on it:
Quote:
Normal firewall mode
Advanced firewall mode with default policy Accept
Advanced firewall mode with default policy Drop
|
Any idea what that's about? It's currently set to normal firewall mode. What's the difference between the "accept" and "drop" policies?

06-16-09, 14:28
BOD Member
Join Date: May 2009
Posts: 98
Although I'm not fully sure what firewall that actually controls...
Default drop means if it's not specifically allowed by any rules, it is dropped.
Default allow means if it's not specifically denied by any rules, it is allowed.
Most of them work this way:
Your firewall will have a list of rules; it keeps going down the list until it finds one that applies to the current situation, then applies it and stops.
So like...
Deny Port 80 FROM 34.12.74.23
Allow Port 80 from any address
Allow port 22 from 123.123.123.123
Drop All
In the above example if you were trying to use FTP (port 21) it would not match the first three so it would hit "drop all" and be thrown away. However if you were trying to access port 80 from any address besides 34.12.74.23 then it would be allowed by the second rule and it would never hit the "drop all" at the bottom. If the last one was changed to Allow All, then the only thing that would ever be denied is 34.12.74.23 trying to access port 80.
Basically Deny All is better in most cases. With it you only have to define what is really allowed. However, if you only want to block off a few things, then Allow All would save you some time.
__________________
Jeremy J
* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
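
Added example, not part of the original post: a small first-match evaluator run over the rule list from the post above, with the final "Drop All" / "Allow All" line modelled as the default policy. It also flags rules that can never fire because of ordering and checks whether an admin address would still reach SSH before switching to default drop. The function names and the test address 10.0.0.5 are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Rule list from the post, as (action, port, source); None matches anything.
RULES = [
    ("deny",  80, "34.12.74.23/32"),
    ("allow", 80, None),
    ("allow", 22, "123.123.123.123/32"),
]

def evaluate(rules, default_policy, src, port):
    """Return (action, rule_index) for the first matching rule, else the default."""
    addr = ip_address(src)
    for i, (action, rule_port, source) in enumerate(rules):
        if rule_port is not None and rule_port != port:
            continue
        if source is not None and addr not in ip_network(source):
            continue
        return action, i             # first match wins; later rules are never read
    return default_policy, None      # nothing matched: the default policy decides

def shadowed(rules):
    """Indexes of rules hidden by an earlier rule that matches everything they match."""
    hidden = []
    for j, (_, port_j, src_j) in enumerate(rules):
        for _, port_i, src_i in rules[:j]:
            port_ok = port_i is None or port_i == port_j
            src_ok = src_i is None or (
                src_j is not None
                and ip_network(src_j).subnet_of(ip_network(src_i)))
            if port_ok and src_ok:
                hidden.append(j)
                break
    return hidden

def admin_keeps_ssh(rules, default_policy, admin_src, ssh_port=22):
    """True if admin_src can still reach SSH under this rule set and policy."""
    action, _ = evaluate(rules, default_policy, admin_src, ssh_port)
    return action in ("allow", "accept")

if __name__ == "__main__":
    for policy in ("drop", "accept"):
        for src, port in [("10.0.0.5", 21), ("10.0.0.5", 80), ("34.12.74.23", 80)]:
            print(policy, src, port, evaluate(RULES, policy, src, port))
    # Swapping the first two rules hides the deny behind the broader allow.
    print("shadowed after swap:", shadowed([RULES[1], RULES[0], RULES[2]]))
    print("admin keeps SSH:", admin_keeps_ssh(RULES, "drop", "123.123.123.123"))
```

Running the shadow check and the SSH check against a planned rule set before applying it catches the two usual mistakes with default drop: a specific rule placed after a broader one, and no allow rule for your own management address.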

06-16-09, 18:49
BOD Member
Join Date: May 2009
Posts: 98
Hey, I went ahead and played with this and enabled it on mine.
As I expected, it's just an easy (very good) way to control your software firewall on your machine.
For CentOS it enables and configures iptables.
For winblows (I mean Windows) it probably configures the Windows Firewall.
__________________
Jeremy J
* Bodhost VPS Linux Account Holder
* Network Information Systems Professional

06-16-09, 23:22
BOD Member
Join Date: Jun 2009
Posts: 57
Is it okay to just leave it at the normal mode? That's where it is on mine, too, and I'm worried that if I try to play around with it, I could mess things up. Like, maybe lock myself out of the VPS or something. >_<

06-17-09, 01:48
BOD Member
Join Date: Jun 2009
Posts: 65
You don't need to worry about the firewall settings, Jenny. For most users, leaving the firewall in normal is completely fine. It's only when you need to fine-tune the firewall settings that you will need to use the advanced mode. Anyway, since BODhost is a managed service, I'm sure they would be more than happy to help you with your firewall setup when you need it.

06-17-09, 02:12
BOD Member
Join Date: May 2009
Posts: 98
Quote:
Originally Posted by Jenny Walker
Is it okay to just leave it at the normal mode? That's where it is on mine, too, and I'm worried that if I try to play around with it, I could mess things up. Like, maybe lock myself out of the VPS or something. >_<
|
You can't lock yourself out of the Parallels Panel to control the firewall. Therefore, you can't lock yourself out as you could get back there and remove it. Of course BODHost support is always available.
For me advanced mode with default policy drop works best. You'll notice if you switch to it that it is very easy to configure.
__________________
Jeremy J
* Bodhost VPS Linux Account Holder
* Network Information Systems Professional

06-17-09, 07:58
BOD Member
Join Date: Jun 2009
Posts: 51
Is Virtuozzo's firewall any better than CSF? It's what I'm currently using for the firewall. Both CSF and (as you say) the Virtuozzo firewall are front ends for iptables, but if Virtuozzo's is easier to manage, then it might be worth switching to.

06-17-09, 15:35
BOD Member
Join Date: May 2009
Posts: 98
Quote:
Originally Posted by Spooky
Is Virtuozzo's firewall any better than CSF? It's what I'm currently using for the firewall. Both CSF and (as you say) the Virtuozzo firewall are front ends for iptables, but if Virtuozzo's is easier to manage, then it might be worth switching to.
|
You could try it out. I would back up your iptables config first before you activate the Virtuozzo control because it might change it. I think it's pretty easy. I have never used CSF so I can't comment on that.
__________________
Jeremy J
* Bodhost VPS Linux Account Holder
* Network Information Systems Professional

06-17-09, 16:27
BOD Member
Join Date: Jun 2009
Posts: 46
Thanks for the explanation, Jeremy! I guess I'll play around with the VZPP firewall configuration a bit more. It looks easier to use than the alternative, anyway.

06-17-09, 17:08
BOD Member
Join Date: Apr 2009
Posts: 27
Quote:
Originally Posted by Spooky
Is Virtuozzo's firewall any better than CSF? It's what I'm currently using for the firewall. Both CSF and (as you say) the Virtuozzo firewall are front ends for iptables, but if Virtuozzo's is easier to manage, then it might be worth switching to.
|
Might as well play around with it. I'd say the management aspect would be big with me too. You don't want to dedicate too much time to handling firewalls.
All times are GMT -6.