13.4. Managing Container Firewall

A firewall is part of your OS and its security. Its main function is to block or permit traffic between two systems or two parts of a network. The Virtuozzo software has a built-in firewall that can be managed through Virtuozzo Automator. Along with - and apart from - the Virtuozzo Automator web interface, the command line is an effective tool to manage a firewall. Here are the basic principles that make a firewall work.

A firewall applies a control policy over the firewalled system. There are three policies:

  • accept the packet: if the packet is accepted, it gains access to the system;
  • drop the packet: if the policy is to drop the packet, the packet is denied access to the system;
  • reject the packet: the system does not let the packet in, notifying the sender of the fact.

You can set one of the three policies when creating or editing an access rule in the advanced mode (see Adding Rules in Advanced Mode or Editing Rules in Advanced Mode).

The policies, along with ports and protocols, are chains’ attributes. A chain is a list (or a chain) of rules grouped by the criterion of what type of packets they process. There are three packets types:

  • input;
  • output;
  • forward.

Therefore we can create three chains - the Input chain, the Output chain and the Forward chain. The Input chain examines the incoming packets. If there is a rule to process a packet, the latter is either let in (accept policy) or not (drop/reject policy). Otherwise, the packet is examined by the next rule. If, finally, there is not any rule to match, the default system policy is applied. The first rule applied to a packet is the first one on the list that forms a chain.

If a packet is created inside the system, it is sent to the Output chain.

Packets that pass through the system, traverse the Forward chain.

When configuring a firewall, you can change a rule’s position on the list, delete a rule from the list, create, edit and add rules to the list.

To configure the firewall, click Configure > Firewall on the container toolbar.

13.4.1. Configuring Firewall in Normal Mode

In the normal mode, the rules you delete or add are called access rules. The Container access rules are pre-set groups of standard firewall rules. Each access rule refers to a most widely used service and corresponds to a number of standard firewall rules that ensure the availability of this service. In the normal mode, each access rule is dealt with as a single entity. This implies that enabling or disabling an access rule results in enabling or disabling all the standard firewall rules it corresponds to. By default, 8 preset access rules are active:

  1. Access to outer world;
  2. DNS server;
  3. Internal Services;
  4. Mail server;
  5. Plesk service;
  6. POP3 server;
  7. SSH server;
  8. WEB server.

The remaining access rules that are not enabled by default can be added on the page, which you can access by clicking Add Access Rule.

To delete a rule, select one of the check boxes on the right of the screen, click Delete over the check boxes, and then OK to confirm. To delete all the rules, select the uppermost check box, click Delete over the check boxes, and then OK to confirm. Note that no access rules can be permanently deleted from the system. A deleted rule is, in fact, temporarily disabled and can be enabled back as described in Adding Access Rule in Normal Mode.

To change the mode, click Firewall Setup.

Note

If this page informs you that you cannot manage firewall on this container, refer to the Dealing With Misconfigured Firewall subsection.

13.4.1.1. Dealing With Misconfigured Firewall

If your firewall has not been configured yet, you will most probably have the page informing you of the fact. The page can also appear if you did misconfigure your firewall. The common way to misconfigure a firewall is to add or edit your own specific rules in the advanced mode and then switch to the normal mode without deleting these rules first.

At this point you will have to decide upon one of two basic strategies: to select the normal mode or to select the advanced mode:

  • select the normal mode to deny all services except those critical to connecting to the Internet. To select the normal mode, click Switch the firewall back to the normal mode.
  • select the advanced mode to create a rule to permit, deny, or monitor the access to or from the system for each service you need. If you are going to separately edit each rule, click Select the advanced firewall mode.

13.4.2. Adding Access Rule in Normal Mode

To open this page, follow the Add Access Rule link on the Firewall page. Here you have the rules that have not been included into the list of active rules you can see on the Firewall page. To add a rule here means actually to enable it. To add a rule, select a check box on the opposite and click Submit - or Cancel if you want to restore the firewall settings prior to the last action.

13.4.3. Selecting Mode

If you have only just started using the firewall by clicking Configure > Firewall on the container toolbar, the Firewall Setup page is the first one you have displayed.

On the Firewall Setup page, you can choose one of the following modes your firewall operates in:

  • The normal mode. If the security strategy you are planning out does not require a complicated system of specific rules and all you are going to do is as simple as providing your system with access to the Internet and the maximum safety, then the best option is the normal mode. Hence, select the normal mode to configure your firewall using the 8 built-in access rules (see Configuring Firewall in Normal Mode) or to fix the firewall rules settings corrupted either in the advanced mode or in the normal mode.
  • The advanced firewall mode with default policy Accept, or the advanced firewall mode with default policy Drop. The advanced mode takes more time and experience to configure, but then there is more flexibility and potential in it to make use of.

Besides, the Firewall Setup page can be reached with the Firewall Setup link from both advanced and normal mode pages. If so, the choice is quite the same. The only difference is that in this case the normal mode can also be used as an option if you want to roll back the changes in the firewall rule(s) settings you have made.

After selecting a mode, click Submit. Click Cancel to return to the previous screen.

13.4.4. Building Input Chain

To build and edit the Input Chain, select the Input tab. When you click either Advanced firewall mode with default policy Accept or Advanced firewall mode with default policy Drop, on the page described in Selecting Mode, the first chain of rules is the Input Chain. The Input Chain is a set of rules for the incoming traffic. If you once applied Normal firewall mode before selecting Advanced firewall mode with default policy Accept/Drop, the input chain consists of 13 default rules. If you selected Advanced firewall mode with default policy Accept/Drop while configuring the container firewall at the first time, the input chain has the default system policy access rule only.

Here you can edit, add, delete, enable, disable, filter or change its position in the list of any of the default rules. In case you need to come back to the original advanced mode settings, the default rules are:

  1. Web server input;
  2. SSH server input;
  3. Mail server input;
  4. POP3 server input;
  5. DNS server tcp input;
  6. DNS server udp input;
  7. All tcp input for hi port allowed;
  8. All udp input for hi port allowed;
  9. Plesk Panel proxy input;
  10. Plesk Panel direct input;
  11. Loopback tcp input;
  12. Loopback udp input;
  13. Default system policy.

The table below describes the attributes of the rules in the chain:

Name Description
Name The name of a specific web service this rule applies to.
Policy One of three policies: Accept, Drop or Reject (see Managing Container Firewall).
Protocol One of two protocols used for package transmission - Transmission Control Protocol (TCP), defined by IETF RFC793 or User Datagram Protocol (UDP), defined by IETF RFC768.
Source Address The internal address of the packets (e.g.: IPv4 or IPv6 address, the name of a network interface, etc.).
Source Port The internal port of the packets.
Destination Address The address where the packets are sent to.
Destination Port The port where the packets are sent to.
Enabled The current status of the rule (Enabled/Disabled). The green circle with a tick stands for “enabled”, the red circle with a cross stands for “disabled”.
Move Moving the rule a level up or a level down from its current position.

The default system policy access rule cannot be changed as this rule decides the packet’s destiny - to accept or to drop - when the packet has not any other rule to be processed by.

To edit a rule, click its name in the Name column. To add - or replace - a specific rule, click New Rule. To disable, enable or delete a rule, select its check box and then click Disable, Enable or Delete. To move a rule a level up, click the up arrow icon. To move a rule a level down, click the down arrow icon. You can also filter the rules shown in the table. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of rules back, click Reset Results. To show or hide columns, click Select Columns and set or clear the respective checkboxes.

You can also switch to the normal mode by clicking Firewall setup and selecting normal mode there.

13.4.5. Building Output Chain

To build and edit the Output Chain, select the Output tab. The output chain regulates the outbound access. If you once applied Normal firewall mode before selecting Advanced firewall mode with default policy Accept/Drop, the output chain consists of 13 default rules. If you selected Advanced firewall mode with default policy Accept/Drop while configuring the Container firewall at the first time, the output chain has the default system policy access rule only.

The default rules list is the same as in Building Input Chain, the only difference being the output, instead of the input characteristic of the rules. The list of rules on this page is this:

  1. Web server output;
  2. SSH server output;
  3. Mail server output;
  4. POP3 server output;
  5. DNS server tcp output;
  6. DNS server udp output;
  7. All tcp output allowed;
  8. All udp output allowed;
  9. Plesk Panel proxy output;
  10. Plesk Panel direct output;
  11. Loopback tcp output;
  12. Loopback udp output;
  13. Default system policy.

The default system policy access rule cannot be changed as this rule decides the packet’s destiny - to accept or to drop - when the packet has not any other rule to be processed by.

If, for some reason, you need to have this rule set back, click Firewall setup and select the Normal firewall mode radio button.

The attributes of the rules in the chain are described in Building Input Chain.

Here you can edit, add, delete, enable, disable, filter or move in the list any or all of the 13 default rules the output chain consists of. To edit a rule, click its name in the name column. To add a specific rule, click New Rule in the Actions group. To disable, enable or delete a rule select its check box and then click Disable, Enable or Delete. To move a rule a level up, click the up arrow icon. To move a rule a level down, click the down arrow icon. You can also filter the rules shown in the table. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of rules back, click Reset Results. To show or hide columns, click Select Columns and set or clear the respective checkboxes..

You can also switch to the normal mode by clicking Firewall Setup and selecting normal mode there.

13.4.6. Building Forward Chain

To build and edit the Forward chain, select the Forward tab. Unlike the Input and Output chains, the only default rule the forward chain has is Default system policy. Conceivably, this one is not to be edited or deleted. Instead, you are free to decide upon any number and kinds of specific rules to create and add to the Forward chain by clicking on the New Rule link in the Actions group.

After the number of rules in your Forward chain becomes bigger, you may need to sort them out. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of rules back, click Reset Results. To show or hide columns, click Select Columns and set or clear the respective checkboxes. Click the up arrow icon to take a rule a level up its current position in the chain, or the down arrow icon to relocate it a level down. If two or more rules can be applied to the given packet, the uppermost rule takes priority.

The attributes of the rules in the chain are described in Building Input Chain.

To switch to the normal mode of managing the firewall, click Firewall Setup link in the Actions group.

The default forward chain policy is the policy selected on the Firewall Setup menu (see Selecting Mode).

13.4.7. Adding Rules in Advanced Mode

To get to this page, click the Add Rule icon on the Input Chain, Output Chain, or Forward Chain pages. On this page, you can elaborate your own specific rule. Below are the basics of the advanced mode rules adding:

  • the Name field is marked because this field is an obligatory one;
  • select one of three policies: Accept, Drop or Reject;
  • select one of two protocols for package transmission - Transmission Control Protocol (TCP), defined by IETF RFC793 or User Datagram Protocol (UDP), defined by IETF RFC768;
  • Source Address and Netmask, Source Port or Port Range, Destination Address and Netmask and Destination Port or Port Range fields are left to your own discretion, but in case of an error there is a pink stripe over the field that has to be corrected;
  • the standard format for Source/Destination Address and Netmask field is 1.2.3.4/255.255.23.4;
  • the standard Port range format is 80-123;
  • to enable a rule, select the Enable check box;
  • if you are creating this rule for future purposes, clear this box;
  • to include the rule into one of three chains, select Input, Output, or Forward on the drop-down menu;
  • on the The rule’s position in the chain drop-down menu you are to decide what priority this rule will have in its chain. There are two options for you to choose between: the bottom and the top of the chain;
  • for the changes you have made to become operational, click Submit, to undo the changes and return to the previous page, click Cancel.

13.4.8. Editing Rules in Advanced Mode

The main difference here from the operations described in Adding Rules in Advanced Mode is that the rules you edit are not those you create as you deem it expedient. If you edit a rule (with the exception of renaming it), the rule changes and works differently from the way it did. Before submitting the new settings make sure they meet your security strategy. Otherwise, click Cancel.

The other detail to be aware of is the possible consequences of changing the initial (default) firewall settings. If you feel your expertise in the security area permits some future development, do not change them at all. Applying the changes you are not completely certain of may decrease your system’s security.