
Command-line firewall management still sucks

12.07.2013

And now a break from my usual programming-related posts to bring you something back on the sysadmin side of the fence, for a change. I’m in the process of setting up a new VPS for myself, and probably will move my blog over to it when it is all set up. I say VPS, but really it is an OpenVZ container (which I guess passes for a VPS just about as well). The critical difference is that you are running on the host system’s kernel, and there are numerous kernel-related changes you simply cannot make. Frankly, I’m glad – I don’t particularly feel like managing the entire system down to kernel tunables.

Sadly this particular VPS comes with no external firewall management, so I’m back in the land of having to ensure at least a small amount of basic protection. I definitely don’t want to write my own ruleset (especially not properly stateful rules), Filtergen is acceptable but really outdated, and the last time I was using Ubuntu on my day-to-day laptop I was using UFW (which is simple, but also not very nice). I really don’t want to go for one of these completely integrated systems with a control panel.

So I have settled on UFW for the time being. Sadly, it seems to completely fail in this OpenVZ environment, since numerous modules cannot be inserted into the running kernel and some sysctl settings cannot be applied from inside the container. You can find a reasonable summary of that here. For now, I’ve run through removing all the unnecessary cruft and have a just-working ruleset. It does sadden me that there isn’t anything better, although to be fair, I’ve been completely ignoring any developments here for the last year and a half.

IS there anything better? Drop me a comment if you have any good suggestions.

Published at DZone with permission of Oliver Hookins, author and DZone MVB. (source)
