Softaculous


Topic : Virtualizor restart clears iptables rules even if you are not using the built-in firewall


Posted By: uname-r on October 18, 2013, 5:42 pm

A Virtualizor restart should not clear the iptables rules if we are not using the built-in firewall. It does right now!

If Virtualizor is updated, then the iptables rules are flushed, and we need to restart them manually.

Automatic updates are secure on the side of the update, but insecure on the side of the firewall.

Would it be possible for the Virtualizor developers to improve a little on that side? I opened this as a bug because I saw a few times that our iptables rules were cleared just by leaving the automatic update on.

Posted By: uname-r on October 18, 2013, 5:44 pm | Post: 1
STEPS TO REPRODUCE:

- Just stop using the built-in firewall: disable it.

- Set up your own rules with lots of care.

- Restart Virtualizor, or complete an upgrade.

- Do an iptables -L: magic... your rules disappeared, so you need to log in to the server to restart iptables after each Virtualizor update.

I bet there are lots of people having absolutely no rules active on their server for this reason :)

Posted By: andresadanmx on August 9, 2014, 4:51 pm | Post: 2
No response after a long time, and the bug still persists.
That happened to me, but I did not understand why.
Sometimes I noticed that the server firewall rules had "disappeared" magically; I had to make a script that regenerated the rules every time it happened.  ;-D

-----------------------
Reliable web hosting - VPS hosting México
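The "script that regenerates the rules" approach mentioned in the post above, as an added example that is not code from the thread, Virtualizor or Softaculous: a watchdog that compares the live ruleset with a saved baseline and reloads the baseline when the custom rules have vanished after a Virtualizor restart or update. The baseline path /etc/iptables/rules.v4 and the marker chain name CUSTOM-IN are assumptions, and the sample iptables-save dumps are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example (not code from the thread, Virtualizor or Softaculous): a small
# watchdog that detects when a Virtualizor restart or update has flushed the
# hand-written iptables rules and reloads them from a saved baseline.
# Assumptions: the baseline was saved with "iptables-save > /etc/iptables/rules.v4"
# and it creates a user chain named CUSTOM-IN that nothing else on the box creates.

BASELINE="${BASELINE:-/etc/iptables/rules.v4}"
MARKER_CHAIN="${MARKER_CHAIN:-CUSTOM-IN}"

# count_marker_rules <dump>: how many rules in an iptables-save dump jump to
# MARKER_CHAIN. Works on text, so it can be checked without root or iptables.
count_marker_rules() {
    [ -r "$1" ] || { echo 0; return; }
    grep -cE -- "-j ${MARKER_CHAIN}( |\$)" "$1" || true   # grep -c exits 1 on zero matches
}

# ruleset_flushed <live-dump> <baseline-dump>: true when the live ruleset has
# fewer marker rules than the baseline, i.e. something flushed our rules.
ruleset_flushed() {
    live=$(count_marker_rules "$1")
    want=$(count_marker_rules "$2")
    [ "$want" -gt 0 ] && [ "$live" -lt "$want" ]
}

# restore_if_flushed: the real check, meant to run from cron every minute.
restore_if_flushed() {
    live_dump=$(mktemp)
    iptables-save > "$live_dump"
    if ruleset_flushed "$live_dump" "$BASELINE"; then
        iptables-restore < "$BASELINE"
        logger -t fw-watchdog "iptables rules were flushed; restored from $BASELINE"
    fi
    rm -f "$live_dump"
}

# write_sample_dumps <dir>: constructed sample data (not captured from a real
# host) showing the baseline and what iptables-save prints after a flush.
write_sample_dumps() {
    cat > "$1/baseline.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CUSTOM-IN - [0:0]
-A INPUT -j CUSTOM-IN
-A CUSTOM-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CUSTOM-IN -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A CUSTOM-IN -s 203.0.113.10/32 -p tcp -m tcp --dport 4085 -j ACCEPT
-A CUSTOM-IN -j DROP
COMMIT
EOF
    cat > "$1/flushed.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# demo: run the detection against the constructed dumps; prints "flushed".
demo() {
    d=$(mktemp -d)
    write_sample_dumps "$d"
    if ruleset_flushed "$d/flushed.v4" "$d/baseline.v4"; then r=flushed; else r=intact; fi
    rm -rf "$d"
    echo "$r"
}

case "${1:-demo}" in
    demo) demo ;;
    watch) restore_if_flushed ;;
    *) echo "usage: $0 [demo|watch]" >&2; exit 2 ;;
esac
```

Save the baseline once with iptables-save after the rules are right, then run the script with the watch argument from cron every minute; with no argument it only exercises the detection on the constructed dumps. Counting jumps into a chain that only your baseline creates is a cheap way to tell "everything was flushed" from "one rule changed", and iptables-restore loads the whole table in one go, so the host is never left with a half-restored ruleset.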

Posted By: manekari on August 11, 2014, 7:43 am | Post: 3
Hello,


Sir, Virtualizor restarts its service while updating to a new version. This makes iptables stop. This happens when you update Virtualizor to a new version, restart the Virtualizor service manually, or reboot the main server.

We are investigating this issue and will come up with a solution.

Please let us know if you need any further information.

Regards,
Virtualizor Team.

Posted By: uname-r on August 13, 2014, 6:56 pm | Post: 4
Hi,

We are using CSF Firewall on Virtualizor now, and it has worked nicely for months now.

I would suggest adding an integration of CSF to Virtualizor: it would be just much better. The firewall that comes with Virtualizor is a little too minimal, imho.

The Virtualizor firewall has never stopped shutting off at every update, and also at every reboot.

Posted By: MarmottesB&D on September 5, 2014, 9:57 pm | Post: 5
Quote From : uname-r August 13, 2014, 6:56 pm
Hi,

We are using CSF Firewall on Virtualizor now, and it has worked nicely for months now.


Hi,

Could you post your csf.conf ?

Thanks

Posted By: quickbooks2018 on November 18, 2017, 9:03 am | Post: 6
Dear Support Team,

I installed csf and it is running successfully; I allowed port 4085.

But it is not working.

When I stop csf and lfd, ALL IS WELL.

Regards

Posted By: wolke on September 20, 2018, 10:03 am | Post: 7
Special care should be taken with csf on KVM nodes!
If you do a csf -r (or csf -x && csf -e), all guest VMs immediately lose connectivity if they are using NAT IPs. You need to restart libvirtd manually after issuing the above csf commands.
libvirtd adds its own NAT rules to iptables, which currently can't be managed by csf.
So if you are using NAT IPs you should create a script to restart csf, for example
/usr/local/sbin/csfrestart
Code
#!/bin/bash
# Reload csf by disabling it and enabling it again (same effect as csf -r)
csf -x
csf -e
# The csf reload removes the NAT rules libvirtd added, so restart libvirtd to recreate them
service libvirtd restart

You need to make it executable with chmod +x.
I really would appreciate it too if csf would be fully assimilated into Virtualizor as the only point of iptables management.



Edited by wolke : September 20, 2018, 10:04 am

Posted By: wolke on September 20, 2018, 10:10 am | Post: 8
Quote From : quickbooks2018 November 18, 2017, 9:03 am

I installed csf running successfully, I allowed the port 4085.

At each slave, use /etc/csf/csf.ignore and enter the IP of the master. At the master, add all slave IPs into csf.ignore.
That's the easy way, not the most secure one, but just opening ports (for everybody!) isn't either.
Another solution is to use csf.ignore to restrict IP AND ports (see csf docs), but many people claim that it isn't working.
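An added example, not code from the thread, csf or Virtualizor, that puts the two csf points from the posts above into one script: the port 4085 allowance is restricted to the master and slave addresses with the tcp|in|d=<port>|s=<ip> entries that csf documents for csf.allow, and csf is reloaded in a way that restarts libvirtd only when the reload actually removed libvirt's MASQUERADE rule. Port 4085 is from the thread; the peer addresses, the NAT subnet (libvirt's default 192.168.122.0/24), the file paths and the nat-table dump are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, csf or Virtualizor. It covers the
# two csf points raised in the thread: (a) opening the Virtualizor port only
# to the master/slave addresses instead of to everybody, using the
# "tcp|in|d=<port>|s=<ip>" form that csf documents for csf.allow, and
# (b) reloading csf without leaving NAT guests dead, by restarting libvirtd
# only when the reload really removed its MASQUERADE rule.
# Port 4085 is from the thread; the peer IPs, the NAT subnet (libvirt's
# default) and the file paths are assumptions.

CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
VZ_PORT="${VZ_PORT:-4085}"
NAT_SUBNET="${NAT_SUBNET:-192.168.122.0/24}"

# allow_line <ip>: one csf.allow entry restricting VZ_PORT to a single source.
allow_line() {
    printf 'tcp|in|d=%s|s=%s\n' "$VZ_PORT" "$1"
}

# valid_ipv4 <ip>: four dotted octets, each 0-255; keeps junk out of the firewall file.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# add_peer_allows <csf.allow> <ip>...: append an entry per peer, idempotently.
add_peer_allows() {
    f=$1; shift
    for ip; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        line=$(allow_line "$ip")
        grep -qxF -- "$line" "$f" 2>/dev/null || echo "$line" >> "$f"
    done
}

# nat_rules_present <nat-table dump>: does libvirt's MASQUERADE rule for
# NAT_SUBNET still exist? Older libvirt puts it directly in POSTROUTING,
# newer versions in LIBVIRT_PRT; matching on source subnet + target covers both.
nat_rules_present() {
    grep -F -- "-s $NAT_SUBNET" "$1" 2>/dev/null | grep -q -- "-j MASQUERADE"
}

# csf_restart_safe: reload csf, then repair libvirt NAT only if it got lost.
csf_restart_safe() {
    csf -r >/dev/null
    dump=$(mktemp)
    iptables-save -t nat > "$dump"
    if nat_rules_present "$dump"; then
        echo "csf reloaded; libvirt NAT for $NAT_SUBNET intact"
    else
        echo "csf reload removed libvirt NAT for $NAT_SUBNET; restarting libvirtd"
        service libvirtd restart
    fi
    rm -f "$dump"
}

# demo: exercise both helpers on constructed data (a temp csf.allow and a
# hand-written nat dump, not captured from a real node). Prints "2 ok".
demo() {
    d=$(mktemp -d)
    add_peer_allows "$d/csf.allow" 203.0.113.10 203.0.113.11 999.1.1.1 203.0.113.10
    n=$(grep -c '' "$d/csf.allow")
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE' \
        'COMMIT' > "$d/nat.dump"
    if nat_rules_present "$d/nat.dump"; then s=ok; else s=missing; fi
    rm -rf "$d"
    echo "$n $s"
}

case "${1:-demo}" in
    demo) demo ;;
    allow) shift; add_peer_allows "$CSF_ALLOW" "$@"; csf -r >/dev/null ;;
    restart) csf_restart_safe ;;
    *) echo "usage: $0 [demo|allow IP...|restart]" >&2; exit 2 ;;
esac
```

On the master, run the script with allow followed by every slave address; on each slave, with allow and the master address; then use restart instead of a bare csf -r whenever csf has to be reloaded. The per-source allow entries mean port 4085 is never reachable from arbitrary hosts, and checking the nat table before restarting libvirtd avoids bouncing every NAT guest when the reload happened to leave the rules in place.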


