
Setting up an iptables firewall

888 bytes added, 23:00, 11 November 2010
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domains.
 
== Simple firewall configuration independent of IP addresses ==
 
The ''Vzfirewall'' tool allows you to open and close ports for incoming connections without depending on fixed remote IP addresses. For example, you can allow the host ''release.prod.example.com'' to connect to VE 1234 by adding a multiline ''FIREWALL'' directive to the 1234.conf file:
 
<pre>
...
PRIVVMPAGES="300000:300000"
HOSTNAME="example.com"
...
FIREWALL="
...
# Allow access to PostgreSQL port only from release.prod machine.
# Note that you may use domain names here.
[5432]
release.prod.example.com
release.test.example.com
...
"
</pre>
 
Note that you may use hostnames instead of IP addresses, so the configuration stays valid when a VE is moved to a different IP address.
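
The following Python example is added here for illustration and is not Vzfirewall's own code: it parses a ''FIREWALL'' body in the format shown above and renders per-port allow rules followed by a drop rule, resolving each hostname at the moment the rules are generated. The FORWARD chain, TCP-only matching, the VE address passed in and all function names are assumptions of this example.

```python
import re
import socket

# Constructed sample in the format shown above (the elided "..." lines are omitted).
SAMPLE_FIREWALL = """
# Allow access to PostgreSQL port only from release.prod machine.
[5432]
release.prod.example.com
release.test.example.com
"""
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")  # keeps shell metacharacters out of rules

def parse_firewall(text):
    """Return {port: [source, ...]} from a FIREWALL directive body."""
    rules, port = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\d+)\]", line)
        if m:
            port = int(m.group(1))
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {line}")
            rules.setdefault(port, [])
        elif port is None or not HOST_RE.fullmatch(line):
            raise ValueError(f"bad or misplaced source entry: {line!r}")
        else:
            rules[port].append(line)
    return rules

def resolve_ipv4(host):
    """Default resolver: every IPv4 address the name maps to right now."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def render_rules(rules, ve_ip, resolve=resolve_ipv4):
    """Render iptables commands: allow each resolved source, then drop the rest."""
    out = []
    for port, sources in sorted(rules.items()):
        for host in sources:
            addrs = resolve(host)
            if not addrs:  # an injected resolver may return nothing; fail closed
                raise ValueError(f"{host} did not resolve; not emitting a partial rule set")
            for addr in addrs:
                out.append(f"iptables -A FORWARD -s {addr} -d {ve_ip} -p tcp "
                           f"--dport {port} -m comment --comment {host} -j ACCEPT")
        out.append(f"iptables -A FORWARD -d {ve_ip} -p tcp --dport {port} -j DROP")
    return out
```

Because the rendered rules contain the addresses that were current at generation time, they need to be regenerated whenever an allowed host's DNS record changes.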
 
The Vzfirewall tool and its documentation are available at the [http://en.dklab.ru/lib/dklab_vzfirewall/ vzfirewall homepage].
== An alternative from the author of Shorewall ==