Changes


Setting up an iptables firewall

135 bytes added, 23:03, 11 November 2010
m
Simple firewall configuration independent of IP addresses
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domains.
== Simple firewall configuration independent of IP addresses: vzfirewall ==
The ''Vzfirewall'' tool lets you open and close ports for incoming connections without depending on foreign IP addresses. For example, you can allow the host ''release.prod.example.com'' to connect to port 5432 of VE 1234 by adding a multiline ''FIREWALL'' directive to the 1234.conf file:
<pre>
</pre>
You must then run ''vzfirewall -a'' on your hardware node to apply the changes made in *.conf. Note that it is recommended to use hostnames instead of IP addresses here, so that the configuration persists when a VE moves to a different IP address.
The Vzfirewall tool and its documentation are available at [http://en.dklab.ru/lib/dklab_vzfirewall/].