OACI VE firewall feature does not work for VZ7 VEs

Modified on: Thu, 23 Jan, 2020 at 5:16 AM

Operations Automation Operations Automation:7.1 Operations Automation:7.2 Operations Automation:7.3 Operations Automation:7.4 Operations Automation:7.x

Symptoms

After adding a firewall rule for an OACI Virtual Environment, located on a Virtuozzo 7 hardware node, the rule is not applied, and the connection is still (im)possible (depending on the rule being added).

For example, setting the rule to allow only SSH traffic will not block HTTP/FTP/etc traffic to the VE.

The same steps work fine for Virtual Environments located on Virtuozzo 6 nodes.

Cause

By default, bridge-nf-call-* sysctl settings are turned off on Virtuozzo 7 nodes.

Resolution

Enable the sysctl settings on all Virtuozzo nodes in OACI:

# echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
# echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
# sysctl -p

Internal content

Did you find it helpful? Yes No