[Users] default packet filtering rules on openvz7

Dmitry Konstantinov barmaley at barmaley.net
Wed Mar 11 21:08:11 MSK 2020


firewalld is disabled. That's among the very first things I do on
servers. A search for 'virbr' and 'FORWARD' under /etc /usr /var
/opt (find /$path -type f -print0 | xargs -0 grep -i virbr) doesn't
return anything that might set up these rules.

On Wed, 11 Mar 2020 17:22:03 +0300
Konstantin Khorenko <khorenko at virtuozzo.com> wrote:

> On 03/09/2020 04:12 PM, Dmitry Konstantinov wrote:
> > Hello,
> >
> > I've noticed that after a fresh install I have a few filtering rules
> > that I do not need and would like to get rid of:
> >
> >
> > [root at localhost ~]# iptables -n -L -v
> > Chain INPUT (policy ACCEPT 2353 packets, 161K bytes)
> >  pkts bytes target  prot opt in     out     source     destination
> >     0     0 ACCEPT  udp  --  virbr0 *       0.0.0.0/0  0.0.0.0/0    udp dpt:53
> >     0     0 ACCEPT  tcp  --  virbr0 *       0.0.0.0/0  0.0.0.0/0    tcp dpt:53
> >     0     0 ACCEPT  udp  --  virbr0 *       0.0.0.0/0  0.0.0.0/0    udp dpt:67
> >     0     0 ACCEPT  tcp  --  virbr0 *       0.0.0.0/0  0.0.0.0/0    tcp dpt:67
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target  prot opt in     out     source     destination
> >     0     0 ACCEPT  all  --  virbr0 virbr0  0.0.0.0/0  0.0.0.0/0
> >     0     0 REJECT  all  --  *      virbr0  0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable
> >     0     0 REJECT  all  --  virbr0 *       0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable
> >
> > Chain OUTPUT (policy ACCEPT 1547 packets, 356K bytes)
> >  pkts bytes target  prot opt in     out     source     destination
> >     0     0 ACCEPT  udp  --  *      virbr0  0.0.0.0/0  0.0.0.0/0    udp dpt:68
> > [root at localhost ~]#
> >
> > I failed to find anything that adds these rules. Is it hardcoded? If
> > not, how do I disable them without writing a script to flush
> > iptables?  
> 
> Hi,
> 
> I guess the rules are created upon firewalld configuration.
> 
> > > not, how do I disable them without writing a script to flush
> > > iptables?
> Maybe just disable the firewalld service.
> 
> --
> Best regards,
> 
> Konstantin Khorenko,
> Virtuozzo Linux Kernel Team