Dragonchaser
Guest
We have Proxmox and we use the BlueOnyx Virtual Appliance:
http://pve.proxmox.com/wiki/BlueOnyx
In BlueOnyx we tried to install the Advanced Policy Firewall (APF) and Brute Force Detector (BFD):
http://www.solarspeed.net/cart.php?target=product&product_id=16282
But we encountered a problem with the APF firewall. When APF is started, it throws the following error message:
iptables: Unknown error 4294967295
We've seen this problem before on OpenVZ VPS's. It usually happens if ...
1.) numiptent: The parameter "numiptent" for that VPS must be set to 1000 to make sure that the firewall can create 1000 IPtables rules.
2.) vz.conf: In /etc/vz/vz.conf on the master node you must have the following IPtables related line:
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
That defines which IPtables related kernel features are available inside VPS's. It does not appear as if all of them are allowed at the moment, so APF will not work. Therefore we disabled the APF firewall for now as it otherwise would cause problems.
What do we do now? Do we just edit vz.conf on the node as described in point 2 above?
What happens if we edit vz.conf and then upgrade from 1.5 to 1.6? First upgrade, then edit vz.conf and pay attention during future upgrades?
Any suggestions?
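An added check, not from the original post, that a node administrator could run against copies of the configuration files: it lists which of the modules from the IPTABLES= line above are absent from a vz.conf, and tests whether a container's NUMIPTENT barrier (read from /etc/vz/conf/<CTID>.conf, a path assumed from OpenVZ conventions) reaches the 1000 the post mentions. The sample files are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the forum post): compare an OpenVZ node's
# vz.conf against the module list APF/BlueOnyx expects, and check a
# container's numiptent barrier. Paths are parameters, so it can run
# against copied files rather than the live node.

REQUIRED="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

# Print, one per line, the REQUIRED modules missing from the last
# IPTABLES= assignment in the given vz.conf. Empty output means all present.
missing_iptables_modules() {
    conf="$1"
    have=$(sed -n 's/^[[:space:]]*IPTABLES="\{0,1\}\([^"]*\).*/\1/p' "$conf" | tail -n 1)
    for mod in $REQUIRED; do
        case " $have " in
            *" $mod "*) ;;                 # present (names are case-sensitive)
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# Succeed (exit 0) only if the container config's NUMIPTENT barrier
# ("barrier:limit") is at least 1000 iptables entries.
numiptent_ok() {
    ctconf="$1"
    barrier=$(sed -n 's/^[[:space:]]*NUMIPTENT="\{0,1\}\([0-9]*\):.*/\1/p' "$ctconf" | tail -n 1)
    [ -n "$barrier" ] && [ "$barrier" -ge 1000 ]
}

# Constructed sample files standing in for /etc/vz/vz.conf and
# /etc/vz/conf/101.conf (assumed container id 101).
tmpdir=$(mktemp -d)
cat > "$tmpdir/vz.conf" <<'EOF'
## constructed excerpt: NAT modules deliberately left out
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
EOF
cat > "$tmpdir/101.conf" <<'EOF'
## constructed excerpt: default-sized barrier, too small for APF
NUMIPTENT="128:128"
EOF

missing_iptables_modules "$tmpdir/vz.conf"          # prints iptable_nat and ip_nat_ftp
numiptent_ok "$tmpdir/101.conf" || echo "numiptent barrier below 1000"
```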