
Bug#631234: marked as done (OpenVZ firewall issue)



Your message dated Wed, 10 Jul 2013 20:08:31 +0200
with message-id <20130710180831.GA6890@pisco.westfalen.local>
and subject line Closing OpenVZ related bugs
has caused the Debian Bug report #631234,
regarding OpenVZ firewall issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
631234: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631234
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-openvz-686
Version: 2.6.32+29

I have one Dell server, running Debian 6 with only one network port
connected to my test LAN (eth0), and two test containers, also running
Debian 6. On those containers I have installed Shorewall 4.4.11.6 from
the Debian repositories and configured it as described in the attached
files. The physical server doesn't have Shorewall installed. This is a
clean install, the only modifications I made from the base install was
installing the OpenVZ kernel and userland utilities. I have tested these
same configuration files on a VMware virtual machine and it worked
without any problems.

Now for the problem:

Whenever I enable shorewall (shorewall safe-start or boot), it allows
SSH and MySQL from the LAN, but it's impossible to access anything from
within the container to the outside world. Simply disabling shorewall,
or setting ALLOW in the net section of /etc/shorewall/policy resolves
the problem. I have tested this by using PING and SSH to the IP
addresses of other machines on the LAN, the other OpenVZ container and
the physical server.

--

I've reported this issue on the Shorewall mailing list and received the
following response from Tom Eastep:

I looked at this exact same problem with another user recently. The
problem is that the OpenVZ kernel is mis-categorizing incoming
packets.

Look at this:

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Not one packet has matched the 'ctstate RELATED,ESTABLISHED' rule.
Incoming SSH works but all outgoing connections fail because the
response packets are dropped.

I took a quick look at the Debian Bugtrack system and didn't see any
reports against the kernel package you are using but I would have
thought that the user I tried to help earlier would have filed a report
so you might want to poke around there.

Attachment: shorewall.tar.gz
Description: application/gzip


--- End Message ---
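The diagnostic Tom describes (a RELATED,ESTABLISHED rule that never matches while later rules drop the reply packets) can be checked mechanically from `iptables -nvL` output. The following is an added example written for this page, not code from the bug report, Shorewall or Debian; the listings are constructed samples modelled on the chain quoted above.

```python
import re

# Constructed sample modelled on the `iptables -nvL net2fw` listing quoted in
# the bug report: the ctstate rule has never matched while a Drop rule has.
BROKEN_LISTING = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  585 45057 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
  585 45057 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    9   790 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed healthy counterpart: reply packets are matched as ESTABLISHED,
# so nothing reaches the Drop rule.
HEALTHY_LISTING = BROKEN_LISTING.replace(
    "    0     0 ACCEPT     all", "  412 38120 ACCEPT     all").replace(
    "    9   790 Drop", "    0     0 Drop")

# Columns of a rule line: pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+(?:\s+(?P<extra>.*))?$")


def parse_rules(listing):
    """Return packet counter, target and match text for each rule line.
    The 'Chain ...' and ' pkts bytes ...' header lines do not match RULE_RE."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"pkts": int(m.group("pkts")), "target": m.group("target"),
                          "extra": (m.group("extra") or "").strip()})
    return rules


def diagnose(listing):
    """Flag the symptom from the report: traffic is accepted and dropped in the
    chain, yet the RELATED,ESTABLISHED rule has a zero packet count."""
    rules = parse_rules(listing)
    est = sum(r["pkts"] for r in rules if "RELATED,ESTABLISHED" in r["extra"])
    dropped = sum(r["pkts"] for r in rules if r["target"].upper() in ("DROP", "REJECT"))
    accepted = sum(r["pkts"] for r in rules if r["target"] == "ACCEPT")
    # Counters are zeroed on every restart, so require evidence of traffic
    # before calling a zero ESTABLISHED count suspicious.
    return {"established_pkts": est, "dropped_pkts": dropped, "accepted_pkts": accepted,
            "conntrack_suspect": est == 0 and accepted > 0 and dropped > 0}


if __name__ == "__main__":
    print(diagnose(BROKEN_LISTING))
    print(diagnose(HEALTHY_LISTING))
```

On a real host, feed it the output of `iptables -nvL net2fw` (run inside the container) after generating some outbound traffic; a `conntrack_suspect` result points at connection tracking rather than at the Shorewall rules.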
--- Begin Message ---
Hi,
your bug has been filed against the "linux-2.6" source package and was filed for
a kernel older than the recently released Debian 7.x.

As already announced in the release notes of Debian 6, the kernel from Debian 7.x
no longer includes support for openvz (due to the openvz changes not being part of
the upstream kernel).

We're closing this bug now, the Debian wiki contains some information on running
Debian 7.x with openvz: http://wiki.debian.org/OpenVz

Cheers,
        Moritz

--- End Message ---