LxCenter Forum: HyperVM KB » APF and HyperVM

Members

Help

Home

Home » LxCenter Knowledge Base » HyperVM KB » APF and HyperVM (Firewall - IPTables)

Show: Today's Messages :: Show Polls :: Message Navigator

APF and HyperVM [message #4134]

Mon, 05 March 2007 15:46

Lxhelp
Messages: 23701
Registered: July 2006

Masters

Customers who have installed Apf (Advanced policy Firewall) on their servers will run into random blockage of vps and hyperVM ports. The thing is, even if you disable apf and reboot the server, while the ports will be open for sometime, they will suddenly again get closed at some random time later. The culprit here is actually a specific design on the part of the apf, that is, they refresh their iptables ruleset every day, and for that purpose they have added cron.daily entry.

a) If you haven't added 8889 port to the apf set of rules, master/slave communication will get blocked, and you will start getting 'connot connect to the server', the connections may just hang.

b) HyperVM uses iptables to measure the traffic generated by openvz vpses, and the complete reset of iptable rules everyday by apf will completely skewer the traffic calculation. You need to create the iptables rules after the fw restarts. Just add this to the /etc/cron.daily/fw

 

/etc/init.d/apf restart
(cd /usr/local/lxlabs/hypervm/httpdocs/ ; lphp.exe ../bin/misc/openvz-iptables-traffic.php)

This will make sure that the traffic calculation rules are added to after the firewall restarts.

Thanks.

[Updated on: Sun, 25 April 2010 12:23] by Moderator

Report message to a moderator

Re: APF and hyperVM [message #37252 is a reply to message #4134]

Wed, 10 September 2008 11:34

markb14391

Messages: 239
Registered: June 2008

Senior Member

Hi,

Does this issue just refer to using APF on the node, or is it also a problem when APF is used in a VPS?

Also, you have mentioned that the node is generally safe since no services are active except those needed for HyperVM. Therefore, is APF even needed on the node?

Thanks.

Report message to a moderator

Re: APF and hyperVM [message #37260 is a reply to message #37252]

Wed, 10 September 2008 13:28

Lxhelp
Messages: 23701
Registered: July 2006

Masters

Only on the node. No, generally APF is not necessary.

On Wed, Sep 10, 2008 at 03:34:31PM -0000, Mark Bailey wrote:
>
>
> Hi,
>
> Does this issue just refer to using APF on the node, or is it also a problem when APF is used in a VPS?
>

Report message to a moderator

Re: APF and hyperVM [message #51953 is a reply to message #4134]

Tue, 30 December 2008 08:54

Cyberdevil
Messages: 12
Registered: October 2008

Member

This fix for APF is only for OpenVZ nodes right?

I'm using APF on my Xen node and I've opened the ports 8887, 8888, 8889 and 5558.

IG_TCP_CPORTS="22,5558,8887,8888,8889"
IG_UDP_CPORTS="5558,8887,8888,8889"

I don't know which ports are TCP and UDP so I've set them both.

Are there any Xen issues with the APF firewall ?

Thanks

Report message to a moderator

Re: APF and hyperVM [message #72574 is a reply to message #4134]

Thu, 21 January 2010 09:54

queenlee

Messages: 3
Registered: January 2010

Member

Hi im having problem on my hypervm openvz. i tried to add a vps on it but the result is:

Alert: A vps with the id 110 already exists on the system. This either means this was created outside of hyperVM or else it got orphaned because hyperVM was interrupted forcibly in the midst of a migration. You can either a) Login manually and delete the vps. or b) Use our import facility to import this vps into hyperVM. Sorry for the inconvenience.

i type: vzlist -a on my root and the result is

vzlist -a
CTID NPROC STATUS IP_ADDR HOSTNAME
0 - stopped - -

i dont have an idea if whats the problem is..

Report message to a moderator