Container server functionality is currently in beta.

With OnApp you can set firewall rules for the network interfaces of container servers. There are two types of firewall rule:

  • ACCEPT – defines the packets that will be accepted by the firewall
  • DROP – defines the packets that will be dropped by the firewall

Ensure that the following permissions are enabled before setting firewall rules for your container server:

  • Create own firewall rules
  • Destroy own firewall rules
  • Read own firewall rules
  • Update own firewall rules
  • Update own container server
  • Read own container server

You cannot apply firewall rules to container servers that are part of a blueprint.

You can set the following:

Add a specific firewall rule

To configure a firewall rule:

  1. Go to your Control Panel's Container Servers menu.
  2. Click the label of the container server for which you want to configure a firewall rule.
  3. Click the Networking tab, then click Firewall.
  4. On the page that appears, set the following:
    1. Choose the network interface.
    2. Specify if the rule defines requests that should be accepted or dropped.
    3. Set the IP address for which this rule is active:
      • Leave the field empty to apply the rule to all IPs
      • Enter two hyphen-separated IPs to apply the rule to an IP range (e.g. 192.168.1.1-192.168.1.10)
      • Enter an IP with a slash and prefix length to apply the rule to a CIDR block (e.g. 192.168.1.1/24)
    4. Set the port for which this rule is effective:
      • Leave the field empty to apply the rule to all ports
      • Enter colon-separated ports to apply the rule to a port range (e.g. 1024:1028)
      • Enter comma-separated ports to apply the rule to a list of ports (e.g. 80,443,21)
    5. Protocol type (for the ICMP protocol only) – specify the ICMP message type (0 to 255).
    6. Choose the protocol (TCP, UDP, DCCP, SCTP or ICMP).
  5. Save the rule by clicking the Add Rule button. The rule is saved in the UI, but the transaction is not started until you click the Apply Firewall Rules button.
  6. To start the transaction that applies the firewall rules to the container server, click the Apply Firewall Rules button.
  7. Use the Up and Down arrow buttons in the left column to change a firewall rule's position.
  8. To edit or delete a firewall rule, click the appropriate icon in the last column.

Default firewall rules

To set default firewall rules for a network interface:

  1. Go to your Control Panel's Container Servers menu.
  2. Click the label of the container server for which you want to configure a firewall rule.
  3. Click the Networking tab, then click Firewall.
  4. On the page that appears, go to Default firewall rules section.
  5. Choose ACCEPT or DROP command next to the network interface and click Save Default Firewall Rules. The rule will be saved in the UI, but the transaction won't be started until you click the Apply Firewall Rules button.

Example:

The Int1 ACCEPT 122.158.111.21 22 TCP firewall rule means that the Int1 network interface will accept all requests and packets from 122.158.111.21 using the TCP protocol on port 22.
The Int2 DROP 122.158.111.21 22 UDP firewall rule means that the Int2 network interface will drop all requests and packets from 122.158.111.21 using the UDP protocol on port 22.
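The matching semantics described above (empty, ranged and listed IP and port fields, an ICMP type in place of a port, and the interface default when no rule matches), as an added Python example that is not OnApp's code. It assumes rules are evaluated in list order with the first match deciding, which the page does not state, and the interface names, rule objects and sample addresses are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Rule fields as entered in the Firewall tab: IP spec "" = any, "a-b" = range,
# "x/n" = CIDR; port spec "" = any, "a:b" = range, "a,b,c" = list; icmp_type is ICMP-only.
Rule = namedtuple("Rule", "interface command ip port protocol icmp_type",
                  defaults=("", "", "TCP", None))

def ip_matches(spec, addr):
    """Match a source address against an empty, hyphen-range or CIDR spec."""
    if spec == "":
        return True
    a = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= a <= hi
    # strict=False tolerates host bits, as in the page's 192.168.1.1/24 example
    return a in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """Match a port against an empty, colon-range or comma-list spec."""
    if spec == "":
        return True
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        return lo <= port <= hi
    return port in {int(p) for p in spec.split(",")}

def rule_matches(rule, interface, src, proto, port=0, icmp_type=None):
    """True if a packet (interface, source IP, protocol, port or ICMP type) hits the rule."""
    if rule.interface != interface or rule.protocol.upper() != proto.upper():
        return False
    if proto.upper() == "ICMP":  # ICMP rules select on type instead of port
        selector_ok = rule.icmp_type is None or rule.icmp_type == icmp_type
    else:
        selector_ok = port_matches(rule.port, port)
    return selector_ok and ip_matches(rule.ip, src)

def verdict(rules, defaults, interface, src, proto, port=0, icmp_type=None):
    """First matching rule in list order wins (assumed); otherwise the interface default."""
    for rule in rules:
        if rule_matches(rule, interface, src, proto, port, icmp_type):
            return rule.command
    return defaults.get(interface, "DROP")

# Constructed sample mirroring the page's Int1/Int2 example (not real hosts).
RULES = [Rule("Int1", "ACCEPT", "122.158.111.21", "22", "TCP"),
         Rule("Int2", "DROP", "122.158.111.21", "22", "UDP")]
DEFAULTS = {"Int1": "DROP", "Int2": "ACCEPT"}
```

Running `verdict(RULES, DEFAULTS, "Int1", "122.158.111.21", "TCP", 22)` reproduces the page's first example; a source outside the rule falls through to the Int1 default.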

If you reboot a Xen-based container server from the console, the firewall rules for this container server will be lost, and you will need to update the firewall rules again.

Protocols:

For IPv4, only the ICMP, IPV6-ICMP, TCP, UDP, DCCP and SCTP protocols are available by default. However, if required, you can enable other protocols for IPv4:

  1. Open the /onapp/interface/config/network_protocols.yml file.
  2. The list contains all available IPv4 protocols. Set 'true' for each protocol you want to enable.
  3. Restart httpd by running one of the following commands:

    service httpd restart

    or

    /etc/init.d/httpd restart
  4. The protocols you have enabled are now available at Control Panel > Container Servers > Label > Networking tab > Firewall when adding new firewall rules.

The following protocols can be enabled in the /onapp/interface/config/network_protocols.yml file:

  • IP
  • HOPOPT
  • ICMP
  • IGMP
  • GGP
  • IP-ENCAP
  • ST
  • TCP
  • CBT
  • EGP
  • IGP
  • BBN-RCC-MON
  • NVP-II
  • PUP
  • ARGUS
  • EMCON
  • XNET
  • CHAOS
  • UDP
  • MUX
  • DCN-MEAS
  • HMP
  • PRM
  • XNS-IDP
  • TRUNK-1
  • TRUNK-2
  • LEAF-1
  • LEAF-2
  • RSVP-E2E-IGNORE
  • FC
  • SCTP
  • IPLT
  • RDP
  • IRTP
  • ISO-TP4
  • NETBLT
  • MFE-NSP
  • MERIT-INP
  • DCCP
  • 3PC
  • IDPR
  • XTP
  • DDP
  • IDPR-CMTP
  • TP
  • IL
  • SDRP
  • IDRP
  • RSVP
  • GRE
  • DSR
  • BNA
  • ESP
  • AH
  • I-NLSP
  • SWIPE
  • NARP
  • MOBILE
  • HIP
  • manet
  • MPLS-in-IP
  • UDPLite
  • PIPE
  • SSCOPMCE
  • TLSP
  • SKIP
  • CFTP
  • SAT-EXPAK
  • KRYPTOLAN
  • RVD
  • IPPC
  • SAT-MON
  • VISA
  • IPCV
  • CPNX
  • CPHB
  • WSN
  • PVP
  • BR-SAT-MON
  • SUN-ND
  • WB-MON
  • WB-EXPAK
  • ISO-IP
  • VMTP
  • SECURE-VMTP
  • VINES
  • TTP
  • NSFNET-IGP
  • DGP
  • TCF
  • EIGRP
  • OSPFIGP
  • Sprite-RPC
  • LARP
  • MTP
  • SPS
  • CRUDP
  • AX.25
  • IPIP
  • MICP
  • SCC-SP
  • ETHERIP
  • ENCAP
  • GMTP
  • IFMP
  • PNNI
  • PIM
  • ARIS
  • SCPS
  • QNX
  • A/N
  • IPComp
  • SNP
  • Compaq-Peer
  • IPX-in-IP
  • VRRP
  • PGM
  • L2TP
  • DDX
  • IATP
  • STP
  • SRP
  • UTI
  • SMP
  • SM
  • PTP
  • ISIS
  • FIRE
  • CRTP