Article ID: 123460, created on Nov 8, 2014, last review on Jun 17, 2016

Applies to:
  • Virtuozzo
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor


New connections from a node are dropped if CSF (Config Server Firewall) is installed.

E.g. ping returns Operation not permitted when trying to access another host:

[root@pcs ~]# ping IP.ADD.RE.SS
PING IP.ADD.RE.SS (IP.ADD.RE.SS) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

(Replace "IP.ADD.RE.SS" with the IP address of some well-known public service.)

Meanwhile, connections from containers where CSF is installed are working properly.


CSF brings rules that drop packets with INVALID state:

Chain INVALID (2 references)
target     prot opt source               destination
INVDROP    all  --             state INVALID
INVDROP    tcp  --             tcp flags:0x3F/0x00
INVDROP    tcp  --             tcp flags:0x3F/0x3F
INVDROP    tcp  --             tcp flags:0x03/0x03
INVDROP    tcp  --             tcp flags:0x06/0x06
INVDROP    tcp  --             tcp flags:0x05/0x05
INVDROP    tcp  --             tcp flags:0x11/0x01
INVDROP    tcp  --             tcp flags:0x18/0x08
INVDROP    tcp  --             tcp flags:0x30/0x20
INVDROP    tcp  --             tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
target     prot opt source               destination
DROP       all  --  

However, tracking packet state requires the connection tracking (conntrack) module to be loaded. Since conntrack is disabled on a hardware node by default, every packet is classified as INVALID because its connection cannot be tracked (for as long as conntrack stays disabled):

The INVALID state means that the packet can't be identified or that it does not have any state. This may be due to several reasons, such as the system running out of memory or ICMP error messages that do not respond to any known connections.


There are two ways out of this situation:

  1. [RECOMMENDED] Do not use state-based rules on a hardware node
  2. Enable connection tracking on a hardware node according to the following article:

    113000 - Issues with firewall on HW Node - Impossible to use ip_nat and ipt_state modules

    NOTE: This option is not recommended because enabling conntrack on a host might lead to performance issues. Learn more about this in the above-mentioned article.
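To check a node for the situation described above before choosing option 1, the following script (an added example written for this article, not a Virtuozzo or CSF tool) tests whether conntrack is loaded by looking for /proc/net/nf_conntrack (or the legacy /proc/net/ip_conntrack) and lists every rule in iptables-save output that depends on connection state (-m state / -m conntrack). The sample ruleset embedded in it is constructed to resemble what CSF installs and is not captured from a real node; the function names and the optional root prefix argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original article: find state-based iptables
# rules on a hardware node where connection tracking may be disabled.

# Return 0 when connection tracking appears enabled, i.e. the conntrack
# module has registered /proc/net/nf_conntrack (or the older ip_conntrack).
# $1 is an optional root prefix so the check can be pointed at sample data.
conntrack_enabled() {
    root="${1:-}"
    [ -e "$root/proc/net/nf_conntrack" ] || [ -e "$root/proc/net/ip_conntrack" ]
}

# Read iptables-save output on stdin and print every rule that matches on
# connection state. With conntrack disabled, each such rule sees every
# packet as INVALID; tcp-flags rules do not depend on conntrack and are skipped.
state_rules() {
    grep -E -- '-m (state|conntrack)' | grep -E -- '--(state|ctstate)'
}

# Count the state-based rules in an iptables-save dump passed as $1.
count_state_rules() {
    printf '%s\n' "$1" | state_rules | grep -c .
}

# Constructed sample dump resembling CSF's INVALID/INVDROP chains
# (not captured from a real node).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
-A INPUT -m state --state INVALID -j INVDROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INVALID -m state --state INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVDROP -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Audit the live node: only meaningful as root on a host with iptables.
audit_node() {
    if conntrack_enabled; then
        echo "conntrack is enabled; state-based rules can work"
    else
        echo "conntrack is disabled; these rules will treat every packet as INVALID:"
        iptables-save 2>/dev/null | state_rules
    fi
}

# Demonstrate on the constructed sample; set AUDIT_LIVE=1 to audit the real node.
echo "State-based rules in the constructed sample:"
printf '%s\n' "$SAMPLE_RULES" | state_rules
[ "${AUDIT_LIVE:-0}" = 1 ] && audit_node
```

Run it as root with AUDIT_LIVE=1 on the hardware node; any rule it prints is one that, with conntrack disabled, drops or accepts based on a state that is always INVALID, so the expected output on a correctly configured node (option 1 above) is an empty list.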

Search Words

Operation not permitted


