Article ID: 124854, created on Mar 13, 2015, last review on Oct 26, 2015

Applies to:

  • Virtuozzo 6.0
  • Virtuozzo containers for Linux
  • Virtuozzo hypervisor


Is it safe to use firewall scripts such as CSF, APF or LFD on a Hardware Node?


Yes, it is safe to use them, but there is one limitation.

Traffic for containers configured in host-routed mode passes through the node, which acts as a router for them: it enters the containers through the FORWARD chain on the hardware node.
Firewall scripts often include rules for the FORWARD chain, and any restrictive rules there may break the containers' network connectivity.

For example, CSF sets the default policy of the FORWARD chain to DROP:

Chain FORWARD (policy DROP)
target     prot opt source               destination

Before using any firewall script, make sure there are no restrictive rules in the FORWARD chain and that its default policy is ACCEPT, so that container traffic is not affected.
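
One way to run that check from the node's shell, as an added example that is not part of the original article: the function name `audit_forward` and the sample rule sets are constructed for illustration, and the input is assumed to be the output of `iptables -S FORWARD`.

```shell
#!/bin/sh
# Audit `iptables -S FORWARD` output (read on stdin) for settings that can cut
# off host-routed containers. Prints one line per finding and returns 0 when
# the chain is permissive, 1 otherwise.
# Limitation: only DROP/REJECT targets placed directly in FORWARD are flagged;
# rules that jump to a user-defined chain must be reviewed by hand.
audit_forward() {
    awk '
        BEGIN { bad = 0; seen = 0 }
        # Default policy line, e.g. "-P FORWARD DROP"
        $1 == "-P" && $2 == "FORWARD" {
            seen = 1
            if ($3 != "ACCEPT") { print "policy: " $3; bad = 1 }
        }
        # Appended rules, e.g. "-A FORWARD ... -j DROP"
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT")) {
                    print "rule: " $0; bad = 1; break
                }
        }
        END {
            if (!seen) { print "policy: not found in input"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: what a restrictive firewall script might leave behind.
sample_restrictive() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -j DROP
EOF
}

# Constructed sample: the state this article recommends.
sample_open() {
    printf '%s\n' '-P FORWARD ACCEPT'
}

# Demo on the constructed input; on a live node run as root:
#   iptables -S FORWARD | audit_forward
sample_restrictive | audit_forward || echo "FORWARD chain needs review"
```
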

If the node is a member of Virtuozzo storage, it is recommended to use a separate network for cluster communication. It is necessary to allow any traffic over the storage network. It is not recommended to apply granular firewall rules to pstorage traffic, since it may reduce networking performance. However, if it is necessary to block other traffic on the pstorage interface, make sure that the following list of ports is opened
