Is it safe to use firewall scripts like LFD on a Hardware Node?
Yes it is safe to use them, but there is one limitation.
Traffic for containers configured in host-routed mode is passed through the node: it works as a router for them, and traffic enters the containers through the FORWARD chain on the hardware node.
Firewall scripts often include rules for the FORWARD chain, and any restrictive rules there might affect container network connectivity.
CSF configures the default policy for the FORWARD chain to DROP:
    Chain FORWARD (policy DROP)
    target prot opt source destination
Before using any firewall script, make sure there are no restrictive rules in FORWARD and that the default policy is ACCEPT. That way container traffic won't be affected.
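One way to run this check before and after enabling a firewall script, as an added example that is not part of the original article. The function name check_forward and both sample rule sets are constructed for illustration; the input format is that of `iptables -S FORWARD`.

```shell
#!/bin/sh
# Audit the FORWARD chain from `iptables -S FORWARD` output read on stdin.
# Returns 0 only when the default policy is ACCEPT and no FORWARD rule
# jumps to DROP or REJECT; prints one line per finding otherwise.
# Limitation: rules inside user-defined chains are not followed.
check_forward() {
    awk '
        $1 == "-P" && $2 == "FORWARD" {
            seen = 1
            if ($3 != "ACCEPT") { print "policy: " $3; bad = 1 }
        }
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) {
                    print "restrictive rule: " $0; bad = 1
                }
        }
        END {
            if (!seen) { print "no FORWARD policy line found"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: a FORWARD chain as a restrictive firewall script
# might leave it (DROP policy plus one REJECT rule).
SAMPLE_RESTRICTIVE='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: a FORWARD chain that leaves container traffic alone.
SAMPLE_OPEN='-P FORWARD ACCEPT'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OPEN" | check_forward && echo "open sample: OK"
printf '%s\n' "$SAMPLE_RESTRICTIVE" | check_forward \
    || echo "restrictive sample: container traffic would be affected"
```

On a hardware node, pipe the live rule set into the function as root: `iptables -S FORWARD | check_forward`.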
If the node is a member of Virtuozzo storage, it is recommended to use a separate network for cluster communication. It is necessary to allow any traffic over the storage network. It is not recommended to apply granular firewall rules to pstorage traffic, since it may reduce networking performance. However, if it is necessary to block other traffic on pstorage interface, make sure that the following list of ports is opened