I have apf installed on an OpenVZ container (proxmox 2.1). The config is pretty much vanilla and things are working. My external services like ssh and http are working. My problem is that all outbound traffic on http/https is blocked. How do I allow all outbound traffic for http/https?

If I change EGF to 1 like this, all inbound and outbound traffic gets blocked:

EGF="1"
EG_TCP_CPORTS="21,25,80,443,43,53"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"

I opened a single outbound rule with the following:

# /usr/local/sbin/apf -a downloads.wordpress.org

How do I allow all outbound traffic on http/https without blocking all traffic? Why would I allow all inbound ssh/http traffic and block all outbound traffic?

David

2 Answers

I had the same issue - using an OpenVZ container, outbound HTTP and HTTPS were blocked when the inbound filter was on; everything was blocked when the egress filter was on.

The solution is to set the IPTABLES configuration of your container from your hardware. On my server, the default was (in /etc/vz/vz.conf on the hardware):

IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"

I overwrote this in my container's configuration (/etc/vz/conf/CONTAINERNUMBER.conf on the hardware):

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

Not sure exactly which one did it, but after setting this and restarting the container, APF worked exactly as expected.

jb_314
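As an added example (not part of the answer above), a small POSIX shell check that compares an OpenVZ IPTABLES= module list against the netfilter modules APF's stateful rules depend on. Treating ip_conntrack, ipt_state and ipt_LOG as the required set is this example's assumption; the two sample lines are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: report which netfilter modules a container's IPTABLES=
# list lacks for stateful filtering. Module names are standard OpenVZ /
# netfilter names; the REQUIRED set below is an assumption of this example.

# Constructed sample: the default from /etc/vz/vz.conf quoted above.
VZ_DEFAULT='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"'

# Constructed sample: the per-container override quoted above.
CT_OVERRIDE='IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state  ipt_helper  iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"'

# Modules needed for "-m state --state ESTABLISHED,RELATED" rules (which let
# return traffic through) and for logging dropped packets.
REQUIRED="ip_conntrack ipt_state ipt_LOG"

# missing_modules "<IPTABLES=... line>": prints the required modules absent
# from the list, space-separated; prints an empty line when none are missing.
missing_modules() {
    # Strip the key and the quotes, leaving only the bare module list.
    list=$(printf '%s\n' "$1" | sed 's/^IPTABLES=//; s/"//g')
    missing=""
    for mod in $REQUIRED; do
        case " $list " in
            *" $mod "*) ;;                       # present
            *) missing="$missing $mod" ;;        # absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# check_config "<IPTABLES=... line>": exit 0 if the list is sufficient for
# stateful filtering, 1 otherwise, with a one-line verdict on stdout.
check_config() {
    m=$(missing_modules "$1")
    if [ -z "$m" ]; then
        echo "OK: all required netfilter modules present"
        return 0
    fi
    # Assumption: without these, state-matching rules cannot be loaded.
    echo "MISSING: $m (state-matching rules cannot be loaded)"
    return 1
}

check_config "$VZ_DEFAULT" || :   # MISSING: ip_conntrack ipt_state ipt_LOG (...)
check_config "$CT_OVERRIDE"       # OK: all required netfilter modules present
```

Run it against the IPTABLES= line from your own CONTAINERNUMBER.conf to see which modules the container is still missing before restarting it.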
That's to prevent unwanted outbound traffic from bypassing your firewall and consuming unnecessary bandwidth, etc.

sysadmin1138