pibby · March 26, 2014 02:37
diff --git a/0001-ufw-Initial-firewall-config-on-OpenVZ-VPS.patch b/0001-ufw-Initial-firewall-config-on-OpenVZ-VPS.patch
 From eccc80a754273641c2e0532be98987c8e89e960e Mon Sep 17 00:00:00 2001
 From: root <[email protected]>
 Date: Fri, 28 Jun 2013 20:38:12 +0400
 Subject: [PATCH] ufw: Initial firewall config on OpenVZ VPS

 * OpenVZ vps doesn't have all the kernel features needed by
  Ubuntu 12.04 LTS, disable unsupported features so firewall
  starts cleanly.
 ---
 default/ufw      |    4 ++--
 ufw/after.rules  |    2 +-
 ufw/before.rules |   16 ++++++++++------
 ufw/ufw.conf     |    2 +-
 5 files changed, 15 insertions(+), 11 deletions(-)

 diff --git a/default/ufw b/default/ufw
 index bbe4842..728e682 100644
 --- a/default/ufw
 +++ b/default/ufw
 @@ -4,7 +4,7 @@
 # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
 # accepted). You will need to 'disable' and then 'enable' the firewall for
 # the changes to take affect.
 -IPV6=yes
 +IPV6=no
 
 # Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
 # ACCEPT enables connection tracking for NEW inbound packets on the INPUT
 @@ -45,5 +45,5 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
 # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
 # nf_conntrack_ftp, nf_nat_ftp: active FTP support
 # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
 -IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
 +#IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
 
 diff --git a/ufw/after.rules b/ufw/after.rules
 index 0d6c646..8d84cf4 100644
 --- a/ufw/after.rules
 +++ b/ufw/after.rules
 @@ -24,7 +24,7 @@
 -A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
 
 # don't log noisy broadcast
 --A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
 +#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
 
 # don't delete the 'COMMIT' line or these rules won't be processed
 COMMIT
 diff --git a/ufw/before.rules b/ufw/before.rules
 index bc11f36..3ea3d1d 100644
 --- a/ufw/before.rules
 +++ b/ufw/before.rules
 @@ -42,20 +42,20 @@
 #
 # ufw-not-local
 #
 --A ufw-before-input -j ufw-not-local
 +#-A ufw-before-input -j ufw-not-local
 
 # if LOCAL, RETURN
 --A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
 +#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
 
 # if MULTICAST, RETURN
 --A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
 +#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
 
 # if BROADCAST, RETURN
 --A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
 +#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
 
 # all other non-local packets are dropped
 --A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
 --A ufw-not-local -j DROP
 +#-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
 +#-A ufw-not-local -j DROP
 
 # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
 # is uncommented)
 @@ -65,5 +65,9 @@
 # is uncommented)
 -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
 
 +#
 +# OpenVZ has issues the "-m comment" args that ufw adds, so do this manually
 +-A ufw-before-input -p tcp --dport 22 -j ACCEPT
 +
 # don't delete the 'COMMIT' line or these rules won't be processed
 COMMIT
 diff --git a/ufw/ufw.conf b/ufw/ufw.conf
 index 8336b91..28fe534 100644
 --- a/ufw/ufw.conf
 +++ b/ufw/ufw.conf
 @@ -3,7 +3,7 @@
 
 # Set to yes to start on boot. If setting this remotely, be sure to add a rule
 # to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
 -ENABLED=no
 +ENABLED=yes
 
 # Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
 # See 'man ufw' for details.
 -- 
 1.7.9.5
	From eccc80a754273641c2e0532be98987c8e89e960e Mon Sep 17 00:00:00 2001
	From: root <[email protected]>
	Date: Fri, 28 Jun 2013 20:38:12 +0400
	Subject: [PATCH] ufw: Initial firewall config on OpenVZ VPS

	* OpenVZ vps doesn't have all the kernel features needed by
	Ubuntu 12.04 LTS, disable unsupported features so firewall
	starts cleanly.
	---
	default/ufw \| 4 ++--
	ufw/after.rules \| 2 +-
	ufw/before.rules \| 16 ++++++++++------
	ufw/ufw.conf \| 2 +-
	5 files changed, 15 insertions(+), 11 deletions(-)

	diff --git a/default/ufw b/default/ufw
	index bbe4842..728e682 100644
	--- a/default/ufw
	+++ b/default/ufw
	@@ -4,7 +4,7 @@
	# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
	# accepted). You will need to 'disable' and then 'enable' the firewall for
	# the changes to take affect.
	-IPV6=yes
	+IPV6=no

	# Set the default input policy to ACCEPT, ACCEPT_NO_TRACK, DROP, or REJECT.
	# ACCEPT enables connection tracking for NEW inbound packets on the INPUT
	@@ -45,5 +45,5 @@ IPT_SYSCTL=/etc/ufw/sysctl.conf
	# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
	# nf_conntrack_ftp, nf_nat_ftp: active FTP support
	# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
	-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
	+#IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

	diff --git a/ufw/after.rules b/ufw/after.rules
	index 0d6c646..8d84cf4 100644
	--- a/ufw/after.rules
	+++ b/ufw/after.rules
	@@ -24,7 +24,7 @@
	-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

	# don't log noisy broadcast
	--A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
	+#-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

	# don't delete the 'COMMIT' line or these rules won't be processed
	COMMIT
	diff --git a/ufw/before.rules b/ufw/before.rules
	index bc11f36..3ea3d1d 100644
	--- a/ufw/before.rules
	+++ b/ufw/before.rules
	@@ -42,20 +42,20 @@
	#
	# ufw-not-local
	#
	--A ufw-before-input -j ufw-not-local
	+#-A ufw-before-input -j ufw-not-local

	# if LOCAL, RETURN
	--A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
	+#-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

	# if MULTICAST, RETURN
	--A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
	+#-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

	# if BROADCAST, RETURN
	--A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
	+#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

	# all other non-local packets are dropped
	--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
	--A ufw-not-local -j DROP
	+#-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
	+#-A ufw-not-local -j DROP

	# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
	# is uncommented)
	@@ -65,5 +65,9 @@
	# is uncommented)
	-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

	+#
	+# OpenVZ has issues the "-m comment" args that ufw adds, so do this manually
	+-A ufw-before-input -p tcp --dport 22 -j ACCEPT
	+
	# don't delete the 'COMMIT' line or these rules won't be processed
	COMMIT
	diff --git a/ufw/ufw.conf b/ufw/ufw.conf
	index 8336b91..28fe534 100644
	--- a/ufw/ufw.conf
	+++ b/ufw/ufw.conf
	@@ -3,7 +3,7 @@

	# Set to yes to start on boot. If setting this remotely, be sure to add a rule
	# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
	-ENABLED=no
	+ENABLED=yes

	# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
	# See 'man ufw' for details.
	--
	1.7.9.5