Command-line firewall management still sucks
And now a break from my usual programming-related posts to bring you something back on the sysadmin side of the fence, for a change. I’m in the process of setting up a new VPS for myself, and probably will move my blog over to it when it is all set up. I say VPS, but really it is an OpenVZ container (which I guess passes for VPS just about as well). The critical difference is that you are running under the steam of the host system’s kernel, and there are numerous kernel-related changes you just cannot make. Frankly, I’m glad – I don’t particularly feel like managing the entire system down to kernel tunables.
Sadly this particular VPS comes with no external firewall management, so I’m back in the land of having to ensure at least a small amount of basic protection. I definitely don’t want to write my own ruleset (especially not properly stateful rules), Filtergen is acceptable but really outdated, and the last time I was using Ubuntu on my day to day laptop, I was using UFW (which is simple, but also not very nice). I really don’t want to go for one of these completely integrated systems with a control panel.
So I have settled on UFW for the time being. Sadly, it seems to completely fail in this OpenVZ environment due to numerous modules that cannot be inserted into the running kernel, some sysctl settings etc. You can find a reasonable summary of that here. For now, I’ve run through removing all the unnecessary cruft and have a just-working ruleset. It does sadden me that there isn’t anything better, although to be fair, I’ve been completely ignoring any developments here for the last year and a half.
IS there anything better? Drop me a comment if you have any good suggestions.