Virtuozzo warning

Posted: 16 Jul 2013, 00:54
by kir
CSF (servercheck.pm) produces a big fat warning when running under OpenVZ/Virtuozzo:
Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module
is currently broken you have to open a PASV port hole in iptables for
incoming FTP connections to work correctly. See the csf readme.txt
under 'A note about FTP Connection Issues' on how to do this.
I have checked that ip_conntrack_ftp is working fine under the current stable OpenVZ kernel (RHEL6-based, 2.6.32). Apparently, it was fixed in the 2.6.27 OpenVZ kernel in May 2010 (http://git.openvz . org/?p=linux-2.6.27-openvz;a=commit;h=b1a1a2481d6ecf5843104f81b2c334bc0eb3c1f2 <-- remove spaces between openvz and org to view the link).

That makes this warning useless. Moreover, it forces people to create a less secure setup by opening a passive port range.

I suggest modifying the check to take the kernel version number into account and disabling the warning for 2.6.x and 3.y kernels (where x > 27 and y is any number).
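
The version rule proposed in the post above, written out as an added example (it is not csf's code and not part of the forum post). The function name `kernel_has_fixed_conntrack_ftp` is hypothetical, the sample release strings are constructed, and treating major versions above 3 like 3.y is an assumption that goes beyond the post.

```shell
#!/bin/sh
# Added example, not csf code. Rule from the post: the ip_conntrack_ftp
# warning is unnecessary on 2.6.x kernels with x > 27 and on 3.y kernels.

# kernel_has_fixed_conntrack_ftp RELEASE
#   RELEASE: a `uname -r` style string such as "2.6.32-042stab079.5".
#   Returns 0 when the rule says the warning can be skipped, 1 otherwise.
#   Anything unparsable returns 1, so the warning stays on when in doubt.
kernel_has_fixed_conntrack_ftp() {
    release=$1

    # Keep the leading dotted-number part: "2.6.32-042stab079.5" -> "2.6.32".
    version=${release%%[!0-9.]*}

    # Split on dots into major, minor and patch level.
    old_ifs=$IFS
    IFS=.
    set -- $version
    IFS=$old_ifs
    major=${1:-} minor=${2:-} patch=${3:-0}

    # Reject empty components ("", "2..6", ".6.32").
    case $major in '') return 1 ;; esac
    case $minor in '') return 1 ;; esac

    # 3.y: any y. Assumption beyond the post: later major versions count too.
    [ "$major" -ge 3 ] && return 0

    # 2.6.x: only x > 27, exactly as the post states it (2.6.27 still warns).
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -gt 27 ]; then
        return 0
    fi
    return 1
}

# Constructed sample release strings, not taken from the page.
for r in "2.6.18-348.el5.028stab107.1" "2.6.32-042stab079.5" "3.10.0-123.el7"; do
    if kernel_has_fixed_conntrack_ftp "$r"; then
        echo "$r: skip warning"
    else
        echo "$r: keep warning"
    fi
done
```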

Re: Virtuozzo warning

Posted: 01 Aug 2013, 09:41
by ForumAdmin
We'll look at adding a check for the kernel version.

Re: Virtuozzo warning

Posted: 01 Aug 2013, 15:48
by ForumAdmin
This has been added to csf v6.27:
http://blog.configserver.com/?p=1889