Moving to Future Hosting, Part IV
This installment was supposed to be about getting ffmpeg built with all the necessary libraries, but I ran into something else that pre-empted that topic. As I attempted to do an svn checkout of the ffmpeg source tree on lio, SVN kept failing with a timeout. I recall Yousif claiming to have this problem on his FutureHosting VPS box, which I wrote off as User Error, but this was too much of a coincidence. I tried the same svn checkout on my personal machine, and it worked fine, confirming the ffmpeg SVN server was indeed up.
I immediately suspected a firewall issue, since I did opt for the free security lock-down service on setup of my account. I know outbound HTTP requests work as I’ve done wget a lot already, but maybe the firewall allows outbound connections on known ports only. To answer the question, I sought out the firewall configuration, which was easier said than done.
At first I looked at /etc/sysconfig/iptables-config, but it was just the stock configuration. Then I remembered reading in one of the welcome docs from FutureHosting that they installed and configured the APF firewall. I looked into that a bit, and found that its config files are in /etc/apf. However, the config files are much more complicated, and I couldn’t find any rules passing outbound http, or blocking other outbound traffic.
Then I went to the Virtuozzo Power Panel for lio, which had a ‘Firewall’ link on it. Unfortunately, the firewall configuration left a bit to be desired. Nothing in the output indicated that rules were in force at the time, so I couldn’t tell what the problem was. Therefore, I ran the firewall setup, and chose to use the ‘Normal’ firewall rules, and checked the box to reset the firewall configuration. After that I got a list of stock rules that were in place, like ‘Allow Outbound Connections’ (this was enabled after the reset), ‘Allow DNS’, ‘Allow POP3’, etc. I deleted the rules for services I’m not hosting on lio, but left ‘Allow Outbound Connections’ enabled.
After that, lo! and behold, svn checkout worked. The lesson there is FutureHosting’s locked-down firewall config is locked down, to the point of uselessness, and there’s no obvious way to tune the lockdown params; you just reset them all. Nice.
I’m sure I could’ve opened a support ticket to get this resolved, but I want to know how this stuff works on my VPS box. I must admit to being no closer to an understanding; I still can’t match the firewall rules displayed in the Power Panel to the /etc/apf/ config files. I guess the important thing is that it’s working now.
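When neither the control panel nor the config files show which rules are in force, the loaded ruleset itself can be read from `iptables-save`. The following is an added example, not part of the original post: it parses that output and reports which OUTPUT rule, or the chain policy, decides a new outbound TCP connection to a given port. The sample ruleset is constructed, `egress_verdict` and `port_in` are hypothetical names, and port 3690 (the default for svn:// URLs) is an assumed test value, since the post does not say which port its checkout used.

```python
"""First-pass check: would the loaded filter/OUTPUT chain pass a NEW outbound
TCP connection to a given port? Reads `iptables-save` text."""
import shlex

# Constructed sample ruleset, not taken from the VPS in the post.
SAMPLE = """\
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,25,80,443 -j ACCEPT
COMMIT
"""

def port_in(spec, port):
    """True if port falls in an iptables port spec such as '80' or '21,1024:2048'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def egress_verdict(ruleset, port):
    """Return (target, rule) for the first OUTPUT rule that decides the packet,
    or (chain policy, None). Rules narrowed by interface, address, source port
    or negation, and jumps to LOG or user-defined chains, are skipped."""
    policy, table = "ACCEPT", None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A OUTPUT "):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            if opt.get("-p", "tcp") not in ("tcp", "all"):
                continue  # rule is for another protocol
            if "!" in tok or {"-o", "-d", "-s", "--sport", "--sports"} & opt.keys():
                continue  # narrowed in a way this first pass does not evaluate
            state = opt.get("--state") or opt.get("--ctstate")
            if state and "NEW" not in state.split(","):
                continue  # only covers already-established traffic
            spec = opt.get("--dport") or opt.get("--dports")
            if spec and not port_in(spec, port):
                continue  # destination port not listed
            if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                return opt["-j"], line
    return policy, None
```

On a live host, pass the text printed by `iptables-save` (run as root) as `ruleset`; a result of `("DROP", None)` means no rule matched and the chain's default policy is what blocks the connection.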