I had to use DISABLE_FIREWALL=1 on my OpenVZ installation.
Since the machine still has a public IP exposed to the internet, I wonder if I’m fine. Specifically, if the box is purposefully designed in such a way that only the necessary services bind to the public interface.
I did a port scan, which gives me this, which appears to be fine:
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
587/tcp open submission
993/tcp open imaps
4190/tcp open sieve
But I am concerned that future updates might not be. Is DISABLE_FIREWALL officially supported in that sense?
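One way to keep checking this after updates, as an added example that is not from the original post or from the mail server project it concerns: parse the output of `ss -tlnH` on the box and flag any port that listens on a non-loopback address but is not in the allowlist taken from the scan above. The sample `ss` output below is constructed, including the two loopback-only services and the unexpected port 8080.

```python
"""Audit listening TCP sockets against the ports the port scan showed open."""
import subprocess

# Ports the scan above showed open; anything else reachable on a
# non-loopback address is reported as unexpected.
EXPECTED_PUBLIC_PORTS = {22, 25, 53, 80, 443, 587, 993, 4190}


def parse_ss_listeners(text):
    """Parse `ss -tlnH` lines into (local_address, port) tuples."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:          # State Recv-Q Send-Q Local Peer
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and [::] are wildcards."""
    bare = addr.strip("[]")
    return bare.startswith("127.") or bare == "::1"


def audit(listeners, expected=EXPECTED_PUBLIC_PORTS):
    """Return sorted ports listening on a non-loopback address but not expected."""
    unexpected = {port for addr, port in listeners
                  if not is_loopback(addr) and port not in expected}
    return sorted(unexpected)


def audit_live_host():
    """Run `ss` on this machine and audit its listeners (requires iproute2)."""
    out = subprocess.run(["ss", "-tlnH"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_ss_listeners(out))


# Constructed sample of `ss -tlnH` output (not captured from a real box).
SAMPLE = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::1]:11211 [::]:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

if __name__ == "__main__":
    print("unexpected public ports:", audit(parse_ss_listeners(SAMPLE)))
```

Running `audit_live_host()` from cron and alerting on a non-empty result turns the one-off scan into a standing check that an update has not exposed a new service.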