HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Bastille Firewall problems (http://www.howtoforge.com/forums/showthread.php?t=45563), in General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)

itsnedkeren 2nd May 2010 21:11

Bastille Firewall problems
 
Hi all.

First off I'm running Ubuntu 9.10 x64 with ISPC 3.0.2.1.

I have always used Ubuntu's UFW firewall, for the easy interface, but recently I'm running into problems using it alongside ISPC's Bastille firewall :(

My UFW is always active, reporting that it's running as it should, BUT when Bastille is also active only the common ports (80, 21, etc.) are open. When I then issue the /etc/init.d/bastille-firewall stop command, my user-defined ports in UFW are once again open for business :confused:

The logical thing would just be to disable Bastille-firewall, and indeed that's what I did. BUT now the fun starts!

When Bastille is stopped and UFW is active (yes, active), there is absolutely NO firewall enabled on the server. I have tested with another server from another IP, which is NOT listed as allowed anywhere, and that computer has access to all ports :(

Code:

output of IPTABLES -L:

root@xxxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain fail2ban-ssh (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain ufw-after-forward (0 references)
target    prot opt source              destination

Chain ufw-after-input (0 references)
target    prot opt source              destination
RETURN    udp  --  anywhere            anywhere            udp dpt:netbios-ns
RETURN    udp  --  anywhere            anywhere            udp dpt:netbios-dgm
RETURN    tcp  --  anywhere            anywhere            tcp dpt:netbios-ssn
RETURN    tcp  --  anywhere            anywhere            tcp dpt:microsoft-ds
RETURN    udp  --  anywhere            anywhere            udp dpt:bootps
RETURN    udp  --  anywhere            anywhere            udp dpt:bootpc
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
target    prot opt source              destination
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-input (0 references)
target    prot opt source              destination
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-output (0 references)
target    prot opt source              destination

Chain ufw-after-output (0 references)
target    prot opt source              destination

Chain ufw-before-forward (0 references)
target    prot opt source              destination
ufw-user-forward  all  --  anywhere            anywhere

Chain ufw-before-input (0 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere            anywhere            state INVALID
DROP      all  --  anywhere            anywhere            state INVALID
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp source-quench
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere            anywhere
ACCEPT    all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT    all  --  anywhere            BASE-ADDRESS.MCAST.NET/4
ufw-user-input  all  --  anywhere            anywhere

Chain ufw-before-logging-forward (0 references)
target    prot opt source              destination

Chain ufw-before-logging-input (0 references)
target    prot opt source              destination

Chain ufw-before-logging-output (0 references)
target    prot opt source              destination

Chain ufw-before-output (0 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere            anywhere

Chain ufw-logging-allow (0 references)
target    prot opt source              destination
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '

Chain ufw-logging-deny (2 references)
target    prot opt source              destination
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-not-local (1 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type LOCAL
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type MULTICAST
RETURN    all  --  anywhere            anywhere            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere            anywhere            limit: avg 3/min burst 10
DROP      all  --  anywhere            anywhere

Chain ufw-reject-forward (0 references)
target    prot opt source              destination

Chain ufw-reject-input (0 references)
target    prot opt source              destination

Chain ufw-reject-output (0 references)
target    prot opt source              destination

Chain ufw-track-input (0 references)
target    prot opt source              destination

Chain ufw-track-output (0 references)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            state NEW
ACCEPT    udp  --  anywhere            anywhere            state NEW

Chain ufw-user-forward (1 references)
target    prot opt source              destination

Chain ufw-user-input (1 references)
target    prot opt source              destination

ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imap2
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:imaps
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:pop3s
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:www
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:8000
ACCEPT    udp  --  anywhere            anywhere            udp spt:8000
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:8001
ACCEPT    udp  --  anywhere            anywhere            udp spt:8001
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssmtp

Chain ufw-user-limit (0 references)
target    prot opt source              destination
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere

Chain ufw-user-logging-forward (0 references)
target    prot opt source              destination

Chain ufw-user-logging-input (0 references)
target    prot opt source              destination

Chain ufw-user-logging-output (0 references)
target    prot opt source              destination

Chain ufw-user-output (1 references)
target    prot opt source              destination


Can anyone please assist me with this, having an open system is not great :(

Best regards
Jim
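The listing above is the tell: the built-in INPUT chain has policy ACCEPT and no rules, and every ufw-* chain is marked (0 references), so ufw's rules are loaded into the kernel but no packet ever reaches them. As an added check, not from this thread or from ufw itself, the Python below parses `iptables -L` output and reports that state; the sample is a trimmed copy of the output posted above.

```python
"""Check whether a loaded ufw ruleset is actually wired into INPUT."""
import re

# Trimmed copy of the `iptables -L` output posted in the thread (constructed subset).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain ufw-before-input (0 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere
ufw-user-input  all  --  anywhere            anywhere

Chain ufw-user-input (1 references)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp
"""

# Built-in chains show "(policy X)", user chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")


def parse_chains(text):
    """Return {chain: (policy or None, reference count or None, [targets])}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            refs = int(m.group(3)) if m.group(3) is not None else None
            chains[current] = (m.group(2), refs, [])
            continue
        # Skip blank lines and the column header; keep the target of each rule.
        if not line.strip() or line.startswith("target") or current is None:
            continue
        chains[current][2].append(line.split()[0])
    return chains


def firewall_in_effect(chains):
    """True only if INPUT drops by default or jumps into at least one chain."""
    policy, _, targets = chains["INPUT"]
    return policy != "ACCEPT" or len(targets) > 0


def orphaned_chains(chains, prefix="ufw-"):
    """Chains with the given prefix that nothing references: loaded but unreachable."""
    return sorted(name for name, (_, refs, _) in chains.items()
                  if name.startswith(prefix) and refs == 0)
```

Run it against `iptables -L` on a host where ufw claims to be active: an empty INPUT chain plus a non-empty orphan list means the host is wide open regardless of what `ufw status` says.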

till 2nd May 2010 22:11

You should never run more than one firewall at a time, so if you want to use ufw instead of bastille, make sure that you disabled bastille and restarted the server afterwards.

Fail2ban interacts with iptables too. You should reconfigure fail2ban to use the route command instead of iptables:

http://www.faqforge.com/linux/contro...k-connections/

If you installed your server as described in the perfect setup, then it does not make a big difference if you run a firewall or not as your system runs only services that shall be accessible from outside anyway and no other services are listening to any ports.

itsnedkeren 2nd May 2010 22:20

Hi Till.

Thanks for the swift reply.

I've tried disabling Bastille, but every time I reboot, it comes back :(

Best regards
Jim

till 2nd May 2010 22:24

Have you deleted the firewall record in ispconfig?

itsnedkeren 2nd May 2010 22:25

1 Attachment(s)
There is none, see picture.

EDIT: I have now done the Fail2ban changes you suggested.

itsnedkeren 2nd May 2010 22:46

Rebooting the server again seemed to have solved the problem, but it has solved it before, so I'm not sure the cause of the problem is solved.

Is there any way I can "uninstall" or disable the Bastille Firewall?

Thanks again.

till 2nd May 2010 22:46

Please run:

update-rc.d -f bastille-firewall remove

to disable the bastille firewall permanently.

itsnedkeren 2nd May 2010 22:55

Code:

Removing any system startup links for /etc/init.d/bastille-firewall ...

Thanks a million Till :)

