Originally Posted by keybd_user
Yeah, I noticed that the iptables --list did show the rules set up correclty so it obviously must start in the middle of the ISPConfig scripts.
I added some more ports to make a backup sshd service with a different sshd config file.
So the issue is this one:
If the ISPConfig scripts starts the firewall then I think we have a problem.
In the startup order ISPConfig is the last to start.
And, for example the NTP service takes a long time to connect to ntp servers and start and this happens Before we have the ISPConfig => Firewall activated.
All other services are up ...
That is why I wonder if it is not better to start the iptables Before ISPConfig and disable in ISPConfig the firewall.
It will be there on the runlevel we wich on the order we determine and is best suited.
In case of need we can use ISPConfig interface to change the firewall rules only (they do not change that often anyway ... ).
In a datacenter environment a long start without firewal can be complicated ...
What is your opinion.
I agree in case you run services that shall not be available for external users.
But normally you run on a webserver only services like apache, pop3, imap, smtp that shall be used from outside, so these ports are open anyway. It makes no big difference if the firewall is on or not, as these ports are open anyway for all running services.
This does not apply for firewalls for a network or a firewall on a desktop that shall not accept connections from outside.