HowtoForge Forums > ISPConfig 3 > General

#1 | 2nd May 2010, 22:11 | itsnedkeren (Senior Member)
Bastille Firewall problems

Hi all.

First off I'm running Ubuntu 9.10 x64 with ISPC 3.0.2.1.

I have always used Ubuntu's UFW firewall, for the easy interface, but recently I'm running into problems using it alongside ISPC's Bastille firewall.

My UFW is always active, reporting that it's running as it should, BUT when Bastille is also active only the common ports (80, 21, etc.) are open. When I then issue the /etc/init.d/bastille-firewall stop command, my user-defined ports in UFW are once again open for business.

The logical thing would just be to disable Bastille-firewall, and indeed that's what I did. BUT now the fun starts!

When Bastille is stopped and UFW is active (yes, active), there is absolutely NO firewall enabled on the server. I have tested with another server from another IP, which is NOT listed as allow anywhere, and that computer has access to all ports.

Code:
output of IPTABLES -L:

root@xxxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (0 references)
target     prot opt source               destination

Chain ufw-after-input (0 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-ns
RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
RETURN     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
RETURN     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
RETURN     udp  --  anywhere             anywhere            udp dpt:bootps
RETURN     udp  --  anywhere             anywhere            udp dpt:bootpc
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-input (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-output (0 references)
target     prot opt source               destination

Chain ufw-after-output (0 references)
target     prot opt source               destination

Chain ufw-before-forward (0 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere            state INVALID
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-before-logging-input (0 references)
target     prot opt source               destination

Chain ufw-before-logging-output (0 references)
target     prot opt source               destination

Chain ufw-before-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere            limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (0 references)
target     prot opt source               destination

Chain ufw-reject-input (0 references)
target     prot opt source               destination

Chain ufw-reject-output (0 references)
target     prot opt source               destination

Chain ufw-track-input (0 references)
target     prot opt source               destination

Chain ufw-track-output (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:8000
ACCEPT     udp  --  anywhere             anywhere            udp spt:8000
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:8001
ACCEPT     udp  --  anywhere             anywhere            udp spt:8001
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

Can anyone please assist me with this? Having an open system is not great.

Best regards
Jim
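A check for the situation in this post, added here as an example and not taken from the thread: it parses saved `iptables -L` text and reports whether ufw's entry chains are actually wired into INPUT. In the listing above the ufw chains show "(0 references)" and INPUT has policy ACCEPT, so the ufw rules exist but no packet is ever sent through them. The two listings in the script are constructed samples; on a real host feed it the output of `iptables -L`.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `iptables -L` text and reports
# whether ufw's entry chains are wired into INPUT; "(0 references)" on them
# plus "policy ACCEPT" on INPUT means nothing is filtered at all.

# Constructed sample with the same shape as the thread's listing (unhooked).
SAMPLE_UNHOOKED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain ufw-before-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ufw-user-input  all  --  anywhere             anywhere'

# Constructed sample of a host where ufw is in control (hooked).
SAMPLE_HOOKED='Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ufw-user-input  all  --  anywhere             anywhere'

# Policy of the INPUT chain (ACCEPT or DROP) from listing $1.
input_policy() {
    printf '%s\n' "$1" | awk '/^Chain INPUT /{gsub(/[()]/,"",$4); print $4; exit}'
}

# Number of INPUT rules in listing $1 that jump into a ufw-* chain.
ufw_jumps_from_input() {
    printf '%s\n' "$1" | awk '/^Chain /{c=($2=="INPUT")} c && /^ufw-/{n++} END{print n+0}'
}

# Reference count iptables reports for chain $1 in listing $2.
chain_refs() {
    printf '%s\n' "$2" | awk -v c="$1" \
        '$1 == "Chain" && $2 == c { gsub(/[(]/, "", $3); print $3; exit }'
}

# "hooked" only if INPUT jumps to ufw and ufw-before-input is referenced.
ufw_state() {
    if [ "$(ufw_jumps_from_input "$1")" -gt 0 ] && [ "$(chain_refs ufw-before-input "$1")" -gt 0 ]; then
        echo hooked
    else
        echo unhooked
    fi
}
```

On a live host, `ufw_state "$(iptables -L)"` printing "unhooked" together with `input_policy` printing ACCEPT is exactly the open state described in this post.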
#2 | 2nd May 2010, 23:11 | till (Super Moderator)

You should never run more than one firewall at a time, so if you want to use ufw instead of bastille, make sure that you disable bastille and restart the server afterwards.

Fail2ban interacts with iptables too. You should reconfigure fail2ban to use the route command instead of iptables:

http://www.faqforge.com/linux/contro...k-connections/

If you installed your server as described in the perfect setup, then it does not make a big difference if you run a firewall or not as your system runs only services that shall be accessible from outside anyway and no other services are listening to any ports.
--
Till Brehm
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 | 2nd May 2010, 23:20 | itsnedkeren (Senior Member)

Hi Till.

Thanks for the swift reply.

I've tried disabling Bastille, but every time I reboot, it comes back.

Best regards
Jim
#4 | 2nd May 2010, 23:24 | till (Super Moderator)

Have you deleted the firewall record in ispconfig?
#5 | 2nd May 2010, 23:25 | itsnedkeren (Senior Member)

There is none, see picture.

EDIT: I have now done the Fail2ban changes you suggested.
Attached Images (screenshot not included)
#6 | 2nd May 2010, 23:46 | itsnedkeren (Senior Member)

Rebooting the server again seemed to have solved the problem, but it has solved it before, so I'm not sure the cause of the problem is solved.

Is there any way I can "uninstall" or disable the Bastille Firewall?

Thanks again.
#7 | 2nd May 2010, 23:46 | till (Super Moderator)

Please run:

update-rc.d -f bastille-firewall remove

to disable the bastille firewall permanently.