Firewall down?

[ispconfig_question]

Hello,

I have two ISPconfig boxes, both have the same settings in ISPconfig in System-Firewall-Basic:

Code:

20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000
53,3306

But when I click Monitor-Logfiles-Show IPtables, I have totally different outputs.

Box1:

Code:

iptables -S (ipv4)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A fail2ban-SSH -j RETURN 


ip6tables -S (ipv6)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Box2:

Code:

iptables -S (ipv4)
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-N fail2ban-SSH
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -j DROP 
-A INPUT -i eth+ -j PUB_IN 
-A INPUT -i ppp+ -j PUB_IN 
-A INPUT -i slip+ -j PUB_IN 
-A INPUT -i venet+ -j PUB_IN 
-A INPUT -i bond+ -j PUB_IN 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -o eth+ -j PUB_OUT 
-A OUTPUT -o ppp+ -j PUB_OUT 
-A OUTPUT -o slip+ -j PUB_OUT 
-A OUTPUT -o venet+ -j PUB_OUT 
-A OUTPUT -o bond+ -j PUB_OUT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j DROP 
-A PUB_OUT -j ACCEPT 
-A fail2ban-SSH -j RETURN 


ip6tables -S (ipv6)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Does it mean I have no firewall at all on Box1 (everything passes)? (It is perfectly possible I have turned it off accidentally and I don't remember it now, it is already some time I have configured the first box.)

Is there some setting in ISPConfig how to turn it back on? As I have read on this forum, modifying IPtables directly is not the preferred method as it might interfere with Bastille.

Is it default configuration of ISPconfig to have all ports open over IPv6, or have I messed up something even on the Box2 (the newly installed one)?

I have observed no problems with the Box1 for all the months the firewall was down. Is it a real threat to have all the ports open?

[till]

The firewall on box 1 is down. Generally it does not matter much because on a normal ispconfog server, you run only the services that shall be accessible anyway. So if the firewall is on or off does not make any difference.

Quote:

Is there some setting in ISPConfig how to turn it back on? As I have read on this forum, modifying IPtables directly is not the preferred method as it might interfere with Bastille.

Restart bastille by running the bastille firewall init script.

Quote:

Is it default configuration of ISPconfig to have all ports open over IPv6, or have I messed up something even on the Box2 (the newly installed one)?

Bastille does not suppport ipv6 (biút a firewall is normally not nescessary anyway like I pointed out above). With ispconfig 3.0.5, there is also support for ufw builtin which supports ipv4 and ipv6.

Quote:

I have observed no problems with the Box1 for all the months the firewall was down. Is it a real threat to have all the ports open?

No.

[ispconfig_question]

Thanks alot for response. I have restarted bastille. (Is there any difference in issuing "service xxx restart" and "/etc/init.d/xxx restart" commands? The first one didn't work for me with bastille-firewall.)
The firewall seems to be on now, but the FTP service stopped to work. It seems there is a problem with passive transfer - it needs the whole port range open on firewall. Do I have to add this range to the list of open ports? I suppose the answer is yes, because you have already stated it is no major risk to have ports open.

[till]

Quote:

Do I have to add this range to the list of open ports

Yes. Port ranges are defined with -. Example:

50-100

to open port 50 to 100 in the firewall.

[ispconfig_question]

Thank you, I'll do it this way.