Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 24th June 2006, 22:15
keybd_user keybd_user is offline
Member
 
Join Date: Apr 2006
Location: Coimbra, Portugal
Posts: 39
Thanks: 0
Thanked 1 Time in 1 Post
Default Bastille - firewall in ISPConfig.

Hi,

I installed ISPConfig lattest version in a X86_64 mean machine and everything is perfect. (a dauting task
Looking at the startup message I can see that ISPConfig in the boot System V sequence starts after the network has been initiated, after some other stuff has also been started.
(network S05network and S07ispconfig_server in runlevel 3).
I can perfectly see in the log file that ispconfig_server starts and his own instance of apache is also up and running.
My question is When does the firewall start.
I followed the perfect setup but I can not see when the iptables rules are set.
The script bastille-firewall does not show in the init.d rc levels.
Also using
# iptables --list
The rules appear to be there correctly setup.
But It does show up in yast2 runlevel editor and it is not possible to make it "active".

Should I just make

chkconfig bastille-firewall --add
chkconfig bastille-firewall on --level 3,5

Coments?

Regards,
Pedro
Reply With Quote
Sponsored Links
  #2  
Old 25th June 2006, 17:58
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,804
Thanks: 840
Thanked 5,613 Times in 4,424 Posts
Default

No, dont add Bastille in the runlevels, it is controlled and started be ythe ISPConfig startscript.

Just enable the Firewall under management > server > services.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 25th June 2006, 20:34
keybd_user keybd_user is offline
Member
 
Join Date: Apr 2006
Location: Coimbra, Portugal
Posts: 39
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by till
No, dont add Bastille in the runlevels, it is controlled and started be ythe ISPConfig startscript.

Just enable the Firewall under management > server > services.
Hi Till,

Yeah, I noticed that the iptables --list did show the rules set up correclty so it obviously must start in the middle of the ISPConfig scripts.
I added some more ports to make a backup sshd service with a different sshd config file.
So the issue is this one:
If the ISPConfig scripts starts the firewall then I think we have a problem.
In the startup order ISPConfig is the last to start.
And, for example the NTP service takes a long time to connect to ntp servers and start and this happens Before we have the ISPConfig => Firewall activated.
All other services are up ...
That is why I wonder if it is not better to start the iptables Before ISPConfig and disable in ISPConfig the firewall.
It will be there on the runlevel we wich on the order we determine and is best suited.
In case of need we can use ISPConfig interface to change the firewall rules only (they do not change that often anyway ... ).
In a datacenter environment a long start without firewal can be complicated ...
What is your opinion.

Regards,
Pedro
Reply With Quote
  #4  
Old 26th June 2006, 09:38
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,804
Thanks: 840
Thanked 5,613 Times in 4,424 Posts
Default

Quote:
Originally Posted by keybd_user
Hi Till,

Yeah, I noticed that the iptables --list did show the rules set up correclty so it obviously must start in the middle of the ISPConfig scripts.
I added some more ports to make a backup sshd service with a different sshd config file.
So the issue is this one:
If the ISPConfig scripts starts the firewall then I think we have a problem.
In the startup order ISPConfig is the last to start.
And, for example the NTP service takes a long time to connect to ntp servers and start and this happens Before we have the ISPConfig => Firewall activated.
All other services are up ...
That is why I wonder if it is not better to start the iptables Before ISPConfig and disable in ISPConfig the firewall.
It will be there on the runlevel we wich on the order we determine and is best suited.
In case of need we can use ISPConfig interface to change the firewall rules only (they do not change that often anyway ... ).
In a datacenter environment a long start without firewal can be complicated ...
What is your opinion.
I agree in case you run services that shall not be available for external users.

But normally you run on a webserver only services like apache, pop3, imap, smtp that shall be used from outside, so these ports are open anyway. It makes no big difference if the firewall is on or not, as these ports are open anyway for all running services.

This does not apply for firewalls for a network or a firewall on a desktop that shall not accept connections from outside.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 26th June 2006, 13:19
keybd_user keybd_user is offline
Member
 
Join Date: Apr 2006
Location: Coimbra, Portugal
Posts: 39
Thanks: 0
Thanked 1 Time in 1 Post
 
Default

Quote:
Originally Posted by till
I agree in case you run services that shall not be available for external users.

But normally you run on a webserver only services like apache, pop3, imap, smtp that shall be used from outside, so these ports are open anyway. It makes no big difference if the firewall is on or not, as these ports are open anyway for all running services.

This does not apply for firewalls for a network or a firewall on a desktop that shall not accept connections from outside.
Hi Till,

I fully agree with your point.
But that is only valid if you know in advance exactly what services (and ports they are using) are running in the server at boot time.
But if one day by any change (and trust me, this things happen) I forget a service startup that has a vulnerability of some sort (and they are so many to mention ... ) that could be a serious problem.
Moreover, my server is used by other programmers that have repositories with their development ... I fully and totally trust them ... but has we all know us Java Developers, are know to make "imaginative" server-side programs ... sometimes to save a login under ssh ...
Go figure.

Well ... I do not expect a lot of reboots ... so this should not be a problem.
Anyhow, it is too late now to make this things wait any longer.
I simply have to be more cautious.
I will change the ntp startup order for after the ISPConfig (it is the one that takes longer this will dramatically reduce any type of attack attempt).

Regards,
Pedro
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Maybe ISPConfig firewall problem? DennisDee General 1 21st June 2006 12:55
ISPConfig - Behind Hardware Firewall RunneR General 4 30th May 2006 04:54
SP-Server Setup - Ubuntu 5.10 "Breezy Badger" - Page 6 (changes) LuisC-SM HOWTO-Related Questions 0 21st April 2006 16:16
ISPConfig Security - Firewall cybereatl Installation/Configuration 5 2nd April 2006 18:02
ISPConfig firewall issue dwyoung Installation/Configuration 5 12th December 2005 11:26


All times are GMT +2. The time now is 05:57.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.