Firewall ports & setup on multi server environment

Discussion in 'Installation/Configuration' started by Stelios, Oct 24, 2020.

  1. Stelios

    Stelios Member HowtoForge Supporter

    Hi all,

    Assuming I didn't miss anything, can someone confirm please that the following are the required ports on a multi-server setup that needs to be opened?

    1. Controlpanel server with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
    TCP ports: 21,22,80,53,443,8080
    UDP ports: 53

    2. Web servers
    TCP ports: 20,21,22,53,80,443,40110:40210 (for passive ftp)
    UDP ports: 53

    3. Email servers
    TCP ports: 22,53,110,143,443,993,995
    UDP ports: 53

    3. DB servers
    TCP ports: 22,53
    UDP ports: 53

    4. DNS servers
    TCP ports: 22,53
    UDP ports: 53

    Questions:
    I don't want MySQL accessible outside of my IPs/private network (10.0.0.0/16) and this is why I didn't include the 3306 port under the above listing on DB servers. How & where can I put a rule on ISPconfig to achieve this?
    I don't want to limit access by editing MySQL users, need through the firewall.

    Is there a way also to add 3 IPs (not within my private network) to bypass any firewall rule?

    Last but not least, if I want to replace ufw firewall which is currently installed with CSF apart from removing it via apt-get & also deleting the rules through the ISPconfig interface, do I need to do anything else?
    For example, is somehow fail2ban related to it? Do I need to remove that too?

    Thanks
     
    Last edited: Oct 24, 2020
    ahrasis likes this.
  2. ahrasis

    ahrasis Well-Known Member

    You know you don't need port 8080 for all servers and just the master for ISPConfig GUI if you use it, right?

    For database, which should be there on each server, if I'm not mistaken, only they shall have access to master (and not vice versa) and to limit this acess, you need to add their ip manually to the master server firewall rules.
     
    Last edited: Oct 24, 2020
    Jesse Norell likes this.
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Let's start with a short list of ports and what they are for:
    SSH: 22 (TCP)
    HTTP(S) (web traffic): 80, 443 (TCP)
    ISPConfig GUI: 8080, 8081 (TCP) (I don't use 8081 personally and you can leave it closed)
    MySQL DB: 3306 (TCP)
    DNS: 53 (TCP and UDP)
    FTP: 20, 21 (TCP) (and your passive ports ofcourse)
    SMTP: 25 (TCP), 465 (SSL submission) (TCP), 587 (TLS submission) (TCP)
    IMAP: 143 (non-encrypted) (TCP), 993 (SSL) (TCP)
    POP3: 110 (non-encrypted) (TCP), 995 (SSL) (TCP)

    I personally don't use ISPConfig to manage my firewall rules. If you use UFW, you can allow only a local range for the database using this command:
    Code:
    ufw allow from 10.0.0.0/16 to any port 3306 proto tcp
    This has to be done on every server. Remember to add the local adresses along with the hostname to your /etc/hosts file, so your servers connect internally instead of through the public IP address.

    This should be the config for your server.
    1. Controlpanel server with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
    TCP ports: 22,80,443,8080

    2. Web servers
    TCP ports: 20,21,22,80,443,40110:40210 (for passive ftp)

    3. Email servers
    TCP ports: 22,25,110,143,465,587,993,995

    3. DB servers
    TCP ports: 22

    4. DNS servers
    TCP ports: 22,53
    UDP ports: 53


    Yes, using UFW:
    Code:
    ufw allow from 8.8.8.8
    Replace 8.8.8.8 with the correct IP

    No, I don't think so. But afaik CSF is not supported by ISPConfig, so you'd have to configure it through the CLI. I like UFW personally, it's easy to use and works well.
     
  4. ahrasis

    ahrasis Well-Known Member

    Is this really has to be done if we are using the lastest ISPConfig 3.2?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is currently not necessary for ISPConfig but I do it as I trust my local network and some applications do need access to a DB on a slave server.

    So you can leave it out for every server except the master and database server(s), but I would add it.
     
    ahrasis likes this.
  6. Stelios

    Stelios Member HowtoForge Supporter

    @Th0m thank you for the very detailed answer.

    My /etc/hosts contain both IPs, the public and the internal like:

    10.0.0.6 dns1.mydomain.com dns1
    88.198.1.1 dns1.mydomain.com dns1

    Would that cause a problem in resolving? I guess no?
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No problem :)

    You should remove the second entry just to be sure, because if the server would connect to your public IP, it would not be able to go through your firewall rule for 3306.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    A couple corrections to your initial list, you don't need to allow incoming port 20 anywhere; it is used as the server's source port when originating active mode connections, nothing every connects *to* port 20; you also don't need port 53 opened on all your servers, only those which accept DNS queries from other machines (ie. typically just your public dns servers).

    For security, limit all incoming port 22 connections to your admin addresses if you can, only opening 22 to the internet for web servers, so your clients can connect and manage files, etc. Same idea with port 3306, I only open it where it's needed/used.
     
  9. ahrasis

    ahrasis Well-Known Member

  10. Stelios

    Stelios Member HowtoForge Supporter

    Thanks for all the posts.

    SSH is accessible only with a private key so no need to change any port.

    This is what I currently have in terms of firewall rules:

    1. Controlpanel server
    with PHPMyAdmin/Roundcube/webFTP installed on it to communicate with the other servers
    TCP ports: 22,80,443,8080

    2. Web servers
    TCP ports: 21,22,80,443,40110:40210

    3. Email servers
    TCP ports: 22,25,110,143,465,587,993,995

    3. DB servers
    TCP ports: 22

    4. DNS servers
    TCP ports: 22,53
    UDP ports: 53

    MySQL is accessible from outside my local network only through 3 specific IPs from a VPN.

    Kind regards
     
    ahrasis and Th0m like this.
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    There's also tcp port 4190 on mail servers for managesieved if you want to use that.
     
    ahrasis and Th0m like this.

Share This Page