Robust firewall rules

Discussion in 'Installation/Configuration' started by tom@ttucker.com, Sep 13, 2005.

  1. tom@ttucker.com

    tom@ttucker.com New Member

    Absolutely one of the BEST tools I have found!!

    Thanks for all the great work.

    Is there a way to set more robust firewall rules with ISPConfig?

    For instance, I want to limit access to mysql to only a specific subnet, say 198.168.1.224/28, or allow all traffic from a subnet.

    Tom
     
  2. till

    till Super Moderator

    You can edit the bastille-firewall config in /etc/Bastille/bastille-firewall.cfg and the master template that ISPConfig uses to generate the config file, /root/ispconfig/isp/conf/bastille-firewall.cfg.master, manually.

    If this solution is not flexible enough for you, disable the firewall in ISPConfig and set up other firewall software that is more advanced.
     
  3. tom@ttucker.com

    tom@ttucker.com New Member

    Thanks for the instantaneous response! WOW!

    Will edits to /etc/Bastille/bastille-firewall.cfg be overwritten with an upgrade to ISPConfig?
     
  4. till

    till Super Moderator

    If you update the firewall in the web-interface, /etc/Bastille/bastille-firewall.cfg will be overwritten with /root/ispconfig/isp/conf/bastille-firewall.cfg.master.
    If you upgrade ISPConfig, both files will be overwritten.
     
  5. falko

    falko Super Moderator

    Therefore you should edit /root/ispconfig/isp/conf/bastille-firewall.cfg.master. :)
     
  6. rdmandel

    rdmandel New Member

    More on ISPConfig Firewall rules

    I have just started with ISPConfig and it seems to run VERY nicely out of the box, but I am having trouble with passive mode ftp.

    Behind a router with ports 49152-65534 opened, I uncommented the line in the ProFTP conf "PassivePorts 49152 65534", but cannot find a way to make the firewall accept a port range. Whatever I try, I get a message in German saying the port number must be between 0 and 65000.

    To make it work, I have to turn the firewall OFF for ftp, but that worries me, even if I am behind the router with NAT.

    Any ideas?
     
  7. till

    till Super Moderator

    You cannot open port ranges in the ISPConfig firewall. When your server is behind a router, you can switch off the ISPConfig firewall.
     
  8. rdmandel

    rdmandel New Member

    port ranges not allowed in ISP Config firewall

    That's what I figured, but it might be something for future versions. If I were not behind a router, this would be a real problem for ftp passive mode.

    Thanks for your attention to these forums. You and Falko are really great.

    richard
     
  9. Craig

    Craig New Member

    A better way...

    Totally firewall MySQL and then set up a secure tunnel using Putty.

    I use this to great effect using putty and MySQL Administrator.

    Normally, from a remote connection, MySQL Administrator cannot access various functions, like setting users/passwords and permissions as well as setting startup settings, but with a putty tunnel, MySQL Administrator is seen as connecting locally (localhost), so not only are all MySQL Administrator functions and features enabled, but you end up with the most secure MySQL server possible. :)

    If anyone wants it, I could add a mini-howto or maybe it should be called a micro-mini-howto as it is only 2 steps. :D
     
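The PuTTY-tunnel approach Craig describes, as an added example that is not from the thread or from ISPConfig: the OpenSSH equivalent of the local port forward, plus a check that mysqld itself only listens on loopback, so the firewall and the tunnel really are the only way in. The SSH user, host and local port are assumed, and the my.cnf fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Assumed values: an SSH
# user "admin", a server "db.example.com" and local port 3307.

# Print the ssh command that forwards a local port to the server's own
# 127.0.0.1:3306. MySQL then sees the client as connecting from localhost,
# which is why MySQL Administrator gets its full feature set through it.
tunnel_cmd() {
  ssh_user="$1"; db_host="$2"; local_port="${3:-3307}"
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:3306 %s@%s\n' \
    "$local_port" "$ssh_user" "$db_host"
}

# Client side: --protocol=tcp and -h 127.0.0.1 are needed, otherwise the
# mysql client treats "localhost" as the Unix socket and bypasses the tunnel.
client_cmd() {
  printf 'mysql --protocol=tcp -h 127.0.0.1 -P %s -u root -p\n' "${1:-3307}"
}

# Defender's check: does the [mysqld] section bind only to loopback (or
# disable TCP entirely with skip-networking)? Returns 0 if so, 1 if not.
mysqld_is_loopback_only() {
  awk -F'[[:space:]=]+' '
    { sub(/^[[:space:]]+/, "") }                 # trim leading blanks
    /^[#;]/ { next }                             # comment lines
    /^\[/ { in_mysqld = ($0 ~ /^\[mysqld\]/); next }
    in_mysqld && $1 == "skip-networking" { ok = 1 }
    in_mysqld && $1 == "bind-address" &&
      ($2 == "127.0.0.1" || $2 == "::1") { ok = 1 }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

# Constructed sample config (not a real server's file) for the check above.
write_sample_cnf() {
  cat > "$1" <<'EOF'
[client]
port = 3306
[mysqld]
# listen on loopback only; remote clients come in through the ssh tunnel
bind-address = 127.0.0.1
EOF
}

tunnel_cmd admin db.example.com
client_cmd
```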
  10. falko

    falko Super Moderator

    That would be great. Maybe you can make it up a little bit, e.g. write a short introduction and something about your motivation so that other people understand easily what this is about. :)
     