UFW used by ISP but disabled

Discussion in 'Installation/Configuration' started by Poliman, Feb 9, 2017.

  1. Poliman

    Poliman Member

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's just the firewall type selector, it does not indicate if you have an active firewall. Did you set up a firewall under System > Firewall?
     
  3. Poliman

    Poliman Member

    Thank you for the answer. I don't have anything in System -> Firewall. After clicking "Add firewall record" I see two inputs with allowed/opened tcp and udp ports and an active checkbox. Does it enable the ufw firewall? I have only seen rules added in the console, e.g.:
    sudo ufw enable
    sudo ufw allow 22
    sudo ufw allow proto tcp from 192.168.0.2 to any port 22
     
  4. Poliman

    Poliman Member

    I added the default record for the firewall under ISP, ufw was enabled, ufw status output:
    Code:
    Status: active
    
    To                         Action      From
    --                         ------      ----
    20/tcp                     ALLOW       Anywhere
    21/tcp                     ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    25/tcp                     ALLOW       Anywhere
    53/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    110/tcp                    ALLOW       Anywhere
    143/tcp                    ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    587/tcp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    995/tcp                    ALLOW       Anywhere
    3306/tcp                   ALLOW       Anywhere
    8080/tcp                   ALLOW       Anywhere
    8081/tcp                   ALLOW       Anywhere
    10000/tcp                  ALLOW       Anywhere
    53/udp                     ALLOW       Anywhere
    3306/udp                   ALLOW       Anywhere
    20/tcp (v6)                ALLOW       Anywhere (v6)
    21/tcp (v6)                ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
    25/tcp (v6)                ALLOW       Anywhere (v6)
    53/tcp (v6)                ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    110/tcp (v6)               ALLOW       Anywhere (v6)
    143/tcp (v6)               ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)
    587/tcp (v6)               ALLOW       Anywhere (v6)
    993/tcp (v6)               ALLOW       Anywhere (v6)
    995/tcp (v6)               ALLOW       Anywhere (v6)
    3306/tcp (v6)              ALLOW       Anywhere (v6)
    8080/tcp (v6)              ALLOW       Anywhere (v6)
    8081/tcp (v6)              ALLOW       Anywhere (v6)
    10000/tcp (v6)             ALLOW       Anywhere (v6)
    53/udp (v6)                ALLOW       Anywhere (v6)
    3306/udp (v6)              ALLOW       Anywhere (v6)
    
    but after turning on the firewall I can't get into ftp under filezilla. I get the message "listing directories" and after 20s I get an error that it can't list directories. After turning off ufw I can log in to ftp normally and get the list of directories.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to configure the passive port range in pure-ftpd and in the firewall.
     
  6. Poliman

    Poliman Member

    Thanks Till. Seriously, I thought I should add ports 20 and 21 to the UDP line in the firewall in ISP. Where do I set up the port range in pure-ftpd? How should it look in the firewall in ISP?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. Poliman

    Poliman Member

    I would like to know why I have to set up a port range if I use ftp on one (default) port? And why exactly that range and not another?
    PS
    I also can't send emails using dovecot with these default ufw open tcp/udp ports.
     
    Last edited: Feb 15, 2017
  9. Jesse Norell

    Jesse Norell Well-Known Member

    The server listens on a default/well-known port for the control connection, but the ftp protocol uses other ports for data connections, which are specified in the control connection. Stateful firewalls and NATs have to see that control connection traffic in order to know what ports should be opened - if the control connection is encrypted (ftps), they can't see that.

    Any open/unused range above 1024 would work.

    dovecot is an imap/pop server, for receiving, not sending, email; sending would use postfix, typically on port 587. Is postfix listening on port 587? Can you connect to 587 from your client? If so, you should be able to submit email, at which point check the mail logs to see why it's not delivering.
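
Added example, not part of the original posts: the passive-mode data connection described above, checked against the rule list posted earlier in this thread. The reply strings, the 203.0.113.10 address and the 40110:40210 range are constructed assumptions; the thread only says that any unused range above 1024 works.

```python
import re

# Constructed sample: the first IPv4 rules from the `ufw status` output in this thread.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
"""
# Assumed passive range (not from the thread), written the way `ufw status` lists a range.
PASSIVE_RULE = "40110:40210/tcp            ALLOW       Anywhere\n"

def allowed_tcp_ranges(status_text):
    """Collect (low, high) TCP ports from IPv4 ALLOW lines; '(v6)' lines do not match."""
    ranges = []
    for line in status_text.splitlines():
        m = re.match(r"\s*(\d+)(?::(\d+))?/tcp\s+ALLOW\b", line)
        if m:
            low = int(m.group(1))
            ranges.append((low, int(m.group(2) or low)))
    return ranges

def passive_data_port(reply):
    """Return the data port announced in a 227 (PASV) or 229 (EPSV) control reply."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        return int(m.group(5)) * 256 + int(m.group(6))  # port = p1*256 + p2
    m = re.match(r"229 .*?\(\|\|\|(\d+)\|\)", reply)
    if m:
        return int(m.group(1))
    raise ValueError("not a passive-mode reply: %r" % reply)

def data_connection_allowed(reply, status_text):
    """True if the announced data port falls inside an allowed TCP rule."""
    port = passive_data_port(reply)
    return any(low <= port <= high for low, high in allowed_tcp_ranges(status_text))

if __name__ == "__main__":
    pasv = "227 Entering Passive Mode (203,0,113,10,156,200)"  # constructed reply
    print(passive_data_port(pasv))                              # announced data port
    print(data_connection_allowed(pasv, UFW_STATUS))            # rules as posted
    print(data_connection_allowed(pasv, UFW_STATUS + PASSIVE_RULE))  # range added
```

With only ports 20 and 21 open, the login on the control connection succeeds but the data connection for the directory listing is dropped, which matches the FileZilla timeout reported above.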
     
  10. Poliman

    Poliman Member

    When I turn off ufw in the ISP panel I have no problem with sending email. I didn't remove/add extra ports in ufw open tcp and open udp ports - it's the default config.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member

    Sounds like you need to add some ports there, then. I don't remember what the default config is, no ports are opened, or?
     
  12. Poliman

    Poliman Member

    Default config - ufw is disabled. :)
     
