UFW used by ISP but disabled

Discussion in 'Installation/Configuration' started by Poliman, Feb 9, 2017.

  1. Poliman

    Poliman Member

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's just the firewall type selector, it does not indicate if you have an active firewall. Did you setup a firewall under System > Firewall ?
     
  3. Poliman

    Poliman Member

    Thank You for answer. I haven't anything in System -> Firewall. After click "Add firewall record" I see two inputs with allowed/opened tcp and udp ports and active checkbox. Does it enable the ufw firewall? I only saw adding some rules in console like ex.
    sudo ufw enable
    sudo ufw allow 22
    sudo ufw allow proto tcp from 192.168.0.2 to any port 22
     
  4. Poliman

    Poliman Member

    I added default record for firewall under ISP, ufw was enabled, ufw status output:
    Code:
    Status: active
    
    To                         Action      From
    --                         ------      ----
    20/tcp                     ALLOW       Anywhere
    21/tcp                     ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    25/tcp                     ALLOW       Anywhere
    53/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    110/tcp                    ALLOW       Anywhere
    143/tcp                    ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    587/tcp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    995/tcp                    ALLOW       Anywhere
    3306/tcp                   ALLOW       Anywhere
    8080/tcp                   ALLOW       Anywhere
    8081/tcp                   ALLOW       Anywhere
    10000/tcp                  ALLOW       Anywhere
    53/udp                     ALLOW       Anywhere
    3306/udp                   ALLOW       Anywhere
    20/tcp (v6)                ALLOW       Anywhere (v6)
    21/tcp (v6)                ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)
    25/tcp (v6)                ALLOW       Anywhere (v6)
    53/tcp (v6)                ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    110/tcp (v6)               ALLOW       Anywhere (v6)
    143/tcp (v6)               ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)
    587/tcp (v6)               ALLOW       Anywhere (v6)
    993/tcp (v6)               ALLOW       Anywhere (v6)
    995/tcp (v6)               ALLOW       Anywhere (v6)
    3306/tcp (v6)              ALLOW       Anywhere (v6)
    8080/tcp (v6)              ALLOW       Anywhere (v6)
    8081/tcp (v6)              ALLOW       Anywhere (v6)
    10000/tcp (v6)             ALLOW       Anywhere (v6)
    53/udp (v6)                ALLOW       Anywhere (v6)
    3306/udp (v6)              ALLOW       Anywhere (v6)
    
    but after turn on firewall I can't get into ftp under filezilla. I have message "listing directories" and after 20s I got error that it can't listing directories. After turn off ufw I can normally log in to ftp and get list of directories.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to configure the passive port range in pure-ftpd and in the firewall.
     
  6. Poliman

    Poliman Member

    Thank Till. Seriosly I thought I should add ports 20 and 21 to UDP line in firewall in ISP. Where setup port range in pure-ftpd? How it should looks in firewall in ISP?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. Poliman

    Poliman Member

    I would like to know why I have to setup port range if I use ftp on one (default) port? And why exactly that range not another?
    PS
    I can't send emails too using dovecot with these default ufw open tcp/udp ports.
     
    Last edited: Feb 15, 2017
  9. Jesse Norell

    Jesse Norell Well-Known Member

    The server listens on a default/well-known port for the control connect, but ftp protocol uses other ports for data connections, which are specified in the control connection. Stateful firewalls and nats have to see that control connection traffic in order to know what ports should be opened - if the control connection is encrypted (ftps), they can't see that.

    Any open/unused range above 1024 would work.

    dovecot is an imap/pop server, for receiving, not sending, email; sending would use postfix, typically on port 587. Is postfix listening on port 587? can you connect to 587 from your client? if so you should be able to submit email, at which point check mail logs to see why it's not delivering.
     
  10. Poliman

    Poliman Member

    When I turn off ufw in ISP panel I haven't problem with sending email. I don't remove/add extra ports in ufw open tcp and open udp ports - it's default config.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member

    Sounds like you need to add some ports there, then. I don't remember what the default config is, no ports are opened, or ?
     
  12. Poliman

    Poliman Member

    Default config - ufw is disabled. :)
     
  13. Paul Crown

    Paul Crown New Member

    I normally can find what I need without having to ask. So, I don't know whether to take over this thread or start new.
    I'm on ISPConfig3 + Postfix + Dovecot. Just like the op above, ufw is enabled and the relative ports are open.
    With an email client sending directly through this server, I can send out to anyone. (And, can receive email from anyone else sending through this server). But, with ufw enabled other mail hosts can't send email to this server. I have tried to follow iptables and compared the diff between ufw enabled vs disabled, and I am stumped.
    Code:
    iptables -L # with ufw enabled: http://paste.ubuntu.com/24457693/
    iptables -L # with ufw disabled: http://paste.ubuntu.com/24457695/
    I recognize this is not a ISPConfig problem; I am sure it is something simple with ufw, but it alludes me. This is where I get all my other answers from, so I am hoping you can shed some light for me.
    Thanks.
     
  14. Jesse Norell

    Jesse Norell Well-Known Member

    You allow "submission" (port 587), but not "smtp" (port 25), which is what mail servers send on. Allow port 25 and you should be good.
     
    ahrasis likes this.
  15. Paul Crown

    Paul Crown New Member

    Thanks, I did not realize that other servers would still be looking to port 25, but that makes sense. I have now opened port 25/tcp and all works. Thanks again.
     

Share This Page