Unexpected firewall behavior!

Discussion in 'Installation/Configuration' started by Keoz, Apr 25, 2020.

  1. Keoz

    Keoz Member


    Another technical representative of my hosting provider redirected me to an Ubuntu webpage (link below) from where I can get instructions to manage “iptables” and prevent the firewall from blocking necessary ports:

    He said that among many possible reasons why ports get “FILTERED” after ISPConfig installation could be the upgrade of ISPConfig to a new version…. Should I have this and the LE check box failure in mind if I eventually need to contact ISPConfig business support?

  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Cool. At Step 2 of that document you will run a command that shows what you have already pasted in this thread - ie. you have absolutely no firewall rules active except for a hook for fail2ban, and a default ACCEPT policy. Take that output back to this technical representative and show him that the problem is not the firewall in your server's OS.

    You do not have any firewall rules active. ISPConfig does not install a firewall upon installation nor upon upgrade. This "could be" a candidate for creating the issue if you don't look at your actual firewall rules, nor understand what happens when ISPConfig is installed, which seems to be the case with your provider's technical representatives. That is not the case with those helping you in this forum thread.

    The above link would not be needed, just explain what the problem is.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    No, this cannot happen due to installing a new ISPConfig version or by running an update. I mentioned earlier that I have doubts that this whole firewall thing is related to your initial issue with LE at all. Ask an experienced admin who also knows ISPConfig in detail to look at your server directly and let him just check why the LE cert cannot be created. Whether this is someone from ISPConfig support or someone else does not matter, but it should be an admin who knows ISPConfig, as I've got the feeling that the guys from OVH you talked to don't really know what this is all about and especially have no clue about ISPConfig or the setup behind it. @Jesse Norell, fail2ban came to my mind too and it's very likely that you are right, so getting back to the original issue and not talking about the firewall at all makes more sense.
  4. Keoz

    Keoz Member


    I agree with your opinion, Till, and I will follow up on your recommendations. For this purpose, how do I get in touch with an ISPConfig business support representative?

    However I also have to reply to some other forumers.

    Please find right hereafter a sample of the ISPConfig 3 automated installation that I processed, and as you can see it, a firewall installation (UFW) is included, although I was told the opposite here…!!!

    *** sample start ***
    Updating Freshclam Antivirus Database. Please Wait... ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
    ERROR: initialize: libfreshclam init failed.
    ERROR: Initialization error!
    ERROR: /var/log/clamav/freshclam.log is locked by another process

    Restarting ClamAV... [DONE]
    Installing DNS server (Bind)... [DONE]
    Installing Statistics (Vlogger, Webalizer and AWStats)... [DONE]
    Installing Intrusion protection (Fail2Ban)... [DONE]
    Installing Firewall (UFW)... [DONE]
    Restarting Fail2Ban... [DONE]
    Installing ISPConfig3...
    Create INI file
    *** sample end ***

    This should lead me to listen more closely to my hosting provider when he says that this firewall may filter ports 80, 443, and 8080….

    You may then understand that for a few days I have felt like a ball in a ping-pong game between forumers and hosting provider…! But thanks to Till, the situation is now about to evolve positively.

    I liked to use ISPConfig until now, and my wish is to continue and to explore it further….

  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. nhybgtvfr

    nhybgtvfr Active Member

    if you're referring to this:
    iptables and ufw are installed automatically as part of the OS installation, ufw is not enabled, and iptables will be using a default set of rules
    ufw is really only a front end to iptables, to make it easier to use. and if you check on a new clean server you'll find that it's not enabled, if you check again just after ispconfig had been installed, you'll find that it's still not enabled.
    it is enabled and working ONLY if you manually enable it, or if you create a firewall rule for that server in the ispconfig control panel.
    it cannot be used as an excuse for not being able to connect to a freshly installed machine, as your hosting provider appears to be doing.
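
The check the replies above rely on (a default ACCEPT policy and no rule that drops or rejects traffic) can be scripted. This is an added example, not part of any post in the thread; the function name `fw_verdict` and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample rule sets are constructed.

# What the thread describes: default ACCEPT policy plus a fail2ban hook.
SAMPLE_THREAD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN'

# Same host after fail2ban has banned one address (documentation range).
SAMPLE_BAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Reads `iptables -S` text on stdin. Exit 0: INPUT policy is ACCEPT and no
# rule in any chain drops or rejects; 1: a DROP/REJECT rule or a non-ACCEPT
# INPUT policy exists; 2: no INPUT policy line was seen.
fw_verdict() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT")) {
                    blocking++
                    print "blocking rule: " $0
                }
        }
        END {
            if (policy == "") { print "verdict: unknown"; exit 2 }
            if (policy != "ACCEPT") print "INPUT policy: " policy
            if (policy == "ACCEPT" && blocking == 0) {
                print "verdict: not filtering"; exit 0
            }
            print "verdict: filtering"; exit 1
        }'
}

# Live use (as root): iptables -S | fw_verdict
printf '%s\n' "$SAMPLE_THREAD" | fw_verdict
printf '%s\n' "$SAMPLE_BAN" | fw_verdict || true
```

The script only sees the server's own filter table, so a "not filtering" verdict while ports still look filtered from outside points at something other than the firewall in the server's OS.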
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sorry about that, it is of course not the position we want to put you in (nor your hosting provider, I'm sure).

    And another apology is in order, I completely missed that you were not using a normal ISPConfig installation, but apparently an autoinstaller from your hosting provider:
    It is entirely possible that their autoinstaller would enable a firewall upon installation, even though a normal installation does not. Your firewall rules which you posted earlier indicate this is not the case, but I'll have to retract my claim about your installation having the ability to set up a firewall. @nhybgtvfr is correct that installing ufw (as your installer indicates) does not equate to enabling a firewall. A normal installation per the Perfect Server guides also installs ufw.

    It does not, per the iptables rules you posted. As you were able to configure websites using the ISPConfig interface, you yourself have demonstrated that this does not happen by the very use of the server (unless you also have a non-standard way of accessing it via your hosting provider?).

    In any case, sorry to give you the run-around; as @till mentioned, the whole firewall/filtered ports issue seems to be a diversion from your actual issue. Your hosting provider is probably the best place to get help with the auto installer they provide; and of course business support from Florian should be quite helpful in logging in and working on things.
  9. Keoz

    Keoz Member


    I am happy to close this thread!

    I have reminded my hosting provider that during the very first days of use of this new VPS (as per testing new web apps), I received an email message from support to alert me that due to an attack, my VPS was put in mitigation…. Next I reinstalled the VPS without paying any more attention to this message, because I thought that the mitigation would end with the reinstallation. I have learned today that it was not the case (reason why I faced issues...), and my hosting provider has done what was necessary to process the mitigation ending. Since then, I reinstalled the VPS and ISPConfig, and all works fine now!

    In any case, thanks to all those that have attempted to help me!

    Last edited: May 1, 2020