Hi all. First off, I'm running Ubuntu 9.10 x64 with ISPC 3.0.2.1. I have always used Ubuntu's UFW firewall, for the easy interface, but recently I'm running into problems using it alongside ISPC's Bastille firewall. My UFW is always active, reporting that it's running as it should, BUT when Bastille is also active only the common ports (80, 21, etc.) are open. When I then issue the /etc/init.d/bastille-firewall stop command, my user-defined ports in UFW are once again open for business. The logical thing would just be to disable Bastille-firewall, and indeed that's what I did. BUT now the fun starts! When Bastille is stopped, and UFW is active, yes active, there is absolutely NO firewall enabled on the server. I have tested with another server from another IP, which is NOT listed as allow anywhere, and that computer has access to all ports.

Code: output of iptables -L:

root@xxxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (0 references)
target     prot opt source               destination

Chain ufw-after-input (0 references)
target     prot opt source               destination
RETURN     udp  --  anywhere             anywhere             udp dpt:netbios-ns
RETURN     udp  --  anywhere             anywhere             udp dpt:netbios-dgm
RETURN     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
RETURN     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
RETURN     udp  --  anywhere             anywhere             udp dpt:bootps
RETURN     udp  --  anywhere             anywhere             udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-input (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-output (0 references)
target     prot opt source               destination

Chain ufw-after-output (0 references)
target     prot opt source               destination

Chain ufw-before-forward (0 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-before-logging-input (0 references)
target     prot opt source               destination

Chain ufw-before-logging-output (0 references)
target     prot opt source               destination

Chain ufw-before-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (0 references)
target     prot opt source               destination

Chain ufw-reject-input (0 references)
target     prot opt source               destination

Chain ufw-reject-output (0 references)
target     prot opt source               destination

Chain ufw-track-input (0 references)
target     prot opt source               destination

Chain ufw-track-output (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8000
ACCEPT     udp  --  anywhere             anywhere             udp spt:8000
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8001
ACCEPT     udp  --  anywhere             anywhere             udp spt:8001
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

Can anyone please assist me with this? Having an open system is not great.

Best regards
Jim
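The output above shows why `ufw status` can report "active" while nothing is filtered: every ufw-* chain is listed with `(0 references)`, and INPUT, whose policy is ACCEPT, contains no rule that jumps into them, so the ACCEPT rules in ufw-user-input are never consulted. The script below is an added example, not code from the original post or from ISPConfig, UFW or Bastille: it parses an `iptables -L` dump, walks the jump targets from INPUT to find which chains a packet can actually reach, flags rule-bearing chains that nothing reaches, and resolves the service names that `iptables -L` prints (smtp, www, webcache) to port numbers. `SAMPLE` is a trimmed copy of the posted output, `KNOWN` is a constructed three-entry subset of /etc/services so the script runs offline, and `with_input_jump()` builds a constructed "working" variant in which INPUT does jump into ufw-before-input.

```python
"""Audit an `iptables -L` dump: which chains does INPUT really reach?"""
import re
import socket
import sys

# Constructed sample, trimmed from the output posted above: the ufw chains
# exist, but INPUT (policy ACCEPT) has no rule that jumps into them.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-before-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8000
"""
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")
KNOWN = {"smtp": 25, "www": 80, "webcache": 8080}   # constructed /etc/services subset


def parse(dump):
    """Return {chain: {"policy": str|None, "rules": [(target, match_text)]}}."""
    chains, cur = {}, None
    for line in dump.splitlines():
        line = line.rstrip()
        m = CHAIN_RE.match(line)
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif line and not line.startswith("target ") and cur is not None:
            parts = line.split(None, 5)       # target prot opt src dst [match...]
            cur["rules"].append((parts[0], parts[5] if len(parts) > 5 else ""))
    return chains


def reachable_from(chains, root):
    """Chains a packet entering `root` can be sent to, following jump targets."""
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        todo.extend(t for t, _ in chains[name]["rules"] if t in chains)
    return seen


def resolve_port(spec):
    """'dpt:www' -> ('dport', 80). iptables -L prints names unless -n is given."""
    kind, _, name = spec.partition(":")
    try:
        port = int(name) if name.isdigit() else KNOWN.get(name) or socket.getservbyname(name)
    except OSError:
        port = name                           # unknown name: keep it as printed
    return ("dport" if kind == "dpt" else "sport"), port


def audit(dump):
    """Summarise what really filters INPUT and which rule chains are dead weight."""
    chains = parse(dump)
    live = reachable_from(chains, "INPUT")
    dead = sorted(c for c, info in chains.items()
                  if c not in BUILTIN and c not in live and info["rules"])
    drops = any(t in ("DROP", "REJECT") for c in live for t, _ in chains[c]["rules"])
    accepted = [resolve_port(tok)
                for c in live for t, m in chains[c]["rules"] if t == "ACCEPT"
                for tok in m.split() if tok.startswith(("dpt:", "spt:"))]
    policy = chains["INPUT"]["policy"]
    return {"policy": policy, "live": sorted(live), "dead": dead,
            "filters_anything": drops or policy != "ACCEPT",
            "accepted": sorted(accepted, key=lambda p: (p[0], str(p[1]).zfill(5)))}


def with_input_jump(dump, chain, policy="DROP"):
    """Constructed 'healthy' variant: INPUT jumps into `chain` (what UFW normally installs)."""
    lines = dump.splitlines()
    i = lines.index("Chain INPUT (policy ACCEPT)")
    lines[i] = f"Chain INPUT (policy {policy})"
    lines.insert(i + 2, f"{chain}  all  --  anywhere             anywhere")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in audit(dump).items():
        print(f"{key}: {value}")
```

On a real box run it as `iptables -L | python3 ufw_audit.py` (a hypothetical file name). For the posted output it reports `filters_anything: False` with all three rule-bearing chains dead; the same result is what you get right after an `iptables --flush` on a box whose built-in policies are ACCEPT, which is why a flush should be followed immediately by restarting whichever firewall you intend to keep. Use `iptables -L -n` when you want numbers instead of names in the first place.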
You should never run more than one firewall at a time, so if you want to use ufw instead of bastille, make sure that you disabled bastille and restarted the server afterwards. Fail2ban interacts with iptables too. You should reconfigure fail2ban to use the route command instead of iptables: http://www.faqforge.com/linux/contr...ute-instead-of-iptables-to-block-connections/ If you installed your server as described in the perfect setup, then it does not make a big difference if you run a firewall or not, as your system runs only services that shall be accessible from outside anyway and no other services are listening on any ports.
Hi Till. Thanks for the swift reply. I've tried disabling Bastille, but every time I reboot, it comes back. Best regards Jim
Rebooting the server again seemed to have solved the problem, but it has solved it before, so I'm not sure the cause of the problem is solved. Is there any way I can "uninstall" or disable the Bastille Firewall? Thanks again.
I prefer to use Bastille with ISPConfig and removed and purged ufw, which I had installed prior to ISPConfig. Is it possible now to have a minimal clean set of rules? (My iptables -L output has strange rows.) Thanks.
run: iptables --flush to remove all rules, then restart fail2ban and the bastille firewall to get a clean iptables rule set.
/etc/init.d/bastille-firewall restart
ISPConfig is not a daemon, so there is no need to restart it (and it can't be restarted).
Port 8080 does not get added to the firewall; it is closed. How do I add port 8080 in Bastille firewall?
Hi Jesse, when I do (iptables -L) I get:
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:webcache
Port 8080 is used by something called (webcache); do you know what that is? I have CentOS 7.1 installed with OpenVZ containers on the server.
The name of port 8080 is webcache; the output of iptables shows ports with their names and not numbers. So what the line above means is that port 8080 is open.