I have a running production system and under [Server Config] -> [Firewall], it is pointing to "bastille". The "System" -> "Firewall" is empty in ISPConfig now. I already have a firewall set up manually by ufw. What exactly can I do to prevent ISPConfig from changing my firewall settings? I am afraid ISPConfig somehow will trigger the changes by "resync" or if I accidentally click "System" -> "Firewall". What will happen if I click save in "Server Config" now if I change the [Firewall] setting from "bastille" to "ufw"?
Nothing, because ISPConfig is not doing that anyway unless you add a firewall under System > Firewall in ISPConfig. Nothing will change unless you use ISPConfig firewall under system > Firewall.
It would be a help to have an option to disable the ISPConfig firewall control for those who know enough about security and want to self-manage that. Leave it on by default, but have a disable firewall tickbox (or a toggle on/off is better) option on the server configuration page, with a nice warning that you're responsible when the admin tries to disable the firewall. I'm also needing custom firewall rules and find the situation nerve-racking that ISPConfig could nuke my custom firewall rules. ... or maybe an ISPConfig custom firewall file that is applied after the ISPConfig rules are applied?
The firewall is off by default. So there is nothing that you must do if you want to manage the firewall yourself. Just do not add a server record under System > Firewall, that's all. Please read the posts of the thread before posting, as your question has been answered in #2 above already. This cannot happen with ISPConfig, as ISPConfig does not touch the firewall at all unless you explicitly do it yourself. The only way to make this happen is that you manually overwrite your custom firewall rules. ISPConfig on its own won't do that.
Just don't add your servers under System > Firewall as @till mentioned in post #2 and manage your firewalls yourself. Edit: @till was quicker with a response and told the same.
@remkoh I have no idea why people these days seemingly are not able to read posts anymore. They just read the headline and then add a new post with a complaint. While there is nothing to complain about, as the firewall is not even on by default, and even then, only a manual action of the administrator would override any rules.
Yeah, it's getting worse and worse by the day. Also I blame AI partly, as more and more people are trying to use AI to solve a problem without having any clue at all of what they're doing / what the AI is telling them, and making things worse before they come knocking here. Besides that, an admin is perfectly able to add his/her own custom rules next to ISPConfig's rules. I have several custom rules for vrrp / keepalived, for example, next to the rules that have been created in ISPConfig to open several tcp and udp ports.
Sorry, I misread this; attribute that to tired eyes. I did search the forum and read a half dozen posts, and this was the last I came to. I'm a detail-oriented person, meaning unless it's spelt out with a diagram and point-by-point instructions it may not register as exactly the same situation. I've always assumed the firewall was on by default, and there is no complaint. Having followed prior instructions, and so having added a firewall rule previously, I had forgotten that. I give suggestions a lot as I am continuous-improvement minded, but yes, I made the assumption. Context is king, and what one person writes does not always translate into what another person can comprehend, even for intelligent people. So I gather if I click the 'trash' icon for the firewall rule (that is already present in System --> Firewall), then nothing will happen and it's 100% manual mode from there on. I am a bit surprised the firewall is off by default, leaving a host potentially vulnerable.
Yes, it's then manual. Not sure what it will do to current ISPConfig rules. Maybe disable the firewall first to prevent a possible lockout.
Yes, AI is definitely a big part of the issue. AI is great if you know how to use it and how far you can trust it. In the forum, we had an issue in the past few days where a user claimed the autoinstaller was not working. However, in the end, I found out that he had manually installed various things upfront because the AI had instructed him to do so, rather than starting from an empty system as our installation guide recommends. Just following the official install guide then resulted in a working system right away. The problem with ISPConfig installations and AI is that some AIs mix classic manual installation and autoinstaller, which must fail, as you can't first manually install half of the system and then run the autoinstaller afterwards.
The default setup starts and configures only services that shall be publicly available and that are securely configured. If ports are not open, you don't have to close them with a firewall.
Note: Tested and confirmed in 3.3.0p3. When deleting the sole ISPConfig firewall rule, ISPConfig does make a change which has security implications for the host. My prior policy had the default INPUT chain policy action set to 'Drop'. Immediately after deleting the firewall rule, ISPConfig changed the default INPUT chain policy action to 'Accept'. Thus ISPConfig did make a change.

Prior to ISPConfig firewall rule removal:

Code:
Chain INPUT (policy DROP)

Immediately after ISPConfig firewall rule removal:

Code:
Chain INPUT (policy ACCEPT)

This change is not mentioned previously in this thread.
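A before/after check for the INPUT policy flip described in this post and for the custom rules (e.g. vrrp / keepalived) mentioned earlier in the thread, as an added example that is not from the thread or from ISPConfig; the snapshot contents, the SSH port and the VRRP protocol number are constructed placeholders:

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig: snapshot the
# iptables INPUT chain before touching System > Firewall and compare afterwards,
# so a policy flip from DROP to ACCEPT, or a lost custom rule (e.g. a VRRP
# allow), is detected instead of assumed.
# The snapshots below are constructed samples in `iptables -L INPUT -n` and
# `iptables -S` format; port and protocol values are placeholders.

# Print the INPUT chain policy (DROP/ACCEPT) from `iptables -L INPUT -n` on stdin.
input_policy() {
    sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p' | head -n 1
}

# Return 0 if the INPUT policy is DROP, 1 if ACCEPT, 2 if unreadable.
check_input_policy() {
    case "$(input_policy)" in
        DROP)   echo "ok: INPUT policy is DROP"; return 0 ;;
        ACCEPT) echo "WARNING: INPUT policy is ACCEPT; host is open unless rules block"; return 1 ;;
        *)      echo "WARNING: cannot read INPUT policy"; return 2 ;;
    esac
}

# Print every line of the first `iptables -S` snapshot that is missing from the second.
removed_rules() {
    printf '%s\n' "$1" | grep -vxF -e "$2" || true
}

# Constructed samples: before and after deleting the ISPConfig firewall record.
L_BEFORE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'
L_AFTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'
S_BEFORE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p 112 -j ACCEPT'
S_AFTER='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    iptables -L INPUT -n | check_input_policy     # real check on this host; needs root
else
    printf '%s\n' "$L_BEFORE" | check_input_policy
    printf '%s\n' "$L_AFTER"  | check_input_policy || true
    echo "rules removed by the change:"
    removed_rules "$S_BEFORE" "$S_AFTER"
fi
```

Run `iptables -S > before.txt` before the change and compare with `removed_rules "$(cat before.txt)" "$(iptables -S)"` afterwards; the sample run reports the policy line and the VRRP rule as removed.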
Of course it does, as you told ISPConfig to do so. It's the purpose of a control panel to do the actions that you, as an administrator, tell it. Or do you expect ISPConfig to malfunction and not remove and open the firewall when you tell it to remove and open the firewall? The thread clearly mentions NOT to enable the firewall and add a firewall record if you do not want to use it. So you did not follow the advice to NOT add a firewall record, then you removed it, which of course opened the firewall, as that's the purpose when you tell it to do so, and then reported here. And it is mentioned in post #4 btw. See the part of the sentence I marked in bold: Which you did. Or do you want to claim ISPConfig clicked on delete firewall on its own without you moving your cursor above the button and then clicking?