I went to add 514 to my firewall for rsyslog and when I saved it - my whole server would not respond. logged in at console and did systemctl stop iptables.service and server was back! went into ispconfig, saved firewall back, did ./bastille-firewall restart - and again NOTHING. http dead, ssh dead. not sure why on earth suddenly it's unreachable. is there a log somewhere? I ran ./bastille-firewall restart and did a quick iptables -L and it produced:

----snip----
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (20 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (6 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imap
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:submission
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:imaps
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:pop3s
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:atmtcp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:webcache
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:ndmp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:atmtcp
PAROLE     tcp  --  anywhere             anywhere             tcp dpt:27017
PAROLE     tcp  --  anywhere             anywhere             tcp dpts:ndmps:50000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (6 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
----snip----

but as soon as I start it - system unreachable. ./bastille-firewall stop - system ok. what am I missing? don't see anything obviously wrong in the setup. thanks cdb.
one last question - I've got the server behind a peplink balance router that has a built-in (rather good) iptables-based firewall itself. in theory, I should not need ispconfig to maintain a software firewall, should I? only real risk would be an attack from inside my network since the firewall in the peplink should block things itself. (I forward all the relevant ports to the ispconfig server now and a few more going elsewhere.)
negatory on the above comment - of course if the firewall is turned off on the server - fail2ban/bandaemon etc. cannot block hacking attempts! so I really need to understand why turning on the bastille script makes the server unreachable!
FIREWALLHORROR out --- geez maybe this might be an issue. my public interface is em1 (..em4). and although I've been running ispconfig forever and did a perfectserver install and migrated it (migration-tool - excellent!) to a new box - all was working. BUT somehow I did something (or caused something to be done) to the bastille-firewall.cfg file and the PUBLIC_INTERFACES line had 'eth+ ... and others' - but it NEVER had 'em+'. adding 'em+' on this line and ./bastille-firewall restart - voila working firewall! I have NO idea how this worked without the em+ line.
sorry, PUBLIC_IFACES line.... and per Till's comment on another thread you have to copy /usr/local/ispconfig/server/conf/bastille-firewall.cfg.master to /usr/local/ispconfig/server/conf-custom/bastille-firewall.cfg.master then edit it there! firewall all happy again. restarted bandaemon for good measure, hopefully the fire is OUT!
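As an added example (not from the thread, and not part of ISPConfig or Bastille), here is a small POSIX sh check that reads the PUBLIC_IFACES patterns out of a bastille-firewall.cfg and reports which of the host's interfaces none of them cover, which is exactly what bit em1..em4 above when only eth+ was listed. The config text and the interface list are constructed samples; on a real host you would read the real file and the names under /sys/class/net.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig/Bastille: does the
# PUBLIC_IFACES line of bastille-firewall.cfg cover the host's real interfaces?
# Bastille/iptables interface patterns use a trailing '+' as a prefix wildcard,
# so 'eth+' matches eth0, eth1, ... but never em1.

# Constructed sample of the relevant config line (real files hold more settings).
SAMPLE_CFG='# bastille-firewall.cfg (constructed sample)
PUBLIC_IFACES="eth+ ppp+ slip+ venet+ bond+ wlan+"
INTERNAL_IFACES=""
'
# Print the value of PUBLIC_IFACES from config text on stdin, quotes stripped.
public_ifaces() {
    sed -n 's/^PUBLIC_IFACES="\(.*\)"$/\1/p'
}

# iface_matches IFACE PATTERN: succeed if PATTERN (optionally ending in '+') matches IFACE.
iface_matches() {
    case "$2" in
        *+) case "$1" in "${2%+}"*) return 0 ;; esac ;;
        *)  [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# uncovered_ifaces "IFACE LIST" "PATTERN LIST": print each interface (lo excepted)
# that no pattern matches, one per line; prints nothing when all are covered.
uncovered_ifaces() {
    for iface in $1; do
        [ "$iface" = lo ] && continue
        hit=0
        for pat in $2; do
            if iface_matches "$iface" "$pat"; then hit=1; break; fi
        done
        [ "$hit" -eq 0 ] && printf '%s\n' "$iface"
    done
    return 0
}

# Stand-alone run on the constructed sample and a constructed interface list.
# On a live host use the real file and: IFACES=$(ls /sys/class/net)
PATTERNS=$(printf '%s' "$SAMPLE_CFG" | public_ifaces)
IFACES="lo eth0 em1 em2"
MISSING=$(uncovered_ifaces "$IFACES" "$PATTERNS")
if [ -n "$MISSING" ]; then
    printf 'not covered by PUBLIC_IFACES: %s\n' "$MISSING"
else
    echo "all interfaces covered by PUBLIC_IFACES"
fi
```

For the sample this lists em1 and em2; adding 'em+' to the PUBLIC_IFACES line (in the conf-custom copy, as noted above) makes it report nothing.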