How did Bastille-Firewall get onto my system, and how to remove it completely?

Discussion in 'Installation/Configuration' started by Nap, Mar 30, 2016.

  1. Nap

    Nap Member

    I am totally confused. In my endeavours to remove Bastille-Firewall, I've looked everywhere on the net and I see that Bastille development ceases in U12, yet I have it installed on my U14 server and it is the default firewall even though I have UFW selected in my ISPConfig panel. How did it get there?
    I did not install it manually, therefore it either came with the OS install or through ISPConfig.
    To determine where it came from, I just did a vanilla U14.04.3 install and only added openSSH. Bastille was not installed in the process. This leaves ISPConfig as the possible source. So I've searched through the ISPConfig source code, and can't find any references to an apt-get install command that actually installs it, and all the references to bastille pertain to managing port settings. I did find bastille-firewall.cfg.master, where a reference exists to a CVS repository but that is only in a comment. I've also checked my backed up dbispconfig data to see if it was loaded through a db record, but found nothing.

    How did Bastille get onto my system? What binary/source/meta package did it arrive in?

    I have disabled it using update-rc.d -f bastille-firewall remove but I could still use service bastille-firewall status. So I've moved the references to bastille that are in init.d out of that folder. However I still have bastille files in a bunch of other places on my system:
    ./sbin/bastille-netfilter.backup
    ./sbin/bastille-netfilter
    ./sbin/bastille-ipchains.backup
    ./sbin/bastille-ipchains
    ./etc/Bastille.backup
    ./etc/Bastille.backup/bastille-firewall.cfg_org
    ./etc/Bastille
    ./etc/Bastille/bastille-firewall.cfg_org
    ./etc/Bastille/bastille-firewall.cfg

    RevertBastille returns command not found.
    Manually deleting files with 'bastille' in their name/path is easy, but what other files came with the package?

    Can anyone help me with this please?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Bastille is the default Firewall of ISPConfig and is part of ISPConfig. Bastille is just a shell script to write iptables rules, so there is no further development needed in its scripts as long as the Linux kernel supports iptables. If you don't want to use it, simply install ispconfig in expert mode and choose UFW as firewall. If you installed ispconfig already, then all you have to do is to use insserv or update-rc.d to remove it from boot sequence.
     
  3. Nap

    Nap Member

    Thanks Till. I've got my server using UFW now.

    The reason for wanting to use UFW is because Squid3 was able to open a port on my server that Bastille could not close. See the Make SQUID invisible to unauthorised users thread.
    I set up Squid to only listen on localhost, however squid was able to open port 3128 even though I did not have that port allowed in ISPConfig. The consequence of this was that anyone who scanned my ports would see that I have squid installed, and browsing my site on that port would return a different error than a non-responsive port would.
    Now that I have UFW running, browsing my squid port returns the same error as any other invalid access.

    This behaviour could be attributed to the 'wrong' firewall being used. My ISPConfig had been set to UFW, but my server was actually using Bastille. All my port settings were being implemented, and I wasn't concerned about this until the Squid problem. Now it's fixed. The fact that Squid was able to open its own port and that Bastille was not able to prevent it leaves me less than impressed on their security concerns and capabilities.

    Cheers,
    Nap
     
    ahrasis likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that squid bound itself to IPv6 then as I don't see a way how Squid could get around iptables otherwise. Bastille is an IPv4 only firewall, if you use IPv4 and IPv6 on your server then UFW should be installed.

    So it was probably a config issue. Changing the firewall selector has no effect on the used firewall, it has just an effect on the firewall that gets configured by ispconfig. So by changing the selector to UFW you told ispconfig that you removed bastille and installed ufw instead and ispconfig put the rules in UFW. In fact, bastille was not removed before you installed UFW but bastille did not receive any config changes from ispconfig anymore due to the change of the selector to UFW.
     
    Nap likes this.
  5. Nap

    Nap Member

    Yes, you are right. It was IP6. (Though in my case, I've removed a bunch of things related to Bastille.)
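
The cause identified in this thread (Bastille writes only IPv4 iptables rules, so a service that also binds to IPv6 stays reachable) can be checked with the following added example, which is not part of the thread, ISPConfig or Bastille. The function names and sample data are constructed; it assumes the output formats of `ss -6 -tln` and `ip6tables -S INPUT` and looks only at the filter table's INPUT chain.

```shell
#!/bin/sh
# Added example: find TCP listeners reachable over IPv6 and check whether
# ip6tables filters INPUT at all.
# Live use, as root: audit_v6 "$(ss -6 -tln)" "$(ip6tables -S INPUT)"

# Reads `ss -6 -tln` output on stdin, prints non-loopback IPv6 listening ports.
v6_listeners() {
    awk '
    $1 == "LISTEN" {
        n = match($4, /:[0-9]+$/)           # port follows the last colon
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        sub(/%.*$/, "", addr)               # drop interface scope (%eth0)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)
        if (addr == "::1") next             # IPv6 loopback only
        if (addr ~ /^::ffff:/) next         # IPv4-mapped, covered by iptables
        print port                          # ::, * (dual-stack) or one address
    }' | sort -un
}

# $1 = ss output, $2 = `ip6tables -S INPUT` output.
# UNFILTERED: policy ACCEPT and no INPUT rules (the IPv4-only firewall case).
# REVIEW: some IPv6 filtering exists; confirm the port is meant to be open.
audit_v6() {
    ports=$(printf '%s\n' "$1" | v6_listeners)
    if printf '%s\n' "$2" | grep -q '^-P INPUT ACCEPT' &&
       ! printf '%s\n' "$2" | grep -q '^-A INPUT'; then
        verdict=UNFILTERED
    else
        verdict=REVIEW
    fi
    for p in $ports; do echo "$verdict $p"; done
}

# Constructed sample data: old (:::22) and new ([::]:3128, *:80) ss notations.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 128 [::]:3128 [::]:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:80 *:*'
RULES_EMPTY='-P INPUT ACCEPT'               # no IPv6 rules were ever written
RULES_UFW='-P INPUT DROP
-A INPUT -j ufw6-before-input'

audit_v6 "$SAMPLE_SS" "$RULES_EMPTY"
```

A port reported as UNFILTERED is answered over IPv6 regardless of what the IPv4 rule set says, which matches the behaviour seen on port 3128 in this thread.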
     
