integrate with existing ufw firewall

Discussion in 'Installation/Configuration' started by Jesse Norell, Aug 9, 2016.

  1. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I added 2 nameservers to a 3.1 multiserver installation, and those servers already had ufw configured in them prior to installing ispconfig, with the simple rules below. I chose `Configure Firewall Server: y` during install, and the Server Config is set to ufw firewall, but any changes to firewall records for these servers do not propagate to the live firewall rules. Any pointers on how to get ispconfig's ufw rules to take over the locally configured rules?

    I did run server.sh in debug mode and it shows changes propagate to the database (port 1234 is test):

    Code:
    root@ns2:/etc/bind# /usr/local/ispconfig/server/server.sh
              
    09.08.2016-09:41 - DEBUG - Found 1 changes, starting update process.
    09.08.2016-09:41 - DEBUG - Replicated from master: REPLACE INTO `firewall` (`firewall_id`,`sys_userid`,`sys_groupid`,`sys_perm_user`,`sys_perm_group`,`sys_perm_other`,`server_id`,`tcp_port`,`udp_port`,`active`) VALUES ('11','1','1','riud','riud','','8','22,53,1234','53','y')
    09.08.2016-09:41 - DEBUG - Processed datalog_id 2624
    09.08.2016-09:41 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    But they don't show up in iptables or ufw status:

    Code:
    # ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    DNS                        ALLOW       Anywhere
    22                         ALLOW       Anywhere (v6)
    DNS (v6)                   ALLOW       Anywhere (v6)
    
    Code:
    # iptables -L -n -v | grep 1234
    #
    I don't know if having used the 'DNS' app name, rather than just port 53, throws it off?
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    you may find additional information in the system protocol
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check if the firewall_plugin.inc.php is enabled in /usr/local/ispconfig/server/plugins-enabled/
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Indeed it was/is not on these two servers. It seems inconsistent among the 5 ispconfig servers I have; what creates that symlink? I'm sure I did something wrong... but one thing that seems curious is at one time I had a combined ispconfig control panel + web server, I cloned that container and split the two functions and now one of the cloned containers has firewall_plugin.in.php enabled, while the other doesn't. I've done separate ispconfig_update.sh runs for each container of course, but I know for sure they both had the Firewall enabled on the initial install, as it was before cloning the container.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I just re-ran an update, chose to reconfigure selected services, and saying 'n' there doesn't remove the firewall plugin, nor does saying 'y' there add it. So no idea why those are inconsistent, but it's an easy clean/fix.
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    A note for any incorporating ispconfig with an existing ufw firewall, in a little testing it seems ispconfig can manage (add/remove) only ufw rules that have a port number and protocol set, so if your existing firewall uses the 'DNS' app profile, you cannot remove that, or if your existing rules allow just port '53' it likewise cannot be removed, for either case just remove the rule and add 53/tcp and 53/udp, and ispconfig will be able to manage those (though it doesn't read in the list of currently allowed ports).
     
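    As an added example (not from this thread and not ISPConfig's own code): a small POSIX shell check that parses `ufw status` output and flags the rule forms the post above says ISPConfig cannot manage, i.e. app profiles such as `DNS` and bare port numbers without a protocol. The status text embedded below is constructed for offline use; on a live host you would feed it the real `ufw status` output.

```shell
#!/bin/sh
# Added example, not part of ISPConfig. ISPConfig manages only ufw rules
# written as <port>/<proto>; app profiles ("DNS") and bare ports ("53")
# are left untouched, so this check lists them with a replacement command.

# Constructed sample of `ufw status` output (not captured from a real host).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
DNS                        ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
DNS (v6)                   ALLOW       Anywhere (v6)'

# Print one "<kind> <to>" line per IPv4 ALLOW rule, where kind is
# managed (port/proto), bare-port (digits only) or app-profile (a name).
classify_rules() {
    printf '%s\n' "$1" | awk '
        /^(To|--|Status)/ || NF == 0 { next }   # header and blank lines
        $2 != "ALLOW"                { next }   # only ALLOW rules matter here
        $0 ~ /\(v6\)$/               { next }   # v6 entries mirror the v4 ones
        $1 ~ "^[0-9]+/(tcp|udp)$"    { print "managed " $1; next }
        $1 ~ "^[0-9]+$"              { print "bare-port " $1; next }
                                     { print "app-profile " $1 }
    '
}

# Emit a ufw command line for every rule ISPConfig would not be able to manage.
suggest_fixes() {
    classify_rules "$1" | while read -r kind to; do
        case "$kind" in
            bare-port)
                echo "ufw delete allow $to; ufw allow $to/tcp  (add $to/udp as well if the service uses UDP)" ;;
            app-profile)
                echo "ufw delete allow $to; then add each of the profile's ports as <port>/tcp or <port>/udp" ;;
        esac
    done
}

# Stand-alone run on the constructed sample; on a real host use "$(ufw status)".
suggest_fixes "$SAMPLE_STATUS"
```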
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The firewall addon gets always enabled on "standard" installs. In expert mode, the installer asks if it shall be enabled or not. An update does not activate or deactivate modules.

    Regarding services names: Yes, that's possible, ispconfig has no list of service names with their corresponding ports, it uses only port numbers.
     