My server has UFW and Bastille installed, and I would like to use UFW, and have my ISPConfig Service Config -> Firewall set to UFW. I only use ISPConfig to update my firewall settings; however, none of my firewall rules exist in the /etc/ufw/after.rules or /etc/ufw/after6.rules files. All my rules are in Bastille/bastille-firewall.cfg. Has anyone else seen this problem? How can I fix it without exposing my server to risk? Is it as simple as changing the setting in ISPConfig? Cheers, Nap
I haven't tested this, but I would recommend disabling the firewall or deleting the whole firewall record, then changing the switch and enabling it again.
I have finally managed to remove Bastille (Louis XVI would be envious) and have UFW installed. Here is a link to instructions on removing Bastille. When first booted, I had the firewall on, but with no rules (I deleted all the rules after removing Bastille). The ISPConfig rules were not applied and I was confused. So I added a few rules manually to the INPUT chain using iptables and saved them using invoke-rc.d iptables-persistent save ... and rebooted, only to find that my rules were gone.

To cut a long story short, I've worked out now that manually added rules need to be placed in the PUB_IN chain. So I have added a minimum set (DNS, SSH, ISPConfig port) to this group and they have been persistent throughout my endeavours to get the rest working.

In /etc/network/if-pre-up.d, I have a script containing:

Code:
#!/bin/sh
/sbin/iptables-restore < /root/firewall_rules.txt

which loads the iptables for me.

On startup, I noticed that there is a sizable delay before iptables are loaded from the if-pre-up.d script. I noticed this by simply typing iptables -L immediately when the prompt was shown, and the response was an empty ruleset with the default ACCEPT policy for the 3 default chains. To fix this, I used the Ubuntu IptablesHowTo guide to speed up the loading process by loading iptables from the /etc/network/interfaces file.

Now my iptables are loaded with my rules (defaults don't appear at all), but after about 30 seconds the rules I saved using invoke-rc.d iptables-persistent save overwrite my rules. And then it stays this way until I use ufw enable. To get the rules I've set up in my ISPConfig panel to load, I need to type ufw enable into the console each time I reboot.

There are two problems:
1) How/what causes the rules to be overwritten (after the initial load from the /etc/network/interfaces file)?
2) How can I get ufw enable activated ASAP after bootup? (And can the "Command may disrupt existing ssh connections. Proceed with operation (y|n)?" prompt be silenced?)

Cheers, Nap

PS: Once I get the rules auto-load working on this test server, I will convert my other test server before I try this on my live server... lol
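As an added illustration of the restore-from-file approach the post above describes (this is example code written for this page, not the poster's script or anything shipped by ISPConfig or ufw): a POSIX sh script that writes the minimal ruleset the post mentions (DNS, SSH, ISPConfig port) in iptables-restore format, keeps the user rules in a PUB_IN chain as the post found necessary, and loads the file only after a static sanity check and an `iptables-restore --test` parse-only pass, so a missing or broken file leaves the currently loaded rules in place instead of silently producing an empty ACCEPT-all table. The port values 22 and 8080 are constructed defaults (8080 is assumed to be the ISPConfig panel port); the path /root/firewall_rules.txt is the one from the post.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the minimal ruleset the post
# describes (DNS, SSH, ISPConfig panel port) in iptables-restore format, with the
# user rules in a PUB_IN chain, and loads it only after the file has been checked
# and parsed. Ports 22 and 8080 are constructed defaults; the file path matches
# the post.

# write_ruleset FILE [SSH_PORT] [ISPCONFIG_PORT]: write the ruleset file.
write_ruleset() {
    file=$1
    ssh_port=${2:-22}
    isp_port=${3:-8080}   # assumed ISPConfig panel port
    cat > "$file" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUB_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j PUB_IN
-A PUB_IN -p udp --dport 53 -j ACCEPT
-A PUB_IN -p tcp --dport 53 -j ACCEPT
-A PUB_IN -p tcp --dport $ssh_port -j ACCEPT
-A PUB_IN -p tcp --dport $isp_port -j ACCEPT
-A PUB_IN -j DROP
COMMIT
EOF
}

# accepted_ports FILE: list the destination ports PUB_IN accepts, space separated.
accepted_ports() {
    awk '$2 == "PUB_IN" && $NF == "ACCEPT" {
             for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i+1)
         }' "$1" | sed 's/ $//'
}

# check_ruleset FILE: static sanity checks that need no root: the table is
# committed, INPUT defaults to DROP, INPUT hands off to PUB_IN, and no port
# rule was added directly to INPUT (the post found those do not persist).
check_ruleset() {
    file=$1
    grep -q '^COMMIT$' "$file" || return 1
    grep -q '^:INPUT DROP' "$file" || return 1
    grep -q '^-A INPUT -j PUB_IN$' "$file" || return 1
    ! grep -q '^-A INPUT .*--dport' "$file"
}

# load_ruleset FILE: apply the file. On a missing, failing or unparsable file
# the currently loaded kernel ruleset is left untouched and the function
# returns non-zero, so a boot-time caller can log the failure.
load_ruleset() {
    file=$1
    [ -r "$file" ] || { echo "load_ruleset: $file missing" >&2; return 1; }
    check_ruleset "$file" || { echo "load_ruleset: $file failed checks" >&2; return 1; }
    iptables-restore --test < "$file" || { echo "load_ruleset: parse error" >&2; return 1; }
    iptables-restore < "$file"
}

# Intended use from an /etc/network/if-pre-up.d script run as root:
#   load_ruleset /root/firewall_rules.txt
```

Two notes on the design: the checks run before anything touches the kernel, so a half-written file cannot replace a working ruleset, and the final `-A PUB_IN -j DROP` plus the `INPUT DROP` policy mean the box fails closed rather than open if a later rule is missing. On the second question in the post, ufw's `--force` option (`ufw --force enable`) answers the "may disrupt existing ssh connections" confirmation for you, which is what a non-interactive boot script needs.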