ISPConfig Server Config says UFW, but Bastille is actually in use.

Discussion in 'Installation/Configuration' started by Nap, Feb 24, 2016.

  1. Nap

    Nap Member

    My server has UFW and Bastille installed, and I would like to use UFW, and have my ISPConfig Service Config -> Firewall set to UFW.
    I only use ISPConfig to update my firewall settings, however, none of my firewall rules exist in the /etc/ufw/after.rules or /etc/ufw/after6.rules files. All my rules are in Bastille/bastille-firewall.cfg.

    Has anyone else seen this problem? How can I fix it without exposing my server to risk?
    Is it as simple as changing the setting in ISPConfig?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I haven't tested this, but I would recommend disabling the firewall or deleting the whole firewall record, then changing the switch and enabling it again.

  3. Nap

    Nap Member

    I have finally managed to remove Bastille (Louis XVI would be envious) and have UFW installed. Here is a link to instructions on removing Bastille.

    When first booted, I had the firewall on, but with no rules (I deleted all the rules after removing Bastille). The ISPConfig rules were not applied and I was confused.
    So I added a few rules manually to the INPUT chain using iptables and saved them using invoke-rc.d iptables-persistent save ... and rebooted only to find that my rules were gone.
    To cut a long story short....
    I've worked out now that manually added rules need to be placed in the PUB_IN chain. So I have added a minimum set (DNS, SSH, ISPConfig port) to this group and they have been persistent throughout my endeavours to get the rest working.
    In /etc/network/if-pre-up.d, I have a script containing
    /sbin/iptables-restore < /root/firewall_rules.txt
    which loads the iptables for me.

    On startup, I noticed that there is a sizable delay before iptables are loaded from the if-pre-up.d script. I noticed this by simply typing iptables -L immediately when the prompt was shown and the response was an empty ruleset with default ACCEPT policy for the 3 default chains. To fix this, I used the Ubuntu IptablesHowTo guide to speed up the loading process by loading iptables from the /etc/network/interfaces file.

    Now my iptables are loaded with my rules (defaults don't appear at all) but after about 30 seconds, the rules I saved using invoke-rc.d iptables-persistent save overwrite my rules. And then it stays this way until I use ufw enable.

    To get the rules I've set up in my ISPConfig panel to load, I need to type ufw enable into the console each time I reboot.

    There are two problems:
    1) How/what causes the rules to be overwritten (after the initial load from the /etc/network/interfaces file)?
    2) How can I get ufw enable activated ASAP after bootup? (And can the "Command may disrupt existing ssh connections. Proceed with operation (y|n)?" prompt be silenced?)


    PS.. Once I get the rules auto-load working on this test server, I will convert my other test server before I try this on my live server... lol
    Last edited: Mar 4, 2016
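The post above restores a saved ruleset with iptables-restore and relies on manually added rules living in the PUB_IN chain. The script below is an added example, not code from the thread or from ISPConfig: it checks a saved iptables dump (such as the /root/firewall_rules.txt file mentioned above) for the PUB_IN chain and for the minimum DNS/SSH/ISPConfig ACCEPT rules before the file is trusted across a reboot. The dump is a constructed sample in iptables-save format, the interface name eth0 and the ISPConfig panel port 8080 are assumptions, and the required port list is meant to be edited to match the real server.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a saved iptables ruleset
# declares the PUB_IN chain and carries a minimum set of ACCEPT rules.
# Port numbers and the interface name are assumptions, not taken from the thread.

# Constructed sample of iptables-save output, standing in for /root/firewall_rules.txt.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PUB_IN - [0:0]
-A INPUT -i eth0 -j PUB_IN
-A PUB_IN -p udp --dport 53 -j ACCEPT
-A PUB_IN -p tcp --dport 53 -j ACCEPT
-A PUB_IN -p tcp --dport 22 -j ACCEPT
-A PUB_IN -p tcp --dport 8080 -j ACCEPT
-A PUB_IN -j DROP
COMMIT'

# Minimum rules expected in PUB_IN: DNS (udp/tcp 53), SSH (22),
# ISPConfig panel (8080 is an assumed default; adjust to the real port).
REQUIRED_RULES='udp:53 tcp:53 tcp:22 tcp:8080'

# has_pub_in_chain RULES -> exit 0 if the PUB_IN chain is declared in the dump
has_pub_in_chain() {
    printf '%s\n' "$1" | grep -q '^:PUB_IN '
}

# rule_accepts RULES PROTO PORT -> exit 0 if PUB_IN has an ACCEPT rule for PROTO/PORT
rule_accepts() {
    printf '%s\n' "$1" | grep -q -- "^-A PUB_IN -p $2 --dport $3 -j ACCEPT\$"
}

# missing_rules RULES -> prints each required proto:port pair that is absent and
# returns the number of missing rules (0 means the minimum set is present)
missing_rules() {
    rules=$1
    missing=0
    for spec in $REQUIRED_RULES; do
        proto=${spec%%:*}
        port=${spec##*:}
        if ! rule_accepts "$rules" "$proto" "$port"; then
            printf 'missing: -A PUB_IN -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_ruleset FILE_OR_TEXT -> reads the dump from a readable file, otherwise treats
# the argument as the dump text; returns 2 if PUB_IN is absent, else the missing count
check_ruleset() {
    if [ -r "$1" ]; then
        rules=$(cat "$1")
    else
        rules=$1
    fi
    if ! has_pub_in_chain "$rules"; then
        echo 'PUB_IN chain not declared; per the thread, rules added to INPUT do not persist' >&2
        return 2
    fi
    missing_rules "$rules"
}

# Usage: sh check_rules.sh /root/firewall_rules.txt   (falls back to the sample)
if [ "${1:-}" ]; then
    check_ruleset "$1"
else
    check_ruleset "$SAMPLE_RULES" && echo 'minimum PUB_IN rules present'
fi
```

Run it against the real dump before rebooting; a non-zero exit means a rule you expect to survive is not in PUB_IN. On the prompt from question 2, ufw accepts a `--force` option (for example `ufw --force enable`) that skips the "may disrupt existing ssh connections" confirmation, which matters when the command is run from a boot script with no terminal to answer it.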
