Issue with UFW and ISPConfig

Discussion in 'General' started by kbrown.it, Jun 22, 2016.

  1. kbrown.it

    kbrown.it New Member

    I am having an issue with UFW and ISPConfig. When I setup the server like the Perfect Server Howto for Debian (the only deviation from it is that I am using 3 servers; one for Web, DB, and Mail, the other two are DNS servers), I was able to create firewall rules for the server. I was troubleshooting an issue and disabled the firewall through ISPConfig. I confirmed it was disabled by running "ufw status", which returned inactive. When I was ready to enable the firewall I checked the box to make it active and now I can't access the server remotely. All the ports are blocked including SSH, ISPConfig web site, and any other ports that I had open. The only way I have found to fix the issue is to delete the firewall entry in ISPConfig, purge UFW from the system, clear out any chains in iptables left over, and open it wide up. Then I can reinstall UFW and setup the firewall rules in ISPConfig and it appears to set it up correctly (in that the ports are working). Any thoughts on why this is happening?

    iptables -L (similar on the other two servers, just less ports opened)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I haven't seen that yet but I'll try to reproduce it here on my test servers.
     
  3. kbrown.it

    kbrown.it New Member

    I am running Debian 8.5, ISPConfig 3.0.5.4p9, iptables v1.4.21, and ufw 0.33-2.
     
  4. julienl

    julienl New Member

    Any news ?
    I've the same error on a virtual machine (kvm on proxmox), the VM has Debian 8.5 & ISPConfig, both up to date.
    I've removed firewall rules, switched to ufw and activated the rules. and all port are blocked (apache, ssh…).
    If I run "ufw status" :
    Code:
    Status: active
    
    To                         Action      From
    --                         ------      ----
    20/tcp                     ALLOW       Anywhere
    21/tcp                     ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    25/tcp                     ALLOW       Anywhere
    53/tcp                     ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    110/tcp                    ALLOW       Anywhere
    143/tcp                    ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    587/tcp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    995/tcp                    ALLOW       Anywhere
    3306/tcp                   ALLOW       Anywhere
    8080/tcp                   ALLOW       Anywhere
    8081/tcp                   ALLOW       Anywhere
    10000/tcp                  ALLOW       Anywhere
    53/udp                     ALLOW       Anywhere
    3306/udp                   ALLOW       Anywhere
    20/tcp                     ALLOW       Anywhere (v6)
    21/tcp                     ALLOW       Anywhere (v6)
    22/tcp                     ALLOW       Anywhere (v6)
    25/tcp                     ALLOW       Anywhere (v6)
    53/tcp                     ALLOW       Anywhere (v6)
    80/tcp                     ALLOW       Anywhere (v6)
    110/tcp                    ALLOW       Anywhere (v6)
    143/tcp                    ALLOW       Anywhere (v6)
    443/tcp                    ALLOW       Anywhere (v6)
    587/tcp                    ALLOW       Anywhere (v6)
    993/tcp                    ALLOW       Anywhere (v6)
    995/tcp                    ALLOW       Anywhere (v6)
    3306/tcp                   ALLOW       Anywhere (v6)
    8080/tcp                   ALLOW       Anywhere (v6)
    8081/tcp                   ALLOW       Anywhere (v6)
    10000/tcp                  ALLOW       Anywhere (v6)
    53/udp                     ALLOW       Anywhere (v6)
    3306/udp                   ALLOW       Anywhere (v6)
    
    I must disable the firewall to have access to the server again.
     
  5. nanni85

    nanni85 New Member

    Same problem for me.....
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I tested UFW today in the current ISPConfig 3.1dev version and it works without issues.
     
  7. nanni85

    nanni85 New Member

    i tried with Debian 8.5 & Ubuntu 16.04 with ISPCONFIG 3.1RC1 & ISPCONFIG 3.1-dev with no success, ispconfig recognize UFW but when i set a rule from the web panel, the rules not applied...
     
    Last edited: Aug 18, 2016
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I just tested it today with 3.1dev and rules get properly applied in UFW, so there is no problem in the ispconfig code. Maybe you missed to enable the firewall during installation? Check in /usr/local/ispconfig/server/plugins-enabled/ if the firewall plugin is enabled there.

    Here is the debug output from today which shows that UFW rules get applied properly:

    Code:
    18.08.2016-07:09 - DEBUG - Calling function 'insert' from plugin 'firewall_plugin' raised by event 'firewall_insert'.
    18.08.2016-07:09 - DEBUG - ufw allow 20/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 21/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 22/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 25/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 53/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 80/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 110/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 143/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 443/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 587/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 993/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 995/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 3306/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 8080/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 8081/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 10000/tcp
    18.08.2016-07:09 - DEBUG - ufw allow 53/udp
    18.08.2016-07:09 - DEBUG - ufw allow 3306/udp
    18.08.2016-07:09 - DEBUG - Starting the firewall
    18.08.2016-07:09 - DEBUG - Processed datalog_id 527
    
     
  9. nanni85

    nanni85 New Member

    hello, i have tried another time the installation:
    # ufw status
    Status: active
    # php -q install.php
    . . .
    Configuring Ubuntu Firewall
    . . .
    Restarting services ...
    Installation completed.
    # ufw status
    Status: active

    no firewall plugin in /usr/local/ispconfig/server/plugins-enabled
    no work...
     
  10. nanni85

    nanni85 New Member

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I've tested this on Debian 8 and Ubuntu 16.04 with the UFW versions that ship with that OS at the moment.
     
  12. nanni85

    nanni85 New Member

    ok, i think the problem are in permission of UFW folder, if i try to change 777 ispconfig upgrade ufw.conf, user.rules user6.rules and enable ufw.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPconfig runs the ufw command as root user to add and remove ports, it does not touch ufw.conf or any other ufw config file directly.
     
  14. nanni85

    nanni85 New Member

    problem solved!
    i followed this step:
    create a symlink of firewall plugin from plugin-avaible to /usr/local/ispconfig/server/plugins-enabled
    go to web page on firewall settings and enable firewall, i need to remove ALL default rules with only one rule (for example i add only a 22tcp port), and save configuration.
    Then after this disabled ufw from shell and edit the firewall configuration from ispconfig web interface, i add all port 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000 tcp and 53 udp and saved configuration.
    the file user.rules and user6.rules correct update with new settings.
    after this re enable firewall from shell: ufw enable
    all works now.
    i dont know why the installer dont add the firewall plugin on plugin enabled (in the two installation debian and ubuntu, ufw was installed).
     
  15. ustoopia

    ustoopia Member

    Thanks. This workaround worked for me and it's how I got it running on ubuntu 15.10 ISPConfig 3.1
     
  16. sunghost

    sunghost Member

    Hello,
    i want today open a port and got the same problems. The port wont opened. But to be sure i want to ask if thats the same problem for ufw like yours. the status says inactiv, in panel firwall is active und defaults ports are open - right? so is that the same behavior as yours and the correct way is as nanni85 described?
     
    Last edited: Sep 9, 2016
  17. cat1510

    cat1510 New Member

    I got same error. Firewall_plugin link isn't created during installation.
    Worked with Ubuntu 16.04.1 LTS - ufw 0.35 - Perfect Server Howto

    For others as reference: If the firewall service is not activated on one of your machines do the following:
    1. Install ufw firewall
    2. enable ufw firewall (ufw enable)
    # cd /usr/local/ispconfig/server/plugins-enabled/
    # ln -s /usr/local/ispconfig/server/plugins-available/firewall_plugin.inc.php ./firewall_plugin.inc.php
    4. create firewall record for server in ispconifg (or remove and create a new one if already existing)
    5. check on "new" server if everything is fine:
    ufw status


    Thanks Till keep up ur excellent work! The new interface is really smart. On tablets too. :)
     
  18. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    @cat1510, what 3.1 code did you install, git-stable, 3.1rc2, or something older? There have been enough people having this problem (missing firewall_plugin.inc.php symlink) that I imagine there is some scenario that's not caught by the installer. Maybe not having ufw when running ispconfig installer, and adding it later is the problem (ie. maybe the updater doesn't catch that ufw is available and creates the symlink). For sure if you say 'yes' to enable the firewall service, you don't want it silently running without a firewall.
     
  19. cat1510

    cat1510 New Member

  20. Today I installed the stable ISPConfig 3 (which happened to be 3.1) on a fresh Debian 8.6 install. After everything was configured I noted the iptables output was not correct - fail2ban rules were listed but nothing else.

    As others have reported here I found there was not a symlink to firewall_plugin.inc.php. Should there also be a symlink to iptables_plugin.inc.php?

    I linked firewall_plugin.inc.php and then recreated my firewall rule to find myself locked out. Not sure what happened and not much useful was output to ispconfig debug log.
     
    Last edited: Oct 8, 2016

Share This Page