Changing Webmin/Usermin ports not synced with iptables

After using the Webmin configuration interface to move Webmin from 10000 to 10100 and Usermin from 20000 to 20100, these are the iptables rules (all of which were auto-managed by Webmin, I haven't added any of this myself):

1718  158K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:10000:10010
6376  631K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:10100:10110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000

The issues:

  • Webmin automatically added the new Webmin ports (10100-10110) to iptables: OK.

  • Webmin did not remove the old Webmin ports (10000-10010) from iptables: BAD.

  • Webmin did not add the new Usermin port (20100) to iptables: BAD.

  • Webmin did not remove the old Usermin port (20000) from iptables: BAD.

Status: Closed (fixed)
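An added audit check for the drift described in the report (example code written for this page, not Webmin's own and not from the thread): it expands every ACCEPT rule in `iptables -L INPUT -n -v` output into single ports and compares them with the ports the services are configured on, reporting rules left behind for old ports and configured ports that have no rule. The rule lines are a constructed sample copied from the report; the configured-port list is a placeholder, since on a live host it would come from the `port=` line of each service's miniserv.conf (assumed location, e.g. /etc/webmin/miniserv.conf and /etc/usermin/miniserv.conf).

```shell
#!/bin/sh
# Constructed sample: the four ACCEPT rules quoted in the report, in
# "iptables -L INPUT -n -v" layout (pkts bytes target prot opt in out src dst ...).
RULES='1718  158K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:10000:10010
6376  631K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:10100:10110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000'

# Ports the services listen on after the move (placeholder; a live host would
# read the port= line of /etc/webmin/miniserv.conf and /etc/usermin/miniserv.conf).
WANTED="10100 20100"

# Expand each ACCEPT rule's "dpt:N" or "dpts:A:B" match into one port per line.
accepted_ports() {
  printf '%s\n' "$1" | awk '
    $3 == "ACCEPT" {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/)  { split($i, p, ":"); print p[2] + 0 }
        if ($i ~ /^dpts:/) { split($i, p, ":"); for (n = p[2] + 0; n <= p[3] + 0; n++) print n }
      }
    }' | sort -n -u
}

# Ports the firewall still ACCEPTs although no configured service uses them
# (the old 10000-10010 range and 20000 in the report).
stale_ports() {
  for port in $(accepted_ports "$1"); do
    case " $2 " in *" $port "*) ;; *) printf '%s\n' "$port" ;; esac
  done
}

# Configured ports with no ACCEPT rule at all (the new Usermin port in the report).
missing_ports() {
  open=$(accepted_ports "$1" | tr '\n' ' ')
  for port in $2; do
    case " $open " in *" $port "*) ;; *) printf '%s\n' "$port" ;; esac
  done
}

printf 'stale ACCEPT rules for ports: %s\n' "$(stale_ports "$RULES" "$WANTED" | tr '\n' ' ')"
printf 'configured ports with no ACCEPT rule: %s\n' "$(missing_ports "$RULES" "$WANTED" | tr '\n' ' ')"
```

Against the sample it reports 10000-10010, 10101-10110 and 20000 as stale and 20100 as missing; on a real host, feed it `iptables -L INPUT -n -v` output instead of the sample and review the stale list by hand before removing anything, since a rule may be there on purpose.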

Comments

This inconsistency extends to other daemons. For instance, going into Servers: SSH Server: Networking and changing the SSH port still keeps the old iptables entry and doesn't add a new one.

It's not hard for you to make Webmin a bit smarter than that, so that it adds/deletes rules to keep it up-to-date as service ports are modified.

In general, Webmin doesn't automatically update firewall rules when you change daemon ports. In fact, this would be a bad idea as some admins prefer to keep servers like SSHd on a port that is blocked from some external addresses.

That is a very good point. I didn't think of the case when someone has more advanced rules for a certain port.

Maybe an "[x] Add to iptables" checkbox to the right of every Port/bind field in every Virtualmin/Webmin module? Which by default is off, and only adds rules, never deletes old rules?

Or maybe that's too much. At that point, users may as well manage the iptables themselves.

What really got me to write this report was that Webmin DID add its RPC ports to the firewall automatically. I guess that's only because most people don't even know about the existence of the RPC port range.

I guess you can close this as wontfix, because I pretty much agree with you now, that iptables shouldn't be managed by Webmin, or at least not unless a very smart updating system is created which avoids messing up clever, custom rules that people have created.

Submitted by tpnsolutions on Fri, 02/01/2013 - 02:09

Hi,

From what I've seen, when making a change to the Webmin port, the new port range is added to iptables automatically, however I am still required to remove the old port range manually.

-Peter

Yes, I think it doesn't make much sense to open up ports for other services. I only did it for Webmin to protect the user from locking himself out.

Yeah, the chosen behavior makes complete sense. I am closing this ticket.