Hi All, I've been running a server with virtualmin installed for a good while now with very few issues.
I'm running CentOS 7 64 bit.
I'm just making sure I'm secure really so have a question.
When I check out Networking -> Linux Firewall, I get taken to a screen that says "No iptables bootup action was found, indicating that the IPtables package is not installed on your system".
If I choose FirewallD, it says: Failed to list zones : FirewallD is not running
Can I ask for advice on what is the best thing I can do to secure the server as much as possible?
Thanks in advance, Craig
So, you've got a couple of obvious options. One would be to set up iptables (more flexible and, I think, more useful on servers, but also more complicated), the other would be to start firewalld. Webmin has a module for either; there's also a CSF module for Webmin, but that may be overkill for your needs. I usually use iptables, because I know it really well, and it is flexible and powerful enough for everything I need.
Firewalld is the new management service used, by default, in CentOS 7 and recent versions of Fedora. It is integrated with systemd, which allows it to dynamically apply rules based on what's running, and the network your system is connected to (e.g. if you have a wired network at work and a wifi network at home, the firewall can act differently in either case). But, for servers, the additional features are pretty much extraneous and may even get in the way. For a server, you mostly just want to say, "Open these ports, and leave them open forever, because I have services running on them."
I'm surprised firewalld isn't already running; I thought it was on by default on a CentOS 7 system. The fact that it's not running might mean it didn't get new rules added when Virtualmin was installed. Our installation detects which firewall you have (whether iptables or firewalld on CentOS) and inserts the rules it needs for all of the services it manages. You can, of course, customize those rules at any time in the Linux Firewall or Firewalld module.
Here's a good post about iptables on CentOS 7, if you want to go with iptables:
http://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-ce...
If you want to use firewalld, just restart the firewalld service. Webmin should then let you edit the rules normally.
Anyway, when turning on a firewall for the first time, you should make sure it's not going to lock you out; at the very least, make sure the starting rules are going to allow you to login via ssh, so you can fix it if anything goes wrong. ;-)
--
Check out the forum guidelines!
Hi Joe, Thanks for the reply! I think I'll go down the FirewallD route.
So I can easily enable this I think by using systemctl enable firewalld and systemctl start firewalld, however, I'm a bit bothered about your last paragraph about locking myself out! How can I prevent that?
I've altered the default webmin port so do I need to add this somewhere?
Thanks very much, Craig
You can use the firewall-offline-cmd to work with firewalld rules when the service is not running. I'm pretty confident port 22 (ssh) is open, no matter what, in a default configuration, so that's probably not a big fear...but, just in case.
https://twoerner.fedorapeople.org/firewalld/doc/firewall-offline-cmd.html
You could also just start the service without enabling it. Then, if you got locked out, you could have your server rebooted and get back in with the firewall not running again, presumably.
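A concrete version of the two pieces of advice above (pre-seed the rules with firewall-offline-cmd while the service is stopped, then start firewalld without enabling it), as an added example that is not part of the thread and not Virtualmin's own code. It assumes the custom Webmin port is TCP 12345 (a placeholder; set WEBMIN_PORT to your real one), that the sites are served on plain http/https, and that the default zone is "public". By default it only prints the commands (DRY_RUN=1) so you can review them before running with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example: open ssh, the custom Webmin port and http/https in firewalld
# BEFORE the first start, so starting the firewall cannot lock you out or
# black-hole the hosted sites. Nothing here comes from the original thread.

WEBMIN_PORT="${WEBMIN_PORT:-12345}"   # assumption: placeholder for the moved Webmin port
ZONE="${ZONE:-public}"                # assumption: CentOS 7 default zone
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only, 0 = execute them

# run: echo the command in dry-run mode, otherwise execute it verbatim
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# offline_rules: write the permanent rules while firewalld is stopped.
# firewall-offline-cmd edits the on-disk zone files, which firewalld loads at start.
offline_rules() {
    # ssh first: this is the rule that keeps a remote admin from being locked out
    run firewall-offline-cmd --zone="$ZONE" --add-service=ssh
    # Webmin on its non-default port (a port, not a named service)
    run firewall-offline-cmd --zone="$ZONE" --add-port="${WEBMIN_PORT}/tcp"
    # the hosted web sites, so they do not start timing out once the firewall is up
    run firewall-offline-cmd --zone="$ZONE" --add-service=http
    run firewall-offline-cmd --zone="$ZONE" --add-service=https
}

# start_only: start the service WITHOUT enabling it at boot. If something is
# still wrong, a reboot from the hosting panel brings the box back unfiltered.
start_only() {
    run systemctl start firewalld
    # verify the one rule you cannot afford to miss, then show the whole zone
    run firewall-cmd --zone="$ZONE" --query-service=ssh
    run firewall-cmd --zone="$ZONE" --list-all
}

# count_rule_cmds: how many firewall-offline-cmd invocations offline_rules produces
count_rule_cmds() {
    DRY_RUN=1 offline_rules | grep -c '^firewall-offline-cmd'
}

offline_rules
start_only
```

Once you have confirmed you can still reach ssh, Webmin and the sites with the firewall running, `systemctl enable firewalld` makes it persist across reboots. Any extra service Virtualmin manages (smtp, imaps, dns, ...) is added the same way with another --add-service line before the first start.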
You may have a look at this as well: https://www.virtualmin.com/comment/759610#comment-759610 ... I mean you can apply a few steps from that list as prevention ;)
Configuring/troubleshooting Debian servers is always great fun
Hi there, I enabled firewalld, but it stopped all websites from working; they just timed out. I presume I have to make some configuration through Webmin, but even this started to time out.
For now, I've had to disable it.
Any tips? Thanks, Craig