CSF and IP Tables missing module

Hi. I have been getting my Config Server Firewall disabling itself quite often recently (every day or so). It did this over the last year or so intermittently too. I restarted it but it stopped again, so today I reset it back to ‘factory’ settings and then put a few config tweaks back in such as ports etc…
It seems to be running fine, but I have a few issues:

  1. IP Tables is not installed as a module in Webmin. I’m not sure how to get this installed, CSF says it is necessary though.
  2. I can’t see where to disable IPv6, most online help references Network Settings in Webmin, but it looks to have changed location?

Thanks in advance.

SYSTEM INFORMATION
OS type and version Alma 8.10
Virtualmin version 7.30.3
Webmin version 2.202

That can’t be the actual error. What is the actual error?

Do you see IPtables in the unused module section? It should be working, it's just in the wrong section.

I just had a look, the module is called Linux Firewall in the menu list and Linux IPTables Firewall in the header. If you look in there and it's enabled you should see the firewall list (unlike my screenshot).

Maybe this installation does not have IPtables installed but has NFtables installed instead? Or is firewalld still running, which stops Webmin displaying the IPtables module under Networking, but as pointed out, it is displayed in the unused modules section.

I’m not going to make wild guesses. If they won’t give us real information to work with, we can’t help. What they said happened can’t be what happened (the IPTables module is a standard module in Webmin, and has nothing to do with whether nftables is installed on the system), so I’m going to wait until they tell us what actually happened.

Thanks for the replies so far everyone.

First off, for relevancy, I’m running this as a server to host about 20 websites.

My understanding is that I should run iptables as a default firewall and then CSF is good to have on top as a GUI with a lot of nice features like login/intrusion/flood detection. I had this on previous cPanel servers, so I know it well. Please let me know if you think this shouldn’t be the case, but it’s reassuring to have a basic firewall turned on in case CSF drops out on me, which it has several times.

@stefan1959 - Yes, I see ‘Linux IPTables Firewall’ in the header and it shows ‘there is no bootup action, indicating the IPTables package is not installed on your system’.

So I looked in terminal:

I tried iptables-legacy but it said ‘command not found’.

@jimr1 - firewall.d appears to be ‘loaded but masked’

@Joe - I searched IPTables in Webmin and found nothing, and it wasn’t there in unused modules. I didn’t realise it was called Linux Firewall. The main issue for me is CSF dropping out and also not getting any notifications when it does. If it is known to play up with Webmin or adds too much load then I’d consider dropping it, but would like to set a firewall up as securely as possible of course.

CSF is running at the moment but what is best to do from here as I haven’t setup Linux Firewall? Should I ‘unmask’ that somehow (and does that just mean it isn’t running)?

You’re still talking around the problem.

What is the actual error that had you looking for the IPtables module in Webmin? CSF does not depend on anything in Webmin.

CSF manages the firewall and there is a Webmin module for CSF. What does the Webmin iptables module have to do with anything?

Have you installed CSF? Have you installed the CSF Webmin module?

That has nothing to do with Webmin. CSF is not part of Webmin, it does not depend on Webmin or anything in Webmin. There is a Webmin module for managing CSF, but if CSF isn’t working correctly, it’s a misconfiguration in CSF or a bug in CSF, and has nothing to do with Webmin (though maybe, if you have the Webmin CSF module, you used Webmin to configure it).

Nobody said anything of the sort. But, you seem to be misunderstanding something somewhere because you’re doing a bunch of stuff completely unrelated to CSF. You can use any firewall you want. I don’t care, I’m not making any recommendations.

Now, knowing that we don’t maintain CSF, and CSF is not part of Webmin, we can safely say you do not need the Webmin iptables module in order to use CSF.

So what problem are you actually trying to solve? (Keeping in mind, I don’t use CSF and we are not the maintainers of CSF, and while there is a CSF module for Webmin, we’re probably not the people to ask about most CSF problems.)

Have you installed CSF? Have you installed the CSF Webmin module?

Yes, CSF is installed but kept stopping with a ‘Firewall not running’ message (or similar) in the main Webmin Dashboard.

What makes you believe that has anything to do with Webmin or the Webmin iptables firewall module?

I have never had CSF stop on multiple cPanel servers before, so I’m asking in case it’s a known issue with the Webmin integration or others might have experienced it.

Nobody said anything of the sort.

I didn’t say anyone did Joe, I was just asking for advice as it is a module rather than Webmin/Virtualmin code.

But, you seem to be misunderstanding something somewhere because you’re doing a bunch of stuff completely unrelated to CSF. You can use any firewall you want.

Is it okay to use Linux firewall with the CSF module? If CSF fails again then at least I get basic protection.
If not, what do I need to disable from a default Webmin installation to be able to use CSF without conflicts?

So what problem are you actually trying to solve?

I’m trying to prevent my CSF firewall module from stopping and causing security issues.

It is not a known issue. CSF doesn’t depend on Webmin, so if CSF is stopping, it has nothing to do with Webmin. There are many people using the Webmin module (as I understand it, it is maintained by the CSF developers, so I would think it would be the best GUI option for managing CSF).

If you’re using CSF, CSF manages the firewall. I don’t know if you can directly manage the iptables rules, too (again, I don’t use CSF…some people here do, maybe they have thoughts on that).

Unless CSF is literally being shut down, I can’t imagine the firewall rules it put in place disappear when the service stops doing what you expect.

Maybe define what you mean by “CSF stops”

Nothing. Installing Webmin does not create a firewall, nor does it install any firewalls. Webmin does nothing without being told to do something.

Or, do you have Virtualmin? Using the Virtualmin installer sets up firewalld and fail2ban to work with firewalld, which conflicts with CSF, but I believe CSF removes those when you install it.

OK, tell us what that looks like. Why do you think it’s stopping?

Sorry I was wrong, just testing and iptables can’t be managed via the IPtables module.
I installed the iptables.service and it caused issues.

There is an option to reinstall in the Fix common problems section.

I haven’t used CSF in years. I do remember it used some sort of masquerading for the Ethernet interface. I once stopped the firewall and immediately lost connection to the server. May be different now.

Testing on Rocky 8 for a few hours now and it seems to work fine, but the bans so far are only SSH; from memory the OS log locations need to be tweaked. But that's getting off topic.

We are still waiting for relevant log entries.

It's been discussed in previous posts like here

There was a message in the Webmin dashboard under System information > Firewall version that said something to the effect of “Stopped” or “Disabled”, but can’t screenshot it now. I had to enter the CSF settings area to re-enable it on a few occasions. This time I did a reset from within the CSF page and re-entered the relevant settings. It has now remained up for a few days, so fingers crossed.

Yes, I’m using Virtualmin. Firewall.d says it isn’t running but I can’t work out whether Fail2Ban is (says ‘loaded’ and ‘active’ but what does the code=exited relate to below?)

Your explanation of Webmin not creating a firewall, just hooking into the existing one made sense. I just presumed it came with its own firewall.

I’m up and running again, so thanks all for your help. Have a great new year!

You should disable fail2ban at bootup, it's configured for Firewalld and is not needed with CSF.

If CSF is working you see bans happening.

Thanks @stefan1959

I just had a notification message in my browser from Webmin/Virtualmin:

‘Firewall danger. It appears that Config Server firewall is not running or has been stopped’

There was nothing showing in the Webmin dashboard to that effect this time.

I have taken your advice and stopped the Fail2Ban service (and also disabled it at boot). Will see if that was the reason why CSF stopped.

Can’t see anything untoward in the CSF logs, are there any others I should be looking at to see what happened?

Check its status. CSF installs in test mode, you have turned off test mode.

CSF have their own forum; sign up there, they have a lot more knowledge on the software than here.
https://forum.configserver.com/
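
The two checks suggested in the replies above (firewalld and fail2ban not running or enabled at boot alongside CSF, and test mode switched off in csf.conf) can be scripted as below. This is an added example, not part of any post in this thread and not CSF or Webmin code; it assumes a systemd host, takes the csf.conf path as an argument, and uses constructed sample lines.

```sh
#!/bin/sh
# Added example: triage for the CSF conflicts discussed in this thread.
# Assumptions: systemd host; the csf.conf path is supplied by the caller.

# Constructed sample of csf.conf-style lines (KEY = "value"), for offline use.
sample_conf() {
    printf '%s\n' '# constructed sample' 'TESTING = "1"' \
        'TESTING_INTERVAL = "5"' 'TCP_IN = "22,80,443"'
}

# Print the value of TESTING from a csf.conf-style file; last assignment wins.
# TESTING_INTERVAL must not match, so only spaces or "=" may follow the key.
csf_testing_value() {
    sed -n 's/^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Classify a service that conflicts with CSF from the strings printed by
# `systemctl is-enabled` ($2) and `systemctl is-active` ($3).
conflict_state() {
    case "$2:$3" in
        *:active)   echo "CONFLICT: $1 is running" ;;
        enabled*:*) echo "WARN: $1 is stopped but starts at boot" ;;
        *)          echo "OK: $1 ($2/$3)" ;;
    esac
}

# Run both checks against the live system.
triage() {
    for svc in firewalld fail2ban; do
        conflict_state "$svc" \
            "$(systemctl is-enabled "$svc" 2>/dev/null)" \
            "$(systemctl is-active "$svc" 2>/dev/null)"
    done
    case "$(csf_testing_value "$1")" in
        0) echo "OK: TESTING is off" ;;
        1) echo "WARN: TESTING is on in $1" ;;
        *) echo "WARN: no TESTING line found in $1" ;;
    esac
}

# Only touch the system when asked: sh triage.sh --run <path to csf.conf>
if [ "${1:-}" = "--run" ]; then
    triage "$2"
fi
```

A masked and inactive firewalld, as reported earlier in the thread, classifies as OK; a fail2ban unit that is stopped but still enabled is flagged because it would return at the next reboot.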

Thanks, I did make sure test mode was off each time I altered the csf.conf file.

@Volt31, what was your reason for using CSF instead of the default firewalls? I used CSF years ago, but finally tired of the constant upkeep of it. I can’t remember why I started using it now, something about blocking countries I think…