My firewalld isn't working - what is the correct FirewallBackend? Please check yours for me?

Gaaaah. No wonder I’m having trouble with attacks…
I haven’t touched FirewallD at all. My firewalld.conf has this final line: FirewallBackend=iptables

Yet…

  • I don’t have iptables active (it IS installed).
  • FirewallD is running everything. The service is running.
  • firewall-cmd appears to be the correct shell UI.
  • fail2ban is updating the ipSets correctly, but they aren’t being used anywhere that I can see.

What should that line in firewalld.conf say?

Please … could someone simply do this?

tail /etc/firewalld/firewalld.conf

SYSTEM INFORMATION
Operating system Debian Linux 10
Webmin version 1.990
Usermin version 1.834
Virtualmin version 6.17-3
Authentic theme version 19.85.1

Use this site to check if any ports are open

Steve

I know how to deal with ports and such.

My question is what is the correct config information for the VirtualMin default (FirewallD) firewall?
Mine is not working at all… presumably because it is set to use iptables but iptables isn’t installed (and there are many docs here saying you get to choose between iptables and FirewallD… but FirewallD is the default.)

If nobody knows, I’m confused.

These are the default public rules, why do you think it's not working?

@stefan1959 why do I think it is not working?

  1. Because fail2ban blocked IPs are still getting through, even though listed in IPsets
  2. Because FirewallBackend is set to iptables, yet:
    • FirewallD supposedly replaces iptables
    • iptables is not active (apparently?)
    • and I don’t have any ACTUAL rules functioning (looking with firewall-cmd)

Just because the GUI lists some rules doesn’t mean they are actually functioning in a system. :wink:

(At breakfast yesterday, a sysadmin friend described a scenario where a crucial tracking report was giving bogus data… because the underlying API had been replaced. It was giving old bad data NOT connected to an actual system.

It was an entire year before anyone noticed!)

So, what does tail /etc/firewalld/firewalld.conf look like on your server… and is iptables also installed together with firewallD?

user:~# tail /etc/firewalld/firewalld.conf

# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons.
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=yes

fail2ban works on my system because it blocked me once and I had to use the unblock command to allow a pop3 connection from my IP.

Steve

Debian 10 firewalld.conf file (2.1 KB)

FirewallD is just a front end for iptables/nftables. It does nothing on its own.

What is the output of the following commands? Do you have iptables package installed?

apt list --installed |grep -i tables
which iptables
whereis iptables

Thanks, @Ilia … That’s the sense I am getting. I was headed down the wrong path by statements such as this one:

FirewallD is an IPv6 compatible firewall mechanism used in recent Linux distributions (RedHat/Fedora/CentOS) replacing good old iptables.

I now understand that statement is misleading at best.

So I do have iptables installed. That confusion continued as I searched for a solution to my issue:

  • the bootup/shutdown list doesn’t list iptables but does list firewalld
  • The way this is all being used, in particularly by fail2ban in Webmin, firewall-cmd doesn’t see firewall details on the surface. (ACTUALLY, they are all there now! The needed commands are a bit obscure – see below.)

Here’s my new understanding of the reality:

  • FirewallD (and firewall-cmd) is not a firewall at all. It is a UI for a backend firewall, either the older iptables or newer nftables packet filters, and other associated bits.
  • iptables refers to two entirely separate things (managed by the netfilter.org project)
    • a kernel packet filtering technology (being replaced by the nftables packet filter)
    • the iptables firewall definition command utility (nft is the equivalent for nftables architecture)
  • Because the actual packet filters are built into the kernel, there’s no visible iptables or nftables process.

So in simple terms:

  • FirewallD is a front end that currently uses iptables as its backend.
  • Here are some handy commands for viewing and managing fail2ban firewall info.
    • NOTE: firewall rules and IPset tables are only created once there is something to be banned.
    • NOTE: “direct” rules do not display in the Webmin GUI. Yet that’s how fail2ban functions. Perhaps someday this can be added…
firewall-cmd --direct --get-all-rules   # list the direct rules fail2ban installed
ipset list -t                           # terse: list all IP sets, names and entry counts only
ipset list                              # full: list the banned IP addresses as well

And for diagnosing and detecting any issues, here’s how to temporarily log banned packets (without logging ALL drops. You don’t wanna do that :wink: ) … There’s probably a way to do this with firewall-cmd but I haven’t deciphered it yet…

# Create a chain that logs, then rejects: a TCP reset for tcp, the default ICMP reject for everything else
# NOTE: if you forget "-p tcp" on the tcp-reset rule, the new nf_tables-based iptables gives a useless error message. I wasted too much time finding that ;)
iptables -N LOG_Reject
iptables -A LOG_Reject -j LOG --log-prefix "f2b reject " --log-level 6
iptables -A LOG_Reject -p tcp -j REJECT --reject-with tcp-reset
iptables -A LOG_Reject -j REJECT

And now, to replace a rule with a logging rule

# List the direct-rule chain, including rule line numbers
iptables --line-numbers -vnL INPUT_direct

# An example: to log all hits on the postfix_sasl IPset...
# It's rule #4 in the list we displayed above
# Safest careful way: add the new rule, then delete the old
# (-A appends at the end of the chain; if the rule must keep its place among the
#  others, use "-I INPUT_direct 4" instead, after which the old rule becomes #5)
iptables -A INPUT_direct -m multiport -p tcp --destination-port 25,465,587,143,993,110,995 -m set --match-set f2b-postfix-sasl src -j LOG_Reject
# (Now list again and ensure the new rule is what you want, and re-check the old rule's number)
# Now delete the old
iptables -D INPUT_direct 4

(After all that, it appears I may have found a bug in fail2ban. It does block for a little while but the bantime specified is kinda-sorta ignored.)

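The check the thread keeps circling is whether fail2ban's ipsets are actually enforced by anything. The script below is an added example, not code from the thread, fail2ban or Virtualmin: it cross-checks `ipset list -t` output (whose `References:` line is the number of kernel rules that consult the set) against `firewall-cmd --direct --get-all-rules` and names every f2b set that nothing matches on. The two command outputs embedded in it are constructed samples in the real formats; set names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban/Virtualmin.
# A set that fail2ban fills but that no rule matches on is exactly the
# "IPs are in the ipset but still get through" symptom. Two independent
# signals are checked:
#   1. `ipset list -t` prints "References: N" per set, the number of kernel
#      rules that reference it; 0 means nothing consults the set.
#   2. `firewall-cmd --direct --get-all-rules` shows the direct rules, whose
#      "-m set --match-set NAME src" clause names the set they use.

# Constructed sample of `ipset list -t` (terse: headers only, no members).
SAMPLE_IPSET_LIST='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 280
References: 1
Number of entries: 3

Name: f2b-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 216
References: 0
Number of entries: 12'

# Constructed sample of `firewall-cmd --direct --get-all-rules`: only sshd is wired up.
SAMPLE_DIRECT_RULES='ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable'

# Names of every f2b-* set in `ipset list -t` output (read from stdin).
f2b_sets() {
    awk '/^Name: f2b-/ { print $2 }'
}

# Sets whose kernel reference count is zero: no rule of any kind points at them.
unreferenced_sets() {
    awk '/^Name: / { name = $2 }
         /^References: 0$/ { print name }'
}

# Set names used in a --match-set clause of any direct rule (read from stdin).
sets_in_direct_rules() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }'
}

# f2b sets that no direct rule matches on. $1 = ipset output, $2 = direct rules.
sets_without_direct_rule() {
    for s in $(printf '%s\n' "$1" | f2b_sets); do
        printf '%s\n' "$2" | sets_in_direct_rules | grep -qx "$s" || printf '%s\n' "$s"
    done
}

# Print findings; exit status 1 when something is not wired up, for scripting.
report() {
    missing=$(sets_without_direct_rule "$1" "$2")
    unref=$(printf '%s\n' "$1" | unreferenced_sets)
    if [ -n "$missing" ] || [ -n "$unref" ]; then
        echo "f2b sets with no direct rule : ${missing:-none}"
        echo "f2b sets with References: 0  : ${unref:-none}"
        return 1
    fi
    echo "all f2b sets are wired to a direct rule"
}

# Stand-alone run against the constructed samples. On a live host use:
#   report "$(ipset list -t)" "$(firewall-cmd --direct --get-all-rules)"
report "$SAMPLE_IPSET_LIST" "$SAMPLE_DIRECT_RULES" || :
```

On the constructed input it reports `f2b-postfix-sasl` under both headings. The `References:` signal is the more trustworthy of the two, since it also counts rich rules and hand-written iptables/nft rules that the direct-rule listing does not show.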

You’re right, the Webmin Firewalld module is pretty limited (and Firewalld is kinda confusing, I have to read the docs every time I touch anything…I wish it weren’t the best option, but it pretty much is, at least for our needs and our users most common use cases). I’ll make a ticket about adding support for showing direct and rich rules (I hate that they don’t have a simpler abstraction for something as simple as blocking an IP address, too).

Worth noting that not all systems use direct rules (this is the first I’ve heard of it, but I trust you as it looks like you’ve done your homework…on my CentOS/Rocky 8 systems fail2ban is using rich rules). I don’t know what the difference is, but the firewalld docs suggest direct rules should be a last resort after rich rules. I guess direct rules are at the lowest level of abstraction.

Ticket is here: Would be nice for Firewalld to be able to list rich rules and direct rules · Issue #1622 · webmin/webmin · GitHub


Thanks, @Joe … more homework still to be done.

My current suspicion: direct rules being used so that ipSets can be used. Not sure if Rich Rules can access ipSets.
UPDATE: Rich Rules absolutely can work with ipSets … not sure why F2B uses direct rules (unless it’s a carryover from pure iptables.)

Many of us VM users would highly appreciate that: a simple way to add an IP or two on a permanent ban. :+1:
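For the "block an IP or two" case, firewalld's own ipsets plus a single rich rule do the job without direct rules. The script below is an added example, not code from the thread or from Webmin: it assumes firewalld with ipset support and the default zone, uses the hypothetical set name `manual-blocklist`, and validates the network before it is handed to `firewall-cmd`. Setting `FWCMD=echo` turns it into a dry run that only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread or Webmin): a manual block list held in a
# firewalld ipset and enforced by one rich rule, no direct rules needed.
# Assumes firewalld with ipset support (0.6 or later) and the default zone.
# FWCMD=echo turns every firewall-cmd call into a printed dry run.
FWCMD=${FWCMD:-firewall-cmd}
SET_NAME=${SET_NAME:-manual-blocklist}   # hypothetical set name; pick your own

# Accept only a dotted-quad IPv4 address with an optional /prefix.
# Anything else is refused so shell metacharacters or junk never reach
# firewall-cmd. Returns 0 when valid, 1 otherwise.
valid_ipv4_cidr() {
    case $1 in
        ''|*[!0-9./]*|.*|*.|/*|*/|*..*|*//*) return 1 ;;
    esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # bare address means /32
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the set and its drop rule once; later calls only add entries.
ensure_set() {
    if ! $FWCMD --permanent --get-ipsets | grep -qw "$SET_NAME"; then
        $FWCMD --permanent --new-ipset="$SET_NAME" --type=hash:net
        $FWCMD --permanent --add-rich-rule="rule family=\"ipv4\" source ipset=\"$SET_NAME\" drop"
    fi
}

# Add one address or network to the block list and activate it.
ban_net() {
    if ! valid_ipv4_cidr "$1"; then
        echo "refusing to ban malformed network: $1" >&2
        return 2
    fi
    ensure_set
    $FWCMD --permanent --ipset="$SET_NAME" --add-entry="$1"
    $FWCMD --reload
}

# Show what is currently in the set.
list_bans() {
    $FWCMD --ipset="$SET_NAME" --get-entries
}
```

Usage on a live host is `ban_net 203.0.113.0/24` followed by `list_bans`. Removing an entry is the mirror image, `firewall-cmd --permanent --ipset=manual-blocklist --remove-entry=... && firewall-cmd --reload`, which matters because, as a later post in this thread points out, address ranges change hands and a "permanent" ban should still be revisited.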

I would highly recommend using CSF firewall. It even comes with a Webmin module. It is well documented and an excellent tool to limit or stop attacks. I have been using it for years now.

Here is a good tutorial to use - How to Install CSF Firewall on Ubuntu 20.04 | Atlantic.Net. I know it works on Ubuntu 18.04 too.

If you want to block an IP or a CIDR block it is as easy as adding into this text field.

When you want to limit access to your server to only a select country or countries you can do it too.

There is so much more you can do using CSF firewall. I have stopped using Fail2ban, etc after discovering this amazing tool. My server has 16GB of ram. I have used it for servers running with only 4GB of ram and it works well too.


Didn’t know VM supports CSF. I’ve only used it on cPanel servers.
Will check that for sure.
Thanks!

CSF has worked for years here; take care to enable ports 10000 and 20000 :wink:

Also, some configs for the logs are needed so they don't get “full” in no time; you can find those in the manual.

I also have the FTP ports and FTP disabled on the vmin box.

IPv6 blocks, hmm, they (scammers) switch very fast there.

There is very good support for CSF in Virtualmin/Webmin and Authentic Theme. But, I don’t like that sort of firewall and don’t recommend it on servers. It’s very easy to get bogged down in the minutiae of complicated rules that don’t make sense on a web server. But, Ilia likes CSF, so there’s good support for it.

But, Ilia has been doing a lot of work on the Firewalld module, so it’s going to get some upgrades in the next Webmin release.


@jaldeguer, @ramones79, @joe I have learned some lessons about the use of “permanent” IP bans: you really do not want to do this. The issue: IP assignments are not forever.

I blocked some ranges due to flooding attacks from certain parts of the world. So nice.
Then later, legitimate sources could not connect.
Why? In the meantime, those IP blocks changed hands and now are used by 100% legit sources.

This is why dynamic blockers such as fail2ban are needed… particularly in the upcoming 0.11 version, with auto-scaling block times.

Having set the country blocks has, in my experience, significantly reduced attacks. In the years of using CSF, I have yet to encounter the problem you described. What’s nice about having this feature is that it's up to the organization or individual to enable or disable it.

CSF Firewall comes with a feature called Login Failure Blocking if you do not want to use permanent blocking.