Dear Virtualmin-Experts,
I`m new to Webmin/Virtualmin, coming from Plesk.
So far I`m impressed about the functionality and did a setup of a new server with Ubuntu 16.04 and running the install.sh of virtualmin to have a clean install.
Everything works, except the fail2ban security. On my old server its setup with iptables, so I checked with iptables -L, but even after 6 or 7 forced wrong logins I couldn´t find my ip. So I searched for the firewall and found, that FirewallD is installed, together with iptables, called Linux Firewall in Webmin.
When I open Linux Firewall (iptables) I see this warning:
External managed rules detected. Activate "Directly edit firewall rules" or your firewall rules may break. Warning! It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the FirewallD module instead.
How can I resolve this apparent conflict?
Hope you can help me on this topic.
Why are we using firewalld on ubuntu with virtualmin?
Firewalld is a centos default firewall isnt it? Ubuntu firewall is ufw. Why does virtualmin not use ubuntus native UFW?
There is a topic about them both on ubuntu forums...https://ubuntuforums.org/showthread.php?t=2319464
I also found this article (https://www.ctrl.blog/entry/ufw-vs-firewalld) that talks about fail2ban integrating with firewalld in order to perform its tasks with iptables on fedora at least...not sure if its the same on ubuntu?
Anyway, Here is what i have on my system...
I also get the warning you are talking about in webmin>networking>linux firewall. It just means that virtualmin is using firewalld i believe (so probably nothing to worry about)
By default it appears to me that virtualmin installs linux firewall and firewalld. I have them both on my system however, FirewallD is the active one (see webmin tab>system>bootup and shutdown> (scroll down to see if firewalld is set to start at boot and is running), and also Webmin>system>running processes (scroll down to see firewalld is running.
Also, i thought the usual method was ether iptables OR ufw/firewalld not both? Using both would create a conflict potentially, so i guess you need to choose which one you are going to use...if iptables/linux firewall then disable firewalld and set linux firewall to active and also to start at boot...otherwise copy your iptables rules configuration across into firewalld.
For those who use ubuntu and havent already, add the "ask ubuntu" (on stack exchange) and also "ubuntuforums.org" to your browser favourites. they are a great place for problem solving ubuntu issues.
UFW and GUFW (the gui interface for ufw) are both installable onto virtualmin via webmin>system>software packages>Install a new package>search apt>enter "ufw" into "Search Apt..." popup box.
Kind regards Adam
https://ajecreative.com.au
Thank you for your reply, Adam.
I wasn´t aware that firewalld is a frontend of iptables.
Firewalld is running and set to start at boot and I cannot find iptables or another firewall running or on the page bootup and shutdown.
It´s a little confusing, but perhabs its ok like it is?
Operating system Debian Linux 9 | Webmin version 1.891 | Usermin version 1.741 | Virtualmin version 6.03
iptables is the firewall for ubuntu.
Firewallld is just scripts that manage the firewall. Default for redhat and centos but works on many debian distributions. UFW is also just scripts that manage the firewall. Default for ubuntu desktop if installed. For a server its command line only. Although you could create commands in the webmin, other, custom commands for things you use all the time.
You can remove firewalld and just manage iptables on your own through the webmin, networking, firewall. The good thing about firewalld is that it manages ipv4 and v6. Where as if managed through iptables, you'd have to mange each separately.
Another good "manager" for linux firewalls is CSF. Config server firewall. Little more complicated to setup and get used to, but worth it. Manages firewall and bans abusers. After having used/tried all the above, Ive gone to CSF. Mainly because of clustering, and ability to handle repeat offenders. An IP can be automatically banned across all servers, not just the server where the attempt happened. And the ability to temp ban, then permanently ban repeat offenders. Where as fail2ban, when I used it, would constantly ban and release the same IPs over and over.
I chose Firewalld not because I love it, but because it's good enough and common across all distributions. We can install it on any systemd based distribution and know it'll work the same across all of them.
It isn't mandatory; you can use whatever firewall you prefer, and Webmin even has a module for a few of them (iptables, CSF, etc.), but we needed something that was simple, reliable, and consistent across all of the distributions we support. Firewalld isn't a CentOS/RHEL/Fedora thing. It is its own open source project, independent of any distribution or vendor, which was also really important in my decision-making process. ufw is an Ubuntu project. We don't really do that kind of distro specific thing; we use the conventions of the distro for config files, but we don't use distro-specific programs, as it would lock users into that distribution (the lock-in probably isn't a big problem with regard to a firewall, but still a concern).
I'm also not a fan of firewall generation tools that abstract away the specific rules...firewalld is borderline, but it's basically a thin wrapper over iptables that uses D-Bus rather than a monolith that spits out firewalls based on a configuration file. It's working directly on the firewall rules, which is a subtle distinction, but matters to me. So, ufw has two strikes against it (it is distro-specific, and it is a rules generator rather than a tool for working directly with the firewall).
So, for folks who want something simple that Just Works out of the box and looks the same on any supported distribution, FirewallD is great. It does the thing, provides some abstraction of some complex topics, and will smooth over migration pain in the transition to nftables in the future (which I keep hoping will start happening any day now, because nftables is sweet). I was torn about using firewalld vs. iptables and was leaning strongly toward iptables until a user kinda pushed back and wanted firewalld and so I did some more research and found there are some good arguments for choosing firewalld.
And, yes, to be clear: If you are using firewalld to manage your firewall you would not use any other tools to manage the firewall.
Firewalld "owns" the firewall on the system, and all management should be done using the firewalld commands or the Webmin firewalld module. If you don't want to use the firewalld tools, you need to disable the firewalld service, and switch to the service you do want to use and recreate your rules. There is a
virtualmin config-system
command that will initialize an iptables firewall, and can also setup fail2ban to use iptables (though switching after installation hasn't been tested...you'll want to check the configs it generates and make sure it's actually working).Something like (assuming firewalld has been stopped and disabled, and fail2ban has, as well):
# virtualmin config-system --include Firewall Fail2ban
The Firewalld versions of those config-system plugins are
Firewalld
andFail2banFirewalld
.I have vague feelings that while the iptables firewall will work without any poking after doing this, the fail2ban config will probably need a little bit of human attention...since iptables would be a blank slate while fail2ban would already have some config from the initial installation configuration, and for now the config-system command assumes a fresh install of the services it configures (I'm working on rollback functionality for Virtualmin 7, so you can undo what the installer changes, but it's not in there yet).
But, really, unless you have specific firewall needs, just use the defaults and add whatever extra rules you need using the firewalld module. Most servers don't need and aren't well-served by complicated firewalls. They just tend to confuse your future self with unnecessary complexity. A world-facing server has a different security profile and process than a private network with client systems and maybe a DMZ or similar (where firewalls serve an important purpose and may need to be quite complex).
If I can impart any wisdom here, it's this: If you're worrying about what firewall is running beyond needing to know which tools to use to manage it, you're probably spending too much time/effort on the firewall. It probably isn't doing anything useful for the security of your server and your time would be better spent making sure you're up to date, you've disabled services you don't need/use, you've got strong passwords, and your custom applications are constructed with care. Firewalls on servers are generally not very useful, except for dealing with specific problems (fail2ban automates handling one kind of specific problem, and you can also address things like DoS attacks at the firewall level), but you can't prevent an exploit of an unpatched service with a firewall without turning off access to the service (in which case, turning off the service would be even more effective).
--
Check out the forum guidelines!
Joe, thank you very much for your comprehensive and detailed answer. Fail2ban is working and I guess the setup is OK as it is. So I will not change anything and will ignore the warnings.
Operating system Debian Linux 9 | Webmin version 1.891 | Usermin version 1.741 | Virtualmin version 6.03
Virtualmin won't let you do the whole installation process because of Firewalld! I never used in Debian Firewalld, why it is installed by default and cannot be skipped? Fail2ban has an issue with Firewalld and will break the installation process. Please remove Firewalld from default installation in Debian. Even I am a system administrator I cannot do anything to install Virtualmin. The only thing is to block installation of Firewalld by for sure the installation script will provide an error.
I don't want to get by default Firewalld installed. How can I skip that?