Univention Bugzilla – Bug 50130
Something restarts (broken) firewall
Last modified: 2020-05-05 17:50:56 CEST
It happened multiple times by now that something restarted the Univention packet filter and dropped my rules:

- The VM is a base system without univention-apache. Still I have
    security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
    security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
    security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
    security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT

- Therefore I manually opened TCP port 80 via UCRV:
    security/packetfilter/tcp/80/all: ACCEPT

- I later disabled the full packet filter:
    security/packetfilter/disabled: true

- Over the last weekend something touched the firewall setting and now I have:
    Chain INPUT (policy DROP)
    target     prot opt source      destination
    ACCEPT     all  --  anywhere    anywhere
    ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere    anywhere
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:ssh
    ACCEPT     udp  --  anywhere    anywhere    udp dpts:32765:32769
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:domain
    ACCEPT     udp  --  anywhere    anywhere    udp dpt:ntp
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:sunrpc
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpts:32765:32769
    ACCEPT     udp  --  anywhere    anywhere    udp dpt:sunrpc
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:7777
    ACCEPT     udp  --  anywhere    anywhere    udp dpt:7777
    ACCEPT     udp  --  anywhere    anywhere    udp dpt:nfs
    ACCEPT     udp  --  anywhere    anywhere    udp dpt:domain
    ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:nfs
    REJECT     all  --  anywhere    anywhere    reject-with icmp-port-unreachable

I have no idea where that comes from; in the past I have already flushed the rules doing
    iptables -P INPUT ACCEPT
    iptables -F INPUT
This led to the WWW server not being reachable.
# journalctl -u univention-firewall
> -- No entries --

# tail security/packetfilter.d/10_univention-firewall_start.sh
> iptables --wait -A INPUT -p "tcp" --dport 443 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp" --dport 443 -j ACCEPT
>
> # univention-base-files[en]: SSH
> iptables --wait -A INPUT -p "tcp" --dport 22 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp" --dport 22 -j ACCEPT
>
> iptables --wait -A INPUT -p "tcp" --dport 80 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp" --dport 80 -j ACCEPT
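Added example, not part of the report and not Univention's own generator: a small POSIX shell script that turns `security/packetfilter/...` variables of the shape quoted above into the `iptables --wait -A INPUT -p "<proto>" --dport <port> -j <target>` lines seen in the `10_univention-firewall_start.sh` tail, reports whether `security/packetfilter/disabled: true` is set, and lists which expected rules are absent from an `iptables -S INPUT` listing. The key layout (`.../<proto>/<port>/all` for a rule, a trailing `/en` for its description) is taken from the variables in the report; the mapping to output lines is an assumption based on the quoted script tail, and both sample inputs are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "key: value" lines in the style of `ucr dump`,
# modelled on the variables quoted in the report (assumption, not real output).
SAMPLE_UCR='security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
security/packetfilter/package/univention-base-files/tcp/22/all/en: SSH
security/packetfilter/package/univention-base-files/tcp/22/all: ACCEPT
security/packetfilter/tcp/80/all: ACCEPT
security/packetfilter/disabled: true'

# Constructed sample of `iptables -S INPUT` output: 22 and 80 are open, 443 is not.
SAMPLE_LIVE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Print "proto port target" for a rule key. Description keys (".../en") and
# keys that are not rules (e.g. security/packetfilter/disabled) print nothing.
rule_for_key() {
    key=$1
    value=$2
    case "$key" in
        */en) return 0 ;;
        # package-scoped rule: strip "security/packetfilter/package/<pkg>/"
        security/packetfilter/package/*/*/*/*) rest=${key#security/packetfilter/package/*/} ;;
        # manually set rule: strip "security/packetfilter/"
        security/packetfilter/*/*/*) rest=${key#security/packetfilter/} ;;
        *) return 0 ;;
    esac
    proto=${rest%%/*}
    port=${rest#*/}
    port=${port%%/*}
    printf '%s %s %s\n' "$proto" "$port" "$value"
}

# Emit the iptables/ip6tables command pairs in the format of the quoted script
# tail (assumed format; this is not the project's own generator).
render_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        rule_for_key "${line%%:*}" "${line#*: }"
    done | while read -r proto port target; do
        printf 'iptables --wait -A INPUT -p "%s" --dport %s -j %s\n' "$proto" "$port" "$target"
        printf 'ip6tables --wait -A INPUT -p "%s" --dport %s -j %s\n' "$proto" "$port" "$target"
    done
}

# Exit 0 if the packet filter is switched off via UCR, 1 otherwise.
firewall_disabled() {
    printf '%s\n' "$1" | grep -q '^security/packetfilter/disabled: true$'
}

# Print "proto/port target" for every expected rule that the live `iptables -S INPUT`
# listing ($2) does not contain.
missing_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        rule_for_key "${line%%:*}" "${line#*: }"
    done | sort -u | while read -r proto port target; do
        if ! printf '%s\n' "$2" | grep -q -- "-A INPUT -p $proto -m $proto --dport $port -j $target"; then
            printf '%s/%s %s\n' "$proto" "$port" "$target"
        fi
    done
}

echo "Rendered rules:"
render_rules "$SAMPLE_UCR"
if firewall_disabled "$SAMPLE_UCR"; then
    echo "security/packetfilter/disabled is true; none of the above should be loaded"
fi
echo "Expected but missing from live INPUT chain:"
missing_rules "$SAMPLE_UCR" "$SAMPLE_LIVE"
```

On a real host, replace the constructed samples with `ucr search --brief ^security/packetfilter/` and `iptables -S INPUT` to see which rules the running chain lacks compared with what the variables request.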
Again.
30+ minutes lost searching for errors with the service and webserver configs