Behavior of firewall records + Bastille-firewall
In ISPConfig3 you can enter firewall records to open TCP/UDP ports. By default no records are listed.
Because I had to add a port range (to support TLS+passive FTP) I looked around for how to implement that. The solution is to append it to the listed ports: (first):(last). And add the passive port range to the Pure-FTPD configuration.
I got confused by the configuration file /etc/Bastille/bastille-firewall.cfg. (TCP|UDP)_PUBLIC_SERVICES ports are space separated, not comma separated.
Let's say you want to have ports: 20,21,[...],8080,2525,3389
The next lines will tell what ISPconfig3 does:
- In case you change every comma to a space, only the first value is set in bastille-firewall.cfg. ISPConfig3 does not respond because its port is blocked. You have to manually fix that by editing the configuration and adding port 8080 there. Then service bastille-firewall restart. Then ISPConfig3 responds again.
- In case you change every comma to a space, and append 6500:6600 to it, every port between the first value (20) and the last value (6600) is opened. Oops. And ISPConfig3 is unusable again. Fix with the step above.
- Even if you order the ports in the right order, it acts like above. It prefers the range (20:6600).
The big lesson in here: it only works when you comma-separate the port numbers. But the most problematic thing is, ISPConfig3 accepts it and doesn't warn you about this dangerous behavior. The worst thing is that you don't have access to ssh (which runs on port 22), so falling back to the console (or driving to the DC/remote hands) is the only option.