Using Firewall with directadmin

slasi.net (Verified User, joined Nov 13, 2005, 15 messages)
hi,

I would like to open a discussion on the security possibilities I can use while using DirectAdmin.
The problem is that I cannot use a strong external firewall if I choose to use DirectAdmin. What are my possibilities to overcome this security problem?

thanks
 
I use a Cisco PIX 506 in front of my server w/o issue. I could use a CheckPoint, Netscreen or Sidewinder if I wanted to. Even with a hardware firewall, I still use IPTables for additional granularity. There's no problem using a firewall. I think there might be a NAT issue w/ DA but I could be wrong there. That's ok, I'm not using NAT on my PIX.

As long as TCP 22, 80, 443 and 2222 are open to your server, you'll have full shell and DA access. I added 20,21 and FTP proxy/fixup so that I can FTP to my server through the firewall. So yes, you can use a complex firewall provided you don't lock yourself out.

So what do you mean "I can't use a strong firewall"?
 
I am using a NAT system based on a shared FW.
What are the possibilities to set up DA with this system?
 
You'd have to ask DA directly about NAT. I remember reading that NAT is a no-no and I'm sure it's because it's tied to the license. The license is tied to your global address; however, your machine is running on a local address. So if your global IP was 212.1.2.3 but your local IP was 192.168.1.2, the DA license would be for the global IP. When the license gets installed, it wouldn't match your local IP, and now your install is broken.

I would open up a support ticket; you might get a faster reply.
 
I have asked, and NAT is not possible to use.

I hope Mark can change his system in a way that we can use NAT.

thanks
 
slasi.net said:
I hope Mark can change his system in a way that we can use NAT.
This has been discussed several times and it's unlikely it'll happen.

Jeff
 
Hi everyone,

I'm new to DA as I installed it for testing a few days ago. So far, it seems to be a very nice and flexible control panel.
Re: installation in a NAT environment, my test system is totally behind NAT, sitting on a private IP address with the necessary ports being forwarded.
Yes, it's true that a standard DA installation does not allow this, but with a few OS and routing changes it's working absolutely fine. The network structure is very simple, just an ADSL router holding the public IP with NAT translation. Although such a configuration is not recommended in a live environment, for people who just want to test DA I don't see a reason why not. So if you are behind NAT/firewall, have access to change rules and routing, and have at least one public static IP, you can do it :)

To be honest, I don't know if someone's done it before. Just thought I would share...

Pielciu
 
Let's make this a bit more clear:

DirectAdmin is licensed on a static routable IP#. It won't run on an IP# not in the license.

So I'm presuming what you're doing is letting your router do NAT, port forwarding necessary ports (80, 20, 21, 22, 25, 53, 110, 143, 443, 2222, etc.) to the static non-routable IP# assigned to your server, and then in your firewall redirecting at least port 2222 so it looks like it's coming from your public IP#s.

And of course you still need that one public static IP#.

Not for the faint of heart.

Jeff
 
Yes, having one static public IP (licensed by DA) is mandatory for DA to run :) This thing cannot be changed no matter how hard you try...
Yes, the router does NAT, port forwarding etc. to the private non-routable IP...

Forwarding port 2222 will not do the job, as most of the conf files in DA are set to use IP-based configuration, so a public IP is needed on the server as well; otherwise, major changes are needed (like proftpd.conf, httpd.conf virtualhosts, etc.). My plan for the future is to set up DA in a cluster environment with load balancers controlling the traffic, and that involves more configuration file changes...

What I did (and before I start, I know it's against the TCP/IP specification): as long as you control your routing in a way that does not cause any issues in the network, for testing purposes it is fine.

1. Server IP 192.168.1.50 (this allows you to install DA as long as your public IP is licensed)
2. NAT / DMZ / port forwarding on the ADSL router (whatever you prefer)
3. Added the public IP on the server as well, on a second interface. This is the point at issue, as you should not use the same IP on 2 different devices in the same network...but...in this scenario it is a different segment, and as long as you set the routing in a way that there is no loop and packets are not confused, this will work with no issues
4. As the router is forwarding traffic to the private IP, I added an iptables rule on the server so all packets are routed to the second interface with the public IP (this is for the standard DA IP-based virtual host configuration to work). But before that, make sure the default routing for the public IP from the server stays on the server!
5. The last thing to do is swap the private IP to the public IP in the configuration files, as during installation DA's setup.sh set it to 192.168.1.50

This was the easiest and quickest solution for me, without getting into DA configuration too much. I will definitely revise it and try to modify DA to run based on domain names, but before that I need to find out how DA works in the background.

I find DA a really good package, but the only thing missing for me is not being able to run DA in cluster mode (straight off the shelf)....but this is where IT knowledge comes in handy and what we (IT people) are for :)
 
Yes, having one static public IP (licensed by DA) is mandatory for DA to run.
This thing cannot be changed no matter how hard you try...
Yes, the router does NAT, port forwarding etc. to the private non-routable IP...

Forwarding port 2222 will not do the job, as most of the conf files in DA are set to use IP-based configuration, so a public IP is needed on the server as well; otherwise, major changes are needed (like proftpd.conf, httpd.conf virtualhosts, etc.). My plan for the future is to set up DA in a cluster environment with load balancers controlling the traffic, and that involves more configuration file changes...

What I did (and before I start, I know it's against the TCP/IP specification): as long as you control your routing in a way that does not cause any issues in the network, for testing purposes it is fine.

1. Server IP: any private address (this allows you to install DA as long as your public IP is licensed)
2. NAT / DMZ / port forwarding on the ADSL router (whatever you prefer)
3. Added the public IP on the server as well, on a second interface. This is the point at issue, as you should not use the same IP on 2 different devices in the same network...but...in this scenario it is a different segment, and as long as you set the routing in a way that there is no loop and packets are not confused, this will work with no issues
4. As the router is forwarding traffic to the private IP, I added an iptables rule on the server so all packets are routed to the second interface with the public IP (this is for the standard DA IP-based virtual host configuration to work). But before that, make sure the default routing for the public IP from the server stays on the server!
5. The last thing to do is swap the private IP to the public IP in the configuration files (ipswap.sh?)

This was the easiest and quickest solution for me, without getting into DA configuration too much. I will definitely revise it and try to modify DA to run based on domain names, but before that I need to find out how DA works in the background.

I find DA a really good package, but the only thing missing for me is not being able to run DA in cluster mode (straight off the shelf)....but this is where IT knowledge comes in handy and what we (IT people) are for.
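One way to write the server-side part of the setup above (step 4's redirect from the private to the public IP) together with the host firewall the earlier replies recommend (only the listed DA, shell, mail and FTP ports open), as an added example that is not code from the thread or from DirectAdmin. The interface names, the 192.168.1.50 / 212.1.2.3 addresses (reused from earlier posts as placeholders) and the port list are assumptions; by default the script only prints the iptables commands, and applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (constructed):
#   eth0  192.168.1.50  LAN side; the router port-forwards to this address
#   eth1  212.1.2.3     the DA-licensed public IP, also bound on the server
LAN_IF=${LAN_IF:-eth0}
PRIV_IP=${PRIV_IP:-192.168.1.50}
PUB_IP=${PUB_IP:-212.1.2.3}
# TCP ports named in the thread: FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, DA
DA_PORTS="22 20 21 25 53 80 110 143 443 2222"

# Print the command unless APPLY=1 is set, so the rules can be reviewed first.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Step 4: traffic the router forwards to the private IP is re-addressed to the
# public IP so DA's IP-based virtual hosts match; conntrack reverses the DNAT
# on replies, and the SNAT maps server-initiated traffic back to the LAN address
# so the router can NAT it normally (the "default routing" caveat in the post).
da_nat_rules() {
    ipt -t nat -A PREROUTING  -i "$LAN_IF" -d "$PRIV_IP" -j DNAT --to-destination "$PUB_IP"
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$PUB_IP"  -j SNAT --to-source "$PRIV_IP"
}

# Host filter: accept loopback, established flows and the DA ports, then drop
# the rest. SSH (22) is first in DA_PORTS and the policy flips to DROP only
# after the accept rules exist, so applying this over SSH does not lock you out.
da_filter_rules() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $DA_PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -P INPUT DROP
}

da_nat_rules
da_filter_rules
```

Run it once without APPLY to read the generated rules; the FTP data channel (port 20) still needs the router-side proxy/fixup mentioned in the first reply for passive transfers.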
 