• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk 12.5 PSA-Firewall Custom Rules add unnecessary DROP rules.

P

paulieG

Regular Pleskian
Hi,
Testing Plesk 12.5 firewall.

If I create custom rule :


Test Allow incoming from XXX.XXX.XXX.XXX on all ports

Then the following iptables rules are generated :

/sbin/iptables -A INPUT -p udp -s XXX.XXX.XXX.XXX -j ACCEPT
/sbin/iptables -A INPUT -p udp -j DROP
/sbin/iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT
/sbin/iptables -A INPUT -p tcp -j DROP
/sbin/ip6tables -A INPUT -p udp -s ::ffff:XXX.XXX.XXX.XXX -j ACCEPT
/sbin/ip6tables -A INPUT -p udp -j DROP
/sbin/ip6tables -A INPUT -p tcp -s ::ffff:XXX.XXX.XXX.XXX -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp -j DROP


This is is a bit of a problem is it not? When can we see a fix?

Paul.
 
I can't reproduce this issue on my default test Plesk 12.5 installation.
Could you please provide more detail? Step-by-step instruction for reproducing would be great.
 
Hi.

I have same issue.
When you add custom rules into the firewall, and if in rules present source ip - rules created wrong:
as example from "preview":
/sbin/iptables -A INPUT -p udp -s 40.40.40.40 -j ACCEPT
/sbin/iptables -A INPUT -p udp -j DROP
/sbin/iptables -A INPUT -p tcp -s 40.40.40.40 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -j DROP
/sbin/ip6tables -A INPUT -p udp -s ::ffff:40.40.40.40 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp -j DROP
/sbin/ip6tables -A INPUT -p tcp -s ::ffff:40.40.40.40 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp -j DROP

/sbin/iptables -A INPUT -p tcp --dport 100 -s 50.50.50.50 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 100 -j DROP
/sbin/ip6tables -A INPUT -p tcp --dport 100 -s ::ffff:50.50.50.50 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 100 -j DROP



I added 2 custom rules:
first: allow tcp 100 from 50.50.50.50
second: allow all from 40.40.40.40

If rules applied - all traffic will block.

Please help us to resolve this issue.
 
I have a similar related issue on a fresh install exactly the same set up (CentOS 6 Plesk 12.5). Upon adding a custom rule in Plesk firewall (opening passive FTP ports), all connections Pop and Imap via ports 995 and 993 are denied, and despite them being indicated as open using SSH root command openssl s_client -showcerts -connect mail.mydomain.tld:995
I tried adding a custom rule in /etc/sysconfig/iptables and restart but this just blocked all ports
It looks as if iptables (and ip6tables) are not actually started as a service??
 
You must log in or register to reply here.

Similar threads

S
Issue Cant activate the plesk firewall
Replies
5
Views
819
martinez.marcias@gmai
M
Liwindo
Input New Firewall App 18.0.52
Replies
4
Views
1K
Liwindo
Liwindo
N
Resolved Plesk Firewall Import create double entries
Replies
1
Views
474
NormanHuth
N
J
Question Plesk Firewall is blocking requests even with configured rules
Replies
2
Views
349
Johnny9977
J
S
Question Plesk Firewall do not block connections to Docker container
Replies
0
Views
1K
shopuser
S
Back
Top