After upgrade to Plesk 10.3 the firewall module is broken

[RichardZ]

After upgrading from 10.2 to 10.3, the firewall module gives this error upon attempting any change/activation:

Error: Could not activate firewall configuration:

safeact: safeact: /opt/psa/var/modules/firewall/firewall-new.sh failed:
ip6tables v1.4.4: invalid mask `' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.


proc_close() failed: Declaration of Skin::initFromSubmit() should be compatible with that of cObject::initFromSubmit()


This occurs on systems running Ubuntu 10.04.


Any assistance?

 

[BettaC]

Same for me..... Plesk 10.3, Ubuntu 10.04 64Bit

this fixed it... (i'm not using IPv6 on this box)

mv /sbin/ip6tables /sbin/ip6tables.org

Cheers Mate, Bruce

 

[metalalisa]

bad solution. After it my server became unreachable.

 

[BettaC]

bad solution. After it my server became unreachable.

I have 4 production plesk servers and this solution worked on all of them. I didn't loose connection to any of them.

 

[metalalisa]

I have 4 production plesk servers and this solution worked on all of them. I didn't loose connection to any of them.

what iptables version you have?
And Plesk

 

[GeertL]

After upgrading from 10.2 to 10.3, the firewall module gives this error upon attempting any change/activation:

Error: Could not activate firewall configuration:

safeact: safeact: /opt/psa/var/modules/firewall/firewall-new.sh failed:
ip6tables v1.4.4: invalid mask `' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.

This occurs on systems running Ubuntu 10.04.

Same problem here (also Ubuntu 10.04). Havent had time to find a fix. But hopefully it will be fixed a.s.a.p. Problem exists in Plesk 10.4.4 MU#5.

 

[metalalisa]

Parallels said that it will be fixed in next microupdates. Need to wait

 

[GeertL]

Parallels said that it will be fixed in next microupdates. Need to wait

Seems to not have been fixed with the 10.4.4 #6 update - and cant see it planned to be fixed in the #7 update article... :-///

 

[GeertL]

Seems to not have been fixed with the 10.4.4 #6 update - and cant see it planned to be fixed in the #7 update article... :-///

But at least I had time to inspect the problem now. It seems that the Firewall module writes a **** ip6tables statement on certain network masks.

Ie. I had a deny rule for the mask: 193.105.210.0/24

This will make the module write the follwing in the firewall activation script:

/sbin/iptables -A INPUT -p udp -s 193.105.210.0/24 -j DROP
/sbin/ip6tables -A INPUT -p udp -s / -j DROP

The ip6tables line is (of course) invalid and seems to have not been parsed correct by the Firewall module.

If you remove it via Firewall module from the ruleset - a correct script will be written and module will work again. However - the module will not alowed the above mask if you try to enter it in the ruleset again.

So you gotta track all the ip6tables lines that look like above - and find the corrosponding iptables line (in the same block) and remove these from your Firewall module setup.

Im no network expert - but cant seem to understand why the 193.105.210.0/24 mask is invalid?