
Firewall configuration changes not applied

Michele.mc2

New Pleskian
Hello!

After upgrading to version 11.5, when I make changes to the firewall configuration and try to save them by clicking on "Apply Configuration", everything seems to be going as it should, but the changes are not saved and do not appear in the description of the rules below.

If I click again on "Edit Firewall Configuration", the "Apply Configuration" button is shown immediately, although I have not made any further changes.

Is there any log file on which to start looking for clues to the cause of the problem?

Can this problem be somehow connected to the other problem encountered after the upgrade and illustrated in the post http://forum.parallels.com/showthread.php?289800-Subdomain-creation-problem?

Thanks for any advice!
 
Try to find something useful in the logs after clicking the button, with the help of

# plesk log --all
 
Thank you Igor for your assistance!

In /usr/local/psa/admin/logs/panel.log I found a lot of

Code:
2013-08-21T20:52:12+02:00 ERR (3)  [panel]: SQLSTATE[HY000] [1045] Access denied for user 'admin'@'localhost' (using password: YES)
(first occurrence on 2013-08-06)

and a lot of

Code:
2013-08-22T01:17:59+02:00 ERR (3)  [panel]: Error during calculation disk usage for mailnames on service node local : Unable to calculate Maildir++ size: No such file or directory
System error 2: No such file or directory
Unable to calculate Maildir++ size: No such file or directory
System error 2: No such file or directory
(first occurrence on 2012-08-01)

In /usr/local/psa/admin/logs/httpsd_access_log I found

Code:
<my ip> - - [22/Aug/2013:10:53:15 +0200] "POST /plesk/modules/firewall/edit/activate/ HTTP/1.1" 200 5177 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/plesk.php' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:16 +0200] "GET /theme/css/common.css?1375697394 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/theme/css/common.css' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:16 +0200] "GET /theme/css/main.css?1375697394 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/theme/css/main.css' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:16 +0200] "GET /javascript/prototype.js?1375938255 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/prototype.js' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:16 +0200] "GET /theme/css/main-buttons.css?1375697394 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/theme/css/main-buttons.css' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /theme/css/custom.css?1375697394 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/theme/css/custom.css' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /javascript/common.js?1375938254 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/common.js' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /javascript/main.js?1375938254 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/main.js' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /javascript/chk.js?1375938254 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/chk.js' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /javascript/tooltip.js?1375938255 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/tooltip.js' '' '/usr/local/psa/admin/htdocs'
<my ip> - - [22/Aug/2013:10:53:17 +0200] "GET /javascript/jsw.js?1375938254 HTTP/1.1" 304 0 "https://<my server ip>:8443/plesk/modules/firewall/edit/activate/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" "-"'/javascript/jsw.js' '' '/usr/local/psa/admin/htdocs'


In /var/log/sw-cp-server/error_log I found, for different domains,

Code:
2013/08/20 13:24:54 [error] 9290#0: *558 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.72.81, server: , request: "GET /robots.txt HTTP/1.1", host: "www.mcdue.info:8443"
2013/08/20 18:26:55 [error] 9290#0: *564 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.78.116, server: , request: "GET /robots.txt HTTP/1.1", host: "www.certibiz.it:8443"
2013/08/20 19:14:14 [error] 9290#0: *567 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.78.33, server: , request: "GET /robots.txt HTTP/1.1", host: "www.addobbipermatrimoni.it:8443"
2013/08/21 00:55:38 [error] 15100#0: *53 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.78.153, server: , request: "GET /robots.txt HTTP/1.1", host: "brt-motorsport.it:8443"
2013/08/21 13:13:55 [error] 15100#0: *96 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.73.211, server: , request: "GET /robots.txt HTTP/1.1", host: "www.mcdue.info:8443"
2013/08/21 18:59:22 [error] 15100#0: *255 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 157.55.33.146, server: , request: "GET /robots.txt HTTP/1.1", host: "www.mcdue.info"
2013/08/21 20:54:59 [error] 15100#0: *258 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 178.154.160.30, server: , request: "GET /robots.txt HTTP/1.1", host: "www.mcdue.info:8443"
2013/08/22 07:20:31 [error] 7495#0: *199 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.78.33, server: , request: "GET /robots.txt HTTP/1.1", host: "www.addobbipermatrimoni.it:8443"
2013/08/22 07:24:03 [error] 7495#0: *202 open() "/usr/local/psa/admin/htdocs/robots.txt" failed (2: No such file or directory), client: 66.249.78.158, server: , request: "GET /robots.txt HTTP/1.1", host: "cooperativasocialemignanego.it:8443"

In addition I get this

Code:
Results of running Plesk Webserver Configuration Checker

[2013-08-22 10:48:21][INFO] ==> STEP 8: Checking for system users home directories consistency...
[2013-08-22 10:48:21][INFO] There is missing Document Root directory /var/www/vhosts/tatoom.it/sara.tatoom.it for domain sara.tatoom.it on the filesystem for system user tatoom
[2013-08-22 10:48:21][INFO] There is missing Document Root directory /var/www/vhosts/tatoom.it/unitresara.tatoom.it for domain unitresara.tatoom.it on the filesystem for system user tatoom
[2013-08-22 10:48:21][INFO] There is missing Document Root directory /var/www/vhosts/mcdue.net/test for domain test.mcdue.net on the filesystem for system user mcdue
[2013-08-22 10:48:21][WARNING] There are some inconsistencies in the Parallels Plesk Panel system users.
Please check http://kb.parallels.com/113490 for solution and log file /usr/local/psa/tmp/webserver_configuration_issues.log for details.
[2013-08-22 10:48:21][INFO] Result: Warning

I'm not sure this last one is useful for this thread; perhaps it could be useful for my problem with subdomain creation...

Thank you again!
 
Michele,

Is this a virtual machine in a Virtuozzo container? If it is, make sure that the firewall in the VZ Control Panel is disabled. Enabling them both will cause neither of them to work. We noticed that this was happening on some of our clients' VPS servers in the 11.0 series.

If this isn't the case or doesn't work, give us the result of:

iptables -V

and the contents of:

/etc/sysconfig/iptables-config

/usr/local/psa/var/modules/firewall/firewall-active.sh

You can also try manually restarting the firewall for Plesk with:

/etc/init.d/psa-firewall restart
 
Hello TSCADFX!

And thank you for your assistance.

Here is what you asked:

Code:
iptables v1.3.5

/etc/sysconfig/iptables-config (without most of comment texts):

Code:
# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
IPTABLES_STATUS_LINENUMBERS="yes"


and /usr/local/psa/var/modules/firewall/firewall-active.sh is attached (too long to post here). No: for some reason the attachment button pops up a blank-page window.
I'll try to send it to you via PM.

/etc/init.d/psa-firewall restart response:

Code:
psa-firewall: firewall successfully disabled
psa-firewall: service is disabled

Thank you again for your time on this issue!

Michele
 
Michele,

What version and OS are you using? That version of iptables is from 2006.

Are you attempting to track connections of netbios sessions? Seems odd that the module is enabled. If this is something that you didn't intend, I would disable it by changing it to:

IPTABLES_MODULES=""

The file that you sent via PM looks fine. I would normally suggest that you just re-install the firewall extension, but it looks like you have hundreds of blocked IPs. Personally, and possibly for future reference, I would create a file for all of those IP addresses that loads upon start of iptables. This would allow you to diagnose issues more easily and would also make it so that the file could be exported to another machine etc. Either that or just use the iptables save command.

For now, delete that module and let me know what OS you are on, in order to determine whether a safe update to iptables can be done. Also, you never answered if you are in a VZ container.
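
As an added example (not from the thread or from Plesk), the sketch below shows one way to do what the last reply suggests: keep the blocked addresses in their own file and turn that file into iptables-restore input. The chain name BLOCKLIST, the file format (one IPv4 address or CIDR per line, `#` comments) and the sample addresses are assumptions made for the example.

```sh
# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; reject the rest.
is_valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (addr holds only digits and dots)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # no leading zeros (ambiguous octal), at most three digits, <= 255
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_blocklist_rules FILE [CHAIN]: ruleset on stdout, rejected entries on stderr.
build_blocklist_rules() {
    chain=${2:-BLOCKLIST}   # hypothetical chain name, not one Plesk defines
    printf '%s\n' '*filter' ":$chain - [0:0]"
    # strip comments and whitespace, drop empty lines, remove duplicates
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u |
    while read -r entry; do
        if is_valid_ipv4_cidr "$entry"; then
            printf '%s\n' "-A $chain -s $entry -j DROP"
        else
            printf 'skipped invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample blocklist (documentation address ranges only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# one address or CIDR per line
203.0.113.7
198.51.100.0/24   # whole range
203.0.113.7
999.1.1.1
192.0.2.1/33
EOF
build_blocklist_rules "$sample"
rm -f "$sample"
```

The output can be loaded with `iptables-restore --noflush` and takes effect once a rule such as `iptables -I INPUT -j BLOCKLIST` jumps to the chain; both steps are assumptions about how the file would be wired in, not something the thread specifies.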
 