Issue Firewall disabled?

[Azurel]

Server operating system version

AlmaLinux 8.7

Plesk version and microupdate number

Version 18.0.51 Update #1

I was very long time not in firewall-extension. Something changed here over time for /plesk/modules/firewall/ firewall-extension? I want add a IP-Range to block and see now here a green icon with "Enable Firewall Rules Management", so my firewall is offline? Shocking.

https://cdn.discordapp.com/attachments/352403408264757248/1104041051196493854/image.png

In the past I also had a custom rule in here that was supposed to block all incoming traffic for different ip/ranges, this custom rule has disappeared.

I checked the manual (Plesk for Linux) The Plesk Firewall and I see the hint with firewalld:

Caution: Both the Plesk Firewall and firewalld are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.

so I checked it

# firewall-cmd --state
running

Okay, the server use now firewalld, but why is there (in GUI) no hint that firewalld is instead runnging? Thats very tricky for me. My first panic thinking was to click and enable firewall again, but I should not, because firewalld is here running? Is there no GUI in plesk for firewalld and his rules?

I read that firewall-extension get in version 52 a country block, only possible with firewall-extension not firewalld?

I'm super lost here. What happend here, why I now with firewalld, why my custom rule is gone? Can I switch back safely? How?

Which one is better? firewalld or firewall-extension?

 

[Peter Debik]

Please update to the latest version of the firewall extension. The issue has been fixed in it. It's available for update since last night.

 

[Peter Debik]

I am not sure about the other issue you describe that existing rules have changed. There have not been such reports here. The only change that was brought about was that Plesk Firewall is not a component any longer, but an extension. But the content should not have changed.

 

[Azurel]

Thank for your answer, however, I do not fully understand them

I updated today to Version 52 and now firewall extension is version 2.0.2 and look little different, but in the end it is still disabled and firewalld is running.

Its confusing that firewall extension nothing say for what it is, because firewalld is probably not recognized and not managed with it and nothing indicates that.

 

[VNick]

There's quite a few system firewall implementations out there. Plesk Firewall extension works only with iptables or those that provide compatibility layer for iptables (such as nft). Other implementations (such as firewalld) should be turned off before enabling Plesk Firewall.

 

[Azurel]

Okay, but what is now the best way to change back to iptables (firewall extension)? For example: What about Fail2ban? Isn't that connected to firewalld? I have in fail2ban nearly 3000 banned ips. What happens to this banned ips if I change the firewall now?

What would be the steps to check and do now?

Only stop and disable firewalld and after this start plesk firewall in gui?
1. # firewall-cmd stop && firewall-cmd disable
2. Start Plesk Firewall in GUI?

 

[VNick]

fail2ban in default configuration doesn't work well with non-iptables firewalls anyway.

Loosing bans from fail2ban is not critical, since all of the bans are temporary anyway. And recent versions of fail2ban persist them, so if you need to restore lost bans, just restart the fail2ban service.

Stopping and disabling via systemctl would be sufficient. See the RH article. Then just enable Plesk Firewall via GUI.

 

[Azurel]

There are mainly many bans that are set via custom jails and ban for months. So they were inserted manually a lot. Losing them would not be so optimal.

And recent versions of fail2ban persist them

That would be great. The version that is currently available in plesk?

Installed is Fail2ban 0.11.2-2.redhat.8+p18.0.53.0+t230424.1457 in Plesk Version 52

 

[sergej-wv]

Hello,

please correct me If I am wrong but to my knowledge fail2ban preserves the banned IP addresses across restart. I tested it by stopping and starting the fail2ban service (not restart). Therefor I would suggest to go ahead.
As a backup method you can save the firewalld rules using the iptables-save command to a file. Firewalld uses iptables in background. Might also work with nftables because it has a legacy interface for iptables rules.
A possible way could be:

systemctl stop firewalld
systemctl disable firewalld
# safety measure
systemctl mask firewalld

Then enable the Plesk extension and restart fail2ban. If you have custom firewall rules you have to merge these by hand after Plesk takes the control over.

 

[VNick]

please correct me If I am wrong but to my knowledge fail2ban preserves the banned IP addresses across restart

Yes, recent versions (including the one shipped with Plesk Obsidian) do this.

There are mainly many bans that are set via custom jails and ban for months. So they were inserted manually a lot.

Seems like a misuse of fail2ban. Why not just use firewall for that (if these bans are effectively persistent)?