Issue Firewall disabled?

Azurel

Silver Pleskian
Server operating system version
AlmaLinux 8.7
Plesk version and microupdate number
Version 18.0.51 Update #1
I have not been in the firewall extension for a very long time. Has something changed over time in the /plesk/modules/firewall/ firewall extension? I want to add an IP range to block and now see a green icon here with "Enable Firewall Rules Management", so my firewall is offline? Shocking.

In the past I also had a custom rule in here that was supposed to block all incoming traffic for different ip/ranges, this custom rule has disappeared.

I checked the manual (Plesk for Linux) The Plesk Firewall and I see the hint with firewalld:
Caution: Both the Plesk Firewall and firewalld are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.
So I checked it:
# firewall-cmd --state
running

Okay, the server now uses firewalld, but why is there no hint (in the GUI) that firewalld is running instead? That's very tricky for me. My first panicked thought was to click and enable the firewall again, but I should not, because firewalld is running here? Is there no GUI in Plesk for firewalld and its rules?

I read that the firewall extension gets a country block in version 52; is that only possible with the firewall extension, not firewalld?

I'm super lost here. What happened here, why am I now on firewalld, why is my custom rule gone? Can I switch back safely? How?

Which one is better? firewalld or firewall-extension?
 
Please update to the latest version of the firewall extension. The issue has been fixed in it. It's available for update since last night.
 
I am not sure about the other issue you describe that existing rules have changed. There have not been such reports here. The only change that was brought about was that Plesk Firewall is not a component any longer, but an extension. But the content should not have changed.
 
Thanks for your answer, however, I do not fully understand it :)

I updated today to Version 52 and now the firewall extension is version 2.0.2 and looks a little different, but in the end it is still disabled and firewalld is running.

It's confusing that the firewall extension says nothing about what it is for, because firewalld is probably not recognized and not managed by it, and nothing indicates that.
 
There are quite a few system firewall implementations out there. The Plesk Firewall extension works only with iptables or those that provide a compatibility layer for iptables (such as nft). Other implementations (such as firewalld) should be turned off before enabling Plesk Firewall.
 
Okay, but what is now the best way to change back to iptables (firewall extension)? For example: What about Fail2ban? Isn't that connected to firewalld? I have nearly 3000 banned IPs in fail2ban. What happens to these banned IPs if I change the firewall now?

What would be the steps to check and do now?

Only stop and disable firewalld and after this start plesk firewall in gui?
1. # firewall-cmd stop && firewall-cmd disable
2. Start Plesk Firewall in GUI?
 
fail2ban in default configuration doesn't work well with non-iptables firewalls anyway.

Losing bans from fail2ban is not critical, since all of the bans are temporary anyway. And recent versions of fail2ban persist them, so if you need to restore lost bans, just restart the fail2ban service.

Stopping and disabling via systemctl would be sufficient. See the RH article. Then just enable Plesk Firewall via GUI.
 
There are mainly many bans that are set via custom jails and ban for months. So they were inserted manually a lot. Losing them would not be so optimal.

And recent versions of fail2ban persist them
That would be great. The version that is currently available in plesk?

Installed is Fail2ban 0.11.2-2.redhat.8+p18.0.53.0+t230424.1457 in Plesk Version 52
 
Hello,

Please correct me if I am wrong, but to my knowledge fail2ban preserves the banned IP addresses across restarts. I tested it by stopping and starting the fail2ban service (not restart). Therefore I would suggest going ahead.
As a backup method you can save the firewalld rules to a file using the iptables-save command. Firewalld uses iptables in the background. It might also work with nftables because it has a legacy interface for iptables rules.
A possible way could be:
systemctl stop firewalld
systemctl disable firewalld
# safety measure
systemctl mask firewalld
Then enable the Plesk extension and restart fail2ban. If you have custom firewall rules, you have to merge these by hand after Plesk takes over control.
 
please correct me If I am wrong but to my knowledge fail2ban preserves the banned IP addresses across restart
Yes, recent versions (including the one shipped with Plesk Obsidian) do this.
There are mainly many bans that are set via custom jails and ban for months. So they were inserted manually a lot.
Seems like a misuse of fail2ban. Why not just use firewall for that (if these bans are effectively persistent)?
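
One way to check that long-running bans survived the switch from firewalld to the Plesk Firewall, as an added example that is not part of any post in this thread: it compares two `iptables-save` dumps taken before and after the change and lists the fail2ban bans that did not come back. It assumes fail2ban is using its iptables actions, whose chains are named `f2b-<jail>`; the jail names and addresses in the sample dumps are constructed.

```shell
#!/bin/sh
# On a real server: run `iptables-save > before.rules` before stopping firewalld,
# `iptables-save > after.rules` after enabling Plesk Firewall and restarting
# fail2ban, then `missing_bans before.rules after.rules`.

# Print "jail address" for every source-matched rule in an f2b-* chain.
# Assumption: fail2ban's iptables actions create chains named f2b-<jail>.
f2b_bans() {
    awk '$1 == "-A" && $2 ~ /^f2b-/ {
             for (i = 3; i < NF; i++)
                 if ($i == "-s") {
                     sub(/\/32$/, "", $(i + 1))   # single hosts: drop the /32
                     print substr($2, 5), $(i + 1)
                 }
         }' "$1" | LC_ALL=C sort -u
}

# Print bans present in the "before" dump ($1) but absent from "after" ($2).
missing_bans() {
    tmp=$(mktemp) || return 1
    f2b_bans "$2" > "$tmp"
    # grep exits 1 when nothing is missing; that is not an error here.
    f2b_bans "$1" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# Constructed sample dump: one range ban from a hypothetical custom jail
# ("plesk-custom") and two single-host bans from an "ssh" jail.
sample_before() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:f2b-plesk-custom - [0:0]
:f2b-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A f2b-plesk-custom -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-ssh -j RETURN
COMMIT
EOF
}

# Constructed "after" dump: the custom-jail ban and one ssh ban are gone.
sample_after() {
    sample_before | grep -v -e '203\.0\.113\.9' -e 'plesk-custom'
}
```

Any line printed by `missing_bans` is a ban to re-add by hand, or to move into a permanent firewall rule if it is meant to last for months.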
 