When I install the firewall module (Plesk 10.3.1 with the all micro updates applied) and set the 'System policy for incoming traffic' to 'Allow incoming from all' then the end of the generated firewall script looks like this:
It looks like all udp and tcp traffic is dropped (/sbin/iptables -A INPUT -p udp -j DROP and /sbin/iptables -A INPUT -p tcp -j DROP) before 'all other traffic' is allowed (/sbin/iptables -A INPUT -j ACCEPT), which doesn't leave too much 'other traffic'.
I guess this is a bug in the Plesk firewall module or am I misunderstanding this setting?
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -j DROP
/sbin/iptables -A INPUT -p tcp -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j DROP
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT
/sbin/iptables -A INPUT -j ACCEPT
/sbin/ip6tables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/ip6tables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/ip6tables -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
#
# End of script
#
It looks like all udp and tcp traffic is dropped (/sbin/iptables -A INPUT -p udp -j DROP and /sbin/iptables -A INPUT -p tcp -j DROP) before 'all other traffic' is allowed (/sbin/iptables -A INPUT -j ACCEPT), which doesn't leave too much 'other traffic'.
I guess this is a bug in the Plesk firewall module or am I misunderstanding this setting?
Last edited: