Firewall module ignores system policy for incoming traffic

breun

Golden Pleskian
When I install the firewall module (Plesk 10.3.1 with the all micro updates applied) and set the 'System policy for incoming traffic' to 'Allow incoming from all' then the end of the generated firewall script looks like this:

/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

/sbin/iptables -A INPUT -p udp -j DROP
/sbin/iptables -A INPUT -p tcp -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j DROP
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j DROP

/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

/sbin/iptables -A INPUT -j ACCEPT
/sbin/ip6tables -A INPUT -j ACCEPT

/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/ip6tables -A OUTPUT -j ACCEPT

/sbin/iptables -A FORWARD -j DROP
/sbin/ip6tables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
#
# End of script
#

It looks like all udp and tcp traffic is dropped (/sbin/iptables -A INPUT -p udp -j DROP and /sbin/iptables -A INPUT -p tcp -j DROP) before 'all other traffic' is allowed (/sbin/iptables -A INPUT -j ACCEPT), which doesn't leave too much 'other traffic'.

I guess this is a bug in the Plesk firewall module, or am I misunderstanding this setting?
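To make the ordering problem concrete, here is a small first-match simulator for the INPUT chain, added as an illustration and not part of the original post or of Plesk's code. It parses the quoted rule lines (embedded below as constructed sample input, ICMP-type matching left out), applies iptables' "first matching rule wins" semantics to a few sample packets, and compares the result with the same chain minus the protocol-wide DROP lines, which is what 'Allow incoming from all' would be expected to produce.

```python
import re

# Constructed sample: the INPUT-chain lines from the generated script, in script order.
GENERATED_INPUT_RULES = """
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -j DROP
/sbin/iptables -A INPUT -p tcp -j DROP
/sbin/iptables -A INPUT -j ACCEPT
"""


def parse_rules(script):
    """Turn '/sbin/iptables -A INPUT ...' lines into (proto, dport, target) tuples."""
    rules = []
    for line in script.strip().splitlines():
        if not line.startswith("/sbin/iptables -A INPUT"):
            continue
        proto = re.search(r"-p (\w+)", line)
        dport = re.search(r"--dport (\d+)", line)
        target = re.search(r"-j (\w+)", line).group(1)
        rules.append((proto.group(1) if proto else None,
                      int(dport.group(1)) if dport else None,
                      target))
    return rules


def verdict(rules, proto, dport=None):
    """iptables semantics: the first rule whose match fields fit the packet decides."""
    for rule_proto, rule_port, target in rules:
        if rule_proto not in (None, proto):      # -p given and it differs
            continue
        if rule_port is not None and rule_port != dport:  # --dport given and it differs
            continue
        return target
    return "POLICY"  # nothing matched; the chain's default policy applies


def without_protocol_wide_drops(rules):
    """The chain the poster expected: the bare '-p udp/tcp -j DROP' lines removed."""
    return [r for r in rules
            if not (r[0] in ("tcp", "udp") and r[1] is None and r[2] == "DROP")]


RULES = parse_rules(GENERATED_INPUT_RULES)

if __name__ == "__main__":
    fixed = without_protocol_wide_drops(RULES)
    for proto, port in (("tcp", 53), ("tcp", 80), ("udp", 123), ("icmp", None)):
        print(f"{proto}/{port}: generated={verdict(RULES, proto, port)}  "
              f"without_drops={verdict(fixed, proto, port)}")
```

With the generated order, TCP port 80 and UDP port 123 never reach the final catch-all ACCEPT; only DNS and non-TCP/UDP traffic get through.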