
Firewall Module on Plesk 8.3.0

parallelandy

Guest
I have just purchased a VPN solution from a service provider and am using Plesk 8.3 and Virtuozzo.

In the modules section of the Plesk admin - it lists the installed firewall module.

1. How good is the firewall module on Plesk? Is a hardware firewall outside of the machine any better? I am only doing simple operations on the server - mainly being used as a www web server.

2. Here is my firewall setup. I use the server as a very simple web server. Some web pages send mail using PHP and the SMTP mail server.

Is my configuration here the best configuration in terms of balance and security access?
Also, if I deny access to the Plesk control panel and SSH - would I completely lose contact with the server with no hope of restoration?

PLESK FIREWALL SETUP


Plesk administrative interface - Allow incoming from all
I am keeping this allowed so that I do not lose access to Plesk control.
If Plesk and SSH were to be turned off, I would technically lose all access to the server?

WWW server - Allow incoming from all
Allowed because I am serving web pages.


FTP server - Allow incoming from all
Allowed because I need to FTP web pages from different networks.


SSH (secure shell) server - Allow incoming from all
Allowed because sometimes I access the server via the shell. I need access from wherever I am.


SMTP (submission port) server - Allow incoming from all
I do not send out emails but my website does - so I am keeping this allowed.


SMTP (mail sending) server - Allow incoming from all
I do not send out emails but my website does - so I am keeping this allowed.


POP3 (mail retrieval) server - Deny incoming from all
I do not use this server as a mail server. Therefore I have denied it.

IMAP (mail retrieval) server - Deny incoming from all
I do not use this server as a mail server. Therefore I have denied it.

Mail password change service - Deny incoming from all
I do not use this server as a mail server. Therefore I have denied it.


MySQL server - Allow incoming from all
Plesk requires the MySQL database - so I think I need to keep this alive.


PostgreSQL server - Deny incoming from all
Not needed - not used

Tomcat administrative interface - Deny incoming from all
Not needed - not used


Samba (file sharing in Windows networks) Deny incoming from all
Not needed - not used

Plesk VPN Allow incoming from all
What is this? - I don't think I need it.

Domain name server Deny incoming from all
Not needed - not used - another machine does my dns

Ping service Deny incoming from all
Not needed - not used




Thanks

al
 
A hardware firewall running separately may have some interesting extra features, like DDoS mitigation and possibly some form of intelligence that might detect port scans, known attack signatures and so on.

I have no knowledge on the subject of such hardware firewalls -- I'd love to have some views on that.

But back to using software firewalls -- there's nothing wrong with the Plesk one - it basically just helps you automatically configure iptables, which is a built-in firewall "building-block" technology in Linux.

And back to your configuration.....

The Plesk Firewall, by default, only stops data from getting in to your server.

This means you can close smtp if it never receives email from outside. Similarly MySQL.

There's one other thing though --- the final rule in Plesk, which is the default policy for all other ports, by default is set to allow. You should really set this to deny. This may cause problems with FTP if you have a Mac though (you can get round it but....)

And yes, if you make a mistake and lock yourself out somehow, you'll need someone at your data centre to log in locally to your box and flush the firewall for you.

The alternative is to install something like APF (Advanced Policy Firewall) which has no GUI but is much more useful/functional.

Faris.
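The policy Faris describes, written out by hand as an added example (this is not code from the thread, and it is not what the Plesk firewall module itself generates): an iptables INPUT chain for the poster's use case, with SSH, web and FTP open, mail and MySQL reachable only over loopback so PHP's mail() and Plesk's own database connection keep working, a final DROP policy instead of the default allow, and a timed rollback so a mistake does not end with a call to the data centre. The port numbers (8443 for the panel), file paths and the 300-second window are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the thread or from Plesk: a hand-written iptables INPUT
# policy for a web server that sends mail via its local MTA, with a default-deny
# final policy and a timed rollback against locking yourself out.
# Port list, paths and timings are assumptions for the example.

ALLOW_TCP="${ALLOW_TCP:-22 80 443 21}"   # SSH, HTTP, HTTPS, FTP control
ADMIN_TCP="${ADMIN_TCP:-8443}"           # Plesk panel (assumed port)
ADMIN_SRC="${ADMIN_SRC:-0.0.0.0/0}"      # everywhere, as in the post; narrow it if your IP is static
BACKUP="${BACKUP:-/tmp/iptables.before}"
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"

# emit_rules prints the iptables commands instead of running them, so the policy
# can be reviewed (or tested) before it is applied with:  sh fw.sh emit | sh
emit_rules() {
    ports="$1"
    # Open the policy BEFORE flushing: flushing with DROP already set would cut
    # the SSH session you are typing in off on the spot.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback: PHP mail() -> local SMTP and Plesk -> local MySQL both stay on
    # 127.0.0.1, so ports 25/587 and 3306 need no rule for outside traffic.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to the box's own outbound connections (DNS lookups, outgoing SMTP).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Passive-mode FTP data connections only count as RELATED with the helper loaded.
    echo "modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp"
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $ADMIN_TCP -s $ADMIN_SRC -m state --state NEW -j ACCEPT"
    # Everything else, ping included (the poster denied it), falls to the policy.
    echo "iptables -P INPUT DROP"
}

# apply_with_rollback saves the running rules, loads the new ones, and restores
# the saved set after ROLLBACK_SECS unless `confirm` is run from a session that
# still works: the software equivalent of having a hand at the console.
apply_with_rollback() {
    iptables-save > "$BACKUP"
    emit_rules "$ALLOW_TCP" | sh
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
    echo "rules applied; run '$0 confirm' within $ROLLBACK_SECS s to keep them"
}

confirm() {
    kill "$(cat "$BACKUP.pid")" && rm -f "$BACKUP.pid" && echo "rollback cancelled"
}

case "${1:-}" in
    emit)    emit_rules "$ALLOW_TCP" ;;
    apply)   apply_with_rollback ;;
    confirm) confirm ;;
esac
```

Run `sh fw.sh emit` to read the rule set, `sh fw.sh apply` as root to load it, then open a fresh SSH session and run `sh fw.sh confirm` from there; if the new session cannot connect, wait out the window and the old rules come back on their own. The ordering inside emit_rules is the part worth keeping even if you stay with the Plesk module: policy to ACCEPT, flush, loopback and established-state rules, then the per-port rules, and only then the policy to DROP.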
 