
Firewall not working as expected

RaymondR

New Pleskian
I have two identical installations of Plesk 12.5 which have the same unexpected, reproducible firewall behaviour:

Version Plesk v12.5.30_build1205150826.19 os_CentOS 7
OS CentOS Linux 7.1.1503 (Core)

  1. I always add full access for my company IP address to the firewall rules, so under Firewall I add a custom rule:
    1. Match incoming
    2. Action allow
    3. Ports (leave empty) so any port is allowed
    4. IP addresses or network: 1.2.3.4/29 (I have a subnet of 8 IP addresses at my office, so I add that)
    When I do this, I have full access from 1.2.3.4/29 on all ports, so that works; only, after adding this rule, all IP addresses which are not in 1.2.3.4/29 don't have access anymore to ports that are defined as allow. For example, the default rule
    WWW server Allow incoming from all
    is not working anymore; nobody can visit websites anymore except from within the 1.2.3.4/29 range.
    As a workaround I now edited the default rule to only apply to 1.2.3.4/29, for example
    SSH (secure shell) server Allow incoming from 1.2.3.4/29
  2. I cannot get passive FTP to work with the firewall on.
    1. In my /etc/proftpd.conf I have this set:
      # Use the IANA registered ephemeral port range
      PassivePorts 49152 65534
    2. I have added firewall rule:
      PASSIVE FTP Allow incoming from all on port 49152-65534/tcp
    3. I cannot connect using these settings.
    4. When I change this default rule
      System policy for incoming traffic Deny all other incoming traffic
      to System policy for incoming traffic Allow all other incoming traffic
    5. I can connect to FTP.

What is going wrong????

My current active Plesk Firewall config is (my priority is to solve problem #2) (for now I don't have full access to 1.2.3.4/29 enabled because that one blocks access to the outside world).


Code:
PASSIVE FTP    Allow incoming from all on port 49152-65534/tcp
TLS 587    Allow incoming from all on port 587/tcp
ZABBIX    Allow incoming from all on port 10050/tcp
Customer & Business Manager payment gateways    Allow incoming from all
Single Sign-On    Allow incoming from all
Plesk Installer    Allow incoming from all
Plesk administrative interface    Allow incoming from all
WWW server    Allow incoming from all
FTP server    Allow incoming from all
SSH (secure shell) server    Allow incoming from 1.2.3.4/29
SMTP (submission port) server    Allow incoming from all
SMTP (mail sending) server    Allow incoming from all
POP3 (mail retrieval) server    Allow incoming from all
IMAP (mail retrieval) server    Allow incoming from all
Mail password change service    Allow incoming from all
MySQL server    Allow incoming from 1.2.3.4/29
PostgreSQL server    Deny incoming from all
Tomcat administrative interface    Deny incoming from all
Samba (file sharing in Windows networks)    Deny incoming from all
Plesk VPN    Deny incoming from all
Domain name server    Allow incoming from all
IPv6 Neighbor Discovery    Allow incoming from all
Ping service    Allow incoming from all
System policy for incoming traffic    Deny all other incoming traffic
System policy for outgoing traffic    Allow all other outgoing traffic
System policy for forwarding of traffic    Deny forwarding of all other traffic

This is how iptables -L looks like with this config;

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:49152:65534
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8447
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:cddbp-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  1.2.3.4/29  anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:poppassd
ACCEPT     tcp  --  1.2.3.4/29  anywhere             tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere             tcp dpt:postgres
DROP       tcp  --  anywhere             anywhere             tcp dpt:ogs-server
DROP       tcp  --  anywhere             anywhere             tcp dpt:glrpc
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FWDI_public (0 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (0 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination
 
I've had similar issues and discovered that after every reboot I had to manually restart psa-firewall in ssh via...

# /etc/init.d/psa-firewall restart

Likewise sometimes I had to do the same with 'named' as this sometimes would not load after reboot as I could not get the DNS running. I've had the issue on 2 servers.
 
I ran into this, too. With Plesk 12.5, when you add a rule allowing access to specific IP addresses, Plesk has started inserting a trailing rule saying to reject that access to anyone else. For example, in pseudo-code, granting access to port 22 for IP address 1.2.3.4 used to look like this:

Grant 1.2.3.4 access to port 22

But now looks like this:

Grant 1.2.3.4 access to port 22
Deny everyone else access to port 22

I guess those are harmless generally, but if you have a rule saying to allow a specific IP address to *everything* this also now generates a trailing rule to reject anyone else to *everything*. This occurs even if a following rule says to grant access. To expand on the above example, what used to look like:

Grant 6.7.8.9 access to everything
Grant 1.2.3.4 access to port 22

now looks like:

Grant 6.7.8.9 access to everything
Deny everyone else access to everything
Grant 1.2.3.4 access to port 22
Deny everyone else access to port 22

In this case, 1.2.3.4 gets rejected for access to port 22 because the second rule preempts the third rule. Essentially, with the new Plesk version, you can't write rules allowing access to everything to specific IPs unless that one rule is supposed to cover all access of any kind on the machine.

As a matter of personal opinion, I think that was a thoroughly clueless change to make.
 
I made a support case, it is confirmed to be a bug:

Response from Odin

Here, I have tried to add a new rule to allow all ports to our local IP 1.2.3.4. Then the firewall rules look as below:

+++++++++++

[root@hosting ~]# iptables -nL --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
5 ACCEPT udp -- 1.2.3.4/29 0.0.0.0/0
6 DROP udp -- 0.0.0.0/0 0.0.0.0/0

Corresponding rule is:
-A INPUT -s 1.2.3.4/29 -p udp -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -s 1.2.3.4/29 -p tcp -j ACCEPT
-A INPUT -p tcp -j DROP

+++++++++++

These rules mean that connections to the server are allowed only from the particular IP range (1.2.3.4/29) and all others are filtered at the server. If we add any rule after this, then due to the priority of the DROP rule, all of it will get dropped at the server.

It is due to this that you are not able to access the server or any services from other locations after adding the rule for 1.2.3.4/29. We have already notified our Plesk service team of this issue and created a bug for the same. The bug ID is PPPM-3499.

Currently, our Plesk Service Team is working on this issue. However, there is no exact ETA, because our service team is still working on it.



As a workaround for this issue I would suggest you remove the DROP rule manually from the server backend. You can follow the steps below to delete the DROP rule.

+++++++++++++

1) Find the iptables rules with line numbers using the command

>>>>> iptables -nL --line-numbers

2) Find the iptables chain (INPUT/OUTPUT/FORWARD) and the line number of the DROP rule from the above result

3) Use the following command to delete the DROP rule

>>>>> iptables -D INPUT 6

Here the 6th rule in the INPUT chain is the DROP rule.
+++++++++++++
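The two posts above describe the same mechanism from two sides: a "deny everyone else to everything" rule inserted directly after the allow-from-1.2.3.4/29 rule shadows every allow rule placed later in the chain, and the support reply shows the resulting `-A INPUT -p tcp -j DROP` lines and the `iptables -D` workaround. The following is an added example, not code from this thread, from Plesk or from Odin support: a small Python model of first-match chain evaluation over `iptables -S` style lines, a check that reports rules that can never fire because an earlier terminal rule covers them, and the `iptables -D CHAIN N` commands the workaround needs. The rule list is constructed for illustration (modelled on the support reply plus one later WWW allow rule) and nothing here touches a live firewall; the option subset the parser understands is an assumption made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None                     # "tcp", "udp" or None (any)
    source: Optional[ipaddress.IPv4Network] = None  # None = any source
    dport: Optional[Tuple[int, int]] = None         # inclusive range, None = any port


def parse_rule(line: str) -> Rule:
    """Parse one `iptables -S` style line such as
    '-A INPUT -s 1.2.3.4/29 -p tcp -m tcp --dport 22 -j ACCEPT'.
    Only the options this illustration needs are understood (assumption)."""
    tok = line.split()
    chain = target = proto = None
    source = dport = None
    i = 0
    while i < len(tok):
        if i + 1 >= len(tok):
            raise ValueError(f"dangling option {tok[i]!r} in {line!r}")
        opt, val = tok[i], tok[i + 1]
        if opt == "-A":
            chain = val
        elif opt == "-s":
            source = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            proto = val
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            dport = (int(lo), int(hi or lo))
        elif opt == "-j":
            target = val
        elif opt != "-m":  # "-m tcp" carries no match data we need here
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    if chain is None or target is None:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    return Rule(chain, target, proto, source, dport)


def matches(rule: Rule, proto: str, src: str, port: int) -> bool:
    if rule.proto and rule.proto != proto:
        return False
    if rule.source and ipaddress.ip_address(src) not in rule.source:
        return False
    if rule.dport and not rule.dport[0] <= port <= rule.dport[1]:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, src: str, port: int, policy: str = "DROP") -> str:
    """First-match semantics: the first matching terminal rule decides;
    if none matches, the chain policy applies (policy DROP, as in the thread)."""
    for r in rules:
        if r.target in TERMINAL and matches(r, proto, src, port):
            return r.target
    return policy


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet `narrow` could match is also matched by `broad`."""
    if broad.proto and broad.proto != narrow.proto:
        return False
    if broad.source and (narrow.source is None or not narrow.source.subnet_of(broad.source)):
        return False
    if broad.dport and (narrow.dport is None or not
                        (broad.dport[0] <= narrow.dport[0] and narrow.dport[1] <= broad.dport[1])):
        return False
    return True


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(earlier, later) index pairs where the later rule can never fire because
    an earlier terminal rule already covers everything it could match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].target in TERMINAL and covers(rules[i], later):
                found.append((i, j))
                break
    return found


def blanket_drops(rules: List[Rule]) -> List[int]:
    """Indices of DROP rules with no source and no port restriction: the trailing
    'deny everyone else to everything' rules this thread is about."""
    return [i for i, r in enumerate(rules)
            if r.target == "DROP" and r.source is None and r.dport is None]


def delete_commands(rules: List[Rule]) -> List[str]:
    """`iptables -D CHAIN N` for each blanket DROP, highest rule number first so
    the remaining numbers stay valid while deleting (numbers are 1-based)."""
    return [f"iptables -D {rules[i].chain} {i + 1}" for i in reversed(blanket_drops(rules))]


def without_blanket_drops(rules: List[Rule]) -> List[Rule]:
    gone = set(blanket_drops(rules))
    return [r for i, r in enumerate(rules) if i not in gone]


# Constructed rule list modelled on the support reply, plus the WWW allow rule
# that Plesk places later in the chain.
RULES = [parse_rule(l) for l in """
-A INPUT -s 1.2.3.4/29 -p udp -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -s 1.2.3.4/29 -p tcp -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
""".strip().splitlines()]

if __name__ == "__main__":
    print("shadowed (earlier, later):", shadowed_rules(RULES))
    print("9.9.9.9 -> :80 before workaround:", evaluate(RULES, "tcp", "9.9.9.9", 80))
    print("workaround:", delete_commands(RULES))
    print("9.9.9.9 -> :80 after workaround:",
          evaluate(without_blanket_drops(RULES), "tcp", "9.9.9.9", 80))
```

Running it shows the WWW rule at index 4 reported as shadowed by the `-p tcp -j DROP` at index 3, an outside visitor to port 80 dropped before the workaround and accepted after it, while port 22 from outside still falls through to the chain policy. The same `shadowed_rules` check can be run over the real `iptables -S INPUT` output after any Plesk firewall change to confirm nothing the rule set is supposed to allow has been made unreachable.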
 
Thanks for the info. My apologies to the Plesk developers for my prior opinion. They weren't clueless; they just made a coding mistake. We all do that.
 
Click Add or Remove Components on the homepage of Plesk; it should launch you into a new window with the upgrade available. Otherwise (we did this on a couple) Tools & Settings > Updates and Upgrades.

The update takes about 10 minutes and looks like it's finished at one point with a congratulations; we let it run on and eventually it completed.
 
Here "Install or Upgrade Product: Install a new product or upgrade an existing one" stays grayed out after going in via Tools & Settings > Updates and Upgrades.
 