Facebook
Twitter
P
P. Marian
Guest
I have recentlly updated my Plesk Panel installation from version 10.3.1 to 10.4.4. After playing with my Server I have realized that my server is accepting connection to all TCP ports on which I have not explicitly denied access. This situation seems to occur only when "IPv6 Neighbor Discovery" service is ALLOWed to pass the firewall.
Can you please check and eventually provide an update?
---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk 10.4.4, openSUSE 11.4, i386
PROBLEM DESCRIPTION AND STEPS TO REPRODUCE
1) Open plesk, goto Firewall
2) remove all access rules to port <80> (or another port). When I said remove, it means DELETE. Take another port if possible.
3) enable "IPv6 Neighbor Discovery"
4) deny "System policy for incoming traffic"
ACTUAL RESULT
access to port <80> (or another) is allowed !!!
EXPECTED RESULT
access to port <80> should be denied.
ANY ADDITIONAL INFORMATION
it seems that there is no plesk-firewall program anymore, instead plesk interface is settings only the iptables. After checking the commands used to configure the firewall rules, I have realized that after "firewall-active.sh" is created (script which simulates the plesk-firewall), when enabling (ACCEPT) the "IPv6 Neighbor Discovery" settings, we will have something like this:
...
/usr/sbin/iptables -A INPUT -p udp -j ACCEPT/DROP
/usr/sbin/iptables -A INPUT -p tcp -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT/DROP
...
Well, I have reasons to believe, that first two commands are wrong.
--------------------------------------------------------------
Can you please check and eventually provide an update?
---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk 10.4.4, openSUSE 11.4, i386
PROBLEM DESCRIPTION AND STEPS TO REPRODUCE
1) Open plesk, goto Firewall
2) remove all access rules to port <80> (or another port). When I said remove, it means DELETE. Take another port if possible.
3) enable "IPv6 Neighbor Discovery"
4) deny "System policy for incoming traffic"
ACTUAL RESULT
access to port <80> (or another) is allowed !!!
EXPECTED RESULT
access to port <80> should be denied.
ANY ADDITIONAL INFORMATION
it seems that there is no plesk-firewall program anymore, instead plesk interface is settings only the iptables. After checking the commands used to configure the firewall rules, I have realized that after "firewall-active.sh" is created (script which simulates the plesk-firewall), when enabling (ACCEPT) the "IPv6 Neighbor Discovery" settings, we will have something like this:
...
/usr/sbin/iptables -A INPUT -p udp -j ACCEPT/DROP
/usr/sbin/iptables -A INPUT -p tcp -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT/DROP
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT/DROP
...
Well, I have reasons to believe, that first two commands are wrong.
--------------------------------------------------------------
