Resolved No Firewall changes possible with 18.0.52

[Liwindo]

Server operating system version

Ubuntu 20.04.6 LTS

Plesk version and microupdate number

Plesk Obsidian v18.0.52_build1800230421.10 os_Ubuntu 20.04

Hi all,
after the upgrade to 18.0.52 I tried to confirm the Firewall changes but I get always the following issue:


Also deleting all manual added rules and just deploying the standard settings is no longer possible.
Anyone else with the same issue?

 

[Liwindo]

After deleting the app the standard could be applied again but any changes end with the same error message.

 

[scsa20]

Is Ubuntu's firewall or firewalld enabled? (Since you're using ubuntu you shouldn't have firewalld but you might want to check to make sure).

basically check by connecting via ssh and check with:

sudo ufw status
sudo systemctl status firewalld

If any of them is active/on, disable it

sudo ufw disable
sudo systemctl stop firewalld
sudo systemctl disable firewalld

Those other firewalls can cause conflicts with how the iptables are applied when used with plesk firewalls (since firewalld also applies iptables, ufw does things a bit differently but basically same concept and can still cause conflicts).

 

[Liwindo]

For the ufw command I got that it could not be found and for firewalld: "Unit firewalld.service could not be found".

 

[Liwindo]

Copying the generated script and executing it via root is working, afterwards the Firewall is also able to be activated via GUI again and all rules are present in iptables. But any change in the GUI creates the same error again and iptables is afterwards flushed.

 

[Liwindo]

But if adding any change to the configured script, e.g. denying MySQL access from outside the activating in the GUI isn't working while executing it via Script is. So I'm pretty sure at this point that it's a bug. But since I have no idea what kind of log files are related to that I can't create a meaningful bug report.

 

[Kaspar]

Having a dysfunctional firewall isn't particular helpful in protecting your server of course. Best suggestion I can give is to contact Plesk support so they can investigate the issue on your server directly.

 

[VNick]

Firewall 2.0.2 was released. It includes a number of improvements to address activation issues you've encountered. See also its changelog for instructions on increasing confirmation timeout in case simple extension update will not resolve the issue in your case.

The root cause in each investigated case was not in the Firewall itself, but in some other issue on the server - typically an excessively slow service restart or slow iptables operation. It's best to resolve them as well.

 

[Liwindo]

I can confirm that it is now working for me. Thx for fixing it. Please focus for upcomming versions to overcome the manual approch for running services like SSH on a different port.

 

[PeterKi]

I am faced with the same problem.
This thread says resolved but: What is the solution?
I am running SSH on a different port for security reasons, and I haven't changed the firewall config for more than a month.
With the latest update, the GUI has changed to become worse and I cannot do any changes to the firewall anymore.
I did increase the timeout to 20 seconds in panel.ini, but it did not help.
If I run iptables -L -n I even do not see any of my rules from the plesk GUI.
There is a warning from the above command saying: Warning: iptables-legacy tables present, use iptables-legacy to see them
But iptables-legacy -L -n does not show any rules at all.

 

[PeterKi]

Things have become even worse after I did find https://support.plesk.com/hc/en-us/...irewall-rules-management-has-not-been-enabled
I did remove and re-install the firewall component and now the firewall admin page is not even found anymore.
I also did a reboot of my Ubuntu 22.04.2 LTS server.
A click on the search results for 'firewall' always comes back with an error page
Server Error

404 Page Not Found​

This page either doesn't exist, or it moved somewhere else.
Need help resolving the issue? Visit Plesk Help Center.
That's what you can do

 

[Peter Debik]

This thread says resolved but: What is the solution?

The initial topic of the thread was solved by updating the extension to the latest version.

 

[PeterKi]

Strange !
As I wrote I have removed and installed the firewall extension so I guess I have the latest extension in place but now I do not even get the firewall GUI page anymore.

 

[Peter Debik]

Things have become even worse after I did find https://support.plesk.com/hc/en-us/...irewall-rules-management-has-not-been-enabled
I did remove and re-install the firewall component and now the firewall admin page is not even found anymore.
I also did a reboot of my Ubuntu 22.04.2 LTS server.
A click on the search results for 'firewall' always comes back with an error page
Server Error

404 Page Not Found​

This page either doesn't exist, or it moved somewhere else.
Need help resolving the issue? Visit Plesk Help Center.
That's what you can do

When you go to the "Extensions" menu and > "My Extension", do you see the Firewall extension listed there? If not have you tried to add it through extensions search?

 

[PeterKi]

What I did from the given support thread was
plesk installer remove --components psa-firewall
plesk installer add --components psa-firewall
and after your post, I also went to the extension catalog and installed the firewall extension from there.
This brought back the GUI, but the initial error is still there.
I. e. I cannot activate the firewall which always comes back with:
Failed to apply the firewall configuration.

• Command '['/usr/local/psa/var/modules/firewall/firewall-new.sh']' timed out after 19.999517679214478 seconds

 

[Peter Debik]

Do you have firewalld running on your system? Can you disable that?

 

[PeterKi]

Update:
I did copy the script which was shown in the web gui into /tmp/firewall.sh and ran it from the ssh console.
Result was that my server became inaccessible from ssh and from the plesk gui and I am now in the process of restoring it from the latest backup on yesterday 22:00

 

[Kaspar]

Strange !
[...]

Not really. The topic was marked solved as the initial issue posted by the topic starter was solved. Your issue might be similar but may require a different solution to solve.

[...]
Failed to apply the firewall configuration.

• Command '['/usr/local/psa/var/modules/firewall/firewall-new.sh']' timed out after 19.999517679214478 seconds

If the firewall configuration fails after a timeout try to increase the timeout value to an even higher value.

 

[PeterKi]

After my server was restored, I added the following timeouts to /opt/psa/admin/conf/panel.ini
[ext-firewall]
confirmTimeout = 45
confirmTimeoutCli = 60

Alas, I still get the timeout error after 5s

I did also check the processor load during run of the firewall script and I don't see any bottlenecks:

Here is the script which is prepared by the firewall extension, which also doesn't show any problems to me:
#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
local iptables_bin="$1"
shift

local iptables_version
iptables_version="`"$iptables_bin" --version | awk '{print $2}' | awk -F. '{printf "%d%02d\n", $2, $3}'`"

# Use the native --wait option since v1.4.20
if [ "$iptables_version" -gt 420 ]; then
"$iptables_bin" -w "$@" 2>/dev/null
return $?
fi

# Emulate --wait for older versions
for i in `seq 10`; do
"$iptables_bin" "$@" 2>&1 | grep -q xtable || return 0
sleep 1
done

return 1
}

# Start of /usr/sbin/iptables setup

/usr/sbin/iptables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /usr/sbin/iptables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /usr/sbin/iptables -F FORWARD
apply_rule /usr/sbin/iptables -F OUTPUT
apply_rule /usr/sbin/iptables -Z FORWARD
apply_rule /usr/sbin/iptables -Z OUTPUT

apply_rule /usr/sbin/iptables -P INPUT DROP
apply_rule /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/iptables -P OUTPUT DROP
apply_rule /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/iptables -P FORWARD DROP
apply_rule /usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
apply_rule /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /usr/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /usr/sbin/iptables -t mangle -F
apply_rule /usr/sbin/iptables -t mangle -Z
apply_rule /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT

apply_rule /usr/sbin/iptables -t nat -F
apply_rule /usr/sbin/iptables -t nat -Z
apply_rule /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /usr/sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT

# Start of /usr/sbin/ip6tables setup

/usr/sbin/ip6tables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /usr/sbin/ip6tables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /usr/sbin/ip6tables -F FORWARD
apply_rule /usr/sbin/ip6tables -F OUTPUT
apply_rule /usr/sbin/ip6tables -Z FORWARD
apply_rule /usr/sbin/ip6tables -Z OUTPUT

apply_rule /usr/sbin/ip6tables -P INPUT DROP
apply_rule /usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/ip6tables -P OUTPUT DROP
apply_rule /usr/sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/ip6tables -P FORWARD DROP
apply_rule /usr/sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP

apply_rule /usr/sbin/ip6tables -A INPUT -i lo -j ACCEPT
apply_rule /usr/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
apply_rule /usr/sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /usr/sbin/ip6tables -t mangle -F
apply_rule /usr/sbin/ip6tables -t mangle -Z
apply_rule /usr/sbin/ip6tables -t mangle -P PREROUTING ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P OUTPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P INPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P FORWARD ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P POSTROUTING ACCEPT

apply_rule /usr/sbin/ip6tables -t nat -F
apply_rule /usr/sbin/ip6tables -t nat -Z
apply_rule /usr/sbin/ip6tables -t nat -P PREROUTING ACCEPT
apply_rule /usr/sbin/ip6tables -t nat -P OUTPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t nat -P POSTROUTING ACCEPT

# Start of /usr/sbin/iptables rules

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 68 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -s 165.22.211.113 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 177.223.175.170 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 185.180.143.8 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 186.211.1.7 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 194.61.24.0/24 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 212.70.149.0/24 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 45.134.144.119 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 46.148.40.0/24 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 5.34.205.0/24 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 5.34.207.0/24 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -s 94.232.47.0/24 -j DROP

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 53 -j DROP
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 53 -j DROP

apply_rule /usr/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -j ACCEPT

apply_rule /usr/sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /usr/sbin/iptables -A FORWARD -j DROP

# End of /usr/sbin/iptables rules

# Start of /usr/sbin/ip6tables rules

apply_rule /usr/sbin/ip6tables -A INPUT -p udp --dport 546 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 3306 -j DROP

apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /usr/sbin/ip6tables -A INPUT -p udp --dport 53 -j DROP
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp --dport 53 -j DROP

apply_rule /usr/sbin/ip6tables -A INPUT -j ACCEPT

apply_rule /usr/sbin/ip6tables -A OUTPUT -j ACCEPT

apply_rule /usr/sbin/ip6tables -A FORWARD -j DROP

# End of /usr/sbin/ip6tables rules

#
# End of script
#

 

[Kaspar]

That's a bummer

Only suggestion I have left is to contact Plesk support so they can investigate the issue on your server.