• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Plesk 12 Firewall problem / stops working

W

WalkerSky

New Pleskian
Hello,

I ran into the the following problem.

I've activated the Firewall (ipchains) in Plesk "Security" -> "Firewall".
After this I added some new rules via the "Add Custom Rule" button.
Then I clicked on "Apply Changes" and activated them.

So far so good... the firewall is working incl. my own rules BUT every day at 7:05pm I can't access pop3, ftp, teamspeak any more.
My actual solution is: I've to disable the firewall and enable the firewall to get it working again.
Unfortunately the next day at 7:05pm the same problem occurs.

I hope someone can help me. Is there any cronjob which cause this problem or is this a bug?

PS: I don't want to disable the firewall completely!


INFO: I'm using the following Plesk Version = Parallels Plesk v12.0.18_build1200140606.15 os_SuSE 13.1

Here's my actual IPchains config.
Code: 
#!/bin/sh
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
/usr/sbin/iptables-save  -t filter | grep -- "-A INPUT" |  grep -v fail2ban | sed -e "s#^-A#/usr/sbin/iptables -D#g" | sh
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -Z FORWARD
/usr/sbin/iptables -Z OUTPUT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/usr/sbin/iptables -A INPUT -i lo  -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/usr/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -t mangle -Z
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P INPUT ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/usr/sbin/ip6tables-save  -t filter | grep -- "-A INPUT" |  grep -v fail2ban | sed -e "s#^-A#/usr/sbin/ip6tables -D#g" | sh
/usr/sbin/ip6tables -F FORWARD
/usr/sbin/ip6tables -F OUTPUT
/usr/sbin/ip6tables -Z FORWARD
/usr/sbin/ip6tables -Z OUTPUT
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
/usr/sbin/ip6tables -P OUTPUT DROP
/usr/sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
/usr/sbin/ip6tables -P FORWARD DROP
/usr/sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/ip6tables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
/usr/sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP
/usr/sbin/ip6tables -A INPUT -i lo  -j ACCEPT
/usr/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
/usr/sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT
/usr/sbin/ip6tables -t mangle -F
/usr/sbin/ip6tables -t mangle -Z
/usr/sbin/ip6tables -t mangle -P PREROUTING ACCEPT
/usr/sbin/ip6tables -t mangle -P OUTPUT ACCEPT
/usr/sbin/ip6tables -t mangle -P INPUT ACCEPT
/usr/sbin/ip6tables -t mangle -P FORWARD ACCEPT
/usr/sbin/ip6tables -t mangle -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -Z
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 2008 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 2010 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 9987 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 9988 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 9989 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 10011 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 41144 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 2008 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 2010 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 9987 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 9988 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 9989 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 10011 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 30033 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 41144 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 65000:65534 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 65000:65534 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 12443 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 11443 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 11444 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

/usr/sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 9008 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 9080 -j ACCEPT

/usr/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT

/usr/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT

/usr/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

/usr/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
/usr/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

/usr/sbin/iptables -A INPUT -j DROP
/usr/sbin/ip6tables -A INPUT -j DROP

/usr/sbin/iptables -A OUTPUT -j ACCEPT
/usr/sbin/ip6tables -A OUTPUT -j ACCEPT

/usr/sbin/iptables -A FORWARD -j DROP
/usr/sbin/ip6tables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#
 
Last edited:
Today I had the same issue at 7:05pm. This time only POP-Connections weren't reachable (WWW, TS3 worked normal (FTP not tested)) until I stopped and restarted the Firewall (via Plesk) again. I tried restarting only the POP-Service before I restarted the Firewall but this didn't help.
 
Last edited:
Same today at 7:05pm. Today "FTP, TS3, SMTP, POP3" connections were affected. I disabled the Firewall yesterday, seems this doesn't help.

I completly deinstalled the "Firewall" Extions now. Tomorrow I'll see if this is working.
 
Same problem here. I can't proof it startet 7:05, but the day before yesterday, I had to activate the Firewall, in order to get SMTP open, today it was closed again and I had to disable and reenable firewall module to reopen it + POP & IMAP.

Did reinstallation help in your case?

Version Parallels Plesk v12.0.18_build1200140606.15 os_SuSE 13.1
OS openSUSE 13.1
 
Last edited:
I had the same problem yesterday (same time). Once again FTP, SMTP, POP3 and TS3 were affected.

Note: WWW & SSH service is not affected (what a luck).

parallel_rw said:
Did reinstallation help in your case?
Click to expand...
Unfortunately deinstallation didn't help :(. Also new installation of the Plesk Firewall Modul didn't solve the problem.

It seems we've to wait for a fix... do we've to open a "bug ticket"?
 
I'm a bit further already.

For me monitoring check on smtp failed at 0:50, which seems related to cron.daily lastrun 0:45 (10min check interval). While looking through all cron.daily is doing I found, although probably unrelated, that if-up.d for example refreshes "a" firewall via:

Code: 
# /sbin/SuSEfirewall2 -q start

This actually cleans up iptables and you end up with blocked services. But why is http, 8443 and ssh still open? Well this magic happens in

Code: 
/etc/sysconfig/SuSEfirewall2:FW_SERVICES_EXT_TCP="ssh http 8443 8447"

So Plesk is modifying the SuSEfirewall, but what about the additional services. Well, Plesk is putting them in /etc/sysconfig/SuSEfirewall2.d/services but doesn't seem to refer them correctly in the config:

Code: 
## Type:        string
#
# Which services _on the firewall_ should be accessible from
# untrusted networks?
#
# Packages can drop a configuration file that specifies all required
# ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
# services that require multiple ports or protocols. Enter the space
# separated list of configuration files you want to load.
#
# The content of those files is merged into
# FW_SERVICES_$zone_$protocol, ie has precedence over
# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
FW_CONFIGURATIONS_EXT=""

In addition to SuSEfirewall, there is a plesk firewall set up under /etc/init.d/psa-firewall which brings up all rules as expected, or better said, as the Firewall module in Plesk Frontend configures it.

So I'm probably going with disabling the SuSEfirewall completely, as it is redundant. I hope this disables its involvement in network services as well.

Best,
René
 
Hi René,

thanks for posting this information here:D!

parallel_rw said:
...So I'm probably going with disabling the SuSEfirewall completely, as it is redundant. I hope this disables its involvement in network services as well.
Click to expand...

I've done it via "YaST Security & Users -> Firewall -> deactivate firewall"

When open "YaST Security & Users -> Firewall" AGAIN I receive the following error/warning message.

Another Firewall Active
Another kind of firewall is active in your system.
If you continue, SuSEfirewall2 may produce undefined errors.
It would be better to remove the other firewall before
configuring SuSEfirewall2.
Continue with configuration?
Click to expand...

So I think our problem should be solved now :).
 
Last edited:
I did it via:
Code: 
# /sbin/SuSEfirewall2 off
But obviously, the effect is the same.

The Plesk Firewall can be stopped via:
Code: 
# /etc/init.d/psa-firewall stop

Removing SuSEfirewall2 solved the problem for me too. The cron.daily did not enable it again. Whew!
 
You must log in or register to reply here.

Similar threads

Liwindo
Input New Firewall App 18.0.52
Replies
4
Views
804
Liwindo
Liwindo
E
Issue IPv6 - unreachable domain
Replies
6
Views
1K
mow
M
Sailorhost
Question IPv6 unreachable
Replies
4
Views
1K
Sailorhost
Sailorhost
ChrisMonder
Question How to ignore/block POP3/IMAP login attempts for a non existent domain in my server?
Replies
4
Views
2K
ChrisMonder
ChrisMonder
T
Issue Can't Update Plesk Firewall
Replies
2
Views
1K
brother4
brother4
Back
Top