• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue plesk firewall 2.1.5-412 still has problems

I finally managed to get rid of the plesk firewall extension and to use ipset to manage by blacklists.
For that I ran an ssh session, copied plesk's initial firewall script and installed the ipset package.
cp /opt/psa/var/modules/firewall/firewall-active.sh /usr/local/bin/loadIPtables.sh apt -y install ipset
I then removed the plesk-firewall extension and added 2 iptables rules to the load script,
right after the "Start of /usr/sbin/iptables rules" section
apply_rule /usr/sbin/iptables -A INPUT -m set --match-set blacklistedAddrs src -j DROP apply_rule /usr/sbin/iptables-A INPUT -m set --match-set blacklistedRanges src -j DROP
For the startup I use a simple cronjob
crontab -e @reboot /usr/local/bin/createIPsets.sh && /usr/local/bin/loadIPtables.sh
The createIPsets.sh commands is quite simple:
ipset create blacklistedRange hash:net ipset add blacklistedRange 46.184.40.0/24 . . . ipset create blacklistedAddrs hash:ip . . .
With this setup, I can change my blacklist sets without the need to change any iptables rules commands.
I just create a temporary ipset of the desired type like shown below and swap it in place with ipset swap command.
ipset create ipsetTMP hash:net ipset add ipsetTMP 46.184.40.0/24 ipset add ipsetTMP 11.222.33.0/24 ipset swap ipsetTMP blacklistedRange

Of course, I also need to update the startup script for my ipsets, so that they are created properly at boot.
With this setup, I regard my firewall issue as solved.
 
Back
Top