• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • The ImunifyAV extension is now deprecated and no longer available for installation.
    Existing ImunifyAV installations will continue operating for three months, and after that will automatically be replaced with the new Imunify extension. We recommend that you manually replace any existing ImunifyAV installations with Imunify at your earliest convenience.

Issue plesk firewall 2.1.5-412 still has problems

I finally managed to get rid of the plesk firewall extension and to use ipset to manage by blacklists.
For that I ran an ssh session, copied plesk's initial firewall script and installed the ipset package.
cp /opt/psa/var/modules/firewall/firewall-active.sh /usr/local/bin/loadIPtables.sh apt -y install ipset
I then removed the plesk-firewall extension and added 2 iptables rules to the load script,
right after the "Start of /usr/sbin/iptables rules" section
apply_rule /usr/sbin/iptables -A INPUT -m set --match-set blacklistedAddrs src -j DROP apply_rule /usr/sbin/iptables-A INPUT -m set --match-set blacklistedRanges src -j DROP
For the startup I use a simple cronjob
crontab -e @reboot /usr/local/bin/createIPsets.sh && /usr/local/bin/loadIPtables.sh
The createIPsets.sh commands is quite simple:
ipset create blacklistedRange hash:net ipset add blacklistedRange 46.184.40.0/24 . . . ipset create blacklistedAddrs hash:ip . . .
With this setup, I can change my blacklist sets without the need to change any iptables rules commands.
I just create a temporary ipset of the desired type like shown below and swap it in place with ipset swap command.
ipset create ipsetTMP hash:net ipset add ipsetTMP 46.184.40.0/24 ipset add ipsetTMP 11.222.33.0/24 ipset swap ipsetTMP blacklistedRange

Of course, I also need to update the startup script for my ipsets, so that they are created properly at boot.
With this setup, I regard my firewall issue as solved.
 
Back
Top