Question Plesk firewall and preventing clashes with firewalld

iainh
Basic Pleskian
Server operating system version: AlmaLinux 9.8 (Olive Jaguar)
Plesk version and microupdate number: Plesk Obsidian 18.0.79
I have my Plesk firewall set to permit privileged service access only from my own IP (using the "Allow from selected sources, deny from others" rule option and listing my IP). This applies to the rules for "Plesk administrative interface" (and the HTTP/3 equivalent), which I take to mean port 8443, SSH, FTP etc. However, I'm seeing failed login attempts as root against 'panel', which shouldn't be there given the above rules.

A deal of digging has found that the Plesk firewall UI is simply controlling nftables (previously iptables) which I was aware of, but that firewalld is also running (confirmed via systemctl status firewalld), and that the two compete and conflict in making (nftables) updates, and that firewalld will win rendering the Plesk rules irrelevant. Suddenly what I am seeing is explained, if not making sense (why is firewalld left running when the Plesk firewall is enabled?).

There's an article on this at Plesk for Linux and firewalld Compatibility which warns: "Both firewalld and the Plesk Firewall extension are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time."
Google further advises: "If firewalld (on RHEL/AlmaLinux/Rocky) or ufw (on Ubuntu/Debian) is active, it will override or bypass the script Plesk uses (psa-firewall) to push rules into iptables. Plesk requires these native OS services to be completely disabled so it can manage iptables natively."

Okay, so there's my answer: I need to disable firewalld. So why don't I just get on with it, and why am I posting here? Because Google references a Plesk Talk article Firewall suddenly took Plesk down overnight which cautions: "Some providers install correctly plesk with almalinux and firewalld is disabled while all needed ports are already at iptables via plesk firewall, at others firewalld is enabled with open only ssh dhcp and cockpit and need to open manually the others. At these configurations if you disabled firewalld you will be locked out from ssh as iptable entries will be erased."

Right, so the solution is NOT to plough in with:
Code:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
unless I want to lock myself out of my VPS. I guess I can ensure my virtual console is working okay and, with that working, then go about disabling firewalld, but it would seem this needs a little thought and consideration if I'm not to give myself a world of pain.

So why post this here?
  1. Because the discovery that simply enabling the Plesk firewall and setting access may not be providing the protection you are expecting may be of use to others, and
  2. Maybe some wiser soul than me has been here, done all this, and has some advice on the correct steps to take to disable firewalld and get the Plesk firewall working as expected without too much pain on the way.
Here's hoping for some great advice from those who know much more than me.
 
I don't see how removing firewalld while using DHCP could lock you out of your server. Maybe @manos could elaborate on that a bit more. What I suspect is meant here is that some providers configure a base rule in iptables/nftables to block all traffic and use firewalld to open specific ports, such as port 22 for SSH. When stopping firewalld, all associated rules are purged/flushed, but the base rule remains in place, blocking all traffic. (But I don't see how this relates to DHCP.) It's an unlikely scenario to me, as this is how firewalld (and the Plesk firewall, for that matter) operates in the first place. By default, almost all firewalls use a base rule to block all traffic and then use additional rules to open specific ports (or allow specific traffic).

If you want to circumvent this scenario, you could simply flush nftables directly after stopping firewalld, like so:
Code:
sudo systemctl stop firewalld && sudo nft flush ruleset
sudo systemctl disable firewalld

In my experience, however, as someone who mainly uses RHEL derivatives (such as AlmaLinux), stopping and removing firewalld has never caused any issues. If you're still concerned about getting locked out, you might want to check whether your provider offers some sort of (virtual) console to access your server in case you can no longer connect via SSH. That way, you'll always have a way to access your server and restore or change the firewall configuration.
 
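The two posts above describe the same risk from different sides: the original question wants a safe order of steps for retiring firewalld, and the reply describes the lock-out case where a base drop policy sits outside firewalld and only firewalld's own rules open SSH. The script below is an added example written for this page; it is not code from either poster or from Plesk. It checks the live nft ruleset for an SSH accept rule in any table other than firewalld's own `inet firewalld` table (the table that disappears when the service stops; a blanket `nft flush ruleset` would also remove every other table, including the Plesk firewall's), saves the ruleset, and stops firewalld behind a rollback timer that restarts it unless a fresh SSH session confirms access. Assumptions that are mine rather than the page's: SSH on tcp/22, the Plesk rules appearing in `table ip filter` as iptables-nft renders rules written through the `iptables` command, the file paths under `/root` and `/run`, and the two sample rulesets, which are constructed to model the safe and the lock-out configuration.

```bash
#!/bin/sh
# Added example, not from the thread or from Plesk: pre-flight check plus a
# rollback timer for stopping firewalld on a Plesk host. Assumptions (mine, not
# the page's): SSH on tcp/22, Plesk rules rendered in "table ip filter" by
# iptables-nft, and the two constructed sample rulesets below.

# Print each table other than firewalld's own "inet firewalld" that contains an
# accept rule for the SSH port; exit 0 if at least one exists, 1 otherwise.
# $1 = text of `nft list ruleset`, $2 = SSH port (default 22)
ssh_allowed_outside_firewalld() {
    printf '%s\n' "$1" | awk -v port="${2:-22}" '
        /^table / { tbl = $2 " " $3; skip = ($3 == "firewalld") }
        !skip && $0 ~ ("tcp dport " port "([^0-9]|$)") && /accept/ { found[tbl] = 1 }
        END { n = 0; for (t in found) { print t; n++ }; exit (n ? 0 : 1) }
    '
}

# Constructed sample 1: firewalld is still running, but the Plesk firewall
# (iptables-nft, hence "table ip filter") already accepts SSH from the admin IP.
SAFE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ip saddr 203.0.113.10 tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
}
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        tcp dport 22 accept
    }
}'

# Constructed sample 2: the lock-out case from the thread. A base drop policy
# outside firewalld, with SSH (and cockpit) opened only by firewalld itself.
LOCKOUT_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        tcp dport { 80, 443 } accept
    }
}
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        tcp dport 22 accept
        tcp dport 9090 accept
    }
}'

# The switch-over itself. Run as root from an SSH session, with the provider's
# virtual console open as a fallback. Nothing here runs unless --run is given.
# $1 = SSH port (default 22), $2 = seconds until automatic rollback (default 300)
retire_firewalld() {
    port=${1:-22}; delay=${2:-300}
    live=$(nft list ruleset) || return 1
    if ! ssh_allowed_outside_firewalld "$live" "$port" >/dev/null; then
        echo "no accept rule for tcp/$port outside firewalld; fix the Plesk firewall rules first" >&2
        return 1
    fi
    # Keep the full pre-change ruleset so it can be inspected or reapplied with `nft -f`.
    printf '%s\n' "$live" > /root/nft-ruleset.before-firewalld-stop
    # Rollback timer: unless this background shell is killed within $delay seconds,
    # firewalld is started again, which reinstates the provider's SSH rule.
    nohup sh -c "sleep $delay; systemctl start firewalld" >/dev/null 2>&1 &
    echo $! > /run/firewalld-rollback.pid
    systemctl stop firewalld
    echo "firewalld stopped; open a NEW SSH session within ${delay}s. If it works, run:"
    echo "  kill \$(cat /run/firewalld-rollback.pid) && systemctl disable firewalld"
}

if [ "${1:-}" = "--run" ]; then
    retire_firewalld "${2:-22}" "${3:-300}"
fi
```

Against the first sample the check reports `ip filter`, so stopping firewalld is safe; against the second it reports nothing and the script refuses to continue, which is exactly the configuration the quoted warning describes. Only after the new SSH session succeeds and the timer has been killed should `systemctl disable firewalld` run; until then a dropped connection simply waits out the delay and gets firewalld back.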