• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx

  • We are developing a new feature in Plesk that will help you promote your websites or business on social media. We want to conduct a one-hour online UX test to present the prototype and collect feedback. If you are interested in the feature, please book a meeting via this link.
    Thank you in advance!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk Firewall Extension and Almalinux 8.10 Network Issue

WebHostingAce

Silver Pleskian
Username:

TITLE

Plesk Firewall Extension and Almalinux 8.10 Network Issue

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Almalinux 8.10
Plesk Obsidian
Version 18.0.62 Update #1

PROBLEM DESCRIPTION

When you install and activate Plesk Firewall extension. The network almost become non-responsive.

For an example - #ping google.com will take about 5-10 seconds to start pinging.

STEPS TO REPRODUCE

Please make sure the firewalld is active and running.

#systemctl start firewalld
#systemctl enable firewalld

(My Almalinux image came with the firewalld active and running)

Install the Plesk Firewall Extension and Enable it.

Reboot the system.

try to #ping google.com

ACTUAL RESULT

#ping google.com will take about 5-10 seconds to start.

EXPECTED RESULT

To network to behave normally with the Plesk Firewall enabled.

ANY ADDITIONAL INFORMATION

I was able to overcome this issue by,

#systemctl stop firewalld
#systemctl disable firewalld
#reboot

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Thank you for your reply.

My VM has a IPv6 address by default and I added an extra one as well. So could you please add a IPv6 address and try again?

I can recreate this issue every time. Also I'm happy to give you access to a freshly created VM with issue.

It took me some time to figure out this issue. Would it be possible to check and disable the firewalld (If enabled and running) when installing the Plesk Firewall?
 
It took me some time to figure out this issue.
I had the same thing recently when upgrading from CentOS to Alma. Took me about half an hour to realize that firewalld was playing tricks on me :eek:

I can recreate this issue every time. Also I'm happy to give you access to a freshly created VM with issue.
Only our support engineers are allowed to access customers servers. You are welcome to open an support ticket off course. But I think this is expected behavior and outside the scope of Plesk. I mean running multiple firewall applications can cause conflicts (as is evident from your issue).

Would it be possible to check and disable the firewalld (If enabled and running) when installing the Plesk Firewall?
That's more of a feature request rather than a bug. Good suggestion though.
 
Would it be possible to check and disable the firewalld (If enabled and running) when installing the Plesk Firewall?

I believe there is no need to disable the firewalld when installing the extension, as it creates a new firewalld zone:

"Plesk applies the configuration to the firewalld zone called “plesk” and sets that zone as the default one. Runtime firewall rules added before installing Plesk are lost. Permanent rules are not affected."

Reference:
 
Objection, sir @Maarten! ;)
Indeed on Alma I can strongly recommend to disable firewalld. It's either iptables or firewalld, not both. Running both will most definitely cause issues. The problem I believe is that both utilities utilize Kernel processes to filter network traffic. They just get in the way of each other.
 
Thank you Everyone!

That's more of a feature request rather than a bug. Good suggestion though.

A warning that firewalld is running when enabling the Plesk Firewall extension would have saved at least 3 hours for me. :D

Most of the Almalinux 8 images I have worked with came the firewalld disabled. Unfortunately this hosting company image had the firewalld enabled by default. I wasn't aware of it and started looking at other things. :D
 
Objection, sir @Maarten! ;)
Indeed on Alma I can strongly recommend to disable firewalld. It's either iptables or firewalld, not both. Running both will most definitely cause issues. The problem I believe is that both utilities utilize Kernel processes to filter network traffic. They just get in the way of each other.

I agree, but why does it create its own zone if it can cause conflicts in the end?
 
Maybe Plesk wanted to have this for future freedom of choice. What's defined within the scope of firewalld however has no impact on iptables and vice versa. It's kind of a different layer of the process we're talking about when talking about certain zones. But this gives me to think that I should start testing scenarios with firewalld instead of having my focus on iptables here.
 
I agree, but why does it create its own zone if it can cause conflicts in the end?
Firewalld is (was?) enabled by default on many RHEL distros. Plesk creates the firewall zone during the installation process (if firewalld is already installed) to make sure the default services on Plesk aren't blocked and ready to use after installation. Since the Plesk Firewall exstention isn't installed by default there should be not conflict. But these can occure when the Plesk firewall gets installed and firewalld (or any orther firewall for that matter) is still running.
 
Firewalld is (was?) enabled by default on many RHEL distros. Plesk creates the firewall zone during the installation process (if firewalld is already installed) to make sure the default services on Plesk aren't blocked and ready to use after installation. Since the Plesk Firewall exstention isn't installed by default there should be not conflict. But these can occure when the Plesk firewall gets installed and firewalld (or any orther firewall for that matter) is still running.

Okay, so instead of creating the extra "plesk" zone, it should warn the administrator while installing the extension and give the administrator the option to continue or abort the installation. Wouldn't that be the preferred way to handle this case? Because currently it creates the zone, and at the same time, the docs warn you that you should be careful using the Firewall extension in combination with firewalld.
Or at least add a warning with a link to the docs before continuing to install the extension.
 
The zone creation still serves it purpose, regardless of the Plesk firewall. So I would say not instead of the zone creation on Firewalld, but rather as an addition to the Plesk Firewall. I think that's similar to what WebHostingAce suggested too. Which is a good suggestion :)
 
I just bumped my head on this problem while trying to give remote mySQL access to a couple of IP addresses. Brand new Plesk install on AlmaLinux 8.6, with Plesk Firewall extension active and configured.

Realized it was firewalld that was stopping my mySQL connection attempts. Tried to stop firewalld with:

systemctl stop firewalld

the entire server became unreachable via SSH, web and Plesk panel ports. Had to reboot to regain access.

Then did:

systemctl disable firewalld

And rebooted again, and all was well. Plesk firewall rules I had configured were working correctly, and firewalld was disabled and not interfering.

Need better doc for this for the AlmaLinux crowd.
 
Back
Top