• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Plesk Firewall ip6tables

Brujo

Brujo

Silver Pleskian
Plesk Guru
Plesk Onyx - Version 17.5.3 Update #38
Ubuntu 16.04.3 LTS

usually I change on the Plesk firewall the "System policy for outgoing traffic - Allow all other outgoing traffic" from allow -> deny and allow only defined outgoing ports.

But on a new Ubuntu System as soon as I change the outgoing policy from "allow -> deny" and activate then the firewall in plesk, Services like ping, ftp from external stops and also access to websites (http & https) from external via ipv6. Ping, ftp and website access over ipv4 from external still works as expected. It seems ip6table blocks everything then from external.

the difference between allow / deny of the outgoing policy is only in the last line

ACCEPT all anywhere anywhere (ping and access from external works)
DROP all anywhere anywhere (ping and access from external not working)

the complete output of the not working ip6tables -L
Code: 
Chain INPUT (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ftps
DROP       tcp      anywhere             anywhere             tcp dpt:12443
DROP       tcp      anywhere             anywhere             tcp dpt:11443
DROP       tcp      anywhere             anywhere             tcp dpt:11444
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8447
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8880
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp      anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp      anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp      anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp      anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp      anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp      anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp      anywhere             anywhere             tcp dpt:poppassd
DROP       tcp      anywhere             anywhere             tcp dpt:mysql
DROP       tcp      anywhere             anywhere             tcp dpt:postgresql
DROP       tcp      anywhere             anywhere             tcp dpt:9008
DROP       tcp      anywhere             anywhere             tcp dpt:9080
DROP       udp      anywhere             anywhere             udp dpt:netbios-ns
DROP       udp      anywhere             anywhere             udp dpt:netbios-dgm
DROP       tcp      anywhere             anywhere             tcp dpt:netbios-ssn
DROP       tcp      anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp      anywhere             anywhere             udp dpt:eek:penvpn
ACCEPT     udp      anywhere             anywhere             udp dpt:domain
ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 134 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 135 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 136 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 137 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 128 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 129 code 0
DROP       all      anywhere             anywhere    

Chain FORWARD (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
DROP       all      anywhere             anywhere    

Chain OUTPUT (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
ACCEPT     tcp      anywhere             anywhere             tcp dpts:ftp-data:ssh
ACCEPT     tcp      anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:whois
ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain
ACCEPT     udp      anywhere             anywhere             udp dpt:domain
ACCEPT     udp      anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
ACCEPT     udp      anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https
ACCEPT     tcp      anywhere             anywhere             tcp dpt:urd
DROP       all      anywhere             anywhere


any hint would be appreciated, or where to start to dig into the issue
 
Last edited:
Same problem on my CentOS 7 Server with Plesk Onyx Version 17.5.3 Update #39. I think I'll contact the Plesk support today about this issue.
 
Hm... I think the ruleset may be false here.. you allow incoming icmp for example but don't allow it outgoing so of course the server doesn't respond.

Same goes for ftp / http .... you allow the basic ports but I think especially ftp requires also ports in the high range, linke 30k-35k to function properly. Also I don't know for sure but since nginx is used for proxy purposes, port 7080 also needs to be allowed to transfer data and that is also missing. Seems to me your rules are just not right.
 
as speedbird mentioned before, the problem is that the block all outgiung traffic rule blocks the icmp rules for IPv6. Plesk Support suggested me to define some rules manually because they can't defined over the Plesk firewall configuration.


Adding the rules manually to ip6tables:

1. We remove the existing drop rule:
# ip6tables -D OUTPUT -j DROP

2. We add the new rules to allow ipv6-icmp
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
# ip6tables -A OUTPUT -j DROP

3. Save the new rules
#ip6tables-save

Unfortunately, the rules will be overwritten as soon as you change the firewall configuration through Plesk or when you reboot the server. I think this can be solved with some scripts and a cronjob or something...
 
thank you all for discussion and for sharing your suggestions.

Well the KB Article is a good starting point will try
 
Last edited:
You must log in or register to reply here.

Similar threads

J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
921
josemanuuxd
J
Z
Resolved Docker is unable to connect to the internet
Replies
2
Views
17K
zZeepo
Z
A
Resolved Plesk Firewall and Samba
2
Replies
22
Views
1K
Raul A.
R
C
Issue 38080 connection refused, plesk FW setup
Replies
1
Views
699
chester_e
C
Liwindo
Input New Firewall App 18.0.52
Replies
4
Views
1K
Liwindo
Liwindo
Back
Top