Resolved plesk firewall not enabled after restart centos 7

[sergiomb]

• OS: ‪CentOS Linux 7.9.2009 (Core)‬
• Product: Plesk Obsidian 18.0.32 Update #2

We have this plesk running for almost 4 years , I noticed, since the beginning, after restart, firewall is not enabled , I have go to https://myhost:8443(plesk/modules/firewall/ and disable and enable firewall to enable firewall .
I saw this firewall configuration is based on iptables , should I check if iptables start on boot ? or something like that .

Thank you

 

[Bitpalast]

On CentOS, it is optional to run iptables as a service. There is no requirement. Plesk firewall module should be active either way.

In a Google search I see that some users have reported the same issue a few years ago, that after a reboot, the Plesk firewall remains disabled. However, the support articles on it are no longer (publicly) available. Maybe this question needs to be directed to Plesk support.

 

[sergiomb]

yes Firewall rules not applied after reboot is the same question

 

[Nik G]

hello @sergiomb ,
could you please show output of

systemctl status psa-firewall.service

?

Is there any errors shown by

journalctl -xe -u psa-firewall.service

?

how may firewall rules you have ?

 

[sergiomb]

systemctl status psa-firewall.service
● psa-firewall.service - LSB: Plesk firewall
Loaded: loaded (/etc/rc.d/init.d/psa-firewall; bad; vendor preset: disabled)
Active: active (exited) since Dom 2021-02-07 02:16:42 WET; 3 months 9 days ago
Docs: man:systemd-sysv-generator(8)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

journalctl -xe -u psa-firewall.service
-- No entries --

chkconfig 

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
psa-firewall    0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
chargen-dgram:  off
chargen-stream: off
daytime-dgram:  off
daytime-stream: off
discard-dgram:  off
discard-stream: off
echo-dgram:     off
echo-stream:    off
ftp_psa:        on
poppassd_psa:   on
tcpmux-server:  off
time-dgram:     off
time-stream:    off

 

[Nik G]

@sergiomb ,
we did not able to reproduce the problem on cos7 with all updates and the latest Plesk Obsidian.
btw, you did not answered how many rules in your firewall.

however I'd suggest you to fill ticket to the technical support to more deeply investigation.

 

[sergiomb]

Thanks for replying , sorry I hadn't read all the questions, here it is the answer

Total Firewall rules: 21   

     Single Sign-On    Deny incoming from all   
     Plesk Installer    Allow incoming from all   
     Plesk administrative interface    Allow incoming from all   
     WWW server    Allow incoming from all   
     FTP server    Deny incoming from all   
     SSH (secure shell) server    Allow incoming from all   
     SMTP (submission port) server    Allow incoming from all   
     SMTP (mail sending) server    Allow incoming from all   
     POP3 (mail retrieval) server    Allow incoming from all   
     IMAP (mail retrieval) server    Allow incoming from all   
     Mail password change service    Allow incoming from all   
     MySQL server    Deny incoming from all   
     PostgreSQL server    Deny incoming from all   
     Samba (file sharing in Windows networks)    Deny incoming from all   
     Domain name server    Deny incoming from all   
     IPv6 Neighbor Discovery    Allow incoming from all   
     Ping service    Allow incoming from all   
     System policy for incoming traffic    Deny all other incoming traffic   
     System policy for outgoing traffic    Allow all other outgoing traffic   
     System policy for forwarding of traffic    Deny forwarding of all other traffic   

    Total Firewall rules: 21

 

[sergiomb]

I rebooted the system today and it worked , I don't know what to say , it is fixed now.
Thank you.

journalctl --no-pager -xe -u psa-firewall.service

-- Reboot --
Mai 21 22:28:04 ecosphere-consult.com systemd[1]: Starting LSB: Plesk firewall...
-- Subject: Unit psa-firewall.service has begun start-up
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit psa-firewall.service has begun starting up.
Mai 21 22:28:06 ecosphere-consult.com psa-firewall[1060]: psa-firewall: firewall configuration successfully applied
Mai 21 22:28:06 ecosphere-consult.com systemd[1]: Started LSB: Plesk firewall.
-- Subject: Unit psa-firewall.service has finished start-up
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit psa-firewall.service has finished starting up.
--
-- The start-up result is done.

 

[Nik G]

I rebooted the system today and it worked , I don't know what to say , it is fixed now.
Thank you.

well, I glad to hear that the problem is solved.can't say that I understand how but.. it is good in any way )

 

[sergiomb]

It happened again , psa-firewall disappeared from the list of chkconfig :
Centos 7 updated

chkconfig
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration. If you want to list systemd services use 'systemctl list-unit-files'. To see services enabled on particular target use 'systemctl list-dependencies [target]'. netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off xinetd based services: chargen-dgram: off chargen-stream: off daytime-dgram: off daytime-stream: off discard-dgram: off discard-stream: off echo-dgram: off echo-stream: off ftp_psa: on poppassd_psa: on tcpmux-server: off time-dgram: off time-stream: off