
Plesk Firewall question

AndiC_UK

Guest
Will the Plesk firewall block remote desktop/terminal services by default?

That remote admin needs to configure servers.

Has anyone got around this?

At the moment I configure RRAS myself, however it's going to be a pain when I increase my number of IP addresses. :rolleyes:

I have also tried IPSEC, easier for multiple IPs, however I had problems, e.g. it would not let port 8443 past. :mad:

AndiC
 
Bump!

I'd like to know this too - I like the idea of the plesk firewall but we need to use remote desktop.
 
I tried the plesk firewall and this stopped my remote access via TS and VNC. However, I switched this off again and I could gain access again.

Although not ideal, you could enable the firewall and only disable it if needing remote access. Of course this is only a good idea if you have some other firewall in operation...
 
You have a good point. It's easy to enable / disable the firewall from a control panel login. Better done that way than not at all, IMHO.
 
I just tested it and was able to connect to the box with Plesk via Remote Desktop when the firewall is turned on. You can check that Remote Desktop port is open by opening a command-line window and running the following command:

netsh routing ip show filter "Local Area Connection"

(change the interface name if it is different on your system).

You should see the list of open ports, and it should include 3389, the port used by RDP protocol. If port 3389 does not show, or you are still unable to connect via remote desktop, email me, we will find the solution.
 
Originally posted by addstravel
I tried the plesk firewall and this stopped my remote access via TS and VNC. However, I switched this off again and I could gain access again.

Although not ideal, you could enable the firewall and only disable it if needing remote access. Of course this is only a good idea if you have some other firewall in operation...

TS access should work if it is enabled in Windows - see my other post in this thread on how to verify that the port is open. As to VNC, the only way to enable it is to modify the script, which is configuring the firewall. Here's how:

1) open the file Plesk\admin\bin\pfwmng.js in Notepad
2) look for the following code in the beginning:

Code:
// -- Turning Firewall On, Normal mode
function SetModeOn(handle, Interfaces) {

var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,8443,30000);
var PortsUDP = new Array ("53"); 
var ICMP = new Array ("0",3,8);

3) Add your VNC port to the PortsTCP list. By default it should be 5900, I believe, so the line will now look like:

Code:
var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,5900,8443,30000);

4) save the file, turn the firewall off/on from control panel, and you should now be able to use VNC

5) other ports could be added or removed here, just be careful when you are editing this file, it is always better to make a backup copy first.
 
Just been using the firewall this morning - it has stopped all email from leaving the server.

Error message returned is that the message is delayed because it can't resolve the target domain.

I'm presuming the firewall by default does not block port 25.

Switching the firewall off has resolved the problem instantly.

Any ideas ?
 
I did it this morning and all works well

MS remote desktop / TS is allowed by default in Plesk 7 Windows


emsol

Have you been messing about with RRAS? If so, you have to disable it before turning Plesk's firewall on, to get rid of the old settings.

When Plesk's firewall is on RRAS says it's unconfigured, but Plesk uses it, so I don't know how it uses it yet... but it does work.

Also,

when you turn the firewall on... you may have to wait a while for it to set up,

or try a reboot.

Andrew
 
Originally posted by emsol
Just been using the firewall this morning - it has stopped all email from leaving the server.

Error message returned is that the message is delayed because it can't resolve the target domain.

I'm presuming the firewall by default does not block port 25.

Switching the firewall off has resolved the problem instantly.

Any ideas ?

Hmm, probably the firewall is a little bit too strict. Try this version - pfwmng_ft2.zip
Download, unpack, and replace pfwmng.js script that comes in Plesk/admin/bin with the new one. Please let us know how it works for you.
 
Thanks Jaytee - so far so good !

EDIT......

To allow customers to connect correctly using passive FTP - I had to add TCP port 1024 to the firewall config.
 
Everything works except using the web browser on my server, i.e. check for updates etc.

I think the new problem is that my server can't resolve domain names; it times out when connecting to my server provider's nameserver.

nslookup times out


nslookup ????????????

DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address ??????: Timed out
Server: UnKnown
Address: ???????

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out


Yet from the outside I can use the DNS server on my server, so it must be something to do with outbound DNS.

Turn the firewall off and all works fine.

Here are my current settings:


// -- Turning Firewall On, Normal mode
function SetModeOn(handle, Interfaces) {

var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,8443,30000);
var PortsUDP = new Array ("53");
var ICMP = new Array ("0",3,8);

RemoveFilters(handle, Interfaces);
AddInputFilters(handle, Interfaces, PortsTCP, PortsUDP, ICMP, true);

anyone else have this problem?

AndiC
 
jaytee

Ahhhh

I see you added

// Allow DNS resolution
tfile.WriteLine ("routing ip add filter " + intf + " input 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 proto=udp 53 any");

Any more changes? :)

NOTE! Should tcp 53 any be added to this?

AndiC
 
Just wanted to mention, even after adding port 1024, we still experienced problems connecting via ftp from all customers.

Currently firewall is disabled.
 
Originally posted by AndiC_UK
jaytee

Ahhhh

I see you added

// Allow DNS resolution
tfile.WriteLine ("routing ip add filter " + intf + " input 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 proto=udp 53 any");

Any more changes? :)

NOTE! Should tcp 53 any be added to this?

AndiC

Yes, that filter expression allows for answers from remote NS sent from port 53 over UDP, and I also opened port 5900 for VNC.
TCP port 53 is typically used for zone transfers only, and it is opened already in standard configuration.
 
Originally posted by emsol
Just wanted to mention, even after adding port 1024, we still experienced problems connecting via ftp from all customers.

Currently firewall is disabled.

You will probably need to add a range of ports, starting from 1024 and up, as the port assignment here is dynamic. Unfortunately, RRAS-based packet filtering is very inflexible; we are looking for other options for future versions.

ICF (Internet Connection Firewall) in Windows 2003 was promising, but it is completely broken (does not work with more than one IP) and Microsoft refuses to fix it.
 
Can I specify a range in that file or would I need to add each port number ?

It's a great feature and I'm sure we can get it to work with a certain amount of tweaking.
 
Open Ports for Specific IP Addresses?

How would I go about modifying this script to allow inbound traffic on certain ports from specific IP addresses?

My DataCenter host has several utilities that monitor the health of my server and I need to open my firewall to allow access from their IP's. I've been reading through the pfwmng.js file, but I am uncomfortable making any changes without a little guidance.

jaytee if you are still monitoring this thread, please help! :)

In summary what I am looking for is
  1. Allow TCP/UDP access on Port XYZ for IP Address xxx.xxx.xxx.xxx
  2. Allow TCP/UDP access on Port XYZ for IP Address Range yyy.yyy.yyy.0/24
  3. Allow TCP/UDP access on All Ports for IP Address yyy.yyy.yyy.yyy
  4. Allow TCP/UDP access on All Ports for IP Address Range yyy.yyy.yyy.0/24

Thanks in advance!!
 
It's easy......

1. learn JavaScript

2. then look up netsh and its syntax

3. don't get confused with syntax added by XP SP2...... if you do test/play with it on XP, that is.


AndiC_UK
 
Possible Solution

For anyone reading this looking for a solution...here is what I have implemented:

Add code similar to the lines at the bottom of the following function within the pfwmng.js file located in the plesk Admin/Bin directory (where mmm.mmm.mmm.mmm is the appropriate subnet mask for your situation):

Code:
function AddInputFilters( tfile, Interfaces, PortsTCP, PortsUDP, ICMP, Established ) {
var intf;

     for (var n = 0; n < Interfaces.length; n++) {
     .
     .
     .
          // NEW CODE BEGINS HERE

          // Allow TCP/UDP access on Port XYZ for IP Address xxx.xxx.xxx.xxx
          tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.xxx mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp xyz xyz");
          tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.xxx mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp xyz xyz");

          // Allow TCP/UDP access on Port XYZ for IP Address Range yyy.yyy.yyy.0/24
          tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp xyz xyz");
          tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp xyz xyz");

          //Allow TCP/UDP access on All Ports for IP Address yyy.yyy.yyy.yyy
          tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.yyy mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp 0 0");
          tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.yyy mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp 0 0");

          //Allow TCP/UDP access on All Ports for IP Address Range yyy.yyy.yyy.0/24
          tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp 0 0");
          tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp 0 0");

     }
}
It is important to note that because the way the pfwmng.js script is designed, you must write a unique line for each protocol instead of just using the 'proto=any' option. Attempting to substitute the 'proto=any' syntax in place of 'proto=tcp' or 'proto=udp' will work fine for turning the firewall 'On' but will fail when attempting to turn the firewall 'off'.

Hope this helps someone else, and if anyone out there knows of a more efficient solution, by all means please let me know.
 
LastChoice

Well done !

you must write a unique line for each protocol instead


You could have a data structure to hold IPs and their allowed ports,

and use a few lines of code to loop through the data structure adding filter rules.

As for the problem with using 'proto=any', I don't remember this; I would have to look into it.


AndiC_UK
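The data-structure-plus-loop approach AndiC_UK suggests, and the "one line per port" range handling jaytee describes for passive FTP, as an added example that is not code from pfwmng.js or from anyone in this thread. It builds the same "routing ip add filter" strings that the quoted script passes to tfile.WriteLine, one line per protocol and per port, and refuses proto=any because LastChoice reports such lines fail when the firewall is turned off. The interface name, addresses, masks and ports below are constructed sample values, and the source/destination port pairing follows the form used in the thread ("proto=tcp xyz xyz", "proto=tcp 0 0" for all ports).

```javascript
// Added example, not from pfwmng.js: generate netsh filter lines from a
// table of allowed sources instead of writing each tfile.WriteLine by hand.
// All values here are constructed samples.

// Interface name, quoted the way the netsh command in the thread quotes it.
var INTF = '"Local Area Connection"';

// One entry per allowed source. "ports" items are either a single port
// number or a {from, to} range; port 0 means "all ports", matching the
// "proto=tcp 0 0" form used in the thread.
var ALLOWED_SOURCES = [
  // a single monitoring host, one port, both protocols
  { addr: "192.0.2.10", mask: "255.255.255.255", protos: ["tcp", "udp"], ports: [10050] },
  // a /24 range, all TCP ports
  { addr: "198.51.100.0", mask: "255.255.255.0", protos: ["tcp"], ports: [0] },
  // passive FTP data ports from anywhere: one filter line per port in the range
  { addr: "0.0.0.0", mask: "0.0.0.0", protos: ["tcp"], ports: [{ from: 1024, to: 1027 }] }
];

// Expand a list of port specs into a flat list of port numbers.
function expandPorts(ports) {
  var out = [];
  for (var i = 0; i < ports.length; i++) {
    var p = ports[i];
    if (typeof p === "number") {
      out.push(p);
    } else {
      for (var q = p.from; q <= p.to; q++) out.push(q);
    }
  }
  return out;
}

// Build one "routing ip add filter" line per protocol per port, in the
// exact shape the script writes. Only tcp and udp are accepted: the thread
// reports that proto=any filters cannot be removed when turning the
// firewall off, so each protocol must get its own line.
function buildInputFilters(intf, sources) {
  var lines = [];
  for (var s = 0; s < sources.length; s++) {
    var src = sources[s];
    var portList = expandPorts(src.ports);
    for (var i = 0; i < src.protos.length; i++) {
      var proto = src.protos[i];
      if (proto !== "tcp" && proto !== "udp") {
        throw new Error("unsupported protocol (use tcp or udp, not " + proto + ")");
      }
      for (var j = 0; j < portList.length; j++) {
        lines.push("routing ip add filter " + intf + " input " +
          src.addr + " " + src.mask + " 0.0.0.0 0.0.0.0 proto=" + proto +
          " " + portList[j] + " " + portList[j]);
      }
    }
  }
  return lines;
}

// Inside pfwmng.js each returned line would go to tfile.WriteLine(line);
// here they are returned so they can be inspected before touching the script.
function demo() {
  return buildInputFilters(INTF, ALLOWED_SOURCES);
}

if (typeof require !== "undefined" && require.main === module) {
  demo().forEach(function (line) { console.log(line); });
}
```

Because every line is generated from the same table, the matching removal path of the script can be driven from the same data, which avoids the on/off mismatch that a hand-edited proto=any line produces.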
 