
Plesk Firewall question

Discussion in 'Plesk for Windows - 8.x and Older' started by AndiC_UK, Aug 22, 2004.

  1. AndiC_UK

    AndiC_UK Guest

    0
     
    Will the Plesk firewall block remote desktop/terminal services by default?

    That is what a remote admin needs to configure servers.

    Has anyone got around this?

    At the moment I configure RRAS myself; however, it's going to be a pain when I increase my number of IP addresses.

    I have also tried IPSEC, which is easier for multiple IPs; however, I had problems, e.g. it would not let port 8443 past.

    AndiC
     
  2. emsol

    emsol Guest

    0
     
    Bump!

    I'd like to know this too - I like the idea of the Plesk firewall, but we need to use remote desktop.
     
  3. addstravel

    addstravel Guest

    0
     
    I tried the Plesk firewall and this stopped my remote access via TS and VNC. However, I switched it off again and I could gain access again.

    Although not ideal, you could enable the firewall and only disable it when needing remote access. Of course this is only a good idea if you have some other firewall in operation...
     
  4. emsol

    emsol Guest

    0
     
    You have a good point. It's easy to enable/disable the firewall from a control panel login. Better done that way than not at all, IMHO.
     
  5. jaytee

    jaytee Guest

    0
     
    I just tested it and was able to connect to the box with Plesk via Remote Desktop with the firewall turned on. You can check that the Remote Desktop port is open by opening a command-line window and running the following command:

    netsh routing ip show filter "Local Area Connection"

    (change the interface name if it is different on your system).

    You should see the list of open ports, and it should include 3389, the port used by the RDP protocol. If port 3389 does not show, or you are still unable to connect via remote desktop, email me and we will find the solution.
     
  6. jaytee

    jaytee Guest

    0
     
    TS access should work if it is enabled in Windows - see my other post in this thread on how to verify that the port is open. As to VNC, the only way to enable it is to modify the script which configures the firewall. Here's how:

    1) Open the file Plesk\admin\bin\pfwmng.js in Notepad.
    2) Look for the following code at the beginning:

    Code:
    // -- Turning Firewall On, Normal mode
    function SetModeOn(handle, Interfaces) {
    
    var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,8443,30000);
    var PortsUDP = new Array ("53"); 
    var ICMP = new Array ("0",3,8);
    3) Add your VNC port to the PortsTCP list. By default it should be 5900, I believe, so the line will now look like:

    Code:
    var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,5900,8443,30000);
    4) Save the file, turn the firewall off/on from the control panel, and you should now be able to use VNC.

    5) Other ports could be added or removed here; just be careful when you are editing this file. It is always better to make a backup copy first.
     
  7. emsol

    emsol Guest

    0
     
    Just been using the firewall this morning - it has stopped all email from leaving the server.

    The error message returned is that the message is delayed because it can't resolve the target domain.

    I'm presuming the firewall by default does not block port 25.

    Switching the firewall off resolved the problem instantly.

    Any ideas?
     
  8. AndiC_UK

    AndiC_UK Guest

    0
     
    I did it this morning and all works well.

    MS Remote Desktop/TS is allowed by default in Plesk 7 Windows.


    emsol

    Have you been messing about with RRAS? If so, you have to disable it before turning Plesk's firewall on, to get rid of the old settings.

    When Plesk's firewall is on, RRAS says it's unconfigured, but Plesk uses it, so I don't know how it uses it yet... but it does work.

    Also:

    When you turn the firewall on... you may have to wait a while for it to set up,

    or try a reboot.

    Andrew
     
  9. jaytee

    jaytee Guest

    0
     
    Hmm, probably the firewall is a little bit too strict. Try this version - pfwmng_ft2.zip
    Download, unpack, and replace the pfwmng.js script that comes in Plesk/admin/bin with the new one. Please let us know how it works for you.
     
  10. emsol

    emsol Guest

    0
     
    Thanks Jaytee - so far so good!

    EDIT......

    To allow customers to connect correctly using passive FTP, I had to add TCP port 1024 to the firewall config.
     
  11. AndiC_UK

    AndiC_UK Guest

    0
     
    Everything works except using the web browser on my server, i.e. check for updates etc.

    I think the new problem is that my server can't resolve domain names; it times out when connecting to my server provider's nameserver.

    nslookup times out:


    nslookup ????????????

    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find server name for address ??????: Timed out
    Server: UnKnown
    Address: ???????

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to UnKnown timed-out


    Yet from the outside I can use the DNS server on my server, so it must be something to do with outbound DNS.

    Turn the firewall off and all works fine.

    Here are my current settings:


    // -- Turning Firewall On, Normal mode
    function SetModeOn(handle, Interfaces) {

    var PortsTCP = new Array ("21",22,25,53,80,110,143,443,465,993,995,3389,8443,30000);
    var PortsUDP = new Array ("53");
    var ICMP = new Array ("0",3,8);

    RemoveFilters(handle, Interfaces);
    AddInputFilters(handle, Interfaces, PortsTCP, PortsUDP, ICMP, true);

    Anyone else have this problem?

    AndiC
     
  12. AndiC_UK

    AndiC_UK Guest

    0
     
    jaytee

    Ahhhh,

    I see you added:

    // Allow DNS resolution
    tfile.WriteLine ("routing ip add filter " + intf + " input 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 proto=udp 53 any");

    Any more changes? :)

    NOTE! Should "tcp 53 any" be added to this?

    AndiC
     
  13. emsol

    emsol Guest

    0
     
    Just wanted to mention that even after adding port 1024, we still experienced problems connecting via FTP from all customers.

    Currently the firewall is disabled.
     
  14. jaytee

    jaytee Guest

    0
     
    Yes, that filter expression allows answers from remote nameservers sent from port 53 over UDP, and I also opened port 5900 for VNC.
    TCP port 53 is typically used for zone transfers only, and it is opened already in the standard configuration.
     
  15. jaytee

    jaytee Guest

    0
     
    You will probably need to add a range of ports, starting from 1024 and up, as the port assignment here is dynamic. Unfortunately, RRAS-based packet filtering is very inflexible; we are looking for other options for future versions.

    ICF (Internet Connection Firewall) in Windows 2003 was promising, but it is completely broken (does not work with more than one IP) and Microsoft refuses to fix it.
     
  16. emsol

    emsol Guest

    0
     
    Can I specify a range in that file, or would I need to add each port number?

    It's a great feature and I'm sure we can get it to work with a certain amount of tweaking.
     
  17. LastChoice

    LastChoice Guest

    0
     
    Open Ports for Specific IP Addresses?

    How would I go about modifying this script to allow inbound traffic on certain ports from specific IP addresses?

    My datacenter host has several utilities that monitor the health of my server and I need to open my firewall to allow access from their IPs. I've been reading through the pfwmng.js file, but I am uncomfortable making any changes without a little guidance.

    jaytee if you are still monitoring this thread, please help! :)

    In summary, what I am looking for is:
    1. Allow TCP/UDP access on Port XYZ for IP Address xxx.xxx.xxx.xxx
    2. Allow TCP/UDP access on Port XYZ for IP Address Range yyy.yyy.yyy.0/24
    3. Allow TCP/UDP access on All Ports for IP Address yyy.yyy.yyy.yyy
    4. Allow TCP/UDP access on All Ports for IP Address Range yyy.yyy.yyy.0/24

    Thanks in advance!!
     
  18. AndiC_UK

    AndiC_UK Guest

    0
     
    It's easy......

    1. Learn JavaScript.

    2. Then look up netsh and its syntax.

    3. Don't get confused with syntax added by XP SP2...... if you do test/play with it on XP, that is.


    AndiC_UK
     
  19. LastChoice

    LastChoice Guest

    0
     
    Possible Solution

    For anyone reading this looking for a solution...here is what I have implemented:

    Add code similar to the lines at the bottom of the following function within the pfwmng.js file located in the Plesk Admin/Bin directory (where mmm.mmm.mmm.mmm is the appropriate subnet mask for your situation):

    Code:
    function AddInputFilters( tfile, Interfaces, PortsTCP, PortsUDP, ICMP, Established ) {
         var intf;

         for (var n = 0; n < Interfaces.length; n++) {
         .
         .
         .
              // NEW CODE BEGINS HERE

              // Allow TCP/UDP access on Port XYZ for IP Address xxx.xxx.xxx.xxx
              tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.xxx mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp xyz xyz");
              tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.xxx mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp xyz xyz");

              // Allow TCP/UDP access on Port XYZ for IP Address Range yyy.yyy.yyy.0/24
              tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp xyz xyz");
              tfile.WriteLine ("routing ip add filter " + intf + " input xxx.xxx.xxx.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp xyz xyz");

              // Allow TCP/UDP access on All Ports for IP Address yyy.yyy.yyy.yyy
              tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.yyy mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp 0 0");
              tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.yyy mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp 0 0");

              // Allow TCP/UDP access on All Ports for IP Address Range yyy.yyy.yyy.0/24
              tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=tcp 0 0");
              tfile.WriteLine ("routing ip add filter " + intf + " input yyy.yyy.yyy.0 mmm.mmm.mmm.mmm 0.0.0.0 0.0.0.0 proto=udp 0 0");

         }
    }

    It is important to note that, because of the way the pfwmng.js script is designed, you must write a unique line for each protocol instead of just using the 'proto=any' option. Attempting to substitute the 'proto=any' syntax in place of 'proto=tcp' or 'proto=udp' will work fine for turning the firewall 'On' but will fail when attempting to turn the firewall 'Off'.

    Hope this helps someone else, and if anyone out there knows of a more efficient solution, by all means please let me know.
     
  20. AndiC_UK

    AndiC_UK Guest

    0
     
    LastChoice

    Well done!


    You could have a data structure to hold IPs and their allowed ports,

    and use a few lines of code to loop through the data structure adding filter rules.

    As for the problem with using 'proto=any', I don't remember this; I would have to look into it.


    AndiC_UK
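    The table-driven approach suggested in the post above, applied to the hand-written filter lines from post 19, as an added example that is not part of the thread or of Plesk's pfwmng.js (which is JScript run by Windows Script Host). It is plain JavaScript that returns the netsh lines instead of writing them via tfile.WriteLine; the names buildInputFilters, prefixToMask, SAMPLE_RULES and the rule fields src/prefix/ports are assumptions, and the addresses are constructed documentation ranges.

    ```javascript
    // Added example, not Plesk's code: generate "routing ip add filter" lines
    // from a table of source hosts/ranges and the ports they may reach.
    // Hypothetical names: prefixToMask, buildInputFilters, SAMPLE_RULES.

    // Turn a CIDR prefix length into the dotted mask netsh wants (post 19
    // fills this in by hand as mmm.mmm.mmm.mmm).
    function prefixToMask(prefix) {
      if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
        throw new RangeError("prefix length must be 0..32");
      }
      // JS shifts are mod 32, so a /0 must be special-cased.
      const bits = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
      return [24, 16, 8, 0].map((s) => (bits >>> s) & 0xff).join(".");
    }

    const DOTTED = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;

    // One line per protocol, never "proto=any": the thread reports that
    // "any" turns the firewall on but breaks the script's own "off" path.
    // Port 0 means "all ports", matching the "0 0" lines in post 19.
    function buildInputFilters(intf, rules) {
      const lines = [];
      for (const r of rules) {
        if (!DOTTED.test(r.src)) throw new Error("bad source address: " + r.src);
        const mask = prefixToMask(r.prefix === undefined ? 32 : r.prefix);
        const ports = r.ports && r.ports.length ? r.ports : [0];
        for (const proto of ["tcp", "udp"]) {
          for (const p of ports) {
            lines.push("routing ip add filter " + intf + " input " + r.src + " " +
              mask + " 0.0.0.0 0.0.0.0 proto=" + proto + " " + p + " " + p);
          }
        }
      }
      return lines;
    }

    // Constructed sample table (RFC 5737 documentation addresses, not real hosts).
    const SAMPLE_RULES = [
      { src: "192.0.2.10", ports: [5900] },              // one host, one port (VNC)
      { src: "198.51.100.0", prefix: 24, ports: [161] }, // a /24 of monitoring hosts
      { src: "203.0.113.7" },                            // one host, all ports
    ];

    if (typeof require !== "undefined" && require.main === module) {
      for (const l of buildInputFilters("\"Local Area Connection\"", SAMPLE_RULES)) {
        console.log(l);
      }
    }
    ```

    Each generated line is one netsh command of the same shape the script already writes, so the "off" path that removes filters per protocol keeps working.
    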
     