• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Plesk Firewall seems to prevent connection to remotely hosted database

Christoph Farnleitner

Christoph Farnleitner

New Pleskian
Hey

Plesk 17.5.3#55 (multi server setup, hence not upgradable)

I'm (unfortunately) running an odoo server within a docker. The database for this odoo inst is located on a remote host. The setup uses default ports (odoo: 8069, 8071 and 8072; redis: 6379, running in a docker as well on the same server; postgres: 5432, running on a remote host)

Once I enable firewall rules on the server hosting my odoo/redis dockers I am unable to connect to the database.

Firewall rules on the docker-host (order is the same as in the firewall management):
Remote DB Host Incoming [test]: Allow incoming from 192.168.1.14, <external IPv4> on all ports
FTP server passive ports: Allow incoming from all on port 49152-65535/tcp
Odoo *: Allow incoming from all on ports 6379/tcp, 8069/tcp, 8071/tcp, 8072/tcp
~all the other default Plesk incoming firewall rules, that ends with~
System policy for incoming traffic: Deny all other incoming traffic
Remote DB Host Outgoing [test]: Allow Outgoing to 192.168.1.14, <external IPv4> on all ports
System policy for outgoing traffic: Allow all other outgoing traffic
System policy for forwarding of traffic: Deny forwarding of all other traffic

* I doubt that ports 8071 and 8072 are even necessary here

Neither via the external IP of the remote host nor with it's LAN IP (servers are put together into a VLAN by a vSwitch) I am able to establish a connection when the firewall is enabled. The remote hosts firewall (the host where the database is located) allows the connection with and without active firewall rules so the remote host should not make any troubles at this point.

I wonder whether there might be a similar problem like with the passive FTP connections in combination with an active firewall (i.e. How to configure passive ports range for ProFTPd on a server behind a firewall?
 
Last edited:
Probably related to Forwarded to devs - Docker(Redis) and Plesk Firewall
It turned out that after enabling the firewall, restarting the docker service and then restarting the containers I had no wan nor lan connection within these docker containers at all.

Interestingly, at one point after restarting the docker service for some more times and the restarting the containers it turned out to be working all of a sudden.

Maybe also related: Docker loses the connection when Plesk Firewall rules were modified

Is it possible to reproduce the issue for anyone else based on the issue description or does anybody have a clue what is causing these troubles? Main concern I got right now is what will happen once new rules are added to the firewall or another docker container gets created...?
Also, if the troubles are related to #PPPM-7924 I would appreciate some more prominent keywords (and a linking from one or the other firewall and docker support articles) in the support article so one can at least find it more easily ;)
 
Hey there,

unfortunately I'm experiencing a similar/the same issue.
In Plesk's firewall I've been blocking all incoming traffic on those exposed docker ports (e.g. Gitlab exposes 3 Ports, Nextcloud 2 Ports).
Also I've created a rule to allow incoming traffic on those ports from my localhost (ip of docker0 interface).

Well this works fine so far, but when I change those rules, my docker containers are unable to get outside of my server so to say. Nextcloud's version check fails and Gitlab's CI runner can't resolve the domain (of its own host in this case) of the repository.

After finding Docker loses the connection when Plesk Firewall rules were modified I've noticed that restarting the docker service helps with containters connecting to the outside world. But now my issue is, that my firewall rules to block access to those exposed docker ports are completely ignored.
According to nmap / Zenmap all of them are open, which is very....uncool.

Are there any updates on those tickets? When can we expect a fix for that issue?

At the moment I'm trying to build my own shell script to restore those broken iptables rules...let's see if this is a workaround for now.

Best Regards,
Stefan
 
I seem to be having the same problem. Unfortunately, restarting the Docker service does not solve it. I have a Strapi app that is not able to connect to a Postgres database running in a container itself, which is exposed (confirmed working externally). The only thing I have found to work is enabling the rule to allow all incoming in the Plesk firewall. This is obviously something I do not want to do.
 
You must log in or register to reply here.

Similar threads

J
Question Plesk Firewall is blocking requests even with configured rules
Replies
2
Views
349
Johnny9977
J
A
Resolved Plesk Firewall and Samba
2
Replies
22
Views
838
Raul A.
R
D
Issue Headscale on Plesk/Client Unable to Reach Server/Firewall Configs
Replies
0
Views
375
dmcgrat4
D
P
Resolved How to expose a Docker port to the public?
Replies
1
Views
2K
philippL
P
S
Question Plesk Firewall do not block connections to Docker container
Replies
0
Views
1K
shopuser
S
Back
Top