Forwarded to devs Plesk Firewall

WebHostingAce

Silver Pleskian
TITLE:
Plesk Firewall
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
CentOS Linux 7.5.1804 (Core)
Product Plesk Onyx Version 17.8.11 Update #28
PROBLEM DESCRIPTION:
Unable to block/deny incoming traffic for Docker ports with Plesk Firewall
STEPS TO REPRODUCE:
Install a Docker - eg Redis on Manual Mapping Port 6379

Plesk Firewall Settings -

Name of the rule - Redis Docker
Match direction - Incoming
Action - Deny
Ports - TCP 6379, UDP 6379
Sources - (any host)
ACTUAL RESULT:
Port 6379 is externally accessible. Unblocked.
EXPECTED RESULT:
Port 6379 to be blocked externally.
ANY ADDITIONAL INFORMATION:
This was working as expected a few weeks ago.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Help with sorting out
 
From developer:

The issue is not reproduced even in default firewall configuration (without additional rule, since there's already a rule that defines system policy for incoming traffic as "deny").
After adding the "Redis Docker" rule as described in STR the situation (obviously) doesn't change (even if incoming traffic policy is changed to "allow").
So, there is no issue. Checked on Ubuntu 16.04 and CentOS 7.
 
Hi @IgorG,

Thank you.

I can reproduce this issue across all my servers. Also I'm not the only one experiencing this issue. Issue - Plesk firewall rule

Could you please ask the dev to test this with the latest Docker and Plesk updates? There were no issues previously.

without additional rule, since there's already a rule that defines system policy for incoming traffic as "deny"

I'm not sure about this. Even the Plesk documentation for Docker asks you to block the ports that will be opened by Docker.

Using Docker
Important: If port mapping is configured, Docker binds to the specified port on all network interfaces of the host system. Usually, this means that the application can be accessed from anywhere. Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL does not allow anonymous access by default, but redis does).
Plesk cannot determine what service is installed in a specific Docker container, and cannot control access to it. If you need to prohibit access to the application from outside Plesk, do it manually using the firewall on the host system.
 
Checked on freshly installed Plesk 17.8:

Code:
# plesk version
Product version: Plesk Onyx 17.8.11 Update #28
    Update date: 2018/11/01 16:07
     Build date: 2018/10/25 16:03
     OS version: CentOS 7.5.1804
       Revision: b4c4245b56286dfd5d0e45d4bb191b84577b118b
   Architecture: 64-bit
Wrapper version: 1.2
# plesk bin extension --get-xml-info docker
<?xml version="1.0"?>
<module fullVersion="1.4.0-138" status="true"/>
# docker version
Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false
 
Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false
# rpm -q psa-firewall
psa-firewall-17.8.11-cos7.build1708180301.19.x86_64
# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
32b672db878b        redis               "docker-entrypoint.s…"   24 seconds ago      Up 22 seconds       0.0.0.0:6379->6379/tcp   redis
# iptables -L | egrep 'Chain|all|6379'
Chain INPUT (policy DROP)
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
...
# # OR
# iptables -L | egrep 'Chain|all|6379'
Chain INPUT (policy DROP)
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:6379
DROP       udp  --  anywhere             anywhere             udp dpt:6379
ACCEPT     all  --  anywhere             anywhere
...

Checked both the default configuration with the firewall enabled (above) and a configuration with the suggested "Redis Docker" rule. After that, a connection from another machine is not possible:

Code:
# telnet 10.52.35.113 6379
Trying 10.52.35.113...
^C

So the issue does not reproduce with the provided STR.
 
Hi @IgorG,

Thank you!!!

I just tried with a newly built server as well and can reproduce the issue.

I checked all the versions. They are exactly the same.

Could you please try with Fail2Ban and ModSecurity installed and enabled?
 
Fail2ban and ModSecurity do not open connections to arbitrary ports in the firewall, so they are irrelevant in this case.
If you're using the Plesk Firewall module, please also make sure that firewalld is disabled in the system.
 
firewalld was running. I stopped it. But the issue is still there.

Here is my iptables -L output:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere           
DROP       tcp  --  anywhere             anywhere             tcp dpt:6379
DROP       udp  --  anywhere             anywhere             udp dpt:6379
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:49152:65535
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8447
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:cddbp-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:poppassd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:postgres
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere           
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:6379

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Please check if you can help.

Thank you.
 
Find the source of the following rule and eliminate it:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere           
DROP       tcp  --  anywhere             anywhere             tcp dpt:6379
DROP       udp  --  anywhere             anywhere             udp dpt:6379
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:49152:65535
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:12443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:11444
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8447
...
ACCEPT     icmp --  anywhere             anywhere             icmptype 8 code 0
DROP       all  --  anywhere             anywhere
 
Hi @IgorG

Thank you.

I contacted the Plesk Support.

They have confirmed this is a bug and have sent me the workaround.

Plesk Firewall deny rules do not block connections to Docker container

Hello,

I have checked the issue.

This issue is submitted as a bug PPPM-9222 which is planned to be fixed in one of the future Plesk updates.
As a workaround please add the following rule via the command line:

Code:
iptables -I FORWARD -d 172.17.0.2 -p tcp --dport 6379 -j DROP
Also, you may subscribe to the following article in order to be notified when the bug is fixed:
Plesk Firewall deny rules do not block connections to Docker container

Please let me know if you have any additional questions.

Best Regards,

Bato Tsydenov
Technical Support Engineer
Plesk
 
Is there any progress on this bug?
Since Docker containers are quite popular, it would be good if Plesk Firewall could handle this...
 
@MSZ You can start the Docker container from the command line, bound to the local host.

Eg - docker run --name=varnish -p 127.0.0.1:32780:80 "million12/varnish"
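The support workaround above, generalised to every published port, with the loopback binding from the last reply treated as already safe. This is an added shell example, not code from the thread or from Plesk; the docker commands in its header comment are an assumption about how the input would be collected on a live host, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk). Published Docker ports are
# DNATed in PREROUTING and then traverse FORWARD, so a Plesk Firewall "deny"
# rule in INPUT never sees them. This script turns the PORTS column of
# "docker ps" into the FORWARD-chain DROP rules Plesk support suggested as the
# workaround, one per externally published mapping.
#
# Input, one line per container: "<container_ip> <PORTS column of docker ps>"
# On a live host it could be produced with (assumed commands):
#   docker ps --format '{{.ID}}' | while read -r id; do
#     printf '%s %s\n' "$(docker inspect -f '{{.NetworkSettings.IPAddress}}' "$id")" \
#                      "$(docker ps --filter id="$id" --format '{{.Ports}}')"
#   done
# Commands are only printed, never executed, so the output can be reviewed first.

gen_docker_drop_rules() {
    while read -r cip ports; do
        [ -n "$cip" ] || continue
        # Mappings are comma separated: "0.0.0.0:6379->6379/tcp, 0.0.0.0:6379->6379/udp"
        for m in $(printf '%s' "$ports" | tr ',' ' '); do
            bind=${m%%:*}        # host address the port is bound to
            rest=${m#*->}        # "6379/tcp": port and protocol inside the container
            cport=${rest%/*}
            proto=${rest#*/}
            case "$bind" in
                # Bound to loopback only: reachable from the host alone, as the
                # last reply suggests (-p 127.0.0.1:PORT:PORT). Nothing to block.
                127.*) continue ;;
                # IPv6 wildcard (":::port"): the bind field is empty; the IPv4
                # rule below would not cover it, so flag it instead.
                "") printf '# IPv6 publication %s needs an ip6tables rule\n' "$m"
                    continue ;;
            esac
            # Same shape as the workaround from Plesk support, parameterised:
            #   iptables -I FORWARD -d 172.17.0.2 -p tcp --dport 6379 -j DROP
            printf 'iptables -I FORWARD -d %s -p %s --dport %s -j DROP\n' \
                "$cip" "$proto" "$cport"
        done
    done
}

# Constructed sample resembling the thread's host: redis published on all
# interfaces for TCP and UDP, plus a varnish container bound to loopback.
SAMPLE='172.17.0.2 0.0.0.0:6379->6379/tcp, 0.0.0.0:6379->6379/udp
172.17.0.3 127.0.0.1:32780->80/tcp'

printf '%s\n' "$SAMPLE" | gen_docker_drop_rules
```

Docker evaluates the DOCKER-USER chain (the first entry of FORWARD in the listing above) before its own rules and does not rewrite it, so the same rules can be inserted there with -I DOCKER-USER if you want them to survive Docker recreating its chains.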
 