
Remove psa-firewall and use iptables in OS

Michael MacDonald

Basic Pleskian
I want to remove the psa-firewall and use iptables within the OS. I am trying to get the Plesk server to meet PCI standards and am thinking that using iptables within the Redhat OS will allow me to block any and all ports I don't want advertised. I do not seem to be able to block 8443 using the Plesk firewall. I would like to block 8443 except for certain IP addresses.

I need to make sure that I can remove psa-firewall and then start the iptables service. Right now, I am not able to start iptables - even with psa-firewall shut down.

Please advise.

Thank you.
 
Maybe you will just wait for the 9.5.0 release?

http://download1.parallels.com/Plesk/Panel9.5/plesk-9.5.0-for-rpm-based-os.html#20

PCI Compliance — Parallels Plesk Panel can be made compliant with the Payment Card Industry Data Security Standard. This can be achieved by running a special PCI compliance resolver utility and additional tuning of system components, as described in the document Achieving PCI Compliance for Servers Managed by Parallels Plesk Panel 9.5. The document is available at http://download1.parallels.com/Plesk/Panel9.5/Doc/en-US/plesk-9.5-pci-compliance-guide/.
 
I like what I read about 9.5 but I don't want to wait. Also almost without fail, every time I upgrade Plesk there is a problem. Sometimes there are BIG problems. Are you saying there is no way to remove the psa-firewall module and use iptables from the OS? I would like to do this.
 
What is the problem? For example:

# rpm -qa | grep firewall
psa-firewall-1.0.1-cos5.build93091230.06

# rpm -e psa-firewall-1.0.1-cos5.build93091230.06

# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]

# /etc/init.d/iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
I did it like this on Debian/Ubuntu

# save current firewall
iptables-save >/etc/iptables.rules
# remove plesk's firewall module
aptitude remove psa-firewall

# create iptables-startup script
echo '#!/bin/sh' >/etc/network/if-up.d/iptables
echo 'iptables-restore </etc/iptables.rules' >>/etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

Your firewall script can then be edited using 'vi' in /etc/iptables.rules
 
I just recently did it on a CentOS server. It's a bit different because that distribution already has its firewall more or less configured.

Code:
# cd /etc/sysconfig
# iptables-save                     # check if you are really running a firewall now
# cp -p iptables iptables.org       # save the original OS firewall (for documentation)
# iptables-save >iptables.plesk     # save the firewall as it's currently running
# iptables-save >iptables           # save it again to the one we will be using

# chkconfig iptables on             # re-enable the OS firewall module

# rpm -qa | grep firewall           # find out the name of the Plesk firewall module
psa-firewall-10.13.4-cos5.build1013111102.18

# rpm -e psa-firewall-10.13.4-cos5.build1013111102.18   # erase the Plesk firewall module
# /etc/init.d/iptables start        # start the firewall
# iptables-save                     # check if it is working...
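
Added example, not part of any post in this thread and not Plesk code: once the rules live in a plain iptables-save file, the original request (8443 reachable only from certain addresses) can be written as ordered INPUT rules and checked offline before the file is loaded. The function names and the addresses (documentation ranges) are assumptions; the audit only understands simple `-s`/`-i`/state/`--dport` rules and ignores jumps to custom chains.

```shell
#!/bin/sh
# Constructed sample: addresses are RFC 5737 documentation ranges, not from the thread.

# Print INPUT rules in iptables-save syntax: one ACCEPT per allowed source,
# then a DROP for everyone else. Order matters because the first match wins.
emit_8443_rules() {
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m tcp --dport 8443 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport 8443 -j DROP"
}

# Wrap the rules in a minimal filter table, as iptables-save would print it.
sample_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    emit_8443_rules "$@"
    printf '%s\n' 'COMMIT'
}

# Read iptables-save output on stdin and print "open" or "restricted" for
# new TCP connections to 8443 from an arbitrary source. Rules narrowed by
# source, interface or connection state are skipped; the first remaining
# rule that covers 8443 decides, otherwise the INPUT policy does.
audit_8443() {
    awk '
        BEGIN { policy = "ACCEPT" }
        /^\*/ { table = $1 }
        /^:INPUT / && table == "*filter" { policy = $2 }
        /^-A INPUT / && table == "*filter" && verdict == "" {
            narrowed = 0; dport = ""; proto = "tcp"; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" || $i == "-i" || $i == "--state" || $i == "--ctstate") narrowed = 1
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (narrowed || proto != "tcp" || (dport != "" && dport != "8443")) next
            if (target == "ACCEPT") verdict = "open"
            if (target == "DROP" || target == "REJECT") verdict = "restricted"
        }
        END { if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "restricted"; print verdict }
    '
}

sample_ruleset 192.0.2.10 198.51.100.0/24 | audit_8443
```

An empty ruleset with policy ACCEPT, like the `iptables -L` output posted earlier in the thread, is reported as "open".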
 