Plesk Firewall deny rules do not block connections to Docker container

Comments

20 comments

  • Francis

    Can confirm that on Plesk Onyx 17.8.11 Update #35 the problem occurs. The iptables rules should not be changed via the shell since they are overwritten, as mentioned in the Preview function.
    Is there any other way to deny external access to Docker-managed ports?

  • Alexandr Redikultsev

    Hi @Francis,

    Have you tried adding a rule via Plesk Firewall to block the specific Docker port?

    Try it out and let me know whether it works.

  • Dumith

    Hi @Alexandr,

    How do we add this to Plesk Firewall? I tried, but it doesn't seem to work.

  • Ivan Postnikov

    Hello @Dumith,

    Detailed instructions on how to use Plesk Firewall may be found here.

    Please note that the issue from this article is still not resolved, so if you have faced it, you will need to use the workaround from the article (SSH access will be required).

  • Dumith (Edited)

    Hi,
    How can we make this permanent for now? Tried Plesk Firewall. It's not working.

    Every time Plesk Panel updates/restarts or the server restarts, port 6379 becomes open. Huge problem, as hackers attack Redis. Many servers are running Redis.

    Thank you.

  • Ivan Postnikov

    Hello @Dumith,

    >> How can we make this permanent for now? Tried Plesk Firewall. It's not working.
    Until the bug is fixed, there is currently no permanent solution in Plesk Firewall. It is necessary to add the firewall rules to iptables manually, as described in the workaround.

    iptables resets to its default settings after a server reboot. Here are examples of how to save iptables rules permanently for different OSes:
    CentOS 7 - https://serverfault.com/questions/626521/centos-7-save-iptables-settings
    Debian/Ubuntu - https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently

  • Imre Szalai

    It also seems to restart Docker, or at least the containers, every time you apply the firewall rules. This bug can result in big security issues without continuous and proper attention; it should be solved/hotfixed immediately.

  • Konstantin Annikov

    @Imre,

    I believe it is not necessary to restart the container. The issue is inside the iptables module only. Docker's FORWARD rules are placed higher than Plesk Firewall's rules, and the following occurs:

    1. A request comes in to port 6379
    2. The forward rule is executed
    3. The request goes further according to this rule and totally ignores the DROP rule, which is located after the forward rule

    So, restarting the container has no influence in that case.

    The bug already has Major priority and we are working on the fix. Please follow this article to be notified once the fix becomes available. Until then, please use the workaround described in the article.
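
Added example, not from the Plesk article or from any of the commenters, illustrating the rule-ordering explanation in the comment above together with the save-the-rules advice earlier in the thread. It contains a constructed `iptables -S FORWARD` listing (not captured from a real server), a check that tells whether a DROP for a port sits below Docker's jump and is therefore never reached, a DROP placed in the DOCKER-USER chain (the mechanism Docker documents for host-firewall rules; the article's own workaround is not quoted on this page, so the exact rule here is an assumption), and the save command per OS family. `eth0` as the external interface, and CentOS 7 with iptables-services / Debian and Ubuntu with iptables-persistent, are assumptions.

```shell
#!/bin/sh
# Added example (not from the Plesk article or any commenter): why a DROP rule
# that a host firewall appends to the FORWARD chain never fires for a Docker
# published port, plus the DOCKER-USER workaround and the persistence step.
# Port 6379 (Redis) is the port named in the thread. The listing below is
# CONSTRUCTED to resemble `iptables -S FORWARD` on a Docker host; it was not
# captured from a real server.

SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6379 -j DROP'

# Packets for a published port are DNATed in PREROUTING to the container
# address, then traverse FORWARD top to bottom. "-j DOCKER" ACCEPTs them
# (Docker adds a per-container ACCEPT in that chain), so a DROP appended
# further down is never reached. Prints 1 if the DROP for port $1 sits below
# the DOCKER jump (shadowed), 0 if it sits above it, 2 if there is no such DROP.
drop_is_shadowed() {
  port="$1"; listing="$2"
  docker_line=$(printf '%s\n' "$listing" | grep -n -e '-j DOCKER$' | head -n 1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$listing" | grep -n -e "--dport $port -j DROP" | head -n 1 | cut -d: -f1)
  if [ -z "$drop_line" ]; then echo 2; return; fi
  if [ -n "$docker_line" ] && [ "$drop_line" -gt "$docker_line" ]; then echo 1; else echo 0; fi
}

# Workaround: put the DROP in DOCKER-USER, which FORWARD jumps to before any
# Docker-managed rule and which Docker does not flush when it restarts. The
# packet is already DNATed at this point, so match the ORIGINAL destination
# port via conntrack rather than --dport (the two differ when
# "-p HOSTPORT:CONTAINERPORT" uses different numbers). $2 is the external
# interface; "eth0" is an assumption.
workaround_cmds() {
  port="$1"; ext_if="${2:-eth0}"
  printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' "$ext_if" "$port"
}

# iptables rules live only in kernel memory; save them, or the reboot/update
# mentioned in the thread reopens the port. Assumed tooling: CentOS 7 with
# iptables-services, Debian/Ubuntu with iptables-persistent.
persist_cmd() {
  case "$1" in
    centos) echo 'iptables-save > /etc/sysconfig/iptables' ;;
    debian) echo 'netfilter-persistent save' ;;
    *)      echo 'iptables-save > /etc/iptables.rules   # restore it from a boot script' ;;
  esac
}

# Stand-alone run: report the verdict for the sample listing, then the fix.
case "$(drop_is_shadowed 6379 "$SAMPLE_FORWARD")" in
  1) echo "DROP for 6379 is shadowed by the DOCKER jump; apply and save:"
     workaround_cmds 6379 eth0
     persist_cmd centos ;;
  0) echo "DROP for 6379 is evaluated before Docker's rules" ;;
  2) echo "no DROP rule for 6379 found" ;;
esac
```

On a live host, feed `drop_is_shadowed` the real output of `iptables -S FORWARD`; if it prints 1, the Plesk-applied deny rule is dead for that port and the DOCKER-USER rule is what actually closes it. Re-check after a Plesk update or reboot, since that is exactly when the thread reports the port reopening.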

  • Imre Szalai

    I meant that whenever I apply new rules to the Plesk firewall, Docker is restarted automatically. Every container I have restarts except for the ones that do not have the --restart=always option, and I have several containers that are not autostarted, which means that I have to manually start those containers every time I change firewall rules.

  • Alisa Kasyanova

    @Imre Szalai
    Thank you for the clarification! I suppose you've hit the bug from the following article:
    https://support.plesk.com/hc/en-us/articles/360000515754-Docker-loses-the-connection-when-Plesk-Firewall-rules-were-modified
    It is being investigated by our development team, so the fix should become available in the next updates. Please follow this article to receive a notification when the bug is fixed.

  • Priyan A

    Hi,

    I'm the one who informed the Plesk team about this bug on Sep 5, 2018. I was expecting Plesk to take immediate action, as there will be many Plesk users affected by this bug, but still nothing.

  • Ivan Postnikov

    Hello @Priyan A,

    Thank you for the feedback. Indeed, the Plesk Development team was concentrating on other, more critical bugs and on new functionality.

    There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.

    Until a fix becomes available, please use the workaround from this article.

  • Priyan A

    Hi @Ivan Postnikov,

    The problem with this workaround is that it does NOT explain to the user that the port will be re-opened almost every time Plesk updates or the server restarts.

  • Vladimir Chernikov

    Hello @Priyan A,

    Thank you for pointing that out.

    In order to avoid losing the rules after an iptables restart, it is required to save them:
    https://support.plesk.com/hc/en-us/articles/213404549-Firewall-rules-disappeared-after-restarting-iptables

    I have added the additional step to the resolution.

  • Nils

    Any updates on this issue?

  • Daria Gavrilova

    Hello @Priyan A,

    Thank you for your input!
    We really appreciate it.

  • Daria Gavrilova

    Hello @Nils,

    Thank you for your question.

    There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.
    Please subscribe to the article to be notified when the bug is fixed.

  • Priyan A

    Hi @Nils,

    I have solved this issue by binding the Redis Docker container to localhost.

    Please follow my instructions in the URL I posted above.
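
Added example, not from the Plesk article or from any of the commenters, showing the loopback-binding approach the last comment refers to: how to publish a container port on 127.0.0.1 only (Docker's own `-p ADDR:HOSTPORT:CONTAINERPORT` syntax), and a small audit over `docker ps` output that lists every container whose port is published on all interfaces, which is the situation the thread's firewall rules fail to cover. The `docker ps` sample is constructed, and the image tag `redis:7` and container names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Plesk article or any commenter): publishing a
# container port on the loopback address only, and auditing running
# containers for ports published on every interface. "-p 127.0.0.1:H:C" is
# Docker's own publish syntax. The `docker ps` output below is CONSTRUCTED
# in the shape of `docker ps --format '{{.Names}}\t{{.Ports}}'`, not captured.

SAMPLE_PS=$(printf 'redis-prod\t0.0.0.0:6379->6379/tcp, :::6379->6379/tcp\nredis-local\t127.0.0.1:6380->6379/tcp\napp\t0.0.0.0:8080->80/tcp\n')

# Print "<container> <host_port>" for every mapping bound to 0.0.0.0 or ::,
# i.e. reachable from outside regardless of what the host firewall appends
# to FORWARD. Loopback-only mappings are skipped. Input is the output of:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
wide_open_ports() {
  printf '%s\n' "$1" | awk -F'\t' '{
    n = split($2, maps, ", *")
    for (i = 1; i <= n; i++) {
      if (match(maps[i], /^(0\.0\.0\.0|::):[0-9]+->/)) {
        hp = substr(maps[i], 1, RLENGTH)   # e.g. "0.0.0.0:6379->"
        sub(/->$/, "", hp); sub(/^.*:/, "", hp)
        print $1, hp
      }
    }
  }' | sort -u
}

# The fix the last comment describes: bind the published port to 127.0.0.1 so
# only processes on the host itself can reach it. A running container's port
# mapping cannot be changed in place; the container has to be recreated with
# the new -p. $3 (container name) defaults to "redis"; the image is assumed.
localhost_run_cmd() {
  image="$1"; port="$2"; name="${3:-redis}"
  printf 'docker run -d --name %s -p 127.0.0.1:%s:%s %s\n' "$name" "$port" "$port" "$image"
}

# Stand-alone run: list the exposed mappings, then print the recreate command
# for any container found publishing 6379 to the world.
wide_open_ports "$SAMPLE_PS" | while read -r name port; do
  echo "exposed: $name on host port $port"
  if [ "$port" = 6379 ]; then
    echo "recreate $name (docker rm -f $name first) with:"
    localhost_run_cmd redis:7 6379 "$name"
  fi
done
```

After recreating the container, confirm with `ss -ltn` that nothing listens on `0.0.0.0:6379` or `:::6379` any more. Unlike the firewall approach, this survives Plesk updates and reboots because the binding is part of the container definition rather than of the iptables state; it does not, however, protect the port from other software running on the same host.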
