Plesk Firewall deny rules do not block connections to Docker container




  • Avatar

    Can confirm that the problem occurs on Plesk Onyx 17.8.11 Update #35. The iptables should not be changed via shell since it is overwritten, as mentioned in the Preview function.
    Is there any other way to deny Docker managed ports from external access?

  • Avatar
    Alexandr Redikultsev

    Hi @Francis,

    Have you tried to add a rule that precisely blocks the specific Docker port via Plesk Firewall?

    Try it out and let me know in case it works.

  • Avatar

    Hi @Alexandr


    How do we add this to Plesk Firewall? I tried, but it doesn't seem to work.

  • Avatar
    Ivan Postnikov

    Hello @Dumith,

    Detailed instructions on how to use Plesk Firewall may be found here

    Please note that the issue from this article is still not resolved. So in case you have faced this issue, you will need to use the workaround from the article (SSH access will be required).

  • Avatar
    Dumith (Edited)

    How can we make this permanent for now? Tried Plesk Firewall. It's not working.

    Every time Plesk Panel updates/restarts or the server restarts, port 6379 becomes open. Huge problem, as hackers attack Redis. Many servers are running Redis.

    Thank you.

  • Avatar
    Ivan Postnikov

    Hello @Dumith,

    >> How can we make this permanent for now? Tried Plesk Firewall. It's not working.
    Until the bug is fixed, there is currently no permanent solution in Plesk Firewall. It is necessary to add firewall rules to iptables manually, as described in the workaround.

    Iptables resets to default settings after a server reboot. Here are examples of how to save iptables rules permanently for different OSes:
    CentOS 7 -
    For Debian/Ubuntu -

  • Avatar
    Imre Szalai

    It also seems to restart Docker, or at least the containers, every time you apply the firewall rules. This bug can result in big security issues without continuous and proper attention; it should be solved/hotfixed immediately.

  • Avatar
    Konstantin Annikov


    I believe it is not needed to restart the container. The issue is inside iptables module only. Docker Forward rules are placed higher than Plesk firewall's rules and the following occurs:

    1. A request comes to port 6379
    2. Forward rule is executed
    3. The request goes further according to this rule and totally ignores the Drop rule, which is located after the Forward rule

    So, restarting the container has no influence in that case.

    The bug already has Major priority and we are working on the fix. Please follow this article to be notified once the fix becomes available. Until then, please use the workaround described in the article.

  • Avatar
    Imre Szalai

    I meant that whenever I apply new rules to the Plesk firewall Docker is restarted automatically, every container I have restarts except for the ones that do not have the --restart=always option, and I have several containers that are not autostarted, which means that I have to manually start those containers every time I change firewall rules.

  • Avatar
    Alisa Kasyanova

    @Imre Szalai
    Thank you for the clarification! I suppose you've hit the bug from the following article:
    It is being investigated by our development team, so the fix should become available in the next updates. Please follow this article to receive a notification when the bug is fixed.
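
The rule ordering Konstantin Annikov describes above, as an added example that is not part of the original thread or Plesk's code: a first-match walk over constructed `iptables -S` lines, showing which rule decides a connection to port 6379. It models only the `-i`, `-o`, `-p` and `--dport` matches with ACCEPT/DROP/REJECT targets and chain jumps, and assumes the bridge is `docker0`, the external interface is `eth0`, and the published port equals the container port.

```python
import shlex

# Constructed `iptables -S` lines (not from a real server): the Docker jump
# sits above the deny rule, as described in the thread.
BROKEN = """\
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -p tcp -m tcp --dport 6379 -j DROP
-A DOCKER ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
"""
# Same rules with the deny rule evaluated first.
REORDERED = """\
-A FORWARD -p tcp -m tcp --dport 6379 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A DOCKER ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
"""
# Assumed packet: external TCP connection to 6379, already routed to the bridge.
PACKET = {"-p": "tcp", "--dport": "6379", "-i": "eth0", "-o": "docker0"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Map chain name -> ordered list of (matches, target, raw rule line)."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        matches, target, neg, i = {}, None, False, 2
        while i + 1 < len(tok):
            if tok[i] == "!":          # negation applies to the next option
                neg, i = True, i + 1
                continue
            if tok[i] == "-j":
                target = tok[i + 1]
            elif tok[i] in PACKET:     # only the modelled match options
                matches[tok[i]] = (tok[i + 1], neg)
            neg, i = False, i + 2
        chains.setdefault(tok[1], []).append((matches, target, line))
    return chains

def verdict(chains, pkt, chain="FORWARD"):
    """First matching terminal rule wins; later rules are never evaluated."""
    for matches, target, line in chains.get(chain, []):
        if not all((pkt.get(k) == v) != neg for k, (v, neg) in matches.items()):
            continue
        if target in TERMINAL:
            return target, line
        if target in chains:           # jump into a user-defined chain
            hit = verdict(chains, pkt, target)
            if hit[0]:
                return hit
    return None, None
```

Feeding `parse()` the real output of `iptables -S` and calling `verdict()` with the port in question returns the rule line that actually decides the packet, which makes a shadowed deny rule visible after each firewall apply or reboot.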
