[pve-devel] URGENT: BUG Firewall after Update

Detlef Bracker bracker at 1awww.com
Thu Dec 7 07:10:14 CET 2017


Dear,

A new bug after we updated Proxmox with the firewall today.

General settings in cluster.fw, normal (cut) for Plesk! See here: the
first line is marked with |.
The disable marker is ignored; it may be because of a second setting for
8443 which is activated in the rules!

See the iptables rules below!

[group plesk] # Plesk-Server - Options IN: DROP

|IN DROP -p tcp -dport 8443 # not activated
|IN ACCEPT -p tcp -dport 9080 # Tomcat-Applications
IN ACCEPT -p tcp -dport 8447 # Plesk Installer, Plesk Upgrades and updates
IN ACCEPT -p tcp -dport 5224 # Plesk-Licensing-Communications
|IN MSSQL(ACCEPT)
|IN PostgreSQL(ACCEPT)
IN MySQL(ACCEPT)
IN ACCEPT -p tcp -dport 106 # Mail password change service
IN IMAPS(ACCEPT)
IN IMAP(ACCEPT)
IN Mail(ACCEPT)
IN SMTPS(ACCEPT)
IN SMTP(ACCEPT)
IN SSH(ACCEPT)
IN ACCEPT -p tcp -dport 57000:58000 # FTP MLSD
IN FTP(ACCEPT)
IN HTTPS(ACCEPT)
IN HTTP(ACCEPT)
|IN ACCEPT -p udp -dport 1194 # VPN-Service
|IN ACCEPT -p udp -dport 137,138,139,445 # Samba File-Sharing in Windows-Network
IN ACCEPT -p tcp -dport 8443 # Plesk GUI administration
IN DROP -source fakedgooglens -p udp -sport 59032 # Hacking 8.8.8.8:59032
IN DROP -source fakedgooglens -p tcp -sport 59032 # Hacking 8.8.8.8:59032
IN DROP -source fakedgooglens -p udp -sport 61961 # Hacking 8.8.8.8:61961
IN DROP -source fakedgooglens -p tcp -sport 61961 # Hacking 8.8.8.8:61961
IN Ping(ACCEPT)
IN ACCEPT -source 213.32.112.200 -p udp -dport 53 # ns2.1awww.net
IN ACCEPT -source 213.32.112.200 -p tcp -dport 53 # ns2.1awww.net
IN ACCEPT -source 5.135.125.189 -p udp -dport 53 # ns3.1awww.net
IN ACCEPT -source 5.135.125.189 -p tcp -dport 53 # ns3.1awww.net
IN ACCEPT -source 178.32.95.222 -p udp -dport 53 # A ns2.1awww.net
IN ACCEPT -source 178.32.95.222 -p tcp -dport 53 # A ns2.1awww.net
IN ACCEPT -source 5.135.125.184 -p udp -dport 53 # ns1.1awww.net
IN ACCEPT -source 5.135.125.184 -p tcp -dport 53 # ns1.1awww.net
IN DROP -p udp -dport 53
IN DROP -p tcp -dport 53

Wrong iptables rules when line 1 is in the rules:

iptables -L | grep 8443
DROP       tcp  --  anywhere             anywhere             tcp dpt:8443
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere anywhere            [goto]  tcp dpt:8443

Without line 1 in the rules, iptables looks like this:

iptables -L | grep 8443
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere anywhere            [goto]  tcp dpt:8443

Insert the deactivated rule again in the general settings, then we see
the wrong iptables rules again!

iptables -L | grep 8443
DROP       tcp  --  anywhere             anywhere             tcp dpt:8443
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere anywhere            [goto]  tcp dpt:8443

Regards

Detlef
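As an added example (not part of the original post, nor Proxmox's own code), a small Python checker that parses a cluster.fw group section in the syntax shown above, honours the leading `|` disable marker, and compares the enabled rules against `iptables -L` output so that a disabled rule which still reached iptables is reported. The rule excerpt and the iptables lines are constructed to reproduce the 8443 symptom; port-wrapped output lines are assumed to have been rejoined first.

```python
import re

# Constructed excerpt in the cluster.fw group syntax from the post; a leading
# '|' marks a rule as disabled in the GUI and it must not reach iptables.
CLUSTER_FW = """\
[group plesk] # Plesk-Server - Options IN: DROP
|IN DROP -p tcp -dport 8443 # disabled in the GUI
IN ACCEPT -p tcp -dport 8447 # Plesk Installer
IN ACCEPT -p tcp -dport 8443 # Plesk GUI
"""

# Constructed 'iptables -L'-style output reproducing the reported symptom:
# a DROP for 8443 appears (and precedes the accept mark), so the disabled rule leaked.
IPTABLES_OUT = """\
DROP       tcp  --  anywhere   anywhere   tcp dpt:8443
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere   anywhere   [goto]  tcp dpt:8443
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere   anywhere   [goto]  tcp dpt:8447
"""

RULE_RE = re.compile(r"^(\|?)(IN|OUT)\s+(ACCEPT|DROP|REJECT)\b(.*)$")
TARGET_TO_ACTION = {"DROP": "DROP", "REJECT": "REJECT", "PVEFW-SET-ACCEPT-MARK": "ACCEPT"}

def parse_group_rules(text):
    """Return (enabled, direction, action, dport) for every rule line carrying -dport."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # section header, blank line, or macro rule such as IN SSH(ACCEPT)
        opts = m.group(4).split("#", 1)[0]  # drop the trailing comment
        port = re.search(r"-dport\s+(\S+)", opts)
        if port:
            rules.append((m.group(1) == "", m.group(2), m.group(3), port.group(1)))
    return rules

def parse_iptables(text):
    """Return (action, dport) for each 'iptables -L' line with a dpt: match."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        m = re.search(r"dpt:(\S+)", line)
        if parts and m and parts[0] in TARGET_TO_ACTION:
            entries.append((TARGET_TO_ACTION[parts[0]], m.group(1)))
    return entries

def leaked_rules(rules, entries):
    """(action, port) pairs present in iptables that no *enabled* rule explains."""
    enabled = {(a, p) for on, _, a, p in rules if on}
    return sorted({(a, p) for a, p in entries if (a, p) not in enabled})
```

Running `leaked_rules(parse_group_rules(CLUSTER_FW), parse_iptables(IPTABLES_OUT))` on the constructed data reports the DROP on 8443, which only the disabled line could have produced.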
