
Is it possible to combine the Plesk firewall and ASL?

Posted: Thu Dec 06, 2007 6:55 am
by benji
Is it possible to use the Plesk firewall at the same time as ASL? Don't know if this is a stupid question.

Thanks

Posted: Thu Dec 06, 2007 9:10 am
by scott
Yep, it's 100% compatible with any 3rd-party firewall interface: Plesk, APF, Shorewall, Firestarter, etc.

Posted: Thu Dec 06, 2007 9:33 am
by benji
Ok, so if I do a /etc/init.d/psa-firewall restart, or if I go to the Plesk control panel and apply new firewall rules, that does not affect ASL, right? (just making sure... :) )

Posted: Thu Dec 06, 2007 9:38 am
by scott
Yep, that's totally safe.

Posted: Thu Jan 03, 2008 10:17 am
by benji
I'm unsure about that "totally safe"... On my server I'm using the Plesk firewall, and I found that after activating the firewall, after a while ASL resets the iptables configuration and makes its own.

I mean, right after I activate the config through the Plesk CP, from an SSH shell I issue the command:
/sbin/iptables -L

[root@s1 ]# /sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:poppassd
DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql
DROP       tcp  --  anywhere             anywhere            tcp dpt:postgres
DROP       tcp  --  anywhere             anywhere            tcp dpt:9008
DROP       tcp  --  anywhere             anywhere            tcp dpt:9080
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1194
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     icmp --  anywhere             anywhere            icmp type 8 code 0
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

to see the actual iptables configuration, but if I come back 3 to 4 days later (no reboots made...!) and issue the same command, I get the following:

[root@s1 ]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  222.241.211.162      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             222.241.211.162

As you see, my Plesk firewall config has been cleaned out and replaced by ASL's...

Posted: Thu Jan 03, 2008 1:27 pm
by scott
Hmm, ASL doesn't have any kind of "clear" function. It uses a 1-to-1 add/delete script based on the IP address; it sends:

iptables -I INPUT -s <IP> -j DROP

or

iptables -D INPUT -s <IP> -j DROP

As you can see, the logic is very simple (ditto for FORWARD); it's purely used for blocking. It doesn't even touch the OUTPUT table.

I suspect you've got something else going on there. To achieve that kind of reset event you'd have to run /etc/init.d/iptables stop, or iptables -t <tablename> -F. You might want to put a wrapper around iptables to see what is calling it.

Posted: Fri Jan 04, 2008 7:16 am
by benji
Yep, I would like to know what's going on... but I don't know how to put a wrapper around iptables... is it very difficult? Where should I start looking?

Also, might it be the "watchdog"? I use Plesk Watchdog; I have it activated for all services...

The thing is that this has only happened since I have ASL... ?

Posted: Fri Jan 04, 2008 8:01 am
by breun
benji wrote: Yep, I would like to know what's going on... but I don't know how to put a wrapper around iptables... is it very difficult? Where should I start looking?
You should know a thing or two about shell scripting. The basic idea is to rename the iptables binary to something else (e.g. iptables.orig) and then create a script that, for instance, logs its arguments to a file or sends them to you by e-mail and finally calls the real iptables (iptables.orig).

We have no problems with ASL and firewalls.
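A working version of the wrapper scott suggested and breun described, added here as an example; it is not code posted in the thread and not part of ASL or Plesk. The paths are assumptions: the real binary is taken to have been moved to /sbin/iptables.orig and the log is written to /var/log/iptables-wrapper.log (both overridable through the environment). Besides recording the arguments, it records the parent process that invoked iptables and tags each call as a plain add/delete (the 1-to-1 logic scott describes), a listing, or a RESET (-F, -X or -P), which is the only kind of call that could leave the empty ACCEPT-policy chains shown in the second listing.

```shell
#!/bin/sh
# iptables logging wrapper (added example, not code from the thread, ASL or Plesk).
# Assumed paths: the real binary has been moved to /sbin/iptables.orig and the
# log goes to /var/log/iptables-wrapper.log; both can be overridden by environment.
#
# Install (as root):
#   mv /sbin/iptables /sbin/iptables.orig
#   install -m 0755 iptables-wrapper.sh /sbin/iptables
# Undo by moving /sbin/iptables.orig back over /sbin/iptables.

REAL_IPTABLES="${REAL_IPTABLES:-/sbin/iptables.orig}"
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/iptables-wrapper.log}"

# Classify one invocation so a chain reset stands out in the log.
# -F/-X/-P (and their long forms) are the only options that empty chains or
# change policies; -I/-A/-D are the plain add/delete calls a per-IP blocker issues.
classify_args() {
    class=OTHER
    for arg in "$@"; do
        case "$arg" in
            -F|--flush|-X|--delete-chain|-P|--policy) echo RESET; return 0 ;;
            -I|--insert|-A|--append) class=ADD ;;
            -D|--delete) class=DELETE ;;
            -L|--list|-S|--list-rules) class=LIST ;;
        esac
    done
    echo "$class"
}

# One log line: timestamp, uid, the parent process and its command line
# (that parent is the script or daemon we are trying to identify), the class
# and the raw arguments.
log_line() {
    ppid=$PPID
    # /proc/<pid>/cmdline is NUL-separated; turn the NULs into spaces.
    parent_cmd=$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null || true)
    printf '%s uid=%s ppid=%s parent=[%s] class=%s args: %s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$ppid" "$parent_cmd" \
        "$(classify_args "$@")" "$*"
}

wrapper_main() {
    if [ ! -x "$REAL_IPTABLES" ]; then
        echo "iptables wrapper: $REAL_IPTABLES missing; refusing to run" >&2
        exit 1
    fi
    # Never let a logging problem break the firewall: log, then exec regardless.
    log_line "$@" >> "$WRAPPER_LOG" 2>/dev/null || true
    exec "$REAL_IPTABLES" "$@"
}

# Act as the wrapper only when installed under the iptables name; sourcing
# the file just defines the functions above.
case "${0##*/}" in
    iptables) wrapper_main "$@" ;;
esac
```

After a few days, grep the log for class=RESET: the parent=[...] field names the process that flushed the chains or changed the policies, so an ASL block/unblock would show up as class=ADD or class=DELETE and something else would show up as the RESET. Two caveats: $PPID is the immediate parent, so for an init script you will see something like /bin/sh /etc/init.d/... rather than whatever started that script, and an iptables package update will overwrite /sbin/iptables and silently remove the wrapper, so check that it is still in place if the log goes quiet.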