Managing Custom Rules
This section describes how to add, modify, remove custom rules, and change the order in which the rules are applied. This section also covers the steps required for enabling passive mode for FTP connections.
To add a custom rule:
- Go to Modules > Firewall, and click Edit Firewall Configuration.
- Click Add Custom Rule.
- Enter the name of the new rule in the Name of the rule field.
- Select one of the following communication directions: Incoming for the communications inbound to the server, Outgoing for communications outbound from this server, or Forwarding for communications transiting through your server in any direction.
For incoming communications you can specify the destination ports on your server, the protocol used for this communication, and the IP address the communications come from.
For outgoing communications you can specify the destination ports, destination IP address, and the protocol used for the communication.
For transit communications going through the server, you can specify the destination ports and source / destination IP addresses.
- To specify the port number, type it into the Add port input box, and click Add. To remove a port number from an existing rule, select it from the list and click Remove. If the list of ports is empty, this rule will be applied to all TCP and UDP ports.
- To specify the IP address or network address, type it into the Add IP address or network input box, and click Add. To remove an IP address or network from the list, select it in the list and click Remove. If the list of IP addresses is empty, this rule will be valid for all IP addresses.
- Specify the action that will be applied to the communications that match the defined criteria: allow or deny.
- Click OK to submit the rule.
- After you have defined the required rules, click Activate to apply them to your system. A confirmation screen will open, in which you can preview the shell script generated to apply your rules (this might be of interest only to advanced users). Click Activate to apply the new configuration.
When the new configuration is being applied, the module will check for connection with the control panel. If there are some connection problems, the Firewall module will automatically revert to the previous active configuration in 60 seconds. Thus, if you misconfigure your firewall in such a way that access to your control panel is prohibited even for you, this wrong configuration will be automatically discarded and you will be able to access your server in any case.
Note: Unless your configuration is activated, you have a chance to discard all the rules you configured. To do this, click the Revert to Active Configuration button.
Under FreeBSD, all currently established TCP connections will drop when the new configuration is activated!
To edit a custom rule:
- Go to Modules > Firewall, and click Edit Firewall Configuration.
- Click the rule name in the list of existing rules. Make necessary changes (the options are the same as when creating a new rule).
To remove a custom rule:
- Go to Modules > Firewall, and click Edit Firewall Configuration.
- Select the check box corresponding to the rule you want to remove and click Remove Selected.
To change the order in which your custom rules are applied:
- Go to Modules > Firewall, and click Edit Firewall Configuration.
- Click the icons
Up or
Down in the Order column. This will move the rule relatively to other rules covering the same direction (incoming communications, outgoing communications, or data forwarding).
To enable passive mode for FTP connections on your server:
- Log in as "root" to the server shell over SSH.
- Edit your ProFTPD configuration file.
- Issue the command
vi /etc/proftpd.conf
- Add the following lines anywhere within the <Global> section:
PassivePorts 49152 65534
- Save the file
- Log in to Plesk as "admin", go to Modules > Firewall, and click Edit Firewall Configuration.
- Click Add Custom Rule.
- Specify the following:
- Rule name
- Direction: select Incoming.
- Action: select Allow.
- Ports: in the Add port input box, enter the value
49152-65534.
Leave the TCP option selected, and click Add.
- Click OK.
- Click Activate, and then click Activate again.