Managing Custom Rules

This section describes how to add, modify, and remove custom rules, and how to change the order in which the rules are applied. It also covers the steps required to enable passive mode for FTP connections.

To add a custom rule:

  1. Go to Extensions > Firewall > Modify Plesk Firewall Rules.
  2. Click Add Custom Rule.
  3. Enter the name of the new rule in the Name of the rule field.
  4. Select one of the following communication directions: Incoming for the communications inbound to the server, Outgoing for communications outbound from this server, or Forwarding for communications transiting through your server in any direction.

    For incoming communications you can specify the destination ports on your server, the protocol used for this communication, and the IP address the communications come from.

    For outgoing communications you can specify the destination ports, destination IP address, and the protocol used for the communication.

    For transit communications going through the server, you can specify the destination ports and source / destination IP addresses.

  5. To specify the port number or a range of port numbers, type it into the Add port or port range input box, and click Add. To remove a port number from an existing rule, select it from the list and click Remove. If the list of ports is empty, this rule will be applied to all TCP and UDP ports.
  6. To specify the IP address or network address, type it into the Add IP address or network input box, and click Add. To remove an IP address or network from the list, select it in the list and click Remove. If the list of IP addresses is empty, this rule will be valid for all IP addresses.
  7. Specify the action that will be applied to the communications that match the defined criteria: allow or deny.
  8. Click OK to submit the rule.
  9. After you have defined the required rules, click Apply Changes and then click Activate to apply them to your system. A confirmation screen will open, in which you can preview the shell script generated to apply your rules (this might be of interest only to advanced users). Click Activate to apply the new configuration.

While the new configuration is being applied, the Firewall component checks the connection with Plesk. If there are connection problems, the Firewall component automatically reverts to the previous active configuration in 60 seconds. Thus, if you misconfigure your firewall in such a way that access to Plesk is prohibited even for you, the incorrect configuration is automatically discarded and you will still be able to access your server.

Note: Until your configuration is activated, you can discard all changes to the rules you configured. To do this, click the Discard Changes button.

Under FreeBSD, all currently established TCP connections will drop when the new configuration is activated!

To edit a custom rule:

  1. Go to Extensions > Firewall > Modify Plesk Firewall Rules.
  2. Click the rule name in the list of existing rules. Make necessary changes (the options are the same as when creating a new rule) and click OK.

To remove a custom rule:

  1. Go to Extensions > Firewall > Modify Plesk Firewall Rules.
  2. Select the checkbox corresponding to the rule you want to remove and click Delete.

To change the order in which your custom rules are applied:

  1. Go to Extensions > Firewall > Modify Plesk Firewall Rules.
  2. Click the Up or Down icons in the Order column. This moves the rule relative to other rules covering the same direction (incoming communications, outgoing communications, or data forwarding).

To enable passive mode for FTP connections on your server:

  1. Log in as "root" to the server shell over SSH.
  2. Edit your ProFTPD configuration file.
    1. Issue the command vi /etc/proftpd.conf.
    2. Add the following line anywhere within the <Global> section:

      PassivePorts 49152 65534

    3. Save the file.
  3. Log in to Plesk as "admin", go to Extensions > Firewall, and click Modify Plesk Firewall Rules.
  4. Click Add Custom Rule.
  5. Specify the following:
    1. Rule name.
    2. Direction: select Incoming.
    3. Action: select Allow.
    4. Ports: in the Add port input box, enter the value 49152-65534. Leave the TCP option selected, and click Add.
  6. Click OK.
  7. Click Apply Changes, and then click Activate.
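
The passive-mode procedure above only works if the PassivePorts range in the ProFTPD configuration and the port range in the firewall rule agree. The following check is an added example, not part of Plesk or ProFTPD. The function names are hypothetical, the sample configuration is constructed, and the firewall bounds are passed in as entered in the custom rule rather than read from the firewall.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample config is constructed.

# Print "LOW HIGH" from the last active PassivePorts directive in file $1.
# Commented-out lines are skipped because their first field starts with "#".
passive_range() {
    awk 'tolower($1) == "passiveports" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             low = $2; high = $3
         }
         END { if (low != "") print low, high }' "$1"
}

# check_passive_ports CONF FW_LOW FW_HIGH
# FW_LOW/FW_HIGH are the bounds entered in the firewall rule.
# Returns 0 if covered, 1 if no directive found, 2 if partly blocked.
check_passive_ports() {
    conf=$1 fw_low=$2 fw_high=$3
    range=$(passive_range "$conf")
    if [ -z "$range" ]; then
        echo "no PassivePorts directive in $conf" >&2
        return 1
    fi
    low=${range% *}
    high=${range#* }
    if [ "$low" -lt "$fw_low" ] || [ "$high" -gt "$fw_high" ]; then
        echo "PassivePorts $low-$high exceeds firewall range $fw_low-$fw_high" >&2
        return 2
    fi
    echo "PassivePorts $low-$high is covered by firewall range $fw_low-$fw_high"
}

# Write a constructed sample config to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<Global>
  # PassivePorts 30000 30100
  PassivePorts 49152 65534
</Global>
EOF
    echo "$f"
}

sample=$(write_sample_conf)
check_passive_ports "$sample" 49152 65534
rm -f "$sample"
```

On the server, the same check can be run as check_passive_ports /etc/proftpd.conf 49152 65534 after saving the configuration file.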