firewalld is a firewall management tool for Linux operating systems. This section explains how you can use it to open the ports necessary for Plesk to operate.

For Plesk and its services to work properly, a number of ports must be open on the server. On some operating systems, these ports can be closed by default. When you install Plesk, if firewalld is installed on the server, Plesk automatically opens the ports required for Plesk to operate. This mechanism works even if firewalld is turned off during the Plesk installation.

firewalld is supported on the following operating systems:

  • CentOS 7, RHEL 7, CloudLinux 7
  • Ubuntu 16.04 and higher.

On CentOS and RHEL versions 7 and later, firewalld is installed and runs by default. On Ubuntu 16.04 and later, you need to turn on firewalld manually after installing Plesk.

Known Issues and Limitations

  • Plesk can only configure firewalld version 0.4 or later.
  • Plesk can only configure firewalld during Plesk installation. When you upgrade Plesk, the firewalld configuration does not change.

You can see the list of ports and associated protocols Plesk opens via firewalld in the table below:

Service name Ports used by service
Administrative interface of Plesk over HTTPS TCP 8443
Administrative interface of Plesk over HTTP TCP 8880
Web server TCP 80, TCP 443
FTP server TCP 21
SSH (secure shell) server TCP 22
SMTP (mail sending) server TCP 25, TCP 465, TCP 587
POP3 (mail retrieval) server TCP 110, TCP 995
IMAP (mail retrieval) server TCP 143, TCP 993
Domain name server UDP 53, TCP 53
Plesk upgrades and updates TCP 8447

Plesk applies the configuration above to the firewalld zone called “plesk” and sets that zone as the default one. Runtime firewalld rules added before installing Plesk are lost. Permanent rules are not affected. You can roll them back at anytime.

Rolling Back the Initial firewalld Configuration

If you configured permanent firewalld rules before installing Plesk by adding them to a firewalld zone, you can roll them back. To do so, set the firewalld zone containing those rules as the default one.

To roll back the initial firewalld configuration:

  1. In Plesk CLI, execute the following command:

    firewall-cmd --set-default-zone=zonename
    

    where zonename is the name of the zone containing the rules you want to roll back.

  2. (Optional) You can delete the “plesk” firewalld zone if you do not want to use it anymore:

    firewall-cmd --delete-zone=plesk –permanent
    

    Note: The command above deletes the “plesk” zone. This cannot be undone. To operate Plesk, you need to configure the required ports manually.

Preventing Plesk from Configuring firewalld

During Plesk installation, you can have Plesk not configure firewalld. This will preserve the currently configured firewalld runtime rules. However, in this case, you must manually open the ports required for Plesk to operate in firewalld.

Alternatively, you can turn firewalld off and use the Plesk Firewall extension instead. The extension is preconfigured to open all ports required for Plesk to operate.

To learn how to prevent Plesk from configuring firewalld, refer to the Plesk for Linux installation guide:

Compatibility with the Plesk Firewall extension

Both firewalld and the Plesk Firewall extension are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.

Compatibility with Fail2Ban and Docker

When Plesk configures firewalld, the firewall rules should not affect the operation of Fail2Ban and Docker. If issues arise we recommend restarting the Fail2ban and Docker services. If that does not help, contact Plesk Support.