firewalld is a firewall management tool for Linux operating systems. This section explains how you can use it to open the ports necessary for Plesk to operate.

For Plesk and its services to work properly, a number of ports must be open on the server. On some operating systems, these ports can be closed by default. When you install Plesk, if firewalld is installed on the server, Plesk automatically opens the ports required for Plesk to operate. This mechanism works even if firewalld is turned off during the Plesk installation.

firewalld is supported on the following operating systems:

  • CentOS 7, RHEL 7, CloudLinux 7
  • Ubuntu 18.04 and later

On CentOS and RHEL versions 7 and later, firewalld is installed and runs by default. On Ubuntu 16.04 and later, you need to turn on firewalld manually after installing Plesk.

Known Issues and Limitations

  • Plesk can only configure firewalld version 0.4 or later.
  • Plesk can only configure firewalld during Plesk installation. When you upgrade Plesk, the firewalld configuration does not change.

You can see the list of ports and associated protocols Plesk opens via firewalld in the table below:

Service name                                    Ports used by service
Administrative interface of Plesk over HTTPS    TCP 8443
Administrative interface of Plesk over HTTP     TCP 8880
Web server                                      TCP 80, TCP 443
FTP server                                      TCP 21
SSH (secure shell) server                       TCP 22
SMTP (mail sending) server                      TCP 25, TCP 465, TCP 587
POP3 (mail retrieval) server                    TCP 110, TCP 995
IMAP (mail retrieval) server                    TCP 143, TCP 993
Domain name server                              UDP 53, TCP 53
Plesk upgrades and updates                      TCP 8447

Plesk applies the configuration above to the firewalld zone called “plesk” and sets that zone as the default one. Runtime firewalld rules added before installing Plesk are lost. Permanent rules are not affected. You can roll them back at any time.

Rolling Back the Initial firewalld Configuration

If you configured permanent firewalld rules before installing Plesk by adding them to a firewalld zone, you can roll them back. To do so, set the firewalld zone containing those rules as the default one.

To roll back the initial firewalld configuration:

  1. In Plesk CLI, execute the following command:

    firewall-cmd --set-default-zone=zonename
    

    where zonename is the name of the zone containing the rules you want to roll back.

  2. (Optional) You can delete the “plesk” firewalld zone if you do not want to use it anymore:

    firewall-cmd --delete-zone=plesk --permanent
    

    Note: The command above deletes the “plesk” zone. This cannot be undone. To operate Plesk, you need to configure the required ports manually.

Preventing Plesk from Configuring firewalld

During Plesk installation, you can prevent Plesk from configuring firewalld. This preserves the currently configured firewalld runtime rules. However, in this case, you must manually open the ports required for Plesk to operate in firewalld.
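If you open the ports manually (here, or after deleting the “plesk” zone), the following added example, which is not part of Plesk or of the original page, compares a zone's open ports against the table above and prints the firewall-cmd commands for any gaps. The function names and the zone name "public" are assumptions; the check reads only --list-ports output, so a port opened through a firewalld service definition is reported as missing.

```shell
#!/usr/bin/env bash
# Added example (not Plesk tooling): find required Plesk ports missing from a zone.

# Ports from the table on this page, in firewalld's port/protocol notation.
PLESK_PORTS="8443/tcp 8880/tcp 80/tcp 443/tcp 21/tcp 22/tcp 25/tcp 465/tcp 587/tcp
110/tcp 995/tcp 143/tcp 993/tcp 53/udp 53/tcp 8447/tcp"

# is_open PORT/PROTO "LIST": succeed if LIST (text printed by --list-ports)
# covers the port, either exactly or inside a range such as 8000-9000/tcp.
is_open() {
    local want_port="${1%/*}" want_proto="${1#*/}" entry range lo hi
    for entry in $2; do
        [ "${entry#*/}" = "$want_proto" ] || continue
        range="${entry%/*}"
        lo="${range%-*}"
        hi="${range#*-}"
        [ "$want_port" -ge "$lo" ] && [ "$want_port" -le "$hi" ] && return 0
    done
    return 1
}

# missing_ports "LIST": print each required port that LIST does not cover.
missing_ports() {
    local p
    for p in $PLESK_PORTS; do
        is_open "$p" "$1" || echo "$p"
    done
}

# fix_commands ZONE "LIST": print (do not run) the commands that open the gaps.
fix_commands() {
    local zone="$1" p missing
    missing="$(missing_ports "$2")"
    [ -n "$missing" ] || return 0
    for p in $missing; do
        echo "firewall-cmd --permanent --zone=$zone --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample of --list-ports output; on a server pass
# "$(firewall-cmd --zone=public --list-ports)" instead ("public" is assumed).
SAMPLE="22/tcp 80/tcp 443/tcp 8000-9000/tcp 53/udp"
fix_commands public "$SAMPLE"
```

The script only prints commands, so you can review them before running them as root.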

Alternatively, you can turn firewalld off and use the Plesk Firewall extension instead. The extension is preconfigured to open all ports required for Plesk to operate.

To learn how to prevent Plesk from configuring firewalld, refer to the Plesk for Linux installation guide:

Compatibility with the Plesk Firewall extension

Both firewalld and the Plesk Firewall extension are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.

Compatibility with Fail2Ban and Docker

When Plesk configures firewalld, the firewall rules should not affect the operation of Fail2Ban and Docker. If issues arise, we recommend restarting the Fail2Ban and Docker services. If that does not help, contact Plesk Support.