Plesk for Linux and firewalld Compatibility

firewalld is a firewall management tool for Linux operating systems. This section explains how you can use it to open the ports necessary for Plesk to operate.

For Plesk and its services to work properly, a number of ports must be open on the server. On some operating systems, these ports can be closed by default. When you install Plesk, if firewalld is installed on the server, Plesk automatically opens the ports required for Plesk to operate. This mechanism works even if firewalld is turned off during the Plesk installation.

firewalld is supported on the following operating systems:

  • CentOS 7, RHEL 7, CloudLinux 7
  • Ubuntu 16.04 and higher.

On CentOS and RHEL versions 7 and later, firewalld is installed and runs by default. On Ubuntu 16.04 and later, you need to turn on firewalld manually after installing Plesk.

Known Issues and Limitations
  • Plesk can only configure firewalld version 0.4 or later.
  • Plesk can only configure firewalld during Plesk installation. When you upgrade Plesk, the firewalld configuration does not change.

You can see the list of ports and associated protocols Plesk opens via firewalld in the table below:

Service name Ports used by service

Administrative interface of Plesk over HTTPS

TCP 8443

Administrative interface of Plesk over HTTP

TCP 8880

Web server

TCP 80, TCP 443

FTP server

TCP 21

SSH (secure shell) server

TCP 22

SMTP (mail sending) server 

TCP 25, TCP 465, TCP 587

POP3 (mail retrieval) server

TCP 110, TCP 995

IMAP (mail retrieval) server 

TCP 143, TCP 993

Domain name server

UDP 53, TCP 53

Plesk upgrades and updates

TCP 8447

Plesk applies the configuration above to the firewalld zone called “plesk” and sets that zone as the default one. Runtime firewalld rules added before installing Plesk are lost. Permanent rules are not affected. You can roll them back at anytime.

Rolling Back the Initial firewalld Configuration

If you configured permanent firewalld rules before installing Plesk by adding them to a firewalld zone, you can roll them back. To do so, set the firewalld zone containing those rules as the default one.

To roll back the initial firewalld configuration:

  1. In Plesk CLI, execute the following command:

    firewall-cmd --set-default-zone=zonename, where zonename is the name of the zone containing the rules you want to roll back.

  2. (Optional) You can delete the “plesk” firewalld zone if you do not want to use it anymore:

    firewall-cmd --delete-zone=plesk –permanent

    Note: The command above deletes the “plesk” zone. This cannot be undone. To operate Plesk, you need to configure the required ports manually.

Preventing Plesk from Configuring firewalld

During Plesk installation, you can have Plesk not configure firewalld. This will preserve the currently configured firewalld runtime rules. However, in this case, you must manually open the ports required for Plesk to operate in firewalld.

Alternatively, you can turn firewalld off and use the Plesk Firewall extension instead. The extension is preconfigured to open all ports required for Plesk to operate.

To learn how to prevent Plesk from configuring firewalld, refer to the Plesk for Linux installation guide:

Compatibility with the Plesk Firewall extension

Both firewalld and the Plesk Firewall extension are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.

Compatibility with Fail2Ban and Docker

When Plesk configures firewalld, the firewall rules should not affect the operation of Fail2Ban and Docker. If issues arise we recommend restarting the Fail2ban and Docker services. If that does not help, contact Plesk Support.