Question Block country without extension "firewall"?

Azurel

Silver Pleskian
Server operating system version
AlmaLinux 8.10
Plesk version and microupdate number
18.0.74#2
I found these two articles:
Both are quite confusing to me because I am using AlmaLinux 8 with the default firewalld.

The documentation for the Firewall extension states:
Caution: Both the Plesk firewall and firewalld are tools for managing the iptables firewall. Using both tools simultaneously can result in conflicts and in ports required for Plesk to operate being closed. We recommend only using one tool at a time.

But it never explains what the recommended approach is when firewalld is already in use by the OS. This part seems completely unclear.

I also wonder what happens with Fail2Ban (ModSecurity) and any existing bans if the Plesk Firewall extension is enabled. Will they still work correctly?

Why can the Plesk Firewall extension not work alongside firewalld, or why is there no alternative Plesk extension that supports firewalld directly?

So my main question is:
Is there a Plesk-supported way to block countries without enabling the Plesk Firewall extension, especially when firewalld is the default firewall on AlmaLinux?

Thanks in advance!
 
They work perfectly together. IMO that is best case, using both Fail2Ban and the Plesk FW. Do all your country blocking in the FW by two-letter country code. Is there a reason to use firewalld over the Plesk FW? Maybe I'm missing something I could improve on.

Note, this is just my opinion, and I do not provide Plesk support.
 
But it never explains what the recommended approach is when firewalld is already in use by the OS. This part seems completely unclear.
It's recommended to uninstall firewalld and use the Plesk Firewall instead.

Why can the Plesk Firewall extension not work alongside firewalld, or why is there no alternative Plesk extension that supports firewalld directly?
Both the Plesk Firewall and firewalld are interfaces for iptables/nftables, which is the default IP packet filter of the Linux kernel. However, firewalld has much more advanced options and can block/filter traffic at different levels. The main advantage of the Plesk firewall is that it can be used from within the Plesk GUI, making it easy to use. Whereas firewalld is purely command line based, which can be a challenge for users that are not so familiar with command line operations.

Using both Plesk Firewall and firewalld can cause a lot of confusion for users as they are not compatible. Any firewall rule added to firewalld, for example, won't be visible on the Plesk Firewall, making it very hard to track which firewall rules actually exist and are active when running both firewall applications.

I also wonder what happens with Fail2Ban (ModSecurity) and any existing bans if the Plesk Firewall extension is enabled. Will they still work correctly?
Both ModSecurity and Fail2ban are fully supported options by Plesk. They work perfectly alongside of the Plesk Firewall.

ModSecurity is a Web Application Firewall (WAF) which operates at the web application level (either on Apache or nginx). It does not conflict with any system firewall. Fail2ban is an application which also blocks IPs using iptables/nftables. Unlike firewalld, fail2ban is compatible with the Plesk Firewall (but both work separately).

Is there a Plesk-supported way to block countries without enabling the Plesk Firewall extension, especially when firewalld is the default firewall on AlmaLinux?
No, there aren't any other methods for geo blocking officially supported by Plesk other than the Plesk Firewall. However, if you prefer to use firewalld, there are some geo blocking options for firewalld available. Like this one for example.
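
For readers who stay on firewalld, here is an added sketch of ipset-based country blocking; it is not part of the thread and is not Plesk's or the linked tool's code. It assumes firewalld is the only firewall manager on the host (the Plesk Firewall extension is not enabled); the ipset name, file paths and CIDR values are constructed placeholders, and the script only prints the `firewall-cmd` calls instead of running them.

```shell
#!/usr/bin/env bash
# Added example: dry-run planner for firewalld geo blocking via an ipset.

# Print the valid, de-duplicated IPv4 CIDRs from a list file ($1).
# Rejects comments, malformed lines, octets > 255 and prefixes shorter
# than /8 (an assumed safety floor), so a stray 0.0.0.0/0 in a downloaded
# country list cannot end up dropping all traffic.
valid_cidrs() {
    awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
        $5 >= 8 && $5 <= 32 && !seen[$0]++
    ' "$1"
}

# Usage: geoblock_plan IPSET_NAME LIST_FILE CLEAN_FILE
# Writes the cleaned list to CLEAN_FILE and prints the firewall-cmd calls
# that would load it into the ipset and bind it to the built-in "drop" zone.
geoblock_plan() {
    set_name="$1"; list="$2"; clean="$3"
    valid_cidrs "$list" > "$clean"
    if [ ! -s "$clean" ]; then
        echo "no valid CIDRs in $list, refusing to plan" >&2
        return 1
    fi
    echo "firewall-cmd --permanent --new-ipset=$set_name --type=hash:net"
    echo "firewall-cmd --permanent --ipset=$set_name --add-entries-from-file=$clean"
    echo "firewall-cmd --permanent --zone=drop --add-source=ipset:$set_name"
    echo "firewall-cmd --reload"
}

# Constructed sample list (documentation ranges, not a real country allocation).
demo_list="$(mktemp)"
cat > "$demo_list" <<'EOF'
# constructed sample
192.0.2.0/24
198.51.100.0/24
0.0.0.0/0
300.1.1.0/24
192.0.2.0/24
EOF
geoblock_plan geoblock_demo "$demo_list" "$demo_list.clean"
```

Review the printed commands and the cleaned list before running them as root, and confirm your own management address is not inside any listed range.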