allow for custom firewall rules
Currently you can do it by IP/port, but I would like to be able to add firewall rules for things like string matching. A GUI would be ideal too.
Renan Ferreira commented
Be able to block a network port for all IP addresses except one specific IP address using Plesk Firewall. Currently, the only possible way to block all connections to a certain port is by creating a rule directly on Windows Firewall, and adding the remote IP address ranges from which connections should be blocked.
Dre v.S. commented
Give an option to change the Plesk firewall config file.
Currently the only way to add or remove rules is through the interface.
This is simple and easy but limited.
I would like for most to be able to add *NAT rules, postrouting.
This would be an important feature for us, as we have two network interfaces: one interface for internal communication (database server etc.) and one for external access. It should definitely be possible to define per-interface rules or, even better, to define custom rules.
Dr Gerard Bulger commented
The Plesk firewall utility for the web version I am using does not allow users to set up the firewall for different interfaces, e.g. eth0:0 and eth0:1, when you have two IP addresses. One of the points of having two IP addresses is to allow you to open ports on one interface/IP, while keeping them or most closed on the other. Currently the firewall setup is for ALL IPs/interfaces. So I have had to turn it off and set it up manually. Tiresome.
Tim Reeves commented
I want to add a rule to stop SlowLoris attacks - in Webmin it's easy:
Rule comment = Protect against SlowLoris attacks
Action to take = Drop
Network protocol = TCP
Destination TCP or UDP port : Equals : 80
Additional parameters = -m connlimit --connlimit-above 20 --connlimit-mask 40
The only thing I'm missing in Plesk is the ability to append the additional parameters - so I would be very glad to see a field added to allow that. Sure, you would have to warn "Experts only", but without this possibility I have to either live without SlowLoris protection, or without Plesk Firewall.
Currently there is a simple iptables firewall module. Maybe enough in most cases, but I think it's time to switch to a more flexible fw solution with the possibility to define custom rules/ufw applications. PREROUTING/POSTROUTING should also be configurable via GUI to be able to define port forwardings.
String matching is no longer a layer 2 firewall as iptables is, but requires a level 7 firewall which is something completely different.
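The rules requested in this thread (a connlimit drop rule, a port open to a single address, a per-interface rule), written out in iptables-restore format as an added example; it is not Plesk's or any commenter's code. The port numbers, eth1 and 192.0.2.10 are constructed sample values, and the IPv4 rule uses a connlimit mask of 32 because iptables accepts prefix lengths of 0-32 for IPv4 and 0-128 for IPv6.

```shell
#!/bin/sh
# Added example. Ports, addresses and interface names are constructed values.

# connlimit_rule FAMILY PORT MAX MASK
# Drop TCP connections to PORT once a source network (MASK bits wide)
# already holds more than MAX connections.
connlimit_rule() {
    family=$1; port=$2; max=$3; mask=$4
    case $family in
        4) widest=32 ;;
        6) widest=128 ;;
        *) echo "family must be 4 or 6" >&2; return 2 ;;
    esac
    # The prefix length cannot exceed the address width of the family.
    if [ "$mask" -lt 0 ] || [ "$mask" -gt "$widest" ]; then
        echo "connlimit-mask $mask is outside 0-$widest for IPv$family" >&2
        return 1
    fi
    printf '%s\n' "-A INPUT -p tcp --dport $port -m connlimit --connlimit-above $max --connlimit-mask $mask -j DROP"
}

# allow_only_rule IFACE PORT SOURCE
# On IFACE, accept PORT from SOURCE and drop it for every other address.
allow_only_rule() {
    iface=$1; port=$2; src=$3
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -s $src -j ACCEPT"
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -j DROP"
}

# ruleset: a complete IPv4 filter table in iptables-restore format.
ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    connlimit_rule 4 80 20 32 || return 1
    allow_only_rule eth1 3306 192.0.2.10
    echo 'COMMIT'
}

ruleset   # print the table; nothing is applied to the running firewall
```

Piping the output to `iptables-restore --test` checks that it parses without committing it; a real load replaces the existing filter table unless `--noflush` is given.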