Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Configuring the plesk WAF
Posted: Tue Jul 10, 2012 4:31 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Sooooo.... how exactly does one enable the Plesk WAF?

I've enabled the very last option in the configuration screen in the ASL GUI, then I ran:

/var/asl/bin/plesk-waf-setup and followed the prompts.

This adds an allow for port 8445 in iptables and I see tortixd listening in port 8445.

However, I see nothing in the firewall to redirect traffic from 8443 to 8445.

service asl-firewall restart doesn't add anything.

What have I missed out?

This is CentOS 6.2 with APF as the main firewall creator/editor.

EDIT: I thought it was working despite there being no visible means of redirect as there was no traffic noted on port 8443 but there was on 8445 according to iptables. However, it seems the 8445 traffic was 100% from a test I did by connecting to that port directly. I'm getting no traffic reported on 8443 at all, and 8445 does not increase when I login via 8443.

I know that under virtuozzo 8443 gets redirected when offline management is enabled for Plesk. However, offline management needs to be disabled for Plesk 10 and is definitely disabled here.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Last edited by faris on Tue Jul 10, 2012 4:54 pm, edited 1 time in total.

Post subject: Re: Configuring the plesk WAF
Posted: Tue Jul 10, 2012 4:43 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Also how do you DISABLE the Plesk WAF? Just by disabling the option in /etc/asl/config?

If I'm going to enable this on a production system I'd really like to know how to disable it if something goes wrong :-)

Post subject: Re: Configuring the plesk WAF
Posted: Wed Jul 11, 2012 12:43 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Right. So plesk-waf-setup is deprecated. Um....

I can see how to easily enable T-WAF, and get it to protect Plesk using the WAF tab in the GUI.

Unfortunately this by itself doesn't seem to do anything. I'm seeing no redirect of port 8443 in iptables, but I am seeing port 30001 added as an allow in the firewall (??) and sw-cp-serverd listening on port 100001.

I'm also mystified about the PSA_WAF_ENABLE option in the asl config. Yes, I know it says "Enable the Web Application Firewall redirect in the ASL-Firewall. This is a prototype feature and requries the firewall to be manually reloaded at this time" but even after manually reloading the firewall, unless it is the addition of the 30001 allow rule, I don't know what it is supposed to be doing.

asl -s -f doesn't improve things.

Pointers please?

Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 7:51 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3243
Location: Chantilly, VA
Best way to do this is to follow the documentation for the WAF here:

https://www.atomicorp.com/wiki/index.php/ASL_WAF

Second, make sure you are not using any third party firewall management tools, they may conflict with the system setting up the redirect rules.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 9:27 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Thanks Mike.

Unfortunately the wiki doesn't cover the purpose of the PSA_WAF_ENABLE option.

I do use APF as my firewall. This should not get in the way and certainly won't prevent additional rules being added (the ASL block/black/geo/acl rules are added without any problem)

Please can you tell me where exactly is the redirect being added and how it is being added? What does it look like?

Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 6:11 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7418
Location: earth
That is now deprecated since we have the T-WAF. It has a plesk option, however if you are using a 3rd party firewall module it could (probably will) break the forwarding for it. So if you're going to continue using that you should reach out to them on how to create a redirect rule to pass traffic to the WAF daemon. The idea here is that you need to get a redirect rule in ahead of anything else that would mess that up, or for that matter turn forwarding off.


Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 6:15 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3243
Location: Chantilly, VA
As for third party firewall management tools, they are not supported with ASL so you should expect conflicts if you use any. You may be able to get two tools to play well, but ASL expects to be able to control the firewall if you use the T-WAF, and that nothing else is going to change that. If something does, expect issues.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 7:22 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Apf plays nice with everything. It does nothing once loaded (in my configuration). All that's not happening is that I'm not seeing a redirect.

What part of asl adds the redirect? Asl-firewall?
What does the redirect look like?
Is it in the main tables visible through iptables -L?

Post subject: Re: Configuring the plesk WAF
Posted: Thu Jul 12, 2012 7:43 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Or to put it another way, and if I wanted to add the redirect to iptables manually what would I do? I know it will be a pre route and nat or mangle. That's why I am asking what adds it and where. If I am looking in the wrong place it could be already added and working. I have no way to test and only guess that I should see traffic in iptables for 8445 in order to get confirmation it works. But as I followed the deprecated enabling installation instructions I have no idea if it is or isn't configured correctly.

I am also aware it is unsupported - just asking for pointers.

Post subject: Re: Configuring the plesk WAF
Posted: Fri Jul 13, 2012 7:22 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
OK, I found it ... hmmm... not looking good so far. The rule won't load. Investigating.

Post subject: Re: Configuring the plesk WAF
Posted: Fri Jul 13, 2012 7:28 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Code:
# service iptables status
(snip)
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

# iptables -t nat -I PREROUTING -p tcp --dport 8443 ! -s 127.0.0.1 -j REDIRECT --to-port 30001

iptables: No chain/target/match by that name.



I'm stuck at this point. Any pointers please?

Post subject: Re: Configuring the plesk WAF
Posted: Fri Jul 13, 2012 7:49 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Ach. Sigh. Looks like it is just a module loading issue. As this is VZ, things are a tad complicated.

EDIT: or maybe not. I got the damn rule to load finally. Not sure if it is working but it is at least in iptables status

Post subject: Re: Configuring the plesk WAF
Posted: Fri Jul 13, 2012 8:08 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1844
Finally, some progress...

The main issue was that ipt_REDIRECT was not loaded. Loading this then going through the process of adding plesk to the t-waf via the gui allows asl to add the redirect. Port 30001 also gets added as an allow in iptables at this point.

However, there's nothing listening on 30001 so it then all falls over.

asl -s -f / service tortixd restart / service asl-firewall restart don't help.

I'm also reasonably sure that the redirect and 30001 allow do not get added after a reboot.

So, with the exception of getting tortixd to actually listen on port 30001 for the redirected 8443 traffic, we have made huge progress :-)

 
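Added example (not part of any post in this thread, and not ASL's own code): a read-only check for the two failure states the thread runs into, namely no REDIRECT rule for port 8443 in the nat table, and a REDIRECT rule pointing at a port (30001) with no listener. The function names and the sample text are constructed for illustration; the parsers assume the usual output layout of `iptables -t nat -S PREROUTING` and `ss -ltn`.

```shell
#!/bin/bash
# Print the --to-ports value of the first nat PREROUTING REDIRECT rule that
# matches a TCP destination port. $1 = port, $2 = `iptables -t nat -S PREROUTING` text.
redirect_target() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^-A PREROUTING/ && /-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport")    dport = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (dport == port && to != "") { print to; exit }
        }'
}

# Succeed if the `ss -ltn` text in $2 shows a TCP listener on port $1.
has_listener() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# Combine both checks into one verdict string.
# $1 = front-end port, $2 = rule text, $3 = listener text.
check_waf_redirect() {
    local target
    target=$(redirect_target "$1" "$2")
    if [ -z "$target" ]; then echo "no-redirect"; return; fi
    if has_listener "$target" "$3"; then echo "ok:$target"
    else echo "redirect-to-dead-port:$target"; fi
}

# Constructed sample input (not captured from the poster's system): the rule
# is present, but nothing listens on the port it redirects to.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING ! -s 127.0.0.1/32 -p tcp -m tcp --dport 8443 -j REDIRECT --to-ports 30001'
SAMPLE_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:8443             *:*
LISTEN 0      128    :::22              :::*'

check_waf_redirect 8443 "$SAMPLE_RULES" "$SAMPLE_LISTEN"

# On a live host, as root:
#   check_waf_redirect 8443 "$(iptables -t nat -S PREROUTING)" "$(ss -ltn)"
```

Note that the REDIRECT rule lives in the nat table, so it does not appear in a plain `iptables -L`, which lists only the filter table.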