Some of our clients like to use the Plesk firewall module. When a change is made via the Plesk firewall module the ASL firewall is stopped and needs to be restarted (service asl-firewall start). Could ASL somehow detect this and restart the ASL firewall automatically?

Oh wow, so they delete all your firewall rules, dont save the rules that are installed on the system and then reload them? Thats a pretty awful implementation (iptables-save its one command!).

Hmmm... well, to start with I'd report this as a bug to Parallels. They arent saving the rules that are loaded, which is not good (if anything else changes the rules that will get lost too, like all your geoblocking rules for example). Two, they flush ALL the rules to add new ones? WTF? Why are they flushing the rules? If they are adding rules, don't they know about insert and append?

As for detecting it, we'll think about that. For now though, I'd report this as a serious bug in their GUI. They shouldnt be:
1) flushing all the rules, theres no need to do that, you can add, delect, insert and append using iptables natively
2) they should save the rules that are loaded, and reload them
3) this can create a race condition when you have *no* firewall rules because they are flushing and reloading, instead of delete, append, insert.

'Nuff said.

We'll contact Parallels. In the meantime, if ASL could do something about this, that would be appreciated.

We'll do some research, but this may not be as easy to do as you may think. For example, if the rules are flushed and the sysadmin meant to do that for some reason (maintainence, etc.), this may in fact not look any different from the plesk FW manager just flushing all the rules before it adds one (again, this is pretty strange for them to do, its a race condition at the very least).

If Plesk has no hooks for this, then yeah, I understand this might not be easy.

Maybe ASL can check whether the ASL-* chains are active from time to time after 'service asl-firewall start' and if not run 'service asl-firewall start'?

don't know how Plesk does it and if it helps working that "hacky" way...
but what about the way denying the user that plesk is using for triggering the firewall reconfig to do so.
and instead let asl catch the firewall rules from plesk DB and do the firewall job.?!

We actually want the client to be able to modify whitelisted IP addresses for services via the Plesk firewall module. The problem is that ASL's firewall rules get flushed in the process. (I understand that it's Plesk that's not playing nice.)