• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue Can't confirm firewall rules from CLI

M

MariuszB

Basic Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian 18.0.52 #2
I can't confirm firewall rules from cli after last update. From Plesk interface is ok.

/usr/local/psa/bin/modules/firewall/settings -a
The firewall rules were activated. To save your changes, run the --confirm command within 120 second(s).

/usr/local/psa/bin/modules/firewall/settings -c
Too late to confirm: no rules activation process
Unable to confirm the firewall rules.

exit status 1
Click to expand...

As you see I tried rise timeout but this is not change anything. I tried wait 1 second or 60 seconds without success. After apply command nothing in iptables rules was added so nothing was to confirm.
 
Might be related to;

Resolved - Firewall disabled

Hi all, I'm having problems enabling Plesk Firewall. It had been working perfectly the last two years, but now it's disabled and can't find a way to enable it again. I'm not sure where this issue come from, but: a few days ago I removed a custom rule (for varnish) -> Firewall told me it had to...
talk.plesk.com talk.plesk.com

Have you installed the updated firewall extension from earlier in the month to see if that addresses your issue?
 
As you can see in my first post I already set higher timeout. I would like to note problem exists only in cli.
 
MariuszB said:
As you can see in my first post I already set higher timeout. I would like to note problem exists only in cli.
Click to expand...
Sorry about that, I must admit I missed that part in your first post.

MariuszB said:
/usr/local/psa/bin/modules/firewall/settings -a
The firewall rules were activated. To save your changes, run the --confirm command within 120 second(s).

/usr/local/psa/bin/modules/firewall/settings -c
Too late to confirm: no rules activation process
Unable to confirm the firewall rules.

exit status 1
Click to expand...
Just to be sure did you run the /usr/local/psa/bin/modules/firewall/settings --confirm command to confirm the rule changes?
 
I wonder why I have message like this:

Too late to confirm: no rules activation process
Unable to confirm the firewall rules.
Click to expand...

when in process list is:

/usr/bin/python3 -Estt -IS /usr/local/psa/admin/sbin/modules//firewall/rules --activate --rules-file /usr/local/psa/tmp/ext-firewall-rules-FpT47O
Click to expand...

This process works to timeout from panel.ini. Is it process for firewall activation?
 
Have you tried to set long timeout values in panel.ini? For example
Code: 
[ext-firewall]
confirmTimeout = 120
confirmTimeoutCli = 120
 
Yes, timeout do not change anything. I can wait 1 second or 90 second with the same effect.

Maybe problem is in another iptables app like fail2ban? What happens when fail2ban add something to firewall before confirmation?
 
MariuszB said:
Maybe problem is in another iptables app like fail2ban? What happens when fail2ban add something to firewall before confirmation?
Click to expand...
That might be a quite good point. I observed the issue on my server that fail2ban got decativated / became unresponsive after changing firewall settings. Bot the fail2ban log had no critical entries. After cleaning the entries in fail2ban everything was fine again. So between both apps seem to be a non-documented dependency.
 
Fail2Ban uses iptables, it is not a replacement for it. Anyway, it would be good if you could test the theory in your case, e.g. disable Fail2Ban, then apply a change to the firewall manually and see if it then works with shorter timeouts.
 
It's looks like fail2ban doesn't matter. Is any other log except panel.log where I can see what is doing firewall?
 
When I try start manually command: /usr/local/psa/admin/sbin/modules//firewall/rules --activate --rules-file /usr/local/psa/tmp/ext-firewall-rules-KhZNmg

I have error message: Activation token is absent .

This message appears much time before timeout.
 
Seem you have quite some bad luck with the Firewall. I suggest contacting Plesk support so they can investigate the issue on your server directly.
 
I don't think so is only my bad luck. I have 9 servers with Plesk on CentOS 7, Alma 8 and 9 and all of them with new firewall have this issue.

Sometimes firewall reload correctly but I don't know when. I can't reproduce problem with 100% sure.
 
Sorry, that was bad phrasing from my part. With 'bad luck' I meant to acknowledge that you seem to encounter quite some issues with the Firewall. That hasn't got anything to do with 'luck' off course. Obviously something is causing those issues, which could be a multitude of things. Hence my suggestion to contact support for investigation.
 
You need to run /usr/local/psa/bin/modules/firewall/settings -c is a separate SSH session

you can do this from one session using:
Code: 
/usr/local/psa/bin/modules/firewall/settings --apply
SSH_CLIENT="127.0.0.1 65533 22" plesk bin modules/firewall/settings --confirm
 
You must log in or register to reply here.

Similar threads

Pascal_Netenvie
Issue Cloudflare and Firewall rules
Replies
3
Views
887
Pascal_Netenvie
Pascal_Netenvie
P
Issue plesk firewall 2.1.5-412 still has problems
2
Replies
20
Views
2K
PeterKi
P
A
Question Some security questions
Replies
2
Views
154
amba1980
A
K
Resolved Firewall disabled
2 3
Replies
40
Views
7K
sjhshheuhje
S
xx1Andy1xxx
Issue Plesk Firewall doesn't work !!
Replies
12
Views
2K
Peter Debik
P
Back
Top