
Issue Can't confirm firewall rules from CLI

Same here. No matter whether I use the "SSH_CLIENT=..." in the same ssh session or really open a new ssh session to the server and try to confirm from there.
 
I suppose the problem is in the nginx check in the /usr/local/psa/admin/sbin/modules/firewall/rules script. Try restarting nginx before the firewall apply and confirm. The chance of a correct confirmation is much higher, but not 100%. Maybe very long timeouts, counted in minutes, would work around this issue.
 
Doing a lot of digging into this with support.

Code:
SSH_CLIENT="127.0.0.1 65533 22" plesk bin modules/firewall/settings --confirm
kind of worked, but it's a hack to fool the shell environment, it's not consistent and shouldn't be used.

I have tried restarting nginx, but I still cannot --confirm from a remote server.

Firewall version is 2.1.2-401.

I get the Activation token is absent error when I
Code:
ssh <IP> "plesk ext firewall --confirm"
or
Code:
ssh <IP> "/usr/local/psa/admin/bin/modules/firewall/rules --confirm"

I've also tried by logging into the server from a remote server to --confirm and it fails with the same error.

I'm also questioning if we are managing the firewall as the root user then why do we have to do --confirm.

Yes, I agree that it should be in place for the GUI, but if you are using CLI then you should be aware that it is possible to lock yourself out using firewall commands as it is possible to irrevocably damage your server.

D.
 
Here is a solution that we had with a client. The problem was that the firewall could not be activated with a VZ container with Ubuntu 22.04. In the VZ configuration in the VA, the netfilter mode had to be set to full so that the firewall could be started.

Otherwise the following happens: the firewall is activated via the web interface, but then the confirmation does not come because port 443 (and other TCP ports) are blocked because the state is not delivered via VZ.

I hope this solution is of some use to someone and saves someone time.
 
That's obviously something I can't configure. I only have access to the server itself and some unuseful settings on the Strato server settings page.
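
For the VZ netfilter-mode problem described in the posts above, a quick check from inside the container for whether stateful matching is available at all. This is an added example, not part of the thread and not Plesk's own code; it assumes the kernel lists the registered iptables matches in /proc/net/ip_tables_matches, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Plesk code).
# Assumption: registered iptables matches are listed one per line in
# /proc/net/ip_tables_matches (readable as root once ip_tables is loaded).

# has_stateful_match [FILE]
#   exit 0: a "state" or "conntrack" match is listed
#   exit 1: the list is readable but contains neither
#   exit 2: the list cannot be read, so nothing can be concluded
has_stateful_match() {
    matches_file=${1:-/proc/net/ip_tables_matches}
    [ -r "$matches_file" ] || return 2
    if grep -qxE 'state|conntrack' "$matches_file"; then
        return 0
    fi
    return 1
}

# describe_netfilter [FILE]
#   prints a one-line verdict for the operator; always returns 0 so it is
#   safe to call from scripts running under "set -e"
describe_netfilter() {
    rc=0
    has_stateful_match "$1" || rc=$?
    case $rc in
        0) echo "stateful matching available" ;;
        1) echo "no state/conntrack match listed: stateful rules are not usable here" ;;
        *) echo "unknown: cannot read match list" ;;
    esac
}

# Run the check against the live system when executed directly, e.g.
#   sh check-netfilter.sh
case ${0##*/} in
    check-netfilter.sh) describe_netfilter ;;
esac
```

If the second verdict is printed on a container, the netfilter mode has to be changed on the virtualization host; nothing inside the guest can add the missing match.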
 