
Issue Failed to apply the firewall configuration - [ext-firewall] set to 40 seconds

brother4

Basic Pleskian
Server operating system version
Ubuntu 22.04 x86_64
Plesk version and microupdate number
18.0.53.2
I've only one custom firewall rule I want to add: port 8080 incoming.

I've already set

[ext-firewall]
confirmTimeout = 40;

in panel.ini. But I get the error every time:

I did not receive connectivity confirmation after applying new firewall configuration, then same happened after I reverted to previous configuration. This means that both new and previous configurations were bad. Emergency rollback to configuration without rules was performed. Firewall is now disabled. Fix your rules and try again.

Any ideas?
 
Does the same happen without the custom firewall rule? Did you fill in all fields required for that custom firewall rule?
 

Without the rule it also takes some time but works. But it should be possible to add your own rules.
There is no other rule with port 8080.
 
I setup an Ubuntu 22 test server and created the same rule. It was stored and applied without any issues. Do you have any other custom rules or modifications in existing rules?
 
No, that's the only rule I wanted to add individually. I have already tried twice to first uninstall and then reinstall the firewall component and also, to be on the safe side, ran a plesk repair all -y. I recently reinstalled the system with Ubuntu 22. Fresh reinstallation. Then resumed the websites etc. with the Plesk Migrator. Other services apart from Plesk are not running on the server. Mod Security and Fail2Ban are also enabled on my system (via Plesk).
 
Sometimes Plesk also shows that the rule was successfully recorded (message above). However, it does not appear in iptables and the status widget at the bottom right shows the quoted error I posted in the first post. When I reload the firewall page, it is active and the rule is shown as active. But the view cannot be trusted as it has not been adopted.
 
That's really bad as I cannot reproduce it. Several users have reported issues with the new Firewall extension, but all could be traced either to wrong, incomplete or duplicate rules or - when the command line version is used - to not using two different sessions to activate and confirm. I have actually been using a fresh Ubuntu 22 installation for testing, too, so I was hoping that it would fail there so that we could find the cause or create a bug report from it.

You can try to give the routine much more time, like not 40 seconds but maybe 120 or 200.

If no other user can help here, I think the only option is that Plesk support staff checks it on your system. Many users have a licence from a reseller so the reseller should provide support, which many resellers don't do unfortunately. In that case please use the 30-day free trial when submitting a support ticket. https://support.plesk.com
 
Hi Peter,

Just wanted to tag along as our system seems to have the exact same issue.
Long NGINX restart times have been tested and are near instant. Firewall used to work for me too, but since the new one came out all I am getting is the error:

---
"I did not receive connectivity confirmation after applying new firewall configuration, then same happened after I reverted to previous configuration. This means that both new and previous configurations were bad. Emergency rollback to configuration without rules was performed. Firewall is now disabled. Fix your rules and try again."
--

As well as 2 popups with "Load failed".

I am running the 2.1.3-407 version and already tried increasing the confirmTimeout in panel.ini.

Hope you can help.
 
There are three major causes that have been observed repeatedly:
1) The installation contains false or incomplete rules.
2) The installation contains myriads of rules (some customers are blocking hundreds of individual IPs).
3) The installation contains repeated, identical rules.
4) CLI is used. On CLI, however, the confirm must be done by a different SSH user session than the apply.

If you find yourself in any of these, you know what to do. In other cases: https://support.plesk.com
I've experimented with the Firewall during the past months on different operating systems, but I've never been able to reproduce the error.
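
A quick way to check causes 2 and 3 from the list above, as an added example that is not part of the original post or of Plesk's own tooling: it reads `iptables-save` output and reports identical rules and unusually long chains. The function names, the embedded sample dump and the length threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for duplicate and excessive rules.
# Reads iptables-save format on stdin and prints one finding per line:
#   DUP <table> <count> <rule>      identical rule appears <count> times
#   BIG <table> <chain> <count>     chain holds more than the threshold
# $1 is the chain-length threshold (hypothetical default, not a Plesk limit).
audit_rules() {
    max="${1:-100}"
    awk -v max="$max" '
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }      # drop counters from "-c" dumps
        /^\*/ { table = substr($0, 2); next }   # "*filter" starts a table
        /^-A / {
            seen[table SUBSEP $0]++             # whole rule text, per table
            chain[table SUBSEP $2]++            # $2 is the chain name
        }
        END {
            for (k in seen) if (seen[k] > 1) {
                split(k, p, SUBSEP); print "DUP", p[1], seen[k], p[2]
            }
            for (k in chain) if (chain[k] > max) {
                split(k, p, SUBSEP); print "BIG", p[1], p[2], chain[k]
            }
        }' | sort
}

# Constructed sample dump (documentation addresses, not from any real server).
sample_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -s 192.0.2.11/32 -j DROP
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample with a low threshold of 5 rules per chain.
sample_dump | audit_rules 5
```

On a server, run it against the live ruleset as root with `iptables-save | audit_rules`; an empty result means no identical rules and no chain above the threshold.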
 
Hi Peter,

Thanks for the quick reply.

1) I have not yet changed rules and am already getting the error
2) see above
3) see above
4) I am using the UI under Tools & Settings -> Firewall

In my efforts to get my firewall back up again I have also followed this KB (https://support.plesk.com/hc/en-us/...rules-using-Plesk-Firewall-in-Plesk-for-Linux) and disabled Firewalld.

Doing that made me wonder if maybe the Firewall Extension is interfering with the Fail2Ban extension in a way?
Would disabling Firewalld interfere with the Fail2ban workings?
 
Plesk is based on iptables and ipsets. Indeed Firewalld should be disabled. Fail2Ban does not primarily interfere with the firewall, but it also uses iptables. I am not sure whether Fail2ban could interfere with the Firewall. For that it would need to excessively apply changes to the iptables list all the time and normally it does not do that.

Could you please open a support ticket for your case? There have been other users who experienced issues with the new Firewall extension, but unfortunately I was never able to reproduce them on any test or production scenario I am using, so I cannot be of further help here. Support staff needs to check it directly on your server.
 
Hi @Peter Debik ,

I am still trying to debug this issue and I have a question:

Could it be that one of the checks the Firewall does before enabling is if the SSH port is reachable and fails if it is not able to reach it?
I am using a custom SSH port on this server, however, I am not able to change the rules of the Firewall (and add this port as a custom port) before the firewall is enabled (which it doesn't do). This might also be the reason that you cannot reproduce the issue on your own server?
Hope you can shed some light.

Kind regards,
Jeroen
 

Hi,
I got the error message "Command '['/usr/local/psa/var/modules/firewall/firewall-new.sh']' timed out after 30 seconds". When I increased the [ext-firewall] confirmTimeout to 100 and confirmTimeoutCli to 120 in /opt/psa/admin/conf/panel.ini it was possible for me to activate new firewall rules. First tries with 60 seconds did not work.
I'm not sure what impact the increase can have, but I'm happy that the new rules are added now, checked with "iptables -L -n".
Kind regards
Juergen
 
I tried it again:

My Panel.ini:

Code:
[ext-firewall]
confirmTimeout = 120
confirmTimeoutCli = 120

Wanted to open TCP port 8080 for everyone.

Error:
"I did not receive connectivity confirmation after applying new firewall configuration, then same happened after I reverted to previous configuration. This means that both new and previous configurations were bad. Emergency rollback to configuration without rules was performed. Firewall is now disabled. Fix your rules and try again."

Now with:
Plesk Obsidian Version 18.0.54 Update #2, last updated: Aug 2, 2023 04:22:24

@Jeroen Bl
I use the default ssh port - same error on my side.

If such things don't work, Plesk is quite dangerous for production systems.
 
@brother4, the issue is known for users who try to use the same SSH session for activation and confirmation of the rules. Do you? Without a more detailed description of the steps to reproduce it is not possible to give more assistance.
 
@Peter Debik, we just use the User Interface in the Plesk Panel. Shouldn't Plesk do it the way Plesk needs it to be done?
I am reading so many posts on this firewall issue. I don't believe we are alone in this.
Would there be a log system where we could find more information for your team to debug the Firewall?
 
We are seeing the messages, too, but unfortunately users do not present them to official Plesk support so that they cannot be investigated on the servers. In the test environments here with all supported operating systems and on several production servers we cannot reproduce the issue. It needs investigation on the users' machines, but if we are not allowed access we cannot check it, nor fix it.
 
@Peter Debik, Can you point me to the right source to have someone take a look. I want to open up my server for this, but will need some assurance on uptime as this is a live production server.
Also submitting a request doesn't seem to work for me as I ordered it through an intermediary (who doesn't do support).
 
My hoster has analyzed the problem with Plesk. It should be fixed with an update. Temporarily it should help to do the following:

Code:
systemctl edit nginx.service

Paste:

Code:
### Editing /etc/systemd/system/nginx.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file


[Service]
ExecStopPost=/bin/sleep 0.5
 