
Issue: Firewall stopped working after update to Plesk Obsidian v18.0.77 on Debian 11.11

zubasoft
New Pleskian

Server operating system version: Debian 11.11
Plesk version and microupdate number: Plesk Obsidian v18.0.77_build1800260405.05
Hi,

Last week, with Plesk Obsidian v18.0.76, I made a change to my firewall settings and it worked perfectly. On two other Plesk servers with Plesk Obsidian v18.0.76 (one with Ubuntu, the other also with Debian 11.11) I was also able to change my firewall settings. But suddenly, on the Debian server that worked last week, it stopped working with the error:
Connectivity failure occurred with both the new and rollback (previous) firewall configurations, indicating that both configurations are faulty. As an emergency measure, the firewall was disabled and a configuration without firewall rules was applied. To resolve the issue, correct the firewall rules and re-enable the firewall.

The only thing I can see is that the Plesk version has changed, because on the other identical server with Debian 11.11 and Plesk Obsidian v18.0.76 it still works fine.

panel.log
[2026-04-20 21:58:52.053] 2195156:69e6851f91949 ERR [panel] Task failed: id=18741, pid=2195156, type=ext-firewall-tasks\activate, error=pm_Exception: Connectivity failure occurred with both the new and rollback (previous) firewall configurations, indicating that both configurations are faulty. As an emergency measure, the firewall was disabled and a configuration without firewall rules was applied. To resolve the issue, correct the firewall rules and re-enable the firewall.

file: /opt/psa/admin/plib/modules/firewall/library/FwConfigurator.php
line: 580
code: 0
trace: #0 /opt/psa/admin/plib/modules/firewall/library/FwConfigurator.php(388): PleskExt\Firewall\FwConfigurator::callSbin(string 'rules', array, array)
#1 /opt/psa/admin/plib/modules/firewall/library/Tasks/Activate.php(39): PleskExt\Firewall\FwConfigurator->activate(string 'ac90ba0a3e9cfc365332a839854688b3', integer '30')
#2 /opt/psa/admin/plib/Task/Control/Sdk.php(49): PleskExt\Firewall\Tasks\Activate->run()
#3 /opt/psa/admin/plib/Db/Table/Broker/LongTasks.php(178): Plesk\Task\Control\Sdk->run()
#4 /opt/psa/admin/plib/Db/Table/Broker/LongTasks.php(113): Db_Table_Broker_LongTasks->_syncStart(object of type Db_Table_Row_LongTask)
#5 /opt/psa/admin/plib/Task/Async/Executor.php(54): Db_Table_Broker_LongTasks->runTaskWithinExecutor(object of type Db_Table_Row_LongTask)
#6 /opt/psa/admin/plib/scripts/task-async-executor.php(6): Task_Async_Executor->execute()

[2026-04-20 21:58:52.053] 2195156:69e6851f91949 ERR [panel] Connectivity failure occurred with both the new and rollback (previous) firewall configurations, indicating that both configurations are faulty. As an emergency measure, the firewall was disabled and a configuration without firewall rules was applied. To resolve the issue, correct the firewall rules and re-enable the firewall.

[2026-04-20 21:58:52.057] 2195156:69e6851f91949 ERR [panel] Long task executor: id=18741 completed with error: Connectivity failure occurred with both the new and rollback (previous) firewall configurations, indicating that both configurations are faulty. As an emergency measure, the firewall was disabled and a configuration without firewall rules was applied. To resolve the issue, correct the firewall rules and re-enable the firewall.
:
0: /opt/psa/admin/plib/Task/Async/Executor.php:56
Task_Async_Executor->execute()
1: /opt/psa/admin/plib/scripts/task-async-executor.php:6

What I have tried already:
I have already removed the firewall extension and reinstalled it, so I now have all default rules. But it's still the same error message and I cannot activate it anymore.
I also tried to increase the confirmTimeout in panel.ini from 15 to 30. Same error.
I also checked if there is a firewalld service, but it's not there:
systemctl status firewalld
Unit firewalld.service could not be found.

I also checked for Plesk component updates and installed them. Error persists.

I wasn't able to find anything further I can do. Please help.
 
As far as I know (Almalinux user) Plesk does not rely on firewall services like firewalld or iptables.service.

It generates and applies rules directly using iptables/ip6tables commands.

On modern systems like AlmaLinux 8, these commands use the iptables-nft backend, so the actual rules are implemented via nftables.

You can confirm this by running the command below, where the Plesk firewall rules will be visible.

#nft list ruleset
 
Thanks for your reply, but on Ubuntu and Debian, I think the firewall is relying on iptables. That's the generated preview of the script that Plesk generates and fails to apply (I have truncated some of the ip6tables rules to comply with the max post length):

Bash:
#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
    local iptables_bin="$1"
    shift

    local iptables_version
    iptables_version="`"$iptables_bin" --version | awk '{print $2}' | awk -F. '{printf "%d%02d\n", $2, $3}'`"

    # Use the native --wait option since v1.4.20
    if [ "$iptables_version" -gt 420 ]; then
        "$iptables_bin" -w "$@" 2>/dev/null
        return $?
    fi

    # Emulate --wait for older versions
    for i in `seq 10`; do
        "$iptables_bin" "$@" 2>&1 | grep -q xtable || return 0
        sleep 1
    done

    return 1
}

# Start of /usr/sbin/iptables setup

/usr/sbin/iptables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /usr/sbin/iptables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /usr/sbin/iptables -F FORWARD
apply_rule /usr/sbin/iptables -F OUTPUT
apply_rule /usr/sbin/iptables -Z FORWARD
apply_rule /usr/sbin/iptables -Z OUTPUT

apply_rule /usr/sbin/iptables -P INPUT DROP
apply_rule /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/iptables -P OUTPUT DROP
apply_rule /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/iptables -P FORWARD DROP
apply_rule /usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/iptables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /usr/sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /usr/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /usr/sbin/iptables -t mangle -F
apply_rule /usr/sbin/iptables -t mangle -Z
apply_rule /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT

apply_rule /usr/sbin/iptables -t nat -F
apply_rule /usr/sbin/iptables -t nat -Z
apply_rule /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /usr/sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT

# Start of /usr/sbin/ip6tables setup

/usr/sbin/ip6tables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /usr/sbin/ip6tables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /usr/sbin/ip6tables -F FORWARD
apply_rule /usr/sbin/ip6tables -F OUTPUT
apply_rule /usr/sbin/ip6tables -Z FORWARD
apply_rule /usr/sbin/ip6tables -Z OUTPUT

apply_rule /usr/sbin/ip6tables -P INPUT DROP
apply_rule /usr/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/ip6tables -P OUTPUT DROP
apply_rule /usr/sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /usr/sbin/ip6tables -P FORWARD DROP
apply_rule /usr/sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /usr/sbin/ip6tables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /usr/sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP

apply_rule /usr/sbin/ip6tables -A INPUT -i lo  -j ACCEPT
apply_rule /usr/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
apply_rule /usr/sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /usr/sbin/ip6tables -t mangle -F
apply_rule /usr/sbin/ip6tables -t mangle -Z
apply_rule /usr/sbin/ip6tables -t mangle -P PREROUTING ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P OUTPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P INPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P FORWARD ACCEPT
apply_rule /usr/sbin/ip6tables -t mangle -P POSTROUTING ACCEPT

apply_rule /usr/sbin/ip6tables -t nat -F
apply_rule /usr/sbin/ip6tables -t nat -Z
apply_rule /usr/sbin/ip6tables -t nat -P PREROUTING ACCEPT
apply_rule /usr/sbin/ip6tables -t nat -P OUTPUT ACCEPT
apply_rule /usr/sbin/ip6tables -t nat -P POSTROUTING ACCEPT

# Start of /usr/sbin/iptables rules

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 68 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 8443 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 443 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /usr/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

apply_rule /usr/sbin/iptables -A INPUT -j DROP

apply_rule /usr/sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /usr/sbin/iptables -A FORWARD -j DROP

# End of /usr/sbin/iptables rules

#
# End of script
#


The hint to list the existing rules is good. But I cannot see any problems. Only the fail2ban rules are there:
Code:
root:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-recidive  tcp  --  anywhere             anywhere
f2b-plesk-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,submissions,submission
f2b-ssh    tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-plesk-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  195.***.***.**       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain f2b-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
 
Are you using a virtual server?

What happens when you manually run the firewall script?
Code:
sudo bash /usr/local/psa/var/modules/firewall/firewall-active.sh
 
Yes, they are all virtual servers. All by the same provider. So same environment.
I also thought about running the script in the CLI through SSH. But I'm worried that it will completely break the server and I won't be able to access the server anymore, because the faulty firewall config will block me out completely. There is no automatic reset when running on the CLI. Or am I wrong? Is it safe to run it manually?
 
Yes, I had custom rules (only allowing specific IPs to access specific services like SSH or FTP). But the documentation said that removing and reinstalling the Firewall should delete the custom rules. And they are also no longer shown in the overview screen. Also, the generated script does not indicate any specific custom rules anymore, or does it?
 
Please see the output of:

#/usr/local/psa/bin/modules/firewall/settings --list-json

Does it still contain the custom rules?

Also, what is your output of: # iptables --version
 
@zubasoft, that's a fair point. What you could do is to set up a cron job that runs the emergency script below 5 minutes after you manually run the firewall script. The emergency script clears all iptables rules. Should you no longer have access after running the firewall script, this should clear iptables and allow you to have network access to the server again.
Code:
bash /usr/local/psa/var/modules/firewall/firewall-emergency.sh

But equally as important is to see if you have direct (virtual) console access via your provider. So you can still access the server that way in case you get completely blocked on network access.
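One way to put the safety net described above into a single script, as an added example that is not part of this thread or of Plesk's own tooling: it arms a background watchdog that runs the emergency script unless the operator proves reachability within the window, which is the same dead-man's-switch idea as the cron job. The two script paths are the ones quoted in the thread; the function names, the flag file and the 300-second window are assumptions made here.

```shell
#!/bin/sh
# Dead-man's switch around a manual firewall apply (example code, not Plesk's
# own). Order matters: schedule the emergency reset first, then apply the new
# rules, and cancel the reset only once you have proven you can still reach
# the box. Script paths are the ones quoted in the thread; function names, the
# flag file and the 300 s window are assumptions made for this example.

# apply_with_deadman TIMEOUT APPLY_CMD ROLLBACK_CMD FLAG_FILE
#   Arms a background watchdog, then runs APPLY_CMD. If FLAG_FILE does not
#   exist when TIMEOUT seconds have passed, the watchdog runs ROLLBACK_CMD.
#   The watchdog ignores SIGHUP so it survives the SSH session that started it
#   being cut off by the very rules it guards. Its PID is kept in DEADMAN_PID
#   so a caller in the same shell can wait for it.
apply_with_deadman() {
    local timeout="$1" apply_cmd="$2" rollback_cmd="$3" flag="$4"
    rm -f "$flag"
    (
        trap '' HUP
        sleep "$timeout"
        # Nobody confirmed in time: assume we are locked out and reset.
        [ -e "$flag" ] || eval "$rollback_cmd"
    ) >/dev/null 2>&1 &
    DEADMAN_PID=$!
    eval "$apply_cmd"
}

# confirm_firewall FLAG_FILE
#   Run from a NEW session after the rules are live. Creating the flag is the
#   proof of connectivity the watchdog waits for; no PID or job control needed.
confirm_firewall() {
    touch "$1"
}

# Real use on a Plesk host (only when invoked with --plesk):
#   1. arm a 5-minute watchdog that runs firewall-emergency.sh (which clears
#      all iptables rules, as described in the thread),
#   2. apply firewall-active.sh,
#   3. open a fresh SSH session and create the flag file before time runs out.
if [ "${1:-}" = "--plesk" ]; then
    apply_with_deadman 300 \
        "bash /usr/local/psa/var/modules/firewall/firewall-active.sh" \
        "bash /usr/local/psa/var/modules/firewall/firewall-emergency.sh" \
        /run/plesk-fw-confirmed
    echo "Rules applied. Confirm within 5 minutes from a NEW session with:"
    echo "  touch /run/plesk-fw-confirmed"
fi
```

Rehearse it first with harmless commands (for example `touch` of two marker files) and a short timeout, so you see both the rollback and the confirmed path before trusting it with the real scripts.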

@Kaspar Could it be the '/usr/local/psa/var/modules/firewall/firewall.sqlite3' file? I was wondering, since @zubasoft has mentioned custom rules.

Like a corrupted database, you mean? Could be, but in that case I would also expect a database-related error too. @zubasoft also mentioned that he re-installed the firewall extension, so that would have deleted the original database. I am thinking that there might be a resource issue on the virtual node, causing issues/limitations on kernel-related actions (network filtering is a kernel feature).

But to test this hypothesis it would be good to know if running the firewall script manually causes issues too.
 
Sure
Code:
[
    {
        "type": "service",
        "class": "dhcp",
        "direction": "input",
        "ports": "ip4:68\/udp,ip6:546\/udp",
        "action": "allow",
        "originalId": 23,
        "id": 24
    },
    {
        "type": "service",
        "class": "ftp_passive",
        "direction": "input",
        "ports": "49152-65535\/tcp",
        "action": "allow",
        "originalId": 22,
        "id": 25
    },
    {
        "type": "service",
        "class": "autoinstaller",
        "direction": "input",
        "ports": "8447\/tcp",
        "action": "allow",
        "originalId": 21,
        "id": 26
    },
    {
        "type": "service",
        "class": "plesk_http3",
        "direction": "input",
        "ports": "8443\/udp",
        "action": "allow",
        "originalId": 20,
        "id": 27
    },
    {
        "type": "service",
        "class": "www_http3",
        "direction": "input",
        "ports": "443\/udp",
        "action": "allow",
        "originalId": 19,
        "id": 28
    },
    {
        "type": "service",
        "class": "plesk",
        "direction": "input",
        "ports": "8443\/tcp,8880\/tcp",
        "action": "allow",
        "originalId": 18,
        "id": 29
    },
    {
        "type": "service",
        "class": "www",
        "direction": "input",
        "ports": "80\/tcp,443\/tcp",
        "action": "allow",
        "originalId": 17,
        "id": 30
    },
    {
        "type": "service",
        "class": "ftp",
        "direction": "input",
        "ports": "21\/tcp",
        "action": "allow",
        "originalId": 16,
        "id": 31
    },
    {
        "type": "service",
        "class": "ssh",
        "direction": "input",
        "ports": "22\/tcp",
        "action": "allow",
        "originalId": 15,
        "id": 32
    },
    {
        "type": "service",
        "class": "smtp_submission",
        "direction": "input",
        "ports": "587\/tcp",
        "action": "allow",
        "originalId": 14,
        "id": 33
    },
    {
        "type": "service",
        "class": "smtp",
        "direction": "input",
        "ports": "25\/tcp,465\/tcp",
        "action": "allow",
        "originalId": 13,
        "id": 34
    },
    {
        "type": "service",
        "class": "pop3",
        "direction": "input",
        "ports": "110\/tcp,995\/tcp",
        "action": "allow",
        "originalId": 12,
        "id": 35
    },
    {
        "type": "service",
        "class": "imap",
        "direction": "input",
        "ports": "143\/tcp,993\/tcp",
        "action": "allow",
        "originalId": 11,
        "id": 36
    },
    {
        "type": "service",
        "class": "poppassd",
        "direction": "input",
        "ports": "106\/tcp",
        "action": "allow",
        "originalId": 10,
        "id": 37
    },
    {
        "type": "service",
        "class": "mysql",
        "direction": "input",
        "ports": "3306\/tcp",
        "action": "allow",
        "originalId": 9,
        "id": 38
    },
    {
        "type": "service",
        "class": "postgresql",
        "direction": "input",
        "ports": "5432\/tcp",
        "action": "allow",
        "originalId": 8,
        "id": 39
    },
    {
        "type": "service",
        "class": "samba",
        "direction": "input",
        "ports": "137\/udp,138\/udp,139\/tcp,445\/tcp",
        "action": "allow",
        "originalId": 7,
        "id": 40
    },
    {
        "type": "service",
        "class": "dns",
        "direction": "input",
        "ports": "53\/udp,53\/tcp",
        "action": "allow",
        "originalId": 6,
        "id": 41
    },
    {
        "type": "service",
        "class": "neighbor_disc",
        "direction": "input",
        "ports": "130\/0\/icmpv6,134\/0\/icmpv6,135\/0\/icmpv6,136\/0\/icmpv6,137\/0\/icmpv6",
        "action": "allow",
        "originalId": 5,
        "id": 42
    },
    {
        "type": "service",
        "class": "ping",
        "direction": "input",
        "ports": "8\/0\/icmp,128\/0\/icmpv6,129\/0\/icmpv6",
        "action": "allow",
        "originalId": 4,
        "id": 43
    },
    {
        "type": "catchall",
        "class": "catchall",
        "direction": "input",
        "action": "deny",
        "originalId": 2,
        "id": 44
    },
    {
        "type": "catchall",
        "class": "catchall",
        "direction": "output",
        "action": "allow",
        "originalId": 3,
        "id": 45
    },
    {
        "type": "catchall",
        "class": "catchall",
        "direction": "forward",
        "action": "deny",
        "originalId": 1,
        "id": 46
    }
]

iptables v1.8.7 (legacy)
 
But to test this hypothesis it would be good to know if running the firewall script manually causes issues too.
Okay, I'll test it. But first I'll back up everything somewhere else to have a fallback plan if something does not work out (it's a production server). This will need some time. Probably I can do it tomorrow in the evening (UTC time). My provider has a rescue system that I can start for the server. But it only allows file access, no command line. Which file do I have to delete or restore to revert the iptables?
 
I recommend asking your provider what other options they might have or how they can assist in case you can't access your server (because of a firewall issue). Most providers do have a console option or something to let you boot into recovery mode. I am not sure if a rescue system with just file access (without the option to execute any commands) will be of much use. I am also not sure in which directory iptables data gets stored on Debian (AI suggests /etc/iptables/ but I can't confirm that).
 