Question
A new Plesk Firewall configuration has been applied via CLI with the --apply parameter:
# /usr/local/psa/bin/modules/firewall/settings --apply
How is the configuration applied?
Can the old configuration be restored after this step?
Answer
How is the configuration applied?
Setting a new rule (--set-rule) changes the pending configuration in the database. After --apply is executed, the pending configuration is transferred from the database to the /usr/local/psa/var/modules/firewall/firewall-new.sh file.
If --confirm is received within the next 60 seconds, the content of the /usr/local/psa/var/modules/firewall/firewall-new.sh file is copied to the /usr/local/psa/var/modules/firewall/firewall-active.sh file, and the pending configuration is copied to the active configuration in the database.
If --confirm is not received within 60 seconds after --apply is executed, /usr/local/psa/var/modules/firewall/firewall-active.sh is applied to iptables (this effectively rolls back the currently running configuration).
Can the old configuration be restored after this step?
If the --apply option was executed by mistake, it is recommended to wait 60 seconds for the configuration to roll back to its previous state.
If a new configuration is applied again while the previous process is still running, the second configuration cannot be confirmed. Before executing the second --apply, wait until the previous process is finished.
You can check if the process is finished with the following command (wait until the output is empty):
# ps auxf | grep -i firewall-new.sh | grep -v grep
To roll back the database configuration as well, use the --reset option.
Note that the /usr/local/psa/var/modules/firewall/firewall-new.sh file should not be removed and any manual change of internal firewall state should be avoided.
To roll back changes made to the pending configuration in the database by the --set-rule option, use the --reset option. The --reset option is used when a rule was set by mistake and the pending configuration in the database needs to be rolled back. Note that it does not roll back the state of the /usr/local/psa/var/modules/firewall/firewall-new.sh file.
All rules that were set (--set-rule) stay in the pending configuration of the database until a confirmation (--confirm) or a reset (--reset) is executed. If the 60-second confirmation window was missed, it is possible to apply and then confirm the rules again without setting them again.
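The apply, verify and confirm sequence described above can be wrapped so that --confirm is only sent after a check passes, and a second --apply is never started while an earlier one is still pending. This is an added example, not Plesk code: the function names, the FW_SETTINGS and WAIT_MAX variables and the caller-supplied check command are hypothetical, and it assumes that --apply returns before the 60-second window ends and exits non-zero on failure.

```shell
#!/bin/sh
# Added example (not Plesk code): guarded --apply / --confirm wrapper.
# FW_SETTINGS defaults to the CLI path shown above; override it for a dry run.
FW_SETTINGS="${FW_SETTINGS:-/usr/local/psa/bin/modules/firewall/settings}"
CONFIRM_WINDOW=60            # seconds allowed between --apply and --confirm
WAIT_MAX="${WAIT_MAX:-90}"   # assumed upper bound when waiting for an earlier apply

# True while an earlier --apply is still inside its confirmation window.
# Same check as the ps | grep command above; the [.] keeps grep from
# matching its own command line, so "grep -v grep" is not needed.
apply_in_progress() {
    ps auxf 2>/dev/null | grep -i 'firewall-new[.]sh' >/dev/null
}

# Wait until no earlier apply is pending; returns 1 after WAIT_MAX seconds.
wait_idle() {
    waited=0
    while apply_in_progress; do
        [ "$waited" -ge "$WAIT_MAX" ] && return 1
        sleep 5; waited=$((waited + 5))
    done
}

# safe_apply CHECK_CMD [ARGS...]
# Returns 0 = confirmed, 1 = not confirmed (automatic rollback), 2 = not applied.
safe_apply() {
    [ "$#" -gt 0 ] || { echo "usage: safe_apply CHECK_CMD [ARGS...]" >&2; return 2; }
    wait_idle || return 2                # never stack a second --apply
    "$FW_SETTINGS" --apply || return 2   # assumes non-zero exit on failure
    start=$(date +%s)
    # Confirm only if the caller's check passes and the window is still open.
    if "$@" && [ $(( $(date +%s) - start )) -lt "$CONFIRM_WINDOW" ]; then
        "$FW_SETTINGS" --confirm && return 0
    fi
    echo "not confirmed; waiting for rollback to the active configuration" >&2
    wait_idle || true
    return 1
}

# Usage (check_reachable.sh is a hypothetical script that tests the ports
# you must keep open, ideally from another host):
#   safe_apply ./check_reachable.sh || echo "new rules were not confirmed"
```

After a return value of 1 the rules are still in the pending configuration, so they can be corrected with --set-rule or discarded with --reset before the next attempt.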