Plesk

How does the Plesk Firewall CLI tool update and restore configuration?

Question

A new Plesk Firewall configuration has been applied via CLI with the --apply parameter:

# /usr/local/psa/bin/modules/firewall/settings --apply

How is the configuration applied?

Can the old configuration be restored after this step?

Answer

How is the configuration applied?

Setting a new rule (--set-rule) changes the pending configuration in the database. When --apply is executed, the pending configuration is transferred from the database to the /usr/local/psa/var/modules/firewall/firewall-new.sh file and applied to iptables.

If --confirm is received within the next 60 seconds, the content of the /usr/local/psa/var/modules/firewall/firewall-new.sh file is copied to the /usr/local/psa/var/modules/firewall/firewall-active.sh file, and the pending configuration is copied to the active configuration in the database.

If --confirm is not received within 60 seconds after --apply was executed, /usr/local/psa/var/modules/firewall/firewall-active.sh is applied to iptables again, which effectively rolls the running configuration back to its previous state.

Can the old configuration be restored after this step?

If the --apply option was executed by mistake, it is recommended to wait 60 seconds for the configuration to roll back to its previous state.

If a new configuration is applied while the previous apply process is still running, the second configuration cannot be confirmed. Before executing the second --apply, wait until the previous process has finished.

You can check whether the process has finished with the following command (wait until the output is empty):

# ps auxf | grep -i firewall-new.sh | grep -v grep
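The sequence above (wait for a previous apply to finish, run --apply, then --confirm only while the 60-second window is still open) as a shell wrapper. This is an added example, not part of the Plesk article or the Plesk tool itself; it uses only the settings path and the --apply/--confirm flags given in the article, and the reachability check command passed as its first argument is a hypothetical placeholder you supply.

```shell
#!/bin/sh
# Added example: safe apply/confirm wrapper for the Plesk Firewall CLI.
# FW_SETTINGS is the tool path from the article; it can be overridden for testing.
FW_SETTINGS="${FW_SETTINGS:-/usr/local/psa/bin/modules/firewall/settings}"
FW_SCRIPT="firewall-new.sh"

# Read `ps auxf` output on stdin; exit 0 if a previous apply is still running.
# Mirrors the article's check: grep for the script, ignore the grep itself.
fw_apply_in_progress() {
    grep -i "$FW_SCRIPT" | grep -qv grep
}

# Poll up to $1 seconds (default 90) until no apply process is left.
fw_wait_idle() {
    limit="${1:-90}"
    i=0
    while ps auxf 2>/dev/null | fw_apply_in_progress; do
        i=$((i + 1))
        [ "$i" -ge "$limit" ] && return 1
        sleep 1
    done
    return 0
}

# Apply the pending configuration, run a caller-supplied check (hypothetical:
# any command that exits 0 only if required access still works under the new
# rules), and confirm only if the check passes. If it fails, nothing is
# confirmed and the daemon restores firewall-active.sh after 60 seconds.
# Returns: 0 confirmed, 1 check failed, 2 previous apply never finished,
# 3 --apply itself failed.
fw_apply_and_confirm() {
    check_cmd="$1"
    fw_wait_idle 90 || return 2
    "$FW_SETTINGS" --apply || return 3
    if $check_cmd; then
        "$FW_SETTINGS" --confirm
    else
        echo "check failed; not confirming, automatic rollback will follow" >&2
        return 1
    fi
}
```

Run the check from the same session you would lose if the rules were wrong; if the session survives and the check passes, the configuration is confirmed, otherwise the rollback described above takes care of it.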

To roll back the database configuration as well, use the --reset option.

Note that the /usr/local/psa/var/modules/firewall/firewall-new.sh file should not be removed, and any manual change of the internal firewall state should be avoided.

To roll back changes made to the pending configuration of the database by the --set-rule option, use the --reset option. It is used when a rule was set by mistake and the pending configuration of the database needs to be rolled back. Note that it does not roll back the state of the /usr/local/psa/var/modules/firewall/firewall-new.sh file.

All rules that were set (--set-rule) stay in the pending configuration of the database until confirmation (--confirm) or reset (--reset) is executed. If the 60-second confirmation window was missed, it is possible to apply and then confirm the rules again without setting them again.