How to manage Plesk Firewall via CLI?




  • Avatar
    Claudio Rifo

    Is there an official documentation page (Of this CLI tool)?

    The default rules (The ones included on install) always have the same IDs?

    Is there any way to see how the default rules are built (port/protocol)?


  • Avatar
    Alexandr Nikolaenko

    Hello Claudio,

    Let me answer your questions one by one.

    1. There is no official documentation of Plesk Firewall Management CLI as it was developed for internal usage. All documented CLI utilities are available at our Documentation Portal;
    2. ID's of Plesk default rules can be changed on activation/disabling Firewall management. "Priority" can be used as anchor if it is required, see point 3.
    3. Firewall rules are stored in "psa.module_firewall_rules" table. Default Plesk rules have values of "priority" in 0-20 range. At "object" the rule is written in service format, but nevertheless is understandable.
  • Avatar
    John Bertin

    When confirming  the changes, I get the following message; 

    "Applying and confirmation of firewall changes should be done via different ssh sessions."

  • Avatar
    Bato Tsydenov

    @John Bertin

    The message is self-explanatory: you should establish another SSH session to the server and confirm changes in the new SSH session.
    I have updated the article accordingly.

  • Avatar

    Denied a port "from any" (apply/confirm) and the port ist still able to open. Any suggestion why this could happen? Like the Firewall Rule would not be active...

  • Avatar
    Alexandr Redikultsev

    Hi @Francis,

    Have you applied the changes via the following commands:

    # /usr/local/psa/bin/modules/firewall/settings -a
    # /usr/local/psa/bin/modules/firewall/settings -c

  • Avatar
    Peter Kielbasiewicz (Edited )

    Great article. That is exactly what I was looking for.
    I find my postfix server being targeted by systems trying to access it with dictionary attacks.
    I have enabled fail2ban and DNSBL service but still some servers get through.

    So I added a rule to ban them completely and it is a real pain to do this from the GUI.
    I'd like to fully automate it but with the extra ssh this doesn't seem to be possible.

    Nonetheless the CLI is a great enhancement for my purpose.

    BTW: I did report a bug in October but it is still not solved.

  • Avatar
    Anzhelika Khapaknysh

    Hi @Peter Kielbasiewicz,

    Thanks for your feedback!

    Regarding the reported bug: PPPM-9487 is still in progress. Currently, I don't have any ETA regarding it.

Please sign in to leave a comment.

Have more questions? Submit a request