Introduction
Managing firewall rules through Plesk’s web interface is straightforward, but there are times when you only have SSH access to your server. Whether you’re troubleshooting a lockdown situation, automating server configuration, or simply prefer the command line, knowing how to manipulate the Plesk Firewall via CLI is an essential skill for any server administrator.
In this guide, I’ll walk you through everything you need to know about managing Plesk Firewall rules from the command line, including how to create, modify, delete, and apply rules without ever opening a web browser.
Prerequisites
- Root SSH access to your Plesk server
- Plesk Firewall extension installed (most Plesk installations include it)
- Two separate SSH sessions open (critical for safety – explained below)
Understanding the Plesk Firewall CLI
The Plesk Firewall command-line tool is called via plesk ext firewall. Here are the most important commands you’ll use:
| Command | Purpose |
|---|---|
| --list-json | List all existing rules |
| --set-rule | Create a new rule or update an existing one |
| --remove-rules | Delete one or more rules |
| --apply | Stage changes to the active firewall |
| --confirm | Permanently save staged changes |
| --reset | Revert to the last saved configuration |
| --enable / --disable | Turn Plesk Firewall on or off |
⚠️ The Most Important Safety Rule: The Two-Session Requirement
When you run plesk ext firewall --apply, you have exactly 60 seconds to run --confirm from a separate SSH session. This safety mechanism prevents you from locking yourself out of your own server.
Why? If your new rule accidentally blocks your SSH access, the automatic rollback after 60 seconds will save you. The second session ensures you can still run the confirm command even if your primary session is disrupted.
Always do this:
- Session 1: Run --apply
- Session 2: Within 60 seconds, run --confirm
Viewing Existing Firewall Rules
Before making changes, you need to know what rules already exist:
plesk ext firewall --list-json
This outputs JSON-formatted data. To make it more readable:
plesk ext firewall --list-json | python3 -m json.tool
Or to find a specific rule:
plesk ext firewall --list-json | grep -A 10 "rule-name"
Sample Output
{
"name": "temp-admin-access",
"direction": "input",
"action": "allow",
"ports": "8443/tcp",
"from": "192.168.1.100,10.0.0.50",
"class": "custom",
"type": "custom",
"id": 193
}
The id field is crucial – you’ll need it to modify existing rules.
Creating a New Firewall Rule
Basic Rule Creation
To create a rule that allows traffic on a specific port:
plesk ext firewall --set-rule \
  -name "Allow SSH" \
  -direction input \
  -action allow \
  -ports "22/tcp"
Rule with IP Restrictions
To allow only specific IP addresses:
plesk ext firewall --set-rule \
  -name "Restricted Access" \
  -direction input \
  -action allow \
  -ports "8443/tcp" \
  -remote-addresses "203.0.113.10,198.51.100.25"
Rule with Port Ranges
plesk ext firewall --set-rule \
  -name "Port Range" \
  -direction input \
  -action allow \
  -ports "10000-20000/tcp"
Rule with Multiple Ports
plesk ext firewall --set-rule \
  -name "Web Ports" \
  -direction input \
  -action allow \
  -ports "80/tcp,443/tcp,8080/tcp"
Deny a Specific IP
plesk ext firewall --set-rule \
  -name "Block Attacker" \
  -direction input \
  -action deny \
  -remote-addresses "192.168.1.100"
Modifying an Existing Rule
To modify a rule, you need its ID (found from --list-json). Unlike creation, you don’t need to specify all parameters – only the ones you want to change.
Change the Ports
plesk ext firewall --set-rule -id 193 -ports "2222/tcp"
Change Allowed IPs
plesk ext firewall --set-rule -id 193 -remote-addresses "10.0.0.1,10.0.0.2"
Change Both Port and IPs
plesk ext firewall --set-rule \
  -id 193 \
  -ports "8443/tcp" \
  -remote-addresses "192.168.1.100,10.0.0.50"
Change Rule Action (Allow to Deny)
plesk ext firewall --set-rule -id 193 -action deny
Deleting Firewall Rules
Delete by ID
plesk ext firewall --remove-rules -ids 193
Delete by Name
plesk ext firewall --remove-rules -name "temp-admin-access"
Delete Multiple Rules
plesk ext firewall --remove-rules -ids 193,194,195
Applying and Confirming Changes
This is the critical sequence that actually activates your changes:
Standard Two-Session Method
Session 1 (Primary):
plesk ext firewall --apply
Output: The firewall rules were activated. To save your changes, run the --confirm command within 60 second(s).
Session 2 (Secondary – within 60 seconds):
plesk ext firewall --confirm
Output: The firewall rules were saved.
Auto-Confirm Method (Use with Extreme Caution)
If you’re absolutely certain your changes won’t lock you out, you can auto-confirm:
plesk ext firewall --apply -auto-confirm-this-may-lock-me-out-of-the-server
Warning: Only use this if:
- You’re certain your current IP is in the allow list
- You’re not changing SSH port rules
- You have out-of-band access (like a hosting provider’s console)
Reverting Changes
Revert to Last Saved Configuration
If you applied changes but haven’t confirmed them yet (within the 60-second window):
plesk ext firewall --reset
Disable Firewall Entirely (Emergency)
plesk ext firewall --disable
Re-enable Firewall
plesk ext firewall --enable
Common Scenarios
Scenario 1: Add Your Current IP to an Existing Rule
First, get your current IP:
curl -s ifconfig.me
Then find the rule ID and update it:
plesk ext firewall --list-json
plesk ext firewall --set-rule -id 193 -remote-addresses "YOUR_IP,EXISTING_IP"
plesk ext firewall --apply
# In second session within 60 seconds:
plesk ext firewall --confirm
Scenario 2: Open a Port for Everyone
plesk ext firewall --set-rule \
  -name "Open Port 8080" \
  -direction input \
  -action allow \
  -ports "8080/tcp"
plesk ext firewall --apply
# Confirm in second session
Scenario 3: Remove a Rule That’s Blocking Access
First, list rules to find the blocking rule:
plesk ext firewall --list-json
Then remove it:
plesk ext firewall --remove-rules -ids 193
plesk ext firewall --apply
# Confirm in second session
Troubleshooting
“Unknown command: list”
The correct command is --list-json, not --list.
“The rule was not found”
The rule ID or name doesn’t exist. Use --list-json to see existing rules and their current IDs.
Changes don’t persist
You likely ran --set-rule but forgot to run --apply and --confirm. The rule is staged but not active.
“Too late to confirm”
The 60-second window expired. Run --reset to clear the pending state, then start over.
I locked myself out!
Wait 60 seconds – the firewall will automatically roll back to the last confirmed configuration. Then reconnect.
Best Practices
- Always keep two SSH sessions open when modifying firewall rules
- Test changes during maintenance windows when possible
- Document your rules – use descriptive names so you remember what each rule does
- Backup current rules before major changes: plesk ext firewall --export > firewall-backup.json
- Restore from backup if needed: plesk ext firewall --import < firewall-backup.json
When to Use CLI vs Web Interface
| Use CLI When… | Use Web Interface When… |
|---|---|
| You only have SSH access | You have Plesk panel access |
| Automating with scripts | Doing one-off changes |
| Server is locked out of Plesk | You want visual confirmation |
| Bulk operations | You’re less comfortable with CLI |
Final Thoughts
Managing Plesk Firewall from the command line gives you powerful control over your server’s security, even when the web interface is inaccessible. The key to success is understanding the two-session confirmation requirement – it’s there to protect you, not to annoy you.
Remember: when in doubt, run --list-json first to see what you’re working with, always keep a second SSH session ready, and never auto-confirm unless you’re absolutely certain.
The Two Systems You May Need to Update
| System | What It Controls | CLI Method |
|---|---|---|
| Plesk Firewall | Network-level access (port 8443, SSH, etc.) | plesk ext firewall |
| Plesk IP Access Restriction | Who can log into the Plesk admin panel | plesk db (SQL) |
How to Update the Plesk Database for IP Access Restriction
Step 1: Check Current Policy
First, see what your current access policy is:
plesk db "SELECT * FROM misc WHERE param='access_policy'"
This will return either:
- allow – Allow all IPs except those listed as deny in cp_access
- deny – Deny all IPs except those listed as allow in cp_access
Step 2: View Existing IP Restrictions
plesk db "SELECT * FROM cp_access"
Sample output:
+----+-------+----------------+-----------------+
| id | type  | netaddr        | netmask         |
+----+-------+----------------+-----------------+
| 1  | allow | 203.0.113.10   | 255.255.255.255 |
| 2  | deny  | 198.51.100.0   | 255.255.255.0   |
+----+-------+----------------+-----------------+
Step 3: Add an IP to the Allow List
If your policy is deny (most common for security), add IPs you want to allow:
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('allow', '203.0.113.50', '255.255.255.255')"
Step 4: Add an IP to the Deny List
If your policy is allow (allow everyone except specific IPs):
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('deny', '203.0.113.200', '255.255.255.255')"
Step 5: Modify an Existing Record
To change an existing restriction (e.g., change a deny to an allow):
# First, find the ID
plesk db "SELECT * FROM cp_access"
# Then update by ID
plesk db "UPDATE cp_access SET type='allow' WHERE id=3"
Step 6: Remove an IP Restriction
plesk db "DELETE FROM cp_access WHERE id=3"
Step 7: Clear All Restrictions (Emergency)
plesk db "DELETE FROM cp_access"
plesk db "UPDATE misc SET val='allow' WHERE param='access_policy'"
Complete Example: Allow a New IP to Access Plesk Panel
Let’s say you want to allow IP 203.0.113.75 to log into Plesk:
# Check current policy
plesk db "SELECT * FROM misc WHERE param='access_policy'"
# If policy is 'deny', add as 'allow'
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('allow', '203.0.113.75', '255.255.255.255')"
# Verify it was added
plesk db "SELECT * FROM cp_access"
How to Update Both Firewall AND Plesk DB
If you want to both allow network access AND allow Plesk login from a new IP:
Step 1: Update Plesk Firewall
# Get your current IP
MY_IP=$(curl -s ifconfig.me)
# Add to firewall rule (replace 193 with your actual rule ID)
plesk ext firewall --set-rule -id 193 -remote-addresses "$MY_IP,EXISTING_IP"
# Apply firewall changes
plesk ext firewall --apply
# Confirm in second session within 60 seconds
Step 2: Update Plesk Database for Panel Access
# Add to Plesk IP access restriction
plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('allow', '$MY_IP', '255.255.255.255')"
# Verify
plesk db "SELECT * FROM cp_access"
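Added example (not part of the original guide): Scenario 1 and the combined procedure above both paste the result of an external lookup into a firewall rule and into a SQL statement that runs as root, so the value should be checked first. This sketch validates the address, merges it into the rule's existing list without duplicates, and prints the resulting commands instead of running them; the helper names is_ipv4, merge_addr and cp_access_sql and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate an address before it reaches `plesk ext firewall` or `plesk db`.

# is_ipv4 ADDR: succeed only for four dot-separated decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;          # empty, or anything but digits and dots
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ''|0?*|????*) return 1 ;;      # empty, leading zero, or too long
        esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# merge_addr LIST ADDR: print the comma-separated LIST with ADDR added once.
merge_addr() {
    case ",$1," in
        ,,)         printf '%s\n' "$2" ;;
        *",$2,"*)   printf '%s\n' "$1" ;;
        *)          printf '%s,%s\n' "$1" "$2" ;;
    esac
}

# cp_access_sql TYPE ADDR: print the single-host INSERT statement, or fail.
cp_access_sql() {
    case "$1" in allow|deny) ;; *) return 1 ;; esac
    is_ipv4 "$2" || return 1
    printf "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('%s', '%s', '255.255.255.255')\n" "$1" "$2"
}

# Constructed values standing in for the lookup result and the rule's current list.
MY_IP="203.0.113.75"
EXISTING="192.168.1.100,10.0.0.50"
if is_ipv4 "$MY_IP"; then
    echo "plesk ext firewall --set-rule -id 193 -remote-addresses \"$(merge_addr "$EXISTING" "$MY_IP")\""
    echo "plesk db \"$(cp_access_sql allow "$MY_IP")\""
else
    echo "refusing to use '$MY_IP': not an IPv4 address" >&2
fi
```

If the lookup returns an error page, an IPv6 address or an empty string, is_ipv4 fails and nothing is written to the rule or the cp_access table.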
Quick Reference: Common Plesk DB Commands
| Action | Command |
|---|---|
| View policy | plesk db "SELECT * FROM misc WHERE param='access_policy'" |
| List restrictions | plesk db "SELECT * FROM cp_access" |
| Add allowed IP | plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('allow', 'IP_HERE', '255.255.255.255')" |
| Add denied IP | plesk db "INSERT INTO cp_access (type, netaddr, netmask) VALUES ('deny', 'IP_HERE', '255.255.255.255')" |
| Modify record | plesk db "UPDATE cp_access SET type='allow' WHERE id=NUMBER" |
| Delete record | plesk db "DELETE FROM cp_access WHERE id=NUMBER" |
| Delete all | plesk db "DELETE FROM cp_access" |
Why Both May Be Needed
Consider this error message:
“Access for administrator from address ‘IP_HERE’ is restricted in accordance with IP Access restriction policy”
This error comes from the Plesk database restriction system, not the firewall. Even if your firewall allows the connection, Plesk itself will block the login if the IP isn’t in its allowed list.
Testing Your Changes
After updating the database, you should be able to log in immediately – no service restart is needed. The Plesk panel reads the cp_access table on each login attempt.
Bottom line: The Plesk Firewall controls whether packets reach your server. The Plesk database controls whether a successful connection can actually log into the admin panel. Both may need updating when you change IP access rules.