We had an issue wherein a server couldn't reach the Plesk licensing server, even with port 5224 added to the egress rules. We had RU added to the CC_DENY config which was very clearly the cause (I found the blocked range in iptables). After removing RU from CC_DENY, all worked fine.
I had even tried inserting a rule into csf.allow which created the corresponding iptables rule correctly, yet it wasn't overriding the CC_DENY config (shouldn't it?)
But even more odd is that the CountryCode rules show the following documentation:
Notice the very end where it says they're for incoming connections only: this was an outgoing connection that it was blocking. Is the documentation wrong or is this a bug?# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only