• @TimTamJimJam
    link
    11710 months ago

    Happened to me in work once… I was connected via SSH to one of our test machines, so I could test connection disruption handling on a product we had installed.

    I had a script that added iptables rules to block all ports for 30 seconds then unblock them. Of course I didn’t add an exception for port 22, and I didn’t run it with nohup, so when I ran the script it blocked the ports, which locked me out of SSH access, and the script stopped running when the SSH session ended so never unblocked the ports. I just sat there in awe of my stupidity.

      • @[email protected]
        link
        fedilink
        English
        3910 months ago

        Ah, if only it was a server room and not a customer 3 hours drive away. And he’d closed and gone home for the night.

        Fortunately it just needed a reboot, and I was able to talk him through that in the morning.

        • @[email protected]
          link
          fedilink
          1310 months ago

          Oof… well you can just say “it must be some hardware problem or something… maybe a reboot will fix it.”

        • @[email protected]
          link
          fedilink
          5
          edit-2
          10 months ago

          Oof I did a firmware upgrade on my main external firewall.

          The upgrade went fine but when we added an ISP a month or so prior, I forgot to redistribute the ISPs routes. While all my ISPs were technically working, and the firewall came back up, nothing below it could get to the internet, so it was good as down.

          Cue the 1.5 hour drive into the office…

          Had that drive to think about what went wrong. Got into the main lobby, sat down, joined the wifi, and fixed it in 3 minutes.

          Didn’t even get to my desk or the datacenter.

        • u/lukmly013 💾 (lemmy.sdf.org)
          link
          fedilink
          English
          10
          edit-2
          10 months ago

          Well, the script could keep running even after he would have detached from that tmux session due to losing ssh connection. And since that script would unblock all ports after 30 seconds…

          (Same use case as nohup that they mentioned)

        • @[email protected]
          link
          fedilink
          310 months ago

          Tmux essentially creates a pseudo-shell that persists between sessions.

          So you can start a process, detach the session, start something else, disconnect, come back next week, and check on it.

          It does other things too. Like console tiling.

    • @[email protected]
      link
      fedilink
      310 months ago

      Out of curiousity, how would nohup make your situation different? As I understand, nohup makes it possible to keep terminal applications running even when the terminal session has ended.

      • @[email protected]
        link
        fedilink
        English
        710 months ago

        If the script was supposed to wait 30 secs and then unblock the ports, running with nohup would have allowed the ports to be unblocked 30 secs later. Instead, the script terminated when the SSH session died, and never executed the countdown nor unblock.

      • @aidan
        link
        510 months ago

        the script stopped running when the SSH session ended so never unblocked the ports

  • TurboWafflz
    link
    7410 months ago

    I accidentally put all the interfaces on my router running openwrt into the wrong firewall zone so now I can’t access it via ssh or the web interface. I already had it configured though and it still works so I’m just ignoring the problem until something breaks

    • @muntedcrocodile
      link
      5010 months ago

      There is nothing more perminant than a temporary solution.

      • Ignotum
        link
        23
        edit-2
        10 months ago

        “i’ll fix that later”
        Narrator: “they never did”

    • idunnololz
      link
      2810 months ago

      It’s super secure though, not even you have access!

    • @[email protected]
      link
      fedilink
      English
      1210 months ago

      I did the same thing, set up OpenWRT perfectly, then changed the local range from 192.168.1.0 to 192.168.0.0 to suit some legacy connections. Everything works, except I can’t change settings on the router, so for now I leave it alone

    • @Tangent5280
      link
      510 months ago

      Maybe you can put aside a day which has nothing else going on so you can sit down and fix it before it breaks.

    • @[email protected]
      link
      fedilink
      210 months ago

      Sounds like my Unifi experience with the old CloudKeys that liked to brick themselves if the wind blew in a way they disliked. Everything still ran fine, but I couldn’t manage any of it till I factory reset it all. I think it ran like that for 3mo before I could be bothered 😅

    • @[email protected]
      link
      fedilink
      2810 months ago

      UFW is a software firewall. SSH is a way to remote into computers. The joke is they turned on UFW and got locked out of the machine.

      • @[email protected]
        link
        fedilink
        3910 months ago

        I’m pretty sure it was a joke.

        Everyone did this at some point, but nobody would admit such a silly thing happened to them.

        • @[email protected]
          link
          fedilink
          1210 months ago

          Never done this to a single server.

          Managed to write the “ufw enable, deny all” part of ansislbe script without the “allow 22” part and run it against all my homelab once.

  • MrPasty
    link
    fedilink
    1710 months ago

    Firewallcmd’s runtime-to-permanent is one of my favorite features of any software. Set everything up, make sure everything works before making the changes permanent. If not, just reboot!

  • CronyAkatsuki
    link
    fedilink
    10
    edit-2
    10 months ago

    Happened to me, luckilly I kept an ssh connection up.

    Now I make sure to enable the firewall rules before I enable ufw ( still happened to me 3 more times ).

  • @[email protected]
    link
    fedilink
    810 months ago

    I know this is posted in funny, but whatever. You could still login locally using keyboard and monitor. Uncool, but it works

    • @marcos
      link
      1610 months ago

      You are assuming there is a keyboard and monitor plugged to it, and that the computer is somewhere nearby.

      None of those are automatically true. And when it’s nearby, it’s usually easier to just get the SD card into another computer and edit the configuration.

    • @treechickenOP
      link
      510 months ago

      That’s exactly what I did lol. Thankfully my Pi’s just in a drawer. If this was a remote host at work I would’ve already shat myself :P

  • r00ty
    link
    fedilink
    610 months ago

    I’ve had to boot a remote server into rescue after locking myself out.

    I think most people have done this at least once.

  • 7heo
    link
    fedilink
    510 months ago

    ufw is not a good software. I really tried to work with it. My solution was to disable it.

      • z3bra
        link
        fedilink
        6
        edit-2
        10 months ago

        Just like stabbing yourself if the eye is better with a fork than with a rusty fork.

        pf gang rise up !

  • @[email protected]
    link
    fedilink
    410 months ago

    This literally happened to me yesterday. Fortunately ufw enable did not configure it as persistent across reboots 🤠

  • @[email protected]
    link
    fedilink
    310 months ago

    What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.

      • @[email protected]
        link
        fedilink
        210 months ago

        I remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)

        • @[email protected]
          link
          fedilink
          110 months ago

          Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?

          • @[email protected]
            link
            fedilink
            110 months ago

            I can configure the containers in ways that don’t require ports to be published for the real network, but that’s always possible. It would still be nice to have a firewall that can block even those containers that try to publish their ports to the whole (real) network.

    • @[email protected]
      link
      fedilink
      210 months ago

      UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.

    • @[email protected]
      link
      fedilink
      110 months ago

      Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.

        • @[email protected]
          link
          fedilink
          110 months ago

          If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.

          • @[email protected]
            link
            fedilink
            110 months ago

            Yeah of course, that’s what I’m doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.

    • @Crack0n7uesday
      link
      1
      edit-2
      10 months ago

      You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…

  • @Crack0n7uesday
    link
    310 months ago

    it’s become self aware and is always blocking ports 22 & 23.

  • @[email protected]
    link
    fedilink
    310 months ago

    i have ssh configured on a different port,

    more than one time i enabled ssh in ufw, restarted the service… and the connection dropped