Happened to me in work once… I was connected via SSH to one of our test machines, so I could test connection disruption handling on a product we had installed.
I had a script that added iptables rules to block all ports for 30 seconds then unblock them. Of course I didn’t add an exception for port 22, and I didn’t run it with nohup, so when I ran the script it blocked the ports, which locked me out of SSH access, and the script stopped running when the SSH session ended so never unblocked the ports. I just sat there in awe of my stupidity.
We’ve all experienced the walk of shame to the server room to hook up a monitor keyboard.
Ah, if only it was a server room and not a customer 3 hours drive away. And he’d closed and gone home for the night.
Fortunately it just needed a reboot, and I was able to talk him through that in the morning.
Oof… well you can just say “it must be some hardware problem or something… maybe a reboot will fix it.”
lol. When I get asked what went wrong at work. So. A solar flare can swap the bits…
the script stopped running when the SSH session ended
tmux
Always use tmux when possible for remote connections.What does it do in this case?
Well, the script could keep running even after he would have detached from that tmux session due to losing ssh connection. And since that script would unblock all ports after 30 seconds…
(Same use case as nohup that they mentioned)
Tmux essentially creates a pseudo-shell that persists between sessions.
So you can start a process, detach the session, start something else, disconnect, come back next week, and check on it.
It does other things too. Like console tiling.
Out of curiousity, how would nohup make your situation different? As I understand, nohup makes it possible to keep terminal applications running even when the terminal session has ended.
I accidentally put all the interfaces on my router running openwrt into the wrong firewall zone so now I can’t access it via ssh or the web interface. I already had it configured though and it still works so I’m just ignoring the problem until something breaks
There is nothing more perminant than a temporary solution.
“i’ll fix that later”
Narrator: “they never did”
It’s super secure though, not even you have access!
I did the same thing, set up OpenWRT perfectly, then changed the local range from 192.168.1.0 to 192.168.0.0 to suit some legacy connections. Everything works, except I can’t change settings on the router, so for now I leave it alone
Maybe you can put aside a day which has nothing else going on so you can sit down and fix it before it breaks.
Sounds like my Unifi experience with the old CloudKeys that liked to brick themselves if the wind blew in a way they disliked. Everything still ran fine, but I couldn’t manage any of it till I factory reset it all. I think it ran like that for 3mo before I could be bothered 😅
Whistles and looks away
I have absolutely no idea what you’re talking about
😜
UFW is a software firewall. SSH is a way to remote into computers. The joke is they turned on UFW and got locked out of the machine.
I’m pretty sure it was a joke.
Everyone did this at some point, but nobody would admit such a silly thing happened to them.
Never done this to a single server.
Managed to write the “ufw enable, deny all” part of ansislbe script without the “allow 22” part and run it against all my homelab once.
Hehe. I was joking there.
Have done it randomly on my backup raspi 3 so many times 🤣
I’ve been bamboozled
Firewallcmd’s runtime-to-permanent is one of my favorite features of any software. Set everything up, make sure everything works before making the changes permanent. If not, just reboot!
Isn’t that just like it is on Cisco systems?
Happened to me, luckilly I kept an ssh connection up.
Now I make sure to enable the firewall rules before I enable ufw ( still happened to me 3 more times ).
I know this is posted in funny, but whatever. You could still login locally using keyboard and monitor. Uncool, but it works
You are assuming there is a keyboard and monitor plugged to it, and that the computer is somewhere nearby.
None of those are automatically true. And when it’s nearby, it’s usually easier to just get the SD card into another computer and edit the configuration.
That’s exactly what I did lol. Thankfully my Pi’s just in a drawer. If this was a remote host at work I would’ve already shat myself :P
I’ve had to boot a remote server into rescue after locking myself out.
I think most people have done this at least once.
this is me dealing with ZScaler at work
ufw is not a good software. I really tried to work with it. My solution was to disable it.
It’s better than raw iptables / nftables though.
Just like stabbing yourself if the eye is better with a fork than with a rusty fork.
pfgang rise up !Not IMHO no. By far.
It happened to me when I was configuring IP geoblocking: Only whitelist IP ranges are allowed. That was fetched from a trusted URL. If the DNS provider just happened to not be on that list, the whitelist would become empty, blocking all IPs. Literally 100% proof firewall; not even a ping gets a pass.
OPNsense has an anti-lock-out rule at the top for a reason 😁
i have ssh configured on a different port,
more than one time i enabled ssh in ufw, restarted the service… and the connection dropped
What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.
Ufw should work, jus
ufw block/limit/allow port numberI remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)
UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.
Interesting, I might have to read up on that next time. Thanks
I ran into this same situation, this repo helped me solve it.
https://github.com/chaifeng/ufw-docker#solving-ufw-and-docker-issues
Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.
They are Only in my docker bridge networks and have a few published ports
If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.
Yeah of course, that’s what I’m doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.
I know I forgot to reactivate my firewall yesterday, but I’m too scared of getting locked in to do it remotely. I have physical access to it, but gotta wait after work
Yeah, that’s my philosophy. Don’t mess with it unless I can get my ass in there and fix it in case it goes south.
But then that thing is going to be the single only thing I can think about and it keeps disrupting me from everything else, so I decide to risk it.
Connects a monitor and a keyboard to the Raspberry Pi
@GolfNovemberUniform @treechicken so we deduct he has no Raspberry 400
I mean, yea? Why would they buy a 400 if it’s unnecessarily more expensive?
deleted by creator
