Ask HN: Enable a Linux firewall without locking yourself out?
1 point by wmockbill 2558 days ago
I have a friend who has an Ubuntu server at a remote datacenter (not cloud based, unfortunately). The other day he set up the ufw firewall and, even though he assures me he added his IP address to the rules, he was locked out when he enabled the firewall:

  sudo ufw allow from his-ip-address
  sudo ufw allow ssh
  sudo ufw enable

It ended up costing him over £200 to pay for out-of-hours support for an engineer to drive to the data centre and restart the server.

He still needs to enable the firewall, but is very worried about getting locked out again. How can he do this without locking himself out?

My initial ideas are:

1. Have a crontab that runs every 10 minutes to disable the firewall. Then enable the firewall and test that he can still gain access. If not, worst case he is locked out for 10 minutes.

2. Run a shell script that enables the firewall, sleeps for a few minutes, and then disables it. This would need to run in something like tmux so that when the session is killed by the firewall the script will continue running.

Is there a better way?

I have already suggested he take a look at moving to AWS - but that may take some time.

Thanks

5 comments

Yeah, option 1 is what I do for my own remote machine.

  0 * * * * /sbin/pfctl -f /etc/pf.conf.knowngood
If needed, copy then edit the known-good file, load the rules temporarily, and make sure everything works. Make sure the tests have enough time to run (that is: don't reload every minute, but every <long enough duration here>). If all is OK, then back up the old known-good file and move the new one into place.
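The two ideas in the original post (a cron job that disables the firewall on a schedule, or a detached script that sleeps and then disables it) and the hourly reload of a known-good pf ruleset in the comment above are all the same dead-man's switch: arm an automatic revert first, then change the firewall, then cancel the revert only after proving you can still get in. Below is an added example of that pattern for ufw as a POSIX shell script; it is not code from the thread or from the ufw project. It assumes Ubuntu with ufw installed, root (or sudo) privileges, and coreutils `nohup`; the script name, the variable names and the pidfile path are my choices.

```shell
#!/bin/sh
# safe-fw-enable.sh (added example, not from the thread): enable ufw behind a
# dead-man's switch. A detached timer runs "ufw disable" again after
# REVERT_SECONDS unless you confirm, from a NEW ssh session, that you can
# still get in. Assumptions: Ubuntu with ufw, run as root (or under sudo),
# nohup available (coreutils). Try it with a short REVERT_SECONDS first.
set -u

REVERT_SECONDS="${REVERT_SECONDS:-300}"
FW_ENABLE="${FW_ENABLE:-ufw --force enable}"   # --force skips the y/n prompt
FW_DISABLE="${FW_DISABLE:-ufw disable}"
PIDFILE="${PIDFILE:-/run/fw-revert.pid}"      # assumed path; needs root, as ufw does

# Arm the revert timer as a detached process. nohup makes it survive the
# SIGHUP delivered when this ssh session drops, which is exactly the failure
# being guarded against. Records the timer's pid and prints it.
start_revert_timer() {
    nohup sh -c "sleep $REVERT_SECONDS && $FW_DISABLE" >/dev/null 2>&1 </dev/null &
    echo "$!" > "$PIDFILE"
    echo "$!"
}

# Cancel the pending revert. Returns 0 if a live timer was found and killed,
# non-zero if nothing was pending (for example, it already fired).
cancel_revert_timer() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    rm -f "$PIDFILE"
    kill "$pid" 2>/dev/null
}

# Whole procedure: arm timer, enable firewall, wait for human confirmation.
safe_enable() {
    start_revert_timer >/dev/null
    $FW_ENABLE
    echo "Firewall enabled. From ANOTHER terminal, open a NEW ssh session to this host."
    echo "This session may keep working even if new ones are blocked (ufw accepts"
    echo "ESTABLISHED traffic), so only a fresh connection proves the rules."
    echo "If it works, press Enter within $REVERT_SECONDS seconds to keep the rules."
    # If this session dies first, read never returns and the timer fires.
    if read -r _answer; then
        if cancel_revert_timer; then
            echo "Revert cancelled; rules kept."
        else
            echo "Too late: the revert already fired and the firewall is disabled again."
        fi
    fi
}

if [ "${1:-}" = "run" ]; then
    safe_enable
fi
```

Run it as `sudo sh safe-fw-enable.sh run`, with something like `REVERT_SECONDS=60` the first time. The detail that matters is testing from a new connection: ufw's default rules accept ESTABLISHED traffic, so the session you launched the script from can survive even when ssh is blocked for everyone else, and "my session still works" proves nothing. If you let the timer fire, `ufw disable` only unloads the rules; the definitions stay in /etc/ufw, so you can fix them and run the script again.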
ufw is awesome and really shit at the same time... As long as you just need opened and closed ports it's all fine; as soon as you do something with multiple networks (Docker, VMs) you have to fix quite a lot manually in iptables directly and make sure it gets re-added whenever ufw decides to overwrite iptables.

I can highly recommend using iptables directly and taking a look at the Arch Linux wiki, especially this page: https://wiki.archlinux.org/index.php/Simple_stateful_firewal...

Might be a struggle to teach him iptables, but the link was useful, even for me.

Thanks

I mean, honestly, the first idea seems smart to me for developing. Once it is set up you just remove that crontab and you're done.
I used to get locked out in my early days learning to use ufw and ended up reinstalling my VPS many times. In the end I just set up a temporary reverse SSH tunnel (using autossh), so whenever I got locked out I was still able to get back in using this tunnel.
autossh is a nice suggestion
iptables