Firewall

JATtho , 4 months ago

It happened to me when I was configuring IP geoblocking: Only whitelist IP ranges are allowed. That was fetched from a trusted URL. If the DNS provider just happened to not be on that list, the whitelist would become empty, blocking all IPs. Literally 100% proof firewall; not even a ping gets a pass.

conti473 , 4 months ago

OPNsense has an anti-lock-out rule at the top for a reason 😁

KuroeNekoDemon , 4 months ago

That moment when you forget to run sudo ufw allow ssh after enabling the firewall

neosheo , 4 months ago

You mean before?

KuroeNekoDemon , 4 months ago

Yeah sorry my brain is fried

dan , 4 months ago

Not exactly the same thing, but on one of my systems, eth0 and eth1 swapped position after a kernel update, so the IP was on the wrong interface. I had IPMI/BMC on the system so didn’t have to physically go to it and plug in a keyboard and monitor, but I still had to deal with manually typing a long randomly-generated password, twice (one to log in and once again for sudo).

I’m glad “predictable” interface names are supported now. Those eth0/eth1/etc names were dangerous since the numbers were just based on the order the kernel loaded the drivers and initialized them in, which can change across reboots. The predictable names are based on physical position in the system, so they’re consistent across reboots.

Crack0n7uesday , 4 months ago

it’s become self aware and is always blocking ports 22 & 23.

churisotophu , 4 months ago

This literally happened to me yesterday. Fortunately ufw enable did not configure it as persistent across reboots 🤠

uis , 4 months ago

UART it

GolfNovemberUniform , 4 months ago

Connects a monitor and a keyboard to the Raspberry Pi

picard , 4 months ago

@GolfNovemberUniform @treechicken so we deduct he has no Raspberry 400

GolfNovemberUniform , 4 months ago

I mean, yea? Why would they buy a 400 if it’s unnecessarily more expensive?

picard , 4 months ago

@GolfNovemberUniform for collectors reasons?

GolfNovemberUniform , 4 months ago

Oh I didn’t think about that one

ILikeBoobies , 4 months ago

It’s cute

bartolomeo , 4 months ago

Defeatedly Connects a monitor and a keyboard to the Raspberry Pi

PlexSheep , 4 months ago

What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.

iiGxC , 4 months ago

Ufw should work, jus ufw block/limit/allow port number

PlexSheep , 4 months ago

I remember trying with ufw and the docker ports were still open. Iirc I’ve read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)

iiGxC , 4 months ago

Hmm, not sure. I know with docker you can “mock” ports for the container, where the port the container sees is different than the port on the system. Maybe you can do something with that?

PlexSheep , 4 months ago

I can configure the containers in ways that don’t require ports to be published for the real network, but that’s always possible. It would still be nice to have a firewall that can block even those containers that try to publish their ports to the whole (real) network.

derpgon , 4 months ago

UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It’s a little finicky but works.

PlexSheep , 4 months ago

Interesting, I might have to read up on that next time. Thanks

tux7350 , 4 months ago

I ran into this same situation, this repo helped me solve it.

github.com/chaifeng/ufw-docker#solving-ufw-and-do…

JasonDJ , 4 months ago

But…why?

Project Calico is designed for segmenting network traffic between kubernetes workloads.

Right tool for the job.

Also if you are a Fortinet shop, supposedly you can manage rules with FortiManager. I haven’t tried that yet but it looks really cool.

derpgon , 4 months ago

I was specifically talking about Docker+UFW. Of course the possibilities are endless.

Crack0n7uesday , 4 months ago

You want a virtual firewall. Is this for profit or just your science project because that’s going to change the answer. You might hate me, but I’m still gonna say it, Cisco…

PlexSheep , 4 months ago

For my homelab, and I’ll only host OSS

dan , 4 months ago

Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.

PlexSheep , 4 months ago

They are Only in my docker bridge networks and have a few published ports

dan , 4 months ago

If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.

PlexSheep , 4 months ago

Yeah of course, that’s what I’m doing anyways, but the purpose of a firewall would be defense in depth, even is something were to be published, the firewall got it.

KingThrillgore , 4 months ago

this is me dealing with ZScaler at work

TimTamJimJam , 4 months ago

Happened to me in work once… I was connected via SSH to one of our test machines, so I could test connection disruption handling on a product we had installed.

I had a script that added iptables rules to block all ports for 30 seconds then unblock them. Of course I didn’t add an exception for port 22, and I didn’t run it with nohup, so when I ran the script it blocked the ports, which locked me out of SSH access, and the script stopped running when the SSH session ended so never unblocked the ports. I just sat there in awe of my stupidity.

SpaceCowboy , 4 months ago

We’ve all experienced the walk of shame to the server room to hook up a monitor keyboard.

Blackmist , 4 months ago

Ah, if only it was a server room and not a customer 3 hours drive away. And he’d closed and gone home for the night.

Fortunately it just needed a reboot, and I was able to talk him through that in the morning.

SpaceCowboy , 4 months ago

Oof… well you can just say “it must be some hardware problem or something… maybe a reboot will fix it.”

aStonedSanta , 4 months ago

lol. When I get asked what went wrong at work. So. A solar flare can swap the bits…

JasonDJ , 4 months ago

Oof I did a firmware upgrade on my main external firewall.

The upgrade went fine but when we added an ISP a month or so prior, I forgot to redistribute the ISPs routes. While all my ISPs were technically working, and the firewall came back up, nothing below it could get to the internet, so it was good as down.

Cue the 1.5 hour drive into the office…

Had that drive to think about what went wrong. Got into the main lobby, sat down, joined the wifi, and fixed it in 3 minutes.

Didn’t even get to my desk or the datacenter.

user224 , 4 months ago

the script stopped running when the SSH session ended

tmux
Always use tmux when possible for remote connections.

QuazarOmega , 4 months ago

What does it do in this case?

user224 , 4 months ago

Well, the script could keep running even after he would have detached from that tmux session due to losing ssh connection. And since that script would unblock all ports after 30 seconds…

(Same use case as nohup that they mentioned)

JasonDJ , 4 months ago

Tmux essentially creates a pseudo-shell that persists between sessions.

So you can start a process, detach the session, start something else, disconnect, come back next week, and check on it.

It does other things too. Like console tiling.

krash , 4 months ago

Out of curiousity, how would nohup make your situation different? As I understand, nohup makes it possible to keep terminal applications running even when the terminal session has ended.

aidan , 4 months ago

the script stopped running when the SSH session ended so never unblocked the ports

octopus_ink , 4 months ago

If the script was supposed to wait 30 secs and then unblock the ports, running with nohup would have allowed the ports to be unblocked 30 secs later. Instead, the script terminated when the SSH session died, and never executed the countdown nor unblock.

krash , 4 months ago

Thanks for the elaborate answer!

octopus_ink , 4 months ago

Any time! :)

RedstoneValley , 4 months ago

I know this is posted in funny, but whatever. You could still login locally using keyboard and monitor. Uncool, but it works

marcos , 4 months ago

You are assuming there is a keyboard and monitor plugged to it, and that the computer is somewhere nearby.

None of those are automatically true. And when it’s nearby, it’s usually easier to just get the SD card into another computer and edit the configuration.

treechicken OP , 4 months ago

That’s exactly what I did lol. Thankfully my Pi’s just in a drawer. If this was a remote host at work I would’ve already shat myself :P

7heo , 4 months ago

ufw is not a good software. I really tried to work with it. My solution was to disable it.

tetris11 , 4 months ago

It’s better than raw iptables / nftables though.

7heo , 4 months ago

Not IMHO no. By far.

wgs , 4 months ago

Just like stabbing yourself if the eye is better with a fork than with a rusty fork.

pf gang rise up !

r00ty Admin , 4 months ago

I've had to boot a remote server into rescue after locking myself out.

I think most people have done this at least once.

crony , 4 months ago (edited 4 months ago)

Happened to me, luckilly I kept an ssh connection up.

Now I make sure to enable the firewall rules before I enable ufw ( still happened to me 3 more times ).

Discover5164 , 4 months ago

i have ssh configured on a different port,

more than one time i enabled ssh in ufw, restarted the service… and the connection dropped