Happened to me in work once... I was connected via SSH to one of our test machines, so I could test connection disruption handling on a product we had installed.
I had a script that added iptables rules to block all ports for 30 seconds then unblock them. Of course I didn't add an exception for port 22, and I didn't run it with nohup, so when I ran the script it blocked the ports, which locked me out of SSH access, and the script stopped running when the SSH session ended so never unblocked the ports. I just sat there in awe of my stupidity.
Out of curiousity, how would nohup make your situation different? As I understand, nohup makes it possible to keep terminal applications running even when the terminal session has ended.
If the script was supposed to wait 30 secs and then unblock the ports, running with nohup would have allowed the ports to be unblocked 30 secs later. Instead, the script terminated when the SSH session died, and never executed the countdown nor unblock.
I accidentally put all the interfaces on my router running openwrt into the wrong firewall zone so now I can't access it via ssh or the web interface. I already had it configured though and it still works so I'm just ignoring the problem until something breaks
I did the same thing, set up OpenWRT perfectly, then changed the local range from 192.168.1.0 to 192.168.0.0 to suit some legacy connections. Everything works, except I can't change settings on the router, so for now I leave it alone
Sounds like my Unifi experience with the old CloudKeys that liked to brick themselves if the wind blew in a way they disliked. Everything still ran fine, but I couldn't manage any of it till I factory reset it all. I think it ran like that for 3mo before I could be bothered 😅
Firewallcmd's runtime-to-permanent is one of my favorite features of any software. Set everything up, make sure everything works before making the changes permanent. If not, just reboot!
You are assuming there is a keyboard and monitor plugged to it, and that the computer is somewhere nearby.
None of those are automatically true. And when it's nearby, it's usually easier to just get the SD card into another computer and edit the configuration.
I remember trying with ufw and the docker ports were still open. Iirc I've read somewhere that docker and ufw both use the same underlying software, so ufw cannot block docker (IP tables?)
UFW does work with Docker, but requires some tweaking. IIRC you have to disallow Docker to modify IPTables and then add a rule to forward all traffic to the Docker network of your choice. It's a little finicky but works.
Are your Docker containers connecting to the network (eg using ipvlan or macvlan)? The default bridge network driver doesn't expose the container publicly unless you explicitly expose a port. If you don't expose a port, the Docker container is only accessible from the host, not from any other system on the network.
You want a virtual firewall. Is this for profit or just your science project because that's going to change the answer. You might hate me, but I'm still gonna say it, Cisco....
It happened to me when I was configuring IP geoblocking: Only whitelist IP ranges are allowed. That was fetched from a trusted URL. If the DNS provider just happened to not be on that list, the whitelist would become empty, blocking all IPs. Literally 100% proof firewall; not even a ping gets a pass.
Not exactly the same thing, but on one of my systems, eth0 and eth1 swapped position after a kernel update, so the IP was on the wrong interface. I had IPMI/BMC on the system so didn't have to physically go to it and plug in a keyboard and monitor, but I still had to deal with manually typing a long randomly-generated password, twice (one to log in and once again for sudo).
I'm glad "predictable" interface names are supported now. Those eth0/eth1/etc names were dangerous since the numbers were just based on the order the kernel loaded the drivers and initialized them in, which can change across reboots. The predictable names are based on physical position in the system, so they're consistent across reboots.
I know I forgot to reactivate my firewall yesterday, but I'm too scared of getting locked in to do it remotely. I have physical access to it, but gotta wait after work
Used terraform to do "the first 5 minutes on a server" for whenever I needed a fresh server. Just a hobbiest but it was a fun little project and I don't run ino that problem anymore.