• JATtho@sopuli.xyz · ↑ 3 · 7 months ago

    It happened to me when I was configuring IP geoblocking: only whitelisted IP ranges are allowed. That list was fetched from a trusted URL. If the DNS provider just happened to not be on that list, the whitelist would become empty, blocking all IPs. Literally a 100% proof firewall; not even a ping gets a pass.
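An added example (not JATtho's setup) of the check that would have caught that failure: refuse to apply a fetched allowlist when it is empty or when an address you cannot afford to lose (the resolver that served the URL, the admin host) is missing from it. The chain name GEOALLOW, the helper names and the documentation ranges in the demo list are assumptions; the script only prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: guard against applying a fetched
# allowlist that came back empty (or without the hosts you depend on).
# Dry-run by default: prints the iptables commands. Set APPLY=1 to run them.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# list_entries FILE: the IPv4 addresses/CIDRs in FILE, ignoring comments and junk
list_entries() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" 2>/dev/null
}

# validate_allowlist FILE REQUIRED...: returns 0 only if FILE has at least one
# entry and every REQUIRED address/CIDR appears in it verbatim (e.g. the DNS
# resolver used to fetch the list and the admin host); otherwise returns 1.
validate_allowlist() {
    file="$1"; shift
    entries=$(list_entries "$file")
    if [ -z "$entries" ]; then
        echo "refusing: allowlist is empty; applying it would block everything" >&2
        return 1
    fi
    for req in "$@"; do
        if ! printf '%s\n' "$entries" | grep -qxF "$req"; then
            echo "refusing: required address $req is not in the allowlist" >&2
            return 1
        fi
    done
    return 0
}

# apply_allowlist FILE REQUIRED...: (re)build the GEOALLOW chain only after the
# list passed validation; on failure the existing rules stay untouched.
apply_allowlist() {
    validate_allowlist "$@" || return 1
    ipt -N GEOALLOW 2>/dev/null
    ipt -F GEOALLOW
    list_entries "$1" | while read -r cidr; do
        ipt -A GEOALLOW -s "$cidr" -j ACCEPT
    done
    ipt -A GEOALLOW -j DROP
}

# Constructed demo list (documentation ranges, not real data).
DEMO=$(mktemp)
printf '# fetched from the trusted URL\n203.0.113.0/24\n198.51.100.7\n' > "$DEMO"
apply_allowlist "$DEMO" 198.51.100.7 || echo "allowlist rejected, old rules kept" >&2
rm -f "$DEMO"
```

The point of the split into validate and apply is that a bad fetch (empty body, HTML error page, missing entry) fails closed for the script but not for the host: the old chain keeps running, and the failure is logged where the cron job or admin will see it.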

  • TimTamJimJam@lemmy.world · ↑ 1 · 7 months ago

    Happened to me in work once… I was connected via SSH to one of our test machines, so I could test connection disruption handling on a product we had installed.

    I had a script that added iptables rules to block all ports for 30 seconds, then unblock them. Of course I didn’t add an exception for port 22, and I didn’t run it with nohup, so when I ran the script it blocked the ports, which locked me out of SSH access, and the script stopped running when the SSH session ended, so it never unblocked the ports. I just sat there in awe of my stupidity.
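An added example (not the poster's script) of the two things that were missing: the exception for the management port goes in before the DROP, and the unblock timer is started under nohup so it outlives the SSH session that launched it (running the script inside tmux or screen gets the same effect). The chain name TESTBLOCK and the function names are assumptions; the script prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the poster's script: block inbound traffic for a test
# window without cutting off the SSH session that started it, and make the
# unblock timer survive that session ending. Dry-run by default (prints the
# iptables commands); set APPLY=1 to execute them.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# block_rules SSH_PORT: a TESTBLOCK chain that lets the management port
# through and drops everything else, hooked at the top of INPUT.
block_rules() {
    ssh_port="${1:-22}"
    ipt -N TESTBLOCK 2>/dev/null
    ipt -F TESTBLOCK
    ipt -A TESTBLOCK -p tcp --dport "$ssh_port" -j ACCEPT   # the missing exception
    ipt -A TESTBLOCK -j DROP
    ipt -I INPUT 1 -j TESTBLOCK
}

# unblock_rules: unhook and delete the chain, restoring the previous policy.
unblock_rules() {
    ipt -D INPUT -j TESTBLOCK
    ipt -F TESTBLOCK
    ipt -X TESTBLOCK
}

# schedule_unblock SECONDS: the timer runs under nohup in the background so it
# keeps going after the SSH session (and the shell that ran this script) has
# gone away; a plain "sleep; unblock" in the foreground dies with the session.
schedule_unblock() {
    nohup sh -c "sleep '$1'; APPLY='${APPLY:-0}' '$0' unblock" >/dev/null 2>&1 &
}

case "${1:-demo}" in
    block)   block_rules "${3:-22}" && schedule_unblock "${2:-30}" ;;
    unblock) unblock_rules ;;
    demo)    block_rules 22; echo "# ... 30 s test window ..."; unblock_rules ;;
    *)       echo "usage: $0 block [SECONDS] [SSH_PORT] | unblock" >&2; exit 2 ;;
esac
```

Usage on the test box would be `APPLY=1 ./testblock.sh block 30 22`; with no arguments it prints the rules it would add and remove. Putting the block rules in their own chain also means the unblock step is a delete of one jump rather than a guess at which INPUT rules the script added.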

      • Blackmist@feddit.uk · ↑ 2 · 7 months ago

        Ah, if only it was a server room and not a customer 3 hours drive away. And he’d closed and gone home for the night.

        Fortunately it just needed a reboot, and I was able to talk him through that in the morning.

        • SpaceCowboy@lemmy.ca · ↑ 1 · 7 months ago

          Oof… well you can just say “it must be some hardware problem or something… maybe a reboot will fix it.”

        • JasonDJ@lemmy.zip · ↑ 1 · 7 months ago

          Tmux essentially creates a pseudo-shell that persists between sessions.

          So you can start a process, detach the session, start something else, disconnect, come back next week, and check on it.

          It does other things too. Like console tiling.

  • TurboWafflz@lemmy.world · ↑ 0 · 7 months ago

    I accidentally put all the interfaces on my router running OpenWrt into the wrong firewall zone, so now I can’t access it via SSH or the web interface. I already had it configured, though, and it still works, so I’m just ignoring the problem until something breaks.

  • PlexSheep@feddit.de · ↑ 0 · 7 months ago

    What is a good firewall that can also block ports published with docker? I’d need it to run on the same host.

    • dan@upvote.au · ↑ 0 · 7 months ago

      Are your Docker containers connecting to the network (e.g. using ipvlan or macvlan)? The default bridge network driver doesn’t expose the container publicly unless you explicitly expose a port. If you don’t expose a port, the Docker container is only accessible from the host, not from any other system on the network.

        • dan@upvote.au · ↑ 0 · 7 months ago

          If you don’t want the Docker container to be accessible from other systems then just don’t publish the port.

          • PlexSheep@feddit.de · ↑ 1 · 7 months ago

            Yeah, of course, that’s what I’m doing anyway, but the purpose of a firewall would be defense in depth: even if something were to be published, the firewall’s got it.
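An added example (not from anyone in the thread) of the defense-in-depth layer PlexSheep is asking for, alongside dan's "just don't publish it". Docker inserts its own NAT and FORWARD rules, so host rules in INPUT never see traffic to a published port; the hook Docker provides for that is the DOCKER-USER chain, which it evaluates before its own rules. Because the DNAT has already happened by the time a packet reaches DOCKER-USER, the match is on the original destination port via conntrack rather than on --dport. The interface name, subnet and port numbers are placeholders; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: restrict who can reach ports that Docker
# has published, from the host's own firewall, via the DOCKER-USER chain.
# Dry-run by default (prints the iptables commands); set APPLY=1 to run them.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# docker_user_rules EXT_IF ALLOWED_CIDR PORT...
# Only sources in ALLOWED_CIDR may reach the listed published ports through
# EXT_IF; everyone else is dropped even if the container was started with
# "-p PORT:PORT" on all addresses. The chain must end with RETURN so traffic
# not matched here falls through to Docker's own rules as before.
docker_user_rules() {
    ext_if="$1"; cidr="$2"; shift 2
    ipt -F DOCKER-USER    # Docker creates the chain; we own its contents
    for port in "$@"; do
        ipt -A DOCKER-USER -i "$ext_if" -p tcp -m conntrack \
            --ctorigdstport "$port" --ctdir ORIGINAL ! -s "$cidr" -j DROP
    done
    ipt -A DOCKER-USER -j RETURN
}

# Placeholder values: external interface, trusted LAN, and two published ports.
# The first line of defence is still to publish on loopback only, e.g.
# "docker run -p 127.0.0.1:8080:80 ...", so nothing reaches DOCKER-USER at all.
docker_user_rules eth0 192.168.1.0/24 8080 5432
```

Flushing DOCKER-USER and rebuilding it is deliberate: re-running the script after a container restart gives the same rule set instead of a growing pile of duplicates, and the trailing RETURN keeps Docker's behaviour for everything the script does not mention.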