A neat little trick I found when configuring UFW to protect you from yourself

So I was looking up some syntax the other night on configuring Ubuntu’s UFW (Uncomplicated Firewall) and stumbled across this little gem.

I was connected to a remote cloud server through SSH and was configuring the database server to only allow access from specific IP addresses. I had just finished typing a command to add a rule that would limit access on the database port to a specific IP I was testing. Right before I hit enter, the thought crossed my mind: wait, I’m connected remotely to this server. UFW was currently disabled, but would adding a rule enable it by default? If so, it would have killed my connection to the server and I would have effectively locked myself out of my own server.

BTW, UFW doesn’t enable itself if it’s disabled and you add a new rule to it. You have to run ufw enable to enable it:

 sudo ufw enable

This was definitely something that I felt warranted a double check, and I found the answer within 30 seconds, but it raised another question: what would you do if you did accidentally disable SSH access to your remote server? Would you have to kill the server instance? Would you have to delete the cloud server container and start a new one from scratch?

The 2 minutes I spent searching didn’t yield a black-and-white answer, but in that time I stumbled across a forum post where a user had done pretty much what I was afraid I had almost done. He effectively locked himself out of his server by disabling SSH.

I can’t recall what the outcome was, but one user posted this:

Howdy,
When I have to work on a remote firewall, I first set up a cron (at) job for 1 hour into the future, that will flush all iptables rules. Then, when the inevitable lock out occurs, I wait for the cron job to let me in again. Otherwise, if all went well, I stop the cron job when things are done and working right.

It brought a smile to my face because the user who posted the tip is clearly aware of the fact that sooner or later we all screw up, and taking action ahead of time to prevent the inevitable f*ck up is definitely a tip worth repeating.

I thought this was genius. It’s a way of protecting you from you. Knowing that you’ll inevitably mess something up, just create a cron job in the not too distant future to disable anything you have just changed or enabled.

In the case of UFW, using the CLI (either a physical terminal or an SSH connection), here’s what I did:

# create a one-line script that turns UFW back off
touch disable_ufw.sh
echo "sudo ufw disable" >> disable_ufw.sh
chmod ug+x disable_ufw.sh
# hand it to at(1) so it runs 10 minutes from now (needs atd running)
sudo at now + 10 minutes -f disable_ufw.sh

Boom. Now, before you lock yourself out somehow with a misconfigured firewall, take 10 seconds to type these 4 lines to give yourself a mini-script to undo your jacked-up configuration. Once you’ve confirmed a fresh SSH login still works, remove the job with atq and atrm, or the firewall will quietly switch off 10 minutes later.
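Here is a slightly fuller version of the same safety net, written as an added example rather than taken from the post or the forum thread. It assumes at/atd and ufw are installed, that it runs as root, and that the script and backup paths under /root are just the ones chosen for this example. It goes one step beyond the four lines above: "ufw disable" is only a true undo when UFW was inactive to begin with, so when UFW is already active the scheduled job restores a copy of /etc/ufw/user.rules and /etc/ufw/user6.rules and reloads instead of dropping the whole firewall. It also keeps the at job number so the timer can be cancelled once the change is verified.

```shell
#!/bin/sh
# Added example (not from the original post): schedule a UFW rollback with at(1)
# before changing rules over SSH, then cancel it once the new rules are confirmed.
# Assumes: at/atd and ufw are installed, and this runs as root.
# The two paths below are assumptions chosen for this example.
ROLLBACK_SCRIPT="${ROLLBACK_SCRIPT:-/root/ufw_rollback.sh}"
BACKUP_DIR="${BACKUP_DIR:-/root/ufw_backup}"

# Pick the rollback that actually restores the state you started from.
# $1 is the first line of `ufw status` ("Status: active" or "Status: inactive").
# If UFW was off, turning it off again is a full undo. If it was already on,
# disabling it would drop every rule you relied on, so restore the saved rule
# files and reload instead.
rollback_command() {
    case "$1" in
        "Status: inactive") printf '%s\n' "ufw disable" ;;
        "Status: active")   printf '%s\n' "cp $BACKUP_DIR/user.rules /etc/ufw/user.rules && cp $BACKUP_DIR/user6.rules /etc/ufw/user6.rules && ufw reload" ;;
        *) return 1 ;;
    esac
}

# Extract the job number from at's confirmation line, e.g.
# "job 7 at Tue Mar  5 10:30:00 2024", so the job can be removed with atrm later.
parse_at_job_id() {
    printf '%s\n' "$1" | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# Save the current rule files so the "active" rollback has something to restore.
backup_rules() {
    mkdir -p "$BACKUP_DIR"
    cp /etc/ufw/user.rules /etc/ufw/user6.rules "$BACKUP_DIR"/
}

# Write the rollback script and hand it to at. Prints the job id on success.
schedule_rollback() {
    minutes="${1:-10}"
    status_line=$(ufw status | head -n 1)
    cmd=$(rollback_command "$status_line") || {
        echo "unexpected ufw status: $status_line" >&2
        return 1
    }
    backup_rules
    printf '#!/bin/sh\n%s\n' "$cmd" > "$ROLLBACK_SCRIPT"
    # at reports "job N at <date>" on stderr; keep it to recover N
    out=$(at "now + ${minutes} minutes" -f "$ROLLBACK_SCRIPT" 2>&1)
    parse_at_job_id "$out"
}

# Once a fresh SSH login works with the new rules, drop the safety net.
cancel_rollback() {
    atrm "$1"
}

# Usage (as root):
#   job=$(schedule_rollback 10)                     # start the 10 minute timer
#   ufw allow from 203.0.113.10 to any port 5432    # example: trusted IP to the DB port
#   ufw enable
#   ...open a second SSH session to confirm you still get in...
#   cancel_rollback "$job"
```

The job id is the piece most people forget: without it you are left reading atq output by hand while the clock runs, and if you never cancel, the rollback fires and undoes rules you meant to keep.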

Good Luck,

-Brandon

PS: BTW, the forum post where I found this tip is at: https://ubuntuforums.org/showthread.php?t=2255572
