New Firewall - changed eth0 to External now poof locked out

I am using a FreePBX VPS by and I had been playing around with activating the Firewall a few days ago. Today when I logged in I saw that there was a warning about a new interface, but really there is only one of them. So I changed eth0 from Trusted to External and completely and totally locked myself out of the box. Thankfully there is a VNC to the box that I can access from my control panel, and I have been able to log in. Now that I am in, I am lost as to how to turn that Firewall off so I can resume my normal operating and get my services accessible again. Thank you for your time and support.

Since it’s a VNC in the data center, the eth0 is public facing, so you’re right that it is External, and if your IP or FQDN (DDNS is OK) isn’t whitelisted, you’ll get locked out, which is the case with most firewalls. Rob is en route from Australia to Astricon, so with intermittent access I’m not sure how quickly he’ll be able to reply.

As we’re getting feedback like this, though, he’s busy incorporating that feedback into better ease-of-use changes, so we’ll definitely discuss this one. If he hasn’t already added this to the ‘todo’ list, we’ll definitely look at detecting such changes in the context of the IP address you’re currently coming from when making the change, to see if there’s an option for us to automatically whitelist the IP you’re coming from if it would otherwise be part of the excluded zone, then informing you of that added rule and giving you the option at that time to keep the rule, or discard it if you prefer (and lock yourself out, if you have another way in and meant to do what you did).

I’m sure Rob will chime in when he gets some access and time along his travel.


Thank you for the reply! I was able to get the hosting company to drop the firewall temporarily so that I could once again regain access to the system. It would be a nice catch, though, to automatically detect a complete lockout. I look forward to Rob’s response.

I actually thought we had discussed this scenario and ways around addressing it, but, who knows, it sometimes all blurs :smile:

It’s been released, but it definitely continues to be a work in progress as we make improvements and take feedback from the user base to continue to improve on it, as was alluded to in the blog post. The lockout scenario is common with firewalls, and as such we will definitely address this situation. I’m sure Rob will be chiming in at some point, once he shakes off the fact that he’s probably spent the better part of the last 24 hours 5+ miles above this planet in a small tin can!

Here is a bit more on my particular situation…

I ended up removing the firewall by uninstalling it and was locked out again. So I rebooted the virtual machine, and now I cannot get the UCP daemon running.

If anyone has any information, I am all ears. That is a strange issue, and I am sure that it actually has nothing to do with the Firewall, but it presented at the same time, so food for thought…

A second reboot did solve the problem!! Note here that I waited an hour before performing the second reboot, and the UCP Daemon did not start during that time frame.

Hello all,
sorry for posting in this old topic, but I think it is much better than creating a new one with a similar query.
Well, I have a FreePBX box running with a public IP and did exactly the same, so my server is completely locked out. Luckily there is a person who can log in and perform the required actions for me. Could anybody advise how to reset the firewall or change the rule which prevents me from logging in? I am not so familiar with Linux, so a detailed explanation would be much appreciated.


I was able to fix it!!!

Reboot the machine twice in a row quickly; then the responsive firewall will be offline for several minutes, giving you time to whitelist yourself.

If you use a DDNS service (I highly suggest you use one if your server is hosted offsite or virtually), go in and add the host name to your whitelist. The server will actively check the IP, and when your IP gets changed by your ISP the whitelist entry will change too. You will be good to go from that point forward!
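The two recovery posts above, and the earlier suggestion of checking a firewall change against the address the admin is connecting from, both come down to one question: is the IP of the current admin session covered by the trusted list (plain IPs, CIDR ranges, or DDNS hostnames that must be resolved) before the interface is flipped to External? The following is an added example, not FreePBX or Sangoma code and not the project's whitelist format; it reads the client address that sshd exports in `SSH_CONNECTION`, expands a constructed whitelist, and refuses the change when the session would be locked out. The resolver is injected so the demo runs offline with a constructed lookup table; `socket.gethostbyname` is the default for real use.

```python
"""Pre-flight lockout check before tightening a host firewall.

Added example (not FreePBX code). sshd sets SSH_CONNECTION to
"client_ip client_port server_ip server_port"; we take the first field and
check it against a whitelist of IPs, CIDR ranges and DDNS hostnames.
"""
import ipaddress
import os
import socket


def client_ip_from_env(environ=None):
    """Return the IP the current SSH session came from, or None when the
    session is not SSH (e.g. a VNC/console login, which the firewall
    cannot lock out)."""
    environ = os.environ if environ is None else environ
    conn = environ.get("SSH_CONNECTION") or environ.get("SSH_CLIENT")
    if not conn:
        return None
    return conn.split()[0]


def expand_whitelist(entries, resolve=socket.gethostbyname):
    """Turn IPs/CIDRs/hostnames into ip_network objects.

    Hostnames that do not resolve are returned separately instead of being
    treated as a match: a dead DDNS name must not make the check pass.
    """
    nets, unresolved = [], []
    for entry in entries:
        try:                      # plain IP or CIDR range
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        try:                      # hostname: resolve, then treat as /32
            nets.append(ipaddress.ip_network(resolve(entry)))
        except (OSError, ValueError):
            unresolved.append(entry)
    return nets, unresolved


def source_is_whitelisted(client_ip, entries, resolve=socket.gethostbyname):
    """True if client_ip falls inside any whitelist entry."""
    nets, _ = expand_whitelist(entries, resolve)
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def preflight(entries, environ=None, resolve=socket.gethostbyname):
    """Decide whether flipping the interface to External is safe right now.

    Returns (ok, reason). ok is False when the current SSH session's source
    address is not whitelisted, i.e. applying the change would lock it out.
    """
    ip = client_ip_from_env(environ)
    if ip is None:
        return True, "not an SSH session; console access is unaffected"
    _, unresolved = expand_whitelist(entries, resolve)
    if source_is_whitelisted(ip, entries, resolve):
        return True, "session source %s is whitelisted" % ip
    note = " (unresolved entries: %s)" % ", ".join(unresolved) if unresolved else ""
    return False, "session source %s is NOT whitelisted; you would be locked out%s" % (ip, note)


# Constructed resolver standing in for DNS so the example runs offline.
_FAKE_DNS = {"pbx-admin.example.dyndns.org": "203.0.113.9"}


def fake_resolver(name):
    if name not in _FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % name)
    return _FAKE_DNS[name]


if __name__ == "__main__":
    # Constructed session: admin connected from a home IP that only the
    # DDNS hostname covers.
    env = {"SSH_CONNECTION": "203.0.113.9 51234 198.51.100.5 22"}
    print(preflight(["pbx-admin.example.dyndns.org", "10.0.0.0/8"], env, fake_resolver))
    # Same session after the ISP changed the home IP but DDNS has not caught up.
    env["SSH_CONNECTION"] = "203.0.113.42 51234 198.51.100.5 22"
    print(preflight(["pbx-admin.example.dyndns.org", "10.0.0.0/8"], env, fake_resolver))
```

Run it as the firewall change is about to be applied; a `False` result is the moment to add the current address (or a working DDNS name) to the trusted list first. The unresolved-hostname path matters in practice: a DDNS entry whose name no longer resolves silently stops protecting you, which is exactly the situation that produces a lockout after an ISP address change.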

You don’t need it now, but for anyone else reading, it’s all in the wiki:

May sound like a crazy idea, but would it be possible to make use of SSH identity certificates in this case? If SSH lets you log in because you have the identity certificate (i.e. a password would not be accepted), then the firewall could safely whitelist the host that tried this (or it could require both the certificate and the password). How to marry that into web access I dunno (maybe client certificates?), but surely you can figure something out :wink:

Using certificate-based SSH would work unless the firewall has already locked you out, or your IP changes and the new address isn’t in the whitelist.

The problem with setting up the outward facing interface as external (which IS totally what you should do) is that almost everything is locked out before you can hit a service, which means that your certificate will never get read.

To make this work reasonably seamlessly wouldn’t be too challenging (I’d think), but it would be really nice if something like that were set up in the base firewall install. In order to do that, a feature request would be needed. I don’t need this level of assistance in the firewall, or I’d submit the request myself; perhaps @el_es you could (Issues, at the top of the page header).