unclear if ufw can be enabled on remote servers before allowing ssh

Bug #1186600 reported by Bjoern Guenzel
Affects: Ubuntu Server Guide. Status: New. Importance: Undecided. Assigned to: Unassigned.

Bug Description

In the server guide chapter on Firewalls ( https://help.ubuntu.com/13.04/serverguide/firewall.html ) it says "first, ufw needs to be enabled". The second step is enabling ssh. However, since my server is remote and I can only access it via ssh, I am not sure if this is the correct way to proceed - what if ufw denies ssh, so I can not log in to the server anymore?

In the UncomplicatedFirewall wiki ( https://wiki.ubuntu.com/UncomplicatedFirewall ) they first execute sudo ufw allow ssh/tcp before executing sudo ufw enable.

Sorry, I cannot risk trying what happens if I enable ufw first. Maybe it is OK; however, I think it would warrant an extra comment in the guide that it is safe to do so. Or, if it isn't safe for remote administration, the order should be changed (first allow ssh, then enable ufw).

Doug Smythies (dsmythies) wrote :

Even if you are managing a computer remotely via ssh, you can do things in the order described in the serverguide.
Why? Because the ssh session you are using when you issue the "sudo ufw enable" command is an already established connection, and that path will be used to traverse the iptables rule set. You will not be able to make any new ssh connection until after the "sudo ufw allow ssh" command. In the extremely unlikely situation of somehow losing your ssh session between the enable and the allow ssh commands, then yes, you would be locked out from your remote computer.

However, yes it might be worth adding some specific note, particularly in view of this message:

doug@test-smy:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

which, in my opinion, is misleading.
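As an added example (not from the bug report, the commenter, or the server guide): a small guard that enforces the safer order from the UncomplicatedFirewall wiki by refusing to run "ufw enable" until an allow rule for ssh has been queued. It assumes "sudo ufw show added" lists the queued rules one per line in the form "ufw allow ssh/tcp"; the function names and the sample output are constructed for this example.

```shell
#!/bin/sh
# Guard for enabling ufw on a box you only reach over ssh.
# Rationale: an established ssh session survives "ufw enable", but any new
# session is refused until "ufw allow ssh" has been added. Queueing the
# allow rule first removes the window in which a dropped session locks you out.

# ssh_rule_present TEXT
# Returns 0 if TEXT (the output of "ufw show added") contains an allow rule
# for ssh: port 22, the service name "ssh", or the "OpenSSH" app profile,
# with or without a "/tcp" suffix. Rules written in the long
# "from ... to any port 22" form are deliberately not recognised.
ssh_rule_present() {
    printf '%s\n' "$1" |
        grep -Eq '^ufw allow ((22|ssh)(/tcp)?|OpenSSH)([[:space:]]|$)'
}

# safe_ufw_enable
# Enables ufw only when an ssh allow rule is already queued; otherwise
# explains what to run first and leaves the firewall untouched.
safe_ufw_enable() {
    added="$(sudo ufw show added 2>/dev/null)" || {
        echo "could not read queued rules (is ufw installed?)" >&2
        return 2
    }
    if ssh_rule_present "$added"; then
        # --force skips the "may disrupt existing ssh connections" prompt.
        sudo ufw --force enable
    else
        echo "refusing to enable ufw: no ssh allow rule queued." >&2
        echo "run 'sudo ufw allow ssh/tcp' first, then retry." >&2
        return 1
    fi
}
```

Run "safe_ufw_enable" instead of "sudo ufw enable" on remote hosts; the exit status tells you whether the firewall was actually enabled.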

no longer affects: serverguide/raring
no longer affects: serverguide/saucy