Minimize damage in case of problems during sshd and firewall setup


My typical playbook usually includes firewall and ssh configuration:

- hosts: api
    - sshd
    - apf

For sshd, simply copy the template with the desired port to /etc/ssh/sshd_config , where:

# What ports, IPs and protocols we listen for
Port {{ ssh_port }}

After that the installation of apf takes place, setting up /etc/apf-firewall/allow_hosts.rules and the main /etc/apf-firewall/conf.apf . As you understand in conf.apf :

IG_TCP_CPORTS="{{ ssh_port }}"

Prerequisite: Let's say we already have sshd and apf installed and the port for ssh is set to 22 .

When reconfiguring (for example, we want to change the port to 222 ), it may happen that something goes wrong between the sshd setup and the apf setup.

As a result, ssh will be on port 222 , but the old port 22 will be open in apf. As a result, you can no longer connect via ssh, you will have to reboot the machine in recovery mod and fix everything manually.

I gave this example because I myself encountered a similar one. But in many other tasks, if a problem occurs in the middle of the role execution, the system will end up in an inconsistent state.

How can such things be prevented or the damage minimized?


But what if you move gradually?

  1. apf – open port 222.

    If it breaks after this step, you will just have an extra open port 222.

  2. sshd – switch to port 222

    If it breaks here, then there will also be an extra open 22, but you can already log in to 222 via ssh.

  3. apf – close port 222

Scroll to Top