Minimize damage in case of problems during sshd and firewall setup

Question:

My typical playbook usually includes firewall and ssh configuration:

- hosts: api
  roles:
    - sshd
    - apf

For sshd, simply copy the template with the desired port to /etc/ssh/sshd_config, where:

# What ports, IPs and protocols we listen for
Port {{ ssh_port }}

After that, the installation of apf takes place, setting up /etc/apf-firewall/allow_hosts.rules and the main /etc/apf-firewall/conf.apf. As you understand, in conf.apf:

IG_TCP_CPORTS="{{ ssh_port }}"

Prerequisite: Let's say we already have sshd and apf installed and the port for ssh is set to 22.

When reconfiguring (for example, we want to change the port to 222), it may happen that something goes wrong between the sshd setup and the apf setup.

As a result, ssh will be on port 222, but the old port 22 will be open in apf. You can then no longer connect via ssh, and you will have to reboot the machine in recovery mode and fix everything manually.

I gave this example because I myself encountered a similar one. But in many other tasks, if a problem occurs in the middle of the role execution, the system will end up in an inconsistent state.

How can such things be prevented or the damage minimized?

Answer:

But what if you move gradually?

  1. apf – open port 222.

    If it breaks after this step, you will just have an extra open port 222.

  2. sshd – switch to port 222

    If it breaks here, then there will also be an extra open 22, but you can already log in to 222 via ssh.

  3. apf – close port 222
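
The staged order from the answer written as one Ansible play, added here as an example and not taken from the asker's roles. It reads the last step as removing the old port 22 from apf once the new port is confirmed reachable; `old_ssh_port`, `new_ssh_port`, the template name `sshd_config.j2` and the service name `ssh` are assumptions.

```yaml
# Added example. Assumed names: old_ssh_port, new_ssh_port, sshd_config.j2,
# service "ssh" (Debian; "sshd" elsewhere). Edits conf.apf in place for brevity.
- hosts: api
  become: true
  vars:
    old_ssh_port: 22
    new_ssh_port: 222
  tasks:
    - name: Step 1 - allow both the old and the new port in apf
      ansible.builtin.lineinfile:
        path: /etc/apf-firewall/conf.apf
        regexp: '^IG_TCP_CPORTS='
        line: 'IG_TCP_CPORTS="{{ old_ssh_port }},{{ new_ssh_port }}"'
    - name: Reload apf with both ports open
      ansible.builtin.command: apf -r

    - name: Step 2 - move sshd to the new port (file is rejected if sshd -t fails)
      ansible.builtin.template:
        src: sshd_config.j2
        dest: /etc/ssh/sshd_config
        validate: /usr/sbin/sshd -t -f %s
      vars:
        ssh_port: "{{ new_ssh_port }}"
    - name: Restart sshd (the already established session stays up)
      ansible.builtin.service:
        name: ssh
        state: restarted
    - name: Check from the control node that the new port answers as SSH
      ansible.builtin.wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ new_ssh_port }}"
        search_regex: OpenSSH
        timeout: 30
      delegate_to: localhost
      become: false
    - name: Use the new port for every following task
      ansible.builtin.set_fact:
        ansible_port: "{{ new_ssh_port }}"

    - name: Step 3 - drop the old port only after the checks above passed
      ansible.builtin.lineinfile:
        path: /etc/apf-firewall/conf.apf
        regexp: '^IG_TCP_CPORTS='
        line: 'IG_TCP_CPORTS="{{ new_ssh_port }}"'
    - name: Reload apf with only the new port open
      ansible.builtin.command: apf -r
```

If any task fails, the play stops for that host with the firewall still allowing whichever port sshd is listening on, so the host stays reachable at every step.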
