
ufw deny

Open mdc-git opened this issue 3 years ago • 4 comments

Might be me, but as far as I can tell the DENY rules introduced with update-config.sh are never cleaned up. With Hetzner giving you the same exact external IP on some machines if you delete and recreate a cluster quickly you might run into issues.

In my case I couldn't install an app from an external repo.

There was a DENY entry but I don't recall which machine. Wiped the rules, reapplied the initial version of the rules from setup.sh and ran update-config.sh again and everything was fine.

To finally solve the issue for me I changed deny to delete allow which should accomplish the same job as the default INPUT policy is DROP according to iptables -L

I also chose to use the private network and only whitelisted 127.0.0.1 which seems to work ok by now.

# Original: add an explicit DENY rule for every node that disappeared
for IP in "${REMOVED[@]}"; do
  ufw deny from "$IP"
done

changed to

# Changed: drop the ALLOW rule instead, so the default DROP policy applies
for IP in "${REMOVED[@]}"; do
  ufw delete allow from "$IP"
done

This should remove the previously whitelisted entries. No?

mdc-git, Mar 02 '21 21:03
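To make the "delete allow instead of deny" approach from the post above concrete, here is an added example (not the project's own update-config.sh) that reconciles the ufw allow-list against the current node IPs: stale nodes lose their ALLOW rule and new nodes gain one, so a reused Hetzner IP never hits a leftover DENY. It assumes node IPs arrive as newline-separated lists (PREVIOUS_IPS and CURRENT_IPS are constructed sample data) and that setting UFW_CMD=echo turns the script into a dry run.

```shell
#!/bin/sh
# Added example, not part of hetzner-cloud-init. Reconciles ufw rules by
# deleting ALLOW entries for removed nodes rather than adding DENY entries.

# Constructed sample data: node 10.0.0.2 was deleted, node 10.0.0.4 was added.
PREVIOUS_IPS="10.0.0.1
10.0.0.2
10.0.0.3"
CURRENT_IPS="10.0.0.1
10.0.0.3
10.0.0.4"

# Print each non-empty line of $1 that does not appear as a line of $2.
set_diff() {
  printf '%s\n' "$1" | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if ! printf '%s\n' "$2" | grep -qxF -- "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# Emit the ufw commands that move the firewall from the previous node list
# to the current one. UFW_CMD (assumed variable) defaults to ufw; set it to
# "echo" to print the commands instead of applying them.
reconcile_rules() {
  previous="$1"
  current="$2"
  cmd="${UFW_CMD:-ufw}"
  # Removed nodes: drop the ALLOW rule; the default INPUT policy (DROP) then
  # covers them, and no DENY entry is left to block a reused IP later.
  set_diff "$previous" "$current" | while IFS= read -r ip; do
    "$cmd" delete allow from "$ip"
  done
  # Added nodes: whitelist them.
  set_diff "$current" "$previous" | while IFS= read -r ip; do
    "$cmd" allow from "$ip"
  done
}

# Without the "apply" argument this only prints what would change.
if [ "${1:-dry-run}" = "apply" ]; then
  reconcile_rules "$PREVIOUS_IPS" "$CURRENT_IPS"
else
  UFW_CMD=echo reconcile_rules "$PREVIOUS_IPS" "$CURRENT_IPS"
fi
```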

Hi! Even if an IP gets denied after deleting a server, it will be allowed again once the server with that IP is back in the project. It seemed to work during my testing. Not sure why it's not working as expected for you. Weird

vitobotta, Mar 02 '21 21:03

Might be timing. I was provisioning in very rapid succession over different datacenters.

mdc-git, Mar 02 '21 21:03

Yeah, it's possible :)

vitobotta, Mar 02 '21 22:03

But nevertheless just removing the old rules makes more sense than getting a big list of denies.

tboerger, Oct 08 '22 12:10