Webmin>Networking>Linux Firewall allows adding rule to "Drop Always"

Currently, Webmin>Networking>Linux Firewall allows the (accidental) adding of a 'Drop' rule with no additional parameters set, which results in a "Drop Always" if the new configuration is then applied, which immediately kills ALL network access until the iptables get fixed via console mode. This exact situation happened to me yesterday; thank goodness I'm now on virtual machines with virtual console access - if it had been dedicated hardware at a colo, I'd have been dead in the water until someone could get physical access to that hardware. As there's surely no reason to ever want to actually have a 'Drop Always' rule, wouldn't it be possible for you to prevent such a rule from getting applied?

Status: Closed (fixed)

Comments

Adding a "drop always" rule is valid though, if added after rules that accept packets.

I don't think it makes sense for Virtualmin to deny this kind of rule - a better option may be to add some kind of confirmation step to ensure that the user hasn't accidentally locked himself out.

Submitted by SoftwareLibrarian on Sun, 03/31/2013 - 12:45 (Pro Licensee)

Ok, right, that could indeed be valid, except in the first position :)

Let me explain my circumstance a bit more, just for context: I've been adding the IP addresses of known botnets, as my servers, most of which have WordPress sites on them, are getting hammered with faked login attacks. There are other mitigation mechanisms, but for known botnets, direct IP filtering seems to make sense. So I've got a slew of single-IP rules at the top of my list, and I managed to accidentally add an empty Drop in the middle of those the other day, resulting in the complete lockout.

Just getting an "Are you sure you want to add this "Drop Always" rule?" confirmation request would have certainly protected me from myself. I encourage you to add something like that to protect the next poor clod...

Although a confirmation would be possible, I think something better would be a re-check that the system is still accessible, sort of like what you get in Windows after changing the display resolution. If the user doesn't click it in 15 seconds, the firewall rules are reverted. That would catch all possible misconfigurations.
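The two safeguards discussed in this thread, the "Drop Always" warning from the original report and the confirm-or-revert step proposed above, as an added example that is not Webmin's or Virtualmin's own code. It assumes iptables-save/iptables-restore file format, a hypothetical confirmation marker file (/run/fw-confirm) and a hypothetical backup path (/run/fw-backup.rules); all of these are variables so the logic can be exercised without root.

```shell
#!/bin/sh
# Warn about unconditional "-j DROP" rules (a "Drop Always"), then load the
# ruleset and revert to the previous one unless the admin confirms in time.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"        # word-split on purpose
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
TIMEOUT="${TIMEOUT:-15}"                               # seconds to wait
CONFIRM_FILE="${CONFIRM_FILE:-/run/fw-confirm}"        # hypothetical marker path
BACKUP="${BACKUP:-/run/fw-backup.rules}"               # hypothetical backup path

# List "-A CHAIN -j DROP" rules that carry no match option, with their position
# in the chain. Returns 1 if any exist (caller should ask for confirmation).
warn_drop_always() {
    found=$(awk '/^-A / { n[$2]++
        if ($0 ~ /^-A [^ ]+ -j DROP[ \t]*$/)
            printf "%s rule %d: %s\n", $2, n[$2], $0 }' "$1")
    [ -z "$found" ] && return 0
    printf 'WARNING: unconditional DROP rule(s):\n%s\n' "$found" >&2
    return 1
}

# Save the live rules, load the new file, then wait for $CONFIRM_FILE to be
# created from a still-working session. No confirmation => restore the backup.
# Returns 0 if confirmed, 1 if reverted, 2 on save/restore failure.
apply_with_rollback() {
    $IPTABLES_SAVE > "$BACKUP" || return 2
    rm -f "$CONFIRM_FILE"
    $IPTABLES_RESTORE < "$1" || { $IPTABLES_RESTORE < "$BACKUP"; return 2; }
    waited=0
    while [ "$waited" -lt "$TIMEOUT" ]; do
        if [ -e "$CONFIRM_FILE" ]; then rm -f "$BACKUP"; return 0; fi
        sleep 1
        waited=$((waited + 1))
    done
    $IPTABLES_RESTORE < "$BACKUP"          # assume we locked ourselves out
    return 1
}

# Usage: sh fw-apply.sh new.rules ; then run `touch /run/fw-confirm` from a
# session that still works before the timeout expires.
if [ "$#" -eq 1 ]; then
    if ! warn_drop_always "$1"; then
        printf 'Apply anyway? [y/N] ' >&2
        read -r ans
        [ "$ans" = y ] || exit 1
    fi
    apply_with_rollback "$1"
fi
```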

Submitted by SoftwareLibrarian on Sun, 03/31/2013 - 13:30 (Pro Licensee)

You're the man, Jamie! (sorry, got my IT start in the 60s...)

Whatever you think will do the trick is more than fine with me! I like features that help me avoid accidental idiocy. If I had pulled this stunt on my old Dell server sitting in another company's cage in a WA colo, I'd have been dead in the water for many hours or days, and probably lost my business.

I'm thrilled to now have four virtual machines in three separate data centers, all managed with Virtualmin licenses. Yay! Virtual console access happened to save my buns this time.

The support you guys provide is just fantastic. Thanks again!