Common firewall mistakes

Topic: Networking basics

Summary

Avoid locking yourself out, allowing too much, or misordering rules: allow SSH (or your admin port) before enabling the firewall or setting default deny; do not allow 0.0.0.0/0 to all ports; list the allow before any broad deny for the same traffic; accept established/related so replies to your own outbound connections get back in. Use this as a checklist so you do not repeat these errors when configuring host or network firewalls.

Intent: How-to

Quick answer

  • Lockout: enabling the firewall or setting default deny before an allow for SSH (or your admin port) exists. Fix: add the SSH allow first; keep the current session open and confirm a second, fresh login works; have console or out-of-band access, or a timed automatic revert, the first time you enable.
  • Over-permissive: allowing everything from 0.0.0.0/0 to all ports, or leaving the inbound default at accept so every port not explicitly denied is open. Fix: default deny inbound; allow only the ports you need, restricted by source where possible (the admin port especially).
  • Wrong order: a broad deny/drop rule listed before the allow for the same traffic, so the allow is never reached. Fix: put the established,related accept and the SSH/service allows before any broad deny; list the rules with their order and verify which one matches. The default policy itself is applied only after no rule has matched, so ordering problems come from explicit deny rules, not from the policy.

Prerequisites

  • Root (or sudo) on the host and a host firewall to manage (ufw or nftables are used in the examples).
  • A second way in: console or out-of-band access, used the first time you enable or change default policies.
Steps

  1. Avoid lockout

    Always allow SSH (or the port you use for admin) before enabling the firewall or setting default deny. Keep the session you are working in open, start a second SSH session, and only close the first once the second login has succeeded. Have console or out-of-band access the first time you enable; if you have neither, schedule a timed revert (restore the previous ruleset or disable the firewall after a few minutes) and cancel it only after the new login works.

  2. Avoid over-permissive rules

    Do not allow 0.0.0.0/0 to all ports, and do not leave the inbound default policy at accept. Use default deny inbound and allow only the ports (and, where possible, the sources) you need. Also accept loopback and established/related traffic, otherwise replies to the host's own outbound connections (DNS, package updates) are dropped.

  3. Avoid wrong rule order

    Rules are evaluated top to bottom and the first rule that gives a verdict (accept, drop, reject) wins; the chain's default policy applies only when no rule matched. If a broad deny or drop rule sits above the allow for the same traffic, the allow is never reached. Put the established,related accept and the allows for SSH and other required ports before any broad deny, and keep deny rules as narrow as possible.

  4. Document and verify

    Document which ports and sources are allowed and why. After changes, list the live rules in order (ufw status numbered, nft -a list ruleset) and test from a client: the allowed ports must answer and everything else must be closed. For nftables, check a ruleset file with nft -c -f FILE before loading it. Add this verification to your runbook or checklist.
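
The four steps above as one script, added here as an example (it is not part of the original page): it writes an nftables ruleset that follows the checklist, lints a ruleset for the three mistakes (no admin-port accept, no default drop or a catch-all accept, allows listed after a catch-all drop), and applies the file with a timed rollback so a mistake cannot lock you out for longer than the timeout. Assumptions: nftables is the host firewall, 203.0.113.0/24 stands in for your admin network (an RFC 5737 documentation range), and the ports and file paths are illustrative. The linter expects the spelling that nft list ruleset prints (for example ct state established,related accept).

```shell
#!/bin/sh
# Added example, not from the original page. Assumes nftables; 203.0.113.0/24,
# the ports and the temp paths are placeholders.
set -u

# write_ruleset FILE ADMIN_PORT ADMIN_CIDR "SERVICE_PORTS"
# Loopback, established/related and the admin-port accept come first; the chain
# policy (drop) applies only when no rule matched. "flush ruleset" at the top
# makes `nft -f FILE` replace the old rules atomically, so there is no moment
# with policy drop and no allows.
write_ruleset() {
  cat > "$1" <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    ip saddr $3 tcp dport $2 accept
    tcp dport { $4 } accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# lint_ruleset FILE ADMIN_PORT
# Prints one line per finding in the input chain; returns 0 when clean. Works
# on a file you are about to load or on the output of `nft list ruleset`.
lint_ruleset() {
  awk -v port="$2" '
    /chain input/          { inchain = 1; next }
    inchain && /^[ \t]*}/  { inchain = 0; next }
    !inchain               { next }
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == ""             { next }
    line ~ /^type /        { if (line ~ /policy drop/) policy_drop = 1; next }
    { n++                                       # rule position within the chain
      gsub(/counter( packets [0-9]+ bytes [0-9]+)? ?/, "", line)
      gsub(/log prefix "[^"]*" ?/, "", line) }
    line == "accept"                                  { open_accept = n }
    (line == "drop" || line == "reject") && !catchall { catchall = n }
    line ~ /ct state established,related accept$/ && !est { est = n }
    line ~ ("tcp dport (" port "|[{][^}]*[ {]" port "[ ,}])([^0-9]|$)") && line ~ /accept$/ && !admin { admin = n }
    END {
      bad = 0
      if (!policy_drop) { print "over-permissive: input chain policy is not drop"; bad = 1 }
      if (open_accept)  { print "over-permissive: catch-all accept at rule " open_accept; bad = 1 }
      if (!admin)       { print "lockout: no accept for admin port " port; bad = 1 }
      if (!est)         { print "wrong order: no established,related accept (return traffic dropped)"; bad = 1 }
      if (catchall && admin && admin > catchall) { print "wrong order: admin accept (rule " admin ") after catch-all drop (rule " catchall ")"; bad = 1 }
      if (catchall && est && est > catchall)     { print "wrong order: established,related accept (rule " est ") after catch-all drop (rule " catchall ")"; bad = 1 }
      exit bad
    }' "$1"
}

# apply_with_rollback FILE SECONDS   (needs root and nft)
# Saves the live ruleset, dry-run checks and loads FILE, then schedules a
# revert. Open a second SSH session; if it works, kill the printed PID.
# If you are locked out, the revert fires on its own.
apply_with_rollback() {
  rollback=$(mktemp /tmp/nft-rollback.XXXXXX) || return 1
  { printf 'flush ruleset\n'; nft list ruleset; } > "$rollback" || return 1
  nft -c -f "$1" || return 1     # syntax/semantic check only, nothing loaded
  nft -f "$1" || return 1
  nohup sh -c "sleep $2; nft -f '$rollback'" >/dev/null 2>&1 &
  echo "revert to $rollback in $2 s (pid $!); kill $! once a new login works"
}

case "${1:-}" in
  apply) f=$(mktemp) && write_ruleset "$f" 22 203.0.113.0/24 "80, 443" \
           && lint_ruleset "$f" 22 && apply_with_rollback "$f" 180 ;;
  lint)  lint_ruleset "${2:-/dev/stdin}" "${3:-22}" ;;
  *)     f=$(mktemp) && write_ruleset "$f" 22 203.0.113.0/24 "80, 443"
         cat "$f"; lint_ruleset "$f" 22 && echo "ruleset passes all checks"
         rm -f "$f" ;;
esac
```

Run it with no arguments to print and lint the generated ruleset, with apply (as root) to load it with a three-minute rollback, or pipe the live rules through it to audit an existing host: nft list ruleset | sh fw-checklist.sh lint /dev/stdin 22.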

Verification

  • A fresh SSH session succeeds with the firewall enabled, so you have not locked yourself out.
  • The listed rules (ufw status numbered, nft -a list ruleset) allow only the intended ports and sources, with default deny inbound; a scan from a client shows nothing else open.
  • The established,related accept and the SSH/service allows come before any broad deny, and a test connection to each allowed port from a client succeeds.
  • The allowed ports, sources and reasons are documented, and the verification steps are in the runbook.

Troubleshooting

Already locked out — Use console or out-of-band access; add an allow for SSH and reload (ufw allow 22/tcp, or for nftables insert the accept rule or reload a corrected file with nft -f), or disable the firewall temporarily (ufw disable, or nft flush ruleset, which removes every rule), fix the rules, then re-enable. If you set up a timed revert before the change, wait for it to fire.

Unclear order — List the rules in order (ufw status numbered, nft -a list ruleset, which also prints rule handles) and trace, for a given port and source, which rule gives the first verdict; move or narrow rules until the intended allow is reached first.

Next steps

Continue to