From 114737399a5775d95c7eeb659e5972d33c290c58 Mon Sep 17 00:00:00 2001 From: Storm Dragon Date: Thu, 16 Apr 2026 15:51:53 -0400 Subject: [PATCH] docs: tighten firewall ssh safety requirements --- .../2026-04-16-server-firewall-cleanup-design.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md b/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md index 486af06..7f56095 100644 --- a/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md +++ b/docs/superpowers/specs/2026-04-16-server-firewall-cleanup-design.md 
@@ -48,12 +48,23 @@ The firewall submenu is intentionally narrow and dialog-driven. It will provide: Behavior details: - `Install ufw` installs the package only if it is not already present. -- `Enable firewall` runs `ufw enable`. +- `Enable firewall` first ensures the active SSH port is explicitly allowed before enabling `ufw`. - `Disable firewall` runs `ufw disable`. -- `Allow SSH` allows the current OpenSSH port if detectable from `sshd_config` or `sshd_config.d`; otherwise it falls back to port `22/tcp`. +- `Allow SSH` allows the current SSH port based on the server conversion drop-in file if available. If the port cannot be determined confidently, the user is prompted to enter it manually. If the port still cannot be confirmed, the action is cancelled without changing firewall rules. - `Open custom port` prompts for either a bare port such as `80` or an explicit `port/protocol` string such as `443/tcp` and validates the input before calling `ufw allow`. - `View status` shows `ufw status verbose` in a dialog-friendly text view. +## SSH Port Safety + +Preventing SSH lockout takes priority over convenience. + +- The primary source of truth for the SSH port is `/etc/ssh/sshd_config.d/99-stormux-server.conf`, which is written by the earlier server conversion step. +- Firewall actions that could affect remote access must check that file first and extract the configured `Port` value when present. +- If the port file is missing, unreadable, malformed, or otherwise ambiguous, the script must not guess. It should prompt the user to enter the SSH port explicitly. +- If the user cancels the prompt or enters an invalid value, the script must cancel the firewall-enabling action rather than continue. +- `Enable firewall` should allow the resolved SSH port before running `systemctl enable --now ufw` or `ufw enable`. +- `Allow SSH` should reuse the same resolution logic so behavior is consistent. + ## File Boundaries - `configure-server.sh` 
@@ -76,6 +87,7 @@ Obsolete include files that are no longer referenced by the top-level server lau ## Error Handling - Missing `ufw` will be reported clearly for actions that require it, with `Install ufw` available as the explicit fix path. +- If the SSH port cannot be confirmed, `Enable firewall` must abort with a clear message rather than risk locking the user out. - Invalid custom port input will show a message and return to the firewall menu without applying a rule. - Commands that require privilege will continue using the existing `sudoFlags` handling.
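Review bot: in the first hunk (@@ -48,12 +48,23 @@), the SSH Port Safety section makes `/etc/ssh/sshd_config.d/99-stormux-server.conf` the source of truth but does not say what to do when that file's `Port` is not what sshd actually listens on: the drop-in is only read if `/etc/ssh/sshd_config` carries an `Include` for `sshd_config.d`, and `Port` is additive, so the daemon may also be listening on ports set in the main file or in other drop-ins, and the 99- file itself may contain more than one `Port` line. Suggest adding a bullet after "Firewall actions that could affect remote access must check that file first..." that the value read from the file is confirmed against the effective configuration (for example `sshd -T`, which prints the `port` lines sshd will use), that multiple `Port` lines in the file are either all allowed or treated as "ambiguous" and routed to the prompt, and that a manually entered port is validated as an integer in 1-65535 before `ufw allow <port>/tcp`. The `Enable firewall` bullet should also note that a plain `ufw enable` asks on the terminal whether to proceed when it detects an SSH session, which a dialog-driven flow needs to handle rather than leave hanging.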
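Review bot: the new Error Handling bullet in the second hunk (@@ -76,6 +87,7 @@) names only `Enable firewall`, while the SSH Port Safety section added in the same patch says `Allow SSH` reuses the same resolution logic and is cancelled when the port cannot be confirmed; suggest "`Enable firewall` and `Allow SSH` must abort with a clear message rather than risk locking the user out" so the two sections agree. The message should also state which source was checked (the `99-stormux-server.conf` path) and that no firewall rule was changed, so the user knows what to fix before retrying.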