I searched the forum, but all I could find in response to "I locked myself out of my NAS with QuFirewall" were variations on "time for a paperclip reset, then".
I got lucky tonight, so I figured I'd post my experience in the hope that it might help someone else.
TL;DR: open an SSH session to the NAS before messing about with QuFirewall.
I'm new to QNAP and QTS, and I'm currently finding my way around my shiny new TS-251D. I thought I'd use QuFirewall to lock down inbound management access to devices in one subnet, and hamfistedly set the permit rule's source to x.x.x.0/32 instead of x.x.x.0/24, and didn't notice.
All of a sudden, the QTS web interface wouldn't play nice. Gee, I wonder why...
Here's where I got lucky: I happened to have an SSH session already open to the NAS, and QuFirewall didn't dump that existing session when I flicked the switch to lock myself out. Searching the filesystem revealed the existence of .qpkg/qufirewall/QuFirewall.sh and /etc/config/QuFirewall.conf.
I edited QuFirewall.conf to change the line firewall_status = 1 to firewall_status = 0, then issued QuFirewall.sh stop followed by QuFirewall.sh start. That saved my bacon.
However, I realise that I was lucky. If I hadn't had that SSH session already open, it would have been time for a paperclip reset for me, too.
So, my experience is, if contemplating any modifications to QuFirewall, open an SSH session first. It's a safety net against hamfistedness.
Locked myself out of my NAS and recovered without a reset
Re: Locked myself out of my NAS and recovered without a reset
Thank you for this post. It really helped me out today! I didn't have an open SSH connection, but I was able to connect a monitor through HDMI and a keyboard through USB to get access to the shell and disable the firewall.
The stupid QNAP message said to first deny everybody and second allow yourself. Please never ever do that! First allow yourself on top and deny everybody on the last rule.
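A pre-flight check for the two mistakes described in this thread (a /32 where a /24 was meant, and a deny rule placed above the allow), as an added example that is not from either poster or from QNAP. The "action CIDR" rule list, the addresses and the top-down, first-match evaluation are assumptions for illustration; this is not QuFirewall's own config format.

```shell
#!/bin/sh
# Added example. Rule format ("action CIDR" per line) and addresses are
# constructed for illustration; assumed evaluation: top-down, first match wins.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if IP ($1) falls inside CIDR ($2); a bare address counts as /32.
ip_in_cidr() {
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Read rules on stdin; print the action of the first rule matching IP ($1).
first_match() {
    while read -r action cidr; do
        case $action in ''|'#'*) continue ;; esac
        if ip_in_cidr "$1" "$cidr"; then echo "$action"; return 0; fi
    done
    echo "no-match"
}

# Return 0 only if the admin client ($1) is still allowed by rule list ($2).
safe_to_apply() {
    [ "$(printf '%s\n' "$2" | first_match "$1")" = "allow" ]
}

# Constructed rule sets: the /32 typo, the intended /24, and deny-before-allow.
BROKEN_RULES='allow 192.168.10.0/32
deny 0.0.0.0/0'
FIXED_RULES='allow 192.168.10.0/24
deny 0.0.0.0/0'
DENY_FIRST_RULES='deny 0.0.0.0/0
allow 192.168.10.0/24'

ADMIN_IP=192.168.10.25   # constructed: the machine you manage the NAS from
safe_to_apply "$ADMIN_IP" "$BROKEN_RULES" && echo "/32 typo: ok" || echo "/32 typo: would lock you out"
safe_to_apply "$ADMIN_IP" "$FIXED_RULES" && echo "/24 rule: ok" || echo "/24 rule: would lock you out"
safe_to_apply "$ADMIN_IP" "$DENY_FIRST_RULES" && echo "deny first: ok" || echo "deny first: would lock you out"
```

Run a check like this against the address you actually manage the NAS from before enabling the rule set; only a result of "ok" means that address still reaches an allow rule before any deny.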