When working with firewalls such as firewalld, the unexpected can happen and you can be locked out of your VPS.
Many VPS providers offer a rescue mode that lets you get access back to your disk.
This how-to shows you how to disable your firewall, but you can use it to perform any other maintenance operation.
To reboot your VPS in rescue mode, go to the administration website of your VPS provider. It should offer an action to reboot your VPS in rescue mode.
The rescue mode is just:
You then get access to your files and disk. You can perform administrative tasks such as:
They should send you, via email or via their dashboard, the root user and password credentials of the new virtual machine created.
Once you have logged in to your machine, the prompt should indicate that it is in rescue mode.
[RESCUE] root@vps-427a1b7c:/ $
You can list the disk partitions with the lsblk command.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2.5G 0 disk
└─sda1 8:1 0 2.5G 0 part /
sdb 8:16 0 80G 0 disk
└─sdb1 8:17 0 80G 0 part
The above output shows two disk devices:
In a non-rescue mode, you would see only your disk.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 80G 0 disk
└─sda1 8:1 0 80G 0 part /
To get access to the data on your disk, you need to mount it.
# /mnt may already exist; -p avoids an error in that case
mkdir -p /mnt
mount /dev/sdb1 /mnt
chroot /mnt
At this stage, you have access to your disk and you can search for files or for text inside files:
find . -name myfile.myextension
grep -rnw . -e 'how to disable ?'
A service is just a symbolic link in a directory that points to a file:
To disable a service, you just:
For systemd, the location of this service link is /etc/systemd/system/.
For instance, to disable (mask) firewalld, you would create the symlink with the following command:
ln -s /dev/null /etc/systemd/system/firewalld.service
You could also just check and modify the configuration of your firewall. For firewalld, the configuration is stored in zone files located at:
/etc/firewalld/zones
There is also a backup of each zone file with an old suffix. For instance, for the public zone:
/etc/firewalld/zones/public.xml.old
Below is an example of a bad public zone configuration that got messed up by firewall-cmd because the ipset nl was deleted before the rule that references it.
<?xml version="1.0" encoding="utf-8"?>
<zone>
<rule family="ipv4">
<source ipset="nl" invert="True"/>
<service name="ssh"/>
<drop/>
</rule>
</zone>
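A check for this failure mode, as an added example that is not part of the original how-to: the shell function below lists every ipset that a zone file references without a matching definition file. It assumes definitions live in etc/firewalld/ipsets or usr/lib/firewalld/ipsets under the given root; the function names, the sample tree and the office ipset are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ipset names that firewalld zone files reference but
# that have no definition file. ROOT is / inside the chroot, or /mnt from the
# rescue system without chroot.
missing_ipsets() {
    root="${1:-/}"
    for zone in "$root"/etc/firewalld/zones/*.xml; do
        [ -f "$zone" ] || continue
        # Pull every ipset="..." attribute value out of the zone file.
        grep -o 'ipset="[^"]*"' "$zone" | sed 's/^ipset="//; s/"$//' | sort -u |
        while read -r name; do
            # firewalld reads ipset definitions from both directories.
            [ -f "$root/etc/firewalld/ipsets/$name.xml" ] && continue
            [ -f "$root/usr/lib/firewalld/ipsets/$name.xml" ] && continue
            printf '%s: ipset "%s" is not defined\n' "${zone##*/}" "$name"
        done
    done
}

# Constructed sample tree: the broken public zone from this page plus one
# zone whose ipset ("office", a made-up name) does have a definition file.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/firewalld/zones" "$dir/etc/firewalld/ipsets"
    cat > "$dir/etc/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source ipset="nl" invert="True"/>
    <service name="ssh"/>
    <drop/>
  </rule>
</zone>
EOF
    cat > "$dir/etc/firewalld/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <source ipset="office"/>
</zone>
EOF
    # Minimal placeholder definition; only the file's existence is checked.
    echo '<ipset type="hash:net"/>' > "$dir/etc/firewalld/ipsets/office.xml"
    echo "$dir"
}

sample=$(make_sample_root)
missing_ipsets "$sample"
rm -rf "$sample"
```

On a real system, call missing_ipsets / inside the chroot, or missing_ipsets /mnt from the rescue shell before the chroot.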
The reboot should happen in the dashboard of your VPS provider because it needs to recreate a VPS with your disk.
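Correct your configuration and unmask your service.
Example:
# unmask removes the /dev/null symlink, then the service can be started
systemctl unmask firewalld
systemctl start firewalld
# Manual equivalent of unmask, only needed if the symlink is still there
unlink /etc/systemd/system/firewalld.service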