URGENT: Lost All Access to IPFire Firewall – No SSH/HTTP/Console – Need Help Identifying and Recovering

Hi everyone,

I’m in a critical situation and urgently need help recovering access to an IPFire firewall that’s no longer responding.

System Details

  • IPFire Version: 2.29 (x86_64) - Core-Update 183
  • Hardware: Fanless appliance from Sylbek
  • Environment: 3 identical firewall boxes in the server room
  • No config backup available

Current Issue

We cannot access the firewall anymore via:

  • HTTP / HTTPS (Web UI)
  • SSH / SCP / SFTP

Also:

  • No screen output on VGA or HDMI when connected (2 of the 3 boxes)
  • No way to confirm which of the 3 identical boxes is the affected one

Recent Changes Before Lockout

  • WebGUI IP of the firewall 192.168.203.251:444
  • Added a DNAT rule: From: 192.168.203.0/24, To: 192.168.1.1

Immediately after applying the rule, the firewall became unresponsive.


Additional Info

  • One of the boxes has screen output and is confirmed to be 192.168.203.254 (not the one we’re looking for)
  • The remaining two boxes have no screen output at all, even after switching cables and monitors
  • The network environment itself seems stable and up

Request for Help

  • How can we safely identify the correct box without a display or network access?
  • Is there a non-destructive way to reboot or recover access without bricking the setup further?
  • Any ideas on blind recovery, console access, or USB rescue options?
  • Suggestions for safe next steps (e.g., pulling power, checking logs if we manage to boot with another disk, etc.)

We are in a live environment. Any help or insight would be greatly appreciated.

Thanks in advance,

Welcome to the community!

If a system isn’t reachable through WebGUI or SSH after some network/firewall configs, the only access method is through the system console. This is the interface that is used to install IPFire.

Using this interface you can try to edit the firewall settings stored in /var/ipfire/firewall/config. There you can find the DNAT rule. Delete it and do /usr/local/bin/firewallctrl restart.

To locate the unresponsive device you should know its IP. The assignment of IPs to physical devices is known, I suppose.

1 Like

Hi Bernhard!

Thank you very much for your response! Do you have any suggestions on how to resolve the black screen issue via the system console? Pressing the space key did not help. The same monitor works on the other firewall.

Reboot resolved the issue regarding black console screen.

If you can boot your machine with a LiveCD (Antix, Ubuntu, etc.),
mount the /dev/sda4 partition and edit the /var/ipfire/firewall/config file as @bbitsch suggested
(remove the first ON on the line of the broken rule).
Restart IPFire.

The other thing that may work if you have console access is Elinks. www.ipfire.org - elinks

1 Like
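The two answers above both come down to the same manual step: open /var/ipfire/firewall/config from the console or a rescue boot, find the broken rule, and either delete the line or flip its first ON to OFF, then restart the firewall. The script below is an added example (not code from this thread or from the IPFire project) that does the flip non-destructively and keeps a backup, so the rule is preserved for later inspection. Its view of the file layout is an assumption taken only from the hint "remove the first ON on the line": comma-separated fields with the first ",ON," after the rule number acting as the enable flag. The sample config it writes is constructed, and the field names after the action are made up for illustration; check the layout against your own file before using it on a live box.

```shell
#!/bin/sh
# Added example, not code from the thread or from the IPFire project.
# Disables (rather than deletes) one rule in an IPFire-style firewall config so
# the box can be recovered from the console or a rescue boot without losing it.
#
# ASSUMED line layout, based only on the thread's hint "remove the first ON on
# the line of the broken rule": comma-separated fields, the first ",ON," after
# the rule number being the enable flag. Verify this against your own
# /var/ipfire/firewall/config first. Needs a sed that supports -i (GNU/busybox).

# disable_rule FILE PATTERN
# Flips the first ",ON," to ",OFF," on each line of FILE that matches PATTERN
# (a basic regex; pick something specific such as ",DNAT," or the target IP).
# Keeps a timestamped copy of the original. Returns 1 if no line matched.
disable_rule() {
    file=$1
    pattern=$2
    grep -q -- "$pattern" "$file" || return 1
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # '\|' selects '|' as the address delimiter so the pattern may contain '/'
    sed -i "\\|$pattern|s/,ON,/,OFF,/" "$file"
}

# count_enabled FILE -> prints how many rules still carry the enable flag
count_enabled() {
    grep -c '^[0-9][0-9]*,ON,' "$1"
}

# list_rules FILE -> "number flag action" per rule, a quick console overview
list_rules() {
    awk -F, '/^[0-9]/ { print $1, $2, $3 }' "$1"
}

# make_sample FILE: writes a CONSTRUCTED two-rule config in the assumed layout.
# Field names after the action are invented for illustration only.
make_sample() {
    cat > "$1" <<'EOF'
1,ON,ACCEPT,FORWARDFW,src_addr,192.168.203.0/24,tgt_addr,192.168.1.1,ON,,,
2,ON,DNAT,FORWARDFW,src_addr,192.168.203.0/24,tgt_addr,192.168.1.1,ON,444,ON,
EOF
}

# Demo on a temporary file; on the appliance the real path is
# /var/ipfire/firewall/config and the edit is followed by a firewall restart.
demo=$(mktemp)
make_sample "$demo"
echo "before:"; list_rules "$demo"
disable_rule "$demo" ",DNAT," && { echo "after:"; list_rules "$demo"; }
rm -f "$demo" "$demo".bak.*
echo "On the appliance, finish with: /usr/local/bin/firewallctrl restart"
```

Only the first ",ON," on the matching line is touched, so any later ON fields on that rule (the sample has two) stay as they were, which is what the "first ON" hint describes; the backup copy sits next to the config with a timestamp suffix so a mistaken pattern can be undone from the same console.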

Hi guys, the issue has been resolved by removing the rule from
/var/ipfire/firewall/config and running /etc/rc.d/init.d/firewall reload.
I also found this thread:

Gotta be more careful with the rules; I'm not used to IPFire yet.
Thanks so much for the help!

3 Likes

Remains the problem of the DNAT rule.
Could you newly define it, without cutting the WebGUI and SSH access?

I didn’t try. The idea was to access the guest network more comfortably, but I will do a workaround for now.

I pulled a backup from the firewall, just in case. Is there a way to read the encrypted files, or is it only possible through the appliance?

The backups aren’t encrypted. They are just archives (.gz).

1 Like