vitobotta / hetzner-cloud-init


ufw deny #3

Open mdc-git opened 3 years ago

mdc-git commented 3 years ago

Might be me, but as far as I can tell the DENY rules introduced with update-config.sh are never cleaned up. With Hetzner giving you the same exact external IP on some machines if you delete and recreate a cluster quickly you might run into issues.

In my case I couldn't install an app from an external repo.

There was a DENY entry but I don't recall which machine. Wiped the rules, reapplied the initial version of the rules from setup.sh and ran update-config.sh again and everything was fine.

To finally solve the issue for me, I changed "deny" to "delete allow", which should accomplish the same job, as the default INPUT policy is DROP according to iptables -L.

I also chose to use the private network and only whitelisted 127.0.0.1 which seems to work ok by now.

# REMOVED holds the IPs of servers that are no longer in the project (update-config.sh)
for IP in "${REMOVED[@]}"; do
  ufw deny from "$IP"
done

changed to

for IP in "${REMOVED[@]}"; do
  # drop the allow rule that was added for this IP instead of stacking a deny rule
  ufw delete allow from "$IP"
done

This should remove the previously whitelisted entries. No?

vitobotta commented 3 years ago

Hi! Even if an IP gets denied after deleting a server, it will be allowed again once the server with that IP is back in the project. It seemed to work during my testing. Not sure why it's not working as expected for you. Weird.

mdc-git commented 3 years ago

Might be timing. I was provisioning in very rapid succession over different datacenters.

vitobotta commented 3 years ago

Yeah, it's possible :)

tboerger commented 1 year ago

But nevertheless just removing the old rules makes more sense than getting a big list of denies.
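The "delete the old allow instead of adding a deny" approach from the first post and the comment above, as an added stand-alone example that is not part of hetzner-cloud-init: it diffs a saved list of node IPs against the current list, emits the ufw commands (dry run by default via a hypothetical UFW_CMD variable), and also scans saved `ufw status numbered` output for deny entries that sit in front of an IP that is back in the cluster. File names, the sample IPs and the sample status output are constructed.

```shell
#!/usr/bin/env sh
# Hypothetical helper, not part of hetzner-cloud-init: keep ufw allow rules in
# sync with the current node IPs by deleting stale allow rules instead of
# adding deny rules, and flag deny rules left behind for IPs that are back.
# UFW_CMD defaults to a dry run that only echoes the commands.
UFW_CMD="${UFW_CMD:-echo ufw}"

# Print lines of file $1 that do not appear in file $2 (one IP per line).
missing_from() {
  grep -vxF -f "$2" "$1" || true
}

# Emit the ufw commands that move the rule set from PREV_FILE ($1) to CUR_FILE ($2).
reconcile_rules() {
  for ip in $(missing_from "$1" "$2"); do
    $UFW_CMD delete allow from "$ip"     # node gone: drop its allow, add no deny
  done
  for ip in $(missing_from "$2" "$1"); do
    $UFW_CMD allow from "$ip"            # node new or re-added
  done
}

# Given saved 'ufw status numbered' output ($1) and the current IPs ($2), print
# IPs that are in the cluster but still have a DENY rule; ufw evaluates rules in
# order, so an older deny entry shadows an allow appended later for the same IP.
stale_denies() {
  awk 'NF >= 3 && $(NF-2) == "DENY" { print $NF }' "$1" | grep -xF -f "$2" || true
}

# Constructed sample data for a stand-alone run.
prev=$(mktemp); cur=$(mktemp); status=$(mktemp)
printf '10.0.0.2\n10.0.0.3\n10.0.0.4\n' > "$prev"
printf '10.0.0.2\n10.0.0.5\n' > "$cur"
cat > "$status" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     10.0.0.2
[ 2] Anywhere                   ALLOW IN    10.0.0.2
EOF
reconcile_rules "$prev" "$cur"
echo "denied but currently in cluster: $(stale_denies "$status" "$cur")"
rm -f "$prev" "$cur" "$status"
```

Run it as-is for a dry run; set UFW_CMD=ufw to apply the emitted commands on a host.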