My hope is, when I am remote and I make wrong firewall entry, one hour later my access should return. WIll this work? Is there a better way? Pls advise.
It seems unnecessarily complicated to me. Make a copy of working network and firewall configurations (and any other file you plan to play with) in say /etc/backup and make the cron job look like this:
I think that this method will actually cause more issues than it solves for a number of reasons.
A few notable concerns:
This will write to your flash storage hourly... unnecessarily increasing the number of write-cycles and in turn reducing the lifespan of the device due to degradation of the storage.
This proposed restore of the backup occurring every hour means that if you are in the process of making changes, you might suddenly have all those changes reverted. Sounds like a potential Sysyphus situation.
The backup file, and potentially the cron-job itself will need to be constantly updated with the 'known good' configurations.
It's possible that you could accidentally backup a bad state, in which case you'd have a perpetual restore of a bad config.
There are other reasons that this could be problematic, too... but those are some of the big ones.
Instead, a simple but effective method to ensure you (almost) always have access would be to setup a dedicated tunnel on the remote router where it initiates a connection to your local router. Specifically, this would mean the remote router would act as a 'client' and your local one would be the 'server', like a wireguard road-warrior config. On the remote side, you'd put this wg network into its own firewall zone with input = ACCEPT, which would allow you to administer the router via the tunnel it establishes. Unless you really mess up your configuration, this should basically always work.
If I understand the OP correctly, the cron job should only be enabled when changes are made remotely so that access to the device can be restored in case of mistakes. If the changes are successful, the cron job will be disabled to prevent the previous configuration from being restored.
In that case, yes, there shouldn't be too much flash wear. However, if the cron job is left enabled, that could produce undesirable effects.
Another approach would be to use watchcat or similar that triggers on a loss of connectivity. Creating the right triggers and while minimizing false-positive events might be a bit of a challenge, but it would probably be better than the cron method.
Thanks. I wasn't aware that I could create two wire guard interface. One that is tested and has only purpose of remote access and its rules aren't touched at all.
Yes. Sort of. What I thought is that I will keep the restore file in that directory only when I am making changes. And its a test machines so the hourly boot would be a pain but wont cause needless restores.
However, I realize that better would be to put a # at the start of cron line and save thereby disabling it.
Yes, I agree. I just read it. I suppose I could have a ping to device on the otherside of wireguard but your other solution is simpler and the requirement is very transient.