I’m a little confused with how the API accepts ports. If I iterate through my current firewalls’ inbound rules, I can see this:

[29] pry(#<DigitalOceanAPI>)> @firewalls["PivotSSH"].inbound_rules
=> [<DropletKit::FirewallInboundRule {:@protocol=>"tcp", :@ports=>"8443", :@sources=>{"addresses"=>["redcacted"], "droplet_ids"=>[redacted]}}>,
 <DropletKit::FirewallInboundRule {:@protocol=>"tcp", :@ports=>"31000-32000", :@sources=>{"addresses"=>["redacted"], "droplet_ids"=>[redacted]}}>]

As you can see above, it looks like the ports is set to “31000-32000” which just looks like a string. However, if I take an existing firewall object and modify its ports to the same thing, the API doesn’t like it when calling the .update function:

[30] pry(#<DigitalOceanAPI>)> firewall
=> <DropletKit::Firewall {:@id=>"redacted, :@name=>"vPenTestAgents", :@status=>"succeeded", :@created_at=>"2020-06-22T03:24:05Z", :@inbound_rules=><DropletKit::FirewallInboundRule {:@protocol=>"tcp", :@ports=>[31000, 32000], :@sources=>{:addresses=>["192.168.1.1"]}}>, :@outbound_rules=>[<DropletKit::FirewallOutboundRule {:@protocol=>"icmp", :@ports=>"0", :@destinations=>{"addresses"=>["0.0.0.0/0", "::/0"]}}>, <DropletKit::FirewallOutboundRule {:@protocol=>"tcp", :@ports=>"0", :@destinations=>{"addresses"=>["0.0.0.0/0", "::/0"]}}>, <DropletKit::FirewallOutboundRule {:@protocol=>"udp", :@ports=>"0", :@destinations=>{"addresses"=>["0.0.0.0/0", "::/0"]}}>], :@droplet_ids=>[redacted], :@tags=>[], :@pending_changes=>[]}>
[32] pry(#<DigitalOceanAPI>)> @client.firewalls.update(firewall)
DropletKit::FailedUpdate: You must specify a positive value for ports.
from /usr/local/rvm/gems/ruby-2.5.8/gems/droplet_kit-3.8.0/lib/droplet_kit/mappings/error_mapping.rb:16:in `fail_with'
[33] pry(#<DigitalOceanAPI>)>

Any idea what could be going on here? It’s weird that I just can’t update the value from what it is currently to the same object type (string) and have it work.

I can’t even take an unmodified firewall and update itself without getting an error about the ports. I can’t understand why this would happen.

If I do something like firewall = client.firewalls.find(id: "xyz"); client.firewalls.update(firewall) then it gives me the same error about the ports. Makes no sense.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers

Still having this exact same issue. No updates??

I ran into this same thing and just figured out the issue. It’s definitely a bug on their end. When you call something like client.firewalls.find(id: "xyz"), if you inspect the firewall that’s returned, the default outbound rules have the ports set as “0” which is not a positive number so when you go to update any part of the firewall resource, it submits those outbound rules with it and thus getting the error stated above.

My workaround for this was emptying out the outbound_rules array on my firewall by setting it to [] and then submitting the update request. This works for me because I am only interested in the inbound rules.

  • Thank you for sharing this Dave! I was so frustrated by this just last night.

    Just to piggyback off of your explanation; if you did need to keep the outbound rules you could loop through the outbound_rules array and replace any ‘0’ ports with 'all’. You’ll also need to delete any ports properties for ICMP rules.

    This is the loop I’m using in my Node app:

    for (let i = 0; i < firewall.outbound_rules.length; i++) {
        if (firewall.outbound_rules[i].ports === '0') {
          firewall.outbound_rules[i].ports = 'all';
        }
    
        if (firewall.outbound_rules[i].protocol === 'icmp') {
          delete firewall.outbound_rules[i].ports;
        }
      }
    

    I’m also doing this for the inbound rules just incase.

Submit an Answer