Adding firewall rules to /etc/firewall.user does not work

Adding firewall rules to /etc/firewall.user fails/does not work, and restarting the firewall (/etc/init.d/firewall restart) ends up in the following state:


* Running script '/etc/firewall.user'
You cannot use UCI in firewall includes!
! Failed with exit code 1

However, it won't happen (it will work OK) if the new rule is added to /etc/config/firewall instead.
Does anyone experience a similar issue?

OpenWRT version:

root@OpenWrt:/# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.2'
DISTRIB_REVISION='r10947-65030d81f3'
DISTRIB_TARGET='ramips/mt7621'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt 19.07.2 r10947-65030d81f3'
DISTRIB_TAINTS=''

firewall.user is for iptables rules, not for the firewall rules in UCI format

Hi, this is what I added to /etc/config/firewall and that works.


#Allow SSH
config rule
    option name Allow-SSH
    option target ACCEPT
    option src wan
    option dest_port 1234
    option proto tcp
    option family ipv4

Adding it to /etc/firewall.user fails.
From what I understand from your reply, I should use a different syntax.
If yes, could you help me rewrite it to the correct one?

Just between you and me.. Allowing SSH from the WAN is a very very very bad idea. You should set up a VPN server if you really need to access your LAN from outside (including the OpenWRT SSH service). If you don't want to set up a VPN, please use public key authentication instead of password authentication for SSH. Or tighten up the rule even further, only allowing certain IP addresses. If you don't do this, you will notice bruteforce attacks from bots once they pick up your IP address. It's only a matter of hours.

And no need for a rewrite. What you did is the preferred (correct) way. Now your firewall rule can also be managed from the graphical user interface LuCI. The iptables syntax / firewall.user is meant for exotic firewall stuff, like post-routing rules and such.

2 Likes

firewall.user is a shell script, not a uci config file. If you put it in firewall.user you would need to add an explicit iptables command to add the rule that looks something like the following

# Insert (-I) into the INPUT chain so the rule is evaluated before fw3's own zone jumps,
# which otherwise reject unsolicited WAN traffic before an appended (-A) rule is reached
iptables -I INPUT -i eth0 -p tcp --dport 1234 -j ACCEPT
3 Likes
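As an added example (not code from any of the posts above), here is what a complete /etc/firewall.user fragment for that rule could look like if one really wanted it in shell form rather than in /etc/config/firewall. It assumes, as the reply above does, that the WAN interface is eth0; the management network 203.0.113.0/24 is a constructed placeholder, included because the earlier reply recommends restricting the rule to known source addresses. The rule is inserted at the top of INPUT and guarded with `iptables -C` so that running the script twice does not stack duplicate rules.

```shell
#!/bin/sh
# Example /etc/firewall.user fragment (added example, not from the forum thread).
# Assumptions not taken from the thread: WAN interface is eth0, and the only
# network allowed to reach SSH is the constructed placeholder 203.0.113.0/24.

WAN_IF="eth0"
SSH_PORT="1234"
ADMIN_NET="203.0.113.0/24"   # constructed placeholder, replace with your own range

# Build the rule specification (everything after "iptables -I/-C") for a port
# and a source network. Inserting into INPUT (rather than appending) puts the
# rule ahead of fw3's zone jumps, which would otherwise reject WAN input first.
ssh_rule_args() {
    port="$1"
    src="$2"
    printf '%s' "INPUT -i $WAN_IF -s $src -p tcp --dport $port -j ACCEPT"
}

# Insert the rule only if it is not already present. "iptables -C" exits 0 when
# an identical rule exists, so re-running the script stays idempotent.
ensure_rule() {
    args=$(ssh_rule_args "$1" "$2")
    # shellcheck disable=SC2086  # word splitting of $args is intended here
    if iptables -C $args 2>/dev/null; then
        echo "rule already present: $args"
    else
        # shellcheck disable=SC2086
        iptables -I $args || echo "could not insert rule: $args" >&2
    fi
}

# Only touch the live firewall when running as root with iptables available,
# so the file can be inspected or sourced elsewhere without side effects.
if [ "$(id -u)" = "0" ] && command -v iptables >/dev/null 2>&1; then
    ensure_rule "$SSH_PORT" "$ADMIN_NET"
fi
```

On the router, fw3 re-runs this file on every firewall restart; the `-C` check matters for root chains such as INPUT, which fw3 does not flush, whereas the UCI-generated chains are recreated on reload anyway.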
