Could not find out how to test the firewall in the LuCI web interface before saving the configuration.
(On other systems I usually do this with a timed reboot to prevent locking me out with misconfigured firewall rules.)
Some OS implementations have a "failsafe" script that can be used when applying rules. The script captures the current rules, applies the new rules, and, if a "console interrupt" is not seen within a timeout period, automatically reverts to the previous rules. Such scripts can be very helpful for devices that are only accessed through the network.
One could likely write such a script using uci. Hooking it into LuCI would be more challenging.
Thank you for all suggestions!
The link from jow looks very promising.
But how do you configure your firewalls right now?
To some routers I have to drive the whole day if I make a mistake.
That is not really practical.
In the meantime I could deactivate luci-firewall and write my rules in a "boot-script" which is run at boot time.
Then I could make a "test-script" with a timed reboot.
If it works I could copy "test-script" to "boot-script".
Still leaving the possibility to copy the wrong script...
Any better workarounds?
Can I run fw3 on a different config file?
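The timed-revert idea from the earlier reply (capture the current rules, apply the candidate, revert unless confirmed) and the "test-script" approach above can be combined into one script. The following is an added example, not code from any poster in this thread: it treats `/etc/config/firewall` as the live config and `fw3 reload` as the loader, and both, plus the timeout and scratch paths, are variables so the logic can be exercised without touching a real router.

```sh
#!/bin/sh
# Added example (not from this thread): load a candidate OpenWrt firewall
# config and revert it automatically unless the change is confirmed in time.
# Assumptions: FW_CONFIG is the live config (/etc/config/firewall on OpenWrt),
# FW_RELOAD is the command that loads it (fw3 reload), TIMEOUT is the grace
# period in seconds. All can be overridden from the environment or a test.

FW_CONFIG=${FW_CONFIG:-/etc/config/firewall}
FW_RELOAD=${FW_RELOAD:-"fw3 reload"}
TIMEOUT=${TIMEOUT:-120}
BACKUP=${BACKUP:-/tmp/firewall.backup}
CONFIRM=${CONFIRM:-/tmp/firewall.confirmed}

# Install a candidate config and start a background watchdog.
# If fw_confirm is not run before TIMEOUT expires, the backup is restored
# and reloaded, so a rule that cuts off remote access undoes itself.
fw_try() {
    candidate=$1
    [ -f "$candidate" ] || { echo "no such candidate: $candidate" >&2; return 1; }
    rm -f "$CONFIRM"
    cp "$FW_CONFIG" "$BACKUP" || return 1
    cp "$candidate" "$FW_CONFIG" || return 1
    # If the loader rejects the candidate, restore immediately.
    $FW_RELOAD || { cp "$BACKUP" "$FW_CONFIG"; $FW_RELOAD; return 1; }
    (
        sleep "$TIMEOUT"
        if [ ! -f "$CONFIRM" ]; then
            cp "$BACKUP" "$FW_CONFIG"
            $FW_RELOAD
        fi
    ) &
    echo "candidate loaded; run fw_confirm within ${TIMEOUT}s or it reverts"
}

# Run this from a session opened through the NEW rules: that proves you
# still have access, and the watchdog then leaves the candidate in place.
fw_confirm() {
    : > "$CONFIRM"
}
```

On a router you would typically run `fw_try /tmp/firewall.candidate` from one SSH session, reconnect in a second session, and only then call `fw_confirm`; if the second session cannot connect, waiting out the timeout brings the old rules back.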
I advise you understand the ordering of rules and the differences between the usage of the -I and -A arguments in iptables. Also understand that the entire firewall is reloaded each time a save is made, so the rules will always be loaded in the same order.
You can also place the rules at the very top of the web interface, that would make the rules first - and prevent lockout. I advise not using /etc/firewall.user unless you're unable to add the rules through the LuCI web GUI.
Remember to remove these rules after you're comfortable you won't lock yourself out.
Yes, but I highly advise that you understand iptables at this point, so you can write the rules yourself. You are entering dangerous security paradigms to open your admin ports to all interfaces.
First, I also suggested FORWARD, if on the WAN. But I have only suggested LAN INPUT rules because your firewall is configured by default to allow OUTPUT. So, unless you've completely erased or altered your default rules, this should be the case.
If you are referencing routing of the packet to its destination, this thread has only covered firewalling. If you are not clear on Linux (OpenWRT) routing, I might suggest creating another thread.
Don't feel bad, I personally find the iptables syntax close to completely unreadable. This is one of the reasons why the LuCI interface is relatively simple on its firewall options -- meets most users' needs.
Don't mess with any manually entered firewall rules unless you understand how iptables works, and how they will impact your security.
Remember that in the unlikely case that it is a firewall rule that "locks you out" of the router, you can boot into "failsafe" mode and access the router on 192.168.1.1 and "fix" what is messed up with the firewall.
Remote management, yes, I agree that making reasonably sure that you aren't locked out is a "good" reason.
Moving your outside port off 22 may help keep your logs cleaner, but is "security by obscurity". With the port-forward, you've changed a single-point configuration into a three-point one (WAN open port, forward port, LAN open port).