Why should you ever come here and waste human time?
1 Like
I used it has a guide testing. Cause i was having issues with the rules given of this forum. They weren't applying at all.
If all the stuff given by you wasn't doing the job correctly, i don't see any issue in relaying at AI to help me understand the correct structure alternatives, to make it work correctly. No need for that. Thanks for the help.
I came here first, to make sure i could get the best help as possible, and only used it as last resort, otherwise i would still be using regular iptables (cause that was the only thing that work in the first place).
You did not come here, you brought chadgpt under the belt.
This hyperbolization is uncomparable.
Perhaps if the stuff given here worked, i wouldn't had the need to relay on it, same goes with Discord server, most of the time it's rare to find the good knowledge ones, who really give efficient solutions, instead of posting nonsense.
After all ChatGPT + Other articles help me putting on the pieces on the correct order, and that's all it matter in the end. My motto is simplicity. And that award me with a functional solution.
You have to reset your device and apply only my NFT file. There is no telling if everything crammed on by YOUR llm parrot is safe.
All the solutions were tested after a normal reboot, if it didn't work i make sure i deleted. "rm"
You fail to respond to request for
ubus call system board
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "ASUS RT-AX59U",
"board_name": "asus,rt-ax59u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
Nice, follow step-by-step instructions to put single file in /etc/nftables.d and then in luci/status/firewall confirm it is installed (it is in later half of display)
Yes!!!! Human typing 
Esc : wq -> save file
Thats correct
fw4 check -> says rules ok
fw4 print | less -> look at them
service firewall restart -> apply rules keeping all existing connections open
root@OpenWrt:/etc/nftables.d# fw4 print
table inet fw4
flush table inet fw4
table inet fw4 {
#
# Defines
#
define lan_devices = { "br-lan" }
define lan_subnets = { 192.168.1.0/24, fd6e:8b30:329f::/60 }
define wan_devices = { "usb0" }
define wan_subnets = { 192.168.42.0/24 }
#
# User includes
#
include "/etc/nftables.d/*.nft"
#
# Filter rules
#
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood commen t "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/I Pv6 input traffic"
iifname "usb0" jump input_wan comment "!fw4: Handle wan IPv4/IPv 6 input traffic"
jump handle_reject
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forward ed established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4 /IPv6 forward traffic"
iifname "usb0" jump forward_wan comment "!fw4: Handle wan IPv4/I Pv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopba ck"
ct state established,related accept comment "!fw4: Allow outboun d established and related flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/ IPv6 output traffic"
oifname "usb0" jump output_wan comment "!fw4: Handle wan IPv4/IP v6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/ IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject an y other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Acce pt SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/I Pv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/I Pv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: All ow-DHCP-Renew"
meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allo w-Ping"
meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4 : Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter accept comment "!fw4: Al low-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0 , 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow -ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000 /second counter accept comment "!fw4: Allow-ICMPv6-Forward"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow -IPSec-ESP"
udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-IS AKMP"
jump reject_to_wan
}
chain accept_to_wan {
meta nfproto ipv4 oifname "usb0" ct state invalid counter drop c omment "!fw4: Prevent NAT leakage"
oifname "usb0" counter accept comment "!fw4: accept wan IPv4/IPv 6 traffic"
}
chain reject_from_wan {
iifname "usb0" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "usb0" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "usb0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IP v6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
#
# Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "usb0" tcp flags syn tcp option maxseg size set rt mtu c omment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname "usb0" tcp flags syn tcp option maxseg size set rt mtu c omment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
root@OpenWrt:/etc/nftables.d#
It does not print includes, you will have to go with check result, apply ant then print 
via nft list ruleset | less (same as luci firewall status, just without beautiful explanations)
Can you repeat chain names within the fw4 table?
You need to repeat hook heading 
Would not work with 3 main chains as the hook heading is variable.
I'm lost. Apologies.
would discord be better?