Cron job to Restart Firewall

I want to restart my firewall every 12 hrs and I believe a cron job run @ "0 */12 * * * < cmd here >" will do nicely, however I am not sure where I should put my commands, or how I should formulate them - e.g. should I create a script that cron calls with a "restart firewall service" command; or can I directly call a restart of the firewall from the cron job input screen?

I have this other (solved) post On Demand Iptable update & DNS refresh that I now want to automate somewhat*.
*NB: Somewhat being that I still want to restart the my firewall and load the IPTable rules on demand.

Looking around I come across very complex scripts to restart firewalls to restrict access and such, which is a bit much for my current needs - a simple call to restart the firewall, update IPTables, and flush the DNS (currently residing in the Firewall > Custom Rules screen).

As always, the community's time and assistance is greatly appreciated.

You could either run "crontab -e" from the console or paste your fully-formed line in the GUI, under System -> Scheduled Tasks.

The command you're looking for is:
/etc/init.d/firewall reload

1 Like

Love it, a box that intentionally opens all ports like clockwork.

Most Linux firewall are “accept” as default, so reloading the rules leaves you open as they do.

Selective add/remove is a safer approach.

3 Likes

Thank you, Jeff.

I am confused as I asked this in my original thread, and was advised that nothing would be exposed as there were no rules when restartig the firewall - On Demand Iptable update & DNS refresh

Or is the "reload" command different somehow to what is run when clicking the 'Restart firewall' under the Network > Firewall/Custom Rules tab? This is what I see from the system logs when I click
restart:

Sun Jul 7 13:52:13 2019 user.info : Restarting firewall on custom /etc/firewall.user change

Is this different to a 'reload'?

Slight side step whilst on the topic of opening ports: after I run the update to the iptables I run...

killall -HUP dnsmasq

...to clear DNS cache. Hopefully this is not leaving me exposed in anyway either. (Is there a draft in here :stuck_out_tongue: )

Any basic reading suggestions or online resources/course that you think would help me, I would be grateful to know about (they're probably on page 3 of the search results, but who goes there? :wink: )

I appreciate all the help - there is a bit of a steep curve when it comes to networking.

Thank you, aboaboit.

I will look in to this more considering the comment from @jeff re the potential exposure risk.

1 Like

At least when I've looked into Linux networking, the default is to pass all packets.

With a properly orchestrated boot, this is not an insurmountable problem. You, for example

  1. Initialize network interfaces, leaving them down
  2. Load firewall rules
  3. Bring up network interfaces
  4. Bring up services

Now, if you decide to flush the rules to reload them, there's a brief period of time when you've got no firewall. The one bright side is that your ISP should be filtering out the private address space, so the hosts in your LAN won't be addressed. Your router's public IP, however, reachable. Like LuCI listening on all interfaces. Now, as I believe that conntrack is still running, so any connection established during the drop shows up as "established/related" and gets passed even once your rules come back.

Two "better" approaches, at least in my opinion, include:

  • Add a "block all from any to any via any" rule as "rule 1" while you swap out rules
  • Drop in your replacement rule just ahead of what it is replacing, then delete the "old" version

If you need to change something, then I'd go with the second option (or a table-based rule where the rule stays in place, just the contents of the table it references changes).

nftables, I believe, has finally implemented an "atomic swap", but it is not yet supported by LuCI.

2 Likes

You're failing to consider your own (custom) rules, which I considered when responding.

You're also failing to recall that you intended to flush the OpenWrt default rules.

Obviously, if you flush the rules - and also fail to properly write your own, you'll have an exposure. Please be mindful of that when writing your own firewall - as not to expose your device.

1 Like

Kia Ora All,

I realised I left this open and needed some closure for myself.

To resolve, I set a job to reboot the entire router every couple of days. As my understanding this will be the most secure option(?).

I appreciate everyone's time and input.

Edited for grammar

Restarting the firewall is already an overkill that may drop your established connections, but rebooting the router is even more overkill that is most likely pointless.

Meanwhile, you can use more resilient approaches:

  • Auto-expiring rules:
  • Removing all the rules matching some pattern:
cat << "EOF" > /etc/firewall.clean
IPT_PATTERN="--comment.*temp_rule"
for IPT in iptables ip6tables
do
${IPT}-save -c \
| sed -e "/${IPT_PATTERN}/d" \
| ${IPT}-restore -c
done
EOF
2 Likes

IPsets may be suitable here, as they allow adding entries with automatic expiry times.

3 Likes