I want to restart my firewall every 12 hrs and I believe a cron job run @ "0 */12 * * * < cmd here >" will do nicely, however I am not sure where I should put my commands, or how I should formulate them - e.g. should I create a script that cron calls with a "restart firewall service" command; or can I directly call a restart of the firewall from the cron job input screen?
I have this other (solved) post On Demand Iptable update & DNS refresh that I now want to automate somewhat*.
*NB: Somewhat being that I still want to restart the my firewall and load the IPTable rules on demand.
Looking around I come across very complex scripts to restart firewalls to restrict access and such, which is a bit much for my current needs - a simple call to restart the firewall, update IPTables, and flush the DNS (currently residing in the Firewall > Custom Rules screen).
As always, the community's time and assistance is greatly appreciated.
Or is the "reload" command different somehow to what is run when clicking the 'Restart firewall' under the Network > Firewall/Custom Rules tab? This is what I see from the system logs when I click
restart:
Sun Jul 7 13:52:13 2019 user.info : Restarting firewall on custom /etc/firewall.user change
Is this different to a 'reload'?
Slight side step whilst on the topic of opening ports: after I run the update to the iptables I run...
killall -HUP dnsmasq
...to clear DNS cache. Hopefully this is not leaving me exposed in anyway either. (Is there a draft in here )
Any basic reading suggestions or online resources/course that you think would help me, I would be grateful to know about (they're probably on page 3 of the search results, but who goes there? )
I appreciate all the help - there is a bit of a steep curve when it comes to networking.
At least when I've looked into Linux networking, the default is to pass all packets.
With a properly orchestrated boot, this is not an insurmountable problem. You, for example
Initialize network interfaces, leaving them down
Load firewall rules
Bring up network interfaces
Bring up services
Now, if you decide to flush the rules to reload them, there's a brief period of time when you've got no firewall. The one bright side is that your ISP should be filtering out the private address space, so the hosts in your LAN won't be addressed. Your router's public IP, however, reachable. Like LuCI listening on all interfaces. Now, as I believe that conntrack is still running, so any connection established during the drop shows up as "established/related" and gets passed even once your rules come back.
Two "better" approaches, at least in my opinion, include:
Add a "block all from any to any via any" rule as "rule 1" while you swap out rules
Drop in your replacement rule just ahead of what it is replacing, then delete the "old" version
If you need to change something, then I'd go with the second option (or a table-based rule where the rule stays in place, just the contents of the table it references changes).
nftables, I believe, has finally implemented an "atomic swap", but it is not yet supported by LuCI.
You're failing to consider your own (custom) rules, which I considered when responding.
You're also failing to recall that you intended to flush the OpenWrt default rules.
Obviously, if you flush the rules - and also fail to properly write your own, you'll have an exposure. Please be mindful of that when writing your own firewall - as not to expose your device.
Restarting the firewall is already an overkill that may drop your established connections, but rebooting the router is even more overkill that is most likely pointless.
Meanwhile, you can use more resilient approaches:
Auto-expiring rules:
Removing all the rules matching some pattern:
cat << "EOF" > /etc/firewall.clean
IPT_PATTERN="--comment.*temp_rule"
for IPT in iptables ip6tables
do
${IPT}-save -c \
| sed -e "/${IPT_PATTERN}/d" \
| ${IPT}-restore -c
done
EOF
)
)