Custom firewall rules don't work

I created 2 custom firewall rules to block Intel AMT traffic.
I entered the rules in the etc/firewall file using WinSCP.

The rules are:

config rule
	option name 'Disable AMT lan to wan'
	option src 'lan'
	option dst 'wan'
	option proto 'all'
	option src_port '9971, 16992:16995, 623, 664'
	option target 'DROP'

config rule
	option name 'Disable AMT wan to lan'
	option src 'wan'
	option dst 'lan'
	option proto 'all'
	option src_port '9971, 16992:16995, 623, 664'
	option target 'DROP'

When I log in to LuCI and look under Network > Firewall I see the following error. What did I do wrong?

Disable AMT lan to wan

500 Internal Server Error

Sorry, the server encountered an unexpected error.

/usr/lib/lua/luci/dispatcher.lua:460: Failed to execute arcombine dispatcher target for entry '/admin/network/firewall/rules'.
The called action terminated with an exception:
/usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/map'.
A runtime error occured: /usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/tblsection'.
A runtime error occured: /usr/lib/lua/luci/template.lua:97: Failed to execute template 'cbi/dvalue'.
A runtime error occured: /usr/lib/lua/luci/tools/firewall.lua:58: bad argument #3 to '?' (integer expected, got string)
stack traceback:
	[C]: in function 'assert'
	/usr/lib/lua/luci/dispatcher.lua:460: in function 'dispatch'
	/usr/lib/lua/luci/dispatcher.lua:141: in function

Please only separate ports or port ranges with spaces, no commas.

2 Likes

I removed the commas, but now I am unable to connect to the router, either wireless or wired.

Rebooting the device didn't work, so I assume the rules I created are no good.
Can somebody put me in the right direction?

Check if uci show firewall >/dev/null reports syntax errors. Also see if fw3 print reports errors.

1 Like

In addition to what was mentioned above:

There is a syntax error in your rules.
You should use the 'dest' option instead of 'dst' to specify the zone name.
Because of this error, a firewall rule will be created, but in the INPUT chain instead of the FORWARD chain.

option dest 'wan'

Please refer to the wiki for details.

3 Likes
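As an added example (not from any post in this thread), here is a small POSIX shell lint that catches both mistakes raised in the replies above, comma-separated port lists and 'dst' used where fw3 expects 'dest', on a copy of the firewall config before it is loaded on the router. The function names lint_fw_rules, write_broken_sample and write_fixed_sample are my own, and the sample rule is a constructed copy of the first post's lan-to-wan rule, once with the original mistakes and once corrected.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenWrt.
# A tiny lint for /etc/config/firewall that catches the two mistakes
# discussed above before the file is handed to LuCI or fw3:
#   1. comma-separated port lists in src_port/dest_port (must be space-separated)
#   2. 'option dst' used for the destination zone (the fw3 option is 'dest')

# lint_fw_rules FILE
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
lint_fw_rules() {
    file="$1"
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *"option src_port"*,*|*"option dest_port"*,*)
                printf '%s:%d: comma-separated port list, use spaces: %s\n' "$file" "$lineno" "$line"
                found=1 ;;
            *"option dst "*)
                printf "%s:%d: 'dst' is not a zone option, use 'dest': %s\n" "$file" "$lineno" "$line"
                found=1 ;;
        esac
    done < "$file"
    return "$found"
}

# write_broken_sample FILE: constructed copy of the first post's rule, mistakes included.
write_broken_sample() {
    cat > "$1" <<'EOF'
config rule
	option name 'Disable AMT lan to wan'
	option src 'lan'
	option dst 'wan'
	option proto 'all'
	option src_port '9971, 16992:16995, 623, 664'
	option target 'DROP'
EOF
}

# write_fixed_sample FILE: the same rule with space-separated ports and 'dest'.
write_fixed_sample() {
    cat > "$1" <<'EOF'
config rule
	option name 'Disable AMT lan to wan'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option src_port '9971 16992:16995 623 664'
	option target 'DROP'
EOF
}

# Stand-alone demo: lint the broken copy, then the corrected one.
tmp=$(mktemp)
write_broken_sample "$tmp"
echo "== broken rule =="
if lint_fw_rules "$tmp"; then echo "no problems found"; fi
write_fixed_sample "$tmp"
echo "== fixed rule =="
if lint_fw_rules "$tmp"; then echo "no problems found"; fi
rm -f "$tmp"

# On the router itself, follow up with the checks suggested in the thread:
#   uci show firewall >/dev/null   # reports syntax errors in the whole file
#   fw3 print                      # shows the rules fw3 would actually generate
```

Run it against a copy of the file pulled down with WinSCP (lint_fw_rules /path/to/firewall); a clean run prints nothing and exits 0. It only checks the two problems this thread identified, so a config that passes can still be rejected by uci or fw3 for other reasons.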

See the manual in the message above. So the second rule is VERY strange due to 'forward' FROM wan TO lan.