Custom firewall rules may not work after reboot

I discovered that custom firewall rules will not work after reboot if they contain a device name (server name, printer name, etc.) that has a static IP address defined. They will work after you click the 'Restart Firewall' button in Luci. The danger here is that someone will tweak and test all of their rules through Luci and have them working perfectly, and not realize that they won't be loaded when the router reboots. I will agree in advance that they should test after reboot - but if we make it easy to do it right, and difficult to do it wrong, then people will be less likely to make mistakes.

The problem is that at boot time, the custom rules are loaded before dnsmasq is loaded, so the device names can't be resolved to IP addresses and the rules can't be created.

One workaround is to go to System/Startup and add a local startup script that includes '/etc/init.d/firewall restart'. I tested this and it works; being a bit cautious I then added a 'sleep 1' before the firewall restart. Or, if you prefer, you can do the same thing by editing /etc/rc.local.

Another workaround is to simply use IP or MAC addresses in all of your firewall rules; this works but is unsatisfactory because firewall rules are much easier to understand when they include device names.

Someone might suggest putting a similar sleep into the firewall script; this doesn't work. I tried 'sleep 10' and 'sleep 120' and neither one worked.

This should really be documented in the official firewall documentation; I am documenting it here so that it will be easy to find. I searched all of the documentation and the forum and couldn't find this mentioned anywhere.

I am running OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) on a Linksys WRT1900ACS.
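The rc.local workaround described above, as an added example that is not code from the thread: instead of a fixed sleep, the script waits (with a bound) until the hostnames referenced in the custom rules resolve, then restarts the firewall, and logs if it has to give up. It assumes the OpenWrt 18.06 layout where LuCI's custom rules live in /etc/firewall.user, BusyBox nslookup and logger, and a placeholder script path /etc/firewall-reload.sh invoked from /etc/rc.local.

```shell
# Added example (not from the thread). Assumes OpenWrt 18.06: custom rules in
# /etc/firewall.user, BusyBox nslookup/logger; run from /etc/rc.local with --run.
RULES_FILE="${RULES_FILE:-/etc/firewall.user}"
MAX_WAIT="${MAX_WAIT:-60}"   # seconds to wait for dnsmasq before giving up

# Return 0 if the argument is a plain IPv4 address or CIDR (no lookup needed).
is_ip_or_cidr() {
  case "$1" in
    *[!0-9./]*) return 1 ;;   # anything other than digits, dots, slash
    *) return 0 ;;
  esac
}

# Print, deduplicated, the hostnames given to -s/-d/--to-destination in the
# iptables rules read from stdin. A trailing :port is stripped (IPv4 only).
extract_hosts() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i == "-s" || $i == "-d" || $i == "--source" ||
               $i == "--destination" || $i == "--to-destination")
             print $(i + 1) }' |
  sed 's/:.*//' |
  while read -r h; do is_ip_or_cidr "$h" || echo "$h"; done |
  sort -u
}

# Return 0 once every listed hostname resolves, 1 if MAX_WAIT seconds pass first.
wait_for_hosts() {
  waited=0
  for h in "$@"; do
    until nslookup "$h" >/dev/null 2>&1; do
      [ "$waited" -ge "$MAX_WAIT" ] && return 1
      sleep 1; waited=$((waited + 1))
    done
  done
  return 0
}

main() {
  hosts=$(extract_hosts < "$RULES_FILE")
  # $hosts is intentionally unquoted so the newline-separated list is split
  if [ -n "$hosts" ] && ! wait_for_hosts $hosts; then
    logger -t firewall-reload "gave up after ${MAX_WAIT}s; rules with unresolved names will be missing"
  fi
  /etc/init.d/firewall restart
}

# Only act when invoked with --run (rc.local line: /etc/firewall-reload.sh --run &)
if [ "${1:-}" = "--run" ]; then main; fi
```

Start it from /etc/rc.local in the background (`/etc/firewall-reload.sh --run &`) so boot does not block on the wait. Note that this only reapplies the custom rules once names resolve; the first firewall load at boot still happens without them.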

This wouldn't work.

This is what's supposed to be done.

:confused:
Can you show me the manual that says iptables uses hostnames?

http://ipset.netfilter.org/iptables.man.html#lbAI
However it doesn't mean that using hostnames is a good practice.

Loading iptables before network startup is justified enough, because waiting for dnsmasq would delay the firewall startup process and could cause security issues.


> Loading iptables before network startup is justified enough, because waiting for dnsmasq would delay the firewall startup process and could cause security issues.

Correct, the firewall needs to be up and running before we start processing packets, hence it would be a bad plan to wait for dnsmasq. However, I do think that this should be documented.

As for using hostnames in firewall rules, it certainly makes the rules easier to understand.

If it's really critical for you, you could try defining aliases for your key static IPs in /etc/hosts and refer to those in your iptables rules.