I kept wondering why I couldn't seal my DMZ until I found that firewall zones have 'Covered Networks' and 'Covered Devices' (under Advanced Configuration in LuCI).
Should one be preferred over the other? Why and how can they get out of sync? And shouldn't there be a warning to use either one or the other? Because...
Can bad things happen if a configuration mixes both Networks and Devices? Definitely yes, because my Network was in the DMZ while the Device was still in the LAN zone.
The device option is useful for devices that are managed outside of UCI, in particular VPN tunnels. Before that existed it was necessary to set up a dummy network:
/etc/config/network:
config interface 'vpntun'
	option ifname 'tun0'
	option proto 'none'
This doesn't do anything other than let the UCI firewall script look up network name 'vpntun' and find that tun0 is its actual kernel device name to insert into iptables. So instead that can be done directly with a list device in /etc/config/firewall.
Use list network in almost all other cases except for something like this.
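As an added example (not code from the original thread or from OpenWrt), the script below mimics how the firewall script resolves a zone's covered networks to kernel device names, and then flags any device that ends up in two zones, which is exactly the DMZ/LAN mix described in the question. The two configs are constructed samples; both the newer `option device` and the older `option ifname` key are accepted when looking up a network's device.

```python
# Constructed sample configs (not from any real router). Zone 'dmz' covers
# network 'dmz' (device eth0.3), while zone 'lan' still lists device 'eth0.3'
# directly: the network/device mix that leaves the DMZ unsealed.
NETWORK_CFG = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'

config interface 'dmz'
    option device 'eth0.3'
    option proto 'static'

config interface 'vpntun'
    option ifname 'tun0'
    option proto 'none'
"""

FIREWALL_CFG = """
config zone
    option name 'lan'
    list network 'lan'
    list device 'eth0.3'

config zone
    option name 'dmz'
    list network 'dmz'

config zone
    option name 'vpn'
    list device 'tun0'
"""

def parse_uci(text):
    """Minimal UCI parser: returns a list of (type, name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip().strip("'\"") for p in line.split(None, 2)]
        if not parts or parts[0] not in ('config', 'option', 'list'):
            continue
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        else:  # 'option' and 'list' both become lists of values
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def zone_devices(network_cfg, firewall_cfg):
    """Resolve each zone to the kernel devices it covers: 'list network' is
    looked up in the network config for its device, 'list device' is used as-is."""
    net_dev = {name: (opts.get('device') or opts.get('ifname') or [None])[0]
               for typ, name, opts in parse_uci(network_cfg) if typ == 'interface'}
    zones = {}
    for typ, _, opts in parse_uci(firewall_cfg):
        if typ != 'zone':
            continue
        devs = set(opts.get('device', []))
        devs.update(net_dev[n] for n in opts.get('network', []) if net_dev.get(n))
        zones[opts['name'][0]] = devs
    return zones

def conflicting_devices(zones):
    """Return {device: sorted zone names} for every device claimed by more than one zone."""
    owners = {}
    for zone, devs in zones.items():
        for dev in devs:
            owners.setdefault(dev, []).append(zone)
    return {d: sorted(z) for d, z in owners.items() if len(z) > 1}

if __name__ == '__main__':
    resolved = zone_devices(NETWORK_CFG, FIREWALL_CFG)
    for zone, devs in resolved.items():
        print(zone, sorted(devs))
    print('conflicts:', conflicting_devices(resolved))  # {'eth0.3': ['dmz', 'lan']}
```

Running it on a router's real /etc/config/network and /etc/config/firewall (read into the two strings) gives a quick check that no device is covered by two zones before reloading the firewall.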