Firewall not being read

Hi,

For some reason my openwrt firewall has decided to not read the contents of the firewall configuration file but rather delete all the settings even though the configuration file is not empty.

Here are the contents of my firewall config file:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'relay'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option src 'relay'
	option dest '*'

config rule
	option name 'Allow-IGMP'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'relay'

config rule
	option name 'Allow-DHCPv6'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option src 'relay'
	list dest_ip 'fc00::/6'
	list src_ip 'fc00::/6'

config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'
	option src 'relay'

config rule
	option name 'Allow-ICMPv6-Input'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	option src 'relay'

config rule
	option name 'Allow-ICMPv6-Forward'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'time-exceeded'
	option src 'relay'

config rule
	option name 'Allow-IPSec-ESP'
	option proto 'esp'
	option target 'ACCEPT'
	option src 'relay'
	option dest 'relay'

config rule
	option name 'Allow-ISAKMP'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'relay'
	option dest 'relay'

config include
	option path '/etc/firewall.user'

config zone
	option name 'relay'
	option forward 'ACCEPT'
	option network 'relayBridge'
	option input 'ACCEPT'
	option output ACCEPT'

config redirect
	option dest_port '3000'
	option src 'relay'
	option name 'Beef'
	option src_dport '3000'
	option target 'DNAT'
	option dest_ip '10.1.1.31'
	list proto 'tcp'
	option dest 'relay'

config redirect
	option dest_port '32400'
	option src 'relay'
	option name 'Plex'
	option src_dport '32400'
	option target 'DNAT'
	option dest_ip '10.1.1.31'
	list proto 'tcp'
	option dest 'relay'

config redirect
	option dest_port '25565'
	option src 'relay'
	option src_dport '25565'
	option target 'DNAT'
	option dest_ip '10.1.1.31'
	list proto 'tcp'
	option name 'Minecraft'
	option dest 'relay'

config redirect
	option dest_port '1190'
	option src 'relay'
	option name 'OpenVPN'
	option src_dport '1190'
	option target 'DNAT'
	list proto 'udp'

config redirect
	option dest_port '9'
	option src 'relay'
	option name 'WoL'
	option src_dport '9'
	option target 'DNAT'
	option dest_ip '10.1.1.31'
	list proto 'tcp'
	option dest 'relay'

config rule
	option src_port '631'
	option src 'relay'
	option name 'Printer'
	option target 'ACCEPT'
	option dest_port '631'
	option dest 'relay'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'
	option network 'VPN'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'relay'
	option dest_port '1190'

config zone
	option name 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wwan'

config rule
	option src_port '22'
	option src 'relay'
	option name 'ssh'
	option target 'ACCEPT'
	list dest_ip '10.1.1.31'
	option dest_port '22'
	list proto 'tcp'
	option dest 'relay'

config forwarding
	option dest 'relay'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'relay'

config forwarding
	option dest 'relay'
	option src 'VPN'

config forwarding
	option dest 'VPN'
	option src 'relay'

config forwarding
	option dest 'relay'
	option src 'wwan'

config forwarding
	option dest 'wwan'
	option src 'relay'

config redirect
	option dest_port '5900'
	option src 'relay'
	option src_dport '5900'
	option target 'DNAT'
	option dest 'relay'
	list proto 'tcp'
	option name 'VNC'

Thanks,

Nightwalker

How do you know it is deleting the settings? What is the actual symptom?

What is the output of df -h
and what devices is this?


I haven't tried df -h yet, only via LuCI at this stage. I am using a Banana Pi R1 as an extender/IoT play thing.

If you have PuTTY, an SSH shell program, you log into your router via the app and run the command @psherman suggested to get this (pasted into the "preformatted text"):

root@Dachshund:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.5M      3.5M         0 100% /rom
tmpfs                    27.7M    264.0K     27.5M   1% /tmp
/dev/mtdblock9            9.8M      3.6M      6.2M  37% /overlay
overlayfs:/overlay        9.8M      3.6M      6.2M  37% /
tmpfs                   512.0K         0    512.0K   0% /dev
root@Dachshund:~#

It won't let me ssh into the router and when I check the firewall setting this is what appears no matter which tab I click on. Completely empty.


Trying to add a new zone does not even add a new zone; it is as if the whole firewall system is broken, or at least LuCI is.

You've lost control of this device and if you can still manage to get to the "Perform Reset" you should.

From that view, it certainly looks like something is wrong. But it's not clear if this is just a rendering issue or an actual firewall problem.

iptables-save -c should presumably tell you what is actually happening with your running config.

What version of OpenWrt are you running? What packages have you installed? Have you used opkg upgrade at all? What about free space? Have you tried backing up the system and restoring it to a default condition?

Is it possible to load everything back onto openwrt after "factory reset" say I copy the files to hard drive perform reset then copy them back on to the sd card? Only have to modify the new firewall.

I can't say for sure. (Using WinSCP for drag and drop on a Windows system: I know that scripts for sure will lose their OpenWrt assigned permissions, rendering them unusable.)

Since I know what I back up, what I use, what is going to need attention after an upgrade/reset, it's not a problem.
So it really depends on how familiar you are with the file structure of OpenWrt, and the specialized packages you have.

And I hope you feel the same about the saying "practice makes perfect".

@psherman please provide the insight you're known for on this subject.

Thanks guys! I solved the problem. I was missing an ' in one of the rules and that is why the firewall configuration was not loading properly.

Awesome, nothing more satisfying than a self solve.


Luckily I had the custom command thing for Luci installed otherwise I might not have found the answer so quickly.


LOL, 24 hrs later.. not so quick but nonetheless persistent. Maybe the actuality that you might have to reset the device opened your eyes a bit more. I don't know how you managed to do this without SSH and with a bricked LuCI frontend, but you did.

Have a great weekend!

custom command? which package it is?

Luci-app-commands


Well, if the files have errors in them such as missing quotes, etc it can make the device stop functioning.

For syntax handling yes.

For fixing SSH access into the router, idk.

My router can't maintain its uptime, bcz I keep installing opkg packages. :rofl: Another package to install.

So the question remained in my head: After seeing the package you mentioned; that I have now installed.

  • The question is how could we have supported you better within the context of your OP (original post)?
  • The answer is in plain sight; retrospectively.

Thank you for introducing me to a new package.

Indeed. But it required a keen eye to see that there was a missing quote mark!

I wonder if the logs had anything that would have indicated an invalid firewall file... even a general warning/error might have pointed us to scrutinize the syntax in the file.
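The previous post asks whether anything would have flagged the invalid file. The following is an added example, not a tool from OpenWrt or from anyone in this thread: a small sh/awk lint that scans a UCI config for option/list lines with an unbalanced quote or no value at all, which is exactly the typo (option output ACCEPT') that emptied the firewall view here. The sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# uci_lint FILE: report option/list lines whose value has unbalanced quotes
# or is missing. Constructed example, not an OpenWrt tool; assumes only
# POSIX sh and awk. Exit status is 1 when a problem is found, else 0.
# A literal quote inside a value of the other quote style is reported too;
# treat such hits as a prompt to look at the line, not as proof of a fault.
uci_lint() {
    awk -v sq="'" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                    # drop indentation
        if (line == "" || line ~ /^#/) next         # blank line or comment
        if (line !~ /^(option|list)[ \t]/) next     # only value-carrying lines
        n = split(line, f, /[ \t]+/)
        if (n < 3) {                                # "option name" with no value
            printf("%s:%d: missing value: %s\n", FILENAME, NR, $0); bad++; next
        }
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)   # keep only the value part
        nsq = gsub(sq, "", line)                    # count single quotes
        ndq = gsub(/"/, "", line)                   # count double quotes
        if (nsq % 2 || ndq % 2) {
            printf("%s:%d: unbalanced quote: %s\n", FILENAME, NR, $0); bad++
        }
    }
    END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# write_sample FILE: constructed zone section with the same typo as the thread
# (the opening quote before ACCEPT is missing on the output line).
write_sample() {
    printf "config zone\n\toption name 'relay'\n\toption output ACCEPT'\n" > "$1"
}

# usage: sh uci_lint.sh /etc/config/firewall
if [ -n "$1" ]; then uci_lint "$1"; fi
```

On the router itself, uci show firewall reports a parse error with the line number for a file like this, which is the quickest check when LuCI shows empty firewall tabs.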