Firewall rule (fw4) is not working .. how to debug?

darksky · February 6, 2022, 9:00pm

I built an image from master just now and created this firewall rule to deny WAN access to a particular client. The rule is active yet I can still get out to the WAN from that client. Under a pure fw3 image built from a few days ago, the rule worked as expected. How can I debug?

config rule
  option src 'lan'
  option target 'REJECT'
  option name 'Deny WAN access'
  option dest 'wan'
  list proto 'all'
  list src_ip '10.9.8.100'
  list src_ip '10.9.8.112'

EDIT: Is this to be expected?

# /etc/init.d/firewall status
inactive

anon98444528 · February 6, 2022, 10:31pm

opkg intsall iptables-nft

copy the fw3 working tables entries related to this rule, save to file, use iptables-restore-translate on the resulting file to create a nft tables rule and compare with that generated by fw4 (nft list | grep "Deny")?

just a thought - haven't done this yet, but i need to start thinking about it.

dave14305 · February 6, 2022, 10:37pm

Run fw4 reload and look for errors. Then run nft list ruleset to see the actual rules.

darksky · February 7, 2022, 8:56am

Thanks for the replies.

That gave no output. I would try the other suggestions, but I flashed an older image to the device which uses fw3 and that does work. I don't know what else isn't working and need to control access to devices here. Will have to get a spare RPi4 to use for development testing with this.

I did open FS#4258 since this behavior was confirmed by another user.

@dave14305 @anon98444528 - Either of you running with fw4? Care to make that rule and see what you can determine?

jow · February 7, 2022, 10:47am

Fixed with

github.com/openwrt/openwrt

firewall4: update to latest Git HEAD

committed 10:47PM - 03 Feb 22 UTC

jow-

+3 -3

b54f462 fw4: parse traffic rules before forwarding rules 4d5af8b fw4: consolidat…e helper code 300c737 fw4: fix applying zone family restrictions to forwardings eb9c25a tests: implement fs.opendir() mock interface d30ff48 tests: fix mocked fs.popen() trace log 52831a0 fw4: improve flowtable handling 7cb10c8 fw4: disable "flow_offloading_hw" option for now b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family Signed-off-by: Jo-Philipp Wich <jo@mein.io>

darksky · February 7, 2022, 11:53am

Thank you @jow. I will build an image later today to verify on my hardware.

darksky · February 7, 2022, 5:08pm

@jow - Build from master just now did give the expected behavior, but the rule was not active when the device booted. I had to manually start it.

# /etc/init.d/firewall status
inactive

# /etc/init.d/firewall stop  
Command failed: Not found

# /etc/init.d/firewall start

# /etc/init.d/firewall status
active with no instances

Is this to be expected?

It is symlinked to start:

# ls -l /etc/rc.d|grep fire
lrwxrwxrwx    1 root     root            18 Feb  7 11:05 S19firewall -> ../init.d/firewall

jow · February 7, 2022, 5:26pm

Can you provide a complete logread output after boot?

darksky · February 7, 2022, 5:33pm

I am happy to. I think the log will disclose my public IP which I will sanitize. Are there any other piece of data that might be a privacy breach you can think of in the log? I do not believe it will include my wireguard interface client keys.

jow · February 7, 2022, 5:39pm

Can't think of any, but depends on your system configuration, installed package etc. You could just PM it to me if you like.

darksky · February 7, 2022, 5:48pm

Done, had to split it into 2 parts due to character limit.

jow · February 7, 2022, 5:58pm

Thank you, please run the following command, then reboot and see if it works then:

sed -i -e 's#\tstart_service#\tstart#' /etc/init.d/firewall

(That sed script will replace the start_service call in the final boot() procedure with just start).

darksky · February 7, 2022, 6:20pm

Before I try that, I should clarify. I think the reboot is a distraction.

I have this existing rule:

config rule
  option src 'lan'
  option target 'REJECT'
  option name 'Deny WAN access'
  option dest 'wan'
  list proto 'all'
  list src_ip '10.9.8.100'

I want to test the fw4, so I did this:

Luci>Network>Firewall>Traffic Rules
Edit my blocking WAN rule to add the IP address 10.9.8.112 to the rule
Hit save then hit save and apply

Upon doing that, I can still access the WAN from 10.9.8.112. I therefore concluded that fw4 (or the luci interface) was broken somehow.

In order to have the rule take effect I need to reload the firewall.

/etc/init.d/firewall reload

The same is true if I delete the 10.9.8.112 IP and hit save then save and apply. LuCi updated to show that IP was removed, but WAN access is still denied on that device. Again, I had to reload the firewall.

Thoughts?

jow · February 7, 2022, 6:21pm

This is because the firewall service is not properly registered on boot, so the reload actions do not work until you stopped/started the init script at least once. The sed fix above should solve that.

darksky · February 7, 2022, 6:42pm

You are correct. Running that sed onliner, then rebooting causes fw4 to behave as expected. I further tested by editing the rule to remove 10.9.8.112, save, then save and apply behave as expected. Did you edit the affected upstream code? I assume the issue will affect other users as well.

jow · February 7, 2022, 6:53pm

Yes, I am preparing some other fixes as well and will push an update later.

darksky · February 7, 2022, 7:08pm

Thanks for your help to troubleshoot this and for all your contributes to this project

system · February 17, 2022, 7:09pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.