Firewall rules not reloading

I have run https-dns-proxy. Simply installing it via opkg seems to actually modify the configuration of fw3 and dnsmasq.

The following code seems to be adding a rule to the configuration of fw3

        # Fragment of the package init script: each entry is pushed to fw3 as
        # a firewall rule; $c is the DNS port set earlier in the script
        json_add_object ""
        json_add_string type rule
        json_add_string src lan
        json_add_string dest "*"
        json_add_string proto "tcp udp"
        json_add_string dest_port "$c"
        json_add_string target REJECT
        json_close_object

I do not have a lan network. So this rule fails. I observe this warning, which tells me this rule is in memory somewhere:

        root@OpenWrt:~# fw3 print
        Warning: Warning: ubus rule (ubus:https-dns-proxy[main] rule 1) refers to not existing zone 'lan'
        Warning: Warning: ubus redirect (ubus:https-dns-proxy[main] redirect 0) refers to not existing zone 'lan'

I do not know where this rule is. I have checked all the places I could think of, and it does not appear in any of them. Here's what I checked:

  • /etc/config/firewall
  • /etc/firewall.user
  • uci show firewall
  • ubus call uci get '{ "config": "firewall", "type": "rule" }'
  • iptables -L

Equally worrying, this warning still exists after I perform a fw3 reload and a fw3 restart.

So it seems that not only does this rule exist in a place that I cannot see, but also I cannot get rid of it. I find it worrying because I like to be able to see the exhaustive list of rules that my firewall is using.

Can anyone let me know where such a rule lives? And how to get rid of all unseen rules?
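As an added example (not from this thread or from the https-dns-proxy package): a small Python script that reproduces the zone check behind the `fw3 print` warning. It assumes that fw3 picks such rules up from `ubus call service list`, under `instances.<name>.data.firewall` of the procd service that registered them (an assumption here, not stated in the thread); the service listing and the firewall config below are constructed samples.

```python
import json

# Constructed `ubus call service list` output for a procd service that registered
# firewall entries with json_add_*; entry "rule 1" mirrors the init script snippet.
SERVICE_LIST = json.loads("""
{"https-dns-proxy": {"instances": {"main": {"running": true, "data": {"firewall": [
  {"type": "rule", "src": "guest", "dest": "wan", "proto": "tcp udp",
   "dest_port": "53", "target": "REJECT"},
  {"type": "rule", "src": "lan", "dest": "*", "proto": "tcp udp",
   "dest_port": "53", "target": "REJECT"},
  {"type": "redirect", "src": "lan", "proto": "tcp udp",
   "src_dport": "53", "target": "DNAT"}
]}}}}}
""")

# Constructed /etc/config/firewall that, as in the question, has no 'lan' zone.
FIREWALL_CONFIG = """
config zone
    option name 'wan'
    option input 'REJECT'
config zone
    option name 'guest'
"""


def zones_from_uci(text):
    """Collect the zone names declared in a UCI firewall config."""
    zones, section = set(), None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "config":
            section = parts[1]
        elif section == "zone" and len(parts) >= 3 and parts[:2] == ["option", "name"]:
            zones.add(parts[2].strip("'\""))
    return zones


def check_ubus_rules(service_list, zones):
    """Return one warning per ubus-provided entry whose src/dest zone is undefined.

    Entries are numbered per type (rule 0, rule 1, redirect 0, ...), matching
    the '(ubus:<service>[<instance>] <type> <n>)' form fw3 prints; fw3 adds the
    'Warning:' prefix itself. '*' is a wildcard and never needs a zone."""
    warnings = []
    for service, svc in service_list.items():
        for inst_name, inst in svc.get("instances", {}).items():
            counters = {}
            for entry in inst.get("data", {}).get("firewall", []):
                kind = entry.get("type", "rule")
                idx = counters.get(kind, 0)
                counters[kind] = idx + 1
                for key in ("src", "dest"):
                    zone = entry.get(key)
                    if zone and zone != "*" and zone not in zones:
                        warnings.append(f"ubus {kind} (ubus:{service}[{inst_name}] "
                                        f"{kind} {idx}) refers to not existing zone '{zone}'")
    return warnings
```

On a real router the same check is done by fw3 against the live `ubus call service list` output, which is why the entries never show up in `/etc/config/firewall` or `uci show firewall`.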

Then it's not anywhere. You just saw an error when loading. As you can see, the rule is to stop the traffic (DNS???) from going to WAN. If that doesn't concern you, you may simply ignore it and not create a valid rule, make your own, etc.

:confused:

Do you have a lan firewall zone?

EDIT - Similar/possible duplicate:


My two questions arise from the same underlying cause, but they tackle two different issues: in one it is more of a development question (how does the code push the configuration), in the other I enquire how to appropriately reload the firewall (a usage/configuration issue).

I am not sure I agree with that. I don't think it's good practice to just ignore warnings without understanding precisely what's going on. In this case, this warning highlighted that there are hidden parts of the firewall configuration that I am not able to visualize or remove. I need to remediate that.

:open_mouth: WHAT?!?!
Ummmm, you said the rule was somewhere...

I stated it isn't...then you said not to ignore the error...?

:confused:

So we agree it's an error and the rule does not exist, cool.

Also, didn't you look at the code? (meaning, you already know - as in, you showed us already in 2 threads)

/etc/init.d/firewall reload

(I'm sure that info is in the Wiki - unless you're relating specifically to this proxy code, then the Developers section is best.)

I'm confused as to why you are further troubleshooting an informational error/warning when you know why it's occurring (you know you don't have LAN and so it fails)...you also know what the rule does, so you can create it in your special case...so perhaps others can help you on that...or maybe you're not...I hope the best on your endeavor (it seems to me like you identified everything, though)...
