I have been using OpenWRT for many years on my Mi 3g and everything was super until I moved from 19.x to 23.05.
I am not able to manage the firewall... I would like to build my nft rules from scratch, as I did with iptables in the 19.x firmware, but I have the feeling that I need to go via the luci-app and fw4.
If I write my firewall rules from scratch directly in /etc/config/firewall and do a service firewall reload, I can see the FW4 table reappearing!
If you are able to express your envisioned ruleset in uci form, using /etc/config/firewall, fw4 takes the same configuration as input as fw3 did before (with very, very minimal restrictions).
If you really want to apply your own free-form iptables or nftables rulesets, without interaction from fw3/fw4, /etc/config/firewall is the wrong place to do that (and has always been). In this case you'd probably disable/remove fw3/fw4 altogether and integrate your own policies as you desire. This isn't exactly going to be trivial, if you want to keep using luci and lose all the behind-the-scenes interaction between netifd, fw4 and hotplug events - but that would be the price you'd have to pay for doing it differently.
The first one is the inexistence of a failback mode, but I made a workaround by using a script; now I have to write the rules myself and respect the fw4 standard, but at least I found a way to make an automatic revert.
For the second point, I haven't found a solution yet.
I would like to log all dropped packets by using ulogd.
Where did you look?
Why use ulogd instead of syslog?
It would probably be better to run an external log server for you instead of rebuilding the whole OpenWrt to reinvent the wheel all over the place and then asking why it doesn't work?
Port knocking: I don't really see a way to handle that with any firewall without pulling the WAN connection. That is pretty much the world outside as it is.
But what is the actual issue with the port knocking? Besides the knowledge from the firewall log that it happens?
Finally, I found a "solution": I dropped everything from /usr/share/firewall4/templates/ruleset.uc and just left the include "/etc/nftables.d/*.nft".
I also found a way to manage the port knocking:
    # Placeholder: the set of ports protected by the knock sequence (value not given in the post).
    define guarded_ports = { GUARDED_PORT }

    # The enclosing table is not shown in the post; "portknock" is an assumed name.
    table inet portknock {
        # Sources that completed the full knock sequence; entries expire 10s after the last knock.
        set clients_ipv4 {
            type ipv4_addr
            flags timeout
        }
        # Source address paired with the next port it is expected to knock on.
        set candidates_ipv4 {
            type ipv4_addr . inet_service
            flags timeout
        }
        chain input {
            # Policy accept: anything not matched below passes through this chain.
            type filter hook input priority -10; policy accept;
            iifname "lo" return
            # Each correct knock registers the source for the following port, valid for 1s.
            iifname wan tcp dport PORT_1 add @candidates_ipv4 { ip saddr . PORT_2 timeout 1s }
            iifname wan tcp dport PORT_2 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . PORT_3 timeout 1s }
            iifname wan tcp dport PORT_3 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . PORT_4 timeout 1s }
            # Final knock: admit the source for 10s and log it.
            iifname wan tcp dport PORT_4 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10s } log prefix "Successful portknock: "
            # Guarded ports: open for admitted sources and existing connections, otherwise reset.
            iifname wan tcp dport $guarded_ports ip saddr @clients_ipv4 counter accept
            iifname wan tcp dport $guarded_ports ct state established,related counter accept
            iifname wan tcp dport $guarded_ports counter reject with tcp reset
        }
    }
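The automatic revert mentioned in the third post is not shown in the thread. The following is an added example (not the poster's script, nor part of fw4) of how such a failsafe can be done for a hand-written nft ruleset: syntax-check the new file, save the running ruleset, load the new one in a single transaction, and restore the saved ruleset unless a confirmation file is created within the timeout. The paths, the confirmation-file mechanism and the NFT override are assumptions.

```shell
#!/bin/sh
# Failsafe loader for a hand-written nft ruleset (constructed example).
# NFT can be overridden to point at a different binary, e.g. for testing.
NFT="${NFT:-nft}"
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/nft-confirm}"

# Syntax-check the new ruleset without loading it. Returns nft's exit status.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# Dump the currently loaded ruleset to a file so it can be restored later.
save_ruleset() {
    "$NFT" list ruleset > "$1"
}

# Replace the live ruleset in one transaction: flush and load together,
# so a failure in the new file leaves the old rules untouched.
load_ruleset() {
    { printf 'flush ruleset\n'; cat "$1"; } | "$NFT" -f -
}

# Signal that the new rules work (run this from a fresh session).
confirm_ruleset() {
    : > "$CONFIRM_FILE"
}

# Load $1; unless confirm_ruleset is called within $2 seconds, restore the
# saved ruleset. Returns 0 if confirmed, 1 on check/load error, 2 if reverted.
apply_with_revert() {
    new="$1"; timeout="$2"; backup="${3:-/tmp/nft-backup.nft}"
    check_ruleset "$new" || return 1
    save_ruleset "$backup" || return 1
    rm -f "$CONFIRM_FILE"
    load_ruleset "$new" || return 1
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    load_ruleset "$backup"   # no confirmation: fall back to the previous rules
    return 2
}
```

Run `apply_with_revert /etc/nftables.d/new.nft 60 &` from the current session, open a new connection and call `confirm_ruleset` before the 60 seconds elapse; if the new rules lock you out, the previous ruleset comes back by itself.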