FW4 and nightmare

Hello All,

I have been using OpenWRT since many years on my Mi 3g and everything was super until I moved from 19.x to the 23.05.

I am not able to manage the firewall... I would like to build from scratch my nft rules as I made it with iptable into the 19.x firmware but I have the feeling that I need to pass via the luci-app and fw4.

If I am writing my firewall rules from scratch directly in /etc/config/firewall and I made a service firewall reload I can see FW4 table is reappearing !

Do you have any solution to use nft without fw4 ?


If you are able to express your envisioned ruleset in uci form, using /etc/config/firewall, fw4 takes the same configuration as input as fw3 did before (with very, very minimal restrictions).

If you really want to apply your own free-form iptables or nftables rulesets, without interaction from fw3/ fw4, /etc/config/firewall is the wrong place to do that (and has always been). In this case you'd probably disable/ remove fw3/ fw4 altogether and integrate your own policies as you desire. This isn't exactly going to be trivial, if you want to keep using luci and lose all the behind-the-scences interaction between netifd, fw4 and hotplug events - but that would be the price you'd have to pay for doing it differently.


In fact, I have two main awkward:

  • the first one is the inexsticence of a failback mode but I made a workaround by using a script, now , I have to write the rules by myself and to respect the fw4 standard but at least I found a way to make an automatic revert.

  • For the second point, I don't yet find a solution.
    I would like to log all dropped packet by using ulogd

Why can’t you simply turn on the logging of the zone you are interested in?

1 Like

What is a firewall failback mode?

1 Like

A way to restore automatiquelly an well know ruleset if nothing go wrong with a new one.

For the log, I found nothing regarding the mapping with ulogd.

How do you know that the new firewall config failed and failback is needed?

But in practical terms this is the same as run config change but without commit changes. And reboot if it spins out of control.

Where did you look?
Why use ulogd instead of syslog?

It would probably be better to run external log server for you instead of rebuild the whole OpenWrt to reinvent the wheel all over the place and then ask why it doesn’t work?

The goal is to forward the logs to loki, that why I made the update to the 23.05.
But I think I will do a rollback to 19.

I don't like the way to manage the firewall rules and I don't find a way to manage port knocking...

Port knocking, I don’t really see a way to handle that with any firewall without pulling the wan connection. That is pretty much the world outside as-it-is.

But what is the actual issue with the port knocking? Besides the knowledge from the firewall log that it happens?

Finally, I found a " solution " , I dropped everything from /usr/share/firewall4/templates/ruleset.uc and just let include "/etc/nftables.d/*.nft"
Also I found a way to manage the port knocking :slight_smile:

       set clients_ipv4 {
                type ipv4_addr
                flags timeout

        set candidates_ipv4 {
                type ipv4_addr . inet_service
                flags timeout

        chain input {
                type filter hook input priority -10; policy accept;

                iifname "lo" return

                iifname wan tcp dport PORT_1 add @candidates_ipv4 {ip  saddr . PORT_2 timeout 1s}
                iifname wan tcp dport PORT_2 ip  saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip  saddr
 . PORT_3 timeout 1s}
                iifname wan tcp dport PORT_3 ip  saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip  saddr
 . PORT_4 timeout 1s}
                iifname wan tcp dport PORT_4 ip  saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip  saddr tim
eout 10s} log prefix "Successful portknock: "

               iifname wan tcp dport $guarded_ports ip  saddr @clients_ipv4 counter accept
               iifname wan tcp dport $guarded_ports ct state established,related counter accept

               iifname wan tcp dport $guarded_ports counter reject with tcp reset


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.