Fw4 update question

Hello,
I apologize if my question is obvious. I am really no networking expert.
I just updated fw4 from 2022-10-14-4fbf6d75-1 to 2022-10-18-7ae5e14b-1.
I got the following warnings, which worry me:

Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @redirect[1] (RDP) is disabled, ignoring section
Section @redirect[2] (InfluxDB) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

I believe the issues are related to this section of my firewall config file

config redirect
        option target 'DNAT'
        option name 'Home assistant'
        option src 'wan'
        option dest 'lan'
        option dest_ip 'XXX.XXX.X.XXX'
        option dest_port 'XXXX'
        option src_dport 'XXX'

config redirect
        option target 'DNAT'
        option name 'RDP'
        option src 'wan'
        option src_dport 'XXX'
        option dest 'lan'
        option dest_ip 'XXX.XXX.X.XXX'
        option dest_port 'XXX'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'InfluxDB'
        option src 'wan'
        option src_dport 'XXX'
        option dest 'lan'
        option dest_ip 'XXX.XXX.X.XXX'
        option enabled '0'
        option dest_port 'XXX'

These were generated via the LuCI UI quite a while ago. I am wondering what I need to do for these instructions to be taken into account by the new fw4. Thanks a lot.

config include
        option path '/etc/firewall.user'

is no longer supported with fw4, if you don't need it, remove those two lines - if you do, translate it to nftables instead.

The other messages are not a bug, just pointing out that you had those rules defined, but disabled - if you want them to be enabled, drop option enabled '0' (or toggle 0 to 1).

1 Like

Thanks a lot. I've made the corrections you recommended. Is there a script I can run on my /etc/config/firewall to make sure it does not have any more errors?

I think restarting the firewall just does the trick. Thanks again for your help.

/etc/init.d/firewall reload should do that, just be aware that warnings aren't necessarily errors - and the messages about disabled rules are a bit of a misnomer, as there are valid reasons for having rules defined, but not (always) enabled.

2 Likes
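As an added example (not code from anyone in this thread, nor from OpenWrt), here is a small POSIX shell lint that reads a UCI firewall file and reports the two things the warnings quoted above point at: sections carrying option enabled '0' (which fw4 skips, and which is not an error) and config include sections without option fw4_compatible '1' (which fw4 ignores). The sample config it writes is constructed to mirror the poster's file, with documentation addresses and made-up ports. It is a read-only check to help read the warnings; the real validation is still fw4 check or /etc/init.d/firewall reload, which validate the ruleset fw4 actually generates.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: a read-only lint of
# a UCI firewall file that reports the two conditions behind the fw4 warnings
# quoted in the thread. It does not replace `fw4 check`.

# lint_fw_config FILE
# Prints one line per finding. Returns 0 when there is nothing to report,
# 1 when fw4 would ignore at least one section.
lint_fw_config() {
    findings=$(awk -v q="'" '
        # Report the section collected so far, then reset the per-section state.
        function flush() {
            if (type == "") return
            if (enabled == "0")
                printf "disabled: %s section %s is ignored by fw4 (drop option enabled 0 to activate it)\n", type, name
            if (type == "include" && compat != "1")
                printf "include: %s is ignored by fw4 (remove it, or port it to nftables and mark it fw4_compatible 1)\n", path
            type = ""
        }
        $1 == "config" {
            flush()
            type = $2; name = "(unnamed)"; enabled = ""; compat = ""; path = "(no path)"
        }
        $1 == "option" {
            # The value is everything after the option name, with surrounding
            # quotes and trailing whitespace removed, so names with spaces survive.
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub("^" q, "", val); gsub(q "$", "", val)
            if ($2 == "name") name = val
            else if ($2 == "enabled") enabled = val
            else if ($2 == "fw4_compatible") compat = val
            else if ($2 == "path") path = val
        }
        END { flush() }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_config FILE: constructed sample in the shape of the poster's
# /etc/config/firewall, using documentation addresses (192.0.2.0/24) and
# made-up ports; not anyone's real configuration.
write_sample_config() {
    cat > "$1" <<'EOF'
config redirect
        option target 'DNAT'
        option name 'Home assistant'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.0.2.10'
        option dest_port '8123'
        option src_dport '8123'

config redirect
        option target 'DNAT'
        option name 'RDP'
        option src 'wan'
        option src_dport '3389'
        option dest 'lan'
        option dest_ip '192.0.2.11'
        option dest_port '3389'
        option enabled '0'

config include
        option path '/etc/firewall.user'
EOF
}

# Stand-alone run: lint the constructed sample. Expected findings are the
# disabled RDP redirect and the include without fw4_compatible 1; the
# enabled Home assistant redirect is not reported.
cfg=$(mktemp)
write_sample_config "$cfg"
lint_fw_config "$cfg" || echo "fw4 would ignore the sections listed above"
rm -f "$cfg"
```

To run it against a live router file, call lint_fw_config /etc/config/firewall after sourcing the script; it handles both quoted and unquoted option values and named sections (config redirect 'foo'), but it does not evaluate list entries or anything else UCI accepts, which is why fw4 check remains the authority.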

Just for posterity... Since I do customizations beyond what LuCI provides, I use the following, but if you don't have any includes, @slh's solution is best.

$ fw4 check
Automatically including '/usr/share/nftables.d/table-pre/10-doh_sets.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat_lan/90-redirect.nft'
Ruleset passes nftables check.
1 Like
