Bad firewall got me locked out

Did you mount the filesystem as r/w? If not, you're likely working on the ROM partition (which obviously can't be updated). You also need to commit your changes in UCI.

1 Like

I did xd (I didn't know what mount_root does until you commented, but I figured if it's in the failsafe guide then it's probably good to use)

Anyways... I followed the advice and tried firewalling again - I've set forward to REJECT and output to REJECT, but the internet still remains o.o (lan > wan zone)

Are you running normally (i.e. not in failsafe; booted with your normal config)? Even if it is not doing what you want, are you at least able to use the router normally?

Are you running normally (i.e. not in failsafe; booted with your normal config)? Even if it is not doing what you want, are you at least able to use the router normally?

Yes, back in the LuCI web interface

I already issued those 3 commands from above, then uci commit firewall and reboot

I followed the advice and tried firewalling again - I've set forward to REJECT and output to REJECT, but the internet still remains o.o (lan > wan zone)

Maybe I should reboot the firewall for the changes to take effect? I only pressed save and apply (but then again, back when I was locked out that was enough... and now I can't really take down the internet to test)

If you want to cut off internet access from the LAN, simply remove the lan > wan forwarding:

config forwarding
	option src 'lan'
	option dest 'wan'
1 Like
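The section the reply above says to remove is an ordinary UCI stanza in /etc/config/firewall. The following shell script is an added example, not code from the thread or from OpenWrt: it takes a constructed firewall config in the same syntax, checks whether a lan -> wan forwarding section exists, and prints the config with that section removed, using only awk so it runs on any machine. The function names `drop_forwarding` and `has_forwarding` and the sample config `SAMPLE_FW` are this example's own; the UCI commands in the trailing comment are the ones a router would use instead.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and strip the lan -> wan
# forwarding section of an OpenWrt-style firewall config, offline, with awk.

# Constructed sample config in UCI syntax (values quoted as in the thread).
SAMPLE_FW="config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
"

# usage: drop_forwarding SRC DEST < config
# Prints the config with every 'config forwarding' section whose src/dest
# match removed; all other sections are passed through byte for byte.
drop_forwarding() {
    awk -v want_src="$1" -v want_dest="$2" -v q="'" -v dq='"' '
    function flush() {
        if (!(type == "forwarding" && src == want_src && dest == want_dest))
            printf "%s", buf
        buf = ""; type = ""; src = ""; dest = ""
    }
    function unquote(v) { gsub(q, "", v); gsub(dq, "", v); return v }
    /^config[ \t]/                 { flush(); type = $2 }      # new section
    /^[ \t]+option[ \t]+src[ \t]/  { src  = unquote($3) }
    /^[ \t]+option[ \t]+dest[ \t]/ { dest = unquote($3) }
    { buf = buf $0 "\n" }                                      # buffer section
    END { flush() }'
}

# usage: has_forwarding SRC DEST < config ; succeeds if a matching section exists
has_forwarding() {
    cfg=$(cat)
    [ "$(printf '%s\n' "$cfg" | drop_forwarding "$1" "$2")" != "$cfg" ]
}

# Demonstration on the constructed config.
if printf '%s' "$SAMPLE_FW" | has_forwarding lan wan; then
    echo "lan -> wan forwarding present: LAN clients can reach the Internet"
fi
NEW_FW=$(printf '%s' "$SAMPLE_FW" | drop_forwarding lan wan)
printf '%s\n' "$NEW_FW" | has_forwarding lan wan || echo "lan -> wan forwarding removed"

# On the router itself the same removal is done with UCI, not awk
# (not executed here; check the section index before deleting):
#   uci show firewall | grep forwarding     # e.g. firewall.@forwarding[0]
#   uci delete firewall.@forwarding[0]
#   uci commit firewall
#   /etc/init.d/firewall reload
```

The zone stanzas are left untouched, which is the point the replies make: the lan zone keeps forward/input/output as they are, and only the forwarding between zones goes away.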

To stop Internet on LAN:

  • You click "Edit" on the LAN row (i.e. to edit the LAN zone)

(screenshot: screen135)

  • Browse to "Allow forward to destination zones"; and
  • Uncheck WAN

(screenshot: screen134)

  • Save and Apply

(It seems like you were accidentally editing the FORWARD parameters between interfaces on LAN and not LAN-to-WAN forwarding.)

1 Like

Yeah this one

Ty, I found what you're talking about

I don't know how to apply this without taking down the firewall for a reset (which would kill internet for everyone?)

I showed you: Bad firewall got me locked out - #12 by lleachii

Excellent!

(Then just use the web GUI.)

Leave the lan zone as:
forward = accept
input = accept
output = accept

Then edit the lan zone and remove the "wan" zone from the "allow forward to" section.

1 Like

Thanks, I meant this one:

config forwarding
	option src 'lan'
	option dest 'wan'

It's supposed to be changed in /etc/config/firewall?

Anyways, let me try via LuCI, thanks for all the help, guys!

LuCI is just a front-end for the UCI commands that ultimately edit the text configuration files... it's all the same.

2 Likes

As @psherman noted, you can:

  • use the LuCI web GUI; or
  • the command line to edit the firewall file

In any case, you're editing the same thing.

1 Like

Oh, so just changing /etc/config/firewall would have it update the firewall rules instantly?

I already managed to set it up via LuCI btw :heart:

1 Like

No, on command line, you must:

  • Save the file
  • Exit the file editor
  • Run /etc/init.d/firewall reload

(i.e. Save and Apply)

2 Likes

This doesn't kill the internet while it reloads the firewall? (Does that mean going over to Startup and pressing reset on the firewall wouldn't either?)

I've tested, and the LuCI interface doesn't kick you out of an online game while it applies firewall changes to a different zone

You confused me. Please clarify your question.

???

If you edited and saved the firewall file, yes, it'll be configured to whatever you saved (you're describing the behavior of editing and saving a file - perhaps I'm missing something).

The router will reboot with the config saved in /etc/config/firewall.

Not sure what you're saying.

Are you having some further issue?

(Does that mean going over to Startup and pressing reset on the firewall wouldn't either?)

Granted I am a newb at all things Linux related, I thought a reload of the rules kills the firewall service and then resets...

Not sure what you're saying.

Are you having some further issue?

No, all is good :hugs: I am just curious as to how the firewall updates its rules without placing a hold on all traffic while it's doing so hmm

That appears to be on another web page called System > Startup. The screenshot you posted is unrelated to the issue and the instructions provided by everyone above. It's also unrelated to your inquiry on "reset" buttons.
For Wikis on what the Startup page is:

In any case, I would not suggest using this button to restart the firewall - I would use the "Save & Apply" button (as noted above a few times) - on the page where you made any edits.

It doesn't, it reloads your new configs (i.e. you save/apply).

:laughing: Yeah sorry, let's not flood the thread with random stuff at the end.. my bad

Anyways thanks again for helping out

1 Like

Hey there. I followed the thread along, and you're back on track as it seems. But maybe one additional note on how to change network configuration:

Especially for beginners, I suggest always changing interface configuration as well as firewall configuration via the web UI.

Once you hit "apply", this is what happens:

  • Your changes get written to the config files
  • All necessary processes get reloaded
  • A timer starts that waits for a couple of seconds and then expects the browser to confirm it's still able to communicate with the web UI.
  • If that's no longer possible, settings are reverted
  • And you get a popup asking to confirm if you want to change those settings anyway.

The last couple of steps would have saved you from being locked out, since the router would have detected that situation and reverted your config.

1 Like
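The apply-then-confirm-or-revert sequence described in the post above is a general "commit-confirm" pattern, and it is what protects you from exactly the lockout this thread started with. The script below is an added example, not LuCI's or OpenWrt's own code: it reduces the pattern to a shell function that works on an ordinary file so it can be run anywhere. The function name `apply_with_rollback` and the `CONFIRM_CMD` parameter are this example's own; in LuCI the confirmation is an HTTP request from the browser to the web UI, and here a command standing in for it (`true` or `false`) plays that role.

```shell
#!/bin/sh
# Added example (not OpenWrt's or LuCI's code): write a new config, wait for
# the client to confirm it is still reachable, and revert if it never does.

# usage: apply_with_rollback CONFIG NEW_CONTENT TIMEOUT_SECS CONFIRM_CMD
# Writes NEW_CONTENT to CONFIG, then polls CONFIRM_CMD once per second for
# up to TIMEOUT_SECS. Returns 0 and keeps the change once CONFIRM_CMD
# succeeds; otherwise restores the previous content and returns 1.
apply_with_rollback() {
    cfg=$1; new=$2; timeout=$3; confirm=$4
    backup="$cfg.rollback"
    cp "$cfg" "$backup"                  # keep the last known-good config
    printf '%s\n' "$new" > "$cfg"        # apply the change
    # On a router a service reload would follow here, e.g.
    # /etc/init.d/firewall reload (not run in this example).
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if sh -c "$confirm"; then        # stand-in for "browser still reachable?"
            rm -f "$backup"              # confirmed: the change stays
            return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    mv "$backup" "$cfg"                  # nobody confirmed in time: revert
    return 1
}

# Demonstration on a temporary file standing in for /etc/config/firewall.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "option forward 'ACCEPT'" > "$tmp"
    # 1) A rule that cuts the admin off: the client never confirms, so after
    #    2 s the old content is back.
    apply_with_rollback "$tmp" "option forward 'REJECT'" 2 false \
        || echo "reverted to: $(cat "$tmp")"
    # 2) A harmless rule: the client confirms at once, so the change is kept.
    apply_with_rollback "$tmp" "option forward 'REJECT'" 2 true \
        && echo "kept: $(cat "$tmp")"
    rm -f "$tmp"
}
demo
```

The backup copy is what makes the revert possible, so the function only deletes it after a successful confirmation; if the process is interrupted mid-way the `.rollback` file is still there to restore by hand.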