How to disable default fw4 rules

I've recently been practicing creating my own nftables rules for OpenWrt.

If my rules are correct for my network, then my firewall should no longer need the "ct state established,related" rules. If I missed something, I can always restore the fw4 backup I made.

In the /etc/config/firewall documentation there is an option to disable synflood protection and also disable the ct invalid rule.

How do I disable only the "ct state established, related" rules in each of the main INPUT, FORWARD, and OUTPUT chains? (see attached screenshot)

Thank you.

The first ct state rule is hardcoded, so it can’t be turned off without running a script to delete it by handle.

The second ct state rule (invalid) can be disabled on the firewall main page for dropping invalid packets.

Or you can hack /usr/share/firewall4/templates/ruleset.uc and comment out the rules that you don't want generated. If you do this, make sure to run fw4 check to do the obvious syntax check, and then fw4 print so you can verify what you did, before you reload them...

Edit: Note that these changes will be wiped out with any upgrades...
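
The delete-by-handle approach from the first reply, written out as an added example (not code from the thread or from the fw4 project). It assumes the OpenWrt default table `inet fw4` with chains `input`, `forward` and `output`; the sample `nft -a` listing is constructed so the parser can be exercised without a router.

```shell
#!/bin/sh
# Added example: remove fw4's hardcoded "ct state established,related accept"
# rule from the input, forward and output chains by handle.
# Assumption: default table "inet fw4" and those three chain names.

# Read "nft -a list chain ..." output on stdin and print the handle of the
# first "ct state established,related" rule; prints nothing if none exists.
ct_rule_handle() {
    # nft -a suffixes every rule line with "# handle N"
    sed -n 's/.*ct state established,related[^#]*# handle \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Delete that rule from one chain. Returns 1 when the rule is absent so the
# caller can tell "already gone" from "deleted".
delete_ct_rule() {
    chain="$1"
    handle=$(nft -a list chain inet fw4 "$chain" | ct_rule_handle)
    if [ -z "$handle" ]; then
        echo "no established,related rule in inet fw4 $chain" >&2
        return 1
    fi
    nft delete rule inet fw4 "$chain" handle "$handle"
    echo "deleted inet fw4 $chain handle $handle"
}

# Apply to the three base chains. fw4 regenerates its whole ruleset on
# 'fw4 reload' or reboot, so these deletions do not persist.
delete_all_ct_rules() {
    for chain in input forward output; do
        delete_ct_rule "$chain" || true
    done
}

# Constructed sample of 'nft -a list chain inet fw4 input' output (rule set
# abbreviated), used to check the parser offline.
SAMPLE_INPUT='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback" # handle 3
		ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 4
		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack entries" # handle 6
	}
}'

# On the router: delete_all_ct_rules
# Offline check against the sample, prints 4:
printf '%s\n' "$SAMPLE_INPUT" | ct_rule_handle
```

Run `fw4 print` afterwards to confirm the rules are gone from the live ruleset.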

May I ask out of curiosity why you do not want established,related rules?
