How to Specify Firewall Rule Order

config rule
	option name 'Allow-500'
	option src 'wan'
	option src_ip '100.1.0.0/24'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Drop-500'
	option src 'wan'
	option src_ip '100.1.0.200'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'DROP'

How do I specify the order of firewall rules? For example, if I want Drop-500 to be ranked before Allow-500, can that only be achieved by editing /etc/config/firewall to reorder the rules? Is there an option parameter that can directly specify the order?

Yes - just move it above.

In LuCI - they can simply be moved. By command line, I'm not sure - maybe someone else can reply.


It is possible to move them in LuCI, but in essence the rule sequence should be regenerated. It is inconvenient without LuCI.

You can rearrange the order of the rules in /etc/config/firewall. The higher a rule is in the file, the earlier it will be matched against a packet.

Usage: uci [<options>] <command> [<arguments>]

Commands:
	reorder    <config>.<section>=<position>

uci reorder firewall.@rule[6]=0

thanks!

The uci command line and LuCI just make directly editing /etc/config/firewall more efficient as a way of adjusting the order. The disadvantage of this approach is that I have to remember the position of the target rule, which is not so convenient if there are many rules. Would it be more accurate to add an option that directly specifies the before/after order?
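As an added example that is not part of the thread: the uci reorder approach from the reply above, scripted so that rules are looked up by their option name rather than by a remembered position. In the posted configuration Drop-500 can never match, because fw3/fw4 emit rules in file order and Allow-500, which accepts the same UDP/500 packets from 100.1.0.0/24, is evaluated first; the more specific DROP has to come before the broader ACCEPT. Two details matter when doing this from the command line: the position `uci reorder` takes counts every section in /etc/config/firewall (defaults, zones, forwardings and rules alike), so `firewall.@rule[6]=0` puts that rule above `config defaults` rather than merely first among the rules; and `uci reorder` only stages the change, so nothing is applied until `uci commit firewall` and a firewall reload. The script assumes OpenWrt's uci tool and /etc/init.d/firewall; the `uci show firewall` output embedded in it is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: reorder an OpenWrt firewall rule by
# name instead of by remembered position. Only move_rule_before touches the
# router; everything else is text processing over `uci show` output so it
# can be dry-run anywhere. Assumes OpenWrt's uci and /etc/init.d/firewall
# (fw3 or fw4).

# Print the N of the @rule[N] whose "option name" equals $1. Reads
# `uci show firewall` output on stdin; accepts quoted (current uci) and
# unquoted (older uci) values. $1 must not contain sed metacharacters.
rule_index() {
	sed -n "s/^firewall\.@rule\[\([0-9]*\)\]\.name='\{0,1\}$1'\{0,1\}\$/\1/p" \
		| head -n 1 | grep .
}

# Print the 0-based position of section $1 (e.g. @rule[1]) counting ALL
# sections of the file (defaults, zones, forwardings, rules ...), because
# that is the position `uci reorder` expects, not a per-type index.
# Section lines are the ones with no option name between the sid and "=".
section_position() {
	sed -n 's/^firewall\.\([^.=]*\)=.*/\1/p' \
		| awk -v sid="$1" '$0 == sid { print NR - 1; found = 1; exit } END { exit !found }'
}

# Print the "<section>=<position>" argument that moves rule $1 so that it
# sits immediately before rule $2. Reads `uci show firewall` on stdin.
reorder_arg() {
	show=$(cat)
	src=$(printf '%s\n' "$show" | rule_index "$1") || { echo "no rule named '$1'" >&2; return 1; }
	dst=$(printf '%s\n' "$show" | rule_index "$2") || { echo "no rule named '$2'" >&2; return 1; }
	pos=$(printf '%s\n' "$show" | section_position "@rule[$dst]") || return 1
	# uci unlinks the moved section first, so a target further down the
	# file shifts up by one before the insertion happens.
	if [ "$src" -lt "$dst" ]; then pos=$((pos - 1)); fi
	echo "@rule[$src]=$pos"
}

# Apply on the router: stage, commit, then regenerate and load the ruleset.
# `uci reorder` alone changes nothing until it is committed and reloaded.
move_rule_before() {
	arg=$(uci show firewall | reorder_arg "$1" "$2") || return 1
	uci reorder "firewall.$arg" \
		&& uci commit firewall \
		&& /etc/init.d/firewall reload
}

# Constructed sample of `uci show firewall` output (abridged): the two rules
# from the question behind one default rule, plus the sections that precede
# them in a stock config. Used only for the dry run below.
sample_show() {
	cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-500'
firewall.@rule[1].src_ip='100.1.0.0/24'
firewall.@rule[2]=rule
firewall.@rule[2].name='Drop-500'
firewall.@rule[2].src_ip='100.1.0.200'
EOF
}

# Dry run: Drop-500 is @rule[2]; Allow-500 is @rule[1] at overall position 5,
# so the command that would be staged is "uci reorder firewall.@rule[2]=5".
echo "uci reorder firewall.$(sample_show | reorder_arg Drop-500 Allow-500)"
```

On the router the whole operation is `move_rule_before Drop-500 Allow-500`; `uci changes firewall` between the reorder and the commit shows the staged move, and `uci show firewall | grep name` afterwards confirms the new order before the reload takes effect.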