Is there a way to script enabling / disabling a FW-Traffic Rule?

Here's what I'm trying to accomplish... I have a rule that causes all traffic to drop for a given device, in this case, an iPad.

I'd like to be able to script a simple way to enable / disable that rule instead of opening LuCI, then doing it manually.

Ideally, with a shortcut from my iPhone. So either some IFTTT trigger or the like.

Ideas? Thanks!

Did you declare that rule via LuCI or did you script it yourself?

I used LuCI.

You could install luci-app-commands and then declare two custom commands to enable and disable the rule.

  1. Head to System -> Software, enter luci-app-commands into Download and install package and confirm
  2. Open the edit view of your traffic rule, take note of the identifier in the URL (e.g. http://192.168.1.1/cgi-bin/luci/admin/network/firewall/rules/cfg4092bd => cfg4092bd)
  3. Head to System -> Custom commands, tab Configure
  4. Add a new command:
    • Description is enable rule
    • Command is sh -c "uci set firewall.cfgXXXXXX.enabled=1 && fw3 reload" - replace cfgXXXXXX with the identifier from step 2.
    • Custom arguments disabled
    • Public access enabled
  5. Add another new command:
    • Description is disable rule
    • Command is sh -c "uci set firewall.cfgXXXXXX.enabled=0 && fw3 reload" - replace cfgXXXXXX with the identifier from step 2.
    • Custom arguments disabled
    • Public access enabled
  6. Click Save & Apply and switch to the Dashboard tab
    • Bookmark the links shown after clicking the Link button
    • Note that there is a bug in the link url generation; it will show something like http://192.168.1.1/cgi-bin/luci/admin/system/commands/dashboardcommand/cfg0d9944s while the actual url is http://192.168.1.1/cgi-bin/luci/command/cfg0f9944s

Afterwards you should be able to trigger rule enabling / disabling using simple HTTP requests.
Note that anyone in your LAN has access to these HTTP command links, so it offers no protection from rogue actors, but it will be enough to lock out smart devices and such things.
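Putting the steps above into a single script, as an added example that is not from the thread or from the luci-app-commands project: instead of copying the cfgXXXXXX identifier out of the LuCI URL, it looks the section up by the rule's Name field in the output of `uci show firewall`, commits the change so it survives a reboot, and reports the current state. It assumes an fw3-based OpenWrt as in the thread; `uci` and `fw3` are the real tools, while the file name `fwrule.sh`, the rule name `Block-iPad` and the sample `uci show` output embedded for offline testing are constructed for this example.

```shell
#!/bin/sh
# fwrule.sh (constructed name): enable, disable or show a firewall traffic rule by its Name.
# Added example for the thread above; assumes OpenWrt with uci and fw3.
# Usage: sh fwrule.sh <rule-name> enable|disable|status

# Print the UCI section id (e.g. cfg4092bd) of the rule whose 'name' option equals $1.
# Reads `uci show firewall` output from stdin so it can be tested without uci present.
find_rule_section() {
    awk -v want="$1" -v q="'" '
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            # only option lines shaped firewall.<section>.name are of interest
            n = split(key, k, ".")
            if (n != 3 || k[1] != "firewall" || k[3] != "name") next
            # recent releases wrap values in single quotes; older ones do not
            if (substr(val, 1, 1) == q) val = substr(val, 2)
            if (substr(val, length(val), 1) == q) val = substr(val, 1, length(val) - 1)
            if (val == want) { print k[2]; exit }
        }'
}

# Print 1 or 0 for section $1. A rule with no 'enabled' option is active (fw3 default).
rule_enabled() {
    awk -v key="firewall.$1.enabled" -v q="'" '
        index($0, "=") > 0 && substr($0, 1, index($0, "=") - 1) == key {
            val = substr($0, index($0, "=") + 1)
            if (substr(val, 1, 1) == q) val = substr(val, 2)
            if (substr(val, length(val), 1) == q) val = substr(val, 1, length(val) - 1)
            print val; found = 1; exit
        }
        END { if (!found) print 1 }'
}

# Constructed stand-in for `uci show firewall` output (not captured from a real router),
# so the parsing functions above can be exercised offline.
sample_uci_output() {
    cat <<'EOF'
firewall.cfg02dc81=rule
firewall.cfg02dc81.name='Allow-DHCP-Renew'
firewall.cfg02dc81.src='wan'
firewall.cfg02dc81.proto='udp'
firewall.cfg02dc81.dest_port='68'
firewall.cfg02dc81.target='ACCEPT'
firewall.cfg4092bd=rule
firewall.cfg4092bd.name='Block-iPad'
firewall.cfg4092bd.src='lan'
firewall.cfg4092bd.src_mac='AA:BB:CC:DD:EE:FF'
firewall.cfg4092bd.dest='wan'
firewall.cfg4092bd.target='DROP'
firewall.cfg4092bd.enabled='0'
EOF
}

# $1: rule name, $2: 1 (enable) or 0 (disable). Runs on the router; needs uci and fw3.
set_rule_state() {
    section=$(uci show firewall | find_rule_section "$1")
    if [ -z "$section" ]; then
        echo "no firewall rule named '$1'" >&2
        return 1
    fi
    uci set "firewall.$section.enabled=$2"
    # uci set alone only records a pending change; commit so it persists across reboots
    uci commit firewall
    fw3 reload
}

main() {
    case "$2" in
        enable)  set_rule_state "$1" 1 ;;
        disable) set_rule_state "$1" 0 ;;
        status)
            section=$(uci show firewall | find_rule_section "$1")
            [ -n "$section" ] || { echo "no firewall rule named '$1'" >&2; return 1; }
            uci show firewall | rule_enabled "$section" ;;
        *) echo "usage: $0 <rule-name> enable|disable|status" >&2; return 1 ;;
    esac
}

# Dispatch only when called with arguments, so the file can also be sourced for its functions.
if [ $# -ge 1 ]; then main "$@"; fi
```

With the script saved on the router, the two Custom commands from the steps above reduce to `sh /root/fwrule.sh Block-iPad enable` and `sh /root/fwrule.sh Block-iPad disable`, so the cfgXXXXXX identifier no longer has to be pasted into each entry. The same script can also be run over SSH with key authentication from the phone, which avoids exposing an unauthenticated public link on the LAN at all.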

Very cool, let me have a go at it.

Thanks!

I have tried your solution but unfortunately I only get this:

  • Rule 'Disable-IoT-RouterAccess'
    ! Exception: iprange: Bad value for "--src-range" option: "192.168.2.150"

The extra arguments of this rule are "-m iprange --src-range 192.168.2.150-192.168.2.160"

It looks to me like changing the enable/disable status of a fw rule via uci set is somehow different than doing it via the LuCI GUI, because clicking the same rule on and off by hand works well.