Managing firewall rules manually

Hello great team.

I have a device running the latest version of OpenWRT, which seems to work so far.

However, I would like to manage the firewall rules using an nftables script I would upload over sftp on the device.

My preliminary tests seem to work, and are replacing the firewall rules accordingly.

However, I would like to know if I can disable the web interfaces that manage the firewall rules, to avoid any error or interference. How can I do this, then?

What should I do to ensure my rules are not overwritten if the firewall reboots?

Thanks for your help.

service uhttpd disable
service uhttpd stop

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_2203_and_later_with_fw4

You can put web server on localhost and operate it via ssh port forwarding.

/etc/init.d/firewall disable; /etc/init.d/firewall stop

You can put a protective file, e.g. one containing only an opening bracket, in /etc/nftables.d/whatever.nft; that will make the firewall fail to load its rules.
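The fw4 include mechanism linked above and the point just made (a malformed file in /etc/nftables.d/ stops the firewall loading) suggest checking a fragment before it is installed. The following is an added example, not code from this thread or from OpenWrt: it dry-runs the fragment with nft, installs it as an include, reloads, and restores the previous copy if the reload fails. The table wrapper used for the dry run and the NFT_DIR override are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): stage a hand-written nftables
# fragment as an fw4 include (OpenWrt 22.03+), syntax-check it first, reload the
# firewall, and roll back if the reload fails. Assumes every /etc/nftables.d/*.nft
# is spliced into fw4's "inet fw4" table, as the includes documentation describes.
NFT_DIR="${NFT_DIR:-/etc/nftables.d}"   # overridable so the logic can be exercised elsewhere

# Includes are table-scoped fragments (chains, sets, rules; no "table" wrapper), so a
# bare "nft -c" on the file would reject valid ones. Wrap the fragment in a throwaway
# table for the dry run; nothing is applied because of -c.
check_include() {
    { printf 'table inet fw4 {\n'; cat "$1"; printf '}\n'; } | nft -c -f -
}

# fw4 regenerates the whole ruleset on reload, pulling in the includes (reload rather
# than restart keeps established connections, as noted later in the thread).
reload_firewall() {
    /etc/init.d/firewall reload
}

# deploy_include SRC NAME: install SRC as $NFT_DIR/NAME, keeping the old copy as
# NAME.prev (not matched by *.nft, so fw4 ignores it), then reload. Returns non-zero
# with the previous file restored if either the syntax check or the reload fails.
deploy_include() {
    src="$1"; dst="$NFT_DIR/$2"
    check_include "$src" || { echo "syntax error in $src, not installed" >&2; return 1; }
    mkdir -p "$NFT_DIR"
    [ -f "$dst" ] && cp -p "$dst" "$dst.prev"
    cp "$src" "$dst" && chmod 0644 "$dst"
    if reload_firewall; then
        rm -f "$dst.prev"
        return 0
    fi
    echo "firewall reload failed, rolling back $dst" >&2
    if [ -f "$dst.prev" ]; then mv "$dst.prev" "$dst"; else rm -f "$dst"; fi
    reload_firewall
    return 1
}
```

Run it as `deploy_include ./rules.nft custom.nft` after uploading the file over sftp; a non-zero exit means the old rules are back in place.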

Thanks for your help.
I was hoping that in the web server, there was an option to only disable the firewall module, and to keep the other modules.
Thanks again.

Have you considered creating the equivalent rules using UCI?

Yes, I considered the option, but will not use it.
OpenWRT is great for installing Linux on low-consumption broadband hardware, but the firewall interface is not adequate for my standards.
I have used OpnSense before, to cite one, and it is something I am more used to.
There are also a lot of features in nftables that are not available in the interface.

Don't suppose you'd like to expand on what's missing/is inadequate?

I get that, but trying to force OpenWRT to operate like OpnSense probably isn't the best way to solve the matter.

Maybe just don't use LuCI, and edit /etc/config/firewall with its plain text config? /etc/init.d/firewall reload (not restart) works most of the time without breaking established connections....

I'm not well versed in luci config but from what I have learned the following should help.
As always, be sure to have a full backup and know your device recovery methods.

If you want to remove access to the "Firewall" management portion of luci altogether on recent versions of OpenWrt (v22 through 24?), that might be easy.

I just tested this and it worked:
Backup file /usr/share/luci/menu.d/luci-app-firewall.json
Remove file /usr/share/luci/menu.d/luci-app-firewall.json
Logout of luci
Log back in to luci and the "Firewall" menu item in the "Network" menu should be gone.
Clear your browser cache if needed.

To restore access to the firewall menu in luci, restore the file /usr/share/luci/menu.d/luci-app-firewall.json and be sure file ownership and permissions are correct.
Logout and back in to luci.

That prevents casual use of the web API for changing the firewall settings. If you want a more robust solution preventing it, you should look at changing ACLs and/or more significant modifications of luci.

For more ideas / info on this search the forum, wiki, and github.

These threads in the forum were insightful: Disable certain Luci menu items - #2 by stangri and Description of the JSON in menu.d and acl.d? - #4 by jow so might be a good starting point for deeper understanding.

Good Luck!

Thanks, @spence

To @krazeh

I get that, but trying to force OpenWRT to operate like OpnSense probably isn't the best way to solve the matter.

Exactly. This is why I will use a text file managed by git, and not the web interface.

So you're doing the exact thing I suggested is not the best way to solve it...