[Solved] LuCI Firewall app bugs on 21.02.2

I have recently updated to 21.02.2 on one of my devices (config backup, clean firmware rewrite and config import from 21.02.1). I have issues with the Firewall app under LuCI:

  • Items and zones appear duplicated as seen here:
  • Some port forwarding rules dissapeared, even though they are apparently applied and working
  • The wan zone shows as (empty) even though the wan adapters are in that zone, etc.

It seems like the settings shown in the Firewall GUI are not reflected, or settings are not read correctly. Is there a way to "reset" the firewall interface or to re-read and apply the proper settings?

I don’t see duplicated zones in the image you showed, but something definitely looks wrong.

Let’s take a look at the config file itself before you do anything else.

To get to the default configuration, you can move or delete the current firewall file and copy the one from /rom/etc/config/firewall.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/firewall

EDIT: as I looked at the image again, I see the duplication of the general settings... that is odd. But let's look at the config file to see if we can understand why that might be happening.

I have removed the duplicate "wan" and "lan" and other custom zones that I had previously. Obviously the duplicate settings for sw/hw acceleration and the general input/output/forwarding settings can't be removed in this state...

Below are the contents of /etc/config/firewall:

root@mky:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'monkey'
        list network 'wg0'
        list network 'wg80'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan_v6'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'monkey_iot'

config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'DNS_HIJACK_PREVENT_853'
        option src 'lan'
        option src_dport '853'
        option dest 'lan'
        option dest_port '853'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'DNS_HIJACK_PREVENT_53'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '53'
        option enabled '0'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

It sure looks like I have lost my rules, as there were many other port forward and traffic rule entier. These seems quire wrong, however the functioning settings seem to be in order (for ex. I had a rule to forward port 80 to an internal host...). I might need to restore these settings manually from a previous backup, but I',m not sure what I can do about the duplication of the settings as seen in the screenshot, or if the firewall service would fuction correctly afterwards.

What happens if you copy over the firewall file from rom?

Are you running an unofficial version of OpenWrt (a fork or community build) or have you installed or upgraded any specific packages?

1 Like

You actually do have two sets of defaults defined...

and

delete the smaller set, and change the other default so that input = reject, forward = reject, output = accept.

1 Like

OK, I finally got the hang of this. I have deleted the firewall file and re-created it from a previous backup archive. After restarting /etc/init.d/firewall, all seems to be fine now.

Not sure how do we get to this situation, as I never edited the config files manually before, everything was done from LuCI as far as I am aware.

I can't explain why you had a messed up file, either. but glad it is now working!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.