[Solved] LuCI Firewall app bugs on 21.02.2

I have recently updated to 21.02.2 on one of my devices (config backup, clean firmware rewrite and config import from 21.02.1). I have issues with the Firewall app under LuCI:

  • Items and zones appear duplicated as seen here:
  • Some port forwarding rules disappeared, even though they are apparently applied and working
  • The wan zone shows as (empty) even though the wan adapters are in that zone, etc.

It seems like the settings shown in the Firewall GUI are not reflected, or settings are not read correctly. Is there a way to "reset" the firewall interface or to re-read and apply the proper settings?

I don’t see duplicated zones in the image you showed, but something definitely looks wrong.

Let’s take a look at the config file itself before you do anything else.

To get to the default configuration, you can move or delete the current firewall file and copy the one from /rom/etc/config/firewall.

Please copy the output of the following command and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/firewall

EDIT: as I looked at the image again, I see the duplication of the general settings... that is odd. But let's look at the config file to see if we can understand why that might be happening.

I have removed the duplicate "wan" and "lan" and other custom zones that I had previously. Obviously the duplicate settings for sw/hw acceleration and the general input/output/forwarding settings can't be removed in this state...

Below are the contents of /etc/config/firewall:

root@mky:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'monkey'
        list network 'wg0'
        list network 'wg80'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan_v6'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'monkey_iot'

config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'DNS_HIJACK_PREVENT_853'
        option src 'lan'
        option src_dport '853'
        option dest 'lan'
        option dest_port '853'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'DNS_HIJACK_PREVENT_53'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '53'
        option enabled '0'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

It sure looks like I have lost my rules, as there were many other port forward and traffic rule entries. This seems quite wrong; however, the functioning settings seem to be in order (for example, I had a rule to forward port 80 to an internal host...). I might need to restore these settings manually from a previous backup, but I'm not sure what I can do about the duplication of the settings as seen in the screenshot, or if the firewall service would function correctly afterwards.

What happens if you copy over the firewall file from rom?

Are you running an unofficial version of OpenWrt (a fork or community build) or have you installed or upgraded any specific packages?


You actually do have two sets of defaults defined...

and

delete the smaller set, and change the other default so that input = reject, forward = reject, output = accept.

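As an added example that is not part of the thread: the check suggested in the two replies above (look for a second `config defaults` section in the UCI file, and if the file is suspect fall back to the copy under /rom/etc/config/firewall) written out as a small POSIX sh script. The function names and the two sample files are constructed for illustration; the "reference" file only stands in for /rom/etc/config/firewall and does not reproduce OpenWrt's shipped defaults, and paths are parameters so the script can be run against temporary files instead of the live config.

```shell
#!/bin/sh
# Added example (not from the thread): detect a duplicated 'config defaults'
# section in an OpenWrt UCI firewall file, which is what produced the
# duplicated "General Settings" in LuCI above, and restore a known-good copy.
# Assumes POSIX sh plus awk (both present in BusyBox on OpenWrt).

# Count top-level UCI sections of one type (e.g. "defaults", "zone", "redirect").
# Both 'config <type>' and named 'config <type> '<name>'' lines are matched.
count_uci_sections() {
    file="$1"; type="$2"
    awk -v t="$type" '$1 == "config" && $2 == t { n++ } END { print n + 0 }' "$file"
}

# Return 0 if the file has exactly one 'defaults' section, 1 otherwise.
# fw3 only honours one; LuCI renders every one it finds, hence the duplicates.
check_firewall_defaults() {
    n=$(count_uci_sections "$1" defaults)
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "warning: $1 has $n 'config defaults' sections (expected 1)" >&2
    return 1
}

# Replace a config file with a reference copy, keeping a .bak of the old one.
# On a router: restore_config /rom/etc/config/firewall /etc/config/firewall
# and then '/etc/init.d/firewall restart', as the original poster did.
restore_config() {
    src="$1"; dst="$2"
    if [ ! -f "$src" ]; then
        echo "missing reference file $src" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.bak"
    fi
    cp "$src" "$dst"
}

# Constructed sample reproducing the shape of the posted file: one 'defaults'
# block at the top and a second, conflicting one at the bottom.
write_sample() {
    cat > "$1" <<'EOF'
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
EOF
}

# Constructed stand-in for /rom/etc/config/firewall (values are illustrative,
# taken from the recommendation in the reply above, not OpenWrt's actual file).
write_reference() {
    cat > "$1" <<'EOF'
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
EOF
}
```

On a live device, `check_firewall_defaults /etc/config/firewall` is the quick test; `uci show firewall` gives the same information with the sections numbered (`firewall.@defaults[0]`, `firewall.@defaults[1]`), which makes the stray one easy to spot and to `uci delete`. Only fall back to `restore_config` from /rom if you are prepared to re-add every zone, rule and redirect afterwards, since the ROM copy contains none of them.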

OK, I finally got the hang of this. I have deleted the firewall file and re-created it from a previous backup archive. After restarting /etc/init.d/firewall, all seems to be fine now.

Not sure how we got into this situation, as I never edited the config files manually before; everything was done from LuCI as far as I am aware.

I can't explain why you had a messed up file, either, but glad it is now working!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
