V22.03 MyBookLive (apm821xx/sata) Still Using FW3

I first upgraded and then wiped and factory installed v22.03 for the MyBookLive onto a test device and found it was still using the iptables Firewall 3 in both cases. I tried to install FW4 using opkg but this produced errors. I eventually removed FW3 and got FW4 in place after some trial and error.

Looking at the config.buildinfo for this device on the v22.03 release page, it still has FW3 selected and not FW4. This somewhat defeats the primary objective of V22.03 in moving to nftables with FW4.

Could the maintainer please update this device to FW4?

https://downloads.openwrt.org/releases/22.03.0/targets/apm821xx/sata/

We need a change similar to 27fbae4c5af612b1a1790c35a30b154b8e888057 for the nas DEVICE_TYPE.

Both firewall and firewall4 provide uci-firewall, which luci-app-firewall wants. All of these targets want luci.

I'm confused, as the v22 release notice and notes state that FW4 is now the default, but it's clearly not the case for the apm821xx target.

I'm able to do full OpenWrt builds on a Debian VM but am somewhat baffled as to where this "default" is being reverted back to FW3.

Yes, looks like uci-firewall defaults to firewall over firewall4.

As for how this all comes together: @hurricos rightly stated the MyBook Live uses the DEVICE_TYPE := nas, but the patch that "switched" the build to use firewall4 just set it on the DEVICE_TYPE := router.

The "NAS" target doesn't include any firewall package. In case of the MyBook Live (and maybe other older NAS with a single core) a running firewall slows samba/nfs/sftp/rsync/9p/ftp down. It would be great if luci could be installed without luci-app-firewall.

The official V21 & V22 release builds for the MyBookLive contain the firewall(3) packages and this can be seen in the buildinfo.config files. Are the release build configurations defined separately from the Git source tree? It is unclear how the release images end up including FW3.

I use a firewall on the NAS even though it is only directly accessible from within my home LAN, as I subscribe to the "defence-in-depth" approach to security, i.e. never rely on a single mechanism to protect important data. It also allows me to block guests (family / friends) who are visiting and who inevitably start with "Hello, btw what's the wi-fi password?"