WAN network gone in /etc/config/firewall - option network ' '

This might sound very nooby, and no, I was not hacked by the secret underground bahn, but yesterday something bad happened:
Testing OpenVPN server, messing around with lots of

uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall

and deleting a "newzone" firewall zone led to the loss of all networks in the zone config. E.g.:

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network ' '

In Luci interfaces, all interfaces were coloured with white / no colour instead of green and red.
In Zenmap all ports were open and also Luci was accessible on the internet.

I mean, even if I clicked around too fast and maybe did nooby things, how can this happen? And even if it is possible under certain circumstances, the "system" must avoid configurations getting active with settings like option network ' '.
This was an OPENWRT-CON 2 alert condition (sounds exciting, doesn't it?) and I need to avoid it in future.

The system cannot decide whether such a configuration was intentional or not. The sole space char in the network list indicates that LuCI removed the items there. Maybe because you deleted and recreated interfaces via the ui.

Since you do not exactly remember what you did, it is unlikely that we'll reach further conclusions.

Is there a situation where this kind of configuration makes sense? Should an active interface exist without being assigned to a firewall zone?
option network ' '

The interfaces always existed, but were temporarily "white" - not assigned to a zone.

Yes. For example when you want to predeclare firewall zones to attach interfaces later.

Not assigning zone means applying default policy.
You can remove zones and use default policy for everything.

I see, you mean:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

So, in my case, I should change this to

config defaults
	option syn_flood	1
	option input		REJECT
	option output		REJECT
	option forward		REJECT

If so, shouldn't this be the default for all?

Default policy is permissive to prevent device bricking.

But this would be the solution to avoid the issue that WAN is completely open to the internet?
If there is no interface selected in the dropbear config, is this then also the default that applies?

But still better close down all access instead of opening all interfaces...

There's no ideal solution.
The issue of potential device bricking has higher priority than potential permissive firewall policy.
And note that it is only relevant to modified network/firewall configuration when modification is performed without verification.

The ' ' can actually be partially reproduced:
Luci Firewall
Add zone forwarding
covered networks: LAN

Delete this one, and zone LAN is left without assignment to interface LAN.

Yes, because you created a zone "vpnserver", moved the "lan" network to it, then deleted the zone, leaving the "lan" orphaned.
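An added check, not from any post in this thread, that scans a firewall config for the two conditions discussed above: a zone whose network option is blank (the orphaned zone described in the last post) combined with a permissive defaults input policy (the point made earlier about default policy). The sample config is constructed; the parser also accepts `list network` entries, which the thread itself does not show.

```shell
# Constructed sample /etc/config/firewall in the state the thread describes:
# permissive "defaults" plus a "wan" zone whose network list collapsed to ' '.
write_sample_config() {
  cat > "$1" <<'EOF'
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name 'lan'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option network ' '
EOF
}

# Report zones whose network list is empty or blank (they cover no interface,
# so traffic on those interfaces falls through to "defaults") and exit
# non-zero when such a zone exists while the defaults input policy is ACCEPT.
audit_firewall_config() {
  awk '
    function value(line) {   # strip "option <key>" / "list <key>" and quotes
      sub(/^[ \t]*(option|list)[ \t]+[A-Za-z0-9_]+[ \t]*/, "", line)
      sub(/^["'\'']/, "", line); sub(/["'\'']$/, "", line)
      return line
    }
    function flush() {
      if (section == "zone" && net ~ /^[ \t]*$/) { print "orphaned zone: " name; orphans++ }
    }
    /^config[ \t]/ { flush(); section = $2; name = "?"; net = "" }
    /^[ \t]*option[ \t]+name[ \t]/ { name = value($0) }
    /^[ \t]*(option|list)[ \t]+network[ \t]/ { net = net value($0) }
    section == "defaults" && /^[ \t]*option[ \t]+input[ \t]/ { def_input = value($0) }
    END { flush(); print "defaults input policy: " def_input
          exit (orphans > 0 && def_input == "ACCEPT") }
  ' "$1"
}

# Stand-alone run on the constructed sample; on a router, pass /etc/config/firewall.
demo() {
  tmp=$(mktemp)
  write_sample_config "$tmp"
  audit_firewall_config "$tmp" || echo "EXPOSED: zone without interfaces while defaults input is ACCEPT"
  rm -f "$tmp"
}
demo
```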