WAN network gone in /etc/config/firewall - option network ' '

Frood42 · October 24, 2018, 7:05am

This might sound very nooby, and no; I was not hacked by the secret underground bahn but yesterday something bad happened:
Testing OpenVPN server, messing around with lots of
e.g.

uci set firewall.@forwarding[-1].dest="lan"
uci commit firewall

and deleting a "newzone" firewall zone leaded to the loss of all networks in the zone config. E.g.:

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network ' '

In Luci interfaces, all interfaces were coloured with white / no colour instead of green and red.
In Zenmap all ports were open and also Luci was accessible on the internet.

I mean, even if I clicked around too fast and maybe did nooby things, how can this happen? And even if it is possible under certain circumstances, the "system" must avoid configurations getting active with settings like option network ' '
This was a OPENWRT-CON 2 alert condition (sound exciting, doesn't it) and I need to avoid it in future.

jow · October 24, 2018, 8:06am

The system cannot decide whether such a configuration was intentional or not. The sole space char in the network list indicates that LuCI removed the items there. Maybe because you deleted and recreated interfaces via the ui.

Since you do not exactly remember what you did, it is unlikely that we'll reach further conclusions.

Frood42 · October 24, 2018, 8:28am

is there a situation where this kind of configuration makes sense? Should an active interface exist without being assigned to a firewall zone?
option network ' '

The interfaces were always existing, but temporarily "white" - not assigned to a zone.

jow · October 24, 2018, 8:30am

Yes. For example when you want to predeclare firewall zones to attach interfaces later.

vgaetera · October 24, 2018, 9:28am

Not assigning zone means applying default policy.
You can remove zones and use default policy for everything.

Frood42 · October 24, 2018, 11:26am

I see, you mean:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

So, in my case, I should change this to

config defaults
	option syn_flood	1
	option input		REJECT
	option output		REJECT
	option forward		REJECT

If so, shouldn't this be the default for all?

vgaetera · October 24, 2018, 12:54pm

Default policy is permissive to prevent device bricking.

Frood42 · October 24, 2018, 3:26pm

But this would be the solution to avoid the issue that WAN is completely open to the internet?
If there is no interface selected in the dropbear config is this then also the default which applies?

But still better close down all access instead of opening all interfaces...

vgaetera · October 24, 2018, 3:49pm

There's no ideal solution.
The issue of potential device bricking has higher priority than potential permissive firewall policy.
And note that it is only relevant to modified network/firewall configuration when modification is performed without verification.

Frood42 · October 24, 2018, 9:59pm

the ' ' can actually be partially reproduced:
Luci Firewall
Add zone forwarding
from LAN to VPNSERVER
covered networks: LAN

delete this one and zone LAN is without assignment to interface LAN.

jow · October 25, 2018, 7:20am

Yes, because you create a zone "vpnserver", moved the "lan" network to it, then deleted the zone, leaving the "lan" orphaned.