OpenWrt Forum Archive

Topic: firewall block rules overruled by default

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hello,

how to block dns requests for some clients from lan to wan?
by default lan -> wan forwarding is accepted, so far so good. i added some rules for some clients to block them from lan to wan. so far so good, but the clients still are able to ping and resolve hosts.

how can i block that too? -> icmp match type is "any".

thx in advance!

Hey there.

I just investigated and found something confusing.

Seems like "Save and Apply" in LuCI doesn't recreate the same state as "/etc/init.d/firewall restart" does.

My WAN side is another router of type FRITZ!Box making "192.168.178.0/24" the IP range of my WAN port and 192.168.178.1 the upstream gateway for my OpenWRT router.
Here I want my local LAN devices not to be able to access this IP address directly. I consider this device to be part of my ISP's network even though it's located in my basement. So I created a "deny" rule keeping my LAN devices out.

That's the rule:

config rule
        option name 'disble fritzbox'
        option dest_ip '192.168.178.1'
        option family 'ipv4'
        option src '*'
        option dest 'wan'
        option proto 'tcp'
        option dest_port '64-1024'
        option target 'REJECT'

When I go to LuCI http://router/cgi-bin/luci/admin/network/firewall/rules, I can switch this rule on and off and hit "Save and Apply" at the bottom.

Switching this rule off makes my LAN clients able to connect to http://192.168.178.1
Switching this rule on again does *not* make my LAN clients unable to connect. They still can access the FRITZ!Box.
When I ssh to my OpenWRT to call "/etc/init.d/firewall restart" the "off" applies and my LAN clients stop being able to access the FRITZ!Box.

That's what I do:

  • /etc/init.d/firewall restart

  • Don't have access to 192.168.178.1

  • Go to http://router/cgi-bin/luci/admin/network/firewall/rules

  • Disable that deny rule

  • Hit "Save and Apply"

  • Have access to 192.168.178.1

  • Enable that deny rule

  • Hit "Save and Apply"

  • Still have access to 192.168.178.1

  • /etc/init.d/firewall restart

  • Don't have access to 192.168.178.1

I have no clue what's causing this. When comparing "iptables-save" in between there's nothing suspicious at all.

Could you please check that on your setup?
Maybe it's not the question of "how can I overrule the global ALLOW" but more a bug of "LuCI doesn't properly reload firewall"?

[edit]

Ah, it's somehow about the difference between "reload" and "restart".

Regards,
Stephan.

(Last edited by golialive on 18 Apr 2017, 18:55)
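An added example, not code from either post: it reads the UCI "config rule" format posted above and evaluates sample lan -> wan flows against the rules in order, falling through to the zone's default ACCEPT when nothing matches. It also shows that a rule matching only tcp, like the one posted above, does nothing for UDP port 53 or ICMP, which is one way the first post's symptom (clients still resolving and pinging) can arise. The second rule and the client address 192.168.1.50 are constructed, and only src_ip, dest_ip, proto and dest_port are modelled.

```python
# Added example (not from the thread): parse UCI "config rule" sections and
# ask which target a lan -> wan flow hits; first match wins, else ACCEPT.
SAMPLE_CONFIG = """config rule
        option name 'disble fritzbox'
        option dest_ip '192.168.178.1'
        option src '*'
        option dest 'wan'
        option proto 'tcp'
        option dest_port '64-1024'
        option target 'REJECT'
config rule
        option src 'lan'
        option src_ip '192.168.1.50'
        option dest 'wan'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'REJECT'
"""  # second rule and 192.168.1.50 are constructed for the first question

def parse_rules(text):
    """One dict per 'config rule' section; other section types are skipped."""
    rules, cur = [], None
    for line in text.splitlines():
        p = line.split(None, 2)
        if p[:1] == ["config"]:
            cur = {} if p[1:2] == ["rule"] else None
            if cur is not None:
                rules.append(cur)
        elif p[:1] == ["option"] and cur is not None and len(p) == 3:
            cur[p[1]] = p[2].strip().strip("'\"")
    return rules

def rule_matches(r, src_ip, dest_ip, proto, dport):
    if r.get("src_ip") not in (None, src_ip) or r.get("dest_ip") not in (None, dest_ip):
        return False
    protos = r.get("proto", "all").split()  # 'tcp udp' lists several
    if "all" not in protos and proto not in protos:
        return False
    spec = r.get("dest_port")  # single port or 'lo-hi'; absent = any port
    if spec is None or proto not in ("tcp", "udp"):  # icmp has no ports
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= dport <= int(hi or lo)

def verdict(rules, src_ip, dest_ip, proto, dport=None):
    for r in rules:
        if rule_matches(r, src_ip, dest_ip, proto, dport):
            return r.get("target", "ACCEPT")
    return "ACCEPT"  # nothing matched: default lan -> wan forward accepts
```

The udp/53 flow from 192.168.1.51 to 192.168.178.1 returns ACCEPT because the posted rule lists only tcp; an ICMP flow returns ACCEPT unless a rule with proto 'icmp' exists.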
