Firewall needs to be restarted manually

[phugoid]

I'm running this module on up-to-date OpenWrt Chaos Calmer 15.05.

The automatic restart of system and firewall services works correctly after you make any change that would switch the current access from blocked to allowed. For instance, if you uncheck Enable for a rule that current blocks your device.

However, if you make any change that would block current access and then click Save&Apply, it has no effect unless you manually restart the firewall via "/etc/init.d/firewall restart".

I verified that the AJAX call to restart the services is successful after page reload, in both cases.

If there's any further testing I can do help debug this issue, I'm offering my help.

[phugoid]

I think I'm getting closer to a solution. This problem is only occurring when I have a constant stream of pings being sent through the connection while I am trying to block it using the access rules. If I stop pinging first and then enable the access rule, it works properly to block the connection.

Further research suggests this is caused by the conntrack functionality:
"From r42048 to r44873, there was a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table." taken from https://wiki.openwrt.org/doc/uci/firewall
According to the same page, this function can no longer be easily disabled.

One possible explanation why the systemctl AJAX call is ineffective but manually restarting the firewall works is that the AJAX version takes longer, allowing pings to get through during the restart and thus engaging conntrack:
"Linux performs connection tracking independently of the currently configured firewall rules. If a client connects the router while the firewall is being restarted it gains access and Linux create a conntrack entry for the client." https://forum.openwrt.org/viewtopic.php?id=39267

If this is the case, I need to find a way to either disable (temporarily) the connection tracking, or find a way to reliably restart the firewall from LuCI. (I need the connection to get blocked even if users are streaming video at the time.)

[phugoid]

I think I've found a workaround.

The reason why LuCI's "Save&Apply" button doesn't cause any connections to be blocked, despite the access rules, is because any connections already listed in the conntrack table are allowed. Upon closer inspection, LuCI's AJAX call to
/cgi-bin/luci/;stok=xxx/servicectl/restart/access_control,firewall
is equivalent to running
/etc/init.d/firewall reload

A firewall reload will not flush the conntrack table, while a restart will.

The best workaround I can think of is to modify /etc/init.d/firewall so reloads flush the table. This uses the utility conntrack with is part of the conntrack-tools package:

reload_service() {
fw3 reload
command -v conntrack > /dev/null && conntrack -F || echo "ERROR: cmd not available: conntrack"
}

It appears this will have the side-effect of hanging up any connection using NAT, which is unavoidable if we want to enforce the new firewall access rules.

I hope this typing exercise is useful instead of cumbersome to the project maintainer and other users.

[jevga]

I found that for me if I create rule, it creates appropriate but disabled rule in firewall.
So I have to manuali enable it in firewall.

[adnanhz]

I am facing the same exact problem. I have to restart the firewall for each new rule which causes all active connections to drop. Anyone to confirm whether this has been fixed in more recent versions ?

[softcoder]

Same Here (using the Turris Omnia Router)

[teamalpha5441]

Same here, using conntrack -F in crontab looks good but drops all connections.
Problem may be because the firewall rules are inserted after accepting RELATED and ESTABLISHED.
Should be fixable by inserting them before this specific rule, but I'm not sure if UCI can do this.

[FloK84]

Hi,
I know this post is a little bit old :-) But I think I found a workaround/solution and maybe this helps someone else. I modified the function reload_init in the script /sbin/luci-reload
reload_init() { [ -x /etc/init.d/$2 ] && /etc/init.d/$2 enabled && { echo "Reloading $1... " # Modified by Flo if [ $1 = "firewall" ] then /etc/init.d/$2 restart >/dev/null 2>&1 else /etc/init.d/$2 reload >/dev/null 2>&1 [ -n "$3" -a "$?" != "$3" ] && echo '!!! Failed to reload' $1 '!!!' fi } }
If the first script parameter is "firewall" I'm doing a restart instead of a reload. That works and I haven't seen any negative effects...