Opened 3 years ago

Last modified 3 years ago

#17685 new defect

Active firewall after disabling it in Startup and reboot

Reported by: philip_petev
Owned by: developers
Priority: response-needed
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords:
Cc:

Description

WR841N V8, trunk 42260 CC
For some reason, the firewall is still active after I've disabled it in System/Startup. If you go to Status/Firewall after a reboot, you'll see some firewall chains, which indicates an active firewall. I've added the following to /etc/rc.local:

sleep 10
/etc/init.d/firewall stop

and it works, but as I said, that's only a workaround, not a permanent solution.

Attachments (0)

Change History (12)

comment:1 Changed 3 years ago by bittorf@…

Please show the output of:

/etc/init.d/firewall enabled
return $?

comment:2 Changed 3 years ago by philip_petev

You know, that script doesn't have any enable or disable routines inside (I've just examined it), so commands like /etc/init.d/firewall enable or /etc/init.d/firewall disable would never work. And yet, there is an Enable/Disable button on the Firewall line in System/Startup, which obviously doesn't do anything at all.

As you can see, there is no output:

root@WR841N:~# /etc/init.d/firewall enabled
root@WR841N:~#

comment:3 Changed 3 years ago by philip_petev

Actually, the Enable/Disable button creates or deletes a file called /etc/rc.d/S19firewall, which is a symlink to /etc/init.d/firewall, but that doesn't change anything: the firewall is still active after each reboot, no matter whether the button is in the enabled or disabled state.

Last edited 3 years ago by philip_petev

comment:4 Changed 3 years ago by bittorf@…

The magic is in "/etc/rc.common", which is sourced via the shebang.
Please simply do what I wrote and don't try to be too smart.

/etc/init.d/firewall enabled
return $?

comment:5 Changed 3 years ago by philip_petev

The last command closes my SSH session, so there is nothing I can tell you about its output. Are you sure you don't mean echo $? rather than return $?? If so, then the last exit code is 1, and I presume it should be 0 if everything is OK.

Last edited 3 years ago by philip_petev

comment:6 Changed 3 years ago by bittorf@…

Sorry, 'echo $?' of course.
If it's '1', this means the firewall is 'disabled' (this is what you want).
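
What the exit code of "enabled" actually reflects, as an added shell example (this is not OpenWrt's rc.common, nor code from the ticket): rc.common answers the enabled action by testing whether the start symlink /etc/rc.d/S<START><name> exists and is executable, where START comes from the init script itself (19 for firewall, hence the S19firewall link mentioned in comment:3). The functions below reproduce that check and the create/delete that the LuCI Enable/Disable button performs; the rc.d and init.d directories are parameters so the demonstration runs against a scratch tree that the script constructs, not the real /etc.

```shell
#!/bin/sh
# Added example (not OpenWrt's own rc.common): reproduces the check behind
# "/etc/init.d/<name> enabled". The enabled state is nothing more than the
# presence of an executable start symlink rc.d/S<START><name>.
# RCDIR and INITDIR are parameters so this runs against a scratch tree.

# rc_enabled NAME START RCDIR -> exit 0 if enabled, 1 if disabled
# (the same exit status "/etc/init.d/NAME enabled; echo $?" reports)
rc_enabled() {
    [ -x "$3/S$2$1" ]
}

# rc_state NAME START RCDIR -> prints "enabled" or "disabled", always exits 0
rc_state() {
    if rc_enabled "$1" "$2" "$3"; then echo enabled; else echo disabled; fi
}

# rc_enable NAME START RCDIR INITDIR: what the Enable button does, i.e.
# create rc.d/S<START><NAME> -> init.d/<NAME>
rc_enable() {
    ln -sf "$4/$1" "$3/S$2$1"
}

# rc_disable NAME START RCDIR: what the Disable button does, remove the link
rc_disable() {
    rm -f "$3/S$2$1"
}

# Demonstration on a constructed scratch tree (assumed layout, not a real /etc)
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/rc.d"
    printf '#!/bin/sh /etc/rc.common\nSTART=19\n' > "$d/init.d/firewall"
    chmod +x "$d/init.d/firewall"

    echo "fresh tree:    $(rc_state firewall 19 "$d/rc.d")"
    rc_enable firewall 19 "$d/rc.d" "$d/init.d"
    echo "after enable:  $(rc_state firewall 19 "$d/rc.d")"
    rc_disable firewall 19 "$d/rc.d"
    echo "after disable: $(rc_state firewall 19 "$d/rc.d")"
    rm -rf "$d"
}
demo
```

On the router itself the equivalent check is the one the thread converges on, "/etc/init.d/firewall enabled; echo $?". An exit code of 1 only proves that the S19firewall link is absent, so nothing started the firewall from /etc/rc.d at boot; it says nothing about whether some other path loaded rules afterwards, which is the direction comment:12 later takes.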

comment:7 Changed 3 years ago by philip_petev

Sounds good, but it's not disabled: I have active firewall chains in Status / Firewall, and that list was supposed to be empty.
One more thing: the router is set up as a wireless repeater; there are two wlan interfaces, one set as a client and one set as an AP, and there is also an active relay bridge between the two routers. Connected to the main router, I can't access this one via SSH. I have to run /etc/init.d/firewall stop locally in order to enable SSH access for computers connected to the first router. That's a second sign that the firewall is still active.

Last edited 3 years ago by philip_petev

comment:8 Changed 3 years ago by bittorf@…

Please post the output of 'df'.

comment:9 Changed 3 years ago by philip_petev

root@WR841N:~# df
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                     384       240       144  63% /
/dev/root                 2560      2560         0 100% /rom
tmpfs                    14500       608     13892   4% /tmp
/dev/mtdblock3             384       240       144  63% /overlay
overlayfs:/overlay         384       240       144  63% /
tmpfs                      512         0       512   0% /dev

comment:10 Changed 3 years ago by jow

  • Priority changed from normal to response-needed

What kind of active chains? Please post an example. The firewall package is not the only program installing chains; some are installed by miniupnpd and others by qos-scripts. Also, certain chains like PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD are core system chains which are always present even if no iptables rules have been installed.

comment:11 Changed 3 years ago by philip_petev

Alright, here they are:

Table: Filter

Chain INPUT (Policy: ACCEPT, Packets: 5, Traffic: 300.00 B)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	42 	2.57 KB 	delegate_input 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain FORWARD (Policy: DROP, Packets: 0, Traffic: 0.00 B)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	delegate_forward 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain OUTPUT (Policy: ACCEPT, Packets: 28, Traffic: 2.02 KB)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	133 	35.13 KB 	delegate_output 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain delegate_forward (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	forwarding_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for forwarding */
2 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate RELATED,ESTABLISHED
3 	0 	0.00 B 	zone_lan_forward 	all 	-- 	br-lan 	* 	0.0.0.0/0 	0.0.0.0/0 	-
4 	0 	0.00 B 	zone_wan_forward 	all 	-- 	eth1.1 	* 	0.0.0.0/0 	0.0.0.0/0 	-
5 	0 	0.00 B 	reject 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain delegate_input (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	32 	2.13 KB 	ACCEPT 	all 	-- 	lo 	* 	0.0.0.0/0 	0.0.0.0/0 	-
2 	10 	460.00 B 	input_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for input */
3 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate RELATED,ESTABLISHED
4 	5 	300.00 B 	syn_flood 	tcp 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	tcp flags:0x17/0x02
5 	5 	160.00 B 	zone_lan_input 	all 	-- 	br-lan 	* 	0.0.0.0/0 	0.0.0.0/0 	-
6 	0 	0.00 B 	zone_wan_input 	all 	-- 	eth1.1 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain delegate_output (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	32 	2.13 KB 	ACCEPT 	all 	-- 	* 	lo 	0.0.0.0/0 	0.0.0.0/0 	-
2 	101 	33.00 KB 	output_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for output */
3 	3 	312.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate RELATED,ESTABLISHED
4 	70 	30.68 KB 	zone_lan_output 	all 	-- 	* 	br-lan 	0.0.0.0/0 	0.0.0.0/0 	-
5 	0 	0.00 B 	zone_wan_output 	all 	-- 	* 	eth1.1 	0.0.0.0/0 	0.0.0.0/0 	-

Chain reject (References: 3)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	REJECT 	tcp 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	reject-with tcp-reset
2 	0 	0.00 B 	REJECT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	reject-with icmp-port-unreachable

Chain syn_flood (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	5 	300.00 B 	RETURN 	tcp 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	tcp flags:0x17/0x02 limit: avg 25/sec burst 50
2 	0 	0.00 B 	DROP 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_dest_ACCEPT (References: 2)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	70 	30.68 KB 	ACCEPT 	all 	-- 	* 	br-lan 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_forward (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	MINIUPNPD 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-
2 	0 	0.00 B 	forwarding_lan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for forwarding */
3 	0 	0.00 B 	zone_wan_dest_ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* forwarding lan -> wan */
4 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate DNAT /* Accept port forwards */
5 	0 	0.00 B 	zone_lan_dest_ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_input (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	5 	160.00 B 	input_lan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for input */
2 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate DNAT /* Accept port redirections */
3 	5 	160.00 B 	zone_lan_src_ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_output (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	70 	30.68 KB 	output_lan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for output */
2 	70 	30.68 KB 	zone_lan_dest_ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_src_ACCEPT (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	5 	160.00 B 	ACCEPT 	all 	-- 	br-lan 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_dest_ACCEPT (References: 2)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	eth1.1 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_dest_REJECT (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	reject 	all 	-- 	* 	eth1.1 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_forward (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	forwarding_wan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for forwarding */
2 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate DNAT /* Accept port forwards */
3 	0 	0.00 B 	zone_wan_dest_REJECT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_input (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	input_wan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for input */
2 	0 	0.00 B 	ACCEPT 	udp 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	udp dpt:68 /* Allow-DHCP-Renew */
3 	0 	0.00 B 	ACCEPT 	icmp 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	icmptype 8 /* Allow-Ping */
4 	0 	0.00 B 	ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	ctstate DNAT /* Accept port redirections */
5 	0 	0.00 B 	zone_wan_src_REJECT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_output (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	output_wan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for output */
2 	0 	0.00 B 	zone_wan_dest_ACCEPT 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_src_REJECT (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	reject 	all 	-- 	eth1.1 	* 	0.0.0.0/0 	0.0.0.0/0 	-


Table: NAT

Chain PREROUTING (Policy: ACCEPT, Packets: 6, Traffic: 332.00 B)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	6 	332.00 B 	delegate_prerouting 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain POSTROUTING (Policy: ACCEPT, Packets: 62, Traffic: 4.59 KB)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	62 	4.59 KB 	delegate_postrouting 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain delegate_postrouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	62 	4.59 KB 	postrouting_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for postrouting */
2 	2 	462.00 B 	zone_lan_postrouting 	all 	-- 	* 	br-lan 	0.0.0.0/0 	0.0.0.0/0 	-
3 	0 	0.00 B 	zone_wan_postrouting 	all 	-- 	* 	eth1.1 	0.0.0.0/0 	0.0.0.0/0 	-

Chain delegate_prerouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	6 	332.00 B 	prerouting_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for prerouting */
2 	1 	32.00 B 	zone_lan_prerouting 	all 	-- 	br-lan 	* 	0.0.0.0/0 	0.0.0.0/0 	-
3 	0 	0.00 B 	zone_wan_prerouting 	all 	-- 	eth1.1 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_lan_postrouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	2 	462.00 B 	postrouting_lan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for postrouting */

Chain zone_lan_prerouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	1 	32.00 B 	MINIUPNPD 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-
2 	1 	32.00 B 	prerouting_lan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for prerouting */

Chain zone_wan_postrouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	postrouting_wan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for postrouting */
2 	0 	0.00 B 	MASQUERADE 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain zone_wan_prerouting (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	prerouting_wan_rule 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	/* user chain for prerouting */


Table: Mangle

Chain PREROUTING (Policy: ACCEPT, Packets: 283, Traffic: 25.47 KB)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	283 	25.47 KB 	fwmark 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain FORWARD (Policy: ACCEPT, Packets: 0, Traffic: 0.00 B)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	mssfix 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

Chain mssfix (References: 1)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	0 	0.00 B 	TCPMSS 	tcp 	-- 	* 	eth1.1 	0.0.0.0/0 	0.0.0.0/0 	tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU


Table: Raw

Chain PREROUTING (Policy: ACCEPT, Packets: 283, Traffic: 25.47 KB)
Rule # 	Pkts. 	Traffic 	Target 	Prot. 	Flags 	In 	Out 	Source 	Destination 	Options
1 	283 	25.47 KB 	delegate_notrack 	all 	-- 	* 	* 	0.0.0.0/0 	0.0.0.0/0 	-

UPnP is disabled as well, and there is no room on the WR841N's flash for QoS, so it's not installed.
Isn't that the point of the presence of an Enable/Disable button for any service, to turn it on and off (completely off)?
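
Telling the kernel's built-in chains apart from chains that some program installed, which is the distinction comment:10 draws and the dump in comment:11 illustrates, as an added shell example (not code from the ticket or from the firewall package). It reads iptables-save output on stdin; the sample dump below is constructed for the example and only modelled on the chain names in the ticket, and the name-based ownership guess (delegate_*/zone_* for the firewall package, MINIUPNPD for miniupnpd) is a heuristic taken from those names, not a rule the packages guarantee.

```shell
#!/bin/sh
# Added example (not from the ticket or the firewall package): separates
# built-in chains from program-installed ones in iptables-save output.
# In that format "*name" starts a table and ":name policy [pkts:bytes]"
# declares a chain; built-ins carry a real policy, user chains carry "-".

# user_chains: read iptables-save output on stdin, print "TABLE CHAIN" for
# every chain that is not one of the kernel's built-in chains.
user_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/  {
            chain = substr($1, 2)
            if (chain !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/)
                print table, chain
        }
    '
}

# classify_chain NAME: heuristic owner guess from the naming conventions
# visible in the ticket; anything else needs a manual look.
classify_chain() {
    case $1 in
        delegate_*|zone_*) echo firewall ;;
        MINIUPNPD*)        echo miniupnpd ;;
        *)                 echo other ;;
    esac
}

# firewall_chain_count: number of chains in the stdin dump attributed to the
# firewall package; 0 means only built-ins (or other programs') chains exist.
firewall_chain_count() {
    user_chains | while read -r table chain; do
        if [ "$(classify_chain "$chain")" = firewall ]; then echo "$chain"; fi
    done | wc -l | tr -d ' '
}

# Constructed sample in iptables-save format (not a capture from the device)
SAMPLE_DUMP='*filter
:INPUT ACCEPT [5:300]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [28:2020]
:delegate_input - [0:0]
:zone_lan_input - [0:0]
:syn_flood - [0:0]
-A INPUT -j delegate_input
-A delegate_input -i lo -j ACCEPT
-A delegate_input -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
COMMIT
*nat
:PREROUTING ACCEPT [6:332]
:POSTROUTING ACCEPT [62:4590]
:MINIUPNPD - [0:0]
:zone_lan_prerouting - [0:0]
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A zone_lan_prerouting -j MINIUPNPD
COMMIT'

# What a dump with the firewall really stopped looks like: built-ins only
BARE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | user_chains | while read -r table chain; do
    echo "$table $chain -> $(classify_chain "$chain")"
done
echo "firewall chains in sample: $(printf '%s\n' "$SAMPLE_DUMP" | firewall_chain_count)"
echo "firewall chains in bare:   $(printf '%s\n' "$BARE_DUMP" | firewall_chain_count)"
```

On a router where iptables-save is available, source the functions and feed it the live ruleset with "iptables-save | user_chains"; a non-empty result after a reboot with the init script disabled is the evidence the reporter is describing, whereas the built-in chains alone are not.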

comment:12 Changed 3 years ago by jow

Yep, that's indeed the point. As far as I can see, the firewall start and firewall hotplug respect the disabled state of the init script. Maybe LuCI or another program triggered a start. I will hopefully be able to investigate it tonight.
