Opened 8 years ago

Closed 8 years ago

Last modified 4 years ago

#6505 closed defect (fixed)

SSH/HTTP ports open to public and WAN forwarding not working in brcm47xx (trunk r19117)

Reported by: Sami Pelkonen <sami.s.pelkonen@…> Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: base system Version: Trunk
Keywords: firewall forwarding Cc:


Build a minimal setup for brcm47xx platform (trunk r19117) and flashed it on Asus WL-500gP. After boot, I'm unable to access public network from lan. Also noticed that local router ports (SSH and HTTP) where open towards public network.

After investigating the issue I found out that restarting /etc/init.d/firewall resolved the issue. Listings from iptables after boot and firewall restart showed that following rules where missing:

From forward chain: zone_wan_forward
From input chain: zone_wan

.. and also following chains where empty:
zone_wan_ACCEPT, zone_wan_DROP and zone_wan_REJECT

As a quick workaround I modified the startup sequence of firewall from 45 to 55 after generic daemons. This seems to give time for network to setup before firewall rules are applied..

I have attached config and iptables listings after boot and after firewall restart

Attachments (3)

.config (60.4 KB) - added by Sami Pelkonen <sami.s.pelkonen@…> 8 years ago.
OpenWRT configuration
iptables-boot (5.3 KB) - added by Sami Pelkonen <sami.s.pelkonen@…> 8 years ago.
iptables listing after boot
iptables-firewall-restart (5.9 KB) - added by Sami Pelkonen <sami.s.pelkonen@…> 8 years ago.
iptables listing after /etc/init.d/firewall restart

Download all attachments as: .zip

Change History (9)

Changed 8 years ago by Sami Pelkonen <sami.s.pelkonen@…>

OpenWRT configuration

Changed 8 years ago by Sami Pelkonen <sami.s.pelkonen@…>

iptables listing after boot

Changed 8 years ago by Sami Pelkonen <sami.s.pelkonen@…>

iptables listing after /etc/init.d/firewall restart

comment:1 Changed 8 years ago by anonymous

I can confirm this. Same here with Asus WL-500gP and Ahteros miniPCI card.

comment:2 Changed 8 years ago by anonymous

Tried r19180 and cant reach any host on wan side.

PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Port Unreachable
From icmp_seq=2 Destination Port Unreachable

Surprisingly router can catch ntp timeserver.

comment:3 Changed 8 years ago by anonymous

A restart of firewall seems to solve the problem. Someone can confirm this?

comment:4 Changed 8 years ago by cshore@…

Nope, for me. I'm on a brcm63xx, which makes me think that this issue is not architecture specific.

Damn stupid Akismet. Can somebody please beat Akismet over the head for for me. It's not like I've got any spamlike content here and smaller posts don't get rejected. I'm using the fact I have to do something to make it accept my post to rant about it's behaviour.

Can we at least know the rules Akismet uses so that we can have accepted posts?

What is wrong with this post? Is it the word firewall?

comment:5 Changed 8 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

The issue should be solved with r19232

comment:6 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

as closed .
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.