Changes in /etc/config/firewall


henriqsc

Apr 26, 2017, 11:20:50 AM
to OpenWISP
Hello everyone,

I noticed that after the openwisp_config service is run for the first time, /etc/config/firewall is changed: all the rule and zone descriptions are changed, for example:

config rule
    option dst_port 'xxx'
    option target 'yyy'

is changed to:

config rule 'cfg0c932bd'
    option dst_port 'xxx'
    option target 'yyy'

I'm not sure if it's an openwisp intervention or something openwrt related, although I haven't found any explanation in the openwrt documentation so far. The configuration from the UI "download configuration" does not contain /etc/config/firewall.

Federico Capoano

Apr 26, 2017, 11:50:14 AM
to OpenWISP
It's an openwisp intervention:

You should not worry too much about this because in recent versions of LEDE and OpenWRT default UCI configurations will always have a default name.

Federico

henriqsc

Apr 26, 2017, 2:12:09 PM
to OpenWISP
Thanks, as long as these names don't change from device to device I think there will be no problem. 

One last question related to the firewall: I've been able to create several templates via JSON which are working neatly, but I'm struggling to build a JSON template that adds an interface to an existing wan zone.

Is it possible to configure zones using json advanced mode? 

I tried to define the zone inside the interface, but it seems that this sort of configuration must be done via firewall.

These are my references:

Federico Capoano

Apr 27, 2017, 8:22:33 AM
to open...@googlegroups.com
On Wed, Apr 26, 2017 at 8:12 PM henriqsc <henrique...@gmail.com> wrote:
Thanks, as long as these names don't change from device to device I think there will be no problem. 

One last question related to the firewall: I've been able to create several templates via JSON which are working neatly, but I'm struggling to build a JSON template that adds an interface to an existing wan zone.

Is it possible to configure zones using json advanced mode? 

I tried to define the zone inside the interface, but it seems that this sort of configuration must be done via firewall.

Yes, it's possible; you just have to figure out what the required UCI configuration to accomplish this is.

You may want to do this from LuCI, the OpenWRT web interface, and see how it changes the UCI files.
Then you can perform the same addition in your templates.

If you need help, send some examples.
Pay attention: that link points to the documentation of an old release of the configuration engine, which is 0.3.7, while the latest release is 0.5.5.

Please use this URL as a reference: http://netjsonconfig.openwisp.org/en/stable/

henriqsc

Apr 27, 2017, 10:00:23 AM
to OpenWISP
Hi Federico thanks for the links. I'm looking for something like:

{
    "zone": [
        {
            "output": "ACCEPT",
            "input": "REJECT",
            "forward": "REJECT",
            "name": "wan",
            "network": "wan wan3g"
        }
    ]
}

To get something like:

config zone 'rule_name_here'
        option output 'ACCEPT'
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option network 'wan wan3g'

Apparently I need the correct key for "zone".

As a rule I always test via UCI configuration first, then check that the changes were applied in the OpenWrt UI; then I create the JSON and test it via the netjsonconfig command line, and if everything looks ok I create the template via advanced mode, apply it to the device and test again to have an "approved" template.

Federico Capoano

Apr 27, 2017, 12:15:16 PM
to OpenWISP
Consult this section of the docs:
http://netjsonconfig.openwisp.org/en/stable/backends/openwrt.html#all-the-other-settings

The following NetJSON:

{
    "firewall": [
        {
            "config_name": "zone",
            "config_value": "wan",
            "name": "wan",
            "output": "ACCEPT",
            "input": "REJECT",
            "forward": "REJECT",
            "network": ["wan", "wan3g"]
        }
    ]
}

Produces:

package firewall

config zone 'wan'
option forward 'REJECT'
option input 'REJECT'
option name 'wan'
list network 'wan'
list network 'wan3g'
option output 'ACCEPT'

I hope it helps.
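As an added illustration (not netjsonconfig's own code, nor anything from this thread's authors), the rendering rule behind Federico's sample can be reproduced in a few lines of Python: each item of the `firewall` list names its UCI section type with `config_name` and its section name with `config_value`, remaining string values become `option` lines and list values become `list` lines. The alphabetical key order of the output and the function names `render_section`, `render_package` and `zone_networks` are assumptions; the `zone_networks` helper is a small check a template author can run to confirm an interface really landed in the intended zone before applying the template to devices.

```python
NETJSON = {  # constructed sample: the NetJSON from Federico's reply
    "firewall": [
        {
            "config_name": "zone",
            "config_value": "wan",
            "name": "wan",
            "output": "ACCEPT",
            "input": "REJECT",
            "forward": "REJECT",
            "network": ["wan", "wan3g"],
        }
    ]
}


def render_section(item: dict) -> str:
    """config_name -> section type, config_value -> section name (optional),
    strings -> option, lists -> list; keys sorted (assumed ordering)."""
    if "config_name" not in item:
        raise ValueError("config_name (the UCI section type) is required")
    header = f"config {item['config_name']}"
    if item.get("config_value"):  # omitted for an anonymous section
        header += f" '{item['config_value']}'"
    lines = [header]
    for key in sorted(k for k in item if k not in ("config_name", "config_value")):
        value = item[key]
        if isinstance(value, list):
            lines.extend(f"list {key} '{v}'" for v in value)
        else:
            lines.append(f"option {key} '{value}'")
    return "\n".join(lines)


def render_package(netjson: dict, package: str = "firewall") -> str:
    """Render every item under netjson[package] into one UCI package file."""
    sections = [render_section(i) for i in netjson.get(package, [])]
    return f"package {package}\n\n" + "\n\n".join(sections) + "\n"


def zone_networks(uci_text: str, zone: str) -> list:
    """Networks attached to `zone` in rendered UCI text (a template check)."""
    networks, in_zone = [], False
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_zone = line == f"config zone '{zone}'"
        elif in_zone and line.startswith("list network "):
            networks.append(line.split("'")[1])
    return networks
```

Running `render_package(NETJSON)` reproduces the `package firewall` output quoted above line for line, and `zone_networks(..., "wan")` returns `["wan", "wan3g"]`.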
