Question

Hello,

Is it possible to change order of firewall rules on TRB140 (TRB1400_R_00.01.05) using LuCI?

Thank you in advance

Comments

Hello, it's implemented in TRB1400_R_00.01.06., thank you.

Answer 1

Hi,

I assume you mean uci and if I'm correct then yes, it's possible. Possible but clumsy, since uci is not really meant for settings firewall rule numbers.

Firewall rules are stored in the /etc/config/firewall file and their order depends on their positions in that file:

• Rule 0 is Allow-DHCP-Renew
• Rule 1 is Allow-Ping
• etc...

So, for example, to switch Rule 0 and Rule 1, you would have to either change each option in the rules or delete them both and add them back in a different (which I will demonstrate below).

1. Use uci show firewall to see the rules in uci format (output abridged for clarity):

• ...
• firewall.@rule[0]=rule
• firewall.@rule[0].name='Allow-DHCP-Renew'
• firewall.@rule[0].src='wan'
• firewall.@rule[0].proto='udp'
• firewall.@rule[0].dest_port='68'
• firewall.@rule[0].target='ACCEPT'
• firewall.@rule[0].family='ipv4'
• firewall.@rule[1]=rule
• firewall.@rule[1].src='wan'
• firewall.@rule[1].src_ip='fc00::/6'
• firewall.@rule[1].dest_ip='fc00::/6'
• firewall.@rule[1].dest_port='546'
• firewall.@rule[1].target='ACCEPT'
• firewall.@rule[1].name='Allow-Ping'
• firewall.@rule[1].proto='icmp'
• firewall.@rule[1].icmp_type='echo-request'
• firewall.@rule[1].family='ipv4'
• ...

2. Delete both rules:

• uci delete firewall.@rule[0]
• uci delete firewall.@rule[1]

3. Now add them back but in a reverse order:

• uci set firewall.@rule[0]=rule
• uci set firewall.@rule[0].name='Allow-Ping'
• uci set firewall.@rule[0].src='wan'
• uci set firewall.@rule[0].proto='icmp'
• uci set firewall.@rule[0].icmp_type='echo-request'
• uci set firewall.@rule[0].family='ipv4'
• uci set firewall.@rule[0].target='ACCEPT'
• uci set firewall.@rule[1]=rule
• uci set firewall.@rule[1].name='Allow-DHCP-Renew'
• uci set firewall.@rule[1].src='wan'
• uci set firewall.@rule[1].proto='udp'
• uci set firewall.@rule[1].dest_port='68'
• uci set firewall.@rule[1].target='ACCEPT'
• uci set firewall.@rule[1].family='ipv4'

4. Execute uci commit
5. Execute /etc/init.d/firewall restart
6. The rules' order should have changed.

Comments

Thank you for your answer!

I meant LuCI – Web interface.. I do not see how to do it using WebUI and that's strange..

It's not that I want to reoder those rules in screenshot, I do not see any buttons to select rules/move up/move down..

---

I'm sorry, I made it way too complicated then. :D

In the web interface you should be able to drag and drop the rules in the positions you want.

---

I can't find an appropriate gif, but it's similar to this: https://wiki.teltonika.lt/wikibase/images/4/4a/Networking_rutx_manual_wan_interface_setup_v1.gif

---

It's not working with „Firefox 70.0.1“ and „Chromium 78.0.3904.97“ then..

(click on the image to see screen capture..)

Thanks for trying to help :D

---

I'll check back with you tomorrow, I don't have a TRB on hand to test at this moment.

---

Thanks! I can report more bugs I have encountered on the first day...

---

Ok, looks like I was wrong. It's implemented in RUTX, but not yet in TRB14x.. So, it's not a bug, it's just that the feature isn't there yet. I made a request to add to a future firmware.

Sure, if you find any bugs it will be appreciated if you report them. Only I would suggest opening a different ticket for that.

---

So, it's not a bug, it's just that the feature isn't there yet. I made a request to add to a future firmware.

Order of rules is important thing in firewalls. It's a must having possibility to re-oder rules.

Are you saying that TRB140 is not "production ready" device and is still in early development?

---

Not necessarily early development, but not yet in mass production. Plus, we add features as we go, based on customer demand. But I agree with you 100 %, you should be able to change firewall rule order. I have registered this case, the feature will be added in the next FW.