0 votes
2,014 views 10 comments
by anonymous

Hello,

Is it possible to change the order of firewall rules on TRB140 (TRB1400_R_00.01.05) using LuCI?

Thank you in advance

by anonymous
Hello, it's implemented in TRB1400_R_00.01.06, thank you.

1 Answer

0 votes
by anonymous

Hi,

I assume you mean uci and, if I'm correct, then yes, it's possible. Possible but clumsy, since uci is not really meant for setting firewall rule numbers.

Firewall rules are stored in the /etc/config/firewall file and their order depends on their positions in that file:

  • Rule 0 is Allow-DHCP-Renew
  • Rule 1 is Allow-Ping
  • etc...
So, for example, to switch Rule 0 and Rule 1, you would have to either change each option in the rules or delete them both and add them back in a different order (which I will demonstrate below).
  1. Use uci show firewall to see the rules in uci format (output abridged for clarity):
  • ...
  • firewall.@rule[0]=rule
  • firewall.@rule[0].name='Allow-DHCP-Renew'
  • firewall.@rule[0].src='wan'
  • firewall.@rule[0].proto='udp'
  • firewall.@rule[0].dest_port='68'
  • firewall.@rule[0].target='ACCEPT'
  • firewall.@rule[0].family='ipv4'
  • firewall.@rule[1]=rule
  • firewall.@rule[1].src='wan'
  • firewall.@rule[1].target='ACCEPT'
  • firewall.@rule[1].name='Allow-Ping'
  • firewall.@rule[1].proto='icmp'
  • firewall.@rule[1].icmp_type='echo-request'
  • firewall.@rule[1].family='ipv4'
  • ...
  2. Delete both rules, highest index first (deleting @rule[0] first shifts every remaining rule down by one index, so a following delete of @rule[1] would remove the wrong rule):
  • uci delete firewall.@rule[1]
  • uci delete firewall.@rule[0]
  3. Now add them back in reverse order. uci add firewall rule creates a new anonymous rule section, which @rule[-1] (the last rule) then refers to:
  • uci add firewall rule
  • uci set firewall.@rule[-1].name='Allow-Ping'
  • uci set firewall.@rule[-1].src='wan'
  • uci set firewall.@rule[-1].proto='icmp'
  • uci set firewall.@rule[-1].icmp_type='echo-request'
  • uci set firewall.@rule[-1].family='ipv4'
  • uci set firewall.@rule[-1].target='ACCEPT'
  • uci add firewall rule
  • uci set firewall.@rule[-1].name='Allow-DHCP-Renew'
  • uci set firewall.@rule[-1].src='wan'
  • uci set firewall.@rule[-1].proto='udp'
  • uci set firewall.@rule[-1].dest_port='68'
  • uci set firewall.@rule[-1].target='ACCEPT'
  • uci set firewall.@rule[-1].family='ipv4'
  4. Execute uci commit
  5. Execute /etc/init.d/firewall restart
  6. The rules' order should have changed (check with uci show firewall). Note that uci add appends, so the two rules now sit after the remaining rules, with Allow-Ping ahead of Allow-DHCP-Renew; uci reorder firewall.@rule[-1]=<position> moves a section to an absolute position in the config file if they have to go back to the top.
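The delete-and-re-add dance above is needed only because uci has no "move rule up" verb by name. It does, however, have `uci reorder <config>.<section>=<position>`, where the position is the section's index counted over every section in /etc/config/firewall (defaults, zones and forwardings included), not the `@rule[N]` index. The script below is an added example, not code from the original thread or from Teltonika or OpenWrt: it parses `uci show firewall` output to find the absolute position of a rule by its `name` option and emits the `uci reorder` command that places one rule directly ahead of another. The `uci show firewall` output it reads is a constructed sample standing in for the live command, and the function names `find_rule` and `move_rule_before` are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the vendor): reorder a firewall
# rule by name with `uci reorder`, which takes an absolute section position.
# The position is derived from `uci show firewall` output rather than counted
# by hand, because sections that precede the rules (defaults, zones, ...)
# shift it.

# Constructed sample of `uci show firewall` output (abridged) so the script
# runs offline; on a device, pass 'uci show firewall' as the third argument.
sample_uci_show() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].proto='udp'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].proto='icmp'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
EOF
}

# Print "<position> <section>" for the rule whose name option equals $1,
# reading `uci show firewall` lines on stdin.  Section lines look like
# "firewall.@rule[1]=rule" (no dot before '='); option lines look like
# "firewall.@rule[1].name='Allow-Ping'".  Every section line, of any type,
# advances the absolute position that `uci reorder` expects.
find_rule() {
    want="$1"
    pos=-1
    sec=""
    while IFS= read -r line; do
        rest="${line#firewall.}"
        lhs="${rest%%=*}"
        rhs="${rest#*=}"
        case "$lhs" in
            *.*)   # option line: <section>.<option>=<value>
                opt="${lhs##*.}"
                if [ "$opt" = "name" ] && [ "$rhs" = "'$want'" ] \
                   && [ "${lhs%.*}" = "$sec" ]; then
                    printf '%s %s\n' "$pos" "$sec"
                    return 0
                fi
                ;;
            *)     # section line: remember it and bump the position
                pos=$((pos + 1))
                sec="$lhs"
                ;;
        esac
    done
    return 1
}

# Emit the uci commands that move rule $1 directly ahead of rule $2.
# `uci reorder` places the section at the given absolute index, so when the
# moved rule currently sits after the target, taking the target's index puts it
# immediately before the target and pushes the target down by one.
move_rule_before() {
    show="$3"                       # producer of `uci show firewall` output
    [ -n "$show" ] || show=sample_uci_show
    a=$($show | find_rule "$1") || { echo "rule '$1' not found" >&2; return 1; }
    b=$($show | find_rule "$2") || { echo "rule '$2' not found" >&2; return 1; }
    a_pos=${a%% *}; a_sec=${a#* }
    b_pos=${b%% *}
    if [ "$a_pos" -lt "$b_pos" ]; then
        echo "# '$1' already precedes '$2'; nothing to do"
        return 0
    fi
    printf 'uci reorder firewall.%s=%s\n' "$a_sec" "$b_pos"
    echo 'uci commit firewall'
    echo '/etc/init.d/firewall restart'
}

# Dry run against the sample.  On a live device, review and then apply with:
#   move_rule_before Allow-Ping Allow-DHCP-Renew 'uci show firewall' | sh
move_rule_before Allow-Ping Allow-DHCP-Renew
```

The script prints the commands instead of running them so the resulting `uci reorder` line can be checked against `uci show firewall` before anything is committed; piping it to `sh` applies the change. After the restart, `iptables -S input_wan_rule` (or the equivalent chain on the device) is the authoritative place to confirm that the rule order the firewall actually enforces matches the config.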
by anonymous
Thank you for your answer!

I meant LuCI, the web interface. I do not see how to do it using the WebUI and that's strange.

It's not that I want to reorder those rules in the screenshot; I do not see any buttons to select rules/move up/move down.
by anonymous
I'm sorry, I made it way too complicated then. :D

In the web interface you should be able to drag and drop the rules in the positions you want.
by anonymous

It's not working with "Firefox 70.0.1" and "Chromium 78.0.3904.97" then.

(Click on the image to see the screen capture.)

Thanks for trying to help :D

by anonymous
I'll check back with you tomorrow, I don't have a TRB on hand to test at this moment.
by anonymous
Thanks! I can report more bugs I have encountered on the first day...
by anonymous
Ok, looks like I was wrong. It's implemented in RUTX, but not yet in TRB14x. So, it's not a bug, it's just that the feature isn't there yet. I made a request to add it to a future firmware.

Sure, if you find any bugs it will be appreciated if you report them. Only I would suggest opening a different ticket for that.
by anonymous

So, it's not a bug, it's just that the feature isn't there yet. I made a request to add it to a future firmware.

The order of rules is an important thing in firewalls. Having the possibility to reorder rules is a must.

Are you saying that TRB140 is not "production ready" device and is still in early development?

by anonymous
Not necessarily early development, but not yet in mass production. Plus, we add features as we go, based on customer demand. But I agree with you 100%, you should be able to change the firewall rule order. I have registered this case; the feature will be added in the next FW.