Disabling firewall locked router

gds

Occasional Visitor
rt-ac56u Firmware:3.0.0.4.374.39 (Merlin build)

I wanted to disable the firewall for a short test from the WAN side. Using the web gui I set the "Enable Firewall" selection to "No" and applied the setting. The router never came back online even after a couple power cycles (couldn't ping it). A set to factory default using the reset switch (holding it for 5 seconds) finally brought it back again. Seems like a bug.

-gds
 
Was this testing done after resetting to defaults first and manually entering any setup info (i.e. not restoring a backup configuration file)?
 
Was this testing done after resetting to defaults first and manually entering any setup info (i.e. not restoring a backup configuration file)?

Before I disabled the firewall, the router was set to my personal custom settings, mainly a few fixed dhcp host address and names on the LAN side and enabling ssh on wan. I didn't have a saved setup info file so I had to manually re-enter my router configuration after resetting to factory default. Other non-gui settings, saved to /jffs, were preserved.

So before I disabled the firewall, I didn't reset back to defaults first. I was running with my custom configuration when I did that and it messed up something it seems.
 
No, I don't mean resetting to defaults before disabling the firewall; I think you did this right. Could be a real bug for RMerlin to track down.
 
Tested on my RT-AC56U and I had no trouble accessing the router after disabling its firewall and rebooting it a few times.

If you have done any "customization" at the iptables level then one of these might be causing an issue with the resulting rulesets.
 
Tested on my RT-AC56U and I had no trouble accessing the router after disabling its firewall and rebooting it a few times.

Are you saying it didn't come back after disabling firewall so you had to reboot a few times to get it back? If so, I only rebooted maybe twice with no effect.

If you have done any "customization" at the iptables level then one of these might be causing an issue with the resulting rulesets.

Here's what I have in firewall-start (where ***.***.***.*** == work IP addr):
Code:
#!/bin/sh

# Special firewall rules to allow only ssh access from work IP address
#
iptables -D INPUT -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 --source ***.***.***.*** -j ACCEPT
iptables -A INPUT -j DROP
 
Are you saying it didn't come back after disabling firewall so you had to reboot a few times to get it back? If so, I only rebooted maybe twice with no effect.

No, I'm saying it worked fine after the first reboot, and also after every subsequent reboot.

Here's what I have in firewall-start (where ***.***.***.*** == work IP addr):
Code:
#!/bin/sh

# Special firewall rules to allow only ssh access from work IP address
#
iptables -D INPUT -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 --source ***.***.***.*** -j ACCEPT
iptables -A INPUT -j DROP

Well, if you have a default policy of DROP in the INPUT chain and you tell the router not to configure any rule (by disabling the firewall), you will have a problem for sure.
 
Well, if you have a default policy of DROP in the INPUT chain and you tell the router not to configure any rule (by disabling the firewall), you will have a problem for sure.

Are you maybe saying my firewall-start file should look like this?:
Code:
#!/bin/sh

# Special firewall rules to allow only ssh access from work IP address
#
iptables -D INPUT -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 --source ***.***.***.*** -j ACCEPT
iptables -A INPUT -i eth0 -j DROP

The /tmp/filter_default also contains INPUT drop for all interfaces as default (last rule in input chain):

Code:
:
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
:

Seems this would have the same problem if I try to disable the firewall when there is no /jffs/scripts/firewall-start? But you say yours works OK with just this default?

-gds
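
Added example, not part of any post in the thread: a small Python model of first-match evaluation in the INPUT chain, comparing the posted firewall-start with the revised one (final DROP limited to eth0) when the router's own rules are present and when they are not. It assumes that disabling the firewall leaves INPUT empty with policy ACCEPT; the work IP and the sample packets are constructed.

```python
# Added illustration: first-match evaluation of the INPUT chain.
# Assumptions (not from the thread): with "Enable Firewall" = No the chain
# starts empty with policy ACCEPT; WORK_IP is a constructed stand-in.
WORK_IP = "198.51.100.7"

DEFAULT_RULES = [  # the /tmp/filter_default excerpt quoted in the thread
    ({"state": "INVALID"}, "DROP"),
    ({"state": ("RELATED", "ESTABLISHED")}, "ACCEPT"),
    ({"iface": "lo", "state": "NEW"}, "ACCEPT"),
    ({"iface": "br0", "state": "NEW"}, "ACCEPT"),
    ({}, "DROP"),
]

def matches(match, pkt):
    """A rule matches when every field it names equals the packet's value."""
    for key, want in match.items():
        allowed = want if isinstance(want, tuple) else (want,)
        if pkt.get(key) not in allowed:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return policy

def build_chain(firewall_enabled, final_drop_match):
    """Router-generated rules (if any) followed by firewall-start's 3 commands."""
    chain = list(DEFAULT_RULES) if firewall_enabled else []
    if ({}, "DROP") in chain:            # iptables -D INPUT -j DROP
        chain.remove(({}, "DROP"))       # nothing to delete when chain is empty
    ssh = {"iface": "eth0", "proto": "tcp", "dport": 22, "src": WORK_IP}
    chain.append((ssh, "ACCEPT"))        # iptables -A INPUT ... -j ACCEPT
    chain.append((final_drop_match, "DROP"))  # iptables -A INPUT [-i eth0] -j DROP
    return chain

# Constructed sample packets
LAN_GUI = {"iface": "br0", "proto": "tcp", "dport": 80, "src": "192.168.1.10", "state": "NEW"}
WAN_SSH_WORK = {"iface": "eth0", "proto": "tcp", "dport": 22, "src": WORK_IP, "state": "NEW"}
WAN_SSH_OTHER = dict(WAN_SSH_WORK, src="203.0.113.9")

if __name__ == "__main__":
    for enabled in (True, False):
        for label, drop in (("posted", {}), ("revised", {"iface": "eth0"})):
            chain = build_chain(enabled, drop)
            print(f"firewall={enabled} script={label}:",
                  {n: verdict(chain, p) for n, p in
                   (("lan_gui", LAN_GUI), ("wan_ssh_work", WAN_SSH_WORK), ("wan_ssh_other", WAN_SSH_OTHER))})
```

With the router's rules absent, the posted script leaves the ssh ACCEPT and a catch-all DROP as the only rules, so LAN traffic on br0 is dropped; with the final DROP limited to eth0, LAN traffic falls through to the chain policy.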
 
