Opened 5 years ago

Closed 5 years ago

Last modified 2 years ago

#10093 closed defect (worksforme)

Cannot configure rules for INPUT chain with luci-app-firewall (Can't open ports for access from WAN)

Reported by: dancho Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: luci-app-firewall WAN ports zone_wan cannot open Cc:

Description

I tried and failed to open up a single port and a port range using luci-app-firewall for access from the WAN (the Internet). The objective is to be able to allow access to services running on the router itself from the Internet.

The following example config entry:

config 'rule'
    option 'target' 'ACCEPT'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '1234'
    option '_name' 'open-port-to-Internet'

in /etc/config/firewall places a rule in zone_wan, which, even though it is named zone_wan, also houses the rule which permits access to the DHCP service running on the router for computers on the *LAN*.

Here is the entry for DHCP:

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

which also goes into zone_wan (why you would want the WAN to be able to query the DHCP server is beyond me :D, so good thing it doesn't work).

I've scanned port 68 on the router from the outside with nmap, and the result is:

$ nmap -p 68 my.external.ip.address

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-13 11:27 EDT
...
PORT STATE SERVICE
68/tcp filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 0.898 seconds

I hope this is a mistake on my part, but if it isn't, then I hope this bug report hits the spot!

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by jow

  • Resolution set to worksforme
  • Status changed from new to closed

The port 68 rule is not for LAN DHCP but for WAN DHCP requests, see #4108. As for the other rule, I do not know what your point is here. Your nmap invocation neither scanned UDP nor port 1234. Additionally, input rules work as expected here.
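To make the point above concrete (nmap's default TCP probe of port 68 exercises neither of the quoted rules, which match UDP only), here is an added example that is not part of the ticket or of OpenWrt: a small parser for the two `config rule` sections from the description that reports which one would accept a given probe against the router's INPUT chain. The first-match ordering, the REJECT default input policy for wan and the DROP default target are assumptions.

```python
"""Parse UCI firewall 'config rule' sections and ask which one would accept
a probe hitting the router's INPUT chain. Added example, not OpenWrt's code."""
import re

# Constructed sample: the two rules quoted in the ticket description.
SAMPLE_CONFIG = """
config 'rule'
    option 'target' 'ACCEPT'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '1234'
    option '_name' 'open-port-to-Internet'
config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
"""

def parse_rules(text):
    """Return one dict of options per 'config rule' section, in file order."""
    sections = []
    for line in text.splitlines():
        sec = re.match(r"\s*config\s+'?(\w+)'?", line)
        if sec:
            sections.append({".type": sec.group(1)})
        elif sections:
            opt = re.match(r"\s*option\s+'?(\w+)'?\s+'?([^'\s]+)'?", line)
            if opt:
                sections[-1][opt.group(1)] = opt.group(2)
    return [s for s in sections if s[".type"] == "rule"]

def port_matches(spec, port):
    """dest_port is a single port or a 'lo-hi' range."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def input_verdict(rules, src_zone, proto, port):
    """A rule with 'src' but no 'dest' lands in that zone's INPUT chain
    (zone_wan for src=wan). First match wins; no match -> assumed REJECT."""
    for r in rules:
        if r.get("dest") or r.get("src") != src_zone:
            continue  # forward rule, or another zone's chain
        if proto not in r.get("proto", "tcpudp").replace("tcpudp", "tcp udp").split():
            continue
        if "dest_port" in r and not port_matches(r["dest_port"], port):
            continue
        return r.get("target", "DROP")  # assumed default target
    return "REJECT"
```

`input_verdict(parse_rules(SAMPLE_CONFIG), "wan", "tcp", 68)` yields REJECT, while `("wan", "udp", 1234)` yields ACCEPT, which is the difference between what was scanned and what the rule opens.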

comment:2 Changed 5 years ago by dancho

You're right, I re-tested carefully, and the zone_wan rule does do the expected thing. I've no idea why my testing was showing otherwise all day yesterday...

Can you please tell me, if it's not too much of a bother, why you would want port 68 open to the world by default? Why would we serve DHCP leases through the WAN port?

comment:3 Changed 5 years ago by jow

Read #4108 - it is not about serving leases but receiving renews.

comment:4 Changed 2 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
