Bug #345

I was about to report the same issue - but in my case I am using the newer build r31204 (Apr 6) with the 3.3.1 kernel. Same error though:

The syntax expected by the web interface and the syntax in the file have diverged.

On my todo list is to rebuild the firewall rules from scratch to handle ipv6 and the guest zone and mesh networking concepts well.

If you’d like to take a crack at it, grab the firewall rules file and put it somewhere,
take the existing one in an editor (both vi and zile are available)
and eliminate all the rules, and then re-enter them via the web interface…

Attached a syntactally correct version, that may or may not be logically correct.
I would appreciate testing. It MAY need the /etc/firewall.user file explicitly included
and that file needs work too.

I note that the Device naming scheme is designed to make it possible to create much more effecient firewall rules, but the gui will not accept the syntax required, so it has a tendency to create
O (n) sorts of rules that scale really badly.

The original ‘dream’ of syntax was you’d use the inherent iptables + pattern match to create a zone.

iptables -I FORWARD -i g+ -o s+ -g do_some_secure processing
iptables -I FORWARD -j ACCEPT # default free zone

is about 12 more rules efficient than the default rules generated which rapidly gets worse with vlans or ipv6 in the mix. (it scales O (n))

Similarly the rules don’t sort by traffic pattern but by logic, so the default openwrt rules currently send everything through an enormous and unneeded icmp chain instead of first matching on the most common protocols.

Regrettably a gui programmer hasn’t shown up that can do that. Writing a script for it is straightforward, but then I lose the gui audience. Alternate solutions are highly desired.

There are also some issues along the lines of bugs #195 and #352 .

While we made great progress today towards getting the gui to work and ipv6 to work, I needed to put up some documentation on what I’d wanted to do in the first place, which is called CeroWall. I have ENOTIME to make CeroWall work, but when you look at the default openwrt firewall rules, the simplicity I describe with this alternative (with a few clever pattern matches) seems appealing.

The next build (3.3.2-3) will have working firewall rules viewable in the web browser.

They may not be perfect… and suggestions are highly desired.

fixed in 3.3.2