Firewall issues

[-BW-]

I have a few issues regarding the firewall configuration.

1: Error message:
When I restart the firewall using SSH I get this error message regarding a forward-rules:

Code: Select all

Warning: Section 'redirect_enabled_number_0' has no target specified, defaulting to DNAT

The rule is created in the GUI but it looks like this in the "/etc/config/firewall" file

Code: Select all

config redirect 'redirect_enabled_number_0'
     	option name 'SMTP(25)'
     	option src 'wan'
     	option dest 'lan'
     	option proto 'tcp'
     	option src_dport '25'
     	option dest_ip '10.0.0.100'
     	option dest_port '25'

Should I just add "option target 'ACCEPT'"?

2: Creating new rule:
It seems creating blocking rules in the GUI is not working very well by the look of the threads about the subject on the internet and my own experience.
I wanna block an external SMTP server, let's say IP: 80.62.117.12, port: 25 (but ONLY port 25, e.g. 110 should be accepted)
I'm all new to Gargoyle/OpenWRT, but my guess is I have these options:
1: Do it on the web gui (doesn't work).
2: Edit the /etc/config/firewall file by adding something like:

Code: Select all

config rule
   	option src 			wan
   	option dest			lan
   	option src_ip		80.62.117.12
   	option dest_port 	25       
   	option target		REJECT

or

Code: Select all

config restriction_rule 'rule_3'
   	option is_ingress '0'
   	option description 'Block IP'
   	option remote_addr '80.62.117.12'
   	option remote_port '25'
   	option local_port '25'
   	option proto 'both'
   	option enabled '1'

3: Add a iptables command in the /config/firewall.user file, something like this:

Code: Select all

iptables -A INPUT -s 80.62.117.12 -p tcp --destination-port 25 -j DROP

Can someone guide in the right direction, what is the best approach and how do I do it?

Thanks in advance.

Using:
Gargoyle Version:1.7.0 on TP-Link WR1043ND

[nworbnhoj]

Warning: Section 'redirect_enabled_number_0' has no target specified, defaulting to DNAT

I restarted the firewall on 1.7.1 and did not see this error.

There was however:

Code: Select all

* Running script '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
iptables v1.4.21: Couldn't load match `layer7':No such file or directory

which I guess is simply there because I do not have any layer7 rules setup.

[nworbnhoj]

I wanna block an external SMTP server, let's say IP: 80.62.117.12, port: 25 (but ONLY port 25, e.g. 110 should be accepted)

On 1.7.1 GUI I configured this rule

-BW-.jpg (35.91 KiB) Viewed 5568 times

The change was reflected in /etc/config/firewall

Code: Select all

config restriction_rule 'rule_1'
	option is_ingress '0'
	option description '-BW-'
	option remote_addr '80.62.117.12'
	option remote_port '25'
	option proto 'both'
	option enabled '1'

[rseiler]

Should I just add "option target 'ACCEPT'"?

Not sure about that, but OpenWRT uses this. I wonder why Gargoyle doesn't? Yes, as the error messages says, it defaults to DNAT, but why not include it automatically to avoid the errors?

Code: Select all

option target 'DNAT'

I restarted the firewall on 1.7.1 and did not see this error.

Do you have any forwarding rules?

[rseiler]

There's one other odd warning that I've seen (1.9.1):

"Warning: Option @defaults[0].enforce_dhcp_assignments is unknown."

This is despite "Enforce DHCP assignments" being set in the UI.

I don't know what setting that's supposed to correspond to in the file system, so I can't check to see if it's actually there.