Bug or misunderstanding in firewall rules

If I add a rule without specifying a protocol, instead of one rule with protocol=all, two rules end up getting added to iptables: one for udp and one for tcp. ICMP packets aren't affected.
I tried to add a rule to block all traffic from br-lan_2 (VLAN 2) being forwarded to the LAN zone.

I see with uci show:

    firewall.@rule[11].name='isolate guest'
    firewall.@rule[11].target='REJECT'
    firewall.@rule[11].device='br-lan_2'
    firewall.@rule[11].direction='in'
    firewall.@rule[11].src='lan'
    firewall.@rule[11].dest='lan'

I see with iptables -vL:

    2   180 zone_lan_dest_REJECT  tcp  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */
    0     0 zone_lan_dest_REJECT  udp  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */

If I do: uci set firewall.@rule[11].proto='all'
and restart the firewall, I see instead:

    0     0 zone_lan_dest_REJECT  all  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */

Am I correct that this is a bug?

Yes, that's a bug from OpenWrt's odd handling of rules without any protocol specified: it assumes TCP+UDP, like you're seeing there. I'm changing the firmware to make omitted protocol == any, as would be expected.

Thanks for the report!

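The thread's point is that the rule you wrote and the rule the kernel enforces can differ, and the only reliable check is the live `iptables` listing. The script below is an added example, not code from the thread or from fw3: it reads an `iptables -vL` listing, finds every entry tagged with a given fw3 rule name (fw3 tags them as `/* !fw3: <name> */`, as seen above), and reports whether the rule matches all protocols or only the tcp+udp pair produced by a rule saved without `proto`. The two listings embedded in it are constructed from the thread's output for offline use; the chain header line and the unrelated "lan to wan" entry are filler, and the plain `iptables -vL` column layout without `--line-numbers` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from fw3): audit an `iptables -vL`
# listing for a named fw3 rule and report which protocols the kernel really
# matches, so a rule saved without `proto` (expanded by fw3 to tcp+udp) is
# caught before it is trusted to isolate a VLAN.
#
# Assumptions: plain `iptables -vL` columns (pkts bytes target prot opt in out
# source destination ...), no --line-numbers, and the fw3 comment format
# "/* !fw3: <rule name> */" shown in the thread. On a router, run:
#     iptables -vL | check_rule "isolate guest"

# Listing as the thread shows it for a rule with no proto: two entries.
# Constructed for offline use; the chain header and the last entry are filler.
LISTING_NO_PROTO=$(cat <<'EOF'
Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   180 zone_lan_dest_REJECT  tcp  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */
    0     0 zone_lan_dest_REJECT  udp  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: lan to wan */
EOF
)

# Listing after `uci set firewall.@rule[11].proto='all'`: a single entry.
# Constructed for offline use, same filler as above.
LISTING_ALL=$(cat <<'EOF'
Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 zone_lan_dest_REJECT  all  --  br-lan_2 any     anywhere             anywhere             /* !fw3: isolate guest */
    0     0 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: lan to wan */
EOF
)

# rule_protos NAME: read an iptables -vL listing on stdin and print the
# distinct protocol-column values of every entry tagged with that fw3 name,
# space separated (e.g. "tcp udp"), or nothing if the rule is absent.
rule_protos() {
    awk -v name="$1" 'index($0, "/* !fw3: " name " */") { print $4 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_rule NAME: exit 0 if the rule matches every protocol, 1 if it is
# limited to specific protocols (the tcp+udp expansion leaves ICMP and
# everything else unfiltered), 2 if no entry carries that name.
check_rule() {
    protos=$(rule_protos "$1")
    case "$protos" in
        "")
            echo "$1: no iptables entry found"
            return 2 ;;
        all)
            echo "$1: matches all protocols"
            return 0 ;;
        *)
            echo "$1: only matches [$protos]; set proto='all' on the uci rule"
            return 1 ;;
    esac
}

# Stand-alone demo over both constructed listings.
printf '%s\n' "$LISTING_NO_PROTO" | check_rule "isolate guest" || :
printf '%s\n' "$LISTING_ALL" | check_rule "isolate guest" || :
```

Run it after every firewall restart, or from a cron job, and treat a non-zero exit as a regression: the rule's name and target can look right in `uci show` while the kernel still forwards ICMP (and any other non-tcp/udp protocol) from the guest VLAN.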

When I use this, the rule looks good, but it does not work. It is as if it's not there, but if I change all to icmp, that works.

Can someone verify?
