Hi,
I've noticed that every time my WAN IP is renewed my firewall rules are flushed, even if the IP didn't change.
The DHCP client is configured to run /usr/share/udhcpc/default.script after every DHCP event. It passes the argument "renew" or "bound" to reflect the reason for the invocation. At the end of this script the firewall script is invoked.
Snippet from /usr/share/udhcpc/default.script
Code:
# Invoke NAT and Firewall
. /etc/linuxigd/FirewallConfig
if [ "$DmzEnable" = 1 ] && [ "$DmzDevices" != None ]; then
    /init/firewall $interface $ip br0 $IPRouters br1 $DmzIP
else
    /init/firewall $interface $ip br0 $IPRouters
fi
# 2003/09/23 by Joey
# nvram set wan_ifname=eth1
nvram set wan_ipaddr=$ip
Now, the /init/firewall script will start by clearing all settings. During this time packets are dropped (at least if that is your default target). By the way, could this be related to the reported dead WAN interface? For a short period of time your firewall rules will not be in place. For me this happens every 30 minutes.
Since the IP address is the only parameter of the /init/firewall script that can be changed by the DHCP client (not really true, the DNS address as well, but you get the picture), wouldn't it be better to flush the firewall rules only if there is a change in the parameters?
I'm thinking of something like:
Code:
# $1 is the reason udhcpc passes ("bound", "renew", ...); $ip is the new lease IP.
# Compare against the IP stored in nvram by the previous run (the plain
# shell variable $wan_ipaddr is never set here, so read it from nvram).
if [ "$(nvram get wan_ipaddr)" != "$ip" ] || [ "$1" != "renew" ]; then
    # Invoke NAT and Firewall
    . /etc/linuxigd/FirewallConfig
    if [ "$DmzEnable" = 1 ] && [ "$DmzDevices" != None ]; then
        /init/firewall $interface $ip br0 $IPRouters br1 $DmzIP
    else
        /init/firewall $interface $ip br0 $IPRouters
    fi
    # 2003/09/23 by Joey
    # nvram set wan_ifname=eth1
    nvram set wan_ipaddr=$ip
fi
This way, the firewall rules are only flushed if the WAN IP is changed by the DHCP client or if the reason was not a renewal of the IP.
What do you think?
Cheers!
(I'm running Oleg's 1.7.5.9-5 firmware)
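Added example, not code from the post above or from Oleg's firmware: a stand-alone POSIX sh version of the "reload the firewall only when a renewal actually changed something" check, extended to compare the router and DNS servers as well as the IP, since the firewall script consumes those too. It assumes the variable names udhcpc exports to its script (ip, router, dns) and the reason in $1; nvram and /init/firewall are replaced by a state file (STATE_FILE) and a counting function (run_firewall) so it runs offline. The lease values at the bottom are constructed for the demo.

```sh
#!/bin/sh
# Decide whether a udhcpc event needs a firewall reload. The reason ($1 in
# default.script) and the lease parameters the firewall uses (ip, router,
# dns, as exported by udhcpc) are compared against the values last applied.
#
# Assumptions so this runs offline (not the firmware's real interfaces):
#   STATE_FILE stands in for "nvram get/set" of the last applied values.
#   run_firewall stands in for "/init/firewall ..." and only counts calls.
STATE_FILE="${STATE_FILE:-/tmp/udhcpc-fw-state.$$}"
RELOADS=0

# Last applied "ip router dns" line; empty if nothing was applied yet.
read_state() {
    if [ -r "$STATE_FILE" ]; then cat "$STATE_FILE"; fi
}

# Remember what the firewall was last configured with.
save_state() {
    printf '%s\n' "$1" > "$STATE_FILE"
}

# fw_needs_reload REASON IP ROUTER DNS -> exit 0 if the firewall must run.
fw_needs_reload() {
    reason=$1
    new="$2 $3 $4"
    old=$(read_state)
    case "$reason" in
        renew)
            # Same lease renewed: reload only if something the firewall
            # consumes actually changed (IP, gateway or DNS servers).
            if [ "$new" = "$old" ]; then return 1; fi
            return 0
            ;;
        *)
            # bound (new lease), deconfig (lease lost), nak: always reload.
            return 0
            ;;
    esac
}

# Stand-in for the real firewall script: counts reloads so the effect of
# the check is observable.
run_firewall() {
    RELOADS=$((RELOADS + 1))
    echo "firewall reload #$RELOADS: ip=$1 router=$2 dns=$3"
}

# What the tail of default.script would do. From the hook, call it as:
#   udhcpc_hook "$1" "$ip" "$router" "$dns"
udhcpc_hook() {
    if fw_needs_reload "$1" "$2" "$3" "$4"; then
        run_firewall "$2" "$3" "$4"
        save_state "$2 $3 $4"
    fi
}

# Constructed demo lease: a new lease, an unchanged renewal (no reload),
# a renewal with a new DNS server (reload), then another new lease (reload).
rm -f "$STATE_FILE"
udhcpc_hook bound 192.0.2.10 192.0.2.1 "192.0.2.53"
udhcpc_hook renew 192.0.2.10 192.0.2.1 "192.0.2.53"
udhcpc_hook renew 192.0.2.10 192.0.2.1 "192.0.2.54"
udhcpc_hook bound 192.0.2.10 192.0.2.1 "192.0.2.54"
```

Storing the whole "ip router dns" line rather than only the IP is the point of the extension: a renewal that hands out a new DNS server or gateway is still a change the firewall script was started with, so it is reloaded, while a renewal that changes nothing leaves the rules in place and avoids the window with no rules.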