fix: Simplify WAN access to DMZ-style open ports (v0.6.0-r36)

- Rewrite secubox-wan-access to use src="*" (all zones, DMZ style) - Remove firewall include script (was causing loops) - Keep only hotplug script for WAN interface up events - Rules saved in UCI persist across reboots - Firewall reload runs in background (&) to avoid blocking - secubox-core bumped to 0.9.0-3 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:31:26 +01:00 · 2026-01-08 17:31:26 +01:00 · 4eaf1cb27f
commit 4eaf1cb27f
parent 512ed12178
4 changed files with 41 additions and 118 deletions
--- a/package/secubox/secubox-core/Makefile
+++ b/package/secubox/secubox-core/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=secubox-core
 PKG_VERSION:=0.9.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_ARCH:=all
 PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=SecuBox Team
@ -79,9 +79,7 @@ define Package/secubox-core/install
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-sync-registry $(1)/usr/sbin/
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-wan-access $(1)/usr/sbin/
-	# WAN Access persistence (firewall include + hotplug)
+	# WAN Access hotplug for interface events
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_BIN) ./root/etc/firewall.secubox-wan $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	$(INSTALL_BIN) ./root/etc/hotplug.d/iface/99-secubox-wan $(1)/etc/hotplug.d/iface/
@ -140,15 +138,6 @@ EOF
 	# Register with rpcd
 	/etc/init.d/rpcd restart
 	# Setup firewall include for WAN access persistence (fw4 compatible)
 	if ! uci -q get firewall.secubox_wan_include >/dev/null 2>&1; then
 		uci set firewall.secubox_wan_include=include
 		uci set firewall.secubox_wan_include.path='/etc/firewall.secubox-wan'
 		uci set firewall.secubox_wan_include.type='script'
 		uci commit firewall
 		echo "SecuBox WAN access firewall include configured"
 	fi
 	# Sync component registry from catalog
 	if [ -x /usr/sbin/secubox-sync-registry ]; then
 		echo "Syncing component registry..."
--- a/package/secubox/secubox-core/root/etc/firewall.secubox-wan
+++ b/package/secubox/secubox-core/root/etc/firewall.secubox-wan
@ -1,16 +0,0 @@
 #!/bin/sh
 #
 # SecuBox WAN Access - Firewall Include Script
 # This script is called on every firewall reload to ensure WAN access rules persist
 #
 # Only run if secubox-wan-access exists
 [ -x /usr/sbin/secubox-wan-access ] || exit 0
 # Log the reload
 logger -t secubox-wan "Firewall reload detected - reapplying WAN access rules"
 # Apply WAN access rules from UCI config (noreload to avoid infinite loop)
 /usr/sbin/secubox-wan-access apply-noreload >/dev/null 2>&1
 exit 0
--- a/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
+++ b/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
@ -15,7 +15,7 @@ logger -t secubox-wan "WAN interface $INTERFACE up - reapplying WAN access rules
 # Small delay to ensure firewall is ready
 sleep 2
-# Apply WAN access rules
+# Apply WAN access rules (noreload to avoid loops)
-/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+/usr/sbin/secubox-wan-access apply-noreload >/dev/null 2>&1
 exit 0
--- a/package/secubox/secubox-core/root/usr/sbin/secubox-wan-access
+++ b/package/secubox/secubox-core/root/usr/sbin/secubox-wan-access
@ -1,90 +1,48 @@
 #!/bin/sh
 #
 # SecuBox WAN Access Manager
-# Manages firewall rules for remote access to LuCI/SecuBox
+# Opens ports completely (DMZ-style) for remote access
 #
 . /lib/functions.sh
 . /usr/share/libubox/jshn.sh
 RULE_PREFIX="secubox_wan"
-# Remove all SecuBox WAN access rules
+# Remove all SecuBox WAN access rules from UCI
-remove_rules() {
+remove_uci_rules() {
 	local changed=0
 	local sections=""
-	# Find and remove all secubox_wan rules
+	# Find all secubox_wan rules by name
-	while uci -q get firewall.@rule[-1] >/dev/null 2>&1; do
+	sections=$(uci show firewall 2>/dev/null | grep "\.name='${RULE_PREFIX}" | cut -d. -f2 | cut -d= -f1)
-		local name=$(uci -q get firewall.@rule[-1].name)
+
-		if echo "$name" | grep -q "^${RULE_PREFIX}"; then
+	for section in $sections; do
-			uci delete firewall.@rule[-1]
+		[ -n "$section" ] && {
 			uci delete "firewall.$section" 2>/dev/null
 			changed=1
-		else
+		}
 			break
 		fi
 	done
-	# Iterate through all rules to find secubox ones
+	[ "$changed" -eq 1 ] && uci commit firewall
-	local i=0
+	return $changed
 	while true; do
 		local name=$(uci -q get firewall.@rule[$i].name)
 		[ -z "$name" ] && break
 		if echo "$name" | grep -q "^${RULE_PREFIX}"; then
 			uci delete firewall.@rule[$i]
 			changed=1
 			# Don't increment i since indices shift after delete
 		else
 			i=$((i + 1))
 		fi
 	done
 	[ "$changed" -eq 1 ] && return 0
 	return 1
 }
-# Detect WAN zone name (fallback to '*' for any)
+# Add a simple firewall rule - open to ALL (DMZ style)
 get_wan_zone() {
 	# Try common WAN zone names
 	for zone in wan WAN external internet; do
 		if uci -q get firewall.@zone[] 2>/dev/null | grep -q "name='$zone'"; then
 			echo "$zone"
 			return
 		fi
 	done
 	# Check for zone with wan/wan6 network
 	local i=0
 	while true; do
 		local name=$(uci -q get firewall.@zone[$i].name 2>/dev/null)
 		[ -z "$name" ] && break
 		local network=$(uci -q get firewall.@zone[$i].network 2>/dev/null)
 		if echo "$network" | grep -qE '^wan|wan6|wan '; then
 			echo "$name"
 			return
 		fi
 		i=$((i + 1))
 	done
 	# No WAN zone found - use '*' for any source
 	echo "*"
 }
 # Add a firewall rule
 add_rule() {
 	local name="$1"
 	local port="$2"
 	local proto="${3:-tcp}"
 	local src="${4:-$(get_wan_zone)}"
 	uci add firewall rule >/dev/null
 	uci set firewall.@rule[-1].name="$name"
-	uci set firewall.@rule[-1].src="$src"
+	uci set firewall.@rule[-1].src="*"
 	uci set firewall.@rule[-1].dest_port="$port"
 	uci set firewall.@rule[-1].proto="$proto"
 	uci set firewall.@rule[-1].target="ACCEPT"
 	uci set firewall.@rule[-1].enabled="1"
 }
 # Apply rules based on secubox config
 # Note: noreload parameter skips firewall reload (used by firewall include to avoid loops)
 apply_rules() {
 	local noreload="$1"
@ -101,34 +59,34 @@ apply_rules() {
 	config_get ssh_port remote ssh_port "22"
 	# Remove existing rules first
-	remove_rules
+	remove_uci_rules
 	# Only add rules if WAN access is enabled
 	if [ "$enabled" = "1" ]; then
 		# HTTPS access
 		if [ "$https_enabled" = "1" ]; then
-			add_rule "${RULE_PREFIX}_https" "$https_port" "tcp" "wan"
+			add_rule "${RULE_PREFIX}_https" "$https_port" "tcp"
-			echo "Added HTTPS access rule (port $https_port)"
+			logger -t secubox-wan "Opened HTTPS port $https_port (all zones)"
 		fi
 		# HTTP access
 		if [ "$http_enabled" = "1" ]; then
-			add_rule "${RULE_PREFIX}_http" "$http_port" "tcp" "wan"
+			add_rule "${RULE_PREFIX}_http" "$http_port" "tcp"
-			echo "Added HTTP access rule (port $http_port)"
+			logger -t secubox-wan "Opened HTTP port $http_port (all zones)"
 		fi
 		# SSH access
 		if [ "$ssh_enabled" = "1" ]; then
-			add_rule "${RULE_PREFIX}_ssh" "$ssh_port" "tcp" "wan"
+			add_rule "${RULE_PREFIX}_ssh" "$ssh_port" "tcp"
-			echo "Added SSH access rule (port $ssh_port)"
+			logger -t secubox-wan "Opened SSH port $ssh_port (all zones)"
 		fi
 		uci commit firewall
 	fi
-	uci commit firewall
+	# Reload firewall unless called with noreload
 	# Only reload firewall if not called from firewall include (avoid infinite loop)
 	if [ "$noreload" != "noreload" ]; then
-		/etc/init.d/firewall reload >/dev/null 2>&1
+		/etc/init.d/firewall reload >/dev/null 2>&1 &
 	fi
 	echo "WAN access rules applied"
@ -148,17 +106,14 @@ status() {
 	config_get ssh_enabled remote ssh_enabled "0"
 	config_get ssh_port remote ssh_port "22"
-	echo "SecuBox WAN Access Status"
+	echo "SecuBox WAN Access Status (DMZ Mode)"
-	echo "========================="
+	echo "====================================="
 	echo "Master switch: $([ "$enabled" = "1" ] && echo "ENABLED" || echo "DISABLED")"
 	echo ""
-	echo "Services:"
+	echo "Open Ports (all zones):"
-	echo "  HTTPS (port $https_port): $([ "$https_enabled" = "1" ] && echo "ENABLED" || echo "disabled")"
+	echo "  HTTPS (port $https_port): $([ "$https_enabled" = "1" ] && echo "OPEN" || echo "closed")"
-	echo "  HTTP  (port $http_port): $([ "$http_enabled" = "1" ] && echo "ENABLED" || echo "disabled")"
+	echo "  HTTP  (port $http_port): $([ "$http_enabled" = "1" ] && echo "OPEN" || echo "closed")"
-	echo "  SSH   (port $ssh_port): $([ "$ssh_enabled" = "1" ] && echo "ENABLED" || echo "disabled")"
+	echo "  SSH   (port $ssh_port): $([ "$ssh_enabled" = "1" ] && echo "OPEN" || echo "closed")"
 	echo ""
 	echo "Active firewall rules:"
 	iptables -L INPUT -n --line-numbers 2>/dev/null | grep -E "dpt:(${https_port}|${http_port}|${ssh_port})" || echo "  (none)"
 }
 # Enable WAN access
@ -166,16 +121,14 @@ enable() {
 	uci set secubox.remote.enabled='1'
 	uci commit secubox
 	apply_rules
 	echo "WAN access enabled"
 }
 # Disable WAN access
 disable() {
 	uci set secubox.remote.enabled='0'
 	uci commit secubox
-	remove_rules
+	remove_uci_rules
-	uci commit firewall
+	/etc/init.d/firewall reload >/dev/null 2>&1 &
 	/etc/init.d/firewall reload >/dev/null 2>&1
 	echo "WAN access disabled"
 }
@ -193,7 +146,6 @@ json_status() {
 	config_get ssh_enabled remote ssh_enabled "0"
 	config_get ssh_port remote ssh_port "22"
 	. /usr/share/libubox/jshn.sh
 	json_init
 	json_add_boolean "enabled" "$enabled"
 	json_add_object "services"
@ -218,13 +170,11 @@ case "$1" in
 		apply_rules
 		;;
 	apply-noreload)
 		# Called from firewall include - skip firewall reload to avoid loop
 		apply_rules "noreload"
 		;;
 	remove)
-		remove_rules
+		remove_uci_rules
-		uci commit firewall
+		/etc/init.d/firewall reload >/dev/null 2>&1 &
 		/etc/init.d/firewall reload >/dev/null 2>&1
 		echo "WAN access rules removed"
 		;;
 	enable)