Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:firewall_configuration [2023/11/20 17:49] – consolidate wording vgaetera
docs:guide-user:firewall:firewall_configuration [2024/08/28 10:11] – [Rules] Added some clarification hints for src and dest IP addresses and added a real world example for inter zone traffic forwarding between interfaces. flygarn12
Line 15: Line 15:
   * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3.   * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3.
   * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them**   * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them**
-    * To provide more functionality, ''[[firewall_configuration#includes_for_2203_and_later_with_fw4|include]]'' mechanisms are available.+    * To provide more functionality, ''[[firewall_configuration#includes_2203_and_later_with_fw4|include]]'' mechanisms are available.
       * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.//       * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.//
         * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!)         * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!)
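Review bot: the new anchor ''includes_2203_and_later_with_fw4'' only resolves if it matches the id DokuWiki derives from the current heading of the Includes section, so the heading text on the target page should be checked before this lands; the old anchor ''includes_for_2203_and_later_with_fw4'' shows the heading has been reworded at least once, and a stale anchor does not fail visibly, it silently drops the reader at the top of the page.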
Line 96: Line 96:
 | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
 | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. |
-| ''tcp_ecn''boolean | no | ''0''Enable/Disable [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. |+| ''tcp_ecn''integer | no | ''0''''0'' Disable, ''1'' Enable, ''2'' Enable when requested for ingress (but disable for egress) [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. |
 | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. | | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. |
 | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. |
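Review bot: the value descriptions for ''tcp_ecn'' should follow the kernel documentation the row links to, where ''1'' means request ECN on outgoing connections and accept it on incoming ones, and ''2'' means accept ECN when the peer requests it but never request it on outgoing connections; "Enable when requested for ingress (but disable for egress)" reads as if ECN is switched off for packets the router sends, which is not what ''2'' does. The retained sentence "Affects only traffic originating from the router itself" is also now inconsistent with a value whose definition is about how the router answers incoming connections; the precise statement is that the sysctl governs TCP connections terminated by the router's own stack and does not touch forwarded flows, which is the distinction a firewall page should draw. The cell separators between ''tcp_ecn'', ''integer'' and the default also need to be verified in the rendered table, since the changed row runs the cells together here.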
Line 192: Line 192:
  option proto 'tcp'  option proto 'tcp'
  option target 'REJECT'  option target 'REJECT'
 +</code>
 +
 +Below example is based on a **inter zone forward case** (where zone forward is set to reject) where you have one firewall zone called ''lan'' with two interfaces. In one interface you have a server with IP address ''172.30.100.1'' and the other interface is the default lan interface with ''192.168.1.0/24'' IP range. This configuration case will allow IPv4 ''tcp'' traffic from all IP addresses in the default lan interface to specifically connect only to the server IP address and to the server port ''22''.
 +
 +<code bash>
 +config rule
 + option name             'forward ssh to server'
 + option family           'ipv4'
 + option src              'lan'
 + option src_ip           '192.168.1.0/24'
 + option dest             'lan'
 + option dest_ip          '172.30.100.1'
 + option proto            'tcp'
 + option dest_port        '22'
 + option target           'ACCEPT'
 +
 </code> </code>
  
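Review bot: the lead-in calls this an "inter zone forward case", but ''src'' and ''dest'' are both ''lan'', so the rule governs forwarding between two interfaces of the same zone, which the lan zone's ''forward'' policy (here reject) would otherwise block; the prose should say intra-zone, since a reader who wants traffic between two different zones would set different ''src'' and ''dest'' values and this example does not show that. Grammar: "Below example is based on a inter zone forward case" should read "The example below is based on an intra-zone forward case". The line ''option family 'ipv4''' is redundant when ''src_ip'' and ''dest_ip'' are IPv4 literals, though harmless, and the blank line before the closing ''</code>'' can be dropped.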
Line 199: Line 215:
   * If only ''dest'' is given, the rule matches //outgoing// traffic   * If only ''dest'' is given, the rule matches //outgoing// traffic
   * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule   * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule
 +  * IP address for ''src_ip'' and ''dest_ip'' can be a specific IP address or use CIDR notations to define a complete interface group of IP addresses as a source or destination, for instance ''192.168.1.0/24''.
   * Port ranges are specified as ''start-stop'', for instance ''6666-6670''.   * Port ranges are specified as ''start-stop'', for instance ''6666-6670''.
  
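Review bot: "a complete interface group of IP addresses" is misleading, since a CIDR prefix such as ''192.168.1.0/24'' denotes a subnet, not an interface, and a zone's interface may carry addresses outside that prefix; suggest "a specific IP address or a CIDR prefix such as ''192.168.1.0/24'' that matches a whole subnet". "CIDR notations" should be singular, "CIDR notation".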
Line 205: Line 222:
 | ''name'' | string | no | //(none)// | Name of rule | | ''name'' | string | no | //(none)// | Name of rule |
 | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. |
-| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address// |+| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address//, CIDR notations can be used, see note above. |
 | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// |
 | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. |
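Review bot: the type column for ''src_ip'' still says "ip address" while the description now allows a CIDR prefix, so the row contradicts itself; change the type to "ip address or CIDR prefix" and use "CIDR notation" (singular). "see note above" is fragile in a reference table that readers reach through anchors; repeating the ''192.168.1.0/24'' example inline is clearer than pointing elsewhere.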
Line 211: Line 228:
 | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). |
 | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. |
-| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//. With no dest zone, this is treated as an input rule! |+| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//, CIDR notations can be used, see note above. With no dest zone, this is treated as an input rule! |
 | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. |
 | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src |
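Review bot: the ''dest_ip'' row has the same inconsistency as the ''src_ip'' row: the type column says "ip address" while the description now allows a CIDR prefix, so the type should read "ip address or CIDR prefix" and "CIDR notations" should be "CIDR notation". The retained warning "With no dest zone, this is treated as an input rule!" is the important security point of this row; it should stay as the last sentence rather than be pushed behind the CIDR remark, so a reader skimming for it still sees it.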
Line 335: Line 352:
 | ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. | | ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. |
 | ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | | ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. |
-| ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4''''ipv6'') for which the IP set is created. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. |+| ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4'' or ''ipv6'') for which the IP set is created. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. |
 | ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). :!: This is only required by fw3 and must be removed from the fw4 configuration. | | ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). :!: This is only required by fw3 and must be removed from the fw4 configuration. |
 | ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. ''hash:ip,port'', specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). | | ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. ''hash:ip,port'', specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). |
Line 352: Line 369:
 | ''comment'' | boolean | no | //(none)// | Seems like a bug: should be a string for user defined comment. | | ''comment'' | boolean | no | //(none)// | Seems like a bug: should be a string for user defined comment. |
 | ''name'' | string | yes | //(none)// | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | | ''name'' | string | yes | //(none)// | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. |
-| ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4''''ipv6'') for which the IP set is created. |+| ''family'' | string | no | ''ipv4'' | Specifies the address family (''ipv4'' or ''ipv6'') for which the IP set is created. |
 | ''match'' | list of ipsettypes | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. | | ''match'' | list of ipsettypes | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. |
 | ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set. | | ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set. |
  • Last modified: 2024/11/24 12:25
  • by charles_harris