| docs:guide-user:firewall:firewall_configuration [2023/12/12 00:08] – [Defaults] systemcrash | docs:guide-user:firewall:firewall_configuration [2024/08/28 10:11] – [Rules] Added some clarification hints for src and dest IP addresses and added a real world example for inter zone traffic forwarding between interfaces. flygarn12 |
|---|
| * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3. | * **OpenWrt 22.03 and later** ships with **firewall4** by default, which uses nftables as a backend. It accepts the same UCI configuration syntax as fw3. |
| * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them** | * **The UCI firewall configuration in ''/etc/config/firewall'' covers a reasonable subset of [[docs:guide-user:firewall:netfilter_iptables:netfilter_openwrt|NetFilter]] rules, but not all of them** |
| * To provide more functionality, ''[[firewall_configuration#includes_for_2203_and_later_with_fw4|include]]'' mechanisms are available. | * To provide more functionality, ''[[firewall_configuration#includes_2203_and_later_with_fw4|include]]'' mechanisms are available. |
| * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.// | * //You can either include a shell script with nftables commands, or include nftables snippets at different locations.// |
| * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!) | * See [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples|Firewall examples]] for usage (might be outdated!) |
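Review bot: the ''include'' bullet renames the link anchor from `includes_for_2203_and_later_with_fw4` to `includes_2203_and_later_with_fw4` while every other link in this block is left untouched; confirm that the target section heading actually generates the new id, because a mismatched anchor gives no error and simply leaves the reader at the top of the page.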
| | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | | | ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | |
| | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | | | ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | |
| | ''tcp_ecn'' | integer | no | ''0'' | 0 Disable, 1 Enable, 2 Enable when requested for ingress (but disable for egress) [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | | | ''tcp_ecn'' | integer | no | ''0'' | ''0'' Disable, ''1'' Enable, ''2'' Enable when requested for ingress (but disable for egress) [[wp>Explicit_Congestion_Notification|Explicit Congestion Notification]]. Affects only traffic originating from the router itself. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | |
| | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. | | | ''tcp_window_scaling'' | boolean | no | ''1'' | Enable [[wp>TCP_window_scale_option|TCP window scaling]]. | |
| | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | | | ''accept_redirects'' | boolean | no | ''0'' | Accepts redirects. Implemented upstream in Linux Kernel. See [[https://docs.kernel.org/networking/ip-sysctl.html|kernel docs]]. | |
| option proto 'tcp' | option proto 'tcp' |
| option target 'REJECT' | option target 'REJECT' |
| | </code> |
| | |
| | Below example is based on a **inter zone forward case** (where zone forward is set to reject) where you have one firewall zone called ''lan'' with two interfaces. In one interface you have a server with IP address ''172.30.100.1'' and the other interface is the default lan interface with ''192.168.1.0/24'' IP range. This configuration case will allow IPv4 ''tcp'' traffic from all IP addresses in the default lan interface to specifically connect only to the server IP address and to the server port ''22''. |
| | |
| | <code bash> |
| | config rule |
| | option name 'forward ssh to server' |
| | option family 'ipv4' |
| | option src 'lan' |
| | option src_ip '192.168.1.0/24' |
| | option dest 'lan' |
| | option dest_ip '172.30.100.1' |
| | option proto 'tcp' |
| | option dest_port '22' |
| | option target 'ACCEPT' |
| | |
| </code> | </code> |
| |
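Review bot: the new paragraph presents the example as an "inter zone forward case", but the rule it adds has ''src'' and ''dest'' both set to ''lan'', so it matches forwarding between two interfaces of a single zone, which is precisely the traffic the zone's ''forward'' policy (described here as set to reject) controls; call it same-zone (intra-zone) forwarding so readers do not mistake it for a rule between two zones. Minor points in the same paragraph: "a **inter zone forward case**" should read "an", and the empty line before the closing `</code>` can be dropped so the block matches the other examples on the page.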
| * If only ''dest'' is given, the rule matches //outgoing// traffic | * If only ''dest'' is given, the rule matches //outgoing// traffic |
| * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule | * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule |
| | * IP address for ''src_ip'' and ''dest_ip'' can be a specific IP address or use CIDR notations to define a complete interface group of IP addresses as a source or destination, for instance ''192.168.1.0/24''. |
| * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. | * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. |
| |
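Review bot: the new ''src_ip''/''dest_ip'' bullet reads as if CIDR selected an interface ("use CIDR notations to define a complete interface group of IP addresses"); the value matches packets by address, not by interface, so suggest "or a subnet in CIDR notation, for instance ''192.168.1.0/24'', which matches every address in that range". Singular "CIDR notation" also fits better than "notations".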
| | ''name'' | string | no | //(none)// | Name of rule | | | ''name'' | string | no | //(none)// | Name of rule | |
| | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | | | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | |
| | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address// | | | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address//, CIDR notations can be used, see note above. | |
| | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | |
| | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | | | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | |
| | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | | | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | |
| | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//. With no dest zone, this is treated as an input rule! | | | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//, CIDR notations can be used, see note above. With no dest zone, this is treated as an input rule! | |
| | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src | | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. The default if neither src nor dest are added is to assume src | |
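Review bot: in the edited ''src_ip'' and ''dest_ip'' rows, "CIDR notations can be used, see note above" is a comma splice, and the type column still says "ip address" although the description now admits a subnet; suggest "ip address or CIDR subnet" in the type column and "(CIDR notation is accepted, see the note above)" in the description. Keep the existing ''dest_ip'' warning that a rule without a ''dest'' zone becomes an input rule, since the example added further up depends on ''dest'' being set for the rule to be a forward rule at all.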