| docs:guide-user:firewall:firewall_configuration [2024/04/28 23:43] – anchor link fix 532910 | docs:guide-user:firewall:firewall_configuration [2024/08/28 10:11] – [Rules] Added some clarification hints for src and dest IP addresses and added a real world example for inter zone traffic forwarding between interfaces. flygarn12 |
|---|
| option proto 'tcp' | option proto 'tcp' |
| option target 'REJECT' | option target 'REJECT' |
| | </code> |
| | |
| | The example below covers **forwarding between two interfaces of the same zone** (the zone's ''forward'' policy is ''REJECT'', so traffic between its interfaces is blocked by default). The zone ''lan'' contains two interfaces: one holds a server with the IP address ''172.30.100.1'', the other is the default LAN interface with the ''192.168.1.0/24'' range. The rule allows IPv4 ''tcp'' traffic from any address in the default LAN range to reach only the server address, and only on port ''22''. |
| | |
| | <code bash> |
| | config rule |
| | option name 'forward ssh to server' |
| | option family 'ipv4' |
| | option src 'lan' |
| | option src_ip '192.168.1.0/24' |
| | option dest 'lan' |
| | option dest_ip '172.30.100.1' |
| | option proto 'tcp' |
| | option dest_port '22' |
| | option target 'ACCEPT' |
| | |
| </code> | </code> |
| |
| * If only ''dest'' is given, the rule matches //outgoing// traffic | * If only ''dest'' is given, the rule matches //outgoing// traffic |
| * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule | * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule |
| | * ''src_ip'' and ''dest_ip'' accept either a single IP address or a CIDR prefix that matches a whole subnet, for instance ''192.168.1.0/24''. |
| * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. | * Port ranges are specified as ''start-stop'', for instance ''6666-6670''. |
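As an added example (not part of the wiki page or of OpenWrt's fw3/fw4 code), the following Python script applies the ''src''/''dest'' semantics listed above to a constructed firewall config: it reports which chain each ''config rule'' lands in (input, output or forward) and flags a ''dest_ip'' given without a ''dest'' zone (an input rule, not a forward), invalid CIDR prefixes, and port lists or ranges that are not ''start-stop''. The sample config and its rule names are constructed for this example.

```python
"""Classify OpenWrt 'config rule' stanzas by chain and lint their addresses/ports.

Added example, not code from the OpenWrt wiki or from fw3/fw4.
Semantics applied (from the rule documentation):
  src and dest given -> forward, src only -> input, dest only or neither -> output.
"""
import ipaddress
import re

# Constructed sample config: one correct forward rule, one rule that is an
# input rule by accident, one output rule, and one with broken values.
SAMPLE_CONFIG = """
config rule
	option name 'forward ssh to server'
	option family 'ipv4'
	option src 'lan'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option dest_ip '172.30.100.1'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'probably-wrong'
	option src 'wan'
	option dest_ip '172.30.100.1'
	option proto 'tcp'
	option dest_port '80 443 465'
	option target 'ACCEPT'

config rule
	option name 'allow-dns-out'
	option dest 'wan'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'bad-values'
	option src 'lan'
	option src_ip '192.168.1.0/33'
	option proto 'tcp'
	option dest_port '6670-6666'
	option target 'REJECT'
"""

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_rules(text):
    """Return one dict of options per 'config rule' stanza; other sections are skipped."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            current = {} if m.group(1) == "rule" else None
            if current is not None:
                rules.append(current)
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return rules


def chain_for(rule):
    """Which chain the rule lands in, per the src/dest semantics documented above."""
    if "src" in rule and "dest" in rule:
        return "forward"
    if "src" in rule:
        return "input"
    return "output"  # dest only, or neither src nor dest


def check_ports(value):
    """Return the tokens of a port list that are not a valid port or 'start-stop' range."""
    bad = []
    for tok in value.split():
        m = PORT_RE.match(tok)
        if not m:
            bad.append(tok)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            bad.append(tok)
    return bad


def lint_rule(rule):
    """Return a list of human-readable problems found in one rule (empty if clean)."""
    problems = []
    for key in ("src_ip", "dest_ip"):
        if key in rule:
            try:
                ipaddress.ip_network(rule[key], strict=False)  # host address or CIDR prefix
            except ValueError:
                problems.append(f"{key} {rule[key]!r} is not an IP address or CIDR prefix")
    for key in ("src_port", "dest_port"):
        if key in rule:
            for tok in check_ports(rule[key]):
                problems.append(f"{key} token {tok!r} is not a port or start-stop range")
    if "dest_ip" in rule and "dest" not in rule:
        problems.append("dest_ip without dest zone: this is an input rule, not a forward")
    return problems


def audit(text):
    """Return [(name, chain, problems)] for every rule stanza in a firewall config."""
    return [(r.get("name", "(unnamed)"), chain_for(r), lint_rule(r)) for r in parse_rules(text)]


if __name__ == "__main__":
    for name, chain, problems in audit(SAMPLE_CONFIG):
        print(f"{name:24s} -> {chain}")
        for p in problems:
            print("    !", p)
```

Run it against the output of ''cat /etc/config/firewall'' to get the same report for a real device; the script only reads the text, it does not change anything.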
| |
| | ''name'' | string | no | //(none)// | Name of rule | | | ''name'' | string | no | //(none)// | Name of rule | |
| | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | | | ''src'' | zone name | no | //(none)// | Specifies the traffic //source zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If omitted, the rule applies to //output// traffic. | |
| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address// | | | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source IP address//; CIDR notation can be used, see the note above. | |
| | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //MAC address// | |
| | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | | | ''icmp_type'' | list of type names or numbers | no | any | For //protocol// ''icmp'' select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). | |
| | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | | | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Refers to one of the defined //zone names//, or ''*'' for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | |
| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//. With no dest zone, this is treated as an input rule! | | | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination IP address//; CIDR notation can be used, see the note above. With no dest zone, this is treated as an input rule! | |
| | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | | | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. Multiple ports can be specified like '80 443 465' [[https://forum.openwrt.org/viewtopic.php?pid=287271|1]]. | |
| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. If neither src nor dest is given, src is assumed. | | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[docs:guide-user:firewall:firewall_configuration#ip_sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. If neither src nor dest is given, src is assumed. | |