Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:bridge [2020/07/15 18:31] – created vgaetera
docs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera
Line 1: Line 1:
 ====== Bridge firewall ====== ====== Bridge firewall ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up bridge firewall on OpenWrt. +  * This how-to describes the method for setting up [[wp>Bridging_(networking)|bridge]] firewall on OpenWrt. 
-  * It makes possible to filter traffic between different bridged interfaces.+  * Follow [[docs:guide-user:network:vlan:creating_virtual_switches|Splitting VLANs]] to be able to filter traffic between VLAN ports. 
 +  * Follow [[docs:guide-user:network:wifi:basic|Wireless configuration]] to isolate wireless clients from each other.
  
-===== Instructions ===== +===== Goals ===== 
-Install the packages and enable bridge firewall.+  * Filter and intercept transit traffic on bridged interfaces. 
 + 
 +===== Command-line instructions ===== 
 +Assuming a setup with bridged LAN and WAN interfaces. 
 +Install the required packages
 +Enable bridge firewall intercepting DNS queries and filtering transit traffic from ''eth0'' to ''eth1''.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install kmod-br-netfilter+opkg install kmod-nft-bridge
  
-Enable bridge firewall +Configure firewall 
-cat << EOF >> /etc/sysctl.conf +cat << "EOF> /etc/nftables.d/bridge.sh 
-net.bridge.bridge-nf-call-arptables=1 +/lib/functions/network.sh 
-net.bridge.bridge-nf-call-iptables=1 +network_flush_cache 
-net.bridge.bridge-nf-call-ip6tables=1+network_find_wan NET_IF 
 +network_get_device NET_DEV "${NET_IF}" 
 +NET_MAC="$(ubus -call network.device status \ 
 +"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")" 
 +nft add table bridge filter 
 +nft flush table bridge filter 
 +nft add chain bridge filter prerouting \ 
 +{ type filter hook prerouting priority dstnat\; } 
 +nft add rule bridge filter prerouting meta \ 
 +l4proto { tcp, udp } th dport 53 pkttype set host \ 
 +ether daddr set "${NET_MAC}" comment "Intercept-DNS" 
 +nft add chain bridge filter forward \ 
 +{ type filter hook forward priority filter\; } 
 +nft add rule bridge filter forward iifname "eth0"
 +oifname "eth1" drop comment "Deny-eth0-eth1"
 EOF EOF
-/etc/init.d/sysctl restart+uci -q delete firewall.bridge 
 +uci set firewall.bridge="include" 
 +uci set firewall.bridge.path="/etc/nftables.d/bridge.sh" 
 +uci commit firewall 
 +service firewall restart
 </code> </code>
  
-Customize LAN to LAN forward if required.+Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]].
  
-<code bash> +===== Testing ===== 
-# Disable LAN to LAN forward +Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]], [[man>ping6(1)|ping6]] on LAN clients to verify the firewall configuration.
-uci rename firewall.@zone[0]="lan" +
-uci set firewall.lan.forward="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code>+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
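Review bot: the new bridge.sh heredoc in the Command-line instructions will not run as written, for three reasons visible in this hunk. The opening line `cat << "EOF> /etc/nftables.d/bridge.sh` has lost the closing quote of the delimiter, so the redirection is swallowed into the delimiter and the shell never finds a terminating `EOF`; it should read `cat << "EOF" > /etc/nftables.d/bridge.sh`. The first line of the script, `/lib/functions/network.sh`, executes the library instead of sourcing it, so `network_flush_cache`, `network_find_wan` and `network_get_device` are undefined when they are called; it needs the leading dot, `. /lib/functions/network.sh`. The last rule is split over two lines (`nft add rule bridge filter forward iifname "eth0"` followed by `oifname "eth1" drop comment "Deny-eth0-eth1"`) but, unlike every other continued command in the script, the first line has no trailing backslash, so nft installs a rule that matches only `iifname "eth0"` with no verdict and the shell then fails trying to run `oifname` as a command; the Deny-eth0-eth1 drop is never installed, which silently defeats the filtering the Goals section promises. Also `ubus -call network.device status` should be `ubus call network.device status`, since `call` is the ubus subcommand, not an option.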
Line 38: Line 57:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
-iptables-save +lsmod | grep -e bridge 
-ip6tables-save+nft list ruleset
  
 # Persistent configuration # Persistent configuration
 uci show firewall uci show firewall
 </code> </code>
 +
 +===== Extras =====
 +==== References ====
 +  * [[https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering|nftables wiki: Bridge filtering]]
 +  * [[https://netdevconf.info//1.1/proceedings/papers/Bridge-filter-with-nftables.pdf|NetDev: Bridge filtering with nftables]]
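Review bot: under "Runtime configuration" in the Troubleshooting block, `nft list ruleset` dumps every family, so the reader has to search the output for the table this page creates; `nft list table bridge filter` shows directly whether the `Intercept-DNS` and `Deny-eth0-eth1` rules from the include were actually loaded, and `lsmod | grep -e bridge` still belongs next to it to confirm kmod-nft-bridge is present. Separately, the second reference URL carries a doubled slash (`netdevconf.info//1.1/`), which is worth cleaning up.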
  
  • Last modified: 2024/11/01 16:42
  • by vgaetera