Differences

docs:guide-user:firewall:fw3_configurations:bridge [2020/07/15 19:55] – [Introduction] related links vgaeteradocs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera
Line 1: Line 1:
 ====== Bridge firewall ====== ====== Bridge firewall ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This how-to describes the method for setting up bridge firewall on OpenWrt. +  * This how-to describes the method for setting up [[wp>Bridging_(networking)|bridge]] firewall on OpenWrt. 
-  * Follow [[docs:guide-user:network:vlan:creating_virtual_switches|Splitting VLAN]] to be able to filter traffic between VLAN ports. +  * Follow [[docs:guide-user:network:vlan:creating_virtual_switches|Splitting VLANs]] to be able to filter traffic between VLAN ports. 
-  * Follow [[docs:guide-user:network:wifi:basic|Wireless configuration]] isolate wireless clients from each other.+  * Follow [[docs:guide-user:network:wifi:basic|Wireless configuration]] to isolate wireless clients from each other.
  
 ===== Goals ===== ===== Goals =====
-  * Filter traffic between bridged interfaces+  * Filter and intercept transit traffic on bridged interfaces.
-    * Isolate LAN clients from each other.+
  
-===== Instructions ===== +===== Command-line instructions ===== 
-Install the packages and enable bridge firewall.+Assuming a setup with bridged LAN and WAN interfaces. 
 +Install the required packages
 +Enable bridge firewall intercepting DNS queries and filtering transit traffic from ''eth0'' to ''eth1''.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install kmod-br-netfilter+opkg install kmod-nft-bridge
  
-Enable bridge firewall +Configure firewall 
-cat << EOF >> /etc/sysctl.conf +cat << "EOF> /etc/nftables.d/bridge.sh 
-net.bridge.bridge-nf-call-arptables=1 +/lib/functions/network.sh 
-net.bridge.bridge-nf-call-iptables=1 +network_flush_cache 
-net.bridge.bridge-nf-call-ip6tables=1+network_find_wan NET_IF 
 +network_get_device NET_DEV "${NET_IF}" 
 +NET_MAC="$(ubus -call network.device status \ 
 +"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")" 
 +nft add table bridge filter 
 +nft flush table bridge filter 
 +nft add chain bridge filter prerouting \ 
 +{ type filter hook prerouting priority dstnat\; } 
 +nft add rule bridge filter prerouting meta \ 
 +l4proto { tcp, udp } th dport 53 pkttype set host \ 
 +ether daddr set "${NET_MAC}" comment "Intercept-DNS" 
 +nft add chain bridge filter forward \ 
 +{ type filter hook forward priority filter\; } 
 +nft add rule bridge filter forward iifname "eth0"
 +oifname "eth1" drop comment "Deny-eth0-eth1"
 EOF EOF
-/etc/init.d/sysctl restart+uci -q delete firewall.bridge 
 +uci set firewall.bridge="include" 
 +uci set firewall.bridge.path="/etc/nftables.d/bridge.sh" 
 +uci commit firewall 
 +service firewall restart
 </code> </code>
  
-Customize LAN to LAN forward if required. +Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]].
- +
-<code bash> +
-# Disable LAN to LAN forward +
-uci rename firewall.@zone[0]="lan" +
-uci set firewall.lan.forward="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code>+
  
 ===== Testing ===== ===== Testing =====
-Use [[man>ping]], [[man>ping6]] or [[man>nmap]] between LAN clients to verify your firewall rules.+Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]][[man>ping6(1)|ping6]] on LAN clients to verify the firewall configuration.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
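Review bot: the forward rule at the end of the heredoc is split across two lines without a continuation backslash: `nft add rule bridge filter forward iifname "eth0"` ends the command there, so `oifname "eth1" drop comment "Deny-eth0-eth1"` runs as a separate, failing command and the deny rule is never installed; add the trailing `\` as on the other multi-line nft commands. The same heredoc has three more defects that stop the script from running at all: `cat << "EOF> /etc/nftables.d/bridge.sh` is missing the closing quote of the delimiter (it should read `cat << "EOF" > /etc/nftables.d/bridge.sh`), `/lib/functions/network.sh` must be sourced with a leading `.` or `network_flush_cache`, `network_find_wan` and `network_get_device` are undefined, and `ubus -call` should be `ubus call`. In the uci block, fw4 skips script-type includes that are not marked compatible, so add `uci set firewall.bridge.fw4_compatible="1"` before `uci commit firewall` and check the output of `service firewall restart` for a "not marked as compatible" warning. Finally, the Intercept-DNS rule matches port-53 traffic entering any bridge port; since this section assumes the WAN interface is bridged too, an `iifname` match on the LAN-side port would keep WAN-side queries from being steered to the router.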
Line 46: Line 57:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
-lsmod | grep -e br_netfilter +lsmod | grep -e bridge 
-sysctl net.bridge +nft list ruleset
-iptables-save +
-ip6tables-save+
  
 # Persistent configuration # Persistent configuration
-cat /etc/sysctl.conf 
 uci show firewall uci show firewall
 </code> </code>
 +
 +===== Extras =====
 +==== References ====
 +  * [[https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering|nftables wiki: Bridge filtering]]
 +  * [[https://netdevconf.info//1.1/proceedings/papers/Bridge-filter-with-nftables.pdf|NetDev: Bridge filtering with nftables]]
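Review bot: `nft list ruleset` dumps every table, so `nft list table bridge filter` is the more useful runtime check here, since the page only creates that one table and the fw4 `inet` table would otherwise bury the two rules; `lsmod | grep -e bridge` is fine as it also matches the kmod-nft-bridge modules. Under `# Log and status`, `service firewall restart` shows no log by itself; it is worth stating that the warning fw4 prints when it skips an include appears directly in that restart output, which is the first thing to look at when the bridge rules are missing from the listing.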
  
  • Last modified: 2024/11/01 16:42
  • by vgaetera