Differences
| docs:guide-user:firewall:fw3_configurations:bridge [2023/01/17 04:27] – [Bridge firewall] update infobox vgaetera | docs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera | ||
|---|---|---|---|
| Line 8: | Line 8: | ||
| ===== Goals ===== | ===== Goals ===== | ||
| - | * Filter traffic | + | * Filter |
| ===== Command-line instructions ===== | ===== Command-line instructions ===== | ||
| + | Assuming a setup with bridged LAN and WAN interfaces. | ||
| Install the required packages. | Install the required packages. | ||
| - | Enable bridge firewall. | + | Enable bridge firewall |
| <code bash> | <code bash> | ||
| Line 18: | Line 19: | ||
| opkg update | opkg update | ||
| opkg install kmod-nft-bridge | opkg install kmod-nft-bridge | ||
| + | |||
| + | # Configure firewall | ||
| + | cat << " | ||
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan NET_IF | ||
| + | network_get_device NET_DEV " | ||
| + | NET_MAC=" | ||
| + | " | ||
| + | nft add table bridge filter | ||
| + | nft flush table bridge filter | ||
| + | nft add chain bridge filter prerouting \ | ||
| + | { type filter hook prerouting priority dstnat\; } | ||
| + | nft add rule bridge filter prerouting meta \ | ||
| + | l4proto { tcp, udp } th dport 53 pkttype set host \ | ||
| + | ether daddr set " | ||
| + | nft add chain bridge filter forward \ | ||
| + | { type filter hook forward priority filter\; } | ||
| + | nft add rule bridge filter forward iifname " | ||
| + | oifname " | ||
| + | EOF | ||
| + | uci -q delete firewall.bridge | ||
| + | uci set firewall.bridge=" | ||
| + | uci set firewall.bridge.path="/ | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| </ | </ | ||
| + | |||
| + | Set up [[docs: | ||
| ===== Testing ===== | ===== Testing ===== | ||
| - | Use [[man>ping(8)|ping]], [[man>ping6(8)|ping6]] or [[man>nmap(1)|nmap]] between | + | Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]], [[man>ping6(1)|ping6]] on LAN clients to verify |
| ===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
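Review bot: the include script added in this hunk never verifies that `network_find_wan NET_IF` and the following `network_get_device NET_DEV` actually resolved a device before `NET_MAC=` is assigned from it, so on a router where the WAN interface is down or not yet configured the `nft add rule bridge filter prerouting ... ether daddr set` command is run with an empty address and either fails (leaving the DNS interception rule missing) or installs a rule that never matches. Suggest a guard between the lookups and the nft calls, for example `[ -n "${NET_DEV}" ] || exit 0`, so a failed lookup is visible in `service firewall restart` output rather than silently skipping the rule.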
| Line 28: | Line 57: | ||
| <code bash> | <code bash> | ||
| # Log and status | # Log and status | ||
| - | / | + | service |
| # Runtime configuration | # Runtime configuration | ||
| Line 39: | Line 68: | ||
| ===== Extras ===== | ===== Extras ===== | ||
| - | ==== Restrict forwarding | + | ==== References |
| - | Restrict traffic forwarding between bridged interfaces. | + | |
| - | + | * [[https://netdevconf.info//1.1/ | |
| - | <code bash> | + | |
| - | # Disable LAN to LAN forwarding | + | |
| - | uci rename firewall.@zone[0]=" | + | |
| - | uci set firewall.lan.forward=" | + | |
| - | uci commit firewall | + | |
| - | /etc/init.d/firewall restart | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Selective forwarding ==== | + | |
| - | Selective traffic forwarding between bridged interfaces. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Deny LAN1 to LAN2 forwarding | + | |
| - | uci -q delete firewall.lan1 | + | |
| - | uci set firewall.lan1=" | + | |
| - | uci set firewall.lan1.name=" | + | |
| - | uci set firewall.lan1.input=" | + | |
| - | uci set firewall.lan1.output=" | + | |
| - | uci set firewall.lan1.forward=" | + | |
| - | uci add_list firewall.lan1.device=" | + | |
| - | uci -q delete firewall.lan2 | + | |
| - | uci set firewall.lan2=" | + | |
| - | uci set firewall.lan2.name=" | + | |
| - | uci set firewall.lan2.input=" | + | |
| - | uci set firewall.lan2.output=" | + | |
| - | uci set firewall.lan2.forward=" | + | |
| - | uci add_list firewall.lan2.device=" | + | |
| - | uci -q delete firewall.lan1_lan2 | + | |
| - | uci set firewall.lan1_lan2=" | + | |
| - | uci set firewall.lan1_lan2.name=" | + | |
| - | uci set firewall.lan1_lan2.src=" | + | |
| - | uci set firewall.lan1_lan2.dest=" | + | |
| - | uci set firewall.lan1_lan2.proto=" | + | |
| - | uci set firewall.lan1_lan2.target=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | </ | + | |
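Review bot: this hunk removes the whole "Restrict forwarding" and "Selective forwarding" subsections (the zone-level LAN-to-LAN REJECT and the lan1/lan2 zone pair with its forwarding rule) and replaces them with only a References entry, with no note on where that guidance now lives. If the material moved to another page, add that link next to the netdevconf reference; otherwise keep the subsections, since they were the only part of the page showing how to limit traffic between bridged ports, which is the main reason to enable the bridge firewall in the first place.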