| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2018/09/16 12:49] – ↷ Links adapted because of a move operation bobafetthotmail | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== fw3 IPv4 Configuration Examples | + | ====== IPv4 firewall examples ====== |
| - | This section contains a collection of useful | + | This section contains a collection of useful [[docs: |
| - | [[docs: | + | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. |
| - | configuration examples based on the UCI | + | |
| - | Configuration Files. All of these can be added on the LuCI | + | |
| - | // Network -> Firewall -> Traffic Rules // page. | + | |
| - | In keeping with the underlying netfilter service, the first matching rule will run its | + | In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. |
| - | target and (with a couple of exceptions) filtering stops; no subsequent rules | + | LuCI has the capability to move rules up and down to sort them correctly. |
| - | are checked. | + | |
| - | correctly. | + | |
| - | See [[docs: | + | See [[docs: |
| - | visual representation of the network used to test the examples here. These | + | These examples cover only IPv4 networks. |
| - | examples cover only IPv4 networks. | + | |
| - | The term **station** is used to refer to any electronic device that can source | + | The term **station** is used to refer to any electronic device that can source or sink packets through, or to/from, the router. |
| - | or sink packets through, or to/from, the router. | + | This can be a web server, mobile phone, tablet, laptop, IoT device on the LAN-side or the WAN-side. |
| - | phone, tablet, laptop, IoT device on the LAN-side or the WAN-side. | + | The netfilter rules match stations and traffic types to allow packets to continue through the network stack or not. |
| - | netfilter rules match stations and traffic types to allow packets to continue | + | |
| - | through the network stack or not. | + | |
| - | Unless otherwise noted, all rules have been tested mostly with | + | Unless otherwise noted, all rules have been tested mostly with [[https:// |
| - | [[https:// | + | The '' |
| - | [[https:// | + | |
| - | between tests to verify the specific rule causes the expected behavior - on | + | |
| - | will cause packets to be accepted or not, off will cause the opposite behavior. | + | |
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| - | ==== Opening ports on the OpenWrt router ==== | + | ===== Opening ports on the OpenWrt router |
| - | The default configuration accepts all LAN traffic, but blocks all incoming WAN traffic on ports | + | The default configuration accepts all LAN traffic, but blocks all incoming WAN traffic on ports not currently used for connections or NAT. |
| - | not currently used for connections or NAT. The reference topology blocks all | + | The reference topology blocks all LAN and WAN traffic, requiring a rule to open port(s) for a service. |
| - | LAN and WAN traffic, requiring a rule to open port(s) for a service. | + | |
| - | < | + | < |
| - | config rule | + | config rule |
| - | option target | + | option target 'ACCEPT' |
| - | option src wan | + | option src 'wan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option dest_port | + | option dest_port '22' |
| - | option name | + | option name 'ACCEPT-SSH-WAN-DEVICE' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
| This example enables stations on the WAN-side to use SSH to access the router (the default destination). | This example enables stations on the WAN-side to use SSH to access the router (the default destination). | ||
| - | :!: If the WAN-side of the router is connected to the internet this rule allows any public site | + | :!: If the WAN-side of the router is connected to the internet this rule allows any public site SSH access to your router. |
| - | SSH access to your router. Once a portscanner discovers the open SSH port it will | + | Once a portscanner discovers the open SSH port it will repeatedly try to break in - even with a strong pub key these attacks can be a nuisance. |
| - | repeatedly try to break in - even with a strong pub key these attacks can be a nuisance. | + | |
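Review bot: the ACCEPT-SSH-WAN-DEVICE rule carries no `src_ip` restriction, so as written it admits SSH from every WAN peer, and a reader who copies the block gets that exposure before reaching the warning that follows it. Suggest shipping the example with `option enabled '0'` and saying in the same breath that it should be combined with a source restriction, such as the `src_ip` form shown in the next section, before being enabled; the "strong pub key" remark then reads as defence in depth rather than the only safeguard.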
| - | ==== Opening ports for selected subnet/host ==== | + | ===== Opening ports for selected subnet/ |
| Use **src_ip** and **dest_ip** options to match on specific subnets. | Use **src_ip** and **dest_ip** options to match on specific subnets. | ||
| - | < | + | < |
| - | config rule | + | config rule |
| - | option target ACCEPT | + | option target 'ACCEPT' |
| - | option src wan | + | option src 'wan' |
| - | option family ipv4 | + | option family 'ipv4' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option src_ip 192.168.3.0/ | + | option src_ip '192.168.3.0/ |
| - | option dest_port 22 | + | option dest_port '22' |
| - | option name ACCEPT-SSH-INTERNAL-DEVICE | + | option name 'ACCEPT-SSH-INTERNAL-DEVICE' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| - | This example enables SSH access to the router from any station in the private | + | This example enables SSH access to the router from any station in the private '' |
| - | '' | + | It will not match any other src IP address. |
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| - | fw3 warns '' | + | |
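Review bot: the note ":!: When using an IPv4 address set the family to **ipv4**, otherwise" now ends mid-sentence in the new revision; the previous revision continued with "fw3 warns ...", which is the consequence the reader needs in order to understand why `option family 'ipv4'` is there. Restore that clause rather than leaving "otherwise" dangling.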
| - | ==== Block WAN-side networks and ports ==== | + | ===== Block WAN-side networks and ports ===== |
| - | When public-facing servers run behind the firewall (e.g. mail server), | + | When public-facing servers run behind the firewall (e.g. mail server), each is susceptible to attacks: SSH probing, SPAM, screen-scraping, |
| - | susceptible to attacks: SSH probing, SPAM, screen-scraping, | + | |
| - | Customers of the large overseas ISPs (particular China and Vietnam) have made | + | Customers of the large overseas ISPs (particular China and Vietnam) have made spam attacks into an artform, generating blocks of prose to confuse spam filters, sprinkling emails across many source stations and many subnets. |
| - | spam attacks into an artform, generating blocks of prose to confuse spam filters, | + | The best way to counter this is to block the main originating network sending the spam. |
| - | sprinkling emails across many source stations and many subnets. | + | |
| - | to counter this is to block the main originating network sending the spam. | + | |
| - | < | + | < |
| - | config rule | + | config rule |
| - | option src wan | + | option src 'wan' |
| - | option dest lan | + | option dest 'lan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option src_ip 42.56.0.0/ | + | option src_ip '42.56.0.0/ |
| - | option dest_port 25 | + | option dest_port '25' |
| - | option target DROP | + | option target 'DROP' |
| - | option name DROP-WAN-0001 | + | option name 'DROP-WAN-0001' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| - | In this example, stations in a Beijing network are sending email spam in | + | In this example, stations in a Beijing network are sending email spam in bursts of three with different content incrementing ipv4 addresses across subnets! |
| - | bursts of three with different content incrementing ipv4 addresses across | + | This rule DROPS all incoming traffic on port 25 (SMTP) from any station in their network. |
| - | subnets! | + | DROP silently discards the packet rather than REJECT which returns a response to the source. |
| - | station in their network. DROP silently discards the packet rather than REJECT | + | |
| - | which returns a response to the source. | + | |
| - | :!: Once the number of blocked networks grows to more than a couple dozen | + | :!: Once the number of blocked networks grows to more than a couple dozen (there are thousands of spamming sites), then adding each to the firewal config becomes prohibitive to manage. |
| - | (there are thousands of spamming sites), then adding each to the firewal config | + | Two alternatives are: |
| - | becomes prohibitive to manage. | + | |
| - | | + | |
| * add individual netfilter rules to ''/ | * add individual netfilter rules to ''/ | ||
| - | * use the'' | + | * use the '' |
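Review bot: typo in ":!: Once the number of blocked networks grows ... the firewal config": "firewal" should be "firewall", and "particular China and Vietnam" reads better as "particularly China and Vietnam". On substance, DROP-WAN-0001 matches only `proto 'tcp'` with `dest_port '25'`, so the paragraph saying it drops "all incoming traffic on port 25 (SMTP)" is accurate, but it is worth adding that every other port from the same prefix stays reachable unless the prefix is also covered by one of the two alternatives listed at the end of the section.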
| - | ==== Using ipset to block LAN-side networks ==== | + | ===== Using ipset to block LAN-side networks |
| - | The example below creates a rule in the netfilter FORWARD chain, rejecting traffic from | + | The example below creates a rule in the netfilter FORWARD chain, rejecting traffic from the LAN-side to the WAN-side on the ports 1000-1100. |
| - | the LAN-side to the WAN-side on the ports 1000-1100. | + | |
| - | < | + | < |
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest | + | option dest 'wan' |
| - | option dest_port | + | option dest_port '1000-1100' |
| - | option proto | + | option proto 'tcp udp' |
| - | option target | + | option target 'REJECT' |
| - | option name | + | option name 'REJECT-LAN-WAN-PORTS' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
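Review bot: the heading "===== Using ipset to block LAN-side networks" does not match the rule under it. REJECT-LAN-WAN-PORTS uses plain `src 'lan'`, `dest 'wan'`, `dest_port '1000-1100'` and `proto 'tcp udp'` and references no ipset at all, so the one section whose title promises an ipset example contains none. Either rename the heading to describe what the rule does (blocking a WAN port range from the LAN side) or extend the example with the ipset option the heading announces.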
| - | ==== Block LAN-side access to a specific site ==== | + | ===== Block LAN-side access to a specific site ===== |
| The following rule blocks HTTP/S connections from all LAN-side stations to a single public site. | The following rule blocks HTTP/S connections from all LAN-side stations to a single public site. | ||
| Use a DNS utility ('' | Use a DNS utility ('' | ||
| - | < | + | < |
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest wan | + | option dest 'wan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option family ipv4 | + | option family 'ipv4' |
| - | option dest_ip 63.251.153.68 | + | option dest_ip '63.251.153.68' |
| - | option dest_port '80 443' | + | option dest_port ' |
| - | option target REJECT | + | option target 'REJECT' |
| - | option name REJECT-LAN-SITE-HTTP | + | option name 'REJECT-LAN-SITE-HTTP' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| - | Notice the **dest_port** option has two ports: HTTP and HTTPS. When there is | + | Notice the **dest_port** option has two ports: HTTP and HTTPS. |
| - | white space in the list it must be surrounded by single quotes. | + | When there is white space in the list it must be surrounded by single quotes. |
| - | If the source or destination is the router itself then the option is not | + | If the source or destination is the router itself then the option is not explicitly defined in a rule. |
| - | explicitly defined in a rule. For reference, these rules are added to the | + | For reference, these rules are added to the netfilter INPUT (to the router) and OUTPUT (from the router) chains. |
| - | netfilter INPUT (to the router) and OUTPUT (from the router) chains. | + | |
| - | < | + | < |
| - | config rule | + | config rule |
| - | option dest | + | option dest 'wan' |
| - | option dest_ip | + | option dest_ip '8.8.8.8' |
| - | option family | + | option family 'ipv4' |
| - | option proto icmp | + | option proto 'icmp' |
| - | option target | + | option target 'REJECT' |
| - | option name | + | option name 'REJECT-DEVICE-DNS' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
| - | This rule causes netfilter to reject any icmp echo from the router (OUTPUT | + | This rule causes netfilter to reject any icmp echo from the router (OUTPUT chain) to the public google DNS server. |
| - | chain) to the public google DNS server. | + | This rule is not particularly useful but serves as an illustrative example. |
| - | but serves as an illustrative example. | + | |
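Review bot: the rule named REJECT-DEVICE-DNS matches `proto 'icmp'`, so it blocks ICMP echo to 8.8.8.8 rather than anything DNS-related, and the text then concedes it is "not particularly useful". Make the name and the protocol agree: either rename it to reflect ICMP, or use `option proto 'udp'` with `option dest_port '53'` so the example genuinely shows the router's own DNS queries being rejected. It would also help to state plainly that omitting `src` is what places the rule in the OUTPUT chain, since that is the point this example adds over the earlier ones.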
| - | ==== Block access to the Internet for a specific station | + | ===== Block access to certain domains based on their names ===== |
| + | An example is give at [[docs: | ||
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| + | |||
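Review bot: grammar in the new "Block access to certain domains based on their names" section: "An example is give at" should be "An example is given at", "It is also capable to filter DDNS hosts" should be "It can also filter DDNS hosts", and "It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name" reads better as "It also has the advantage of covering other subdomains (such as www.) by filtering on the root domain name alone".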
| + | ===== Block access to the Internet for a specific | ||
| The following rule can be used for parental access control. | The following rule can be used for parental access control. | ||
| - | < | + | < |
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest wan | + | option dest 'wan' |
| - | option src_mac 4C: | + | option src_mac '4C: |
| - | option proto tcpudp | + | option proto 'tcp udp' |
| - | option start_time 21:00:00 | + | option start_time '21:00:00' |
| - | option stop_time 09:00:00 | + | option stop_time '09:00:00' |
| - | option utc_time 0 | + | option utc_time '0' |
| - | option weekdays 'Mon Tue Wed Thu Fri' | + | option weekdays ' |
| - | option target REJECT | + | option target 'REJECT' |
| - | option name REJECT-LAN-WAN-TIME | + | option name 'REJECT-LAN-WAN-TIME' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| - | When this rule is enabled, it will block all TCP and UDP access from STA2 to | + | When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. |
| - | the internet on weekdays between 21:00 and 09: | + | By default, the time will be UTC unless the '' |
| - | UTC unless the '' | + | |
| + | These time/date matches use the netfilter '' | ||
| + | Check ''/ | ||
| - | These time/date matches use the netfilter '' | + | From LuCI this rule can be added by following " |
| - | included in the release. | + | with the desired MAC address and an action of " |
| :!: Remove the time and day options to always block WAN-side access for the station. | :!: Remove the time and day options to always block WAN-side access for the station. | ||
| - | :!: this type of rule is very useful for mobile devices like smartphones and | + | :!: This rule can be created for a single |
| - | tablets. A lot can change in a smartphone but the wifi MAC is always the same. | + | |
| - | ==== IPSec passthrough ==== | + | :!: this type of rule is very useful for mobile devices like smartphones and tablets. |
| - | This example enables proper forwarding | + | A lot can change in a smartphone but the wifi MAC is **almost** always programmed at the factory. |
| - | protocol references are: | + | The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: |
| - | '' | + | |
| - | and | + | |
| - | '' | + | |
| - | < | + | < |
| - | config rule | + | root> ip link set wlan0 down |
| - | | + | root> ip link set address " |
| - | | + | root> ip link set wlan0 up |
| - | | + | </ |
| - | | + | |
| + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " | ||
| + | Set the filter for "Allow all except listed" | ||
| + | In the ''/ | ||
| + | |||
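Review bot: the sentence ":!: This rule can be created for a single" is cut off in this revision; finish it or drop it. The MAC caveat that follows ("the wifi MAC is **almost** always programmed at the factory" plus the `ip link set address` commands) is the right warning, and it applies just as much to the LuCI "Allow all except listed" MAC filter introduced at "An alternative mechanism to block multiple LAN MACs", so say there too that the filter keys on the same address a user can change. Also, because REJECT-LAN-WAN-TIME has `proto 'tcp udp'`, the wording "block all TCP and UDP access" is exact; if the section title's "Block access to the Internet" is the real intent, mention that other protocols (ICMP, for example) are not covered by this rule.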
| + | ===== IPSec passthrough ===== | ||
| + | This example enables proper forwarding of IPSec traffic through the wan. | ||
| + | The protocol references are: | ||
| + | * '' | ||
| + | * '' | ||
| + | |||
| + | <code bash> | ||
| + | config rule | ||
| + | option src 'wan' | ||
| + | option dest 'lan' | ||
| + | option proto 'ah' | ||
| + | option target 'ACCEPT' | ||
| - | config rule | + | config rule |
| - | | + | option src 'wan' |
| - | | + | option dest 'lan' |
| - | | + | option proto 'esp' |
| - | | + | option target 'ACCEPT' |
| </ | </ | ||
| For some configurations you also have to open port 500/UDP for the ISAKMP protocol. | For some configurations you also have to open port 500/UDP for the ISAKMP protocol. | ||
| - | < | + | < |
| - | config rule | + | config rule |
| - | | + | option src 'wan' |
| - | | + | option dest 'lan' |
| - | | + | option proto 'udp' |
| - | | + | option src_port '500' |
| - | | + | option dest_port '500' |
| - | | + | option target 'ACCEPT' |
| </ | </ | ||
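Review bot: the IPSec block is tagged `<code bash>` but contains UCI `config rule` stanzas, not shell, so the tag should match whatever the other rule blocks on the page use. These ah/esp and ISAKMP rules are also the only ones on the page without `option name`, which makes them show up unnamed in the LuCI rule list; give them names in the style of the other examples. Finally, the ISAKMP rule restricts `src_port '500'` as well as `dest_port '500'`, which is stricter than "open port 500/UDP" in the sentence above it; if the source-port restriction is deliberate, say why, otherwise keep only `dest_port`.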
| - | ==== Zone declaration for semi non-UCI interfaces, manually listed in the network config, and forwardings ==== | + | ===== Zone declaration for semi non-UCI interfaces, manually listed in the network config, and forwardings |
| - | Scenario: having one or more vpn tunnels using openvpn, | + | Scenario: having one or more VPN tunnels using OpenVPN, with the need of defining a zone to forward the traffic between the VPN interfaces and the LAN. |
| - | with the need of defining a zone to forward the traffic between the | + | |
| - | vpn interfaces and the lan. | + | |
| - | First list the interfaces in **/ | + | First list the interfaces in **/ |
| - | below. | + | Be careful on the limits of interface naming in terms of name length, [[docs: |
| - | Be careful on the limits of interface naming in terms of name length, | + | |
| - | [[docs: | + | |
| - | < | + | < |
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| </ | </ | ||
| Then create the zone in **/ | Then create the zone in **/ | ||
| - | < | + | |
| - | config zone | + | < |
| - | option name | + | config zone |
| - | list | + | option name 'vpn_tunnel' |
| - | list | + | list network ' |
| - | option input ACCEPT | + | list network ' |
| - | #the traffic towards the router from the interface will be accepted | + | option input 'ACCEPT' |
| - | #(as for the lan communications) | + | # the traffic towards the router from the interface will be accepted |
| - | option output | + | # (as for the lan communications) |
| - | #the traffic from the router to the interface will be accepted | + | option output 'ACCEPT' |
| - | option forward | + | # the traffic from the router to the interface will be accepted |
| - | #traffic from this zone to other zones is normally rejected | + | option forward 'REJECT' |
| + | # traffic from this zone to other zones is normally rejected | ||
| </ | </ | ||
| - | Then we want to communicate with the " | + | Then we want to communicate with the " |
| - | (from lan to wan and viceversa) | + | |
| - | < | + | < |
| - | config forwarding | + | config forwarding |
| - | option src lan | + | option src 'lan' |
| - | option dest | + | option dest 'vpn_tunnel' |
| - | #if a packet from lan wants to go to the vpn_tunnel zone | + | # if a packet from lan wants to go to the vpn_tunnel zone |
| - | #let it pass | + | # let it pass |
| - | config forwarding | + | config forwarding |
| - | option src vpn_tunnel | + | option src 'vpn_tunnel' |
| - | option dest | + | option dest 'lan' |
| - | #if a packet from vpn_tunnel wants to go to the lan zone | + | # if a packet from vpn_tunnel wants to go to the lan zone |
| - | #let it pass | + | # let it pass |
| </ | </ | ||
| - | This will create a lot of " | ||
| - | as efficient as raw iptable commands in ''/ | ||
| - | but those rules will be more clear in the luci webinterface and also more readable for | ||
| - | less expert users. | ||
| - | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are | + | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. |
| - | defined on which interfaces. | + | |
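Review bot: grammar in the closing sentence of the VPN zone section: "forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces" should read "forwardings rely on how routing rules are defined, and then on which zones are bound to which interfaces". On the zone itself, `option input 'ACCEPT'` with the comment "as for the lan communications" grants every peer reachable through the tunnels the same access to the router's own services as LAN hosts; if the tunnel peers are less trusted than the LAN, the safer default is `option input 'REJECT'` with explicit traffic rules for the services the peers need, and the text should point that choice out.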
| - | ==== Zone declaration for non-UCI interfaces ==== | + | ===== Zone declaration for non-UCI interfaces |
| This example declares a zone which matches any Linux network device whose name begins with " | This example declares a zone which matches any Linux network device whose name begins with " | ||
| - | < | + | < |
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option device | + | option device ' |
| </ | </ | ||
| - | ==== Zone declaration for a specific subnet and protocol ==== | + | ===== Zone declaration for a specific subnet and protocol |
| This example declares a zone which maches any TCP stream in the '' | This example declares a zone which maches any TCP stream in the '' | ||
| - | < | + | < |
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option subnet | + | option subnet ' |
| - | option extra '-p tcp' | + | option extra '-p tcp' |
| </ | </ | ||
| - | ==== Zone declaration for a specific protocol and port ==== | + | ===== Zone declaration for a specific protocol and port ===== |
| This example declares a zone which maches any TCP stream from and to port '' | This example declares a zone which maches any TCP stream from and to port '' | ||
| - | < | + | < |
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option extra_src | + | option extra_src ' |
| - | option extra_dest | + | option extra_dest ' |
| </ | </ | ||
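Review bot: typo "maches" (for "matches") in both "This example declares a zone which maches any TCP stream in the ''..." and "This example declares a zone which maches any TCP stream from and to port ''..."; it appears on both sides of the diff, so it predates this revision but is worth fixing while the section is being touched. The three zones in a row all being named 'example' is fine for illustration but could be stated as such so readers do not paste all three into one config.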
| - | ==== Stateful firewall without NAT ==== | + | ===== Stateful firewall without NAT ===== |
| <WRAP center round alert 60%> | <WRAP center round alert 60%> | ||
| I have not tested this, but it **seems** reasonable. | I have not tested this, but it **seems** reasonable. | ||
| - | In reality, the monthly cost of a block of public IPv4 addresses makes sense | + | In reality, the monthly cost of a block of public IPv4 addresses makes sense for ISPs that distribute the addresses to customers for a fee and larger corporations that need public addresses for their internet presence (e.g. web, mail, name servers, remote offices) |
| - | for ISPs that distribute the addresses to customers for a fee and larger | + | |
| - | corporations that need public addresses for their internet presence (e.g. web, | + | |
| - | mail, name servers, remote offices) | + | |
| </ | </ | ||
| - | If your LAN is running with public IP addresses, then you definitely don't want | + | If your LAN is running with public IP addresses, then you definitely don't want NAT (masquerading). |
| - | NAT (masquerading). | + | But you may still want to run a stateful firewall on the router, so that stations on the LAN-side are not reachable from the WAN-side. |
| - | router, so that stations on the LAN-side are not reachable from the WAN-side. | + | |
| To do this, add the '' | To do this, add the '' | ||
| - | < | + | < |
| - | config zone | + | config zone |
| - | option name | + | option name 'wan' |
| - | list | + | list network ' |
| - | list | + | list network ' |
| - | option input REJECT | + | option input 'REJECT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option masq | + | option masq '0' |
| - | option mtu_fix | + | option mtu_fix '1' |
| - | option conntrack | + | option conntrack '1' |
| </ | </ | ||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| + | </ | ||
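Review bot: the Cloudflare script has two logic problems. First, the stated intent is to allow access "from Cloudflare", which is a source-address match, yet the fetched ranges are added with `uci add_list firewall.cf_proxy.dest_ip=...` (and the script starts by deleting `firewall.cf_proxy.dest_ip`); a rule with `src="wan"` and `dest_ip` set to Cloudflare's ranges never matches a request arriving from Cloudflare, so both lines should use `src_ip`. Second, the heredoc delimiter in `cat << EOF` is unquoted, so the `$(uclient-fetch -O - ...)` command substitution and the variables inside it are expanded once, when the file is written, instead of each time the saved script runs; quote the delimiter (`<< "EOF"`) so the script is stored literally. Minor: `>>` appends, so running the setup twice leaves two copies of the script in the file, and the fetched list is written straight into the firewall config, so a sanity check that each entry looks like an IPv4 or IPv6 prefix before `add_list` would keep a bad download from producing a rule that matches nothing.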