Differences
| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2019/09/22 06:22] – formatting vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== IPv4 firewall examples |
| - | This section contains a collection of useful [[docs: | + | This section contains a collection of useful [[docs: |
| - | All of these can be added on the LuCI // Network -> Firewall -> Traffic Rules // page. | + | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. |
| In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. | In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. | ||
| Line 16: | Line 16: | ||
| The '' | The '' | ||
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| ===== Opening ports on the OpenWrt router ===== | ===== Opening ports on the OpenWrt router ===== | ||
| Line 23: | Line 23: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option target | + | option target 'ACCEPT' |
| - | option src wan | + | option src 'wan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option dest_port | + | option dest_port '22' |
| - | option name | + | option name 'ACCEPT-SSH-WAN-DEVICE' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
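Review bot: the ACCEPT-SSH-WAN-DEVICE rule in this hunk (option src 'wan', option proto 'tcp', option dest_port '22', option target 'ACCEPT') admits TCP/22 from every WAN address; the next section shows the same rule narrowed with an option src_ip, so it is worth pointing readers there from this example so the unrestricted form is not copied as-is.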
| Line 41: | Line 41: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option target ACCEPT | + | option target 'ACCEPT' |
| - | option src wan | + | option src 'wan' |
| - | option family ipv4 | + | option family 'ipv4' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option src_ip 192.168.3.0/ | + | option src_ip '192.168.3.0/ |
| - | option dest_port 22 | + | option dest_port '22' |
| - | option name ACCEPT-SSH-INTERNAL-DEVICE | + | option name 'ACCEPT-SSH-INTERNAL-DEVICE' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| Line 55: | Line 55: | ||
| It will not match any other src IP address. | It will not match any other src IP address. | ||
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| ===== Block WAN-side networks and ports ===== | ===== Block WAN-side networks and ports ===== | ||
| Line 64: | Line 64: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src wan | + | option src 'wan' |
| - | option dest lan | + | option dest 'lan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option src_ip 42.56.0.0/ | + | option src_ip '42.56.0.0/ |
| - | option dest_port 25 | + | option dest_port '25' |
| - | option target DROP | + | option target 'DROP' |
| - | option name DROP-WAN-0001 | + | option name 'DROP-WAN-0001' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| Line 82: | Line 82: | ||
| Two alternatives are: | Two alternatives are: | ||
| * add individual netfilter rules to ''/ | * add individual netfilter rules to ''/ | ||
| - | * use the'' | + | * use the '' |
| ===== Using ipset to block LAN-side networks ===== | ===== Using ipset to block LAN-side networks ===== | ||
| Line 88: | Line 88: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest | + | option dest 'wan' |
| - | option dest_port | + | option dest_port '1000-1100' |
| - | option proto | + | option proto 'tcp udp' |
| - | option target | + | option target 'REJECT' |
| - | option name | + | option name 'REJECT-LAN-WAN-PORTS' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
| Line 103: | Line 103: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest wan | + | option dest 'wan' |
| - | option proto tcp | + | option proto 'tcp' |
| - | option family ipv4 | + | option family 'ipv4' |
| - | option dest_ip 63.251.153.68 | + | option dest_ip '63.251.153.68' |
| - | option dest_port '80 443' | + | option dest_port ' |
| - | option target REJECT | + | option target 'REJECT' |
| - | option name REJECT-LAN-SITE-HTTP | + | option name 'REJECT-LAN-SITE-HTTP' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| Line 122: | Line 122: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option dest | + | option dest 'wan' |
| - | option dest_ip | + | option dest_ip '8.8.8.8' |
| - | option family | + | option family 'ipv4' |
| - | option proto icmp | + | option proto 'icmp' |
| - | option target | + | option target 'REJECT' |
| - | option name | + | option name 'REJECT-DEVICE-DNS' |
| - | option enabled | + | option enabled '1' |
| </ | </ | ||
| Line 135: | Line 135: | ||
| This rule is not particularly useful but serves as an illustrative example. | This rule is not particularly useful but serves as an illustrative example. | ||
| - | ===== Block access to the Internet for a specific station | + | ===== Block access to certain domains based on their names ===== |
| + | An example is give at [[docs: | ||
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| + | |||
| + | ===== Block access to the Internet for a specific | ||
| The following rule can be used for parental access control. | The following rule can be used for parental access control. | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src lan | + | option src 'lan' |
| - | option dest wan | + | option dest 'wan' |
| - | option src_mac 4C: | + | option src_mac '4C: |
| - | option proto tcpudp | + | option proto 'tcp udp' |
| - | option start_time 21:00:00 | + | option start_time '21:00:00' |
| - | option stop_time 09:00:00 | + | option stop_time '09:00:00' |
| - | option utc_time 0 | + | option utc_time '0' |
| - | option weekdays 'Mon Tue Wed Thu Fri' | + | option weekdays ' |
| - | option target REJECT | + | option target 'REJECT' |
| - | option name REJECT-LAN-WAN-TIME | + | option name 'REJECT-LAN-WAN-TIME' |
| - | option enabled 1 | + | option enabled '1' |
| </ | </ | ||
| When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | ||
| - | By default, the time will be UTC unless the '' | + | By default, the time will be UTC unless the '' |
| These time/date matches use the netfilter '' | These time/date matches use the netfilter '' | ||
| Check ''/ | Check ''/ | ||
| + | |||
| + | From LuCI this rule can be added by following " | ||
| + | with the desired MAC address and an action of " | ||
| :!: Remove the time and day options to always block WAN-side access for the station. | :!: Remove the time and day options to always block WAN-side access for the station. | ||
| + | |||
| + | :!: This rule can be created for a single MAC address, not a range. | ||
| :!: this type of rule is very useful for mobile devices like smartphones and tablets. | :!: this type of rule is very useful for mobile devices like smartphones and tablets. | ||
| - | A lot can change in a smartphone but the wifi MAC is always the same. | + | A lot can change in a smartphone but the wifi MAC is **almost** |
| + | The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: | ||
| + | |||
| + | <code bash> | ||
| + | root> ip link set wlan0 down | ||
| + | root> ip link set address " | ||
| + | root> ip link set wlan0 up | ||
| + | </ | ||
| + | |||
| + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " | ||
| + | Set the filter for "Allow all except listed" | ||
| + | In the ''/ | ||
| ===== IPSec passthrough ===== | ===== IPSec passthrough ===== | ||
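Review bot: in the REJECT-LAN-WAN-TIME rule the window from option start_time '21:00:00' to option stop_time '09:00:00' wraps past midnight, and the netfilter time match checks the weekday list against each packet's own day, so with weekdays 'Mon Tue Wed Thu Fri' the block runs Friday 21:00 to midnight but not Saturday 00:00 to 09:00, while Monday 00:00 to 09:00 is blocked; the sentence "on weekdays between 21:00 and 09:00" should spell that out, or the day list should be adjusted to the nights actually intended. Separately, the rule named 'REJECT-DEVICE-DNS' uses option proto 'icmp' with option dest_ip '8.8.8.8', so it rejects ping to that resolver rather than DNS queries; rename it, or make it match proto 'tcp udp' with dest_port '53' if blocking DNS is the goal.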
| Line 171: | Line 192: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | | + | option src 'wan' |
| - | | + | option dest 'lan' |
| - | | + | option proto 'ah' |
| - | | + | option target 'ACCEPT' |
| - | config rule | + | config rule |
| - | | + | option src 'wan' |
| - | | + | option dest 'lan' |
| - | | + | option proto 'esp' |
| - | | + | option target 'ACCEPT' |
| </ | </ | ||
| Line 187: | Line 208: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | | + | option src 'wan' |
| - | | + | option dest 'lan' |
| - | | + | option proto 'udp' |
| - | | + | option src_port '500' |
| - | | + | option dest_port '500' |
| - | | + | option target 'ACCEPT' |
| </ | </ | ||
| Line 203: | Line 224: | ||
| <code bash> | <code bash> | ||
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| </ | </ | ||
| Line 215: | Line 236: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name 'vpn_tunnel' |
| - | list | + | list network ' |
| - | list | + | list network ' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | #the traffic towards the router from the interface will be accepted | + | # the traffic towards the router from the interface will be accepted |
| - | #(as for the lan communications) | + | # (as for the lan communications) |
| - | option output | + | option output 'ACCEPT' |
| - | #the traffic from the router to the interface will be accepted | + | # the traffic from the router to the interface will be accepted |
| - | option forward | + | option forward 'REJECT' |
| - | #traffic from this zone to other zones is normally rejected | + | # traffic from this zone to other zones is normally rejected |
| </ | </ | ||
| Line 231: | Line 252: | ||
| <code bash> | <code bash> | ||
| - | config forwarding | + | config forwarding |
| - | option src lan | + | option src 'lan' |
| - | option dest | + | option dest 'vpn_tunnel' |
| - | #if a packet from lan wants to go to the vpn_tunnel zone | + | # if a packet from lan wants to go to the vpn_tunnel zone |
| - | #let it pass | + | # let it pass |
| - | config forwarding | + | config forwarding |
| - | option src vpn_tunnel | + | option src 'vpn_tunnel' |
| - | option dest | + | option dest 'lan' |
| - | #if a packet from vpn_tunnel wants to go to the lan zone | + | # if a packet from vpn_tunnel wants to go to the lan zone |
| - | #let it pass | + | # let it pass |
| </ | </ | ||
| - | |||
| - | This will create a lot of " | ||
| In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | ||
| Line 252: | Line 271: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option device | + | option device ' |
| </ | </ | ||
| Line 264: | Line 283: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option subnet | + | option subnet ' |
| - | option extra '-p tcp' | + | option extra '-p tcp' |
| </ | </ | ||
| Line 278: | Line 297: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name 'example' |
| - | option input ACCEPT | + | option input 'ACCEPT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option extra_src | + | option extra_src ' |
| - | option extra_dest | + | option extra_dest ' |
| </ | </ | ||
| Line 300: | Line 319: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name 'wan' |
| - | list | + | list network ' |
| - | list | + | list network ' |
| - | option input REJECT | + | option input 'REJECT' |
| - | option output | + | option output 'ACCEPT' |
| - | option forward | + | option forward 'REJECT' |
| - | option masq | + | option masq '0' |
| - | option mtu_fix | + | option mtu_fix '1' |
| - | option conntrack | + | option conntrack '1' |
| + | </ | ||
| + | |||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
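Review bot: the heredoc on the `cat << EOF >> /...` line is unquoted, so `$(uclient-fetch ...)` and the `$IPV`/`$IP` variables are expanded while the file is being written instead of when the saved script runs (the fetch happens once, with the loop variables still unset, and the stored loop body carries empty values); quote the delimiter, `cat << "EOF" >> ...`, so the script is stored verbatim. Two smaller points: `uci -q delete firewall.cf_proxy.dest_ip` runs before the fetch loop, so a failed or empty download leaves the ACCEPT rule for ports 80 and 443 with no address restriction until the next successful run, which argues for collecting and validating the fetched prefixes first and replacing the list only on success; and since the section describes allowing access from the Cloudflare proxy, the proxy's ranges are the packet source, so src_ip rather than dest_ip is the option that matches them.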