Differences

This shows you the differences between two versions of the page.


docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2019/09/22 06:22] – formatting vgaetera
docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera
Line 1: Line 1:
-====== fw3 IPv4 Configuration Examples ====== +====== IPv4 firewall examples ====== 
-This section contains a collection of useful [[docs:guide-user:firewall:overview|firewall3]] configuration examples based on the UCI configuration files. +This section contains a collection of useful [[docs:guide-user:firewall:overview|firewall]] configuration examples based on the UCI configuration files. 
-All of these can be added on the LuCI // Network -> Firewall -> Traffic Rules // page.+All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page.
  
 In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked.
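Review bot: the claim "All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page" does not hold for the page as a whole: the `config zone`, `config forwarding` and `config interface` blocks further down in this diff are not traffic rules and are edited elsewhere in LuCI. Suggest "Most of the rules below can be added on the LuCI //Network -> Firewall -> Traffic Rules// page".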
Line 16: Line 16:
 The ''enabled'' option in each rule is toggled between tests to verify the specific rule causes the expected behavior - on will cause packets to be accepted or not, off will cause the opposite behavior. The ''enabled'' option in each rule is toggled between tests to verify the specific rule causes the expected behavior - on will cause packets to be accepted or not, off will cause the opposite behavior.
  
-:!: Before modifying rules, make sure to back-up your current **/etc/config/firewall**!+:!: Before modifying rules, be sure to back-up your current ''/etc/config/firewall''!
  
 ===== Opening ports on the OpenWrt router ===== ===== Opening ports on the OpenWrt router =====
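Review bot: the backup warning on the changed line names the file but gives no command, while the rest of the page is copy-paste snippets; consider adding one, e.g. `cp /etc/config/firewall /etc/config/firewall.bak`, so a reader who locks themselves out with a rule has something to restore from.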
Line 23: Line 23:
  
 <code bash> <code bash>
-config rule +config rule 
-        option target           ACCEPT + option target 'ACCEPT' 
-        option src              wan + option src 'wan' 
-        option proto            tcp + option proto 'tcp' 
-        option dest_port        22 + option dest_port '22' 
-        option name             ACCEPT-SSH-WAN-DEVICE + option name 'ACCEPT-SSH-WAN-DEVICE' 
-        option enabled          1+ option enabled '1'
 </code> </code>
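Review bot: the ACCEPT-SSH-WAN-DEVICE rule has no `src_ip`, so with `option enabled '1'` it admits SSH to the router from every WAN address. Since the next example (ACCEPT-SSH-INTERNAL-DEVICE) shows the `src_ip` restriction, suggest shipping this one with `option enabled '0'` or a sentence pointing readers to the restricted variant.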
  
Line 41: Line 41:
  
 <code bash> <code bash>
-config rule +config rule 
-        option target ACCEPT + option target 'ACCEPT' 
-        option src wan + option src 'wan' 
-        option family ipv4 + option family 'ipv4' 
-        option proto tcp    + option proto 'tcp' 
-        option src_ip 192.168.3.0/24 + option src_ip '192.168.3.0/24' 
-        option dest_port 22                    + option dest_port '22' 
-        option name ACCEPT-SSH-INTERNAL-DEVICE + option name 'ACCEPT-SSH-INTERNAL-DEVICE' 
-        option enabled 1+ option enabled '1'
 </code> </code>
  
Line 55: Line 55:
 It will not match any other src IP address. It will not match any other src IP address.
  
-:!: When using an IPv4 address set the family to **ipv4**, otherwise fw3 warns ''! Skipping due to different family of ip address''.+:!: When using an IPv4 address set the family to **ipv4**, otherwise firewall warns ''! Skipping due to different family of ip address''.
  
 ===== Block WAN-side networks and ports ===== ===== Block WAN-side networks and ports =====
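Review bot: changing "fw3 warns" to "firewall warns" detaches the quoted message `! Skipping due to different family of ip address` from the implementation that prints it; keep the implementation name in this sentence (or state which firewall version emits the message), otherwise a reader on a different implementation will look for output that never appears.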
Line 64: Line 64:
  
 <code bash> <code bash>
-config rule +config rule 
-        option src wan + option src 'wan' 
-        option dest lan + option dest 'lan' 
-        option proto tcp + option proto 'tcp' 
-        option src_ip 42.56.0.0/16 + option src_ip '42.56.0.0/16' 
-        option dest_port 25 + option dest_port '25' 
-        option target DROP + option target 'DROP' 
-        option name DROP-WAN-0001 + option name 'DROP-WAN-0001' 
-        option enabled 1+ option enabled '1'
 </code> </code>
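Review bot: the DROP-WAN-0001 rule sets `option src_ip '42.56.0.0/16'` but no `option family 'ipv4'`, which is exactly the situation the preceding hunk warns about (`! Skipping due to different family of ip address`); add `option family 'ipv4'` as the ACCEPT-SSH-INTERNAL-DEVICE example does, so the example does not trigger the warning the page has just described.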
  
Line 82: Line 82:
 Two alternatives are: Two alternatives are:
   * add individual netfilter rules to ''/etc/firewall.user''   * add individual netfilter rules to ''/etc/firewall.user''
-  * use the''ipset'' mechanism described in [[docs:guide-user:firewall:fw3_configurations:fw3_config_ipset|ipset examples]]+  * use the ''ipset'' mechanism described in [[docs:guide-user:firewall:fw3_configurations:fw3_config_ipset|ipset examples]]
  
 ===== Using ipset to block LAN-side networks ===== ===== Using ipset to block LAN-side networks =====
Line 88: Line 88:
  
 <code bash> <code bash>
-config rule +config rule 
-        option src              lan + option src 'lan' 
-        option dest             wan + option dest 'wan' 
-        option dest_port        1000-1100 + option dest_port '1000-1100' 
-        option proto            tcpudp + option proto 'tcp udp' 
-        option target           REJECT + option target 'REJECT' 
-        option name             REJECT-LAN-WAN-PORTS + option name 'REJECT-LAN-WAN-PORTS' 
-        option enabled          1+ option enabled '1'
 </code> </code>
  
Line 103: Line 103:
  
 <code bash> <code bash>
-config rule +config rule 
-        option src lan + option src 'lan' 
-        option dest wan + option dest 'wan' 
-        option proto tcp + option proto 'tcp' 
-        option family ipv4 + option family 'ipv4' 
-        option dest_ip 63.251.153.68 + option dest_ip '63.251.153.68' 
-        option dest_port '80 443' + option dest_port '80 443' 
-        option target REJECT + option target 'REJECT' 
-        option name REJECT-LAN-SITE-HTTP + option name 'REJECT-LAN-SITE-HTTP' 
-        option enabled 1+ option enabled '1'
 </code> </code>
  
Line 122: Line 122:
  
 <code bash> <code bash>
-config rule +config rule 
-        option dest             wan + option dest 'wan' 
-        option dest_ip          8.8.8.8 + option dest_ip '8.8.8.8' 
-        option family           ipv4 + option family 'ipv4' 
-        option proto            icmp + option proto 'icmp' 
-        option target           REJECT + option target 'REJECT' 
-        option name             REJECT-DEVICE-DNS + option name 'REJECT-DEVICE-DNS' 
-        option enabled          1+ option enabled '1'
 </code> </code>
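Review bot: the rule name `REJECT-DEVICE-DNS` is misleading: the match is `option proto 'icmp'` toward 8.8.8.8, so it rejects pings from the router, not DNS (which would need `proto 'tcp udp'` and `dest_port '53'`). Rename it to something like REJECT-DEVICE-PING, or change the match to DNS so the name, the rule and the "illustrative example" sentence agree. Worth stating too that with no `option src` the rule applies to the router's own outgoing traffic, not to forwarded LAN traffic.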
  
Line 135: Line 135:
 This rule is not particularly useful but serves as an illustrative example. This rule is not particularly useful but serves as an illustrative example.
  
-===== Block access to the Internet for a specific station on certain times =====+===== Block access to certain domains based on their names ===== 
 +An example is give at [[docs:guide-user:firewall:fw3_configurations:fw3_parent_controls#blocking_ips_based_on_their_domainnames_fqdn_hostnames|Blocking IPs based on their hostname]] This is really useful if large CDNs need to be filtered based on their names. 
 +It is also capable to filter DDNS hosts. 
 +It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). 
 + 
 +===== Block access to the Internet for a specific LAN station between certain times =====
 The following rule can be used for parental access control. The following rule can be used for parental access control.
  
 <code bash> <code bash>
-config rule +config rule 
-        option src lan + option src 'lan' 
-        option dest wan + option dest 'wan' 
-        option src_mac 4C:EB:42:32:0C:9E + option src_mac '4C:EB:42:32:0C:9E' 
-        option proto tcpudp + option proto 'tcp udp' 
-        option start_time 21:00:00 + option start_time '21:00:00' 
-        option stop_time 09:00:00 + option stop_time '09:00:00' 
-        option utc_time 0 + option utc_time '0' 
-        option weekdays 'Mon Tue Wed Thu Fri' + option weekdays 'Mon Tue Wed Thu Fri' 
-        option target REJECT + option target 'REJECT' 
-        option name REJECT-LAN-WAN-TIME + option name 'REJECT-LAN-WAN-TIME' 
-        option enabled 1+ option enabled '1'
 </code> </code>
  
 When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00.
-By default, the time will be UTC unless the ''utc_time'' option is cleared.+By default, the time will be UTC unless the ''utc_time'' option is cleared (''0'').
  
 These time/date matches use the netfilter ''xt_time'' kernel module, which is included in the release. These time/date matches use the netfilter ''xt_time'' kernel module, which is included in the release.
 Check ''/proc/modules'' to confirm it is loaded. Check ''/proc/modules'' to confirm it is loaded.
 +
 +From LuCI this rule can be added by following "Firewall->Traffic Rules" and creating a new rule
 +with the desired MAC address and an action of "block" or "reject."
  
 :!: Remove the time and day options to always block WAN-side access for the station. :!: Remove the time and day options to always block WAN-side access for the station.
 +
 +:!: This rule can be created for a single MAC address, not a range.
  
 :!: this type of rule is very useful for mobile devices like smartphones and tablets. :!: this type of rule is very useful for mobile devices like smartphones and tablets.
-A lot can change in a smartphone but the wifi MAC is always the same.+A lot can change in a smartphone but the wifi MAC is **almost** always programmed at the factory. 
 +The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: 
 + 
 +<code bash> 
 +root> ip link set wlan0 down 
 +root> ip link set address "de:ad:be:ef:00:01" wlan0 
 +root> ip link set wlan0 up 
 +</code> 
 + 
 +An alternative mechanism to block multiple LAN MACs can be found in the LuCI "Wireless->Interface Edit->MAC Filter" section. 
 +Set the filter for "Allow all except listed" and add multiple LAN MACs. 
 +In the ''/etc/config/wireless'' file, this creates a "list maclist" entry for the interface.
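Review bot: the new "Block access to certain domains based on their names" paragraph needs grammar fixes: "An example is give at" should be "An example is given at", a full stop is missing before "This is really useful", "It is also capable to filter DDNS hosts" should be "It can also filter DDNS hosts", and "It has also the advantage to allow for other subdomains" should be "It also has the advantage of covering other subdomains (like www.) by filtering only the root domain name (like example.com)". Further down, the reworded `utc_time` sentence reads as if UTC were the default unless the option is cleared, while the rule above sets `option utc_time '0'` explicitly; say plainly in which timezone this rule's `start_time`/`stop_time` are interpreted. The `ip link` snippet also uses a `root>` prompt that no other block on the page uses.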
  
 ===== IPSec passthrough ===== ===== IPSec passthrough =====
Line 171: Line 192:
  
 <code bash> <code bash>
-config rule +config rule 
-       option src              wan + option src 'wan' 
-       option dest             lan + option dest 'lan' 
-       option proto            ah + option proto 'ah' 
-       option target           ACCEPT+ option target 'ACCEPT'
  
-config rule +config rule 
-       option src              wan + option src 'wan' 
-       option dest             lan + option dest 'lan' 
-       option proto            esp + option proto 'esp' 
-       option target           ACCEPT+ option target 'ACCEPT'
 </code> </code>
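Review bot: the two IPsec passthrough rules (and the IKE UDP 500 rule in the next hunk) are the only rules on the page without `option name` and `option enabled`; every other example carries both, and the introduction relies on toggling `enabled` to test a rule. Suggest adding e.g. `option name 'ACCEPT-WAN-LAN-AH'` and `option name 'ACCEPT-WAN-LAN-ESP'` (and an IKE name) so the rules are identifiable in LuCI and in the generated chain names.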
  
Line 187: Line 208:
  
 <code bash> <code bash>
-config rule +config rule 
-       option src              wan + option src 'wan' 
-       option dest             lan + option dest 'lan' 
-       option proto            udp + option proto 'udp' 
-       option src_port         500 + option src_port '500' 
-       option dest_port        500 + option dest_port '500' 
-       option target           ACCEPT+ option target 'ACCEPT'
 </code> </code>
  
Line 203: Line 224:
  
 <code bash> <code bash>
-config interface 'tun0' +config interface 'tun0' 
-        option ifname 'tun0' + option ifname 'tun0' 
-        option proto 'none'+ option proto 'none'
  
-config interface 'tun1' +config interface 'tun1' 
-        option ifname 'tun1' + option ifname 'tun1' 
-        option proto 'none'+ option proto 'none'
 </code> </code>
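Review bot: the `config interface 'tun0'` / `'tun1'` blocks were re-quoted but still use `option ifname`; confirm this is the key the targeted release expects for binding an interface to a device, since the diff otherwise modernises the syntax. Either way, a sentence stating that these blocks belong in `/etc/config/network`, not `/etc/config/firewall`, would stop them being pasted into the wrong file.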
  
Line 215: Line 236:
  
 <code bash> <code bash>
-config zone +config zone 
-        option name             vpn_tunnel + option name 'vpn_tunnel' 
-        list   network          'tun0' + list network 'tun0' 
-        list   network          'tun1' + list network 'tun1' 
-        option input            ACCEPT + option input 'ACCEPT' 
-          #the traffic towards the router from the interface will be accepted + # the traffic towards the router from the interface will be accepted 
-          #(as for the lan communications) + # (as for the lan communications) 
-        option output           ACCEPT + option output 'ACCEPT' 
-          #the traffic from the router to the interface will be accepted + # the traffic from the router to the interface will be accepted 
-        option forward          REJECT + option forward 'REJECT' 
-          #traffic from this zone to other zones is normally rejected+ # traffic from this zone to other zones is normally rejected
 </code> </code>
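Review bot: `option input 'ACCEPT'` in the vpn_tunnel zone lets any peer on tun0/tun1 reach every service on the router; the comment "(as for the lan communications)" states the intent, but a tunnel zone is often less trusted than the LAN. Suggest noting that `option input 'REJECT'` plus explicit ACCEPT rules for the services the peers actually need is the tighter alternative, and keeping the ACCEPT here only for fully trusted tunnels.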
  
Line 231: Line 252:
  
 <code bash> <code bash>
-config forwarding +config forwarding 
-        option src              lan + option src 'lan' 
-        option dest             vpn_tunnel + option dest 'vpn_tunnel' 
-        #if a packet from lan wants to go to the vpn_tunnel zone + # if a packet from lan wants to go to the vpn_tunnel zone 
-        #let it pass+ # let it pass
  
-config forwarding +config forwarding 
-        option src              vpn_tunnel + option src 'vpn_tunnel' 
-        option dest             lan + option dest 'lan' 
-        #if a packet from vpn_tunnel wants to go to the lan zone + # if a packet from vpn_tunnel wants to go to the lan zone 
-        #let it pass+ # let it pass
 </code> </code>
- 
-This will create a lot of "automatic" iptables rules (because automatic scripting is not as efficient as raw iptable commands in ''/etc/firewall.user'') but those rules will be more clear in the luci webinterface and also more readable for less expert users. 
  
 In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces.
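Review bot: deleting the paragraph about forwardings generating many "automatic" iptables rules removes the page's only explanation of why zone forwardings are preferred over raw commands in `/etc/firewall.user` (they are visible and readable in LuCI for less expert users); if it was dropped for its wording rather than its content, a one-line version should stay. The unchanged sentence "forwardings are relying how routing rules are defined" is also ungrammatical and should read "forwardings rely on how routing rules are defined".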
Line 252: Line 271:
  
 <code bash> <code bash>
-config zone +config zone 
-        option name             example + option name 'example' 
-        option input            ACCEPT + option input 'ACCEPT' 
-        option output           ACCEPT + option output 'ACCEPT' 
-        option forward          REJECT + option forward 'REJECT' 
-        option device           'ppp+'+ option device 'ppp+'
 </code> </code>
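Review bot: `option device 'ppp+'` is an interface-name wildcard matching every interface that starts with `ppp`, and this zone grants `input 'ACCEPT'`; the prose should warn that a PPPoE WAN link (named `pppoe-wan` by default) also matches, which would open the router's services to the WAN. Suggest a narrower pattern or an explicit caveat next to the example.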
  
Line 264: Line 283:
  
 <code bash> <code bash>
-config zone +config zone 
-        option name             example + option name 'example' 
-        option input            ACCEPT + option input 'ACCEPT' 
-        option output           ACCEPT + option output 'ACCEPT' 
-        option forward          REJECT + option forward 'REJECT' 
-        option subnet           '10.21.0.0/16' + option subnet '10.21.0.0/16' 
-        option extra            '-p tcp'+ option extra '-p tcp'
 </code> </code>
  
Line 278: Line 297:
  
 <code bash> <code bash>
-config zone +config zone 
-        option name             example + option name 'example' 
-        option input            ACCEPT + option input 'ACCEPT' 
-        option output           ACCEPT + option output 'ACCEPT' 
-        option forward          REJECT + option forward 'REJECT' 
-        option extra_src        '-p tcp --sport 22' + option extra_src '-p tcp --sport 22' 
-        option extra_dest       '-p tcp --dport 22'+ option extra_dest '-p tcp --dport 22'
 </code> </code>
  
Line 300: Line 319:
  
 <code bash> <code bash>
-config zone +config zone 
-        option name             wan + option name 'wan' 
-        list   network          'wan' + list network 'wan' 
-        list   network          'wan6' + list network 'wan6' 
-        option input            REJECT + option input 'REJECT' 
-        option output           ACCEPT + option output 'ACCEPT' 
-        option forward          REJECT + option forward 'REJECT' 
-        option masq             + option masq '0' 
-        option mtu_fix          + option mtu_fix '1' 
-        option conntrack        1+ option conntrack '1
 +</code> 
 + 
 +===== Allow HTTP/HTTPS access from Cloudflare ===== 
 +Here is an example that allows HTTP/HTTPS access from Cloudflare. 
 +Use if your webserver is behind the Cloudflare proxy. 
 + 
 +<code bash> 
 +cat << EOF >> /etc/firewall.user 
 +uci -q delete firewall.cf_proxy.dest_ip 
 +for IPV in 4 6 
 +do for IP in $(uclient-fetch -O - \ 
 +"https://www.cloudflare.com/ips-v${IPV}"
 +do uci add_list firewall.cf_proxy.dest_ip="${IP}" 
 +done 
 +done 
 +/etc/init.d/firewall reload 
 +EOF 
 +uci -q delete firewall.cf_proxy 
 +uci set firewall.cf_proxy="rule" 
 +uci set firewall.cf_proxy.name="Allow-Cloudflare-Proxy" 
 +uci set firewall.cf_proxy.src="wan" 
 +uci add_list firewall.cf_proxy.dest_port="80" 
 +uci add_list firewall.cf_proxy.dest_port="443" 
 +uci set firewall.cf_proxy.proto="tcp" 
 +uci set firewall.cf_proxy.target="ACCEPT" 
 +uci commit firewall 
 +/etc/init.d/firewall restart
 </code> </code>
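Review bot: `option conntrack '1` on the wan zone is missing its closing quote and will break parsing of `/etc/config/firewall`; it should read `option conntrack '1'`. In the new Cloudflare section the heredoc is `cat << EOF >> /etc/firewall.user` with an unquoted delimiter, so `$(uclient-fetch ...)`, `${IPV}` and `${IP}` are expanded once by the shell that writes the file instead of each time `firewall.user` runs; it needs `cat << 'EOF'`. The command substitution is also never closed: `$(uclient-fetch -O - \` continues with the URL line but there is no `)` before `do`. Beyond syntax, the appended script ends with `/etc/init.d/firewall reload`, yet `firewall.user` is itself executed by the firewall on every start and reload, so this re-enters the reload from inside it; fetch the address lists from a separate script or a cron job and reload from there. Finally, the old lines had `option masq` and `option mtu_fix` with empty values; the new `option masq '0'` disables NAT on a wan zone, which is rarely what an IPv4 WAN example wants, so please confirm `'1'` was not intended.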
  
  • Last modified: 2023/10/14 06:21
  • by vgaetera