| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2019/09/22 06:26] – formatting vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera | ||
| Line 1: | Line 1: | ||
| - | ====== | + | ====== IPv4 firewall examples |
| - | This section contains a collection of useful [[docs: | + | This section contains a collection of useful [[docs: |
| - | All of these can be added on the LuCI // Network -> Firewall -> Traffic Rules // page. | + | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. |
| In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. | In keeping with the underlying netfilter service, the first matching rule will run its target and (with a couple of exceptions) filtering stops; no subsequent rules are checked. | ||
| Line 16: | Line 16: | ||
| The '' | The '' | ||
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| ===== Opening ports on the OpenWrt router ===== | ===== Opening ports on the OpenWrt router ===== | ||
| Line 23: | Line 23: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option target | + | option target ' |
| - | option src ' | + | option src ' |
| - | option proto ' | + | option proto ' |
| - | option dest_port | + | option dest_port ' |
| - | option name | + | option name ' |
| - | option enabled | + | option enabled ' |
| </ | </ | ||
| Line 41: | Line 41: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option target ' | + | option target ' |
| - | option src ' | + | option src ' |
| - | option family ' | + | option family ' |
| - | option proto ' | + | option proto ' |
| - | option src_ip ' | + | option src_ip ' |
| - | option dest_port ' | + | option dest_port ' |
| - | option name ' | + | option name ' |
| - | option enabled ' | + | option enabled ' |
| </ | </ | ||
| Line 55: | Line 55: | ||
| It will not match any other src IP address. | It will not match any other src IP address. | ||
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| ===== Block WAN-side networks and ports ===== | ===== Block WAN-side networks and ports ===== | ||
| Line 64: | Line 64: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src ' | + | option src ' |
| - | option dest ' | + | option dest ' |
| - | option proto ' | + | option proto ' |
| - | option src_ip ' | + | option src_ip ' |
| - | option dest_port ' | + | option dest_port ' |
| - | option target ' | + | option target ' |
| - | option name ' | + | option name ' |
| - | option enabled ' | + | option enabled ' |
| </ | </ | ||
| Line 88: | Line 88: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src ' | + | option src ' |
| - | option dest | + | option dest ' |
| - | option dest_port | + | option dest_port ' |
| - | option proto 'tcpudp' | + | option proto 'tcp udp' |
| - | option target | + | option target ' |
| - | option name | + | option name ' |
| - | option enabled | + | option enabled ' |
| </ | </ | ||
| Line 103: | Line 103: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src ' | + | option src ' |
| - | option dest ' | + | option dest ' |
| - | option proto ' | + | option proto ' |
| - | option family ' | + | option family ' |
| - | option dest_ip ' | + | option dest_ip ' |
| - | option dest_port '80 443' | + | option dest_port ' |
| - | option target ' | + | option target ' |
| - | option name ' | + | option name ' |
| - | option enabled ' | + | option enabled ' |
| </ | </ | ||
| Line 122: | Line 122: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option dest | + | option dest ' |
| - | option dest_ip | + | option dest_ip ' |
| - | option family | + | option family ' |
| - | option proto ' | + | option proto ' |
| - | option target | + | option target ' |
| - | option name | + | option name ' |
| - | option enabled | + | option enabled ' |
| </ | </ | ||
| Line 135: | Line 135: | ||
| This rule is not particularly useful but serves as an illustrative example. | This rule is not particularly useful but serves as an illustrative example. | ||
| - | ===== Block access to the Internet for a specific station | + | ===== Block access to certain domains based on their names ===== |
| + | An example is give at [[docs: | ||
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| + | |||
| + | ===== Block access to the Internet for a specific | ||
| The following rule can be used for parental access control. | The following rule can be used for parental access control. | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | option src ' | + | option src ' |
| - | option dest ' | + | option dest ' |
| - | option src_mac ' | + | option src_mac ' |
| - | option proto 'tcpudp' | + | option proto 'tcp udp' |
| - | option start_time ' | + | option start_time ' |
| - | option stop_time ' | + | option stop_time ' |
| - | option utc_time ' | + | option utc_time ' |
| - | option weekdays 'Mon Tue Wed Thu Fri' | + | option weekdays ' |
| - | option target ' | + | option target ' |
| - | option name ' | + | option name ' |
| - | option enabled ' | + | option enabled ' |
| </ | </ | ||
| When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | ||
| - | By default, the time will be UTC unless the '' | + | By default, the time will be UTC unless the '' |
| These time/date matches use the netfilter '' | These time/date matches use the netfilter '' | ||
| Check ''/ | Check ''/ | ||
| + | |||
| + | From LuCI this rule can be added by following " | ||
| + | with the desired MAC address and an action of " | ||
| :!: Remove the time and day options to always block WAN-side access for the station. | :!: Remove the time and day options to always block WAN-side access for the station. | ||
| + | |||
| + | :!: This rule can be created for a single MAC address, not a range. | ||
| :!: this type of rule is very useful for mobile devices like smartphones and tablets. | :!: this type of rule is very useful for mobile devices like smartphones and tablets. | ||
| - | A lot can change in a smartphone but the wifi MAC is always the same. | + | A lot can change in a smartphone but the wifi MAC is **almost** |
| + | The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: | ||
| + | |||
| + | <code bash> | ||
| + | root> ip link set wlan0 down | ||
| + | root> ip link set address " | ||
| + | root> ip link set wlan0 up | ||
| + | </ | ||
| + | |||
| + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " | ||
| + | Set the filter for "Allow all except listed" | ||
| + | In the ''/ | ||
| ===== IPSec passthrough ===== | ===== IPSec passthrough ===== | ||
| Line 171: | Line 192: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | | + | option src ' |
| - | | + | option dest ' |
| - | | + | option proto ' |
| - | | + | option target ' |
| - | config rule | + | config rule |
| - | | + | option src ' |
| - | | + | option dest ' |
| - | | + | option proto ' |
| - | | + | option target ' |
| </ | </ | ||
| Line 187: | Line 208: | ||
| <code bash> | <code bash> | ||
| - | config rule | + | config rule |
| - | | + | option src ' |
| - | | + | option dest ' |
| - | | + | option proto ' |
| - | | + | option src_port ' |
| - | | + | option dest_port ' |
| - | | + | option target ' |
| </ | </ | ||
| Line 203: | Line 224: | ||
| <code bash> | <code bash> | ||
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| - | config interface ' | + | config interface ' |
| - | option ifname ' | + | option ifname ' |
| - | option proto ' | + | option proto ' |
| </ | </ | ||
| Line 215: | Line 236: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name ' |
| - | list | + | list network ' |
| - | list | + | list network ' |
| - | option input ' | + | option input ' |
| - | #the traffic towards the router from the interface will be accepted | + | # the traffic towards the router from the interface will be accepted |
| - | #(as for the lan communications) | + | # (as for the lan communications) |
| - | option output | + | option output ' |
| - | #the traffic from the router to the interface will be accepted | + | # the traffic from the router to the interface will be accepted |
| - | option forward | + | option forward ' |
| - | #traffic from this zone to other zones is normally rejected | + | # traffic from this zone to other zones is normally rejected |
| </ | </ | ||
| Line 231: | Line 252: | ||
| <code bash> | <code bash> | ||
| - | config forwarding | + | config forwarding |
| - | option src ' | + | option src ' |
| - | option dest | + | option dest ' |
| - | #if a packet from lan wants to go to the vpn_tunnel zone | + | # if a packet from lan wants to go to the vpn_tunnel zone |
| - | #let it pass | + | # let it pass |
| - | config forwarding | + | config forwarding |
| - | option src ' | + | option src ' |
| - | option dest | + | option dest ' |
| - | #if a packet from vpn_tunnel wants to go to the lan zone | + | # if a packet from vpn_tunnel wants to go to the lan zone |
| - | #let it pass | + | # let it pass |
| </ | </ | ||
| - | |||
| - | This will create a lot of " | ||
| In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | ||
| Line 252: | Line 271: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name ' |
| - | option input ' | + | option input ' |
| - | option output | + | option output ' |
| - | option forward | + | option forward ' |
| - | option device | + | option device ' |
| </ | </ | ||
| Line 264: | Line 283: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name ' |
| - | option input ' | + | option input ' |
| - | option output | + | option output ' |
| - | option forward | + | option forward ' |
| - | option subnet | + | option subnet ' |
| - | option extra '-p tcp' | + | option extra '-p tcp' |
| </ | </ | ||
| Line 278: | Line 297: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name ' |
| - | option input ' | + | option input ' |
| - | option output | + | option output ' |
| - | option forward | + | option forward ' |
| - | option extra_src | + | option extra_src ' |
| - | option extra_dest | + | option extra_dest ' |
| </ | </ | ||
| Line 300: | Line 319: | ||
| <code bash> | <code bash> | ||
| - | config zone | + | config zone |
| - | option name | + | option name ' |
| - | list | + | list network ' |
| - | list | + | list network ' |
| - | option input ' | + | option input ' |
| - | option output | + | option output ' |
| - | option forward | + | option forward ' |
| - | option masq | + | option masq ' |
| - | option mtu_fix | + | option mtu_fix ' |
| - | option conntrack | + | option conntrack ' |
| + | </ | ||
| + | |||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
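Review bot: In the new "Allow HTTP/HTTPS access from Cloudflare" block the downloaded ranges are stored in `firewall.cf_proxy.dest_ip`, yet the rule is described as accepting traffic arriving from Cloudflare, for which the proxy ranges describe the packet source and would normally belong in `src_ip` (the rule's `src` value is cut off in this view, so confirm against the full page). The larger problem is ordering: `uci -q delete firewall.cf_proxy.dest_ip` runs before the download, so if `uclient-fetch` fails (WAN not yet up at boot, TLS or DNS error, list temporarily unreachable) the loop adds nothing and the accept rule is left without any address match, i.e. it accepts HTTP/HTTPS from every source until a later run succeeds. I would fetch first and only replace the list when something came back, e.g. `LIST=$(uclient-fetch -O - "<cloudflare-ips-url>") || exit 1` and `[ -n "$LIST" ] || exit 1` ahead of the delete, iterating over `$LIST` instead of calling the fetch inside the loop. The prose should also state that, because the snippet is appended to a file run on every firewall reload, the list is re-fetched over the network at each reload and the URL must be an `https://` one.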