Differences
| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2019/09/22 07:10] – formatting vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== IPv4 firewall |
| - | This section contains a collection of useful [[docs: | + | This section contains a collection of useful [[docs: |
| All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | ||
| Line 16: | Line 16: | ||
| The '' | The '' | ||
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| ===== Opening ports on the OpenWrt router ===== | ===== Opening ports on the OpenWrt router ===== | ||
| Line 55: | Line 55: | ||
| It will not match any other src IP address. | It will not match any other src IP address. | ||
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| ===== Block WAN-side networks and ports ===== | ===== Block WAN-side networks and ports ===== | ||
| Line 92: | Line 92: | ||
| option dest ' | option dest ' | ||
| option dest_port ' | option dest_port ' | ||
| - | option proto ' | + | option proto ' |
| option target ' | option target ' | ||
| option name ' | option name ' | ||
| Line 135: | Line 135: | ||
| This rule is not particularly useful but serves as an illustrative example. | This rule is not particularly useful but serves as an illustrative example. | ||
| - | ===== Block access to the Internet for a specific station | + | ===== Block access to certain domains based on their names ===== |
| + | An example is give at [[docs: | ||
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| + | |||
| + | ===== Block access to the Internet for a specific | ||
| The following rule can be used for parental access control. | The following rule can be used for parental access control. | ||
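Review bot: the added "Block access to certain domains based on their names" paragraph needs a grammar pass before it is published: "An example is give at" should read "An example is given at", "It is also capable to filter DDNS hosts" should read "It can also filter DDNS hosts", and "It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name" reads better as "It also has the advantage of allowing other subdomains (like www.) by filtering only the root domain name (like example.com)".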
| Line 143: | Line 148: | ||
| option dest ' | option dest ' | ||
| option src_mac ' | option src_mac ' | ||
| - | option proto ' | + | option proto ' |
| option start_time ' | option start_time ' | ||
| option stop_time ' | option stop_time ' | ||
| Line 154: | Line 159: | ||
| When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | ||
| - | By default, the time will be UTC unless the '' | + | By default, the time will be UTC unless the '' |
| These time/date matches use the netfilter '' | These time/date matches use the netfilter '' | ||
| Check ''/ | Check ''/ | ||
| + | |||
| + | From LuCI this rule can be added by following " | ||
| + | with the desired MAC address and an action of " | ||
| :!: Remove the time and day options to always block WAN-side access for the station. | :!: Remove the time and day options to always block WAN-side access for the station. | ||
| + | |||
| + | :!: This rule can be created for a single MAC address, not a range. | ||
| :!: this type of rule is very useful for mobile devices like smartphones and tablets. | :!: this type of rule is very useful for mobile devices like smartphones and tablets. | ||
| - | A lot can change in a smartphone but the wifi MAC is always the same. | + | A lot can change in a smartphone but the wifi MAC is **almost** |
| + | The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: | ||
| + | |||
| + | <code bash> | ||
| + | root> ip link set wlan0 down | ||
| + | root> ip link set address " | ||
| + | root> ip link set wlan0 up | ||
| + | </ | ||
| + | |||
| + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " | ||
| + | Set the filter for "Allow all except listed" | ||
| + | In the ''/ | ||
| ===== IPSec passthrough ===== | ===== IPSec passthrough ===== | ||
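Review bot: since the new text itself concedes that the Wi-Fi MAC is only **almost** constant and shows how a user changes it with `ip link`, the section should state plainly that both this firewall rule and the wireless "Allow all except listed" MAC filter it points to are convenience controls for cooperative users (the parental-control case), not a security boundary, because the device owns the identifier the rule keys on. Style: the `<code bash>` block uses a `root>` prompt where the conventional `#` (or no prompt) would be clearer, and the ":!: this type of rule" line should start with a capital letter.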
| Line 243: | Line 264: | ||
| # let it pass | # let it pass | ||
| </ | </ | ||
| - | |||
| - | This will create a lot of " | ||
| In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | ||
| Line 310: | Line 329: | ||
| option mtu_fix ' | option mtu_fix ' | ||
| option conntrack ' | option conntrack ' | ||
| + | </ | ||
| + | |||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
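Review bot: the refresh script created by the heredoc at the top of the hunk has several defects. The delimiter is unquoted (`cat << EOF`), so `$(uclient-fetch ...)` and the loop variables are expanded once while the file is written, not each time the script runs; use `<< "EOF"`. The file is opened with `>>`, so re-running the snippet appends a second copy of the script body; use `>`. `uci -q delete firewall.cf_proxy.dest_ip` runs before the fetch, so if `uclient-fetch` fails or returns nothing the rule is left with no address restriction and accepts ports 80/443 from the whole source zone; fetch into a variable first and only replace the list when the result is non-empty. The script also never runs `uci commit firewall`, so the refreshed list exists only as an uncommitted delta in /tmp/.uci and is never written to /etc/config/firewall. Finally, a rule meant to accept connections coming from Cloudflare should carry the ranges in `src_ip`; `dest_ip` matches the destination address of the packet.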