Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2020/10/06 03:34] – obsolete proto=tcpudp to avoid luci-specific compatibility issues: https://forum.openwrt.org/t/is-tcpudp-a-valid-protocol-name/76048 vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== IPv4 firewall |
| - | This section contains a collection of useful [[docs: | + | This section contains a collection of useful [[docs: |
| All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | ||
| Line 16: | Line 16: | ||
| The '' | The '' | ||
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| ===== Opening ports on the OpenWrt router ===== | ===== Opening ports on the OpenWrt router ===== | ||
| Line 55: | Line 55: | ||
| It will not match any other src IP address. | It will not match any other src IP address. | ||
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| ===== Block WAN-side networks and ports ===== | ===== Block WAN-side networks and ports ===== | ||
| Line 136: | Line 136: | ||
| ===== Block access to certain domains based on their names ===== | ===== Block access to certain domains based on their names ===== | ||
| - | An example is give at [[docs: | + | An example is give at [[docs: |
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| - | ===== Block access to the Internet for a specific station | + | ===== Block access to the Internet for a specific |
| The following rule can be used for parental access control. | The following rule can be used for parental access control. | ||
| Line 157: | Line 159: | ||
| When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | When this rule is enabled, it will block all TCP and UDP access from STA2 to the internet on weekdays between 21:00 and 09:00. | ||
| - | By default, the time will be UTC unless the '' | + | By default, the time will be UTC unless the '' |
| These time/date matches use the netfilter '' | These time/date matches use the netfilter '' | ||
| Check ''/ | Check ''/ | ||
| + | |||
| + | From LuCI this rule can be added by following " | ||
| + | with the desired MAC address and an action of " | ||
| :!: Remove the time and day options to always block WAN-side access for the station. | :!: Remove the time and day options to always block WAN-side access for the station. | ||
| + | |||
| + | :!: This rule can be created for a single MAC address, not a range. | ||
| :!: this type of rule is very useful for mobile devices like smartphones and tablets. | :!: this type of rule is very useful for mobile devices like smartphones and tablets. | ||
| - | A lot can change in a smartphone but the wifi MAC is always the same. | + | A lot can change in a smartphone but the wifi MAC is **almost** |
| + | The MAC **can** be modified by a sophisticated user by doing something similar to the Linux commands: | ||
| + | |||
| + | <code bash> | ||
| + | root> ip link set wlan0 down | ||
| + | root> ip link set address " | ||
| + | root> ip link set wlan0 up | ||
| + | </ | ||
| + | |||
| + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " | ||
| + | Set the filter for "Allow all except listed" | ||
| + | In the ''/ | ||
| ===== IPSec passthrough ===== | ===== IPSec passthrough ===== | ||
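Review bot: the new MAC-based blocking text introduces several grammar slips that should go in the same edit: "An example is give at" should read "is given at", "It is also capable to filter DDNS hosts" should be "capable of filtering DDNS hosts", and "It has also the advantage to allow for other subdomains" should be "also has the advantage of allowing other subdomains". In the added `<code bash>` block the `root>` prefix looks like a shell redirection when copied; a plain `#` prompt or no prompt at all is clearer. The wording on the station rule ("can be created for a single MAC address, not a range") is fine as far as ranges go, but since the text then sends readers to the wireless MAC filter for multiple hosts, it is worth confirming whether several `list src_mac` entries on the same rule already cover that case before recommending the detour. The added `**almost**` and "can be modified by a sophisticated user" wording is the right caveat to attach to a section that opens with "parental access control"; consider stating plainly that this is a convenience control, not an enforcement boundary.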
| Line 246: | Line 264: | ||
| # let it pass | # let it pass | ||
| </ | </ | ||
| - | |||
| - | This will create a lot of " | ||
| In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | ||
| Line 313: | Line 329: | ||
| option mtu_fix ' | option mtu_fix ' | ||
| option conntrack ' | option conntrack ' | ||
| + | </ | ||
| + | |||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
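Review bot: the heredoc in the added Cloudflare script (`cat << EOF >> ...`) uses an unquoted `EOF` delimiter, so the `$(uclient-fetch -O - ...)` command substitution and the `$IPV`/`$IP` references inside it are expanded by the shell at the moment the file is written, not when the saved script is later run; `IPV` is unset at that point, so the fetch URL is wrong and the file ends up holding a one-time expansion instead of the loop. Quote the delimiter (`cat << 'EOF' >> ...`) so the body is copied verbatim (disregard if the wiki source escapes the `$` signs and the escapes were lost in rendering). Separately, `>>` appends on every run, so re-running the snippet duplicates the script body; `>` is the idempotent choice and matches the `uci -q delete firewall.cf_proxy` reset that precedes the `uci set` lines. Finally, the rule pins access to the fetched Cloudflare ranges only, which is the point of the section; the text should say that the list needs periodic refresh (the script is presumably meant for that) so a stale `dest_ip` list does not silently drop legitimate proxy traffic.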