Differences
This shows you the differences between two versions of the page.
| Previous revision | Current revision |
|---|---|
| docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2021/05/17 14:11] – Add an alternate recipe for blocking LAN MAC addresses (dturvene) | docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] (vgaetera) |
| Line 1: | Line 1: | ||
| - | ====== | + | ====== IPv4 firewall |
| - | This section contains a collection of useful [[docs: | + | This section contains a collection of useful [[docs: |
| All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. | ||
| Line 16: | Line 16: | ||
| The '' | The '' | ||
| - | :!: Before modifying rules, | + | :!: Before modifying rules, |
| ===== Opening ports on the OpenWrt router ===== | ===== Opening ports on the OpenWrt router ===== | ||
| Line 55: | Line 55: | ||
| It will not match any other src IP address. | It will not match any other src IP address. | ||
| - | :!: When using an IPv4 address set the family to **ipv4**, otherwise | + | :!: When using an IPv4 address set the family to **ipv4**, otherwise |
| ===== Block WAN-side networks and ports ===== | ===== Block WAN-side networks and ports ===== | ||
| Line 136: | Line 136: | ||
| ===== Block access to certain domains based on their names ===== | ===== Block access to certain domains based on their names ===== | ||
| - | An example is give at [[docs: | + | An example is give at [[docs: |
| + | It is also capable to filter DDNS hosts. | ||
| + | It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com). | ||
| ===== Block access to the Internet for a specific LAN station between certain times ===== | ===== Block access to the Internet for a specific LAN station between certain times ===== | ||
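Review bot: The two added sentences need grammatical tightening before they are merged: "It is also capable to filter DDNS hosts." reads better as "It can also filter DDNS hosts.", and "It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com)." as "It also has the advantage of covering subdomains (such as www.) by filtering only the root domain name (such as example.com)." Both sentences start with "It" while the line before them only gives a link, so naming the example or tool being referred to would let them stand on their own.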
| Line 179: | Line 181: | ||
| </ | </ | ||
| - | An alternative mechanism to block multiple LAN MACs can be found in | + | An alternative mechanism to block multiple LAN MACs can be found in the LuCI " |
| - | the LuCI | + | Set the filter for "Allow all except listed" |
| - | " | + | In the ''/ |
| - | "Allow all except listed" | + | |
| - | ''/ | + | |
| - | for the interface. | + | |
| ===== IPSec passthrough ===== | ===== IPSec passthrough ===== | ||
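Review bot: This hunk only rewraps the paragraph from six short lines into three; no wording change is visible. One qualifier from the old text should survive the rewrap: the old version ended with "for the interface.", making clear that the MAC filter list is set per interface rather than globally, and the rewritten third line should still say so. Minor wording: "Set the filter for "Allow all except listed"" reads more naturally as "Set the filter to "Allow all except listed"".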
| Line 265: | Line 264: | ||
| # let it pass | # let it pass | ||
| </ | </ | ||
| - | |||
| - | This will create a lot of " | ||
| In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. | ||
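Review bot: Removing the sentence beginning "This will create a lot of" drops the only caveat that followed the rule block. If the side effect it described still occurs with the current rule, keep a one-line note after the code block rather than deleting it outright, so readers know what to expect after applying the recipe; if it no longer applies, a short "no longer needed" remark in the edit summary would justify the removal.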
| Line 332: | Line 329: | ||
| option mtu_fix ' | option mtu_fix ' | ||
| option conntrack ' | option conntrack ' | ||
| + | </ | ||
| + | |||
| + | ===== Allow HTTP/HTTPS access from Cloudflare ===== | ||
| + | Here is an example that allows HTTP/HTTPS access from Cloudflare. | ||
| + | Use if your webserver is behind the Cloudflare proxy. | ||
| + | |||
| + | <code bash> | ||
| + | cat << EOF >> / | ||
| + | uci -q delete firewall.cf_proxy.dest_ip | ||
| + | for IPV in 4 6 | ||
| + | do for IP in $(uclient-fetch -O - \ | ||
| + | " | ||
| + | do uci add_list firewall.cf_proxy.dest_ip=" | ||
| + | done | ||
| + | done | ||
| + | / | ||
| + | EOF | ||
| + | uci -q delete firewall.cf_proxy | ||
| + | uci set firewall.cf_proxy=" | ||
| + | uci set firewall.cf_proxy.name=" | ||
| + | uci set firewall.cf_proxy.src=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci add_list firewall.cf_proxy.dest_port=" | ||
| + | uci set firewall.cf_proxy.proto=" | ||
| + | uci set firewall.cf_proxy.target=" | ||
| + | uci commit firewall | ||
| + | / | ||
| </ | </ | ||
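Review bot: The heredoc on the first added line uses an unquoted delimiter (`cat << EOF >> ...`), so the shell performing the `cat` expands the `$(uclient-fetch -O - ...)` command substitution and the `${...}` references while writing the file, not when the generated script later runs: the download happens once at install time, with the loop variable still unset, and its result is baked into the file. Quote the delimiter, `cat << 'EOF' >> ...`, so the loop is written literally. Two further points on the rule itself: the section is described as allowing HTTP/HTTPS access *from* Cloudflare, yet the fetched ranges are stored in `firewall.cf_proxy.dest_ip`; if the proxy's addresses are meant to be matched as the origin of the connection, `src_ip` is the field to populate, so confirm which one is intended. And because `uci -q delete firewall.cf_proxy.dest_ip` runs before the fetch, a failed download (no connectivity, or a changed URL) leaves the list empty, and the rule for dest_port 80 and 443 is then applied with no address restriction at all; collect the addresses into a variable first and only replace the list when it is non-empty, otherwise leave the previous list in place.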