Differences

docs:guide-user:firewall:fw3_configurations:fw3_config_examples [2021/12/05 10:13] – [Allow HTTP/HTTPS access from Cloudflare] merge from docs:guide-user:firewall:firewall_configuration vgaeteradocs:guide-user:firewall:fw3_configurations:fw3_config_examples [2022/10/30 21:06] – [Firewall IPv4 examples] vgaetera
Line 1: Line 1:
-====== fw3 IPv4 configuration examples ====== +====== IPv4 firewall examples ====== 
-This section contains a collection of useful [[docs:guide-user:firewall:overview|firewall3]] configuration examples based on the UCI configuration files.+This section contains a collection of useful [[docs:guide-user:firewall:overview|firewall]] configuration examples based on the UCI configuration files.
 All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page. All of these can be added on the LuCI //Network -> Firewall -> Traffic Rules// page.
  
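Review bot: the heading and link text in this hunk drop the "fw3"/"firewall3" name, but the page still lives under docs:guide-user:firewall:fw3_configurations (see the revision header above), so a reader arriving from that namespace cannot tell which firewall implementation the examples were written for; a one-line note under the new heading saying what the examples apply to would remove that ambiguity.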
Line 55: Line 55:
 It will not match any other src IP address. It will not match any other src IP address.
  
-:!: When using an IPv4 address set the family to **ipv4**, otherwise fw3 warns ''! Skipping due to different family of ip address''.+:!: When using an IPv4 address set the family to **ipv4**, otherwise firewall warns ''! Skipping due to different family of ip address''.
  
 ===== Block WAN-side networks and ports ===== ===== Block WAN-side networks and ports =====
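Review bot: "otherwise firewall warns" in the :!: line reads ungrammatically after the rename; "otherwise the firewall service warns" keeps the sentence readable, and the quoted message ''! Skipping due to different family of ip address'' should stay verbatim since that is the exact string a user will grep for in the log.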
Line 136: Line 136:
  
 ===== Block access to certain domains based on their names ===== ===== Block access to certain domains based on their names =====
-An example is give at [[docs:guide-user:firewall:fw3_configurations:fw3_parent_controls#blocking_ips_based_on_their_domainnames_fqdn_hostnames|Blocking IPs based on their hostname]] This is really useful if large CDNs need to be filtered based on their names. It is also capable to filter DDNS hosts. It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com).+An example is give at [[docs:guide-user:firewall:fw3_configurations:fw3_parent_controls#blocking_ips_based_on_their_domainnames_fqdn_hostnames|Blocking IPs based on their hostname]] This is really useful if large CDNs need to be filtered based on their names. 
 +It is also capable to filter DDNS hosts. 
 +It has also the advantage to allow for other subdomains (like www.) by just filtering the root-domain-name (like example.com).
  
 ===== Block access to the Internet for a specific LAN station between certain times ===== ===== Block access to the Internet for a specific LAN station between certain times =====
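Review bot: the typos in the first line of the "Block access to certain domains" paragraph survive the reflow: "An example is give at" should be "An example is given at", and a full stop is missing after the link before "This is really useful". The two new lines also read better as "It is also capable of filtering DDNS hosts." and "It also has the advantage of allowing other subdomains (like www.) by just filtering the root domain name (like example.com).".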
Line 179: Line 181:
 </code> </code>
  
-An alternative mechanism to block multiple LAN MACs can be found in  +An alternative mechanism to block multiple LAN MACs can be found in the LuCI "Wireless->Interface Edit->MAC Filter" section. 
-the LuCI  +Set the filter for "Allow all except listed" and add multiple LAN MACs. 
-"Wireless->Interface Edit->MAC Filter" section.  Set the filter for  +In the ''/etc/config/wireless'' file, this creates a "list maclist" entry for the interface.
-"Allow all except listed" and add multiple LAN MACs.  In the  +
-''/etc/config/wireless'' file, this creates a "list maclist" entry +
-for the interface.+
  
 ===== IPSec passthrough ===== ===== IPSec passthrough =====
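Review bot: the reflowed MAC-filter paragraph should state that it covers wireless clients only: the setting lives under "Wireless->Interface Edit->MAC Filter" and produces a "list maclist" entry on the wireless interface, while the section heading talks about a LAN station in general, so a wired station is not affected by it. A clause such as "for wireless clients only" after "multiple LAN MACs" would make the scope clear.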
Line 265: Line 264:
  # let it pass  # let it pass
 </code> </code>
- 
-This will create a lot of "automatic" iptables rules (because automatic scripting is not as efficient as raw iptable commands in ''/etc/firewall.user'') but those rules will be more clear in the luci webinterface and also more readable for less expert users. 
  
 In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces. In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are defined on which interfaces.
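Review bot: dropping the paragraph about "automatic" iptables rules also removes the only statement that rules created this way are visible and readable in the LuCI web interface, which is the part a less experienced reader benefits from; consider keeping a shortened form of that sentence without the ''/etc/firewall.user'' comparison. The unchanged line that follows also needs its grammar fixed: "forwardings rely on how routing rules are defined, and after that on which zones are defined on which interfaces".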
Line 335: Line 332:
  
 ===== Allow HTTP/HTTPS access from Cloudflare ===== ===== Allow HTTP/HTTPS access from Cloudflare =====
-Here is an example that allows HTTP/HTTPS from Cloudflare.+Here is an example that allows HTTP/HTTPS access from Cloudflare.
 Use if your webserver is behind the Cloudflare proxy. Use if your webserver is behind the Cloudflare proxy.
  
Line 342: Line 339:
 uci -q delete firewall.cf_proxy.dest_ip uci -q delete firewall.cf_proxy.dest_ip
 for IPV in 4 6 for IPV in 4 6
-do for IP in $(uclient-fetch -q -O - \+do for IP in $(uclient-fetch -O - \
 "https://www.cloudflare.com/ips-v${IPV}") "https://www.cloudflare.com/ips-v${IPV}")
 do uci add_list firewall.cf_proxy.dest_ip="${IP}" do uci add_list firewall.cf_proxy.dest_ip="${IP}"
 done done
 +done
 +/etc/init.d/firewall reload
 EOF EOF
 uci -q delete firewall.cf_proxy uci -q delete firewall.cf_proxy
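Review bot: the added outer ''done'' fixes an unterminated ''for IPV in 4 6'' loop in the previous revision, but the script still runs ''uci -q delete firewall.cf_proxy.dest_ip'' before fetching, so if either uclient-fetch call fails (now visible on the console, since ''-q'' was removed) the rule is reloaded with an empty dest_ip list, i.e. with no address restriction at all. Safer is to fetch both lists into a variable first, abort without touching the rule when a fetch returns nothing, and only then delete and repopulate the list. Also, no ''uci commit firewall'' appears between the add_list calls and ''/etc/init.d/firewall reload'' in this hunk; if it is not in the elided lines, the updated list stays uncommitted and is lost on reboot.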
  • Last modified: 2023/10/14 06:21
  • by vgaetera