User Tools

Site Tools


docs:guide-user:firewall:fw3_configurations:fw3_config_guide

fw3 Usage Guide

This section contains useful information and best-practice guides for configuring firewall3.

Use a Consistent Pattern for fw3 Rule Names

Depending on the network topology there can be a large number of fw3 rules. For maintenance and debugging it helps to have, and use, a pattern for the name option in the . This is entirely a admin memory key so use whatever pattern works well for you.

One possible pattern for rule names is: target-port-source-dest, where

  • target: the netfilter target
  • port: the IP port
  • source: generally the zone, device, or specific station originating the packet
  • dest: generally the zone, device, or specific station destination of the packet

Examples:

option name 'ACCEPT-SSH-WAN-LAN'

ACCEPT a SSH request from any device in the WAN zone of the router to any device in the LAN zone.

option name 'ACCEPT-SSH-WAN-DEVICE'

ACCEPT an SSH request from any device in the WAN zone to the router. This is only necessary if the default rule and WAN zone config rule are set to REJECT or DROP.

Enable and Disable a fw3 Rule

The enabled option is defined for each functional section and defaulted to true. To override it add option enabled '0' to a particular rule (or toggle the LuCI Network → Firewall → Traffic Rule → Enable checkbox.)

This is very useful when adding a rule and quickly enabling/disabling it.

For example, the following rule disables SSH access from a particular station on the WAN-side of the reference network to devices on the LAN-side. Note, for production, it is probably better to use a MAC address instead of the DHCP IPv4 address.

config rule option src 'wan' option dest 'lan' option proto 'tcp' option dest_port '22' option src_ip '192.168.3.171' option target 'REJECT' option name 'REJECT-SSH-WANSTA-LAN' option enabled '0'

Debugging fw3 and netfilter rules

It is important to test each firewall rule you have added. If it works, GREAT!

If it does not produce the desired result then it is almost certainly a problem with the resulting netfilter rule(s) or rule order. See Openwrt Netfilter Management for tips on debugging the problem.

Default firewall configuration for a device

When the openwrt image is first installed on the target device, it contains a “safe” /etc/config/firewall file. This is a useful file to study and potentially save for backup. Note there are a large number of rules commented out that could be uncommented for your use.

It will generally need to be modified for your needs.

The original source for the firewall configuration file is in the firewall package source as `firewall.config`. This is installed to the root file system for the image.

docs/guide-user/firewall/fw3_configurations/fw3_config_guide.txt · Last modified: 2018/09/16 12:49 by bobafetthotmail