| inbox:firewall:fw3_configurations:fw3_config_guide [2018/09/11 01:50] – [Debugging fw3 and iptable rules] dturvene | docs:guide-user:firewall:fw3_configurations:fw3_config_guide [2020/07/15 21:57] – formatting optimized vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== fw3 Usage Guide ====== | + | ====== fw3 Usage guide ====== |
| This section contains useful information and best-practice guides for | This section contains useful information and best-practice guides for | ||
| - | configuring [[inbox:firewall:firewall3: | + | configuring [[docs:guide-user:firewall: |
| - | ==== Use a Consistent Pattern for fw3 Rule Names ===== | + | ===== Rules ===== |
| - | Depending on the network topology there can be a large number of fw3 rules. | + | ==== Names ==== |
| - | For maintenance and debugging it helps to have, and use, a pattern for the | + | Depending on network topology, there can be a large number of fw3 rules. |
| - | '' | + | For maintenance, and debugging, it helps to create |
| - | well for you. | + | Use whatever pattern works well for you. |
| - | One possible pattern for rule names is: **target-port-source-dest**, | + | One possible pattern for rule names is: **target-port-source-dest**, |
| - | * target: the netfilter target | + | |
| - | * port: the IP port | + | |
| - | * source: generally | + | |
| - | * dest: generally | + | |
| Examples: | Examples: | ||
| - | '' | + | ACCEPT |
| - | ACCEPT | + | <code bash> |
| - | device in the LAN zone. | + | option name 'ACCEPT-SSH-WAN-LAN' |
| + | </ | ||
| - | '' | + | ACCEPT |
| + | This is only necessary if the default rule and WAN zone config rule are set to REJECT or DROP. | ||
| - | ACCEPT | + | <code bash> |
| - | only necessary if the default rule and WAN zone config rule are set to REJECT or DROP. | + | option name 'ACCEPT-SSH-WAN-DEVICE' |
| + | </ | ||
| - | ===== Enable | + | ==== Enable |
| - | The '' | + | The '' |
| + | To override it add '' | ||
| This is very useful when adding a rule and quickly enabling/ | This is very useful when adding a rule and quickly enabling/ | ||
| For example, the following rule disables SSH access from a particular station on the WAN-side of the | For example, the following rule disables SSH access from a particular station on the WAN-side of the | ||
| - | [[inbox: | + | [[docs: |
| + | Note, for production, it is probably better to use a MAC address instead of the DHCP IPv4 address. | ||
| - | '' | + | <code bash> |
| - | config rule | + | config rule |
| - | option src ' | + | option src ' |
| - | option dest ' | + | option dest ' |
| - | option proto ' | + | option proto ' |
| - | option dest_port ' | + | option dest_port ' |
| - | option src_ip ' | + | option src_ip ' |
| - | option target ' | + | option target ' |
| - | option name ' | + | option name ' |
| - | option enabled ' | + | option enabled ' |
| - | '' | + | </ |
| - | ===== Debugging | + | ==== Debugging ==== |
| - | It is important to test each firewall rule you have added. | + | It is important to test each firewall rule you have added. |
| + | If it works, GREAT! | ||
| - | If it does not produce the desired result then it is almost certainly a problem | + | If it does not produce the desired result then it is almost certainly a problem with the resulting |
| - | with the resulting | + | See [[docs: |
| - | [[inbox: | + | |
| - | problem. | + | |
| - | ===== Default | + | ===== Default |
| - | When the openwrt image is first installed on the target device, it contains a | + | When the openwrt image is first installed on the target device, it contains a " |
| - | " | + | This is a useful file to study and potentially save for backup. |
| - | potentially save for backup. | + | Note there are a large number of rules commented out that could be uncommented for your use. |
| - | out that could be uncommented for your use. | + | |
| It will generally need to be modified for your needs. | It will generally need to be modified for your needs. | ||
| - | The original source for the firewall configuration file is in the firewall | + | The original source for the firewall configuration file is in the firewall package source as `firewall.config`. |
| - | package source as `firewall.config`. | + | This is installed to the root file system for the image. |
| - | for the image. | + | |