Differences

This shows you the differences between two versions of the page.

inbox:firewall:fw3_configurations:fw3_config_guide [2018/09/11 01:50] – [Debugging fw3 and iptable rules] dturvene
docs:guide-user:firewall:fw3_configurations:fw3_config_guide [2020/07/16 14:27] – [Usage guide] vgaetera
Line 1: Line 1:
-====== fw3 Usage Guide ======+====== Firewall usage guide ======
 This section contains useful information and best-practice guides for This section contains useful information and best-practice guides for
-configuring [[inbox:firewall:firewall3:overview|firewall3]].+configuring [[docs:guide-user:firewall:overview|firewall3]].
  
-==== Use a Consistent Pattern for fw3 Rule Names ===== +===== Rules ===== 
-Depending on the network topology there can be a large number of fw3 rules. +==== Names ==== 
-For maintenance and debugging it helps to have, and use, pattern for the +Depending on network topologythere can be a large number of fw3 rules. 
-''name'' option in the .  This is entirely a admin memory key so use whatever pattern works +For maintenanceand debuggingit helps to create naming scheme to enter in the ''name'' option of the [[docs:guide-user:firewall:firewall_configuration|config sections]]. 
-well for you.+Use whatever pattern works well for you.
  
-One possible pattern for rule names is: **target-port-source-dest**, where +One possible pattern for rule names is: **target-port-source-dest**, where: 
-  * targetthe netfilter target +  * **target** is the netfilter target, 
-  * portthe IP port +  * **port** is the port number (see [[https://tools.ietf.org/html/rfc793#section-2.7|RFC 793, Section 2.7]]), 
-  * source: generally the zone, device, or specific station originating the packet +  * **source** is the zone, device, or specific station the packet originates from, and... 
-  * dest: generally the zone, device, or specific station destination of the packet+  * **dest** is the zone, device, or specific station the packet is destined for
  
 Examples: Examples:
  
-''option name 'ACCEPT-SSH-WAN-LAN' ''+ACCEPT SSH request from any device in the WAN zone of the router to any device in the LAN zone.
  
-ACCEPT SSH request from any device in the WAN zone of the router to any +<code bash> 
-device in the LAN zone.+option name 'ACCEPT-SSH-WAN-LAN
 +</code>
  
-''option name 'ACCEPT-SSH-WAN-DEVICE' ''+ACCEPT an SSH request from any device in the WAN zone to the router. 
 +This is only necessary if the default rule and WAN zone config rule are set to REJECT or DROP.
  
-ACCEPT an SSH request from any device in the WAN zone to the router.  This is +<code bash> 
-only necessary if the default rule and WAN zone config rule are set to REJECT or DROP.+option name 'ACCEPT-SSH-WAN-DEVICE' 
 +</code>
  
-===== Enable and Disable a fw3 Rule ===== +==== Enabling or disabling ==== 
-The ''enabled'' option is defined for each functional section and defaulted to //true// To override it add ''option enabled '0' '' to a particular rule (or toggle the LuCI //Network -> Firewall -> Traffic Rule -> **Enable**// checkbox.)+The ''enabled'' option is defined for each functional section and defaulted to //true//. 
 +To override it add ''option enabled '0''' to a particular rule (or toggle the LuCI //Network -> Firewall -> Traffic Rule -> **Enable**// checkbox.)
  
 This is very useful when adding a rule and quickly enabling/disabling it. This is very useful when adding a rule and quickly enabling/disabling it.
  
 For example, the following rule disables SSH access from a particular station on the WAN-side of the For example, the following rule disables SSH access from a particular station on the WAN-side of the
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|reference network]] to devices on the LAN-side. Note, for production, it is probably better to use a MAC address instead of the DHCP IPv4 address.+[[docs:guide-user:firewall:fw3_configurations:fw3_ref_topo|reference network]] to devices on the LAN-side. 
 +Note, for production, it is probably easier to use a MAC address instead of setting up a static DHCP lease and adding separate rules for IPv4 and IPv6.
  
-'' +<code bash> 
-config rule                                  +config rule 
-        option src 'wan'                     + option src 'wan' 
-        option dest 'lan'                    + option dest 'lan' 
-        option proto 'tcp'                   + option proto 'tcp' 
-        option dest_port '22'                + option dest_port '22' 
-        option src_ip '192.168.3.171'        + option src_ip '192.168.3.171' 
-        option target 'REJECT'               + option target 'REJECT' 
-        option name 'REJECT-SSH-WANSTA-LAN' + option name 'REJECT-SSH-WANSTA-LAN' 
-        option enabled '0'  + option enabled '0' 
-''+</code>
  
-===== Debugging fw3 and iptable rules ===== +==== Debugging ==== 
-It is important to test each firewall rule you have added.  If it works, GREAT!+It is important to test each firewall rule you have added. 
 +If it works, GREAT!
  
-If it does not produce the desired result then it is almost certainly a problem +If it does not produce the desired result then it is almost certainly a problem with the resulting netfilter rule(s) or rule order
-with the resulting iptable rule. See +See [[docs:guide-user:firewall:netfilter_iptables:netfilter_management|Openwrt Netfilter Management]] for tips on debugging the problem.
-[[inbox:firewall:netfilter_iptables:netfilter_management]] for tips on debugging the +
-problem.+
  
-===== Default firewall configuration for a device ===== +===== Default configuration ===== 
-When the openwrt image is first installed on the target device, it contains a +When the openwrt image is first installed on the target device, it contains a "safe" ''/etc/config/firewall'' file. 
-"safe" ''/etc/config/firewall'' file.  This is a useful file to study and +This is a useful file to study and potentially save for backup. 
-potentially save for backup.  Note there are a large number of rules commented +Note there are a large number of rules commented out that could be uncommented for your use.
-out that could be uncommented for your use.+
  
 It will generally need to be modified for your needs. It will generally need to be modified for your needs.
  
-The original source for the firewall configuration file is in the firewall +The original source for the firewall configuration file is in the firewall package source as `firewall.config`. 
-package source as `firewall.config`.  This is installed to the root file system +This is installed to the root file system for the image.
-for the image.+
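Review bot: the first rule-name example loses its closing quote in the new revision: the line "option name 'ACCEPT-SSH-WAN-LAN" inside the first <code bash> block should read "option name 'ACCEPT-SSH-WAN-LAN'", as the second example ("option name 'ACCEPT-SSH-WAN-DEVICE'") already does; an unterminated value is not valid UCI syntax and readers copy these blocks verbatim. In the "Enabling or disabling" section, the new inline markup ''option enabled '0''' runs the value's closing quote into the DokuWiki monospace delimiter, so it renders as "option enabled '0" followed by a stray quote; keep the space the old text had (''option enabled '0' '') or move that line into a <code> block like the other examples. Smaller points: the **source** bullet now ends in "and..." where a plain "and" is meant; the Names paragraph as shown reads "topologythere", "maintenanceand debuggingit" and "create naming scheme", so confirm the spaces and the article survived the edit; and "firewall.config" in the Default configuration section is wrapped in backticks, which DokuWiki does not render as monospace, while the rest of the page uses ''...''.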
  
  • Last modified: 2020/07/16 14:47
  • by vgaetera