Previous revision: inbox:firewall:fw3_configurations:fw3_config_guide [2018/09/11 01:50] – [Debugging fw3 and iptable rules] dturvene
Current revision: docs:guide-user:firewall:fw3_configurations:fw3_config_guide [2020/07/16 14:47] (current) – [Default configuration] vgaetera

====== Firewall usage guide ======
This section contains useful information and best-practice guides for configuring [[docs:guide-user:firewall:overview|firewall3]].

===== Rules =====
==== Names ====
Depending on network topology there can be a large number of fw3 rules.
For maintenance and debugging it helps to create a naming scheme to enter in the ''name'' option of the [[docs:guide-user:firewall:firewall_configuration|config sections]].
Use whatever pattern works well for you.

One possible pattern for rule names is **target-port-source-dest**, where:
  * **target** is the netfilter target,
  * **port** is the port number (see [[https://tools.ietf.org/html/rfc793#section-2.7|RFC 793, Section 2.7]]),
  * **source** is the zone, device, or specific station the packet originates from, and
  * **dest** is the zone, device, or specific station the packet is destined for.

Examples:

ACCEPT an SSH request from any device in the WAN zone of the router to any device in the LAN zone.

<code bash>
option name 'ACCEPT-SSH-WAN-LAN'
</code>

ACCEPT an SSH request from any device in the WAN zone to the router.
This is only necessary if the default rule and WAN zone config rule are set to REJECT or DROP.

<code bash>
option name 'ACCEPT-SSH-WAN-DEVICE'
</code>
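A naming convention is only useful if every rule actually follows it. The shell function below, added here as an example and not part of this wiki page or of fw3, checks one candidate name against the **target-port-source-dest** pattern: it splits the name on dashes, requires the target to be one of the netfilter targets this page names (ACCEPT, REJECT, DROP), and requires the port field to be either a 16-bit port number per RFC 793 or an upper-case service mnemonic such as SSH. The accepted target list and the character classes allowed for the source and dest labels are assumptions of this example; extend them to match your own scheme.

```sh
#!/bin/sh
# Added example, not code from the wiki page or from fw3: check that a rule
# name follows the target-port-source-dest convention described above.
# Assumptions of this example: the target must be one of the netfilter
# targets named on this page (ACCEPT, REJECT, DROP), the port field is either
# a 16-bit port number (RFC 793, section 2.7) or an upper-case mnemonic such
# as SSH, and source/dest are labels made of letters, digits, '_' or '.'.
# Returns 0 when NAME conforms, 1 otherwise, with the reason on stderr.
check_rule_name() {
    name=$1
    # Split on '-' into positional parameters; -f stops glob expansion.
    old_ifs=$IFS; IFS=-; set -f
    set -- $name
    set +f; IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "$name: expected 4 dash-separated fields, got $#" >&2
        return 1
    fi
    target=$1 port=$2 source=$3 dest=$4

    case $target in
        ACCEPT|REJECT|DROP) ;;
        *) echo "$name: unknown target '$target'" >&2; return 1 ;;
    esac

    case $port in
        '')
            echo "$name: empty port field" >&2; return 1 ;;
        *[!0-9]*)
            # Not numeric: accept an upper-case service mnemonic (SSH, HTTPS, DNS).
            case $port in
                *[!A-Z0-9]*)
                    echo "$name: port field '$port' must be a number or an upper-case mnemonic" >&2
                    return 1 ;;
            esac ;;
        *)
            # Numeric: must fit a 16-bit port, 1..65535 (length check avoids overflow).
            if [ ${#port} -gt 5 ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "$name: port $port is outside 1-65535" >&2; return 1
            fi ;;
    esac

    for field in "$source" "$dest"; do
        case $field in
            ''|*[!A-Za-z0-9_.]*)
                echo "$name: source/dest field '$field' must be a non-empty zone, device or station label" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Usage: check_rule_name 'ACCEPT-SSH-WAN-LAN' && echo conforms
```

Run it over the ''name'' values of an existing config (for example with ''uci show firewall | grep '\.name='' on the router) to spot rules that drifted from the scheme before they become hard to audit.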

==== Enabling or disabling ====
The ''enabled'' option is defined for each functional section and defaults to //true//.
To override it add ''option enabled '0' '' to a particular rule (or toggle the LuCI //Network -> Firewall -> Traffic Rule -> **Enable**// checkbox).

This is very useful when adding a rule and quickly enabling/disabling it.

For example, the following rule disables SSH access from a particular station on the WAN-side of the [[docs:guide-user:firewall:fw3_configurations:fw3_ref_topo|reference network]] to devices on the LAN-side.
Note, for production, it is probably easier to use a MAC address instead of setting up a static DHCP lease and adding separate rules for IPv4 and IPv6.

<code bash>
config rule
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '22'
        option src_ip '192.168.3.171'
        option target 'REJECT'
        option name 'REJECT-SSH-WANSTA-LAN'
        option enabled '0'
</code>
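Flipping ''enabled'' by hand is error-prone once there are dozens of rules, and the rule name is the natural handle for doing it by script. The functions below are an added example, not code from this wiki page or from the fw3 package: they operate on a UCI-style firewall config file with plain sh and awk so they can be exercised offline, using a constructed sample config modelled on the rule above. ''rule_enabled_state'' reports the effective value (''1'' when the option is absent, fw3's default) and ''set_rule_enabled'' rewrites the named rule, replacing an existing ''enabled'' line or appending one, and refuses to touch the file when no rule of that name exists. On a live router the equivalent change is ''uci set firewall.@rule[N].enabled='0''', ''uci commit firewall'' and ''/etc/init.d/firewall reload''.

```sh
#!/bin/sh
# Added example (not part of the OpenWrt wiki or the fw3 package): query and
# toggle the 'enabled' option of a named rule in a UCI-style firewall config
# file using only sh + awk. The sample config is constructed for this example.

# write_sample_config FILE: constructed config modelled on the rule above
# (sample data, not a real device's /etc/config/firewall).
write_sample_config() {
    cat > "$1" <<'EOF'
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '22'
        option src_ip '192.168.3.171'
        option target 'REJECT'
        option name 'REJECT-SSH-WANSTA-LAN'
        option enabled '0'

config rule
        option name 'ACCEPT-SSH-WAN-LAN'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
EOF
}

# rule_enabled_state FILE NAME: print the effective 'enabled' value of the
# rule called NAME ('1' when the option is absent, which is fw3's default).
# Returns 1 if no rule with that name exists.
rule_enabled_state() {
    awk -v name="$2" -v q="'" '
        # Strip "option <key> " and the surrounding single quotes from a line.
        function unquote(s) { sub(/^[ \t]*option[ \t]+[a-z_]+[ \t]+/, "", s); sub("^" q, "", s); sub(q "$", "", s); return s }
        /^config[ \t]/ { if (found) exit; in_rule = ($2 == "rule"); state = "" }
        in_rule && /^[ \t]*option[ \t]+name[ \t]/    { if (unquote($0) == name) found = 1 }
        in_rule && /^[ \t]*option[ \t]+enabled[ \t]/ { state = unquote($0) }
        END { if (!found) exit 1; print (state == "" ? "1" : state) }
    ' "$1"
}

# set_rule_enabled FILE NAME 0|1: rewrite FILE so the rule called NAME carries
# "option enabled 'VALUE'", replacing an existing enabled line or appending one
# at the end of the section. Returns 1 and leaves FILE untouched if NAME is
# not found; the file is rewritten in place to keep its ownership and mode.
set_rule_enabled() {
    file=$1 name=$2 value=$3
    case $value in 0|1) ;; *) echo "enabled must be 0 or 1" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    if awk -v name="$name" -v value="$value" -v q="'" '
        function unquote(s) { sub(/^[ \t]*option[ \t]+[a-z_]+[ \t]+/, "", s); sub("^" q, "", s); sub(q "$", "", s); return s }
        # Emit the buffered section; patch it only if it is the rule we want.
        function flush(   i, last, seen) {
            last = n
            while (last > 0 && buf[last] ~ /^[ \t]*$/) last--   # keep blank separators last
            for (i = 1; i <= n; i++) {
                if (matched && buf[i] ~ /^[ \t]*option[ \t]+enabled[ \t]/) {
                    buf[i] = "        option enabled " q value q; seen = 1
                }
                print buf[i]
                if (matched && i == last && !seen) print "        option enabled " q value q
            }
            if (matched) changed = 1
            n = 0; in_rule = 0; matched = 0
        }
        /^config[ \t]/ { flush(); in_rule = ($2 == "rule") }
        { buf[++n] = $0 }
        in_rule && /^[ \t]*option[ \t]+name[ \t]/ { if (unquote($0) == name) matched = 1 }
        END { flush(); exit changed ? 0 : 1 }
    ' "$file" > "$tmp"; then
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
}

# Usage: set_rule_enabled /tmp/firewall.sample REJECT-SSH-WANSTA-LAN 1
#        rule_enabled_state /tmp/firewall.sample REJECT-SSH-WANSTA-LAN
```

Because the lookup is by ''name'' rather than by section index, the script keeps working when rules are reordered, which is one more reason to give every rule a unique, patterned name as recommended above.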
  
==== Debugging ====
It is important to test each firewall rule you have added.
If it works, GREAT!

If it does not produce the desired result then it is almost certainly a problem with the resulting netfilter rule(s) or rule order.
See [[docs:guide-user:firewall:netfilter_iptables:netfilter_management|OpenWrt Netfilter Management]] for tips on debugging the problem.

===== Default configuration =====
When the OpenWrt image is first installed on the target device, it contains a "safe" ''/etc/config/firewall'' file.
This is a useful file to study and potentially save for backup.
Note there are a large number of rules commented out that could be uncommented for your use.

It will generally need to be modified for your needs.

The original source for the firewall configuration file is in the firewall package source as ''firewall.config''.
This is installed to the root file system for the image.
  
  • Last modified: 2020/07/16 14:47
  • by vgaetera