Differences

docs:guide-user:firewall:fw3_configurations:fw3_config_guide [2018/09/16 12:48] – ↷ Page moved from inbox:firewall:fw3_configurations:fw3_config_guide to docs:guide-user:firewall:fw3_configurations:fw3_config_guide bobafetthotmail
docs:guide-user:firewall:fw3_configurations:fw3_config_guide [2019/05/31 02:44] – [Names] Added references to firewall config section, and pointed to port definition opensomewrtcan
Line 1: Line 1:
 ====== fw3 Usage Guide ====== ====== fw3 Usage Guide ======
 This section contains useful information and best-practice guides for This section contains useful information and best-practice guides for
-configuring [[inbox:firewall:overview|firewall3]].+configuring [[docs:guide-user:firewall:overview|firewall3]].
  
-==== Use a Consistent Pattern for fw3 Rule Names ===== +===== Rules =====
-Depending on the network topology there can be a large number of fw3 rules. +
-For maintenance and debugging it helps to have, and use, a pattern for the +
-''name'' option in the .  This is entirely a admin memory key so use whatever pattern works +
-well for you.+
  
-One possible pattern for rule names is: **target-port-source-dest**, where +==== Names ==== 
-  * targetthe netfilter target +Depending on network topology, there can be a large number of fw3 rules. For maintenance, and debugging, it helps to create a naming scheme to enter in the ''name'' option of the [[docs:guide-user:firewall:firewall_configuration|config sections]]. Use whatever pattern works well for you. 
-  * portthe IP port + 
-  * source: generally the zone, device, or specific station originating the packet +One possible pattern for rule names is: **target-port-source-dest**, where: 
-  * dest: generally the zone, device, or specific station destination of the packet+  * **target** is the netfilter target, 
 +  * **port** is the port number (see [[https://tools.ietf.org/html/rfc793#section-2.7|RFC 793, Section 2.7]]), 
 +  * **source** is the zone, device, or specific station the packet originates from, and... 
 +  * **dest** is the zone, device, or specific station the packet is destined for
  
 Examples: Examples:
 +<WRAP lo><code bash>option name 'ACCEPT-SSH-WAN-LAN'</code></WRAP>
 +  * ACCEPT a SSH request from any device in the WAN zone of the router to any device in the LAN zone.
 +<WRAP lo><code bash>option name 'ACCEPT-SSH-WAN-DEVICE'</code></WRAP>
 +  * ACCEPT an SSH request from any device in the WAN zone to the router.
 +    * This is only necessary if the default rule and WAN zone config rule are set to REJECT or DROP.
  
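Review bot: The **port** bullet defines that slot as "the port number" (with the RFC 793 link), but both examples that follow put the service name ''SSH'' in that slot, so the scheme as written contradicts its own examples; either define the slot as "port number or service name" or change the examples to ''22''. RFC 793 also only defines TCP ports, while fw3 rules carry a ''proto'' option and port numbers apply to UDP as well, so a protocol-neutral wording would fit better. In the second example the destination is named ''DEVICE'' while the prose says "to the router"; state that ''DEVICE'' means the router itself so a reader can apply the pattern consistently, and the trailing "and..." on the **source** bullet reads as an unfinished sentence.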
-''option name 'ACCEPT-SSH-WAN-LAN' '' +==== Enable Disable ==== 
- +The <wrap lo>''enabled''</wrap> option is defined for each functional section and defaulted to //true// To override it add <wrap lo>''option enabled '0'''</wrap> to a particular rule (or toggle the LuCI //Network -> Firewall -> Traffic Rule -> **Enable**// checkbox.)
-ACCEPT a SSH request from any device in the WAN zone of the router to any +
-device in the LAN zone. +
- +
-''option name 'ACCEPT-SSH-WAN-DEVICE' '' +
- +
-ACCEPT an SSH request from any device in the WAN zone to the router.  This is +
-only necessary if the default rule and WAN zone config rule are set to REJECT or DROP. +
- +
-===== Enable and Disable a fw3 Rule ===== +
-The ''enabled'' option is defined for each functional section and defaulted to //true// To override it add ''option enabled '0' '' to a particular rule (or toggle the LuCI //Network -> Firewall -> Traffic Rule -> **Enable**// checkbox.)+
  
 This is very useful when adding a rule and quickly enabling/disabling it. This is very useful when adding a rule and quickly enabling/disabling it.
  
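Review bot: The inline markup ''option enabled '0''' in the Enable Disable paragraph ends the quoted value and the ''&apos;&apos;'' monospace span with three consecutive apostrophes, which DokuWiki is likely to parse wrongly; the previous revision kept a space before the closing ''&apos;&apos;'' for exactly this reason, so restore the space or move the snippet into a ''<code>'' block as done for the examples above. The sentence "defaulted to //true// To override it" is also missing its full stop, and the new heading "Enable Disable" would read better as "Enable / Disable" or the previous "Enable and Disable a fw3 Rule".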
 For example, the following rule disables SSH access from a particular station on the WAN-side of the For example, the following rule disables SSH access from a particular station on the WAN-side of the
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|reference network]] to devices on the LAN-side. Note, for production, it is probably better to use a MAC address instead of the DHCP IPv4 address.+[[docs:guide-user:firewall:fw3_configurations:fw3_ref_topo|reference network]] to devices on the LAN-side. Note, for production, it is probably better to use a MAC address instead of the DHCP IPv4 address.
  
-''+<WRAP lo><code bash>
 config rule                                  config rule                                 
-        option src 'wan'                     +    option  src         'wan'                     
-        option dest 'lan'                    +    option  dest        'lan'                    
-        option proto 'tcp'                   +    option  proto       'tcp'                   
-        option dest_port '22'                +    option  dest_port   '22'                
-        option src_ip '192.168.3.171'        +    option  src_ip      '192.168.3.171'        
-        option target 'REJECT'               +    option  target      'REJECT'               
-        option name 'REJECT-SSH-WANSTA-LAN' +    option  name        'REJECT-SSH-WANSTA-LAN' 
-        option enabled '0'  +    option  enabled     '0' 
-''+</code></WRAP>
  
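Review bot: The rule in the code block carries ''option enabled '0''', so as shown it has no effect, yet the sentence above says it "disables SSH access from a particular station"; that is only true once ''enabled'' is set to ''1'' or the line is removed, so say explicitly that the rule is shown in its disabled state to illustrate the toggle. Two points the surrounding text should also make: a per-station REJECT only changes anything if a broader ACCEPT-SSH-WAN-LAN rule exists, and it must appear before that ACCEPT in ''/etc/config/firewall'', since fw3 applies rules in config order (the Debugging section below already names rule order as the usual cause of surprises); and for the MAC-based variant the note recommends for production, the ''src_mac'' rule option (not shown on this page) replaces ''src_ip''.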
-===== Debugging fw3 and netfilter rules =====+==== Debugging ====
 It is important to test each firewall rule you have added.  If it works, GREAT! It is important to test each firewall rule you have added.  If it works, GREAT!
  
 If it does not produce the desired result then it is almost certainly a problem If it does not produce the desired result then it is almost certainly a problem
 with the resulting netfilter rule(s) or rule order. See with the resulting netfilter rule(s) or rule order. See
-[[inbox:firewall:netfilter_iptables:netfilter_management|Openwrt Netfilter Management]] +[[docs:guide-user:firewall:netfilter_iptables:netfilter_management|Openwrt Netfilter Management]] 
 for tips on debugging the problem. for tips on debugging the problem.
  
-===== Default firewall configuration for a device =====+===== Default Configuration =====
 When the openwrt image is first installed on the target device, it contains a When the openwrt image is first installed on the target device, it contains a
 "safe" ''/etc/config/firewall'' file.  This is a useful file to study and "safe" ''/etc/config/firewall'' file.  This is a useful file to study and
  • Last modified: 2020/07/16 14:47
  • by vgaetera