Differences


doc:uci:firewall [2012/09/13 08:53]
kenyon /etc/services names are allowed too
doc:uci:firewall [2014/11/18 17:55] (current)
jow rename ipv6 port forwarding, it's technically incorrect
Line 2: Line 2:
The firewall configuration located in **''/etc/config/firewall''**. The firewall configuration located in **''/etc/config/firewall''**.
-===== Requirements ===== +===== Overview ===== 
- * **''firewall''** and its dependencies (//pre-installed//) +OpenWrt relies on [[doc:howto:netfilter]] for packet filtering, NAT and mangling. The UCI Firewall provides a configuration interface that abstracts from the **iptables** system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed.
-    * **''iptables''** (//pre-installed//) +
-    * **''iptables-mod-conntrack''** (//pre-installed//) +
-    * **''iptables-mod-nat''** (//pre-installed//) +
-    * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter]]+
- +
-  - The whole UCI firewall is not required. It exists to make your life simpler. This wiki page is being written and kept up-to-date for //you//, to help //you// configure the UCI firewall as quickly and as easily as possible. We refer to it throughout the wiki. +
-  - There is no [[doc:howto:LuCI]]-firewall, it is simply a module to configure ''/etc/config/firewall'' from the WebUI. +
-  - the UCI firewall is a set of scripts based on [[doc:howto:netfilter]]. +
-  - You can find the firewall package here: ''[[https://dev.openwrt.org/browser/trunk/package/firewall|firewall]]''. +
- +
- +
-The UCI firewall configuration consists of several //zones// covering one or more //interfaces//. +
-Allowed traffic flow between the zones is controlled by //forwardings//. +
-Each zone may include multiple //rules// and //redirects//. +
 +UCI Firewall maps two or more //Interfaces// together into //Zones// that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two. In the config file, default rules come //first// but they are the last to take effect. The netfilter system is a chained processing filter where packets pass through various rules. The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT. Such an outcome is final, therefore the default rules take effect last, and the most specific rule takes effect first. Zones are also used to configure //masquerading// also known as NAT (network-address-translation) as well as port forwarding rules, which are more generally known as redirects.
 +Zones must always be mapped onto one or more Interfaces which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup.
 +===== Requirements =====
 +  * **''firewall''** (or  **''firewall3''**) and its dependencies (//pre-installed//)
 +    * **''iptables''** (//pre-installed//)
 +    * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter#OPKG Netfilter Packages]].
===== Sections ===== ===== Sections =====
Below is an overview of the section types that may be defined in the firewall configuration. Below is an overview of the section types that may be defined in the firewall configuration.
-A minimal firewall configuration for a router usually consists of one //defaults// section, at least two //zones// (''lan'' and ''wan'') and one //forwarding// to allow traffic from ''lan'' to ''wan''.+A minimal firewall configuration for a router usually consists of one //defaults// section, at least two //zones// (''lan'' and ''wan'') and one //forwarding// to allow traffic from ''lan'' to ''wan''. (The forwarding section is not strictly required when there are no more than two zones as the rule can then be set as the 'global default' for that zone.) 
==== Defaults ==== ==== Defaults ====
The ''defaults'' section declares global firewall settings which do not belong to specific zones. The ''defaults'' section declares global firewall settings which do not belong to specific zones.
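Review bot: The first added Overview paragraph says UCI Firewall "maps two or more //Interfaces// together into //Zones//", while the very next paragraph and the unchanged Zones text say a zone groups "one or more" interfaces; the single-interface zone is the normal case (the minimal ''lan''/''wan'' setup described under Sections has one interface per zone), so "two or more" should read "one or more". The same paragraph states that "zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively", which this revision contradicts further down by adding a ''subnet'' zone option described as "List of IP subnets attached to this zone"; either restrict the sentence to the firewall version it applies to or drop it. Minor: the new Requirements list silently drops ''iptables-mod-conntrack'' and ''iptables-mod-nat'' from the old one; if they are now pulled in as dependencies, a half sentence saying so would help readers of older builds, and "on his own" reads better as "of their own".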
Line 31: Line 23:
^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
-| ''syn_flood'' | boolean | no | ''1'' | Enable [[wp>SYN flood]] protection | +| ''input'' | string | no | ''REJECT'' | Set policy for the ''INPUT'' chain of the ''filter'' table. | 
-| ''drop_invalid'' | boolean | no | ''1'' | Drop packets not matching any active connection +| ''output'' | string | no | ''REJECT'' | Set policy for the ''OUTPUT'' chain of the ''filter'' table. | 
-| ''disable_ipv6'' | boolean | no | ''0'' | Disable IPv6 firewall rules +| ''forward'' | string | no | ''REJECT'' | Set policy for the ''FORWARD'' chain of the ''filter'' table.  | 
-| ''input'' | string | no | ''DROP'' | Set policy for the ''INPUT'' chain of the filter table (Available: ''ACCEPT'', ''REJECT'', ''DROP'') +| ''drop_invalid'' | boolean | no | ''0'' | Drop invalid packets (e.g. not matching any active connection). | 
-| ''forward'' | string | no | ''DROP'' | Set policy for the ''FORWARD'' chain of the filter table (Available: ''ACCEPT'', ''REJECT'', ''DROP'') +| ''syn_flood'' | boolean | no | ''0'' | Enable [[wp>SYN flood]] protection (obsoleted by ''synflood_protect'' setting).
-| ''output'' | string | no | ''DROP'' | Set policy for the ''OUTPUT'' chain of the filter table (Available: ''ACCEPT'', ''REJECT'', ''DROP'') |+| ''synflood_protect'' | boolean | no | ''0'' | Enable [[wp>SYN flood]] protection.
 +| ''synflood_rate'' | string | no | ''25'' | Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
 +| ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. | 
 +| ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. | 
 +| ''tcp_ecn'' | boolean | no | ''0''
 +| ''tcp_westwood'' | boolean | no | ''0'' |
 +| ''tcp_window_scaling'' | boolean | no | ''1'' | Enable TCP window scaling. | 
 +| ''accept_redirects'' | boolean | no | ''0'' |
 +| ''accept_source_route'' | boolean | no | ''0'' |
 +| ''custom_chains'' | boolean | no | ''1'' |  | 
 +| ''disable_ipv6'' | boolean | no | ''0'' | Disable IPv6 firewall rules. |
==== Zones ==== ==== Zones ====
-A ''zone'' section groups one or more //interfaces// and serves as a //source// or //destination// for //forwardings//, //rules// and //redirects//. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis.+A ''zone'' section groups one or more //interfaces// and serves as a //source// or //destination// for //forwardings//, //rules// and //redirects//. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis. Note that masquerading is defined on the //outgoing// interface. 
 + 
 +  * INPUT rules for a zone describe what happens to traffic trying to reach the router itself through that interface. 
 +  * OUTPUT rules for a zone describe what happens to traffic originating from the router itself. 
 +  * FORWARD rules for a zone describe what happens to traffic coming from that zone and passing to another zone.
The options below are defined within ''zone'' sections: The options below are defined within ''zone'' sections:
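Review bot: Several rows of the rewritten Defaults table are incomplete: ''tcp_ecn'' has no description cell and no closing ''|'', ''tcp_westwood'', ''accept_redirects'', ''accept_source_route'' and ''custom_chains'' have empty descriptions, and the ''syn_flood'' and ''synflood_protect'' rows lack their closing ''|''. A reader hardening a router will look these options up, so each row needs at least a one-line description of the kind the ''tcp_window_scaling'' row has. The defaults also change without comment: ''syn_flood'' and ''drop_invalid'' go from ''1'' to ''0'' and the ''INPUT''/''OUTPUT''/''FORWARD'' policies from ''DROP'' to ''REJECT''; state which firewall version these are the defaults for, so that the diff is not read as advice to relax an existing configuration, and keep the "(Available: ''ACCEPT'', ''REJECT'', ''DROP'')" value list that the old policy rows carried.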
Line 46: Line 52:
^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''name'' | zone name | yes | //(none)// | Unique zone name | | ''name'' | zone name | yes | //(none)// | Unique zone name |
-| ''network'' | list | no | //(none)// | List of //[[doc:uci:network#interfaces|interfaces]]// attached to this zone. If omitted, the value of ''name'' is used by default |+| ''network'' | list | no | //(none)// | List of //[[doc:uci:network#interfaces|interfaces]]// attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of ''name'' is used by default |
| ''masq'' | boolean | no | ''0'' | Specifies whether //outgoing// zone traffic should be masqueraded - this is typically enabled on the //wan// zone | | ''masq'' | boolean | no | ''0'' | Specifies whether //outgoing// zone traffic should be masqueraded - this is typically enabled on the //wan// zone |
| ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
| ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
-| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |+| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#notes.on.connection.tracking|Note on connection tracking]]) |
| ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic | | ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic |
| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic | | ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic |
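Review bot: The new ''network'' description "If omitted and neither extra* options, subnets or devices are given" is ungrammatical and does not use the option names introduced below it; suggest "If omitted, and none of the ''extra*'', ''subnet'' or ''device'' options are given, the value of ''name'' is used by default". The ''conntrack'' row now links to ''#notes.on.connection.tracking'' instead of ''#note.on.connection.tracking.notrack''; make sure a heading with exactly that anchor exists in the new revision, otherwise the link will dangle.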
Line 58: Line 64:
| ''log'' | boolean | no | ''0'' | Create log rules for rejected and dropped traffic in this zone. | | ''log'' | boolean | no | ''0'' | Create log rules for rejected and dropped traffic in this zone. |
| ''log_limit'' | string | no | ''10/minute'' | Limits the amount of log messages per interval. | | ''log_limit'' | string | no | ''10/minute'' | Limits the amount of log messages per interval. |
 +| ''device'' | list | no | //(none)// | List of raw network device names attached to this zone, e.g. ''ppp+'' to match any PPP interface. \\ :!: Only supported by the Firewall v2, version 58 and above |
 +| ''subnet'' | list | no | //(none)// | List of IP subnets attached to this zone. \\ :!: Only supported by the Firewall v2, version 58 and above |
 +| ''extra'' | string | no | //(none)// | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therfore direction-specific options like ''--dport'' should not be used here - in this case the ''extra_src'' and ''extra_dest'' options should be used instead. \\ :!: Only supported by the Firewall v2, version 58 and above |
 +| ''extra_src'' | string | no | //Value of ''extra''// | Extra arguments passed directly to iptables for source classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above |
 +| ''extra_dest'' | string | no | //Value of ''extra''// | Extra arguments passed directly to iptables for destination classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above |
 +
==== Forwardings ==== ==== Forwardings ====
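Review bot: Typo in the ''extra'' row: "therfore" should be "therefore". The footnote ":!: Only supported by the Firewall v2, version 58 and above" is repeated verbatim in all five new rows (''device'', ''subnet'', ''extra'', ''extra_src'', ''extra_dest''); one note above the table, or a version column, would be easier to keep correct. Since ''extra'', ''extra_src'' and ''extra_dest'' are passed straight to iptables, the description should also say what happens on a malformed value (rejected at reload, or passed through), not only that direction-specific matches such as ''--dport'' belong in ''extra_src''/''extra_dest''.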
Line 78: Line 90:
//Redirects are also commonly known as "port forwarding", and "virtual servers".// //Redirects are also commonly known as "port forwarding", and "virtual servers".//
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
The options below are valid for //redirects//: The options below are valid for //redirects//:
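Review bot: The added sentence "Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax." has a double space before "This" and is duplicated word for word under Rules in this same revision; it would be clearer in one place, stating plainly that this is the iptables port-range syntax and whether both ends are inclusive, since the ''src_dport'' and ''dest_port'' rows only say "port or range" without defining the format.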
Line 89: Line 103:
| ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT// rewrite the //source ports// to the given value. | | ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT// rewrite the //source ports// to the given value. |
| ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// | | ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// |
-| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//, must refer to one of the defined //zone names//. |+| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//. For ''DNAT'' target on Attitude Adjustment, NAT reflection works only if this is equal to ''lan''. |
| ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. | | ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. |
| ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. | | ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. |
 +| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark |
 +| ''mark'' | string | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. |
 +| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). |
 +| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |
 +| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). |
 +| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). |
 +| ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. |
 +| ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. |
 +| ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. |
| ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule | | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''reflection'' | boolean | no | ''1'' | Disables NAT reflection for this redirect if set to ''0'' - applicable to ''DNAT'' targets. | +| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | 
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | 
 +| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/second'', ''3/sec'' or ''3/s''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
 +
 +:!: On Attitude Adjustment, for NAT reflection to work, you **must** specify ''option dest lan'' in the ''redirect'' section (even though we're using a ''DNAT'' target).
 +
==== Rules ==== ==== Rules ====
-Sections of the type ''rule'' can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts. Like //redirects// the rules are tied to the given //source zone// and match incoming traffic occuring there.+Sections of the type ''rule'' can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts. 
 + 
 +Up to Firewall v2, version 57 and below the rules behave like //redirects// and are tied to the given //source zone// and match incoming traffic occuring there
 + 
 +In later versions the rules are defined as follows: 
 +  * If ''src'' and ''dest'' are given, the rule matches //forwarded// traffic 
 +  * If only ''src'' is given, the rule matches //incoming// traffic 
 +  * If only ''dest'' is given, the rule matches //outgoing// traffic 
 +  * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule 
 + 
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
Valid options for this section are: Valid options for this section are:
^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
-| ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//. |+| ''src'' | zone name | yes (:!: optional since Firewall v2, version 58 and above) | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//, or * for any zone. |
| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// | | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
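Review bot: Typos in the new rows and text: "specifed" in the ''start_date'' row, "30rd" in the ''monthdays'' row (should be "30th"), "occuring" in the Rules paragraph, and a curly apostrophe in "interface’s" in the ''reflection_src'' row. The inverted-list phrasing "to always match but on saturdays and sundays" reads oddly; suggest "to match on every day except Saturday and Sunday" (same for "! 31"). The ":!: On Attitude Adjustment ... you **must** specify ''option dest lan''" note below the table repeats what the new ''dest'' row already says, while that row's Required column still reads "yes for ''SNAT'' target"; put the Attitude Adjustment requirement into the Required column so the two statements cannot drift apart. In the Rules text, the sentence ending "match incoming traffic occuring there" is missing its full stop, and the four-bullet list of how ''src''/''dest'' select the traffic direction should name the version it applies from ("In later versions" is vague when the ''src'' row below says "version 58 and above").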
Line 111: Line 148:
| ''proto'' | protocol name or number | no | ''tcpudp'' | Match incoming traffic using the given //protocol//. Can be one of ''tcp'', ''udp'', ''tcpudp'', ''udplite'', ''icmp'', ''esp'', ''ah'', ''sctp'', or ''all'' or it can be a numeric value, representing one of these protocols or a different one. A protocol name from ''/etc/protocols'' is also allowed. The number 0 is equivalent to ''all''. | | ''proto'' | protocol name or number | no | ''tcpudp'' | Match incoming traffic using the given //protocol//. Can be one of ''tcp'', ''udp'', ''tcpudp'', ''udplite'', ''icmp'', ''esp'', ''ah'', ''sctp'', or ''all'' or it can be a numeric value, representing one of these protocols or a different one. A protocol name from ''/etc/protocols'' is also allowed. The number 0 is equivalent to ''all''. |
| ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//, or * for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. | | ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//, or * for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. |
-| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address// | +| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address//. With no dest zone, this is treated as an input rule!
-| ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. A service name from ''/etc/services'' is also allowed. | +| ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified.
-| ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'') for matched traffic |+| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark | 
 +| ''mark'' | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. | 
 +| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | 
 +| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). | 
 +| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). | 
 +| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). | 
 +| ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. | 
 +| ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. | 
 +| ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | 
 +| ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'', ''MARK'', ''NOTRACK'') for matched traffic
 +| ''set_mark'' | mark/mask | yes for target ''MARK'' | //(none)// | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | 
 +| ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
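Review bot: The unchanged ''dest'' row still says "If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule", which now contradicts the direction rules added just above it: a rule with only ''dest'' matches //outgoing// traffic, and a rule with neither ''src'' nor ''dest'' also defaults to outgoing. Update that row in the same revision, otherwise a reader writing a ''dest''-only rule will expect a FORWARD rule and get an OUTPUT rule. The ''dest_port'' row also drops "A service name from ''/etc/services'' is also allowed", which the previous revision deliberately added; if service names are no longer accepted, say so rather than removing the sentence silently. The ''dest_ip'', ''dest_port'' and ''target'' rows are missing their closing ''|'', and "treated as an input rule!" would read better without the exclamation mark.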
Line 126: Line 174:
^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
 +| ''enabled'' | boolean | no | ''1'' | Allows to disable the corresponding include without having to delete the section |
 +| ''type'' | string | no | ''script'' | Specifies the type of the include, can be ''script'' for traditional shell script includes or ''restore'' for plain files in //iptables-restore// format |
| ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts | | ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts |
 +| ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the include is called |
 +| ''reload'' | boolean | no | ''0'' | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains |
 +
 +Includes of type ''script'' may contain arbitary commands, for example advanced iptables rules or tc commands required for traffic shaping.
 +
 +:!: Since custom iptables rules are meant to be more specific than the generic ones, you must make sure to use ''-I'' (insert) instead of ''-A'' (append) so that the rules appear **before** the default rules.
 +
 +
 +==== IP Sets ====
 +
 +The UCI firewall version 3 supports referencing or creating [[http://ipset.netfilter.org/|ipsets]] to simplify matching of
 +huge address or port lists without the need for creating one rule per item to match,
 +
 +The following options are defined for //ipsets//:
 +
 +^ Name ^ Type ^ Required ^ Default ^ Description ^
 +| ''enabled'' | boolean | no | ''1'' | Allows to disable the declaration fo the ipset without the need to delete the section. |
 +| ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. |
 +| ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. |
 +| ''family'' | string | no | ''ipv4'' | Protocol family (''ipv4'' or ''ipv6'') to create ipset for. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. |
 +| ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). |
 +| ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. |
 +| ''iprange'' | IP range | yes for storage type ''bitmap'' with datatype ''ip'' | //(none)// | Specifies the IP range to cover, see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''hash'' storage type. |
 +| ''portrange'' | Port range | yes for storage type ''bitmap'' with datatype ''port'' | //(none)// | Specifies the port range to cover, see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''hash'' storage type. |
 +| ''netmask'' | integer | no | ''32'' | If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between ''1'' and ''32'', see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''bitmap'' storage type with match ''ip'' or the ''hash'' storage type with match ''ip''. |
 +| ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set, only applicable to the ''hash'' and ''list'' storage types. |
 +| ''hashsize'' | integer | no | ''1024'' | Specifies the initial hash size of the set, only applicable to the ''hash'' storage type. |
 +| ''timeout'' | integer | no | ''0'' | Specifies the default timeout for entries added to the set. A value of ''0'' means no timeout. |
 +
 +=== Possible Storage / Match Combinations ===
-Included scripts may contain arbitary commands, for example advanced iptables rules or tc commands required for traffic shaping.+The table below outlines the possible combinations of storage methods and matched datatypes as well as the usable IP address family. 
 +The order of the datatype matches is significant.
-:!: When writing custom iptables rules remember to use ''-I'' (insert) instead of ''-A'' (append) to ensure that the created rules **appear before** the generic ones.+^ Family ^ Storage ^ Match ^ Notes ^ 
 +| ''ipv4'' | ''bitmap'' | ''ip'' | Requries ''iprange'' option | 
 +| ''ipv4'' | ''bitmap'' | ''ip mac'' | Requires ''iprange'' option | 
 +| ''ipv4'' | ''bitmap'' | ''port'' | Requires ''portrange'' option | 
 +| //any// | ''hash'' | ''ip'' | -
 +| //any// | ''hash'' | ''net'' | -
 +| //any// | ''hash'' | ''ip port'' | - | 
 +| //any// | ''hash'' | ''net port'' | - | 
 +| //any// | ''hash'' | ''ip port ip'' | - | 
 +| //any// | ''hash'' | ''ip port net'' | - | 
 +| - | ''list'' | ''set'' | Meta type to create a set-of-sets |
===== IPv6 notes ===== ===== IPv6 notes =====
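Review bot: The ''iprange'' and ''portrange'' rows contradict themselves: the Required column says "yes for storage type ''bitmap''" while each description ends with "Only applicable to the ''hash'' storage type", and the combination table below confirms it is the ''bitmap'' storage that "Requires ''iprange'' option" or "Requires ''portrange'' option"; change both descriptions to "Only applicable to the ''bitmap'' storage type". Typos: "arbitary" in the includes paragraph, "fo" in the ipset ''enabled'' row, "Requries" in the first combination row, and the ipset intro sentence "to simplify matching of huge address or port lists without the need for creating one rule per item to match," ends with a comma instead of a full stop. "Allows to disable" (used for both ''enabled'' rows) should be "Allows disabling". The ''-I'' versus ''-A'' warning is the important point of the includes section and is good as written; it would help to say whether it also applies to includes of the new ''restore'' type, which the ''type'' row introduces without saying how such files are merged with the generated rules.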
Line 174: Line 265:
This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10: This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:
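Review bot: minor style point in the intro line under the renamed heading: "http (but not HTTPS)" mixes lower and upper case for the two protocol names; suggest "HTTP (but not HTTPS)". Since the heading now says "for IPv4", the sentence could also mention that the webserver address 192.168.1.10 is the IPv4 case, with the IPv6 variant covered in the new section below.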
Line 183: Line 274:
        option src_dport 80         option src_dport 80
        option proto    tcp         option proto    tcp
 +        option dest      lan
        option dest_ip  192.168.1.10         option dest_ip  192.168.1.10
</code> </code>
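Review bot: the added ''option dest      lan'' is aligned differently from ''option src_dport 80'' and ''option dest_ip  192.168.1.10'' around it; align the value column so the block reads like the other examples. The addition itself is an improvement: the rewritten SSH redirect further down now also sets ''dest lan'', so the two port forwarding examples are consistent with each other.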
Line 189: Line 281:
<code> <code>
-config 'redirect' +config redirect 
-        option 'name' 'ssh' +        option src      wan 
-        option 'src' 'wan' +        option src_dport 5555 
-        option 'proto' 'tcpudp' +        option proto     tcp 
-        option 'src_dport' '5555' +        option dest      lan 
-        option 'dest_ip' '192.168.1.100' +        option dest_ip   192.168.1.100 
-        option 'dest_port' '22+        option dest_port 22
-        option 'target' 'DNAT' +
-        option 'dest' 'lan'+
</code> </code>
 +
 +==== Allow IPv6 access from internet ====
 +
 +To open port 80 so that a local webserver at ''2001:db8:42::1337'' can be reached from the Internet:
 +
 +<code>
 +config rule
 +        option src      wan
 +        option proto    tcp
 +        option dest      lan
 +        option dest_ip  2001:db8:42::1337
 +        option dest_port 80
 +        option family    ipv6
 +        option target    ACCEPT
 +</code>
 +
 +To open SSH access to all IPv6 hosts in the local network:
 +
 +<code>
 +config rule
 +        option src      wan
 +        option proto    tcp
 +        option dest      lan
 +        option dest_port 22
 +        option family    ipv6
 +        option target    ACCEPT
 +</code>
 +
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network:
 +
 +<code>
 +config rule
 +        option src      wan
 +        option proto    tcpudp
 +        option dest      lan
 +        option dest_port 1024:65535
 +        option family    ipv6
 +        option target    ACCEPT
 +</code>
 +
==== Source NAT (SNAT) ==== ==== Source NAT (SNAT) ====
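Review bot: the third IPv6 example ("open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network") accepts traffic from ''wan'' to every host in ''lan'' on every port from 1024 to 65535 with no ''dest_ip'' restriction; the text should say plainly that this exposes every high port on every LAN host and that the preceding forms with a ''dest_ip'' or a single ''dest_port'' are the ones to copy unless that exposure is intended. Also "all TCP/UDP port" should read "all TCP/UDP ports". In the rewritten SSH redirect, dropping the ''name'' option (previously ''ssh'') removed the only hint of what the rule is for; keeping ''option name ssh'' in the new unquoted style costs nothing. The change from ''tcpudp'' to ''tcp'' is correct, since SSH is TCP-only, and dropping the explicit DNAT target is fine as long as the prose says it is the default for a redirect.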
Line 267: Line 397:
        option src_ip          192.168.1.27         option src_ip          192.168.1.27
        option extra            '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00'         option extra            '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00'
 +        option target          REJECT
 +</code>
 +
 +Using firewall v3 and later the example becomes:
 +
 +<code>
 +config rule
 +        option src              lan
 +        option dest            wan
 +        option src_ip          192.168.1.27
 +        option start_time      21:00
 +        option stop_time        09:00
 +        option weekdays        'mon tue wed thu fri'
        option target          REJECT         option target          REJECT
</code> </code>
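Review bot: the new variant is introduced with "Using firewall v3 and later the example becomes:", but the ''-m time'' form above it is never labelled as the firewall v2 form, so a reader cannot tell which block applies to their version; suggest adding "(firewall v2)" to the first example's introduction. Both forms express the same window, 21:00 to 09:00 on Monday to Friday, so the two examples stay consistent. The value columns (''option dest            wan'', ''option stop_time        09:00'') are irregularly aligned; align them as in the other blocks.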
Line 281: Line 424:
        option target          REJECT</code>         option target          REJECT</code>
 +==== Simple output rule ====
 +
 +The example below creates an //output// rule which prevents the router from pinging the address ''8.8.8.8''.
 +
 +:!: Only supported by the Firewall v2, version 58 and above
 +
 +<code>config rule
 +        option dest            wan
 +        option dest_ip          8.8.8.8
 +        option proto            icmp
 +        option target          REJECT</code>
==== Transparent proxy rule (same host) ==== ==== Transparent proxy rule (same host) ====
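Review bot: the fenced block in "Simple output rule" puts ''<code>'' on the same line as ''config rule'' and ''</code>'' on the line of the last option, unlike the other new examples on this page, which keep the tags on their own lines; use the same layout for consistency. The text says the rule prevents the router from "pinging" 8.8.8.8, but ''option proto icmp'' rejects every ICMP type sent to that address, not only echo requests; either say "sending any ICMP to" or narrow the rule to the echo request type.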
Line 290: Line 444:
option proto            tcp option proto            tcp
option src_dport        80 option src_dport        80
- option dest_port        3128</code>+ option dest_port        3128 
 + option dest_ip          192.168.1.1</code>
==== Transparent proxy rule (external) ==== ==== Transparent proxy rule (external) ====
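Review bot: the added ''option dest_ip 192.168.1.1'' pins the same-host redirect to one router address, but the surrounding text does not say so; add a sentence that 192.168.1.1 must be replaced with the router's own LAN address, otherwise the redirect sends the intercepted traffic to the wrong host. The line also inherits the single-space indentation of its neighbours (''option src_dport        80'') instead of the eight-space indentation used by the other examples; worth fixing while this block is being edited.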
Line 355: Line 510:
        option target          ACCEPT         option target          ACCEPT
</code> </code>
 +
 +==== Zone declaration for non-UCI interfaces ====
 +
 +This example declares a zone which maches any Linux network device whose name begins with "ppp".
 +
 +:!: Only supported by the Firewall v2, version 58 and above
 +
 +<code>
 +config zone
 +        option name            example
 +        option input            ACCEPT
 +        option output          ACCEPT
 +        option forward          REJECT
 +        option device          'ppp+'
 +</code>
 +
 +==== Zone declaration for a specific subnet and protocol ====
 +
 +This example declares a zone which maches any TCP stream in the ''10.21.0.0/16'' subnet.
 +
 +:!: Only supported by the Firewall v2, version 58 and above
 +
 +<code>
 +config zone
 +        option name            example
 +        option input            ACCEPT
 +        option output          ACCEPT
 +        option forward          REJECT
 +        option subnet          '10.21.0.0/16'
 +        option extra            '-p tcp'
 +</code>
 +
 +
 +==== Zone declaration for a specific protocol and port ====
 +
 +This example declares a zone which maches any TCP stream from and to port ''22''.
 +
 +:!: Only supported by the Firewall v2, version 58 and above
 +
 +<code>
 +config zone
 +        option name            example
 +        option input            ACCEPT
 +        option output          ACCEPT
 +        option forward          REJECT
 +        option extra_src        '-p tcp --sport 22'
 +        option extra_dest      '-p tcp --dport 22'
 +</code>
 +
==== Forwarding IPv6 tunnel traffic === ==== Forwarding IPv6 tunnel traffic ===
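Review bot: all three zone examples set ''option input            ACCEPT'' and ''option output          ACCEPT''; the first one matches every device named ''ppp+'', which on a router is usually an upstream link, so a reader who copies it verbatim gets a zone that accepts all incoming traffic to the router from that link. The text should state that the ACCEPT policies are placeholders and that an Internet-facing zone should use ''REJECT'' (or ''DROP'') for ''input''. Also "maches" should be "matches" in all three intro sentences, all three zones share ''option name example'' (the names must differ if more than one is used in the same file), and the ":!: Only supported by the Firewall v2, version 58 and above" line is repeated three times where one note before the first example would do.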
Line 386: Line 590:
option dest lan option dest lan
option src wan6 option src wan6
 +#you don't need the below as you can a firewall rule to open the port that you need
config forwarding config forwarding
option dest wan6 option dest wan6
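Review bot: the added comment "#you don't need the below as you can a firewall rule to open the port that you need" is missing a verb ("you can use a firewall rule") and sits between two forwarding sections, so it is ambiguous which one "the below" refers to. Reword it to name the section it means, or take the unneeded section out of the example and explain in the prose that a single ''config rule'' opening the required port is enough; a ''config forwarding'' between ''wan6'' and ''lan'' passes all traffic between the two zones, which is the opposite of what the comment recommends.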
Line 415: Line 619:
Note that ''disable'' does not flush the rules, so it might be required to issue a ''stop'' before. Note that ''disable'' does not flush the rules, so it might be required to issue a ''stop'' before.
Use ''enable'' to activate the firewall again. Use ''enable'' to activate the firewall again.
 +
 +==== Temporarily disable firewall ====
 +
 +Run ''/etc/init.d/firewall stop'' to flush all rules and set the policies to ACCEPT.
 +To restart the firewall, run ''/etc/init.d/firewall start''.
 +
===== Hotplug hooks (8.09.2+) ===== ===== Hotplug hooks (8.09.2+) =====
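Review bot: the new "Temporarily disable firewall" subsection should say what state the router is in while stopped: ''/etc/init.d/firewall stop'' sets the policies to ACCEPT, so until ''/etc/init.d/firewall start'' is run every interface, including the WAN side, accepts all traffic. It also largely repeats the note just above it that ''stop'' flushes the rules; consider merging the two so ''stop'', ''disable'', ''enable'' and ''start'' are explained in one place.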
Line 437: Line 647:
When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue. When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
 +
 +Also there is an interesting article which that claims dropping connections doesnt make you any safer - [[http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject|Drop versus Reject]].
**DROP** **DROP**
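Review bot: grammar in the added sentence: "an interesting article which that claims dropping connections doesnt make you any safer" should read "an interesting article that claims dropping connections doesn't make you any safer". Since the page's own DROP versus REJECT comparison follows directly below, the link would read better placed after that comparison as a closing reference rather than before the **DROP** entry.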
Line 450: Line 662:
-===== Note on connection tracking (NOTRACK) =====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ====
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target.
Line 458: Line 672:
If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''. If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html . For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://dev.openwrt.org/changeset/42048/trunk/package|r42048]], there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://dev.openwrt.org/ticket/17690#comment:6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections, you should leave it active.
 +
 +This behavior can be disabled by editing /etc/sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
===== How to delete a rule ===== ===== How to delete a rule =====
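Review bot: grammar and spelling in the new ''nf_conntrack_skip_filter'' section: "causes the packets with the established state, completely bypass iptables filter table" should read "causes packets in the established state to bypass the iptables filter table completely", and "untill" should be "until". On substance, the text should spell out the consequence for this page's own examples: while the setting is active, a ''config rule'' with target ''REJECT'' or ''DROP'' only affects new connections, so for example the time-based REJECT rule shown earlier would not interrupt a connection already in progress at 21:00. The sysctl snippets are shown as indented blocks where the rest of the page uses ''<code>'' fences; use fences for consistency.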
Line 492: Line 718:
# FW_TRACE=1 fw reload 2>/tmp/iptables.log # FW_TRACE=1 fw reload 2>/tmp/iptables.log
</code> </code>
 +
 +
 +If you are using the firewall3, you can enable debug mode using the ''-d'' switch:
 +<code>
 +# fw3 -d reload 2>/tmp/iptables.log
 +</code>
 +
 +Furthermore it is also possible to print the to-be generated ruleset using the ''print'' command in conjunction with the ''-4'' and ''-6'' switches:
 +<code>
 +# fw3 -4 print > /tmp/ipv4.rules
 +# fw3 -6 print > /tmp/ipv6.rules
 +</code>
 +
 +===== Packet flow ======
 +
 +==== INPUT (destined to router) ====
 +
 +^ Table  ^ Chain                        ^ Type    ^ Description ^
 +| raw    | ''PREROUTING''                | system  | |
 +| :::    | ''notrack''                  | internal | Internal chain for NOTRACK rules |
 +| mangle | ''PREROUTING''                | system  | |
 +| :::    | ''fwmark''                    | internal | Internal chain for MARK rules |
 +| nat    | ''PREROUTING''                | system  | |
 +| :::    | ''delegate_prerouting''      | internal | Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding ''zone_//name//_prerouting'' chains |
 +| :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) |
 +| :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules |
 +| :::    | ''prerouting_//name//_rule''  | user    | Per-zone container chains for custom user prerouting rules (firewall.user) |
 +| mangle | ''INPUT''                    | system  | |
 +| filter | ''INPUT''                    | system  | |
 +| :::    | ''delegate_input''            | internal | Internal chain to hold toplevel input rules, dispatches traffic to the corresponding ''zone_//name//_input'' chains |
 +| :::    | ''input_rule''                | user    | Container chain for custom user input rules (firewall.user) |
 +| :::    | ''syn_flood''                | internal | Internal chain to match and drop syn flood attempts |
 +| :::    | ''zone_//name//_input''      | internal | Per-zone container chains for input rules |
 +| :::    | ''input_//name//_rule''      | user    | Per-zone container chains for custom user input rules (firewall.user) |
 +
 +==== OUTPUT (originating from router) ====
 +
 +^ Table  ^ Chain                        ^ Type    ^ Description ^
 +| raw    | ''OUTPUT''                    | system  | |
 +| mangle | ''OUTPUT''                    | system  | |
 +| nat    | ''OUTPUT''                    | system  | |
 +| filter | ''OUTPUT''                    | system  | |
 +| :::    | ''delegate_output''          | internal | Internal chain to hold toplevel output rules, dispatches traffic to the corresponding ''zone_//name//_output'' chains |
 +| :::    | ''output_rule''              | user    | Container chain for custom user output rules (firewall.user) |
 +| :::    | ''zone_//name//_output''      | internal | Per-zone container chains for output rules |
 +| :::    | ''output_//name//_rule''      | user    | Per-zone container chains for custom user output rules (firewall.user) |
 +| mangle | ''POSTROUTING''              | system  | |
 +| nat    | ''POSTROUTING''              | system  | |
 +| :::    | ''delegate_postrouting''      | internal | Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding ''zone_//name//_postrouting'' chains |
 +| :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) |
 +| :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) |
 +| :::    | ''postrouting_//name//_rule'' | user    | Per-zone container chains for custom user postrouting rules (firewall.user) |
 +
 +==== FORWARD (relayed through router) ====
 +
 +^ Table  ^ Chain                        ^ Type    ^ Description ^
 +| raw    | ''PREROUTING''                | system  | |
 +| :::    | ''notrack''                  | internal | Internal chain for NOTRACK rules |
 +| mangle | ''PREROUTING''                | system  | |
 +| :::    | ''fwmark''                    | internal | Internal chain for MARK rules |
 +| nat    | ''PREROUTING''                | system  | |
 +| :::    | ''delegate_prerouting''      | internal | Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding ''zone_//name//_prerouting'' chains |
 +| :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) |
 +| :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules |
 +| :::    | ''prerouting_//name//_rule''  | user    | Per-zone container chains for custom user prerouting rules (firewall.user) |
 +| mangle | ''FORWARD''                  | system  | |
 +| :::    | ''mssfix''                    | internal | Internal chain to hold for TCPMSS rules (mtu_fix) |
 +| filter | ''FORWARD''                  | system  | |
 +| :::    | ''delegate_forward''          | internal | Internal chain to hold toplevel forward rules, dispatches traffic to the corresponding ''zone_//name//_forward'' chains |
 +| :::    | ''forwarding_rule''          | user    | Container chain for custom user forward rules (firewall.user) |
 +| :::    | ''zone_//name//_forward''    | internal | Per-zone container chains for output rules |
 +| :::    | ''forwarding_//name//_rule''  | user    | Per-zone container chains for custom user forward rules (firewall.user) |
 +| mangle | ''POSTROUTING''              | system  | |
 +| nat    | ''POSTROUTING''              | system  | |
 +| :::    | ''delegate_postrouting''      | internal | Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding ''zone_//name//_postrouting'' chains |
 +| :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) |
 +| :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) |
 +| :::    | ''postrouting_//name//_rule'' | user    | Per-zone container chains for custom user postrouting rules (firewall.user) |
 +
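Review bot: the heading ''===== Packet flow ======'' has five ''='' on the left and six on the right; make both sides ''====='' like the other section headings. In the FORWARD table, the ''zone_//name//_forward'' row says "Per-zone container chains for output rules" (copied from the OUTPUT table) and should say "forward rules", and the ''mssfix'' row's "Internal chain to hold for TCPMSS rules" should drop "for". The sentence "Furthermore it is also possible to print the to-be generated ruleset" reads better as "It is also possible to print the ruleset that would be generated". The ''syn_flood'' row is the only chain in these tables with a protective function; a cross-reference to the defaults option that enables it would help readers find where it is switched on.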

doc/uci/firewall.1347519181.txt.bz2 · Last modified: 2012/09/13 08:53 by kenyon