Differences
This shows you the differences between two versions of the page.
| | doc:uci:firewall [2013/02/05 10:09] orca | | doc:uci:firewall [2013/05/21 16:13] (current) jow remove bullshit comments |
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Firewall configuration ====== | ====== Firewall configuration ====== | ||
| The firewall configuration located in **''/etc/config/firewall''**. | The firewall configuration located in **''/etc/config/firewall''**. | ||
| - | |||
| - | Note: Maybe not all newest changes [[https://dev.openwrt.org/changeset/35484/trunk|trunk r35484]] are documented. | ||
| ===== Overview ===== | ===== Overview ===== | ||
| UCI Firewall provides a configuration interface that abstracts from the **iptables** system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed. | UCI Firewall provides a configuration interface that abstracts from the **iptables** system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed. | ||
| - | UCI Firewall maps //Interfaces// into Zones that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two. In the config file, default rules come //first// but they are the last to take effect. The iptables ([[doc:howto:netfilter]]) system is a chained processing filter where packets pass through various rules. The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT. Such an outcome is final, therefore the default rules take effect last, and the most specific rule takes effect first. Zones are also used to configure //masquerading// also known as NAT (network-address-translation) as well as port forwarding rules, which are more generally known as redirects. | + | UCI Firewall maps two or more //Interfaces// together into //Zones// that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two. In the config file, default rules come //first// but they are the last to take effect. The iptables ([[doc:howto:netfilter]]) system is a chained processing filter where packets pass through various rules. The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT. Such an outcome is final, therefore the default rules take effect last, and the most specific rule takes effect first. Zones are also used to configure //masquerading// also known as NAT (network-address-translation) as well as port forwarding rules, which are more generally known as redirects. |
| Zones must always be mapped onto one or more Interfaces which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup. | Zones must always be mapped onto one or more Interfaces which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup. | ||
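Review bot: the rewritten Overview sentence says UCI Firewall "maps two or more //Interfaces// together into //Zones//", which contradicts the unchanged paragraph right after it ("Zones must always be mapped onto one or more Interfaces") and the usual single-interface wan zone; suggest "maps one or more //Interfaces// into //Zones//". Dropping the note about trunk r35484 also removes the only hint that the option tables can lag the code; since this same revision adds options that later sections describe as firewall v3 features (ipset, mark, the time matches), a one-line replacement saying which options need firewall v3 would preserve that information.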
| Line 18: | Line 16: | ||
| * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter]]. | * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter]]. | ||
| - | It is not required to use UCI Firewall, but merely exists to make life easier for you. The WebUI ([[doc:howto:LuCI]]) may also be used to configure the UCI firewall. The firewall package may be found here: ''[[https://dev.openwrt.org/browser/trunk/package/firewall|firewall]]''. | + | It is not required to use UCI Firewall, but merely exists to make life easier for you. The WebUI ([[doc:howto:LuCI]]) may also be used to configure the UCI firewall. The firewall package may be found here: ''[[https://dev.openwrt.org/browser/trunk/package/network/config/firewall|firewall]]''. |
| ===== Sections ===== | ===== Sections ===== | ||
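Review bot: "It is not required to use UCI Firewall, but merely exists to make life easier for you" has no subject for "exists"; suggest "UCI Firewall is not required; it merely exists to make life easier for you." The updated package link (''trunk/package/network/config/firewall'') is fine, but if that package is the implementation the later sections call "firewall v3", say so here, so a reader knows which implementation the v3-only options in the tables below apply to.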
| Line 110: | Line 108: | ||
| | ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. | | | ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. | | ||
| | ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. | | | ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. | | ||
| + | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark | | ||
| + | | ''mark'' | string | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. | | ||
| + | | ''start_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | | ||
| + | | ''stop_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). | | ||
| + | | ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). | | ||
| + | | ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). | | ||
| + | | ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. | | ||
| + | | ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. | | ||
| + | | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | | ||
| | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule | | | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule | | ||
| | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ||
| | ''reflection'' | boolean | no | ''1'' | Disables NAT reflection for this redirect if set to ''0'' - applicable to ''DNAT'' targets. | | | ''reflection'' | boolean | no | ''1'' | Disables NAT reflection for this redirect if set to ''0'' - applicable to ''DNAT'' targets. | | ||
| + | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | ||
| | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. | | | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. | | ||
| | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ||
| | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ||
| + | |||
| ==== Rules ==== | ==== Rules ==== | ||
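Review bot: the new ''start_date'' and ''stop_date'' rows give the type as ''yyyy-mm-dddd'', a typo for ''yyyy-mm-dd'' (the day has two digits); the same rows have "specifed" for "specified", and the ''monthdays'' row has "30rd" for "30th". The ''mark'' row is typed "string" here but "mark/mask" in the Rules table added in the same revision; pick one. The ''reflection_src'' row should say which interface address ''internal'' and ''external'' each resolve to rather than only "which interface's address to use", and that the value is ignored when ''reflection'' is ''0''. Because redirects become nat-table PREROUTING rules (see the Packet flow tables further down), the time options deserve a caveat that they gate only new connections: a connection translated before ''stop_time'' keeps its mapping until it ends, which is not what "only match traffic before the given time" suggests.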
| Line 139: | Line 148: | ||
| | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address//. With no dest zone, this is treated as an input rule! | | | ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address//. With no dest zone, this is treated as an input rule! | | ||
| | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. | | | ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. | | ||
| - | | ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'') for matched traffic | | + | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark | |
| + | | ''mark'' | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. | | ||
| + | | ''start_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | | ||
| + | | ''stop_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). | | ||
| + | | ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). | | ||
| + | | ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). | | ||
| + | | ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. | | ||
| + | | ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. | | ||
| + | | ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. | | ||
| + | | ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'', ''MARK'', ''NOTRACK'') for matched traffic | | ||
| + | | ''set_mark'' | mark/mask | yes for target ''MARK'' | //(none)// | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ||
| + | | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ||
| | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ||
| | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. | | | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. | | ||
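Review bot: ''set_mark'' and ''set_xmark'' are both shown as required for target ''MARK'' through the ''':::''' row span, but a rule can only use one of them; the Required cell should read "one of ''set_mark''/''set_xmark'' for target ''MARK''". The new ''target'' values ''MARK'' and ''NOTRACK'' are not filter actions: the Packet flow tables below place them in the mangle ''fwmark'' and raw ''notrack'' chains at PREROUTING, before routing, so the row should say what ''src'' and ''dest'' mean for such rules and that a ''NOTRACK'' rule, by definition, exempts the matched traffic from connection tracking, so stateful matching and NAT no longer apply to it. The ''yyyy-mm-dddd'', "specifed" and "30rd" typos from the Redirects table recur here.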
| Line 152: | Line 172: | ||
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ||
| + | | ''enabled'' | boolean | no | ''1'' | Allows to disable the corresponding include without having to delete the section | | ||
| + | | ''type'' | string | no | ''script'' | Specifies the type of the include, can be ''script'' for traditional shell script includes or ''restore'' for plain files in //iptables-restore// format | | ||
| | ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts | | | ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts | | ||
| + | | ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the include is called | | ||
| + | | ''reload'' | boolean | no | ''0'' | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains | | ||
| - | Included scripts may contain arbitary commands, for example advanced iptables rules or tc commands required for traffic shaping. | + | Includes of type ''script'' may contain arbitary commands, for example advanced iptables rules or tc commands required for traffic shaping. |
| :!: Since custom iptables rules are meant to be more specific than the generic ones, you must make sure to use ''-I'' (insert) instead of ''-A'' (append) so that the rules appear **before** the default rules. | :!: Since custom iptables rules are meant to be more specific than the generic ones, you must make sure to use ''-I'' (insert) instead of ''-A'' (append) so that the rules appear **before** the default rules. | ||
| + | |||
| + | |||
| + | ==== IP Sets ==== | ||
| + | |||
| + | The UCI firewall version 3 supports referencing or creating [[http://ipset.netfilter.org/|ipsets]] to simplify matching of | ||
| + | huge address or port lists without the need for creating one rule per item to match, | ||
| + | |||
| + | The following options are defined for //ipsets//: | ||
| + | |||
| + | ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ||
| + | | ''enabled'' | boolean | no | ''1'' | Allows to disable the declaration fo the ipset without the need to delete the section. | | ||
| + | | ''external'' | string | no | //(none)// | If the ''external'' option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the ''external'' option is unset, the firewall will create the ipset on start and destroy it on stop. | | ||
| + | | ''name'' | string | yes if ''external'' is unset \\ no if ''external'' is set | //(none)// if ''external'' is unset \\ value of ''external'' if ''external'' is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. | | ||
| + | | ''family'' | string | no | ''ipv4'' | Protocol family (''ipv4'' or ''ipv6'') to create ipset for. Only applicable to storage types ''hash'' and ''list'', the ''bitmap'' type implies ''ipv4''. | | ||
| + | | ''storage'' | string | no | //varies// | Specifies the storage method (''bitmap'', ''hash'' or ''list'') used by the ipset, the default varies depending on the used datatypes (see ''match'' option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. ''bitmap:ip'' vs. ''hash:ip''). | | ||
| + | | ''match'' | list of direction/type tuples | yes | //(none)// | Specifies the matched data types (''ip'', ''port'', ''mac'', ''net'' or ''set'') and their direction (''src'' or ''dest''). The direction is joined with the datatype by an underscore to form a tuple, e.g. ''src_port'' to match source ports or ''dest_net'' to match destination CIDR ranges. | | ||
| + | | ''iprange'' | IP range | yes for storage type ''bitmap'' with datatype ''ip'' | //(none)// | Specifies the IP range to cover, see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''hash'' storage type. | | ||
| + | | ''portrange'' | Port range | yes for storage type ''bitmap'' with datatype ''port'' | //(none)// | Specifies the port range to cover, see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''hash'' storage type. | | ||
| + | | ''netmask'' | integer | no | ''32'' | If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between ''1'' and ''32'', see [[http://ipset.netfilter.org/ipset.man.html|ipset(8)]]. Only applicable to the ''bitmap'' storage type with match ''ip'' or the ''hash'' storage type with match ''ip''. | | ||
| + | | ''maxelem'' | integer | no | ''65536'' | Limits the number of items that can be added to the set, only applicable to the ''hash'' and ''list'' storage types. | | ||
| + | | ''hashsize'' | integer | no | ''1024'' | Specifies the initial hash size of the set, only applicable to the ''hash'' storage type. | | ||
| + | | ''timeout'' | integer | no | ''0'' | Specifies the default timeout for entries added to the set. A value of ''0'' means no timeout. | | ||
| + | |||
| + | === Possible Storage / Match Combinations === | ||
| + | |||
| + | The table below outlines the possible combinations of storage methods and matched datatypes as well as the usable IP address family. | ||
| + | The order of the datatype matches is significant. | ||
| + | |||
| + | ^ Family ^ Storage ^ Match ^ Notes ^ | ||
| + | | ''ipv4'' | ''bitmap'' | ''ip'' | Requries ''iprange'' option | | ||
| + | | ''ipv4'' | ''bitmap'' | ''ip mac'' | Requires ''iprange'' option | | ||
| + | | ''ipv4'' | ''bitmap'' | ''port'' | Requires ''portrange'' option | | ||
| + | | //any// | ''hash'' | ''ip'' | - | | ||
| + | | //any// | ''hash'' | ''net'' | - | | ||
| + | | //any// | ''hash'' | ''ip port'' | - | | ||
| + | | //any// | ''hash'' | ''net port'' | - | | ||
| + | | //any// | ''hash'' | ''ip port ip'' | - | | ||
| + | | //any// | ''hash'' | ''ip port net'' | - | | ||
| + | | - | ''list'' | ''set'' | Meta type to create a set-of-sets | | ||
| ===== IPv6 notes ===== | ===== IPv6 notes ===== | ||
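Review bot: the ''iprange'' and ''portrange'' rows say "yes for storage type ''bitmap''" and then "Only applicable to the ''hash'' storage type"; the second sentence contradicts the first and the combinations table, which requires them for ''bitmap'', so it should read "Only applicable to the ''bitmap'' storage type". Typos: "arbitary", "declaration fo the ipset", "Requries", and the sentence ending "without the need for creating one rule per item to match," needs a full stop. For the new include ''type'' ''restore'', the ''path'' default ''/etc/firewall.user'' only makes sense for ''script''; say so, and state whether the file is loaded without flushing (''iptables-restore -n''), since a plain ''iptables-restore'' replaces the whole table and would discard the generated rules. The ''external'' row should note that iptables refuses a ''-m set'' rule whose set does not exist at load time, and that the firewall does not validate the contents of an externally managed set, so whoever can write to that set decides what the rule matches.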
| Line 293: | Line 356: | ||
| option src_ip 192.168.1.27 | option src_ip 192.168.1.27 | ||
| option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00' | option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00' | ||
| + | option target REJECT | ||
| + | </code> | ||
| + | |||
| + | Using firewall v3 and later the example becomes: | ||
| + | |||
| + | <code> | ||
| + | config rule | ||
| + | option src lan | ||
| + | option dest wan | ||
| + | option src_ip 192.168.1.27 | ||
| + | option start_time 21:00 | ||
| + | option stop_time 09:00 | ||
| + | option weekdays 'mon tue wed thu fri' | ||
| option target REJECT | option target REJECT | ||
| </code> | </code> | ||
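Review bot: the two examples are not equivalent in time zone: the original ''-m time'' match in ''extra'' has no ''--kerneltz'', so iptables evaluates 21:00 to 09:00 in UTC, whereas the v3 options default to local time (''utc_time'' ''0'' in the Rules table); either add ''option utc_time 1'' to the v3 example or say that it is the local-time version. Both versions also combine a window that crosses midnight with a weekday list, and the weekday test applies to the packet's current day: Friday 21:00 to 24:00 is blocked but Saturday 00:00 to 09:00 is not, while Monday 00:00 to 09:00 is blocked although Sunday evening was not. If the intent is "school nights", the after-midnight half needs its own rule with the weekday list shifted by one day (''tue wed thu fri sat'').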
| Line 327: | Line 403: | ||
| option proto tcp | option proto tcp | ||
| option src_dport 80 | option src_dport 80 | ||
| - | option dest_port 3128</code> | + | option dest_port 3128 |
| + | option dest_ip 192.168.1.1</code> | ||
| ==== Transparent proxy rule (external) ==== | ==== Transparent proxy rule (external) ==== | ||
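Review bot: adding ''option dest_ip 192.168.1.1'' makes the redirect consistent with the Redirects table, where ''dest_ip'' is required for the default ''DNAT'' target, but the value is the router's default lan address and should be described as such; copied onto a renumbered lan, the example would silently forward port 80 to whatever host holds 192.168.1.1 instead of to the local proxy.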
| Line 498: | Line 575: | ||
| Note that ''disable'' does not flush the rules, so it might be required to issue a ''stop'' before. | Note that ''disable'' does not flush the rules, so it might be required to issue a ''stop'' before. | ||
| Use ''enable'' to activate the firewall again. | Use ''enable'' to activate the firewall again. | ||
| + | |||
| + | ==== Temporarily disable firewall ==== | ||
| + | |||
| + | Run ''/etc/init.d/firewall stop'' to flush all rules and set the policies to ACCEPT. | ||
| + | To restart the firewall, run ''/etc/init.d/firewall start''. | ||
| + | |||
| ===== Hotplug hooks (8.09.2+) ===== | ===== Hotplug hooks (8.09.2+) ===== | ||
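Review bot: the new "Temporarily disable firewall" subsection needs a warning: ''/etc/init.d/firewall stop'' flushes all rules and sets every policy to ACCEPT, so until ''start'' is run the router accepts every inbound connection on wan and forwards unfiltered between all zones, and because the masquerading rules are flushed with the rest, lan clients lose NAT towards wan as well. It also duplicates the preceding paragraph, which already explains that ''disable'' does not flush and that a ''stop'' may be needed; merge the two so the flush behaviour and its consequences are stated once.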
| Line 575: | Line 658: | ||
| # FW_TRACE=1 fw reload 2>/tmp/iptables.log | # FW_TRACE=1 fw reload 2>/tmp/iptables.log | ||
| </code> | </code> | ||
| + | |||
| + | |||
| + | If you are using the firewall3, you can enable debug mode using the ''-d'' switch: | ||
| + | <code> | ||
| + | # fw3 -d reload 2>/tmp/iptables.log | ||
| + | </code> | ||
| + | |||
| + | Furthermore it is also possible to print the to-be generated ruleset using the ''print'' command in conjunction with the ''-4'' and ''-6'' switches: | ||
| + | <code> | ||
| + | # fw3 -4 print > /tmp/ipv4.rules | ||
| + | # fw3 -6 print > /tmp/ipv6.rules | ||
| + | </code> | ||
| + | |||
| + | ===== Packet flow ====== | ||
| + | |||
| + | ==== INPUT (destined to router) ==== | ||
| + | |||
| + | ^ Table ^ Chain ^ Type ^ Description ^ | ||
| + | | raw | ''PREROUTING'' | system | | | ||
| + | | ::: | ''notrack'' | internal | Internal chain for NOTRACK rules | | ||
| + | | mangle | ''PREROUTING'' | system | | | ||
| + | | ::: | ''fwmark'' | internal | Internal chain for MARK rules | | ||
| + | | nat | ''PREROUTING'' | system | | | ||
| + | | ::: | ''delegate_prerouting'' | internal | Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding ''zone_//name//_prerouting'' chains | | ||
| + | | ::: | ''prerouting_rule'' | user | Container chain for custom user prerouting rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_prerouting'' | internal | Per-zone container chains for DNAT (port forwarding) rules | | ||
| + | | mangle | ''INPUT'' | system | | | ||
| + | | filter | ''INPUT'' | system | | | ||
| + | | ::: | ''delegate_input'' | internal | Internal chain to hold toplevel input rules, dispatches traffic to the corresponding ''zone_//name//_input'' chains | | ||
| + | | ::: | ''input_rule'' | user | Container chain for custom user input rules (firewall.user) | | ||
| + | | ::: | ''syn_flood'' | internal | Internal chain to match and drop syn flood attempts | | ||
| + | | ::: | ''zone_//name//_input'' | internal | Per-zone container chains for input rules | | ||
| + | |||
| + | ==== OUTPUT (originating from router) ==== | ||
| + | |||
| + | ^ Table ^ Chain ^ Type ^ Description ^ | ||
| + | | raw | ''OUTPUT'' | system | | | ||
| + | | mangle | ''OUTPUT'' | system | | | ||
| + | | nat | ''OUTPUT'' | system | | | ||
| + | | filter | ''OUTPUT'' | system | | | ||
| + | | ::: | ''delegate_output'' | internal | Internal chain to hold toplevel output rules, dispatches traffic to the corresponding ''zone_//name//_output'' chains | | ||
| + | | ::: | ''output_rule'' | user | Container chain for custom user output rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_output'' | internal | Per-zone container chains for output rules | | ||
| + | | mangle | ''POSTROUTING'' | system | | | ||
| + | | nat | ''POSTROUTING'' | system | | | ||
| + | | ::: | ''delegate_postrouting'' | internal | Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding ''zone_//name//_postrouting'' chains | | ||
| + | | ::: | ''postrouting_rule'' | user | Container chain for custom user postrouting rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) | | ||
| + | |||
| + | ==== FORWARD (relayed through router) ==== | ||
| + | |||
| + | ^ Table ^ Chain ^ Type ^ Description ^ | ||
| + | | raw | ''PREROUTING'' | system | | | ||
| + | | ::: | ''notrack'' | internal | Internal chain for NOTRACK rules | | ||
| + | | mangle | ''PREROUTING'' | system | | | ||
| + | | ::: | ''fwmark'' | internal | Internal chain for MARK rules | | ||
| + | | nat | ''PREROUTING'' | system | | | ||
| + | | ::: | ''delegate_prerouting'' | internal | Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding ''zone_//name//_prerouting'' chains | | ||
| + | | ::: | ''prerouting_rule'' | user | Container chain for custom user prerouting rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_prerouting'' | internal | Per-zone container chains for DNAT (port forwarding) rules | | ||
| + | | mangle | ''FORWARD'' | system | | | ||
| + | | ::: | ''mssfix'' | internal | Internal chain to hold for TCPMSS rules (mtu_fix) | | ||
| + | | filter | ''FORWARD'' | system | | | ||
| + | | ::: | ''delegate_forward'' | internal | Internal chain to hold toplevel forward rules, dispatches traffic to the corresponding ''zone_//name//_forward'' chains | | ||
| + | | ::: | ''forwarding_rule'' | user | Container chain for custom user forward rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_forward'' | internal | Per-zone container chains for output rules | | ||
| + | | mangle | ''POSTROUTING'' | system | | | ||
| + | | nat | ''POSTROUTING'' | system | | | ||
| + | | ::: | ''delegate_postrouting'' | internal | Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding ''zone_//name//_postrouting'' chains | | ||
| + | | ::: | ''postrouting_rule'' | user | Container chain for custom user postrouting rules (firewall.user) | | ||
| + | | ::: | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) | | ||
| + | |||
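Review bot: the new heading ''===== Packet flow ======'' has five equals signs on the left and six on the right; DokuWiki needs a matching count or the line is rendered as plain text. In the FORWARD table, ''zone_//name//_forward'' is described as "Per-zone container chains for output rules" (copied from the OUTPUT table); it should say forward rules. "Internal chain to hold for TCPMSS rules" should drop "for", and "print the to-be generated ruleset" reads better as "print the ruleset that would be generated". The debugging text should also say what format ''fw3 print'' emits, since the reader's next step is to compare it with the live ruleset.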
doc/uci/firewall.1360055342.txt.bz2 · Last modified: 2013/02/05 10:09 by orca
