Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2013/05/19 11:59]
orca
doc:uci:firewall [2014/03/03 13:45] (current)
ayaka more security
Line 1: Line 1:
====== Firewall configuration ====== ====== Firewall configuration ======
The firewall configuration located in **''/etc/config/firewall''**. The firewall configuration located in **''/etc/config/firewall''**.
- 
-**''Note No1''**: Maybe not all newest changes [[https://dev.openwrt.org/changeset/35484/trunk|trunk r35484]] are documented.\\ 
-**''Note No2''**: Precompiled OpenWrt Images contain the OpenWrt-Firewall. The OpenWrt-Firewall already contains a couple of rules. For some obscure reasons, this pre-defined rules are not contained in the file **''/etc/config/firewall''** but are hard-coded in other files. http://nbd.name/gitweb.cgi?p=firewall3.git;a=summary Since the netfilter system is a chained processing filter, you need to know this pre-existing rules in order to successfully add own rules. 
===== Overview ===== ===== Overview =====
-UCI Firewall provides a configuration interface that abstracts from the **iptables** system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed.+OpenWrt relies on [[doc:howto:netfilter]] for packet filtering, NAT and mangling. The UCI Firewall provides a configuration interface that abstracts from the **iptables** system to provide a simplified configuration model that is fit for most regular purposes while enabling the user to supply needed iptables rules on his own when needed.
-UCI Firewall maps two or more //Interfaces// together into //Zones// that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two. In the config file, default rules come //first// but they are the last to take effect. The iptables ([[doc:howto:netfilter]]) system is a chained processing filter where packets pass through various rules. The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT. Such an outcome is final, therefore the default rules take effect last, and the most specific rule takes effect first. Zones are also used to configure //masquerading// also known as NAT (network-address-translation) as well as port forwarding rules, which are more generally known as redirects.+UCI Firewall maps two or more //Interfaces// together into //Zones// that are used to describe default rules for a given interface, forwarding rules between interfaces, and extra rules that are not covered by the first two. In the config file, default rules come //first// but they are the last to take effect. The netfilter system is a chained processing filter where packets pass through various rules. The first rule that matches is executed, often leading to another rule-chain until a packet hits either ACCEPT or DROP/REJECT. Such an outcome is final, therefore the default rules take effect last, and the most specific rule takes effect first. Zones are also used to configure //masquerading// also known as NAT (network-address-translation) as well as port forwarding rules, which are more generally known as redirects.
Zones must always be mapped onto one or more Interfaces which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup. Zones must always be mapped onto one or more Interfaces which ultimately map onto physical devices; therefore zones cannot be used to specify networks (subnets), and the generated iptables rules operate on interfaces exclusively. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup.
===== Requirements ===== ===== Requirements =====
-  * **''firewall''** and its dependencies (//pre-installed//)+  * **''firewall''** (or  **''firewall3''**) and its dependencies (//pre-installed//)
    * **''iptables''** (//pre-installed//)     * **''iptables''** (//pre-installed//)
-    * **''iptables-mod-conntrack''** (//pre-installed//) +    * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter#OPKG Netfilter Packages]].
-    * **''iptables-mod-nat''** (//pre-installed//) +
-    * **''iptables-mod-?''** (//optional//), see [[doc:howto:netfilter]]+
- +
-It is not required to use UCI Firewall, but merely exists to make life easier for you. The WebUI ([[doc:howto:LuCI]]) may also be used to configure the UCI firewall. The firewall package may be found here: ''[[https://dev.openwrt.org/browser/trunk/package/network/config/firewall|firewall]]''.+
===== Sections ===== ===== Sections =====
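Review bot: deleting Note No2 drops a caveat this page needs: precompiled images carry default rules that are not in ''/etc/config/firewall'' but are built into firewall3, and custom rules only behave as expected when written with those pre-existing chains in mind. Keep one sentence to that effect, plus the firewall3 gitweb link, in the Overview instead of removing it. In the Requirements list, ''iptables-mod-conntrack'' and ''iptables-mod-nat'' are removed without saying whether ''firewall3'' now pulls them in as dependencies; either state that or restore the entries, since the page's masquerading and redirect sections depend on them. Minor: stray double space in ''(or  **''firewall3''**)''.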
Line 108: Line 101:
| ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT// rewrite the //source ports// to the given value. | | ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT// rewrite the //source ports// to the given value. |
| ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// | | ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// |
-| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//, must refer to one of the defined //zone names//. |+| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//. For ''DNAT'' target on Attitude Adjustment, NAT reflection works only if this is equal to ''lan''. |
| ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. | | ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. |
| ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. | | ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. |
| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark |
| ''mark'' | string | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. | | ''mark'' | string | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. |
-| ''start_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | +| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | 
-| ''stop_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |+| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |
| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). | | ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). |
| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). | | ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). |
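Review bot: the ''yyyy-mm-dddd'' to ''yyyy-mm-dd'' correction in the ''start_date'' and ''stop_date'' rows is right, but the ''start_date'' row still reads "If specifed"; fix the typo in the same edit. In the ''dest'' row, the new sentence ("For ''DNAT'' target on Attitude Adjustment, NAT reflection works only if this is equal to ''lan''") makes ''dest'' effectively required for reflected DNAT, yet the "required" cell still says "yes for ''SNAT'' target" only; update the cell or qualify it.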
Line 122: Line 115:
| ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule | | ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''reflection'' | boolean | no | ''1'' | Disables NAT reflection for this redirect if set to ''0'' - applicable to ''DNAT'' targets. |+| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. |
| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. |
| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. | | ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
 +
 +:!: On Attitude Adjustment, for NAT reflection to work, you **must** specify ''option dest lan'' in the ''redirect'' section (even though we're using a ''DNAT'' target).
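Review bot: the reworded ''reflection'' description ("Activate NAT reflection for this redirect") no longer tells the reader how to switch reflection off, and with the default at ''1'' the opt-out is the useful information. Suggest: "NAT reflection is enabled by default; set to ''0'' to disable it for this redirect. Applicable to ''DNAT'' targets." The added :!: note repeats the Attitude Adjustment caveat just inserted into the ''dest'' row; keep one of the two, or have the table row point at the note.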
==== Rules ==== ==== Rules ====
Line 153: Line 148:
| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark | | ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark |
| ''mark'' | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. | | ''mark'' | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. |
-| ''start_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | +| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). | 
-| ''stop_date'' | date (''yyyy-mm-dddd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |+| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |
| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). | | ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). |
| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). | | ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). |
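Review bot: same as in the redirect table: the ''start_date'' row keeps "If specifed" while its date format is being corrected; fix the typo here too.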
Line 275: Line 270:
        option src_dport 80         option src_dport 80
        option proto    tcp         option proto    tcp
 +        option dest      lan
        option dest_ip  192.168.1.10         option dest_ip  192.168.1.10
</code> </code>
Line 291: Line 287:
        option 'dest' 'lan'         option 'dest' 'lan'
</code> </code>
 +
==== Source NAT (SNAT) ==== ==== Source NAT (SNAT) ====
Line 481: Line 478:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
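Review bot: adding ''option name example'' fixes zone sections that had no name, but this hunk and the two that follow give all three example zones the same name; a reader who copies more than one of them into ''/etc/config/firewall'' ends up with colliding zone names. Use a distinct name per example, or say explicitly that they are alternative definitions of the same zone.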
Line 495: Line 493:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 511: Line 510:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 549: Line 549:
option dest lan option dest lan
option src wan6 option src wan6
 +#you don't need the below as you can a firewall rule to open the port that you need
config forwarding config forwarding
option dest wan6 option dest wan6
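Review bot: the added comment is missing its verb ("you can a firewall rule" should be "you can add a firewall rule"), and where it sits it refers to the ''config forwarding'' with ''option dest wan6'' that follows, i.e. outbound forwarding. The forwarding that a targeted rule can replace is the one ending just above it (''option dest lan'' / ''option src wan6''), which forwards all traffic from wan6 into lan; a per-port ''config rule'' is the least-privilege alternative to that one. Move the comment above that section so it points at the right block.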
Line 606: Line 606:
When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue. When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
 +
 +Also there is an interesting article which that claims dropping connections doesnt make you any safer - [[http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject|Drop versus Reject]].
**DROP** **DROP**
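Review bot: grammar in the added sentence: "an interesting article which that claims dropping connections doesnt make you any safer" should read "an interesting article that argues dropping connections doesn't make you any safer". Placed immediately before the **DROP** heading it reads as part of the dropped-connection paragraph above; consider putting it after both DROP and REJECT have been described so it is read as a comparison of the two.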
Line 687: Line 689:
| :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) | | :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) |
| :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules | | :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules |
 +| :::    | ''prerouting_//name//_rule''  | user    | Per-zone container chains for custom user prerouting rules (firewall.user) |
| mangle | ''INPUT''                    | system  | | | mangle | ''INPUT''                    | system  | |
| filter | ''INPUT''                    | system  | | | filter | ''INPUT''                    | system  | |
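Review bot: the new ''prerouting_//name//_rule'' row's description is identical to the ''prerouting_rule'' row apart from "Per-zone"; say what distinguishes them for someone deciding where to hook a firewall.user rule: the global chain sees every packet, the per-zone chain only those arriving on that zone's interfaces, so zone-specific rules belong in the latter. The same wording fix applies to the per-zone input, output, forward and postrouting rows added further down.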
Line 693: Line 696:
| :::    | ''syn_flood''                | internal | Internal chain to match and drop syn flood attempts | | :::    | ''syn_flood''                | internal | Internal chain to match and drop syn flood attempts |
| :::    | ''zone_//name//_input''      | internal | Per-zone container chains for input rules | | :::    | ''zone_//name//_input''      | internal | Per-zone container chains for input rules |
 +| :::    | ''input_//name//_rule''      | user    | Per-zone container chains for custom user input rules (firewall.user) |
==== OUTPUT (originating from router) ==== ==== OUTPUT (originating from router) ====
Line 704: Line 708:
| :::    | ''output_rule''              | user    | Container chain for custom user output rules (firewall.user) | | :::    | ''output_rule''              | user    | Container chain for custom user output rules (firewall.user) |
| :::    | ''zone_//name//_output''      | internal | Per-zone container chains for output rules | | :::    | ''zone_//name//_output''      | internal | Per-zone container chains for output rules |
 +| :::    | ''output_//name//_rule''      | user    | Per-zone container chains for custom user output rules (firewall.user) |
| mangle | ''POSTROUTING''              | system  | | | mangle | ''POSTROUTING''              | system  | |
| nat    | ''POSTROUTING''              | system  | | | nat    | ''POSTROUTING''              | system  | |
Line 709: Line 714:
| :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) | | :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) |
| :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) | | :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) |
 +| :::    | ''postrouting_//name//_rule'' | user    | Per-zone container chains for custom user postrouting rules (firewall.user) |
==== FORWARD (relayed through router) ==== ==== FORWARD (relayed through router) ====
Line 721: Line 727:
| :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) | | :::    | ''prerouting_rule''          | user    | Container chain for custom user prerouting rules (firewall.user) |
| :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules | | :::    | ''zone_//name//_prerouting''  | internal | Per-zone container chains for DNAT (port forwarding) rules |
 +| :::    | ''prerouting_//name//_rule''  | user    | Per-zone container chains for custom user prerouting rules (firewall.user) |
| mangle | ''FORWARD''                  | system  | | | mangle | ''FORWARD''                  | system  | |
| :::    | ''mssfix''                    | internal | Internal chain to hold for TCPMSS rules (mtu_fix) | | :::    | ''mssfix''                    | internal | Internal chain to hold for TCPMSS rules (mtu_fix) |
Line 727: Line 734:
| :::    | ''forwarding_rule''          | user    | Container chain for custom user forward rules (firewall.user) | | :::    | ''forwarding_rule''          | user    | Container chain for custom user forward rules (firewall.user) |
| :::    | ''zone_//name//_forward''    | internal | Per-zone container chains for output rules | | :::    | ''zone_//name//_forward''    | internal | Per-zone container chains for output rules |
 +| :::    | ''forwarding_//name//_rule''  | user    | Per-zone container chains for custom user forward rules (firewall.user) |
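Review bot: while adding the ''forwarding_//name//_rule'' row, fix the unchanged row just above it: ''zone_//name//_forward'' is described as "Per-zone container chains for output rules" but it sits in the FORWARD table, so it should read "forward rules".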
| mangle | ''POSTROUTING''              | system  | | | mangle | ''POSTROUTING''              | system  | |
| nat    | ''POSTROUTING''              | system  | | | nat    | ''POSTROUTING''              | system  | |
Line 732: Line 740:
| :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) | | :::    | ''postrouting_rule''          | user    | Container chain for custom user postrouting rules (firewall.user) |
| :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) | | :::    | ''zone_//name//_postrouting'' | internal | Per-zone container chains for postrouting rules (masq, snat) |
 +| :::    | ''postrouting_//name//_rule'' | user    | Per-zone container chains for custom user postrouting rules (firewall.user) |


doc/uci/firewall.1368957565.txt.bz2 · Last modified: 2013/05/19 11:59 by orca