Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2014/03/03 13:45]
ayaka more security
doc:uci:firewall [2014/11/26 00:51] (current)
giner old revision restored
Line 56: Line 56:
| ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
| ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
-| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |+| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#notes.on.connection.tracking|Note on connection tracking]]) |
| ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic | | ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic |
| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic | | ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic |
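Review bot: the anchor in the ''conntrack'' row now points at ''#notes.on.connection.tracking'', which matches the heading renamed to ''Notes on connection tracking'' further down in this diff, but the old ''#note.on.connection.tracking.notrack'' target disappears with that rename, so the rest of the page and any page linking here should be searched for the old anchor. The link text itself still says "Note on connection tracking" (singular) while the heading is now plural; align the two. It would also help the reader of this row to say plainly what the default costs: with ''conntrack'' left at ''0'' on a non-masquerading zone, rules that depend on connection state (the IPsec ''-m policy'' match given under ''extra'', or the custom rules in ''/etc/firewall.user'' mentioned in the connection-tracking section) will not work until ''conntrack'' is set to ''1''.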
Line 90: Line 90:
//Redirects are also commonly known as "port forwarding", and "virtual servers".// //Redirects are also commonly known as "port forwarding", and "virtual servers".//
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
The options below are valid for //redirects//: The options below are valid for //redirects//:
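Review bot: the new sentence should say which redirect options accept a range, since "port ranges" on its own does not tell the reader whether ''src_dport'', ''dest_port'' or both may be given as ''start:stop''; the IPv6 example added later in this diff (''option dest_port 1024:65535'') shows it is at least ''dest_port''. "Similar to the iptables syntax" undersells it: ''start:stop'' is exactly the form iptables uses for ''--dport'' and ''--sport'', so say "the same as". There is also a double space after "6666:6670.".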
Line 117: Line 119:
| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | | ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. |
| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/second'', ''3/sec'' or ''3/s''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
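Review bot: the new examples ''3/sec'' and ''3/s'' contradict the description in the same cell, which still lists only the long forms ''/second'', ''/minute'', ''/hour'' and ''/day''; state that an abbreviated unit name is accepted and which unit is assumed when the suffix is omitted, otherwise the reader cannot tell whether ''3/s'' is a typo. For a redirect it is also worth adding one sentence on what happens above the rate: the redirect simply stops matching, so surplus packets are handled as if the redirect did not exist and fall to the zone's default policy, and ''limit_burst'' (default ''5'' in the next row) is the number of packets that always match before the rate applies.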
Line 134: Line 136:
  * If only ''dest'' is given, the rule matches //outgoing// traffic   * If only ''dest'' is given, the rule matches //outgoing// traffic
  * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule   * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
Valid options for this section are: Valid options for this section are:
^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
-| ''src'' | zone name | yes (:!: optional since Firewall v2, version 58 and above) | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//. |+| ''src'' | zone name | yes (:!: optional since Firewall v2, version 58 and above) | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//, or * for any zone. |
| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// | | ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// | | ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
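Review bot: the new ''*'' for "any zone" in the ''src'' row is the only value in this table not wrapped in ''%%''%%…''%%''%%'' markup; quote it like the zone names so it renders as code rather than as a stray asterisk, and if ''dest'' accepts the same wildcard the ''dest'' row should say so too. The port-range sentence repeated from the redirect section is fine here because rules are a separate section, but as there it should name the options that take a range (''src_port'', ''dest_port'') and drop the double space after "6666:6670.".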
Line 159: Line 163:
| ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
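Review bot: same problem as the redirect ''limit'' row: the examples ''3/min'' and ''3/m'' use abbreviations the description never mentions, so document that a leading abbreviation of the unit is accepted. Since this is the rules table, this row is also the natural place to say that ''limit'' on an ''ACCEPT'' rule combined with a ''DROP'' or ''REJECT'' zone ''input'' policy is how one rate-limits a service such as SSH from ''wan'': packets over the rate are not matched by the rule and hit the default policy, and the first ''limit_burst'' (default ''5'') packets always get through.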
Line 261: Line 265:
This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10: This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:
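Review bot: renaming the heading to "Port forwarding for IPv4 (Destination NAT/DNAT)" changes its DokuWiki anchor, the same kind of breakage the first hunk in this diff fixes for the connection-tracking section; check this page and pages linking to it for links to the old "Forwarding ports" heading. The "for IPv4" qualifier itself is a good addition, since the IPv6 examples added below use ''config rule'' with ''target ACCEPT'' rather than a redirect, and the heading now makes clear that DNAT is the IPv4-only half of that pair.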
Line 277: Line 281:
<code> <code>
-config 'redirect' +config redirect 
-        option 'name' 'ssh' +        option src      wan 
-        option 'src' 'wan' +        option src_dport 5555 
-        option 'proto' 'tcpudp' +        option proto     tcp 
-        option 'src_dport' '5555' +        option dest      lan 
-        option 'dest_ip' '192.168.1.100' +        option dest_ip   192.168.1.100 
-        option 'dest_port' '22+        option dest_port 22 
-        option 'target' 'DNAT' +</code> 
-        option 'dest' 'lan'+ 
 +==== Allow IPv6 access from internet ==== 
 + 
 +To open port 80 so that a local webserver at ''2001:db8:42::1337'' can be reached from the Internet: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest      lan 
 +        option dest_ip  2001:db8:42::1337 
 +        option dest_port 80 
 +        option family    ipv6 
 +        option target   ACCEPT 
 +</code> 
 + 
 +To open SSH access to all IPv6 hosts in the local network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest     lan 
 +        option dest_port 22 
 +        option family    ipv6 
 +        option target    ACCEPT 
 +</code> 
 + 
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcpudp 
 +        option dest      lan 
 +        option dest_port 1024:65535 
 +        option family    ipv6 
 +        option target    ACCEPT
</code> </code>
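Review bot: the second and third IPv6 examples (''dest_port 22'' and ''dest_port 1024:65535'' with ''dest lan'' and no ''dest_ip'') open those ports on every host in the LAN to the whole Internet, yet the lead-in text does not warn about it; only the first example is scoped with ''option dest_ip 2001:db8:42::1337''. Say explicitly that omitting ''dest_ip'' exposes every host behind the router, which is the opposite of what readers coming from the IPv4 DNAT section expect, and present the ''1024:65535'' rule as an example of the range syntax rather than as a recommended configuration. Smaller points: "all TCP/UDP port between" should be "ports"; the ''option dest'' alignment differs between the three blocks (''dest      lan'' vs ''dest     lan''); and in the rewritten SSH redirect, changing ''proto'' from ''tcpudp'' to ''tcp'' is the right call because it stops UDP 5555 being forwarded for no reason, while dropping ''option target DNAT'' is fine since ''DNAT'' is the default, but keeping ''option name'' would make the generated rule identifiable later.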
Line 621: Line 662:
-===== Note on connection tracking (NOTRACK) =====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ====
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target.
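Review bot: with the section now split into ''==== NOTRACK ===='' and a second subsection, the unchanged paragraph under NOTRACK has no lead-in saying that the section covers two separate mechanisms (NOTRACK rules that skip tracking for a zone, and the sysctl below that skips the filter table for tracked connections); one sentence after the new ''===== Notes on connection tracking =====' heading would stop readers from conflating them. The verification hint in the unchanged text, ''iptables -t raw -vnL'' and looking for the NOTRACK target, still applies and is worth keeping next to the ''conntrack'' zone option it refers to.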
Line 629: Line 672:
If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''. If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html . For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://dev.openwrt.org/changeset/42048/trunk/package|r42048]], there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://dev.openwrt.org/ticket/17690#comment:6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections, you should leave it active.
 +
 +This behavior can be disabled by editing /etc/sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
===== How to delete a rule ===== ===== How to delete a rule =====
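Review bot: the security consequence of ''nf_conntrack_skip_filter'' needs to be stated, not just the performance gain: while the sysctl is ''1'', any filter-table rule intended to act on an already-established connection (a ''LOG'' or ''limit'' rule, or a ''DROP''/''REJECT'' added after the connection was accepted) never sees its packets, because only packets that are not yet in established state pass through the filter table. The paragraph hints at this ("unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections") but should say it as a warning. Wording: "untill" should be "until"; "causes the packets with the established state, completely bypass iptables filter table" reads better as "causes packets belonging to established connections to bypass the iptables filter table completely"; and "activating the new setting" should be "applying the setting", since ''sysctl -p'' only re-reads ''/etc/sysctl.conf''. It would also help to show how to confirm the current value with ''sysctl net.netfilter.nf_conntrack_skip_filter'' before and after the change.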

doc/uci/firewall.1393850717.txt.bz2 · Last modified: 2014/03/03 13:45 by ayaka