User Tools

Site Tools


doc:uci:firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:uci:firewall [2014/03/03 13:45]
ayaka more security
doc:uci:firewall [2014/11/28 13:24] (current)
jow2 Rename forward to accept for IPv6 since it is not a port forward in the traditional sense
Line 56: Line 56:
 | ''​masq_src''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. | | ''​masq_src''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. |
 | ''​masq_dest''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. | | ''​masq_dest''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. |
-| ''​conntrack''​ | boolean | no | ''​1''​ if masquerading is used, ''​0''​ otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |+| ''​conntrack''​ | boolean | no | ''​1''​ if masquerading is used, ''​0''​ otherwise | Force connection tracking for this zone (see [[#notes.on.connection.tracking|Note on connection tracking]]) |
 | ''​mtu_fix''​ | boolean | no | ''​0''​ | Enable MSS clamping for //​outgoing//​ zone traffic | | ''​mtu_fix''​ | boolean | no | ''​0''​ | Enable MSS clamping for //​outgoing//​ zone traffic |
 | ''​input''​ | string | no | ''​DROP''​ | Default policy (''​ACCEPT'',​ ''​REJECT'',​ ''​DROP''​) for //​incoming//​ zone traffic | | ''​input''​ | string | no | ''​DROP''​ | Default policy (''​ACCEPT'',​ ''​REJECT'',​ ''​DROP''​) for //​incoming//​ zone traffic |
Line 90: Line 90:
  
 //Redirects are also commonly known as "port forwarding",​ and "​virtual servers"​.//​ //Redirects are also commonly known as "port forwarding",​ and "​virtual servers"​.//​
 +
 +Port ranges are specified as ''​start:​stop'',​ for instance ''​6666:​6670''​. ​ This is similar to the iptables syntax.
  
 The options below are valid for //​redirects//:​ The options below are valid for //​redirects//:​
Line 117: Line 119:
 | ''​reflection''​ | boolean | no | ''​1''​ | Activate NAT reflection for this redirect - applicable to ''​DNAT''​ targets. | | ''​reflection''​ | boolean | no | ''​1''​ | Activate NAT reflection for this redirect - applicable to ''​DNAT''​ targets. |
 | ''​reflection_src''​ | string | no | ''​internal''​ | The source address to use for NAT-reflected packets if ''​reflection''​ is ''​1''​. This can be ''​internal''​ or ''​external'',​ specifying which interface’s address to use. Applicable to ''​DNAT''​ targets. | | ''​reflection_src''​ | string | no | ''​internal''​ | The source address to use for NAT-reflected packets if ''​reflection''​ is ''​1''​. This can be ''​internal''​ or ''​external'',​ specifying which interface’s address to use. Applicable to ''​DNAT''​ targets. |
-| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Example: ''​3/​hour''​. |+| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Examples: ''​3/​second'',​ ''​3/​sec''​ or ''​3/​s''​. |
 | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ | | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ |
 | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. | | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. |
Line 134: Line 136:
   * If only ''​dest''​ is given, the rule matches //​outgoing//​ traffic   * If only ''​dest''​ is given, the rule matches //​outgoing//​ traffic
   * If neither ''​src''​ nor ''​dest''​ are given, the rule defaults to an //​outgoing//​ traffic rule   * If neither ''​src''​ nor ''​dest''​ are given, the rule defaults to an //​outgoing//​ traffic rule
 +
 +Port ranges are specified as ''​start:​stop'',​ for instance ''​6666:​6670''​. ​ This is similar to the iptables syntax.
  
 Valid options for this section are: Valid options for this section are:
Line 159: Line 163:
 | ''​set_xmark''​ | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ''​set_xmark''​ | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
 | ''​family''​ | string | no | ''​any''​ | Protocol family (''​ipv4'',​ ''​ipv6''​ or ''​any''​) to generate iptables rules for. | | ''​family''​ | string | no | ''​any''​ | Protocol family (''​ipv4'',​ ''​ipv6''​ or ''​any''​) to generate iptables rules for. |
-| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Example: ''​3/​hour''​. |+| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Examples: ''​3/​minute'',​ ''​3/​min''​ or ''​3/​m''​. |
 | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ | | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ |
 | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. | | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. |
Line 261: Line 265:
  
 This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
  
 This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:​ This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:​
Line 277: Line 281:
  
 <​code>​ <​code>​
-config ​'redirect' +config redirect 
-        option ​'​name'​ '​ssh'​ +        option ​src       wan 
-        option ​'​src'​ '​wan'​ +        option ​src_dport 5555 
-        option ​'proto' '​tcpudp'​ +        option proto     tcp 
-        option ​'​src_dport'​ '​5555'​ +        option ​dest      lan 
-        option ​'dest_ip' '192.168.1.100' +        option dest_ip ​  ​192.168.1.100 
-        option ​'dest_port'​ '22+        option dest_port ​22 
-        option ​'target' '​DNAT'​ +</​code>​ 
-        option ​'dest' 'lan'+ 
 +==== Port accept for IPv6 ==== 
 + 
 +To open port 80 so that a local webserver at ''​2001:​db8:​42::​1337'' can be reached from the Internet: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     tcp 
 +        option dest      lan 
 +        option dest_ip ​  ​2001:​db8:​42::​1337 
 +        option dest_port 80 
 +        option family ​   ipv6 
 +        option target ​   ​ACCEPT 
 +</​code>​ 
 + 
 +To open SSH access to all IPv6 hosts in the local network: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     tcp 
 +        option dest      lan 
 +        option dest_port 22 
 +        option family ​   ipv6 
 +        option target ​   ACCEPT 
 +</​code>​ 
 + 
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     ​tcpudp 
 +        option dest      lan 
 +        option dest_port 1024:​65535 
 +        option family ​   ipv6 
 +        option target ​   ACCEPT
 </​code>​ </​code>​
  
Line 621: Line 662:
  
  
-===== Note on connection tracking ​(NOTRACK) ​=====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ​====
  
 By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''​iptables -t raw -vnL'',​ it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''​iptables -t raw -vnL'',​ it will list all rules, check for //NOTRACK// target.
Line 629: Line 672:
 If connection tracking is required, for example by custom rules in ''/​etc/​firewall.user'',​ the ''​conntrack''​ option must be enabled in the corresponding zone to disable //​NOTRACK//​. It should appear as ''​option '​conntrack'​ '​1'​ ''​ in the right zone in ''/​etc/​config/​firewall''​. If connection tracking is required, for example by custom rules in ''/​etc/​firewall.user'',​ the ''​conntrack''​ option must be enabled in the corresponding zone to disable //​NOTRACK//​. It should appear as ''​option '​conntrack'​ '​1'​ ''​ in the right zone in ''/​etc/​config/​firewall''​.
 For further information see http://​security.maruhn.com/​iptables-tutorial/​x4772.html . For further information see http://​security.maruhn.com/​iptables-tutorial/​x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://​dev.openwrt.org/​changeset/​42048/​trunk/​package|r42048]],​ there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://​dev.openwrt.org/​ticket/​17690#​comment:​6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections,​ you should leave it active. ​
 +
 +This behavior can be disabled by editing /​etc/​sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
  
 ===== How to delete a rule ===== ===== How to delete a rule =====
doc/uci/firewall.1393850717.txt.bz2 · Last modified: 2014/03/03 13:45 by ayaka