Firewall rules on OpenWRT

sam1275tom

Oct 13, 2014
Hello.

I have an OpenWRT router which has the following rules allowed from WAN:

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

Can I disable some/all of them to increase security? The router is for normal home use.

Thanks.
 
Solution
That is the best method for security: deny everything and then add rules only for what you know you need. Most of the IPv6 stuff will work fine without special rules even when the ISP supports it. Even more, with IPv6 you do not want to allow incoming traffic of any kind. With IPv4 you have the NAT doing most of the function of a firewall purely because it is too dumb to know which internal machine to give traffic to. When you have IPv6 your machines are directly on the internet.
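An added example (not from any poster in this thread, and not OpenWrt's own code): a small Python audit script that parses the UCI syntax posted above and lists every rule that ACCEPTs traffic arriving from the wan zone, separating rules that only reach the router itself (no dest) from rules that forward traffic into another zone (dest set, such as lan). That split is what matters when you follow the "deny everything, then add what you need" advice: the forwarded ones are the rules that expose machines behind the router. The embedded config is a constructed subset of the rules in the question, preceded by a wan zone stanza with input and forward set to REJECT (the default OpenWrt ships); the function names are my own.

```python
import re

# Constructed sample: a subset of the rules from the question, preceded by
# the wan zone stanza OpenWrt ships by default (input and forward REJECT,
# so only explicit rules let anything in from the WAN).
SAMPLE_CONFIG = """\
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+(\S+))?$")
_ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+(.+)$")


def _unquote(value):
    """Strip one layer of matching single or double quotes, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Parse UCI text into sections of the form {type, options, lists}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:  # 'config <type> [<name>]' starts a new section
            current = {"type": m.group(1), "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current["options"][key] = _unquote(value)
            else:  # 'list' keys may repeat and accumulate
                current["lists"].setdefault(key, []).append(_unquote(value))
    return sections


def audit_wan_accepts(text):
    """One record per rule that ACCEPTs traffic arriving from the wan zone.

    scope is 'input' when the rule has no dest (traffic terminates on the
    router) and 'forward' when it has one (traffic is passed into another
    zone such as lan, or '*' for any zone).
    """
    report = []
    for sec in parse_uci(text):
        opts = sec["options"]
        if sec["type"] != "rule" or opts.get("src") != "wan":
            continue
        if opts.get("target", "").upper() != "ACCEPT":
            continue
        icmp = sec["lists"].get("icmp_type") or (
            [opts["icmp_type"]] if "icmp_type" in opts else [])
        report.append({
            "name": opts.get("name", "<unnamed>"),
            "scope": "forward" if "dest" in opts else "input",
            "dest": opts.get("dest"),
            "proto": opts.get("proto", "any"),
            "dest_port": opts.get("dest_port"),
            "family": opts.get("family", "any"),
            "icmp_types": icmp,
        })
    return report


if __name__ == "__main__":
    for r in audit_wan_accepts(SAMPLE_CONFIG):
        port = f"/{r['dest_port']}" if r["dest_port"] else ""
        print(f"{r['scope']:7} {r['name']:18} {r['proto']}{port} dest={r['dest']}")
```

To run it against a real router, replace SAMPLE_CONFIG with the contents of /etc/config/firewall; every line the script prints with scope "forward" is a hole into the LAN that the zone's REJECT default would otherwise have closed, so each one should be justifiable by a service you actually run behind the router.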

sam1275tom

Thank you. Could you explain the other settings, for example, why I need the WAN port open for DHCP, MLD, ESP? I can have a computer working perfectly without exception rules in the firewall, so why can't I do it on a router?
 
Where do you have this router? Are you using it internally or on the internet?

IPv6 stuff is generally not used much, so unless your ISP supports it there is not much need... then again, if it is not supported you will never see IPv6 traffic and the rules will never do anything anyway.

Even if you have IPv6, I have seen no ISP that supports multicast, even on IPv4. Multicast use even in corporate installs is rare. Why would you think you need MLD?

 

t53186

For the most part, on a Windows computer firewall rules (allow/disallow) are created automatically for the user, for the most common network configurations. You may have seen this done when Windows asks about a newly discovered network. One of the first questions: is this network home, work, or public?

An "out of the box" new router from your local electronics store will do that also. Most users don't know what a firewall is and have little desire or need to go into the settings.

UDP, TCP/IP, DHCP, and all the others are services and protocols (traffic) that can be present at the firewall. Some you need, some you don't. Some can be exploited by any number of hacks and illegal activity.

Hope this answers some of your questions.
 

sam1275tom

I use it as a home internet gateway; the WAN port connects to a fiber modem that operates in dumb-bridge mode.
 

sam1275tom

I do manually configure the computer's firewall to disallow ANY incoming traffic, and it still works.
 