this post was submitted on 06 Feb 2024
12 points (92.9% liked)

OpenWrt

298 readers
1 users here now

OpenWrt news, tools, tips and discussion. Related projects, such as DD-WRT, Tomato and OpenSAN, are also on-topic.

Rules

  1. Stay on topic: All posts should be related to OpenWrt and related projects, including DD-WRT, Tomato, OpenSAN, and more!

  2. No offensive or low-effort content: Don't post offensive or unhelpful content. Be nice - keep it civil and friendly!

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English, behind a paywall or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy: Do not share links or direct people to pirated content.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No affiliate links: Posting affiliate links is not allowed.

founded 1 year ago
MODERATORS
ijeff@lemdro.id
inspector@gadgetro.id
12
Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpereting what they are saying exactly. (sh.itjust.works)
submitted 9 months ago* (last edited 9 months ago) by Kalcifer@sh.itjust.works to c/openwrt@lemdro.id
6 comments fedilink hide all child comments
 

cross-posted to: https://sh.itjust.works/post/14114583

If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interperet that as saying that wan doesn't go anywhere, but that wouldn't make sense given that the router can send, and receive over the internet.

For example I would interperet the first rule as follows:

  • lan => wan: the conditions for which connections from the lan interface are forwarded to to the wan interface.
  • Input: accept: the lan interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject).
  • Output: accept: all connections exiting the wan interface are accepted (again, I'm not sure what the point of this would be).
  • Forward: accept: forwarding of packets from lan to wan is allowed.
  • Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the lan interface?

I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.

top 6 comments
sorted by: hot top controversial new old
[–] mhzawadi@lemmy.horwood.cloud 4 points 9 months ago (1 children)

have clicked the add button at the bottom of the zones, found the below. A look at the current zones show that LAN -> WAN is how you get out and WAN -> REJECT is the WAN -> LAN side.

So what your doing is allow all traffic in, out and forwarded of LAN

But reject any in and forward from WAN to LAN, as the traffic leaves the WAN interface masquerade it as the WAN IP

This section defines common properties of "this new zone". The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specifies which available networks are members of this zone.

The options below control the forwarding policies between this zone (this new zone) and other zones. Destination zones cover forwarded traffic originating from this new zone. Source zones match forwarded traffic from other zones targeted at this new zone. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.

[–] Kalcifer@sh.itjust.works 2 points 9 months ago (1 children)

But reject any in [...] from WAN

I don't understand this one. Wouldn't this then reject any connection to the router from the internet? Say you have a server behind the router that is port forwarded. If you have Input: reject on wan, wouldn't this then mean that the router just drops any request to the server as that would be an input originating on the wan interface destined for the router?

as the traffic leaves the WAN interface masquerade it as the WAN IP

This is a great way to explain the masquerade setting! Thanks!

[–] mhzawadi@lemmy.horwood.cloud 0 points 9 months ago (1 children)

Thats how my setup looks, I do have about 7 NAT rules also and they work fine

[–] Kalcifer@sh.itjust.works 2 points 9 months ago (1 children)

Do you not know the answer to my question, or did you perhaps misunderstand it? You seem to have skipped over the whole comment 😆

[–] mhzawadi@lemmy.horwood.cloud 1 points 9 months ago (1 children)

in short, no I dont know how the firewalling works.

So a read of the wiki has what I thought

  • INPUT is into the router
  • OUTPUT is from the router
  • FORWARD is across the router

all as default settings, NAT is applied after the zone rules. So even though the zone will reject INPUT, a NAT rule will allow it.

Does that help?

[–] Kalcifer@sh.itjust.works 1 points 9 months ago* (last edited 9 months ago)

So even though the zone will reject INPUT, a NAT rule will allow it.

I don't think this is correct. NAT doesn't "allow" connections -- It just masquerades the source IP as that of the router. For WAN connections to be accepted, conntrack must see them as related to connections that were initiated by the router, or by a device on the LAN (assuming, of course, that conntrack is enabled, which, in my case, it is).