Development issues regarding the cerowrt test router project
From: Vincent Frentzel <zcecc22@c3r.es>
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] saner defaults for config/firewall
Date: Fri, 21 Feb 2014 00:25:23 +0100	[thread overview]
Message-ID: <CACCCjEXdFP40pa_4L3gAK8kyCq_Qj2tZF-VEFqNGp9=jS4JpYg@mail.gmail.com> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 549 bytes --]

Hi everyone,

After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.

The changes introduced are as follows:

- LAN (s+) to/from GUEST (gw+) is not allowed: no forwarding is defined between the two zones, so the default forward policy (REJECT) applies.
- GUEST to ROUTER is restricted to DNS, DHCP and NTP (plus a limited set of rate-limited ICMPv6 types); the guest zone's input policy is REJECT.
- I've tuned the basic IPv6 rules to take the above changes into account
and allow IP protocol 41 on INPUT from WAN for 6to4/6in4 tunnels.
- LAN to/from ROUTER everything is allowed.

This could be a nice default config.

Feedback welcome.

[-- Attachment #1.2: Type: text/html, Size: 729 bytes --]

[-- Attachment #2: firewall --]
[-- Type: application/octet-stream, Size: 3569 bytes --]


# Global fallback policies. fw3 installs these as the base chain policies, so
# in practice they govern traffic on interfaces that none of the zones below
# claims ('s+', 'gw+', ge00/wan6). With input/output ACCEPT such an unzoned
# interface (a new tunnel or VLAN) is wide open to the router itself.
# NOTE(review): a fail-closed 'input REJECT' here would be stricter — confirm
# nothing relies on the unzoned default before changing it.
# forward REJECT is what actually blocks lan<->guest: no forwarding stanza
# exists for that pair, so it falls through to this policy.
# (Comments in this file are dropped the next time uci(1) rewrites it.)
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# packets conntrack classifies INVALID are dropped before any rule
	option drop_invalid '1'
	# SYN rate limiting for the router's own services: 200/s sustained, 500 burst
	option synflood_protect '1'
	option synflood_rate '200/s'
	option synflood_burst '500'
	option tcp_ecn '1'

# Untrusted side: ge00 (IPv4 uplink) and wan6. Unsolicited traffic to the
# router (input) and through it (forward) is silently dropped; only the
# explicit 'src wan' rules further down open holes. masq + mtu_fix give IPv4
# NAT and TCP MSS clamping for the hosts behind the router.
# NOTE(review): assumes wan6 is the IPv6 uplink/tunnel interface — confirm
# that decapsulated 6in4/6to4 traffic really enters this zone; if the tunnel
# interface is unzoned it gets the 'defaults' input ACCEPT instead of DROP.
config zone
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option network 'ge00 wan6'

# Trusted side: every interface whose name matches the 's+' glob (the cover
# mail calls this LAN). input ACCEPT means every service the router listens
# on is reachable from here — intended per the mail ("LAN to/from ROUTER
# everything is allowed"), but it is also what a compromised LAN host gets.
# forward ACCEPT only covers traffic between interfaces inside this zone;
# leaving the zone is governed by the forwarding stanzas.
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan'
	option device 's+'

# lan may initiate connections towards wan; replies come back via conntrack.
# There is deliberately no lan->guest (or guest->lan) entry, so that pair
# falls to the 'defaults' forward policy (REJECT).
config forwarding
	option dest 'wan'
	option src 'lan'

# Guest side: interfaces matching 'gw+'. input REJECT: guests get an ICMP
# error for anything not opened by the DNS/NTP/DHCP/ICMPv6 rules below
# (REJECT is friendlier to clients than DROP, but also confirms the router
# is listening; use DROP if that matters).
# forward ACCEPT here is intra-zone: hosts on different gw* interfaces can
# talk to each other. If guests are supposed to be isolated from one
# another, set this to 'REJECT' too — it has no bearing on guest->lan,
# which has no forwarding stanza and is rejected by the defaults.
config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option forward 'ACCEPT'
	option device 'gw+'

# guest may initiate towards wan only (NATed by the wan zone's masq).
# No entry towards lan: that is what keeps guests off the trusted network.
config forwarding
	option dest 'wan'
	option src 'guest'

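# Accept IPv6-in-IPv4 (IP protocol 41) arriving on wan so 6in4/6to4 tunnels
# can terminate on the router. 'family ipv4' keeps this rule out of
# ip6tables: without it fw3 emits it for both families, and in the IPv6
# table '-p 41' would also open IPv6-in-IPv6 next-header traffic.
# Security note: as written any Internet host may deliver proto-41 to the
# router; the inner IPv6 packets are only as filtered as the zone the tunnel
# interface lands in (see the wan zone's 'wan6'). For a 6in4 tunnel with a
# fixed broker, add 'option src_ip <broker IPv4 address>' to pin it to that
# peer; 6to4 relays are anycast (192.88.99.0/24) and cannot be pinned.
config rule
	option name '6TO4'
	option src 'wan'
	option family 'ipv4'
	option proto '41'
	option target 'ACCEPT'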

# guest may query the router's resolver on UDP and TCP 53. No 'dest' means
# an INPUT rule (traffic addressed to the router itself), not forwarding.
# No family is set, so it applies to both IPv4 and IPv6.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'DNS-GUEST'
	option src 'guest'

# guest may use the router as NTP server (UDP 123, INPUT). Harmless but
# unused if only an NTP client runs on the router — TODO confirm a server
# actually listens on the gw* addresses.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '123'
	option name 'NTP-GUEST'
	option src 'guest'

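# guest clients must reach the router's DHCPv4 server. A client sends
# DISCOVER/REQUEST from UDP port 68 to *destination* port 67; the original
# 'dest_port 68' mirrored the WAN rule (where the router is the DHCP
# *client* receiving replies on 68) and therefore never matched a guest
# request, leaving DHCP to the zone's input REJECT — unless
# /etc/firewall.user (not visible here) already opens 67.
config rule
	option name 'DHCPv4-GUEST'
	option src 'guest'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'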

# The router is a DHCPv4 *client* on wan: server replies (including unicast
# renewals) arrive at UDP 68, same as OpenWrt's stock Allow-DHCP-Renew rule.
# Correct for this role; on zones where the router is the server the port
# that has to be open is 67 instead.
config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option dest_port '68'
	option src 'wan'
	option name 'DHCPv4-WAN'

# The router is a DHCPv6 *client* on wan: accept server->client messages
# (547 -> 546) only between link-local addresses, as in OpenWrt's stock
# Allow-DHCPv6 rule. The fe80::/10 pin on both ends is what keeps this from
# being a general UDP/546 hole from the Internet.
config rule
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option name 'DHCPv6-WAN'

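# guest clients must reach the router's DHCPv6 server. A client sends
# SOLICIT/REQUEST from its link-local address to *destination* port 547
# (multicast ff02::1:2, or the router's link-local on renew). The original
# stanza was a copy of the WAN client rule (547 -> 546, dest fe80::/10) and
# so never matched a guest request — unless /etc/firewall.user (not visible
# here) already opens 547. The source stays pinned to link-local, which
# RFC 3315 requires of clients; dest_ip is left open because ff02::1:2 is
# not inside fe80::/10, and src_port is not pinned because the client's
# source port is not mandated.
config rule
	option name 'DHCPv6-GUEST'
	option src 'guest'
	option family 'ipv6'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option dest_port '547'
	option target 'ACCEPT'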

# Shell hook executed after the generated ruleset is loaded (its position in
# this file does not matter). Anything in /etc/firewall.user can silently
# widen or narrow every rule above and is not visible here — review it
# together with this file whenever the policy is audited.
config include
	option path '/etc/firewall.user'

# ICMPv6 the router accepts from wan (INPUT), capped at 200/sec. With
# 'family ipv6', proto 'icmp' is emitted as icmpv6 by fw3. The error types
# and packet-too-big are required for the router's own IPv6 connectivity
# (PMTUD); router/neighbour solicitation/advertisement are required for
# SLAAC and NDP on the uplink. echo-request makes the router pingable from
# the Internet, which is a deliberate trade-off — drop that line if not
# wanted. Types not listed fall to the zone's input DROP.
config rule
	option name 'ICMPv6-WAN'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same ICMPv6 set as for wan, but from guest (INPUT), capped at 200/sec.
# Neighbour solicitation/advertisement are needed for the router to talk to
# guest hosts at all; router-solicitation is needed for the router to answer
# with RAs. 'router-advertisement' is the odd one out: the router is not a
# client on gw*, so it has no reason to accept RAs from a guest host
# (rogue-RA vector against the router itself). Whether the kernel acts on
# them depends on accept_ra for the gw* interfaces — TODO confirm; if it is
# not 0, remove that line.
config rule
	option name 'ICMPv6-GUEST'
	option src 'guest'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan into *any* zone (dest '*' covers lan and guest),
# capped at 200/sec. The error types are what lets PMTUD and unreachables
# reach internal hosts; without them IPv6 sessions stall. echo-request here
# means every internal IPv6 host — guest ones included, even though guest
# has no other inbound forwarding — is pingable from the Internet. Remove
# 'echo-request' if that is unwanted; keep the error types.
config rule
	option name 'ICMPv6-FORWARD'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '200/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# miniupnpd's own script adds IPv4 port forwards (UPnP/NAT-PMP) at runtime,
# i.e. internal clients can open inbound ports through wan without any
# change to this file. Which interfaces may request mappings is decided in
# miniupnpd's configuration (presumably /etc/config/upnpd), not here —
# verify gw* is not among them if guests must not be able to expose
# services. reload '1' re-runs the script on every firewall reload.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'IPv4'
	option reload '1'


Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-20 23:25 Vincent Frentzel [this message]
2014-02-23 17:21 ` Dave Taht
2014-02-23 19:10   ` J. Daniel Ashton
2014-02-24  8:07     ` Vincent Frentzel
2014-02-24  9:29       ` Sebastian Moeller
2014-02-24 10:05         ` Vincent Frentzel
2014-02-24 10:18           ` Fred Stratton
2014-02-24 11:03             ` Fred Stratton
2014-02-24 11:35               ` Vincent Frentzel
2014-02-24 12:45                 ` Fred Stratton
2014-02-24 12:54                   ` Robert Bradley
2014-02-24 13:05                     ` Vincent Frentzel
2014-02-24 13:48                       ` Robert Bradley
2014-02-24 13:35                 ` Sebastian Moeller
2014-02-24 13:29           ` Sebastian Moeller
2014-02-24 16:24     ` Dave Taht
2014-03-03 19:41     ` David Lang
