From: Vincent Frentzel <zcecc22@c3r.es>
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] saner defaults for config/firewall
Date: Fri, 21 Feb 2014 00:25:23 +0100 [thread overview]
Message-ID: <CACCCjEXdFP40pa_4L3gAK8kyCq_Qj2tZF-VEFqNGp9=jS4JpYg@mail.gmail.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 549 bytes --]
Hi everyone,
After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.
The changes introduced are as follows:
- LAN (s+) to/from GUEST (gw+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
- I've tuned the basic IPv6 rules to take the above changes into account
and allow proto 41 INPUT for 6to4/6in4 tunnels.
- LAN to/from ROUTER everything is allowed.
This could be a nice default config.
Feedback welcome.
[-- Attachment #1.2: Type: text/html, Size: 729 bytes --]
[-- Attachment #2: firewall --]
[-- Type: application/octet-stream, Size: 3569 bytes --]
# Global policies: these apply to traffic on interfaces that are not covered by
# any of the zones below, and to inter-zone traffic with no 'config forwarding'.
config defaults
# NOTE(review): INPUT defaults to ACCEPT, so an interface that none of the
# 'wan', 'lan' or 'guest' zones claims (for example a 6in4/6to4 tunnel
# interface not added to the wan zone's 'network' list) gets unrestricted
# access to the router. For a lock-down default consider 'REJECT' here and
# make sure every interface belongs to a zone.
option input 'ACCEPT'
option output 'ACCEPT'
# Zone-to-zone traffic without an explicit 'config forwarding' entry is
# rejected; this is what keeps lan and guest apart in this file.
option forward 'REJECT'
# Discard packets that conntrack classifies as INVALID.
option drop_invalid '1'
# Rate-limit new TCP connections: 200/s sustained, bursts of 500.
option synflood_protect '1'
option synflood_rate '200/s'
option synflood_burst '500'
option tcp_ecn '1'
# Untrusted upstream: the IPv4 WAN interface and its IPv6 counterpart.
config zone
# Traffic to the router and through it is silently dropped unless a rule
# below opens it; DROP (rather than REJECT) avoids answering scans.
option input 'DROP'
option forward 'DROP'
option output 'ACCEPT'
option name 'wan'
# IPv4 NAT and TCP MSS clamping to the path MTU.
option masq '1'
option mtu_fix '1'
# NOTE(review): a 6in4/6to4 tunnel (see the 6TO4 rule) is a separate logical
# interface and must be added to this list; otherwise the decapsulated IPv6
# traffic is governed by 'config defaults' (input ACCEPT), not by this zone.
option network 'ge00 wan6'
# Trusted LAN side: every interface whose name starts with "s" (iptables
# wildcard 's+'). LAN hosts may reach the router on any port.
config zone
option name 'lan'
option device 's+'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# lan -> wan is the only inter-zone path granted to the LAN. There is
# deliberately no forwarding towards 'guest', so the defaults' forward
# 'REJECT' blocks lan <-> guest in both directions.
config forwarding
option src 'lan'
option dest 'wan'
# Guest side: every interface whose name starts with "gw". Traffic to the
# router is refused (REJECT, so clients fail fast) except for the
# DNS/DHCP/NTP and ICMPv6 rules further down.
config zone
option name 'guest'
option device 'gw+'
option input 'REJECT'
option output 'ACCEPT'
# 'forward' on a zone governs traffic between interfaces of that same zone,
# i.e. one guest interface to another. guest <-> lan has no 'config
# forwarding' entry and therefore falls to the defaults' forward 'REJECT'.
option forward 'ACCEPT'
# Guests are only ever forwarded to the WAN.
config forwarding
option src 'guest'
option dest 'wan'
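# Accept IPv6-in-IPv4 (IP protocol 41) arriving on the WAN so that a
# 6to4/6in4 tunnel terminated on the router can receive its encapsulated
# traffic.
config rule
option name '6TO4'
option src 'wan'
# Restrict to IPv4: protocol 41 is only meaningful as the outer IPv4
# protocol. Without a family the rule is also installed in ip6tables, where
# '-p 41' would admit IPv6-in-IPv6 from the WAN for no reason.
option family 'ipv4'
option proto '41'
option target 'ACCEPT'
# NOTE(review): this accepts protocol 41 from ANY IPv4 source. For a static
# 6in4 tunnel add "option src_ip '<tunnel endpoint>'" so that only the tunnel
# broker can inject traffic; only anycast 6to4 genuinely needs the open form.
# The decapsulated IPv6 then enters on the tunnel interface, which must be in
# the wan zone's 'network' list to be subject to the wan policies.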
# Guest -> router services. DNS on both transports (TCP is needed for
# answers too large for a UDP datagram).
config rule
option name 'DNS-GUEST'
option src 'guest'
option proto 'tcp udp'
option dest_port '53'
option target 'ACCEPT'
# NTP (UDP 123) from guests to the router's time service.
config rule
option name 'NTP-GUEST'
option src 'guest'
option proto 'udp'
option dest_port '123'
option target 'ACCEPT'
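# DHCPv4 from guest clients to the router's DHCP server. Clients send from
# UDP port 68 to server port 67 (RFC 2131); a router only listens on port 68
# when it is itself a DHCP *client*, which is the WAN case handled by
# DHCPv4-WAN. The previous dest_port '68' (copied from that WAN rule) did
# not admit guest DISCOVER/REQUEST messages through the guest zone's input
# 'REJECT', so guests could not obtain a lease from this firewall's point of
# view.
config rule
option name 'DHCPv4-GUEST'
option src 'guest'
option family 'ipv4'
option proto 'udp'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'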
# Replies from the upstream DHCPv4 server to the router's own DHCP client on
# the WAN (server port 67 -> client port 68); the stock OpenWrt config has
# the same rule under the name Allow-DHCP-Renew.
config rule
option name 'DHCPv4-WAN'
option src 'wan'
option family 'ipv4'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
# Replies from the upstream DHCPv6 server to the router's DHCPv6 client on
# the WAN. These are unicast link-local -> link-local, from server port 547
# to client port 546, which is exactly what is matched here.
config rule
option name 'DHCPv6-WAN'
option src 'wan'
option family 'ipv6'
option proto 'udp'
option src_ip 'fe80::/10'
option dest_ip 'fe80::/10'
option src_port '547'
option dest_port '546'
option target 'ACCEPT'
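# DHCPv6 from guest clients to the router's DHCPv6 server. Clients send from
# their link-local address, UDP source port 546, to the
# All_DHCP_Relay_Agents_and_Servers multicast group ff02::1:2 on port 547
# (RFC 3315). The previous 547 -> 546 / link-local -> link-local form was the
# WAN-side *client* direction copied from DHCPv6-WAN and would not match a
# guest Solicit/Request at all: wrong port direction, and the destination is
# a multicast address, not fe80::/10.
config rule
option name 'DHCPv6-GUEST'
option src 'guest'
option family 'ipv6'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '546'
option dest_port '547'
option target 'ACCEPT'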
# Run the local script /etc/firewall.user after the rules in this file.
# NOTE(review): whatever that script adds is raw iptables that is not subject
# to the zone policies above; audit it alongside this config when reviewing
# the lock-down.
config include
option path '/etc/firewall.user'
# ICMPv6 from the WAN to the router itself. Beyond ping and the error
# messages needed for path-MTU discovery, the RS/RA and NS/NA types are
# required so the WAN link can run SLAAC and neighbour discovery.
config rule
option name 'ICMPv6-WAN'
option src 'wan'
option family 'ipv6'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
# One aggregate limit for all the types above: a sustained ping flood from
# the WAN would also throttle ND traffic on the WAN link.
option limit '200/sec'
option target 'ACCEPT'
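# ICMPv6 from guest clients to the router: neighbour discovery, router
# solicitations (so the router can answer with its RA), ping and the error
# messages needed for path-MTU discovery, rate-limited.
config rule
option name 'ICMPv6-GUEST'
option src 'guest'
option family 'ipv6'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'neighbour-advertisement'
# 'router-advertisement' is deliberately NOT listed, unlike the WAN rule this
# was copied from: on a guest network the router is the only legitimate
# advertiser, so accepting RAs from guest clients only gives a rogue client a
# way to push prefixes/routes at the router. (Whether the kernel would act on
# them depends on accept_ra for the gw interfaces; not accepting them at the
# firewall removes the question.)
option limit '200/sec'
option target 'ACCEPT'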
# ICMPv6 forwarded from the WAN into any zone ('*'): error messages so that
# internal hosts get path-MTU feedback, plus echo request/reply.
# NOTE(review): with 'dest *' every lan and guest host with a global IPv6
# address is pingable from the Internet (rate-limited). That matches the
# upstream OpenWrt default and is usually wanted for reachability debugging;
# drop the two echo types from this list if that is not acceptable.
config rule
option name 'ICMPv6-FORWARD'
option src 'wan'
option dest '*'
option family 'ipv6'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '200/sec'
option target 'ACCEPT'
# UPnP IGD: miniupnpd installs its own redirect rules through this script
# (IPv4 only, re-run on every firewall reload).
# NOTE(review): any host on the interfaces miniupnpd listens on (set in
# miniupnpd's own config, not here) can open inbound WAN ports on request,
# which sidesteps the wan zone's input/forward 'DROP' for those ports. A
# lock-down default may prefer to leave this include out, or to confirm the
# guest interfaces are not among the listening ones.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'IPv4'
option reload '1'
2014-02-20 23:25 Vincent Frentzel [this message]
2014-02-23 17:21 ` Dave Taht
2014-02-23 19:10 ` J. Daniel Ashton
2014-02-24 8:07 ` Vincent Frentzel
2014-02-24 9:29 ` Sebastian Moeller
2014-02-24 10:05 ` Vincent Frentzel
2014-02-24 10:18 ` Fred Stratton
2014-02-24 11:03 ` Fred Stratton
2014-02-24 11:35 ` Vincent Frentzel
2014-02-24 12:45 ` Fred Stratton
2014-02-24 12:54 ` Robert Bradley
2014-02-24 13:05 ` Vincent Frentzel
2014-02-24 13:48 ` Robert Bradley
2014-02-24 13:35 ` Sebastian Moeller
2014-02-24 13:29 ` Sebastian Moeller
2014-02-24 16:24 ` Dave Taht
2014-03-03 19:41 ` David Lang