Firewall settings

Use this information to set configuration of firewall.

Set default firewall

The default section declares global firewall settings which do not belong to specific zones.

Table 1. Set default firewall
Syntax
sudo uci set firewall.@defaults[0].input=<input>

sudo uci set firewall.@defaults[0].output=<output>

sudo uci set firewall.@defaults[0].forward=<forward>

sudo uci set firewall.@defaults[0].syn_flood=<syn_flood>

sudo uci set firewall.@defaults[0].drop_invalid=<drop_invalid>
Table 2. Parameters
Name Type Required Default Description

input

string

no

REJECT

Set policy for the INPUT chain of the filter table.

output

string

no

REJECT

Set policy for the OUTPUT chain of the filter table.

forward

string

no

REJECT

Set policy for the FORWARD chain of the filter table.

syn_flood

boolean

no

0

Enable SYN flood protection (obsoleted by synflood_protect setting).

drop_invalid

boolean

no

0

Drop invalid packets (e.g. not matching any active connection).

Commands example:

Table 3. Commands example
sudo uci set firewall.@defaults[0].input=ACCEPT  
sudo uci set firewall.@defaults[0].output= ACCEPT  
sudo uci set firewall.@defaults[0].forward= ACCEPT  
sudo uci set firewall.@defaults[0].syn_flood=1  
sudo uci set firewall.@defaults[0].drop_invalid=1  
sudo uci commit firewall  
sudo /etc/init.d/firewall restart

Add a new Zone

This section defines common properties of test. The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specify which available networks are members of this zone.

Table 4. Add a new Zone
Syntax
sudo uci add firewall zone
sudo uci set firewall.@zone[-1].name=<name>
sudo uci set firewall.@zone[-1].input=<input>
sudo uci set firewall.@zone[-1].output=<output>
sudo uci set firewall.@zone[-1].forward=<forward>
sudo uci set firewall.@zone[-1].masq=<masq>
sudo uci set firewall.@zone[-1].mtu_fix=<mtu_fix>
sudo uci set firewall.@zone[-1].network=<network>
sudo uci set firewall.@zone[-1].family=<family>
sudo uci set firewall.@zone[-1].masq_src=<masq_src>
sudo uci set firewall.@zone[-1].masq_dest=<masq_dest>
sudo uci set firewall.@zone[-1].conntrack=<conntrack>
sudo uci set firewall.@zone[-1].log=<log>
sudo uci set firewall.@zone[-1].log_limit=<log_limit>
sudo uci commit firewall
Table 5. Parameters

Parameter

Type

Required

Default

Description

name

zone name

yes

none

Unique zone name. 11 characters is the maximum working firewall zone name length.

input

string

no

REJECT

Set policy for the INPUT chain of the filter table.

output

string

no

REJECT

Set policy for the OUTPUT chain of the filter table.

forward

string

no

REJECT

Set policy for the FORWARD chain of the filter table.

masq

boolean

no

0

Specifies whether outgoing zone traffic should be masqueraded - this is typically enabled on the wan zone.

mtu_fix

boolean

no

0

Enable MSS clamping for outgoing zone traffic.

network

list

no

none

List of interfaces attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks. Use list syntax as explained in uci.

family

string

no

0

Protocol family (ipv4, ipv6 or any) to generate iptables rules for.

masq_src

list of subnets

no

0.0.0.0/0

Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.

masq_dest

list of subnets

no

0.0.0.0/0

Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.

conntrack

boolean

no

1 if masquerading is used, 0 otherwise

Force connection tracking for this zone (see Note on connection tracking).

log

boolean

no

0

Create log rules for rejected and dropped traffic in this zone.

log_limit

string

no

10/minute

Limits the amount of log messages per interval.

Commands example:

Table 6. Commands example
sudo uci add firewall zone  
sudo uci set firewall.@zone[-1].name=test  
sudo uci set firewall.@zone[-1].input=ACCEPT  
sudo uci set firewall.@zone[-1].output= ACCEPT  
sudo uci set firewall.@zone[-1].forward= ACCEPT  
sudo uci set firewall.@zone[-1].masq=<masq>  
sudo uci set firewall.@zone[-1].mtu_fix=<mtu_fix>  
sudo uci set firewall.@zone[-1].network=<network>  
sudo uci set firewall.@zone[-1].family=<family>  
sudo uci set firewall.@zone[-1].masq_src=<masq_src>  
sudo uci set firewall.@zone[-1].masq_dest=<masq_dest>  
sudo uci set firewall.@zone[-1].conntrack=<conntrack>  
sudo uci set firewall.@zone[-1].log=<log>  
sudo uci set firewall.@zone[-1].log_limit=<log_limit>  
sudo uci commit firewall  
sudo /etc/init.d/firewall restart  

Add a new forwarding

The forwarding sections control the traffic flow between zones and may enable MSS clamping for specific directions. Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.

Table 7. Add a new forwarding
Syntax
sudo uci set firewall.@zone[-1].src=<src>
sudo uci set firewall.@zone[-1].dest=<dest>
sudo uci commit firewall
Table 8. Parameters
Parameter Type Required Default Description

src

zone name

yes

none

Specifies the traffic source zone. Must refer to one of the defined zone names.

dest

zone name

yes

none

Specifies the traffic destination zone. Must refer to one of the defined zone names.

Commands example:

Table 9. Commands example
sudo uci set firewall.@zone[-1].src=test
sudo uci set firewall.@zone[-1].dest=lan
sudo uci commit firewall
sudo /etc/init.d/firewall restart 

Add a new port forwards

Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on the specified source zone which matches the given rules will be directed to the specified internal host. Redirects are also commonly known as "port forwarding", and "virtual servers". Port ranges are specified as start:stop, for instance 6666:6670. This is similar to the iptables syntax.

Table 10. Add a new port forwards
Syntax
sudo uci add firewall redirect
sudo uci set firewall.@redirect[-1].enabled=<enabled>
sudo uci set firewall.@redirect[-1].name=<name>
sudo uci set firewall.@redirect[-1].proto=<proto>
sudo uci set firewall.@redirect[-1].src=<src>
sudo uci set firewall.@redirect[-1].src_mac=<src_mac>
sudo uci set firewall.@redirect[-1].src_ip=<src_ip>
sudo uci set firewall.@redirect[-1].src_port=<src_port>
sudo uci set firewall.@redirect[-1].src_dip=<src_dip>
sudo uci set firewall.@redirect[-1].src_dport=<src_dport>
sudo uci set firewall.@redirect[-1].dest=<dest>
sudo uci set firewall.@redirect[-1].dest_ip=<dest_ip>
sudo uci set firewall.@redirect[-1].dest_port=<dest_port>
sudo uci set firewall.@redirect[-1].reflection=<reflection>
sudo uci commit firewall
Table 11. Parameters
Parameter Type Required Default Description

enabled

string

no

1 or yes

Enable the redirect rule or not.

name

string

no

none

Unique redirect name.

proto

protocol name or number

yes

tcp udp

Match incoming traffic using the given protocol.

src

zone name

no

yes for DNAT target

Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is wan.

src_mac

mac address

no

none

Match incoming traffic from the specified mac address.

src_ip

ip address

no

none

Match incoming traffic from the specified source ip address.

src_port

port or range

no

none

Match incoming traffic originating from the given source port or port range (ex: '5000-5100') on the client host.

src_dip

ip address

yes for SNAT target

none

For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address.

src_dport

port or range

no

none

For DNAT, match incoming traffic directed at the given destination port or port range (ex: '5000-5100') on this host. For SNAT rewrite the source ports to the given value.

dest

zone name

yes for SNAT target

none

Specifies the traffic destination zone. Must refer to one of the defined zone names. For DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan.

dest_ip

ip address

yes for DNAT target

none

For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT if the dest_ip value matches the local ip addresses of the router, as shown in the ifconfig, then the rule is translated in a DNAT + input 'accept' rule. Otherwise it is a DNAT + forward rule.

dest_port

port or range

no

none

For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified (ex: '5000-5100'), not disparate ports as with Rules (below).

reflection

boolean

no

1

Activate NAT reflection for this redirect - applicable to DNAT targets.

Commands example:

Table 12. Forwards http (not HTTPS) traffic to the webserver running on 192.168.1.10:
sudo uci add firewall redirect
sudo uci set firewall.@redirect[-1].enabled=1
sudo uci set firewall.@redirect[-1].proto=tcp
sudo uci set firewall.@redirect[-1].src=wan
sudo uci set firewall.@redirect[-1].src_dport=80
sudo uci set firewall.@redirect[-1].dest=lan
sudo uci set firewall.@redirect[-1].dest_ip=192.168.1.10
sudo uci commit firewall
sudo /etc/init.d/firewall restart 

Add a new traffic rule

Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on the specified source zone which matches the given rules will be directed to the specified internal host. Redirects are also commonly known as port forwarding, and virtual servers. Port ranges are specified as start:stop, for instance 6666:6670. This is similar to the iptables syntax.

Table 13. Add a new traffic rule
Syntax
sudo uci add firewall rule
sudo uci set firewall.@rule[-1].enabled=<enabled>
sudo uci set firewall.@rule[-1].name=<name>
sudo uci set firewall.@rule[-1].family=<family>
sudo uci set firewall.@rule[-1].proto=<proto>
sudo uci set firewall.@rule[-1].src=<src>
sudo uci set firewall.@rule[-1].src_mac=<src_mac>
sudo uci set firewall.@rule[-1].src_ip=<src_ip>
sudo uci set firewall.@rule[-1].src_port=<src_port>
sudo uci set firewall.@rule[-1].dest=<dest>
sudo uci set firewall.@rule[-1].dest_ip=<dest_ip>
sudo uci set firewall.@rule[-1].dest_port=<dest_port>
sudo uci set firewall.@rule[-1].target=<target>
sudo uci set firewall.@rule[-1].weekdays=<weekdays>
sudo uci set firewall.@rule[-1].monthdays=<monthdays>
sudo uci set firewall.@rule[-1].start_time=<start_time>
sudo uci set firewall.@rule[-1].stop_time=<stop_time>
sudo uci set firewall.@rule[-1].start_date=<start_date>
sudo uci set firewall.@rule[-1].stop_date=<stop_date>
sudo uci set firewall.@rule[-1].utc_time=<utc_time>
uci commit firewall
Table 14. Parameters
Parameter Type Required Default Description

enabled

boolean

no

yes

Enable or disable rule.

name

string

no

none

Unique rule name.

family

string

no

any

Protocol family (ipv4, ipv6 or any) to generate iptables rules for.

proto

protocol name or number

no

tcp udp

Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.

src

zone name

yes ( optional since Firewall v2, version 58 and above)

none

Specifies the traffic source zone. Must refer to one of the defined zone names.

src_mac

mac address

no

none

Match incoming traffic from the specified mac address.

src_ip

ip address

no

none

Match incoming traffic from the specified source ip address.

src_port

port or range

no

none

Match incoming traffic from the specified source port or port range (ex: '5000:5100', port range does not apply to all protocols), if relevant proto is specified. Multiple ports can be specified like '80 443 465' 1.

dest

zone name

no

none

Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule.

dest_ip

ip address

no

none

Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule!

dest_port

port or range

no

none

Match incoming traffic directed at the given destination port or port range (ex: '5000:5100', port range does not apply to all protocols), if relevant proto is specified. Multiple ports can be specified like '80 443 465' 1.

target

string

yes

DROP

Activate NAT reflection for this redirect - applicable to DNAT targets.

weekdays

list of weekdays

no

(always)

If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on saturdays and sundays.

monthdays

list of dates

no

(always)

If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month.

start_time

time (hh:mm:ss)

no

(always)

If specified, only match traffic after the given time of day (inclusive).

stop_time

time (hh:mm:ss)

no

(always)

If specified, only match traffic before the given time of day (inclusive).

start_date

date (yyyy-mm-dd)

no

(always)

If specified, only match traffic after the given date (inclusive).

stop_date

date (yyyy-mm-dd)

no

(always)

If specified, only match traffic before the given date (inclusive).

utc_time

boolean

no

0

Treat all given time values as UTC time instead of local time.

Commands example:

Table 15. Blocks all connection attempts to connect the specified host address.
sudo uci add firewall rule
sudo uci set firewall.@rule[-1].enabled=1
sudo uci set firewall.@rule[-1].src=lan
sudo uci set firewall.@rule[-1].dest=wan
sudo uci set firewall.@rule[-1].dest_ip=123.45.67.89
sudo uci set firewall.@rule[-1].target=REJECT
sudo uci commit firewall
sudo /etc/init.d/firewall restart  

Add a new Source NAT

Source NAT changes an outgoing packet so that it looks as though the Embedded Switch system is the source of the packet.

Commands example:
Table 16. Define source NAT for UDP and TCP traffic

Define source NAT for UDP and TCP traffic directed to port 123 originating from the host with the IP address 10.55.34.85.

The source address is rewritten to 63.240.161.99:

sudo uci add firewall redirect
sudo uci set firewall.@redirect[-1].enabled=1
sudo uci set firewall.@redirect[-1].src=lan
sudo uci set firewall.@redirect[-1].src_ip=10.55.34.85
sudo uci set firewall.@redirect[-1].src_dip=63.240.161.99
sudo uci set firewall.@redirect[-1].dest=wan
sudo uci set firewall.@redirect[-1].dest_port=123
sudo uci set firewall.@redirect[-1].target=SNAT
sudo uci commit firewall
sudo /etc/init.d/firewall restart