On 12-12-22 06:51 PM, Lupe Christoph wrote:
>
> The address of the "lan" interface of your router, of course.

The documentation says that "src" is:

    Specifies the traffic source zone. Must refer to one of the defined zone names.

You must be thinking of src_ip. But as I noted in my original message, it is insufficient to simply use IP addresses in firewall rules. IP addresses must be coupled with interface bindings so that you are not a victim of IP spoofing.

> I apologize for the complexity of this. It was generated by fwbuilder
> from an fwbuilder rule that contains a lot more than you need.

Yes, thanks. But I am not really looking for other tools to do packet filter building. I already have a thorough understanding of packet filtering, security concepts and am quite capable of building complex iptables rules and equally capable of using meta-tools to build them. My question was specifically about using OpenWRT's native firewall processing to accomplish my security policy.

> And fwbuilder uses chains a lot.

So does Shorewall. But that's not my goal (although it looks like I will be using Shorewall for a while still).

> I guess for you, this might work:
> $IPTABLES -A OUTPUT -o br-lan -s 172.17.0.1 -d 172.17.0.0/24 -m state --state NEW -p udp -m udp --dport 514 -j ACCEPT

Of course. But I am looking to encode that rule into /etc/config/firewall. But as Jow mentioned in the other message, OpenWRT's firewall module is not (yet?) capable of such a rule. :-(

Thanks for your consideration though.

Cheers,
b.
