Aaron Z <[email protected]> writes: [...]
Harry wrote:
>> I picked this bit of code up in the piles of openwrt docs:
>> (http://www.it-slav.net/blogs/2011/04/02/open-ssh-on-the-wan-inteface-openwrt/)
>>
>> config rule
>>     option src wan
>>     option dest_port 22
>>     option target ACCEPT
>>     option proto tcp
>>
>> #/etc/init.d/firewall restart
>>
>> I thought it would let 10.0.0.0/24 hosts ssh to other subnet. But it
>> does not appear to have that effect.

Aaron responded:
> That would let you SSH from the WAN to the OpenWRT router.
> If you want to allow access to SSH on the other machines in the
> 192.168.2.x subnet, you will need to add a line to that which says
> "option dest lan" to your rule to enable connections to machines other
> than the OpenWRT router (see Link [1]).

I see, and with the backup urls... It makes sense even to me who has no
background in this sort of thing.

> However, that won't do much unless you allow forwarding from WAN to LAN.
> In the firewall config file, there is a section called "config
> forwarding" (see Link [2] for more info)
> By default, it has just one section (quoted below):
>
> config forwarding
>     option src lan
>     option dest wan
>
> You will need to add another section to allow forwarding from WAN to
> LAN. I think that will need to be in its own "config forwarding" like
> below:
>
> config forwarding
>     option src wan
>     option dest lan
>
> (note, I am guessing that it needs to be its own section as I have
> never used it. If that doesn't work, try adding the "option src
> wan" and "option dest lan" to the existing "config forwarding"
> section)
>
> Link [1]: http://wiki.openwrt.org/doc/uci/firewall#rules
> Link [2]: http://wiki.openwrt.org/doc/uci/firewall#forwardings

Thanks for the very helpful reply, and for including the url pointers.

I found the forwarding section you mentioned, which now reads:

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'lan'

I guess enclosing the last element in single quotes is required, eh?
That forwarding section begins at line #24 of the inlined firewall at the end.

Below is my rewritten original section (with the line you mentioned added):

config rule
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest 'lan'

Will it matter where that last... directly above appears?

I've inlined the whole thing just hoping you would have time to take a look
and let me know if there is anything you notice that will wreck any security
or the like that was available in the default firewall.

This whole thing is being carried out behind whatever Comcast's version of a
firewall is in their Arris model TG862G/GT router/modem. Without going into
much detail, that fw is set on its `medium' security setting. And I haven't
monkeyed around with it except to add some dhcp assignments so my machines
have a steady address. It's the kind of setup that allows the user to match a
MAC to a desirable dhcp address.

So the owrt firewall is operating behind whatever Comcast and ARRIS deem
`medium security', I guess.
------- ------- ---=--- ------- -------

Here is the full firewall file on owrt:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'lan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '22'
    option dest_ip '192.168.2.1'
    option dest_port '22'
    option name 'ssh'
    option enabled '0'

###################################################

config rule
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest 'lan'

_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
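As an added example (not code from the thread or from OpenWrt), a small Python audit that parses a UCI firewall file in the format above and lists everything the wan zone is permitted to reach; the SAMPLE is a constructed excerpt of the file posted in the thread. It makes the relevant point visible: a `config forwarding` from wan to lan accepts all traffic between the two zones, so the tcp/22 rule is no longer what limits exposure.

```python
import shlex

# Constructed excerpt of the firewall file posted in the thread (values as posted).
SAMPLE = """
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'wan'
    option dest 'lan'
config redirect
    option src 'wan'
    option src_dport '22'
    option dest_ip '192.168.2.1'
    option enabled '0'
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of section dicts ('_type' plus options/lists)."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # quotes are optional, '#' starts a comment
        if not parts:
            continue
        if parts[0] == 'config':
            sections.append({'_type': parts[1]})
        elif parts[0] == 'option' and len(parts) == 3:
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == 'list' and len(parts) == 3:
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def audit_wan_exposure(sections):
    """Return (kind, destination, proto, port) for everything the wan zone may reach."""
    findings = []
    for s in sections:
        t, src = s['_type'], s.get('src')
        if t == 'forwarding' and src == 'wan':
            # A forwarding section accepts ALL traffic from src zone to dest zone: every port on every LAN host.
            findings.append(('forwarding', s.get('dest'), 'any', 'any'))
        elif t == 'rule' and src == 'wan' and s.get('target') == 'ACCEPT':
            findings.append(('rule', s.get('dest', 'router'), s.get('proto', 'any'), s.get('dest_port', 'any')))
        elif t == 'redirect' and src == 'wan' and s.get('enabled', '1') != '0':
            findings.append(('redirect', s.get('dest_ip'), s.get('proto', 'any'), s.get('src_dport', 'any')))
    return findings
```

Run it against `/etc/config/firewall` from the router to get the same report for the full file; the disabled `redirect` section is correctly ignored because `option enabled '0'` is honoured.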
