Re: [LEDE-DEV] firewall question

2017-12-16 Thread Mathias Kresin

15.12.2017 09:24, e9hack:

> Hi,
>
> I set up an OpenVPN server on my router. /etc/config/network contains the
> interface definition:
>
> config interface 'vpn'
> option proto 'none'
> option ifname 'tun1'
>
> In /etc/config/firewall, I have the following definitions related to vpn, lan
> and wan:
>
> config zone
> option name 'lan'
> list network 'lan'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
>
> config zone
> option name 'wan'
> list network 'wan'
> list network 'wan_6'
> option input 'DROP'
> option output 'ACCEPT'
> option forward 'DROP'
> option masq '1'
> option mtu_fix '1'
> option conntrack '1'
>
> config zone
> option name 'vpn'
> option network 'vpn'
> option input 'ACCEPT'
> option forward 'REJECT'
> option output 'ACCEPT'
>

Your vpn zone configuration has to be read as:

  - allow traffic from vpn zone to firewall (INPUT)
  - allow traffic from firewall to vpn zone (OUTPUT)



> config forwarding
> option src 'lan'
> option dest 'wan'
>
> config rule
> option name 'Allow OpenVPN Inbound on wan'
> option src 'wan'
> option proto 'tcpudp'
> option dest_port '1194'
> option extra '-m conntrack --ctstate NEW'
> option target 'ACCEPT'
>
> config forwarding
> option src 'vpn'
> option dest 'wan'
>
> config rule
> option name 'Block NetBios from vpn to wan'
> option src 'vpn'
> option dest 'wan'
> list dest_port '135'
> list dest_port '137-139'
> list dest_port '445'
> list dest_port '3389'
> option proto 'tcpudp'
> option target 'DROP'
>
> These are not the complete firewall definitions, but no other rule exists with
> the zone or network vpn.
>
> I did not define any forwarding rule between vpn and lan. The lan IP range is
> 192.168.x.x, and a client which is connected to the OpenVPN server gets an IP
> address from the range 10.8.y.y. From an OpenVPN client, I can access the web
> interface of the router via 192.168.x.1. Why is this possible?


It is possible because your traffic targets the firewall (INPUT) and not
the lan zone (FORWARD). The destination IP address doesn't really matter
as long as it is an interface of the firewall. Consider the firewall as
something like a special zone.


Following is an excerpt of the firewall configuration I'm using to restrict
IoT devices. My complete configuration is more complex, since ipset is
involved to limit forwarding of IoT traffic to WAN based on the
destination fqdn/domain. But it should give you a start.


config zone
option name iot
list network 'iot'
option input REJECT
option output ACCEPT
option forward REJECT

config forwarding
option src lan
option dest iot

config rule
option name Allow-iot-DHCPv4-Input
option src iot
option proto udp
option dest_port 67
option target ACCEPT
option family ipv4

config rule
option name Allow-iot-DHCPv6-Input
option src iot
option proto udp
option dest_port 547
option target ACCEPT
option family ipv6

config rule
option name Allow-iot-DNS-Input
option src iot
option dest_port 53
option proto 'udp tcp'
option target ACCEPT

Mathias

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
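Mathias's INPUT-versus-FORWARD explanation and his IoT excerpt both rest on the zone defaults, so here is an added audit script (my example, not code from the thread or from the fw3 project) that parses the UCI zone and forwarding sections in the syntax shown above and reports, for a constructed copy of Hartmut's lan and vpn zones, whether a zone's hosts may reach the router itself (INPUT) and whether traffic between two zones may be forwarded (FORWARD). It assumes fw3's documented behaviour that a zone's forward default only covers traffic staying inside that zone, and it ignores individual rule sections and conntrack state.

```python
import shlex

# Constructed sample: Hartmut's lan and vpn zones plus his vpn->wan forwarding.
SAMPLE_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'vpn'
    option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) tuples."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)  # shlex handles the quoted values
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and sections:  # 'list' keys collect a list
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def load_policy(text):
    """Return (zones keyed by name, set of explicit (src, dest) forwardings)."""
    sections = parse_uci(text)
    zones = {o["name"]: o for k, o in sections if k == "zone"}
    fwd = {(o["src"], o["dest"]) for k, o in sections if k == "forwarding"}
    return zones, fwd

def reaches_router(zones, src):
    """INPUT: hosts in src reach any router address if input default is ACCEPT."""
    return zones[src].get("input", "REJECT") == "ACCEPT"

def forwards(zones, fwd, src, dest):
    """FORWARD: needs an explicit forwarding section, or, for a destination in
    the same zone, a forward default of ACCEPT (assumed fw3 in-zone semantics)."""
    if (src, dest) in fwd:
        return True
    return src == dest and zones[src].get("forward", "REJECT") == "ACCEPT"
```

Run against the sample, vpn reaches the router while vpn to lan is not forwarded, which is exactly the behaviour Hartmut observed.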


Re: [LEDE-DEV] firewall question

2017-12-15 Thread e9hack
On 15.12.2017 at 18:03, Eric Romano wrote:
> The "input" option of your LAN zone is set to ACCEPT. This means that
> any traffic to the interface IP address(es) of that zone will be
> allowed unless otherwise blocked by a rule.
>
> It's not obvious, but zone forwarding rules apply only to traffic forwarded
> on behalf of clients on the network, not to traffic to and from the
> router itself.

This seems not to be correct.

On my router there are some other interfaces which are also not forwarded to
the lan. From such interfaces no access to the lan is possible. I added a
logging rule for tun and some other interfaces at the beginning of the INPUT
and OUTPUT chains. For all interfaces except tun, I see only packets which have
SRC and DST addresses from the same network. For the tun interface, the INPUT
chain also shows packets with SRC=10.8.x.x and DST=192.168.z.z, and for the
OUTPUT chain vice versa.

Finally, I changed the default rule for lan INPUT to REJECT and added all
necessary rules for the lan interface explicitly, with the exception of ports
80 and 443. Now I have no access from lan to the web interface, but I still
have access to it over the tun interface.

Something seems to be broken in the network area.

Regards,
Hartmut



Re: [LEDE-DEV] firewall question

2017-12-15 Thread Eric Romano
The "input" option of your LAN zone is set to ACCEPT. This means that
any traffic to the interface IP address(es) of that zone will be
allowed unless otherwise blocked by a rule.

It's not obvious, but zone forwarding rules apply only to traffic forwarded
on behalf of clients on the network, not to traffic to and from the
router itself.

On Fri, Dec 15, 2017 at 3:24 AM, e9hack wrote:
> Hi,
>
> I set up an OpenVPN server on my router. /etc/config/network contains the
> interface definition:
>
> config interface 'vpn'
> option proto 'none'
> option ifname 'tun1'
>
> In /etc/config/firewall, I have the following definitions related to vpn, lan
> and wan:
>
> config zone
> option name 'lan'
> list network 'lan'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
>
> config zone
> option name 'wan'
> list network 'wan'
> list network 'wan_6'
> option input 'DROP'
> option output 'ACCEPT'
> option forward 'DROP'
> option masq '1'
> option mtu_fix '1'
> option conntrack '1'
>
> config zone
> option name 'vpn'
> option network 'vpn'
> option input 'ACCEPT'
> option forward 'REJECT'
> option output 'ACCEPT'
>
> config forwarding
> option src 'lan'
> option dest 'wan'
>
> config rule
> option name 'Allow OpenVPN Inbound on wan'
> option src 'wan'
> option proto 'tcpudp'
> option dest_port '1194'
> option extra '-m conntrack --ctstate NEW'
> option target 'ACCEPT'
>
> config forwarding
> option src 'vpn'
> option dest 'wan'
>
> config rule
> option name 'Block NetBios from vpn to wan'
> option src 'vpn'
> option dest 'wan'
> list dest_port '135'
> list dest_port '137-139'
> list dest_port '445'
> list dest_port '3389'
> option proto 'tcpudp'
> option target 'DROP'
>
> These are not the complete firewall definitions, but no other rule exists with
> the zone or network vpn.
>
> I did not define any forwarding rule between vpn and lan. The lan IP range is
> 192.168.x.x, and a client which is connected to the OpenVPN server gets an IP
> address from the range 10.8.y.y. From an OpenVPN client, I can access the web
> interface of the router via 192.168.x.1. Why is this possible?
>
> Regards,
> Hartmut



[LEDE-DEV] firewall question

2017-12-15 Thread e9hack
Hi,

I set up an OpenVPN server on my router. /etc/config/network contains the
interface definition:

config interface 'vpn'
option proto 'none'
option ifname 'tun1'

In /etc/config/firewall, I have the following definitions related to vpn, lan
and wan:

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan_6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
option conntrack '1'

config zone
option name 'vpn'
option network 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow OpenVPN Inbound on wan'
option src 'wan'
option proto 'tcpudp'
option dest_port '1194'
option extra '-m conntrack --ctstate NEW'
option target 'ACCEPT'

config forwarding
option src 'vpn'
option dest 'wan'

config rule
option name 'Block NetBios from vpn to wan'
option src 'vpn'
option dest 'wan'
list dest_port '135'
list dest_port '137-139'
list dest_port '445'
list dest_port '3389'
option proto 'tcpudp'
option target 'DROP'

These are not the complete firewall definitions, but no other rule exists with
the zone or network vpn.

I did not define any forwarding rule between vpn and lan. The lan IP range is
192.168.x.x, and a client which is connected to the OpenVPN server gets an IP
address from the range 10.8.y.y. From an OpenVPN client, I can access the web
interface of the router via 192.168.x.1. Why is this possible?

Regards,
Hartmut

