Skip Navigation

Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpereting what they are saying exactly.

cross-posted to: https://sh.itjust.works/post/14114583


If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interperet that as saying that wan doesn't go anywhere, but that wouldn't make sense given that the router can send, and receive over the internet.

For example I would interperet the first rule as follows:

  • lan => wan: the conditions for which connections from the lan interface are forwarded to to the wan interface.
  • Input: accept: the lan interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject).
  • Output: accept: all connections exiting the wan interface are accepted (again, I'm not sure what the point of this would be).
  • Forward: accept: forwarding of packets from lan to wan is allowed.
  • Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the lan interface?

I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.

6
homelab @lemmy.ml Kalcifer @sh.itjust.works
Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpereting what they are saying exactly.

You're viewing a single thread.

6 comments
  • have clicked the add button at the bottom of the zones, found the below. A look at the current zones show that LAN -> WAN is how you get out and WAN -> REJECT is the WAN -> LAN side.

    So what your doing is allow all traffic in, out and forwarded of LAN

    But reject any in and forward from WAN to LAN, as the traffic leaves the WAN interface masquerade it as the WAN IP

    This section defines common properties of "this new zone". The input and output options set the default policies for traffic entering and leaving this zone while the forward option describes the policy for forwarded traffic between different networks within the zone. Covered networks specifies which available networks are members of this zone.

    The options below control the forwarding policies between this zone (this new zone) and other zones. Destination zones cover forwarded traffic originating from this new zone. Source zones match forwarded traffic from other zones targeted at this new zone. The forwarding rule is unidirectional, e.g. a forward from lan to wan does not imply a permission to forward from wan to lan as well.

    • But reject any in [...] from WAN

      I don't understand this one. Wouldn't this then reject any connection to the router from the internet? Say you have a server behind the router that is port forwarded. If you have Input: reject on wan, wouldn't this then mean that the router just drops any request to the server as that would be an input originating on the wan interface destined for the router?

      as the traffic leaves the WAN interface masquerade it as the WAN IP

      This is a great way to explain the masquerade setting! Thanks!

      • Thats how my setup looks, I do have about 7 NAT rules also and they work fine

        • Do you not know the answer to my question, or did you perhaps misunderstand it? You seem to have skipped over the whole comment 😆

          • in short, no I dont know how the firewalling works.

            So a read of the wiki has what I thought

            • INPUT is into the router
            • OUTPUT is from the router
            • FORWARD is across the router

            all as default settings, NAT is applied after the zone rules. So even though the zone will reject INPUT, a NAT rule will allow it.

            Does that help?

            • So even though the zone will reject INPUT, a NAT rule will allow it.

              I don't think this is correct. NAT doesn't "allow" connections -- It just masquerades the source IP as that of the router. For WAN connections to be accepted, conntrack must see them as related to connections that were initiated by the router, or by a device on the LAN (assuming, of course, that conntrack is enabled, which, in my case, it is).

You've viewed 6 comments.