Differences

This shows you the differences between two versions of the page.

--- documentation:configuration:config_files:config_firewall [2015/05/09 14:46]
admin created
+++ documentation:configuration:config_files:config_firewall [2018/05/24 09:05] (current)
@@ Line 1: / Line 1: @@
 ====== /etc/config/firewall ======
+Firewall configuration file
+===== Sections =====
+^ Type ^ Description ^
+| [[config_firewall#defaults|defaults]] | global firewall settings |
+| [[config_firewall#zones|zones]] | groups one or more interface |
+| [[config_firewall#forwardings|forwardings]] | controls traffic flow between zones |
+| [[config_firewall#redirects|redirects]] | port forwards |
+| [[config_firewall#rules|rules]] | basic accept or reject rules for specific ports or hosts |
+| [[config_firewall#includes|includes]] | custom firewall scripts |
+==== defaults ====
+global firewall settings
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''input'' | string | no | ''REJECT'' | Set policy for the ''INPUT'' chain of the ''filter'' table. |
+| ''output'' | string | no | ''REJECT'' | Set policy for the ''OUTPUT'' chain of the ''filter'' table. |
+| ''forward'' | string | no | ''REJECT'' | Set policy for the ''FORWARD'' chain of the ''filter'' table.  |
+| ''drop_invalid'' | boolean | no | ''0'' | Drop invalid packets (e.g. not matching any active connection). |
+| ''syn_flood'' | boolean | no | ''0'' | Enable [[wp>SYN flood]] protection (obsoleted by ''synflood_protect'' setting). |
+| ''synflood_protect'' | boolean | no | ''0'' | Enable [[wp>SYN flood]] protection. |
+| ''synflood_rate'' | string | no | ''25'' | Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood. |
+| ''synflood_burst'' | string | no | ''50'' | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
+| ''tcp_syncookies'' | boolean | no | ''1'' | Enable the use of [[wp>SYN cookies]]. |
+| ''tcp_ecn'' | boolean | no | ''0'' |  |
+| ''tcp_westwood'' | boolean | no | ''0'' |  |
+| ''tcp_window_scaling'' | boolean | no | ''1'' | Enable TCP window scaling. |
+| ''accept_redirects'' | boolean | no | ''0'' |  |
+| ''accept_source_route'' | boolean | no | ''0'' |  |
+| ''custom_chains'' | boolean | no | ''1'' |  |
+| ''disable_ipv6'' | boolean | no | ''0'' | Disable IPv6 firewall rules. |
+==== zones ====
+groups one or more interface
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''name'' | zone name | yes | //(none)// | Unique zone name |
+| ''network'' | list | no | //(none)// | List of //[[doc:uci:network#interfaces|interfaces]]// attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of ''name'' is used by default. Use list syntax as explained in [[doc:uci]]. |
+| ''masq'' | boolean | no | ''0'' | Specifies whether //outgoing// zone traffic should be masqueraded - this is typically enabled on the //wan// zone |
+| ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
+| ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
+| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#notes.on.connection.tracking|Note on connection tracking]]) |
+| ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic |
+| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic |
+| ''forward'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //forwarded// zone traffic |
+| ''output'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //outgoing// zone traffic |
+| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
+| ''log'' | boolean | no | ''0'' | Create log rules for rejected and dropped traffic in this zone. |
+| ''log_limit'' | string | no | ''10/minute'' | Limits the amount of log messages per interval. |
+| ''device'' | list | no | //(none)// | List of raw network device names attached to this zone, e.g. ''ppp+'' to match any PPP interface. \\ :!: Only supported by the Firewall v2, version 58 and above ; not supported by 12.09 default installation |
+| ''subnet'' | list | no | //(none)// | List of IP subnets attached to this zone. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
+| ''extra'' | string | no | //(none)// | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therfore direction-specific options like ''--dport'' should not be used here - in this case the ''extra_src'' and ''extra_dest'' options should be used instead. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
+| ''extra_src'' | string | no | //Value of ''extra''// | Extra arguments passed directly to iptables for source classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
+| ''extra_dest'' | string | no | //Value of ''extra''// | Extra arguments passed directly to iptables for destination classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
+==== forwardings ====
+controls traffic flow between zones
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names// |
+| ''dest'' | zone name | yes | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names// |
+| <del>''mtu_fix''</del> | <del>boolean</del> | <del>no</del> | <del>''0''</del> | <del>Enable MSS clamping for traffic flowing from the //source zone// to the //destination zone//</del> (Deprecated and moved to ''zone'' sections in 8.09.2+) |
+| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
+:!: The //iptables// rules generated for this section rely on the //state match// which needs connection tracking to work.
+At least one of the ''src'' or ''dest'' zones needs to have //connection tracking// enabled through either the ''masq'' or the ''conntrack'' option.
+==== redirects ====
+port forwards
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''src'' | zone name | yes for ''DNAT'' target | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//. For typical port forwards this usually is ''wan'' |
+| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
+| ''src_dip'' | ip address | yes for ''SNAT'' target | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination ip address//. For //SNAT// rewrite the //source address// to the given address. |
+| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
+| ''src_port'' | port or range | no | //(none)// | Match incoming traffic originating from the given //source port or port range// on the client host |
+| ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT// rewrite the //source ports// to the given value. |
+| ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// |
+| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//. For ''DNAT'' target on Attitude Adjustment, NAT reflection works only if this is equal to ''lan''. |
+| ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. |
+| ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. |
+| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark |
+| ''mark'' | string | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. |
+| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). |
+| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |
+| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). |
+| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). |
+| ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. |
+| ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. |
+| ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. |
+| ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule |
+| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
+| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. |
+| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. |
+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/second'', ''3/sec'' or ''3/s''. |
+| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
+| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
+| ''enabled'' | string | no | ''1'' or ''yes'' | Enable the redirect rule or not. |
+:!: On Attitude Adjustment, for NAT reflection to work, you **must** specify ''option dest lan'' in the ''redirect'' section (even though we're using a ''DNAT'' target).
+==== rules ====
+basic accept or reject rules for specific ports or hosts
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''src'' | zone name | yes (:!: optional since Firewall v2, version 58 and above) | //(none)// | Specifies the traffic //source zone//. Must refer to one of the defined //zone names//. |
+| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
+| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
+| ''src_port'' | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''proto'' is specified. |
+| ''proto'' | protocol name or number | no | ''tcpudp'' | Match incoming traffic using the given //protocol//. Can be one of ''tcp'', ''udp'', ''tcpudp'', ''udplite'', ''icmp'', ''esp'', ''ah'', ''sctp'', or ''all'' or it can be a numeric value, representing one of these protocols or a different one. A protocol name from ''/etc/protocols'' is also allowed. The number 0 is equivalent to ''all''. |
+| ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//. Must refer to one of the defined //zone names//, or * for any zone. If specified, the rule applies to //forwarded// traffic; otherwise, it is treated as //input// rule. |
+| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address//. With no dest zone, this is treated as an input rule! |
+| ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range//, if relevant ''proto'' is specified. |
+| ''ipset'' | string | no | //(none)// | If specified, match traffic against the given //[[#ip.sets|ipset]]//. The match can be inverted by prefixing the value with an exclamation mark |
+| ''mark'' | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''0xFF'' to match mark 255 or ''0x0/0x1'' to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''!0x10'' to match all but mark #16. |
+| ''start_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specifed, only match traffic after the given date (inclusive). |
+| ''stop_date'' | date (''yyyy-mm-dd'') | no | //(always)// | If specified, only match traffic before the given date (inclusive). |
+| ''start_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic after the given time of day (inclusive). |
+| ''stop_time'' | time (''hh:mm:ss'') | no | //(always)// | If specified, only match traffic before the given time of day (inclusive). |
+| ''weekdays'' | list of weekdays | no | //(always)// | If specified, only match traffic during the given week days, e.g. ''sun mon thu fri'' to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! sat sun'' to always match but on saturdays and sundays. |
+| ''monthdays'' | list of dates | no | //(always)// | If specified, only match traffic during the given days of the month, e.g. ''2 5 30'' to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ''! 31'' to always match but on the 31st of the month. |
+| ''utc_time'' | boolean | no | ''0'' | Treat all given time values as UTC time instead of local time. |
+| ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'', ''MARK'', ''NOTRACK'') for matched traffic |
+| ''set_mark'' | mark/mask | yes for target ''MARK'' | //(none)// | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
+| ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
+| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. |
+| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
+| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
+| ''enabled'' | boolean | no | yes | Enable or disable rule. |
+==== includes ====
+custom firewall scripts
+== Options ==
+^ Name ^ Type ^ Required ^ Default ^ Description ^
+| ''enabled'' | boolean | no | ''1'' | Allows to disable the corresponding include without having to delete the section |
+| ''type'' | string | no | ''script'' | Specifies the type of the include, can be ''script'' for traditional shell script includes or ''restore'' for plain files in //iptables-restore// format |
+| ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or firewall restarts |
+| ''family'' | string | no | ''any'' | Specifies the address family (''ipv4'', ''ipv6'' or ''any'') for which the include is called |
+| ''reload'' | boolean | no | ''0'' | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains |
+===== Possible Storage / Match Combinations =====
+The table below outlines the possible combinations of storage methods and matched datatypes as well as the usable IP address family.
+The order of the datatype matches is significant.
+^ Family ^ Storage ^ Match ^ Notes ^
+| ''ipv4'' | ''bitmap'' | ''ip'' | Requries ''iprange'' option |
+| ''ipv4'' | ''bitmap'' | ''ip mac'' | Requires ''iprange'' option |
+| ''ipv4'' | ''bitmap'' | ''port'' | Requires ''portrange'' option |
+| //any// | ''hash'' | ''ip'' | - |
+| //any// | ''hash'' | ''net'' | - |
+| //any// | ''hash'' | ''ip port'' | - |
+| //any// | ''hash'' | ''net port'' | - |
+| //any// | ''hash'' | ''ip port ip'' | - |
+| //any// | ''hash'' | ''ip port net'' | - |
+| - | ''list'' | ''set'' | Meta type to create a set-of-sets |

Differences

Page Tools