documentation:configuration:config_files:config_firewall
Table of Contents
/etc/config/firewall
Firewall configuration file
Sections
defaults
global firewall settings
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
drop_invalid | boolean | no | 0 | Drop invalid packets (e.g. not matching any active connection). |
syn_flood | boolean | no | 0 | Enable SYN flood protection (obsoleted by synflood_protect setting). |
synflood_protect | boolean | no | 0 | Enable SYN flood protection. |
synflood_rate | string | no | 25 | Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood. |
synflood_burst | string | no | 50 | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
tcp_syncookies | boolean | no | 1 | Enable the use of SYN cookies. |
tcp_ecn | boolean | no | 0 | |
tcp_westwood | boolean | no | 0 | |
tcp_window_scaling | boolean | no | 1 | Enable TCP window scaling. |
accept_redirects | boolean | no | 0 | |
accept_source_route | boolean | no | 0 | |
custom_chains | boolean | no | 1 | |
disable_ipv6 | boolean | no | 0 | Disable IPv6 firewall rules. |
zones
groups one or more interface
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
name | zone name | yes | (none) | Unique zone name |
network | list | no | (none) | List of interfaces attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of name is used by default. Use list syntax as explained in uci. |
masq | boolean | no | 0 | Specifies whether outgoing zone traffic should be masqueraded - this is typically enabled on the wan zone |
masq_src | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
masq_dest | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
conntrack | boolean | no | 1 if masquerading is used, 0 otherwise | Force connection tracking for this zone (see Note on connection tracking) |
mtu_fix | boolean | no | 0 | Enable MSS clamping for outgoing zone traffic |
input | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic |
forward | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic |
output | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic |
family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
log | boolean | no | 0 | Create log rules for rejected and dropped traffic in this zone. |
log_limit | string | no | 10/minute | Limits the amount of log messages per interval. |
device | list | no | (none) | List of raw network device names attached to this zone, e.g. ppp+ to match any PPP interface.  Only supported by the Firewall v2, version 58 and above ; not supported by 12.09 default installation |
subnet | list | no | (none) | List of IP subnets attached to this zone. Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
extra | string | no | (none) | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therfore direction-specific options like –dport should not be used here - in this case the extra_src and extra_dest options should be used instead. Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
extra_src | string | no | Value of extra | Extra arguments passed directly to iptables for source classification rules. Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
extra_dest | string | no | Value of extra | Extra arguments passed directly to iptables for destination classification rules. Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation |
forwardings
controls traffic flow between zones
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
src | zone name | yes | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names |
dest | zone name | yes | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names |
mtu_fix | | | 0 | zone sections in 8.09.2+) |
family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
The iptables rules generated for this section rely on the state match which needs connection tracking to work.
At least one of the src or dest zones needs to have connection tracking enabled through either the masq or the conntrack option.
redirects
port forwards
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
src | zone name | yes for DNAT target | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is wan |
src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address |
src_dip | ip address | yes for SNAT target | (none) | For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address. |
src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address |
src_port | port or range | no | (none) | Match incoming traffic originating from the given source port or port range on the client host |
src_dport | port or range | no | (none) | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value. |
proto | protocol name or number | yes | tcpudp | Match incoming traffic using the given protocol |
dest | zone name | yes for SNAT target | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names. For DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan. |
dest_ip | ip address | yes for DNAT target | (none) | For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. |
dest_port | port or range | no | (none) | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. |
ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark |
mark | string | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
start_date | date (yyyy-mm-dd) | no | (always) | If specifed, only match traffic after the given date (inclusive). |
stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on saturdays and sundays. |
monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
target | string | no | DNAT | NAT target (DNAT or SNAT) to use when generating the rule |
family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
reflection | boolean | no | 1 | Activate NAT reflection for this redirect - applicable to DNAT targets. |
reflection_src | string | no | internal | The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface’s address to use. Applicable to DNAT targets. |
limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s. |
limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit |
extra | string | no | (none) | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
enabled | string | no | 1 or yes | Enable the redirect rule or not. |
On Attitude Adjustment, for NAT reflection to work, you must specify option dest lan in the redirect section (even though we're using a DNAT target).
rules
basic accept or reject rules for specific ports or hosts
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
src | zone name | yes ( optional since Firewall v2, version 58 and above) | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. |
src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address |
src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address |
src_port | port or range | no | (none) | Match incoming traffic from the specified source port or port range, if relevant proto is specified. |
proto | protocol name or number | no | tcpudp | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
dest | zone name | no | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule. |
dest_ip | ip address | no | (none) | Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule! |
dest_port | port or range | no | (none) | Match incoming traffic directed at the given destination port or port range, if relevant proto is specified. |
ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark |
mark | mark/mask | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
start_date | date (yyyy-mm-dd) | no | (always) | If specifed, only match traffic after the given date (inclusive). |
stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on saturdays and sundays. |
monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
target | string | yes | DROP | Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
set_mark | mark/mask | yes for target MARK | (none) | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
set_xmark | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | |||
family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m. |
limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit |
extra | string | no | (none) | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
enabled | boolean | no | yes | Enable or disable rule. |
includes
custom firewall scripts
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
enabled | boolean | no | 1 | Allows to disable the corresponding include without having to delete the section |
type | string | no | script | Specifies the type of the include, can be script for traditional shell script includes or restore for plain files in iptables-restore format |
path | file name | yes | /etc/firewall.user | Specifies a shell script to execute on boot or firewall restarts |
family | string | no | any | Specifies the address family (ipv4, ipv6 or any) for which the include is called |
reload | boolean | no | 0 | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains |
Possible Storage / Match Combinations
The table below outlines the possible combinations of storage methods and matched datatypes as well as the usable IP address family. The order of the datatype matches is significant.
| Family | Storage | Match | Notes |
|---|---|---|---|
ipv4 | bitmap | ip | Requries iprange option |
ipv4 | bitmap | ip mac | Requires iprange option |
ipv4 | bitmap | port | Requires portrange option |
| any | hash | ip | - |
| any | hash | net | - |
| any | hash | ip port | - |
| any | hash | net port | - |
| any | hash | ip port ip | - |
| any | hash | ip port net | - |
| - | list | set | Meta type to create a set-of-sets |
documentation/configuration/config_files/config_firewall.txt · Last modified: 2018/05/24 09:05 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
