Hi,
I'm a total beginner regarding OpenWrt, and I'm trying to allow only certain services to reach the internet; for now I would like to allow DNS and NTP. For this I added two rules to the /etc/config/firewall file, which now looks like this:
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
option output 'DROP'
option network 'wan wan6'
option log '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'tun'
option forward 'REJECT'
option output 'ACCEPT'
option network 'tun'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
config rule
option target 'ACCEPT'
option src '*'
option proto 'tcpudp'
option dest_port '53'
option name 'public dns servers'
option family 'ipv4'
config forwarding
option dest 'wan'
option src 'lan'
config rule
option target 'ACCEPT'
option name 'NTP Servers'
option dest_port '123'
option proto 'tcpudp'
option src 'lan'
option dest 'wan'
After running '/etc/init.d/firewall restart', I still see many dropped packets with destination port 123:
dmesg | tail | grep -i "DPT=123"
[ 1376.080000] DROP(dest wan)IN= OUT=eth1 SRC=192.168.178.103 DST=93.180.6.3 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=62848 DF PROTO=UDP SPT=49977 DPT=123 LEN=56
[ 1381.100000] DROP(dest wan)IN= OUT=eth1 SRC=192.168.178.103 DST=91.207.136.55 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=13814 DF PROTO=UDP SPT=54868 DPT=123 LEN=56
[ 1381.110000] DROP(dest wan)IN= OUT=eth1 SRC=192.168.178.103 DST=85.21.78.8 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=57224 DF PROTO=UDP SPT=38917 DPT=123 LEN=56
[ 1381.120000] DROP(dest wan)IN= OUT=eth1 SRC=192.168.178.103 DST=81.171.44.131 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=11899 DF PROTO=UDP SPT=50927 DPT=123 LEN=56
[ 1381.140000] DROP(dest wan)IN= OUT=eth1 SRC=192.168.178.103 DST=93.180.6.3 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=62849 DF PROTO=UDP SPT=38498 DPT=123 LEN=56
Here is some more information about the network configuration:
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8f:1c57:775a::/48'
config interface 'lan'
option force_link '1'
option ipaddr '192.168.2.3'
option netmask '255.255.255.0'
option proto 'static'
option type 'bridge'
option _orig_ifname 'eth0 wlan0'
option _orig_bridge 'true'
option ifname 'eth0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config interface 'tun'
option proto 'dhcp'
option ifname 'tun0'
option defaultroute '0'
Which rules do I have to set to get e.g. the NTP traffic through?
Thanks in advance for your help!
