OpenWrt Forum Archive

Topic: Newbie security question to default firewall rules

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I installed default OpenWrt for the WNDR3700. Then I saw some forwardings and traffic rules enabled by default.
Thinking every rule is a hole in the firewall, I disabled them all.

Is that reasoning correct? Or are the rules creating extra security?

Here are the rules which I disabled:

IPv4-TCP+UDP
From any host in any zone
Via any router IP
any host in any zone

******************************************
Allow-DHCP-Renew
IPv4-UDP
From any host in wan
To any router IP at port 68 on this device
Accept input

******************************************
Allow-Ping
IPv4-ICMP with type echo-request
From any host in wan
To any router IP on this device
Accept input

******************************************
Allow-IGMP
IPv4-IGMP
From any host in wan
To any router IP on this device
Accept input

******************************************
Allow-DHCPv6
IPv6-UDP
From IP range fe80::/10 in wan with source port 547
To IP range fe80::/10 at port 546 on this device
Accept input

******************************************
Allow-MLD
IPv6-ICMP with types 130/0, 131/0, 132/0, 143/0
From IP range fe80::/10 in wan
To any router IP on this device
Accept input

******************************************
Allow-ICMPv6-Input
IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type, router-solicitation, neighbour-solicitation, router-advertisement, neighbour-advertisement
From any host in wan
To any router IP on this device
Accept input and limit to 1000 pkts. per second

******************************************
Allow-ICMPv6-Forward
IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type
From any host in wan
To any host in any zone
Accept forward and limit to 1000 pkts. per second

******************************************
-
Any IPSEC-ESP
From any host in wan
To any host in lan
Accept forward

******************************************
-
Any UDP
From any host in wan
To any host, port 500 in lan
Accept forward

(Last edited by handango on 14 Feb 2016, 20:49)

AFAIK the default firewall rules in CC/DD ensure the router's operation and are not a security risk. By disabling them (and restarting the firewall afterwards) you're breaking things.

Can anyone else confirm this?

I hate to be such a newb. I am learning Python in school and really trying to embrace the open source community with my new RPi2, and now I have put OpenWrt on my Netgear WNR2000v3. The only issue is that the default firewall seems overwhelming to me. I have searched both here and on Google, but I would like to know:

Are the default OpenWrt firewall settings secure? Is there anything else I need to do to a stock OpenWrt install to make it secure, other than a strong root password and a strong WPA2 password? I am not currently running any servers or gaming systems.

Thanks!

The default firewall rules are secure enough.

The default rules are there to enable the key internet protocols to work. Removing some of the default rules will decrease the functionality of some core protocols. E.g. IPv6 needs to be able to negotiate the MTU size, and removing the ICMPv6 rules prevents that. The same kind of thinking goes for the other default rules.
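To make the point above concrete, here is an added example (not code from the OpenWrt project or from any poster in this thread): a small audit script that reads an OpenWrt `/etc/config/firewall` dump in UCI text format, finds default rules that were switched off the way LuCI does it (`option enabled '0'`), and says what each one would break. The sample config embedded in it is constructed to mirror the CC/DD defaults quoted earlier in the thread; the consequence table is my summary, not OpenWrt documentation.

```python
"""Audit an OpenWrt /etc/config/firewall dump for disabled default rules.

Added example, not OpenWrt's own code. Parses the UCI text format
(config / option / list stanzas) with a deliberately minimal reader.
"""
import shlex

# Constructed sample: a trimmed /etc/config/firewall in which the poster has
# disabled several of the CC/DD default rules via LuCI (option enabled '0').
SAMPLE_FIREWALL = """
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4
	option enabled		'0'

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT
	option enabled		'0'

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fe80::/10
	option src_port		547
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list icmp_type		packet-too-big
	list icmp_type		router-advertisement
	list icmp_type		neighbour-solicitation
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT
	option enabled		'0'
"""

# What stops working when a given default rule is switched off (my summary,
# assumption: names match the CC/DD defaults quoted in the thread).
CONSEQUENCE = {
    "Allow-DHCP-Renew": "DHCP server traffic to UDP/68 on the WAN that matches no "
                        "existing connection is dropped; lease renewal can fail",
    "Allow-Ping": "the router no longer answers ICMP echo from the WAN",
    "Allow-IGMP": "IGMP from upstream (multicast/IPTV) is dropped",
    "Allow-DHCPv6": "no DHCPv6 lease/prefix from the ISP (link-local UDP 547 -> 546)",
    "Allow-MLD": "MLD listener reports/queries from the WAN link are dropped",
    "Allow-ICMPv6-Input": "router loses RA/NDP and path MTU discovery (packet-too-big)",
    "Allow-ICMPv6-Forward": "LAN hosts lose IPv6 path MTU discovery and ping/traceroute replies",
}


def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {key: value or [values]})."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # handles 'quoted' values
        if not tokens:
            continue
        kind, rest = tokens[0], tokens[1:]
        if kind == "config":
            sections.append((rest[0], {}))
        elif kind == "option" and len(rest) == 2:
            sections[-1][1][rest[0]] = rest[1]
        elif kind == "list" and len(rest) == 2:
            sections[-1][1].setdefault(rest[0], []).append(rest[1])
    return sections


def rule_enabled(opts):
    """UCI treats a missing 'enabled' as on; LuCI writes enabled '0' to turn a rule off."""
    return opts.get("enabled", "1") not in ("0", "off", "false", "no")


def disabled_default_rules(text):
    """Return {rule_name: consequence} for every known default rule that is off."""
    findings = {}
    for kind, opts in parse_uci(text):
        if kind == "rule" and not rule_enabled(opts):
            name = opts.get("name", "(unnamed)")
            if name in CONSEQUENCE:
                findings[name] = CONSEQUENCE[name]
    return findings


if __name__ == "__main__":
    for name, why in disabled_default_rules(SAMPLE_FIREWALL).items():
        print(f"{name} is disabled: {why}")
```

On a real router you would feed it the output of `cat /etc/config/firewall`; the point is that each flagged rule is an input or forward exception needed for a protocol the router itself relies on, not an extra listening service, so the hardening question is "what breaks" rather than "what is exposed".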

Thanks, that's what I wanted to know.
Also, I had the Qualys online vulnerability scanner hitting my router; it found only "info" results. Having those default rules enabled or not did not make a difference.

Now I can go on to discover OpenWrt hyperspace ;-)

BTW: This book http://weidner.in-bad-schmiedeberg.de/a … -firewall/
is about to be released. I am already subscribed for the first edition! Pity it's only in German...

The discussion might have continued from here.