Hello,
I installed default OpenWrt for the WNDR3700. Then I saw some forwardings and traffic rules enabled by default.
Thinking every rule is a hole in the firewall, I disabled them all.
Is that reasoning correct? Or are the rules creating extra security?
Here are the rules which I disabled:
IPv4-TCP+UDP
From any host in any zone
Via any router IP
any host in any zone
******************************************
Allow-DHCP-Renew
IPv4-UDP
From any host in wan
To any router IP at port 68 on this device
Accept input
******************************************
Allow-Ping
IPv4-ICMP with type echo-request
From any host in wan
To any router IP on this device
Accept input
******************************************
Allow-IGMP
IPv4-IGMP
From any host in wan
To any router IP on this device
Accept input
******************************************
Allow-DHCPv6
IPv6-UDP
From IP range fe80::/10 in wan with source port 547
To IP range fe80::/10 at port 546 on this device
Accept input
******************************************
Allow-MLD
IPv6-ICMP with types 130/0, 131/0, 132/0, 143/0
From IP range fe80::/10 in wan
To any router IP on this device
Accept input
******************************************
Allow-ICMPv6-Input
IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type, router-solicitation, neighbour-solicitation, router-advertisement, neighbour-advertisement
From any host in wan
To any router IP on this device
Accept input and limit to 1000 pkts. per second
******************************************
Allow-ICMPv6-Forward
IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type
From any host in wan
To any host in any zone
Accept forward and limit to 1000 pkts. per second
******************************************
-
Any IPSEC-ESP
From any host in wan
To any host in lan
Accept forward
******************************************
-
Any UDP
From any host in wan
To any host, port 500 in lan
Accept forward
(Last edited by handango on 14 Feb 2016, 20:49)
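For comparison, here are several of these rules in the UCI form they take in OpenWrt's stock /etc/config/firewall (an added illustration, not text from the post above); the comments explain what each entry permits relative to the wan zone's REJECT input policy. It assumes Chaos Calmer-era defaults with the post's lan and wan zone names, and shows the wan zone, the two DHCP rules and the two unnamed IPsec rules.

```uci
# wan zone: everything arriving from the Internet is rejected unless a
# rule below explicitly accepts it (OpenWrt default policy)
config zone
    option name       wan
    list   network    'wan'
    list   network    'wan6'
    option input      REJECT
    option output     ACCEPT
    option forward    REJECT
    option masq       1
    option mtu_fix    1

# accepts DHCP server traffic to the router's own client port 68 so the
# ISP can renew the WAN lease; nothing is forwarded into lan
config rule
    option name       Allow-DHCP-Renew
    option src        wan
    option proto      udp
    option dest_port  68
    option target     ACCEPT
    option family     ipv4

# DHCPv6 (like the MLD rule) is restricted to link-local fe80::/10
# addresses, which are not routable from beyond the ISP's first hop
config rule
    option name       Allow-DHCPv6
    option src        wan
    option proto      udp
    option src_ip     fe80::/10
    option src_port   547
    option dest_ip    fe80::/10
    option dest_port  546
    option family     ipv6
    option target     ACCEPT

# the two unnamed rules: IPsec passthrough from wan into lan, the only
# pair that opens forwarding; only needed if a lan host terminates IPsec
config rule
    option src        wan
    option dest       lan
    option proto      esp
    option target     ACCEPT

config rule
    option src        wan
    option dest       lan
    option dest_port  500
    option proto      udp
    option target     ACCEPT
```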