The firewall is generally working on my OpenWRT router (TD-W8970). 4 computers are connected via LAN cables with the router. However I'm facing some SSDP packets that I don't want to be carried around my network. They use the UDP port 1900, but they aren't UDP, they're SSDP. So trying to block these network ports with the following rule doesn't work:
config rule
        option name 'NOSSDP'
        option proto 'ssdp'
        option src_port '1900'
        option dest_port '1900'
        option family 'any'
        option target 'DROP'
Setting option proto to 'udp' doesn't change the situation either. Is it the wrong approach to use /etc/config/firewall for the task of denying all the SSDP packets?
It is definitely SSDP traffic here. It uses the UDP port 1900, as it says in the wiki article too. Requests go from one computer (running the program PowerDVD, which is the source of the SSDP calls) to 184.108.40.206, so multicast.
Using SSDP in firewall.user like that unfortunately doesn't work:
iptables -A INPUT -p ssdp --dport 1900 -j DROP
... because the response when restarting the firewall is:
iptables v1.8.3 (legacy): unknown protocol "ssdp" specified
In addition to "INPUT", I also made entries for "OUTPUT" and "FORWARD" to definitely have every case on the list.
Now, I've read somewhere that iptables with strings can be used for filtering SSDP. Installing iptables-mod-filter on my device was necessary for that. I'm experimenting with that at the moment.
My goal is to make all four ports able to connect to the internet. Do I need to create a bridge interface, or is it right to just stick all the interfaces together in one LAN interface? Unfortunately with this configuration, only the first VLAN (Port 2, my main computer) gets a DHCP address. Could you tell me what I'm doing wrong?
Local [broadcast] traffic does not pass a firewall.
Additionally, usually multicast packets only have a TTL of 1, meaning a router drops them anyways.
Most ISPs are not multicast enabled to other networks.
Machines usually have to be running software to listen for/receive multicast traffic.
You'd have to block udp/1900 on all LAN machines.
Can you show this to us?
Why don't you disable/block it on this one computer then?
(e.g. tell Windows Firewall that the PowerDVD EXE cannot use the network...or cannot go to LAN...or cannot go to the multicast subnet/SSDP IP, etc.)
I don't want to learn how to configure insulated solutions, I want to be powerful with OpenWRT across different devices (Linux, Windows, old, new). If only it were that easy! But thank you so far, I'm understanding more now!
Ehm... I'm a bit paranoid with my network. It's not that much about PowerDVD now. It could be every other software, chatting over the network without asking. Some might not even be configurable! Microsoft systems... well, they have their use cases, but blindly trusting it online, no, 0%. Microsoft opened up the Hosts file so that certain Microsoft servers can't be blocked anymore (since XP)! Maybe type in "dnsapi.dll Hosts" in your search engine of choice, to find more about that.
Maybe you're confused; OpenWrt cannot block traffic that never passes it. Since you control the source machine (I assume), you just stop it from producing the traffic, simple. Also as already noted, WAN traffic is blocked by default on OpenWrt.
Then you want a military-grade network. In most other use cases, LAN traffic is trusted.
Is this OpenWrt related - or related to your inquiry about blocking SSDP???
I don't understand how this article relates to what you're trying to block.
The one way I could imagine this attack bypassing OpenWrt's firewall is if there's a compromised host on your LAN sending spoofed packets to your LAN and inducing LAN devices to send SSDP responses to an internet host.
You can mitigate this by dropping all UDP traffic from port 1900 headed to the wan zone.
But note, if there's a compromised host on your LAN it could just flood the uplink with attack packets by itself; there'd be no need to induce other LAN hosts to do so. Therefore this mitigation procedure is only barely relevant.
Actually, when I think about it... the example about SSDP is not that important, it was just an example of some kind of traffic that didn't get blocked by the firewall (for the reason of it being LAN-to-LAN traffic). Thank you, you've helped me to understand firewalls better!
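The lan-to-wan drop described above, written out as an /etc/config/firewall fragment (an added example, not posted by anyone in this thread); it assumes the default OpenWrt zone names 'lan' and 'wan', and the second rule uses the SSDP multicast group 239.255.255.250, which the thread itself does not name.

```uci
# Mitigation from the thread: drop UDP packets leaving the LAN zone for the WAN
# zone with source port 1900, i.e. SSDP responses aimed at an internet host.
# Zone names 'lan' and 'wan' are assumed to be the OpenWrt defaults.
config rule
        option name 'Drop-SSDP-to-WAN'
        option src 'lan'
        option dest 'wan'
        option proto 'udp'
        option src_port '1900'
        option target 'DROP'

# For comparison, the corrected shape of the rule from the question: 'ssdp' is
# not an IP protocol name (iptables rejects it, see the error above), so the
# transport must be 'udp' and the SSDP multicast group is matched as the
# destination. Without 'option dest' this is an INPUT rule, so it only affects
# packets addressed to the router itself; LAN-to-LAN multicast stays on the
# bridge and never reaches these rules at all.
config rule
        option name 'Drop-SSDP-multicast-to-router'
        option src 'lan'
        option proto 'udp'
        option dest_ip '239.255.255.250'
        option dest_port '1900'
        option target 'DROP'
```

After editing the file, apply it with /etc/init.d/firewall restart and confirm the rule appears in the zone_lan_forward chain with iptables-save.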