Default firewall settings / rules

I just got OpenWRT up and running this afternoon and am very impressed. Of course I got the power I was looking for but was surprised not to be getting snagged on too many rough edges. (i.e. nice and polished experience 'out of the box') One area I was a bit surprised by was some of the default firewall settings / rules... I was expecting (and myself prefer) the defaults to be a bit more paranoid. For example:

Under Network->Firewall->General Settings->Zones->wan the default was reject/accept/reject rather than drop/accept/drop.

Under Network->Firewall->Traffic Rules there are a bunch of (IMO) unnecessary rules enabled by default. I assume each of these has a reason but haven't found anything that goes through rule-by-rule and the 'why' of them. (I did track down this: https://forum.archive.openwrt.org/viewtopic.php?id=62743 which mentions the ICMPv6 rules)

I assume there was a very good reason for the defaults to ship the way they are, so I guess I'm asking if there's any documentation out there as to why these are the recommended defaults vs. being a bit more locked down?

2 Likes

The question between reject and drop has been asked a couple of times, please check the forum for prior discussions - in short, dropping packets doesn't gain you much in terms of security or "stealthiness", but is a nightmare for debugging (or even impossible, regarding ICMPv6 echo replies, without breaking IPv6 altogether).

2 Likes

Probably true that the dhcp-renew, igmp and ipsec/isakmp rules are not needed by the vast majority of users and could easily be disabled by default.
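Added example, not from this thread or from OpenWrt's own tooling: a small Python audit that reads a UCI-format firewall config and reports the two things the original post and the reply above are looking at, the wan zone's input/forward policy and every enabled rule that accepts traffic arriving from wan. The embedded config is a constructed subset modelled on the stock /etc/config/firewall (not a copy of any release), and the function names are assumptions of mine.

```python
# Constructed sample in UCI syntax, modelled on the stock /etc/config/firewall
# (a subset, not a copy of any release); 'option enabled 0' is how a rule is turned off.
SAMPLE = """
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option dest_port '500'
    option target 'ACCEPT'
    option enabled '0'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, {option: value}) pairs in file order."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections

def audit(text):
    """Return ({zone: (input, forward)}, [(rule name, what it opens)]) for enabled ACCEPT rules from wan.
    A rule without 'dest' reaches the router itself (input); with 'dest' it is forwarded on."""
    zones, wan_accepts = {}, []
    for kind, opts in parse_uci(text):
        if kind == "zone":
            zones[opts["name"]] = (opts.get("input"), opts.get("forward"))
        elif (kind == "rule" and opts.get("src") == "wan"
              and opts.get("target") == "ACCEPT" and opts.get("enabled", "1") != "0"):
            hole = f"{opts.get('proto', 'any')}/{opts.get('dest_port', '*')} -> {opts.get('dest', 'router')}"
            wan_accepts.append((opts.get("name", "?"), hole))
    return zones, wan_accepts
```

On a router, feeding it the real file (`audit(open('/etc/config/firewall').read())`) lists exactly which of the default allow rules are still live after you disable the ones you do not use.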