I had an issue with acme, but thought it was a firewall issue (it wasn't), so I spent time today going through the actual iptables that are generated in OpenWRT. Can someone give me a sanity check? Running 18.06.4 on a Linksys WRT1900ACS with luci.
Here's what I think I know:
The luci interface firewall option configures something called fw3, which writes config to /etc/config/firewall, which something during boot turns into iptables/netfilter entries. So if I look at iptables directly I see what's generated. These are supplemented by things I can add to the custom rules section (I have a few for openvpn).
So I went through the generated iptables, and it made sense, but I noticed that INPUT and OUTPUT both had a default policy of ACCEPT, which surprised me especially for INPUT.
So I put a logging statement on the fall-through for INPUT and got a ton of stuff, for example DNS queries and my own SSH session. The path it builds (INPUT -> zone_lan_input -> input_lan_rule (empty) -> zone_lan_src_ACCEPT) misses a lot (namely anything not ctstate=new/untracked), which falls through and is accepted anyway.
Did I break this in some fashion, or is this the default?
I see a GUI option to reset this (at least I think it will), but then I worry that I will be missing explicit rules for basic stuff, like SSH access, HTTP access, DNS, etc. I guess I had assumed installing these features was somehow setting up rules, but it looks like they fall through under the default policy for INPUT. I can see interface limits on SSH, for example, but have no idea what else is getting through (though if I dig a lot in this log I can find it).
Can someone speak to the philosophy of how this normally works?
For a secure system, should I have started by changing all the ACCEPTs to DROP and then allowing what I can't make work? (Or did I actually somehow change it to ACCEPT myself?)
Sadly I'm more of a Cisco ASA person, so I can somewhat get by with iptables, but I am only vaguely starting to understand this process (what's the proper name, "fw3"?), so apologies if this is all fairly obvious.
Incidentally I looked at this page:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration
which I'm hoping is the most recent, and got confused down at the bottom where it says that the "defaults" section has accept for input/output, but then right under it says the default for all is reject, so, short of wiping my system to defaults, I'm not quite sure how to tell what the "default" really is.
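An added audit helper (example code, not from the post or from OpenWrt/fw3) for the kind of sanity check asked about above: it parses `iptables -S` output, reports the built-in chains' fall-through policies, follows the `-j` jumps out of INPUT to reconstruct the zone chain path, and checks whether ESTABLISHED reply traffic is accepted by an explicit conntrack rule before the zone dispatch rather than being left to the chain policy. The rule dump here is a constructed sample built from the chain names in the post, not a capture from a real router; on a device you would feed it the real `iptables -S` output.

```python
import re
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample of `iptables -S` output using the chain names from the post (not a real capture).
SAMPLE = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br-lan -j zone_lan_input
-A zone_lan_input -j input_lan_rule
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
"""

def parse_rules(dump):
    """Split `iptables -S` output into {chain: policy} and {chain: [rule lines]}."""
    policies, rules = {}, {}
    for parts in (ln.split() for ln in dump.splitlines() if ln.strip()):
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.setdefault(parts[1], []).append(" ".join(parts))
    return policies, rules

def jump_target(rule):
    """Target of the rule's -j, or None for a rule with no jump."""
    m = re.search(r"(?:^|\s)-j\s+(\S+)", rule)
    return m.group(1) if m else None

def walk_jumps(rules, chain):
    """User chains reached from `chain`, in evaluation order (depth first)."""
    seen = []
    def visit(c):
        for t in map(jump_target, rules.get(c, [])):
            if t and t not in TERMINAL and t not in seen:
                seen.append(t)
                visit(t)
    visit(chain)
    return seen

def established_accepted_first(rules, chain="INPUT"):
    """True if ESTABLISHED traffic is accepted by an explicit rule before any zone jump."""
    for rule in rules.get(chain, []):
        t = jump_target(rule)
        if t == "ACCEPT" and "--ctstate" in rule and "ESTABLISHED" in rule:
            return True
        if t and t.startswith("zone_"):
            return False
    return False
```

If `established_accepted_first` returns False for your real dump, replies to your own SSH and DNS sessions are reaching the end of INPUT and surviving only because the policy is ACCEPT, which is exactly what the fall-through log would show.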