Firewall - Default Traffic Rules - What do i need?


there are a number of traffic rules enabled on a fresh build of openwrt. As i understand some of them are for some VPNs (Cisco IPSEC and the like) to work. It is hard for me to understand what the other rules do. Is it save to disable them?

My openwrt-router is directly connected to the internet through the router of my ISP in bridge mode (router forwards public ip to LAN ports), so i am in need of a safe firewall.

Leave it as it is. The defaults provide a sufficiently secure firewall setup.

Ok thanks, but can you help me with understanding them?

I already disabled "Allow-Ping" as i think, i do not need to ping my router from wan.
I disabled "Allow-DHCP-Renew" and "Allow-DHCPv6" as my modem gets the public IP and forwards it.
I disabled "Allow-IPSec-ESP" and "Allow-ISAKMP" (not shown below) as i am not using these VPNs and my work-VPN seems to work fine without them.

I had all of them disabled for today and have not noticed any difference.

Turning this off is probably unlikely to break a lot of things. Sometimes it might get used for some VPN or tunnel setups to monitor whether your end is operational. Or if you're doing certain network/connectivity troubleshooting activities. But, on the other hand, having it enabled is not a security risk.

How is your WAN interface setup on the openwrt device? In setups such as yours (ISP router in bridge mode) it's not uncommon for the public IP to be passed through by DHCP, which would need those (or at least the Allow-DHCP-Renew) firewall rules to be enabled. In any event, leaving them both enabled is very very very very very unlikely to be a security risk.

As with the ping rule, you'll probably be fine with these disabled. But again, it's not really a security risk to leave them enabled. And if, at some point in the future, you do switch to a VPN which requires them how likely are you to remember you disabled these rules when trying to figure out why it doesn't work?

In short, while you can disable some of the default rules if you want, there is no need to do so in order to have/maintain a secure firewall setup.

Thanks for your detailed information. :slight_smile:
I guess, i will leave them unchanged.