Firewall OUTPUT chain set to DROP, not working as expected

Setup:
OpenWrt_Device <--> WAN <--> PC

Use case 1: all OUTPUT chains set to DROP

  1. PC pings OpenWrt_Device using v4. Ping works
  2. PC pings OpenWrt_Device using v6. Ping not working/blocked

Use case 2: all OUTPUT chains set to ACCEPT

  1. PC pings OpenWrt_Device using v4. Ping works
  2. PC pings OpenWrt_Device using v6. Ping works

What is the correct behavior here?

Firewall config is as below.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option output 'DROP'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option output 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

Version: 19.07-Stable

You actually failed to show your fix or clearly mark it; or are you asking for a fix?

  • It seems you perhaps have a WWAN and added it?
  • Is your IPv6 a tunnel interface, a PD or just link local IPs?
  • Do you allow Ping on IPv6 (this is likely so)?
  • If the device is WAN, why do you believe the global DROP setting applied?

I'm trying to understand the behavior of the firewall: why IPv4 & IPv6 have different behavior for the same configuration.

WWAN is added explicitly. Out of scope for this use case.
No IPv6 tunnel interface. br-lan->eth0, br-wan->eth1
No other traffic/forwarding rules set.
Didn't understand the last point. Not only global but zone settings are also set to DROP. What gets precedence here, GLOBAL or ZONE settings?

I've read your post multiple times but having trouble understanding what you want to achieve / expect to see.

So you're pinging your OpenWrt device's wan interface and you expect OpenWrt to discard the ICMP echo replies it generates locally to respond to the incoming pings? Or what's the reason for dropping OUTPUT and not INPUT?

The firewall program will stage a generic related accept rule in output:

root@jj:~# fw3 print 2>/dev/null | grep OUTPUT | grep RELATED
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

This means that replies related to established flows are always allowed, regardless of the global policy. The likely reason why IPv4 worked and IPv6 did not is that your output drop policy discarded unrelated but important ICMPv6 messages like neighbour discovery packets, which prevents IPv6 from working properly.

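An added audit check (example code written for this page, not from the thread or from fw3/OpenWrt): given ip6tables-save output, it reports which router/neighbour discovery types have no ACCEPT path when the OUTPUT policy is DROP, which is the gap described above. The dump is constructed; the script assumes fw3's layout of OUTPUT jumping to zone_*_output chains whose accept targets end in ACCEPT.

```shell
#!/bin/sh
# Audit an ip6tables-save dump: when the filter OUTPUT policy is DROP, list the
# ICMPv6 router/neighbour discovery types (133-136) with no ACCEPT path from
# OUTPUT. Only OUTPUT and chains it jumps to directly are checked, and any target
# ending in ACCEPT (fw3's zone_*_dest_ACCEPT included) counts as accepting.
# Constructed sample (not a real router dump): 135 and 136 allowed, 133 and 134 not.
SAMPLE_DUMP='*filter
:OUTPUT DROP [0:0]
:zone_wan_output - [0:0]
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A zone_wan_output -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A zone_wan_output -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
COMMIT'

# output_policy DUMP -> prints the filter OUTPUT chain policy (ACCEPT/DROP)
output_policy() {
    printf '%s\n' "$1" | awk '$1 == ":OUTPUT" { print $2; exit }'
}

# nd_gaps DUMP -> prints the ND types lacking an ACCEPT path; returns 1 if any
nd_gaps() {
    [ "$(output_policy "$1")" = "DROP" ] || return 0   # non-DROP policy passes ND anyway
    missing=$(printf '%s\n' "$1" | awk '
        BEGIN { name["router-solicitation"] = 133; name["router-advertisement"] = 134
                name["neighbour-solicitation"] = 135; name["neighbour-advertisement"] = 136 }
        { line[NR] = $0 }
        $1 == "-A" && $2 == "OUTPUT" {                 # user chains OUTPUT jumps into
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i+1) !~ /^(ACCEPT|DROP|REJECT|RETURN)$/) reach[$(i+1)] = 1
        }
        END {                                          # collect accepted ICMPv6 types
            for (n = 1; n <= NR; n++) {
                c = split(line[n], f, " ")
                if (f[1] != "-A" || !(f[2] == "OUTPUT" || (f[2] in reach))) continue
                type = ""; tgt = ""
                for (i = 1; i < c; i++) {
                    if (f[i] == "--icmpv6-type") type = (f[i+1] ~ /^[0-9]+$/) ? f[i+1] : name[f[i+1]]
                    if (f[i] == "-j") tgt = f[i+1]
                }
                if (type != "" && tgt ~ /ACCEPT$/) ok[type] = 1
            }
            for (t = 133; t <= 136; t++) if (!(t in ok)) gaps = gaps (gaps == "" ? "" : " ") t
            print gaps
        }')
    [ -z "$missing" ] && return 0
    printf 'ICMPv6 types with no ACCEPT path from OUTPUT: %s\n' "$missing"
    return 1
}
```

On the router itself the same function can be fed the live ruleset with `nd_gaps "$(ip6tables-save)"`; an empty result with exit status 0 means neighbour and router discovery will still leave the box under the DROP policy.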

I was testing/understanding the firewall in general, nothing particular to achieve. Initially I just tried with IPv4 and saw it working.
Like you mentioned, since the packet hits the INPUT chain and connection tracking marks the flow as accepted, the OUTPUT chain is not hit. Probably to make packet traversal faster?

However, when testing with IPv6, the ICMPv6 drop happens, which created a mismatch in behavior when seen from a top level.