Firewall: reject output WAN by default

Greetings,

Is it possible to change the default policy to REJECT packets from "lan" to "wan", and instead specifically list what should have access to send out? Is there a firewall hardening guide for OpenWRT?

Why? I'd like to make it more difficult for malicious people/programs..

Example:

Allow established lan to wan
Allow lan to wan:80
Allow lan to wan:443
Allow lan to wan:53

There's nothing stopping you, technically, from doing this with the firewall. But keep in mind that you'll likely break a lot of things in the process. It is not unreasonable to take this approach if you are really trying to limit the network to specific purposes -- this could be useful in the case of a business or educational environment where there may be a desire to have web access and nothing else (in this case, you've listed web and dns), but you need to decide what is allowed and what is not and then account for all the other legitimate uses that happen over other ports -- for example, email (commonly IMAP and SMTP) which are standardized but may still differ from service to service, streaming services, games, and the list goes on. It is worth noting that such firewall restrictions won't do all that much to restrict what someone might do with the services that are permitted -- for example, allowing the web to work means that social media also works, and won't stop someone from doing something questionable using those services, viewing web content you wish to restrict, etc. And there's nothing to say that nefarious people/programs might not just use the standard ports for communication anyway.

The better approach, IMO, is to create a separate network for untrusted devices/people and apply firewall rules as appropriate. For example, if your intent is to protect your data on your computer or network storage, keeping untrusted devices isolated on a different network will make it very hard (if not impossible) for an IoT device (for example) to exfiltrate such data. If you are trying to limit access to specific content/services, that might require adding firewall rules and/or more sophisticated netfiltering.


I'll second @psherman.
Should you still want to do it, just remove the lan->wan forwarding (in the lan zone, untick the wan zone under the destination zones that forwarding is allowed to).
Then manually add forward rules.


They’re already 10 steps ahead of you. Too easy to detect “strange” traffic if it’s on a strange port. They already use common ports and often the same protocol. Did you know you can run an encrypted tunnel over DNS?


Thank you, Gentlemen?

I now have IoT devices on a separate network, but how do I now access their services from inside lan?

Example 1: wireless printer
I assume I need to set up an iptables rule to allow ports (515, 721-731, 9100) from lan to guest, and allow established connections?
What are some example rules I can use?

Example 2: wireless camera
I assume I need to allow ftp (ports 20, 21) from guest to lan? This one makes me really nervous, using ftp in clear text...
What are some example rules I can use?

It's cleartext only for people able to sniff the traffic, but your WLAN is WPA2 AES encrypted, I guess. Also, I would isolate clients (in advanced settings).

When specifying BOTH zones, you are configuring FORWARD, neither INPUT nor OUTPUT.

ulmwind,

Can you provide a little more detail? How would I set up firewall rules to allow connectivity from lan to guest for certain ports?

I believe I want to allow two way traffic over certain ports as long as the connection initiated from the lan network (established, I think it's called).

See Rules section: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules

In fw3, the src and dest are tied to the target:

  • If src and dest are given, the rule matches forwarded traffic

  • If only src is given, the rule matches incoming traffic

  • If only dest is given, the rule matches outgoing traffic

  • If neither src nor dest are given, the rule defaults to an outgoing traffic rule

You should specify both src and dest, other parameters are at your choice. You don't need to specify reverse forward (connection tracking implements it).
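As an added example (not code from this thread or from OpenWrt's shipped configuration), here is an /etc/config/firewall fragment in fw3 syntax that combines the original request (no blanket lan to wan forwarding, only DNS and web allowed out) with the printer case from the follow-up (lan may reach the IoT printer on ports 515, 721-731 and 9100). The zone name 'iot', its network name and the printer address 192.168.3.10 are assumptions.

```uci
# Added example (not from the thread): /etc/config/firewall fragment in fw3 syntax.
# The zone name 'iot', its network name and the printer address are assumed.

config defaults
	option input	'ACCEPT'
	option output	'ACCEPT'
	option forward	'REJECT'

config zone
	option name	'iot'
	list network	'iot'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'

# No 'config forwarding' section from lan to wan (or lan to iot) is present;
# that is the "untick wan" step. Inter-zone traffic that no forwarding section
# or rule accepts falls through to the 'config defaults' forward policy
# (REJECT). Each rule below sets both src and dest, so it is a FORWARD rule;
# replies are matched by connection tracking, so no reverse rule is needed.

config rule
	option name	'Allow-lan-wan-dns'
	option src	'lan'
	option dest	'wan'
	option proto	'tcp udp'
	option dest_port	'53'
	option target	'ACCEPT'

config rule
	option name	'Allow-lan-wan-web'
	option src	'lan'
	option dest	'wan'
	option proto	'tcp'
	option dest_port	'80 443'
	option target	'ACCEPT'

# Printer in the iot zone: lan may open connections to its print ports only.
config rule
	option name	'Allow-lan-iot-printer'
	option src	'lan'
	option dest	'iot'
	option family	'ipv4'
	option dest_ip	'192.168.3.10'
	option proto	'tcp'
	option dest_port	'515 721-731 9100'
	option target	'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` and confirm the result with `iptables-save` (or `fw3 print`) before relying on it.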

ulmwind, I believe this will also work?

Maybe, but I don't know how it is implemented in LuCI. You can try, but post /etc/config/firewall

This rule allows all traffic from lan to iot.

@trendy

Correct, that's my limited understanding. This should allow me to initiate connections from the trusted lan network to the semi-trusted network iot (and its reply, once established). Is this a dumb idea?

i.e. it will allow me to leverage a printer and various other embedded-type electronic devices w/o having to specify port/proto for every IoT device.

Yes, this is correct.