Firewall rules (forwarding)

If I go to Network > Firewall > General Settings, and set 'Forward' to 'drop' in the general settings and zones, how is it possible that OpenWRT continues to forward traffic?

This is the policy for the default action, when there is no other rule to govern the forwarded traffic.
The lan -> wan forwarding is allowed in the factory config, hence it won't hit the default action, which by the way is to reject in the forwarding.

1 Like

You can clear states using conntrack tool.

General settings are only applicable in cases where any zone settings or rules don't apply (or were never assigned). You would block forwarding in the applicable SRC or DST zone located on the lower section of the same page you mentioned (e.g., to stop Internet on a default OpenWrt, either edit the LAN zone to remove the 'Allow Forwarding to WAN' setting - or, the same is located under WAN as 'Allow Forwarding from LAN').

There is a common misunderstanding of the meaning of forward in the zone settings.

The zone level forward rule controls forwarding between two or more networks that are in the same firewall zone. This is intra-zone forwarding. If that is set to accept, it will allow those networks to communicate with each other unless there are any other rules filtering/prohibiting those connections. Likewise, drop or reject will prevent the networks from communicating unless other rules allow it.

The general settings work the same way but only for networks that are not assigned to a firewall zone.

This is different than the forwarding rules that you see between zones (inter-zone) such as the lan > wan forwarding that is part of the default firewall config.

4 Likes
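To make the three meanings of "forward" concrete, here is an annotated `/etc/config/firewall` in UCI syntax (an added example, not text from the posts above). The `lan` and `wan` zones and the `lan` -> `wan` forwarding match the stock OpenWrt defaults; the `guest` zone with its two networks is a constructed addition used only to show intra-zone forwarding.

```uci
# General settings: the fall-through policy. It only governs traffic that
# no zone and no rule has claimed, e.g. an interface not assigned to any zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zone-level 'forward' is intra-zone: traffic between networks listed in
# this same zone. With a single network in the zone it has nothing to act on.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Constructed example: two networks in one zone with intra-zone forwarding
# rejected, so 'guest' and 'iot' clients cannot reach each other, while each
# can still be granted WAN access through an inter-zone forwarding below.
config zone
	option name 'guest'
	list network 'guest'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Inter-zone forwarding: this is the "Allow Forwarding to WAN" item on the
# LAN zone. Traffic matching it never reaches the defaults policy above;
# removing this section is what actually stops LAN clients reaching the WAN.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'
```

After editing the file, `/etc/init.d/firewall restart` reloads the ruleset; existing connections already tracked by conntrack keep flowing until their state expires or is cleared.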

It's very confusing.

The OpenWRT firewall doesn't follow the same logic as iptables?

It perfectly follows iptables logic - established states and earlier rules happen before fall-through action.

It indeed does.

OpenWrt configured fw3 and fw4 into various chains that result in a zone-based firewall. All interfaces are assigned to a zone and hence configured into the proper firewall chains.

Any interfaces or PHYs not assigned use the General rules.

The zones therefore are:

  • Input - into router (regardless of DST IP or where it's assigned on the OpenWrt)
  • Output - from router [into this zone]
  • Forward - between interfaces in the same zone

Hope this helps.

2 Likes

drop forward by default is not "stop all forwarding", it is "drop packets that fall through other rules"

2 Likes

If OpenWRT followed the same logic as iptables, then 'forward' would refer to packets forwarded to other hosts.

And is it any different?

1 Like

It does refer to that. Like any other device (i.e., running Linux with IP Forwarding enabled), you must physically connect another device to an interface - to which you will forward said traffic.

Same as when it was iptables based.