Firewall startup gets it wrong

Recently upgraded to 23.05.3, and I've noticed that the firewall startup (fw4?) gets it wrong.
I have one wan, and then 2 lan interfaces in the 'z_lan' zone. The 'lan' interface has routable IPv4 addresses (/29), and I'd like the wan->lan forwarding to drop new incoming requests rather than rejecting them.

A stripped down version of /etc/config/firewall is:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'z_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'
        list network 'lan2'

config zone
        option name 'z_wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'z_lan'
        option dest 'z_wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'z_wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCPv6'
        option src 'z_wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

When I start the firewall, I notice that new incoming requests to hosts on the /29 are being rejected, not dropped.

chain "forward" has:
iifname "pppoe-wan" jump forward_z_wan comment "!fw4: Handle z_wan IPv4/IPv6 forward traffic"
which is:

                jump drop_to_z_wan
        }

(note that's "drop to z_wan"), and that's:

                oifname "pppoe-wan" counter drop comment "!fw4: drop z_wan IPv4/IPv6 traffic"
        }

which surely is wrong - it's looking for packets egressing on pppoe-wan, which is the device the packets ingressed on. I'm sure it should be calling "drop_from_z_wan".
The upshot is the firewall ignores the 'DROP' option on the z_wan zone, and falls back to the global 'REJECT' option.
If I switch the z_wan zone to REJECT rather than DROP, then the flow ends up on "reject_to_z_wan" which is wrong in the same way (in my eyes), should be "reject_from_z_wan".

The input option in the zone governs how the firewall reacts to traffic from interfaces in that zone trying to access the router, not traffic that's intended to be forwarded to a different zone.

If you want to drop requests either change the default forward from 'REJECT' to 'DROP', or add a specific firewall rule to drop that traffic.


It has no place to forward to by large?

Do something like this:

config rule
   option src 'wan'
   option dest 'lan'
   option target 'DROP'

config forwarding is intended to work in conjunction with NAT. When you are doing symmetric routing, use regular rules.

Just need to make sure I can find these commands again:

nft add rule inet fw4 forward_z_wan jump drop_from_z_wan
nft -a list chain inet fw4 forward_z_wan
nft delete rule inet fw4 forward_z_wan handle

They've done what I wanted to do. Now I can consider your replies, thanks.

Doing it properly would be a better solution.

You have a misunderstanding of what the jump is intended for. The jump is meant to prevent forwarding between interfaces in the same zone. It looks awkward because the wan zone only has one interface in this scenario.

The default policy on the forward chain determines whether traffic from the wan can be forwarded to the lan. This traffic will fall through the existing rules in forward_z_wan (including jump to drop_to_z_wan) and return to the forward chain where the policy drop will prevent the wan traffic from reaching the lan.
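To make the precedence described in the two replies above concrete (the zone 'forward' option only covers traffic between interfaces of the same zone; an explicit 'config forwarding' entry accepts inter-zone traffic; everything else falls back to the 'config defaults' forward policy, which is why the poster sees REJECT), here is a small model written for this thread. It is an added example, not fw4 or OpenWrt code: it parses UCI syntax with a minimal parser, evaluates the poster's stripped-down config, and then evaluates the two fixes offered (an explicit DROP rule, or 'defaults' forward set to DROP). It ignores established/related state, device lists and rule options other than src/dest/target, and the assumption that a rule without a target means DROP is marked in the code.

```python
"""Added example (not OpenWrt/fw4 code): a model of the zone-based
forwarding semantics explained in the thread, applied to the poster's
stripped-down /etc/config/firewall."""
import shlex

# Constructed sample: the poster's config reduced to the parts that matter.
SAMPLE_CONFIG = """\
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'z_lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan2'

config zone
        option name 'z_wan'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'

config forwarding
        option src 'z_lan'
        option dest 'z_wan'
"""

# The explicit rule suggested in the thread, using this config's zone names.
DROP_RULE = """
config rule
        option name 'Drop-WAN-to-LAN'
        option src 'z_wan'
        option dest 'z_lan'
        option target 'DROP'
"""


def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of section dicts."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles the quoted values
        if tokens[0] == "config":
            current = {".type": tokens[1]}
            sections.append(current)
        elif tokens[0] == "option" and current is not None:
            current[tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif tokens[0] == "list" and current is not None:
            current.setdefault(tokens[1], []).append(tokens[2])
    return sections


def forward_verdict(sections, src_zone, dst_zone):
    """Verdict for a NEW connection forwarded from src_zone to dst_zone.

    Order mirrors the thread's description of forward_<src>:
      1. a 'config rule' with both src and dest set (first match wins),
      2. a 'config forwarding' src->dest entry accepts,
      3. the zone's own 'forward' option applies only when src == dest,
      4. otherwise the 'config defaults' forward policy applies.
    """
    defaults = next((s for s in sections if s[".type"] == "defaults"), {})
    zones = {s["name"]: s for s in sections
             if s[".type"] == "zone" and "name" in s}
    if src_zone not in zones or dst_zone not in zones:
        raise ValueError(f"unknown zone in {src_zone}->{dst_zone}")
    for s in sections:
        if (s[".type"] == "rule" and s.get("src") == src_zone
                and s.get("dest") == dst_zone):
            return s.get("target", "DROP")   # missing target: assumed DROP
    for s in sections:
        if (s[".type"] == "forwarding" and s.get("src") == src_zone
                and s.get("dest") == dst_zone):
            return "ACCEPT"
    if src_zone == dst_zone:
        return zones[src_zone].get("forward", defaults.get("forward", "REJECT"))
    return defaults.get("forward", "REJECT")


def demo():
    """Evaluate the poster's config and the two fixes offered in the thread."""
    posted = parse_uci(SAMPLE_CONFIG)
    with_rule = parse_uci(SAMPLE_CONFIG + DROP_RULE)
    with_drop_default = parse_uci(
        SAMPLE_CONFIG.replace("option forward 'REJECT'", "option forward 'DROP'"))
    return {
        "posted wan->lan": forward_verdict(posted, "z_wan", "z_lan"),
        "posted lan->wan": forward_verdict(posted, "z_lan", "z_wan"),
        "posted wan->wan": forward_verdict(posted, "z_wan", "z_wan"),
        "rule wan->lan": forward_verdict(with_rule, "z_wan", "z_lan"),
        "defaults DROP wan->lan": forward_verdict(with_drop_default, "z_wan", "z_lan"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

Running it shows the posted config giving REJECT for wan->lan (no rule, no forwarding, different zones, so the defaults policy decides), ACCEPT for lan->wan (the forwarding entry), DROP only for wan->wan (the zone's own option), and DROP for wan->lan under either fix. Either fix is a config change that survives a firewall restart, unlike the hand-added nft rule earlier in the thread.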

You're right, I don't understand the zone based firewall, and I think it's too much for a home user with 1 wan and 1 lan.
