Firewall zones forwards and rules

Hi all,

I just installed OpenWRT, but I have difficulties understanding the relation and meaning of forwardings, firewall chains and rules.

I noticed that there are forwardings that define where traffic originating from a specific zone can be forwarded, but I also noticed that forwarded traffic must be accepted at the destination zone (only visible by editing a zone). Then there is the input/output/forward chains that accept, reject or drop traffic. Where is that applied (interfaces?), what chains do what exactly (is input related to traffic going into a network?)? And lastly the rules, are the rules applied before they hit the chain policy?

I have to say that I found the documentation a bit unclear these topics. If someone can help me understand how this works I would be happy to help setting up some documentation for the website.

Not sure what you mean by this. You make settings for each zone. Another zone settings doesn't have bearing on another.

Documentation already exists, have you seen it?

https://openwrt.org/start?do=search&id=start&q=firewall

No, zones.

They are clearly stated.

They're applied in the proper location.

Do you have a device where you can view the firewall in the LuCI web GUI?

If so, that may help provide a better understanding - by visualizing it.

I would start with a few good tutorials on iptables. This one explains chains; this one explains tables, chains, and rules, and this one explains just about everything in immense detail.

I think I understand where I went wrong, I thought OpenWRT was using fw3 as firewall which I expected to be a zone-based firewall instead of the classic interface ones. However, I now understand that fw3 is just a wrapper around iptables which (afaik) doesn't do actual zone based filtering. I also expect that when zones are created, actually a new chain is created?

I have one question left though. When I change the input action of zone x to reject, I cannot reach the router, but according to the documentation it only applies to incoming zone traffic

Well traffic from your PC to the router is incoming traffic in the lan zone scope.

I guess this comes back to the zones that are not really zones right. The documentation talks about "incoming zone traffic", but I guess it's rejected because its coming out of the interface again which is (looking from other other interfaces) the entrance to the "zone".

Without knowing what you did exactly this is all just guesswork.

Wrong. Which is why the "wrapper" works in the manner it does.

I honestly think you are confusing the terms IN and OUT - as it relates to the perspective of the OpenWrt device. First, you are making reference to this table on the firewall page:

Name	Type	Required	Default	Description
input	string	no	DROP	Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.

• You change INPUT rule on LAN (usually br-lan/VLAN1/eth0.1) to DROP or REJECT.
• You connect a PC to LAN
• You cannot get: DHCP address, DNS lookup nor access the router via HTTP or SSH.

Since your PC is on LAN and trying to send a packet INTO the router, it won't work; because you set it to REJECT or DROP.

• Zone: LAN
• Direction of traffic: INPUT to device

Simple.

Thanks for your reply. I think you are right. Since OpenWRT makes use of zones I expected the input rule to be applied to a zone (so traffic going out of the interface, on the network) instead of an interface (or group of interfaces). I guess I have to see a zone as a set of interfaces instead of a network.

This might be helpful, since (as you may now know) you can actually assign multiple NICs, VLANs and bridges to a single firewall zone.

Perhaps you should think of it as FIREWALL Zones, instead of as NETWORK Zones.

I've found this topic on google while trying to deal with the difference between forwarding in zones and in firewall rules. Could anyone help me to solve the following issue:

1. There are LAN, WAN and OPT1 interfaces.
2. Each interface has its own firewall zone.
3. I am adding new firewall rule to allow forwarding Any traffic From any host in lan To any host in opt1

uci add firewall rule
uci set firewall.@rule[-1].name='Test'
uci set firewall.@rule[-1].src=lan
uci set firewall.@rule[-1].dest=opt1
uci set firewall.@rule[-1].target=ACCEPT

4. After adding this rule I am not able to ping host in OPT1 from LAN, but if I add zone forwarding then everything is going smooth.

uci add firewall forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=opt1

Why there is a difference between setting up forwarding using zones and setting up forwarding using rules?

Your rule doesn't specify option proto, hence a default of TCP+UDP is used, ping is ICMP however. Adding an option proto all should fix this.

Thank you! Now I understand that one more way to find this was to compare iptables --list outputs.

This is one without option proto all:

zone_opt1_dest_ACCEPT  tcp  --  anywhere             anywhere             /* !fw3: Test */
zone_opt1_dest_ACCEPT  udp  --  anywhere             anywhere             /* !fw3: Test */

and this is with option proto all:

zone_opt1_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Test */

There is one more think I cannot understand yet.

1. Default input, output and forward policies are DROP.
2. LAN input, output and forward policies are ACCEPT.
3. OPT1 input, output and forward policies are REJECT.
4. If no forward LAN -> OPT1 rule is created ping from LAN to OPT1 fails silently instead of "Destination port unreachable".
5. If I change default forward policy to REJECT then ping reports "Destination port unreachable".
6. If I change OPT1 forward policy to DROP then ping still reports "Destination port unreachable".

Why default policy matters but not OPT1 policy?

Default forward policy applies to any forwarded traffic not covered by rules or forwardings. Per-zone forward policy applies to traffic among different interfaces of the same zone only.