Fw3 defaults to REJECT

I am a bit uncomfortable with the following config in /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

I feel that means I give too much access to an interface I would have forgotten to add to a zone.

Knowing that I have set all my interfaces inside zone, that I have configured appropriately, is it ok to configure the defaults in the following way:

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option synflood_protect '1'

A specific doubt that I have is for the router itself. Given that it is not in a zone, will it be governed by these default values? So setting OUTPUT to reject would mean it cannot access the internet and INPUT would mean it cannot access the LAN? If that's the case, should I add my firewall to a specific zone (how?) so that I can set defaults to REJECT?

Thanks!
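The worry in the question is that an interface left out of every zone silently falls under the defaults section. One way to check for that condition offline is to parse the two UCI files and diff the interfaces defined in /etc/config/network against the networks referenced by the zones in /etc/config/firewall. The script below is an added example, not code from this thread or from the fw3 project; the two config texts are constructed samples, and the only assumptions are that zones reference networks via `option network` or `list network` and that loopback is intentionally left unzoned.

```python
import shlex

# Constructed sample /etc/config/network (not from the thread).
# 'guest' is defined here but deliberately never added to a zone below.
NETWORK_CONFIG = """
config interface 'loopback'
        option device 'lo'
        option proto 'static'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'guest'
        option device 'br-guest'
        option proto 'static'
"""

# Constructed sample /etc/config/firewall with REJECT defaults, as the
# question proposes. The zone input/output policies govern traffic to and
# from the router itself on that zone's interfaces; the wan zone here keeps
# output ACCEPT so the router can still reach the Internet.
FIREWALL_CONFIG = """
config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
"""


def parse_uci(text):
    """Parse UCI text into sections: type, optional name, options and lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the single-quoted values
        keyword, rest = tokens[0], tokens[1:]
        if keyword == "config":
            current = {"type": rest[0], "name": rest[1] if len(rest) > 1 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif keyword == "option" and current is not None:
            current["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif keyword == "list" and current is not None:
            current["lists"].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def zone_networks(firewall_text):
    """Map zone name -> set of networks it covers (option network or list network)."""
    zones = {}
    for sec in parse_uci(firewall_text):
        if sec["type"] != "zone":
            continue
        nets = set(sec["lists"].get("network", []))
        nets.update(sec["options"].get("network", "").split())
        zones[sec["options"].get("name")] = nets
    return zones


def unzoned_interfaces(network_text, firewall_text, ignore=("loopback",)):
    """Interfaces defined in the network config that no firewall zone references.
    Traffic on these falls through to the 'config defaults' policies."""
    interfaces = {s["name"] for s in parse_uci(network_text)
                  if s["type"] == "interface" and s["name"] and s["name"] not in ignore}
    covered = set()
    for nets in zone_networks(firewall_text).values():
        covered |= nets
    return sorted(interfaces - covered)


if __name__ == "__main__":
    for zone, nets in zone_networks(FIREWALL_CONFIG).items():
        print(f"zone {zone}: {sorted(nets)}")
    missing = unzoned_interfaces(NETWORK_CONFIG, FIREWALL_CONFIG)
    print("interfaces governed only by defaults:", missing or "none")
```

Run on a real router you would feed it the contents of the two files; an empty result means every defined interface is in some zone and the defaults section only matters for the corner cases mentioned later in this thread (no conntrack entry, undeterminable interface).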

There should never be such a case, and if you do, it means that you don't lock yourself out.

  • I actually thought all three were ACCEPT
  • If you always use the UCI, this can't occur
  • I change them to REJECT after configuring my device
  • :warning: The Default Rules also apply in some traffic cases when there is no connection tracking or the PHY cannot be determined (not common) :wink:

The router is the input and output of all zones, your conceptualization of the router being in no zone is incorrect.

No (unless it's an un-enumerated interface that connects to the Internet).

LOL...now I know that a previous thread was due to misunderstanding the iptables firewall. It's already in a zone (all of them). :slightly_smiling_face:


Ah of course, I actually knew that but still managed to confuse myself. Thanks, it's clear now.
