fw3 config has forwarding sections and rule sections.
I am a little confused as to why these 2 types exist. Could I just remove all forwarding sections, and only use rule? Is it only syntactic sugar?
In other words, is:
config forwarding
    option src 'lan'
    option dest 'wan'
strictly the same as:
config rule
    option src 'lan'
    option dest 'wan'
    option target 'ACCEPT'
?
Bonus question: how does fw3 translate its config to iptables config? Does it add rules to the default filter table of iptables, and only add the rule to the 3 default chains (INPUT, OUTPUT and FORWARD)?
hnyman
April 11, 2021, 10:01am
Yes
No. The structure is much more complex. It defines new chains for the various firewall zones.
See for yourself with iptables -L -v:
OpenWrt 21.02-SNAPSHOT, r15986-cc51d97200
-----------------------------------------------------
root@router1:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
261 21628 ACCEPT all -- lo any anywhere anywhere /* !fw3 */
29048 3214K input_rule all -- any any anywhere anywhere /* !fw3: Custom input rule chain */
12698 1750K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
3816 167K syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
9746 1094K zone_lan_input all -- br-lan any anywhere anywhere /* !fw3 */
6602 370K zone_wan_input all -- eth0.2 any anywhere anywhere /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
533K 1281M forwarding_rule all -- any any anywhere anywhere /* !fw3: Custom forwarding rule chain */
527K 1281M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
6466 500K zone_lan_forward all -- br-lan any anywhere anywhere /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 any anywhere anywhere /* !fw3 */
0 0 reject all -- any any anywhere anywhere /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
261 21628 ACCEPT all -- any lo anywhere anywhere /* !fw3 */
23795 3047K output_rule all -- any any anywhere anywhere /* !fw3: Custom output rule chain */
12425 2222K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
90 29504 zone_lan_output all -- any br-lan anywhere anywhere /* !fw3 */
11280 795K zone_wan_output all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain MINIUPNPD (4 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_test_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_test_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_test_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (3 references)
pkts bytes target prot opt in out source destination
5423 235K REJECT tcp -- any any anywhere anywhere /* !fw3 */ reject-with tcp-reset
351 66229 REJECT all -- any any anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
3814 167K RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
2 80 DROP all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
90 29504 ACCEPT all -- any br-lan anywhere anywhere /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
6466 500K forwarding_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
6466 500K zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3: Zone lan to wan forwarding policy */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
9746 1094K input_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
9746 1094K zone_lan_src_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
90 29504 output_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan output rule chain */
90 29504 zone_lan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
9746 1094K ACCEPT all -- br-lan any anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_test_dest_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
Chain zone_test_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
Chain zone_test_forward (0 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_test_rule all -- any any anywhere anywhere /* !fw3: Custom test forwarding rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_test_dest_REJECT all -- any any anywhere anywhere /* !fw3 */
Chain zone_test_input (0 references)
pkts bytes target prot opt in out source destination
0 0 input_test_rule all -- any any anywhere anywhere /* !fw3: Custom test input rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_test_src_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_test_output (0 references)
pkts bytes target prot opt in out source destination
0 0 output_test_rule all -- any any anywhere anywhere /* !fw3: Custom test output rule chain */
0 0 zone_test_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_test_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
207 8964 DROP all -- any eth0.2 anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
17539 1286K ACCEPT all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- any any anywhere anywhere /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
0 0 MINIUPNPD all -- any any anywhere anywhere
0 0 MINIUPNPD all -- any any anywhere anywhere
0 0 zone_wan_dest_REJECT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
6602 370K input_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
828 68526 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
0 0 ACCEPT igmp -- any any anywhere anywhere /* !fw3: Allow-IGMP */
0 0 ACCEPT ipv6 -- any any tserv1.sto1.he.net anywhere /* !fw3: HEnet IPv6 */
0 0 ACCEPT tcp -- any any anywhere router1.lan tcp dpt:ssh /* !fw3: wanSsh */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
5774 301K MINIUPNPD all -- any any anywhere anywhere
5774 301K MINIUPNPD all -- any any anywhere anywhere
5774 301K zone_wan_src_REJECT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
11280 795K output_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan output rule chain */
11280 795K zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
5774 301K reject all -- eth0.2 any anywhere anywhere /* !fw3 */
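To make the chain layout in the dump above concrete, here is a small tracer, added as an example here and not code from this thread or from fw3: it parses a condensed excerpt of that `iptables -L -v` output and follows the jumps for one packet the way netfilter would, so the lan-to-wan forwarding section shows up as the jump zone_lan_forward > zone_wan_dest_ACCEPT, while the Allow-ISAKMP entry (a config rule with target ACCEPT) shows up as a match-specific jump zone_wan_forward > zone_lan_dest_ACCEPT. The packet dictionary, the "unknown chain is empty" simplification and matching ports by the service name that -L prints are assumptions of this example, not fw3 behaviour.

```python
import re
# Condensed excerpt of the `iptables -L -v` dump posted above: counters zeroed, header rows and the
# empty custom/MINIUPNPD chains dropped (an unknown chain is treated as empty, i.e. it falls through).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
0 0 forwarding_rule all -- any any anywhere anywhere /* !fw3: Custom forwarding rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 zone_lan_forward all -- br-lan any anywhere anywhere /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 any anywhere anywhere /* !fw3 */
0 0 reject all -- any any anywhere anywhere /* !fw3 */
Chain reject (3 references)
0 0 REJECT tcp -- any any anywhere anywhere /* !fw3 */ reject-with tcp-reset
Chain zone_lan_forward (1 references)
0 0 forwarding_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
0 0 zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3: Zone lan to wan forwarding policy */
Chain zone_wan_dest_ACCEPT (2 references)
0 0 ACCEPT all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain zone_wan_forward (1 references)
0 0 zone_lan_dest_ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
Chain zone_lan_dest_ACCEPT (4 references)
0 0 ACCEPT all -- any br-lan anywhere anywhere /* !fw3 */
"""
def parse(dump):
    """{chain: [rule, ...]}; each rule keeps target, proto, in/out iface, ctstate set and dpt."""
    chains, cur = {}, None
    for f in (line.split() for line in dump.splitlines()):
        if f[:1] == ["Chain"]:
            cur = chains.setdefault(f[1], [])
        elif f and f[0].isdigit():  # rule line: pkts bytes target prot opt in out source destination ...
            ct, dpt = (re.search(p, " ".join(f)) for p in (r"ctstate (\S+)", r"dpt:(\S+)"))
            cur.append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                        "ctstate": set(ct[1].split(",")) if ct else None, "dpt": dpt[1] if dpt else None})
    return chains

def matches(r, pkt):  # pkt keys: proto, in, out, ctstate and optional dpt (service name, as -L prints it)
    return all([r["proto"] in ("all", pkt["proto"]), r["in"] in ("any", pkt["in"]), r["out"] in ("any", pkt["out"]),
                r["ctstate"] is None or pkt["ctstate"] in r["ctstate"], r["dpt"] in (None, pkt.get("dpt"))])

def trace(chains, pkt, chain="FORWARD", path=()):
    """Chains on the path netfilter takes for pkt, ending in the verdict; None if chain falls through."""
    path += (chain,)
    for r in (r for r in chains.get(chain, []) if matches(r, pkt)):  # unknown chain == empty chain
        if r["target"] == "RETURN":
            return None
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return path + (r["target"],)
        if (sub := trace(chains, pkt, r["target"], path)):
            return sub
    return None
```

A None result from the top-level FORWARD call means the packet fell off the end of the chain and the chain policy applies, DROP in this dump.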
Yes, but better not.
Not exactly, it's similar to interface policies.
Forwarding is an implementation of zone-to-zone permissive traversal policy.
In addition, LuCI displays and manages forwardings and rules differently.
iptables-save
ip6tables-save
@hnyman @vgaetera That makes sense, things are clear for me now. Thanks for your answers.
system
Closed
April 21, 2021, 11:16am
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.