How can I prevent SSH access from the WAN on OpenWrt despite firewall rules?

Hello everyone,

I'm having an issue with my OpenWrt router where my SSH service is still accessible from the WAN on port 66 despite having configured my firewall rules to block it. I'm hoping someone can help me troubleshoot this issue.

Here are the firewall rules I have set up:

# Reviewer notes are '#' lines, which the UCI parser ignores; the stanzas
# themselves are reproduced unchanged.
#
# Stock values. The defaults only govern traffic that matches no zone, so the
# per-zone policies below are what actually decide what is reachable.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# input 'ACCEPT' lets every DMZ host connect to any service the router itself
# listens on. A DMZ zone is usually given input 'REJECT' plus explicit rules
# for the few router services it needs (DNS, DHCP).
config zone
        option name 'DMZ'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'DMZ'

# This is why dropbear on port 66 answers from the WAN: connections to the
# router itself are decided by the zone's input policy, not by forwardings or
# by the 'REJECT' rule further down. forward 'ACCEPT' likewise lets WAN traffic
# be forwarded into any zone that has a matching forwarding. The stock wan zone
# (quoted later in this thread) uses input 'REJECT' and forward 'REJECT'.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option forward 'ACCEPT'
        list network 'wan'

config forwarding
        option src 'DMZ'
        option dest 'WAN'

# Intended to block SSH on port 66, but it cannot match: src_port is the
# client's source port, which an SSH client picks from the ephemeral range, and
# dest '*' places the rule in the forward chain rather than input (both points
# are made later in the thread). To reject port 66 on the router itself keep
# only src 'WAN', dest_port '66', target 'REJECT'; with the WAN zone on its
# stock input 'REJECT' the rule is not needed at all.
config rule
        option name 'REJECT'
        option src 'WAN'
        option src_port '66'
        option dest '*'
        option dest_port '66'
        option target 'REJECT'

# src '*' to WAN with proto 'all' accepts forwarded traffic from every zone
# towards the WAN, duplicating the explicit '<zone> -> WAN' forwardings below.
config rule
        option name 'ALL'
        option dest 'WAN'
        option target 'ACCEPT'
        option src '*'
        list proto 'all'

config forwarding
        option src 'HOME'
        option dest 'WAN'

# A forwarding whose src is 'WAN' lets anything arriving on the WAN interface
# be forwarded into the zone without a matching redirect. The same pattern is
# repeated for WAN -> DMZ, WAN -> GUEST and WAN -> IoT further down. In a stock
# configuration the only inbound paths are the explicit 'config redirect'
# entries; these four forwardings should be removed.
config forwarding
        option src 'WAN'
        option dest 'HOME'

# src_port '80' makes this rule dead: a browser connecting to port 80 uses an
# ephemeral source port. The DNAT redirect for the same service below already
# accepts the traffic it rewrites, so the rule is also redundant.
config rule
        option src 'WAN'
        option target 'ACCEPT'
        option name '80 EXT'
        list proto 'tcp'
        option src_port '80'
        option dest 'DMZ'
        list dest_ip '10.0.0.5'
        option dest_port '80'

# DMZ -> HOME forwarding (and the HOME -> DMZ one below) allows all traffic in
# both directions, so a compromised DMZ host can reach the HOME network freely.
# A DMZ normally may not initiate connections into the trusted side.
config forwarding
        option src 'DMZ'
        option dest 'HOME'

config zone
        option name 'HOME'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'HOME'

# No 'list proto' here, so the redirect applies to the firewall's default
# protocol set (tcp and udp, as far as I recall). Add list proto 'tcp' unless
# the reverse proxy also serves UDP (e.g. HTTP/3).
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'REVERSE PROXY'
        option src 'WAN'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '10.0.0.5'

# Disabled (enabled '0'). Note that the 'SSH' redirect below also claims WAN
# dport 80; only one of the two can be enabled at a time.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'REVERSE PROXY 80'
        option src 'WAN'
        option src_dport '80'
        option dest_port '80'
        list proto 'tcp'
        option dest_ip '10.0.0.5'
        option enabled '0'

# This zone is the well-built one: input 'REJECT' with only the DNS and DHCP
# rules below opened towards the router.
config zone
        option name 'GUEST'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Guest'

config forwarding
        option src 'GUEST'
        option dest 'WAN'

config rule
        option name 'GUEST DNS'
        option src 'GUEST'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'GUEST DHCP'
        list proto 'udp'
        option src 'GUEST'
        option dest_port '67-68'
        option target 'ACCEPT'

# Exposes 10.0.0.2:32400 on WAN for tcp and udp.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'PLEX'
        option src 'WAN'
        option src_dport '32400'
        option dest_ip '10.0.0.2'
        option dest_port '32400'
        list proto 'tcp'
        list proto 'udp'

# The name 'ALL_DMZ' is reused by another rule below (and 'ALL_IOT' twice);
# duplicate names make rule comments in the generated ruleset ambiguous.
config rule
        option name 'ALL_DMZ'
        option target 'ACCEPT'
        option src 'IoT'
        option dest 'DMZ'

# Would publish the router's own web UI (10.0.0.254:80) on WAN port 666.
# Currently disabled; prefer deleting it rather than keeping it switchable.
config redirect
        option target 'DNAT'
        option name 'OPENWRT'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '666'
        option dest_ip '10.0.0.254'
        option dest_port '80'
        option enabled '0'

# input 'ACCEPT' and forward 'ACCEPT' for IoT, combined with the WAN -> IoT
# forwarding and the 'ALL_IOT' accept rule below, make the IoT zone reachable
# from the WAN side and from every other zone.
config zone
        option name 'IoT'
        option output 'ACCEPT'
        list network 'IoT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'DMZ'
        option dest 'IoT'

config forwarding
        option src 'HOME'
        option dest 'DMZ'

config forwarding
        option src 'IoT'
        option dest 'DMZ'

# See the note on the WAN -> HOME forwarding: these three open the zones to
# any WAN-originated traffic.
config forwarding
        option src 'WAN'
        option dest 'DMZ'

config forwarding
        option src 'WAN'
        option dest 'GUEST'

config forwarding
        option src 'WAN'
        option dest 'IoT'

# IoT -> HOME and HOME -> IoT both ways: IoT devices can initiate into HOME.
config forwarding
        option src 'IoT'
        option dest 'HOME'

config forwarding
        option src 'HOME'
        option dest 'IoT'

config rule
        option name 'ALL_DMZ'
        option src 'DMZ'
        option dest 'IoT'
        option target 'ACCEPT'

# Accepts all forwarded WAN -> IoT traffic; together with the forwarding above
# the IoT network has no inbound filtering at all.
config rule
        option name 'ALL_IOT'
        option src 'WAN'
        option dest 'IoT'
        option target 'ACCEPT'

config rule
        option name 'ALL_IOT'
        option src 'IoT'
        option dest 'WAN'
        option target 'ACCEPT'

# Disabled port-forward: WAN tcp/80 from the single source 193.49.190.200 is
# rewritten to 10.0.0.9:66. This is a DNAT into the DMZ and is independent of
# dropbear on the router; the zone input policy does not apply to it.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'SSH'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '80'
        option dest_ip '10.0.0.9'
        option dest_port '66'
        option src_ip '193.49.190.200'
        option enabled '0'

config forwarding
        option src 'IoT'
        option dest 'WAN'

# Unnamed; redundant with the DMZ -> HOME forwarding above.
config rule
        option src 'DMZ'
        option dest 'HOME'
        option target 'ACCEPT'

# Redundant with the HOME -> DMZ forwarding above.
config rule
        option name 'TEST'
        option src 'HOME'
        option dest 'DMZ'
        option target 'ACCEPT'

# As noted at the end of the thread, link-local multicast (224.0.0.251) is not
# forwarded between zones, so this rule has no effect; the 224.0.0.0/4 rules
# below share the problem.
config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src 'HOME'
        option src_port '5353'
        option dest 'DMZ'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

# /etc/firewall.user is loaded as well. Its contents are not shown in this
# thread and can add arbitrary rules outside this file, so it must be reviewed
# alongside this config. fw4_compatible '1' is what makes fw4 still run it.
config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

config rule
        list proto 'udp'
        option src 'IoT'
        option src_port '5353'
        list dest_ip '224.0.0.0/4'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src 'DMZ'
        list dest_ip '224.0.0.0/4'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src 'HOME'
        list dest_ip '224.0.0.0/4'
        option target 'ACCEPT'

# Same src_port problem as '80 EXT': never matches real clients, and the
# 'REVERSE PROXY' redirect already accepts the traffic it rewrites.
config rule
        option name '443 EXT'
        list proto 'tcp'
        option src 'WAN'
        option src_port '443'
        option dest 'DMZ'
        list dest_ip '10.0.0.5'
        option dest_port '443'
        option target 'ACCEPT'

I'm not sure what I'm missing here, so any suggestions or guidance would be greatly appreciated. Thank you in advance!

ssh doesn't use port 66.
all non-essential incoming traffic is blocked by default; you're patching holes that don't/shouldn't exist.

port scanning your WAN IP from your LAN will generate false positives, don't do it.


I have changed the ssh port (dropbear) to port 66. I am currently testing it from my workplace and I am able to connect.

then you've created a rule enabling it; this is not the default.
your firewall looks like swiss cheese anyway.


I would revert the config, you punched way too many holes in there.

  • Why did you change the defaults for wan to ACCEPT?
  • Your port 66 rule has a src port set - this can't work.

I repeat: I would revert it to defaults and then open the needed ports, one-by-one.


Yes, I had to leave many bad rules in place to keep services working while I configured everything. How can I set the WAN zone's default to REJECT? 'Your port 66 rule has a src port set - this can't work.' What should I do here?

from the wan side ?

set it to any.

the default wan zone is:

# Stock OpenWrt wan zone: unsolicited input to the router and forwarding from
# wan are rejected, so only explicit rules and redirects open anything inbound.
# masq enables NAT for outbound traffic; mtu_fix enables TCP MSS clamping.
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1


One more reason to revert to the safe defaults ...

Like that :

# src_port removed as suggested. dest '*' is still set, so this matches
# forwarded traffic rather than connections to the router itself; the later
# reply in the thread points out that dest has to be dropped for that.
config rule
        option name 'REJECT'
        option src 'WAN'
        option dest '*'
        option dest_port '66'
        option target 'REJECT'

Do I need to change :

# Current WAN zone: input and forward both ACCEPT, which is what exposes the
# router's own services (dropbear on 66 included) to the WAN.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option forward 'ACCEPT'
        list network 'wan'

to :

# Proposed WAN zone with the stock policies. With input 'REJECT' unsolicited
# WAN connections to the router are rejected without any extra rule, and with
# forward 'REJECT' only explicit forwardings, rules and redirects admit
# traffic into the other zones.
config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option forward 'REJECT'
        list network 'wan'

?

looks OK
if you apply that zone change, the port 66 rule becomes obsolete.


Should I set the same rules for all interfaces and then create custom rules to allow incoming traffic?

depends on your use case ...

you'll have to be more specific.

Okay, now I'm going to configure my firewall properly. Do you use IPS at home?

IPS as in .... IP addresses ?

This rule applies to forwarded packets. To apply it to packets addressed to OpenWrt itself (the input chain), remove `option dest '*'`.
Start with the default firewall configuration. It is adequately secure. Then you can open the ports you need to do your work.


Ok now I have :

# Reviewer notes are '#' lines, which the UCI parser ignores; the stanzas
# themselves are reproduced unchanged.
#
# output 'REJECT' is not the stock value (stock: ACCEPT). As far as I can tell
# the defaults only apply to interfaces that belong to no zone, and every zone
# here sets its own output policy, so the practical effect is limited — but
# there is no reason to deviate from stock here.
config defaults
        option forward 'REJECT'
        option synflood_protect '1'
        option input 'REJECT'
        option output 'REJECT'

# input 'ACCEPT' still lets every DMZ host reach all services on the router.
config zone
        option name 'DMZ'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'DMZ'

# Now on the stock policies; this alone closes dropbear on 66 from the WAN.
config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option forward 'REJECT'
        list network 'wan'

config forwarding
        option src 'DMZ'
        option dest 'WAN'

config forwarding
        option src 'HOME'
        option dest 'WAN'

# Still present: a forwarding with src 'WAN' admits any WAN-originated traffic
# into HOME regardless of the zone's forward 'REJECT'. The same applies to the
# WAN -> DMZ, WAN -> GUEST and WAN -> IoT forwardings further down. Remove all
# four; the DNAT redirects are what should publish services.
config forwarding
        option src 'WAN'
        option dest 'HOME'

# src_port '443' means this only matches clients whose source port is 443,
# which real clients never use, so the rule is dead; the HTTPS redirect below
# already accepts the traffic it rewrites, so it is redundant as well.
config rule
        list proto 'tcp'
        option src 'WAN'
        option src_port '443'
        option dest 'DMZ'
        list dest_ip '10.0.0.5'
        option dest_port '443'
        option target 'ACCEPT'
        option name 'HTTPS WAN/DMZ'

# Same src_port problem as 'HTTPS WAN/DMZ'.
config rule
        option src 'WAN'
        option target 'ACCEPT'
        list proto 'tcp'
        option src_port '80'
        option dest 'DMZ'
        list dest_ip '10.0.0.5'
        option dest_port '80'
        option name 'HTTP WAN/DMZ'

# DMZ -> HOME plus HOME -> DMZ (below) forward everything in both directions,
# as the last reply in the thread notes. Every per-port HOME/DMZ rule further
# down (ZABBIX, RSYSLOG, SAMBA, SSH PC/OFA) is therefore redundant; to make
# those rules meaningful these two forwardings have to go.
config forwarding
        option src 'DMZ'
        option dest 'HOME'

config zone
        option name 'HOME'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'HOME'

# Publishes 10.0.0.5:443 on WAN, now limited to tcp.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option src 'WAN'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '10.0.0.5'
        list proto 'tcp'
        option name 'HTTPS REVERSE-PROXY'

# Disabled. It shares WAN dport 80 with the now-enabled 'SSH' redirect below;
# enabling both would make the two compete for the same port.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option src 'WAN'
        option src_dport '80'
        option dest_port '80'
        list proto 'tcp'
        option dest_ip '10.0.0.5'
        option enabled '0'
        option name 'HTTP REVERSE-PROXY'

# The guest-specific DNS/DHCP rules from the earlier listing are gone; guest
# clients now depend on the generic 'DNS' and 'DHCP' rules near the end, and
# the 'DNS' one cannot match their queries (see the note there).
config zone
        option name 'GUEST'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Guest'

config forwarding
        option src 'GUEST'
        option dest 'WAN'

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'PLEX'
        option src 'WAN'
        option src_dport '32400'
        option dest_ip '10.0.0.2'
        option dest_port '32400'
        list proto 'tcp'
        list proto 'udp'

# output 'REJECT' governs traffic the router itself sends into IoT. NOTE(review):
# this looks like it would block router-originated packets such as DHCP offers
# to IoT clients — confirm DHCP/DNS still work there; input 'ACCEPT' meanwhile
# leaves all router services open to IoT devices.
config zone
        option name 'IoT'
        list network 'IoT'
        option input 'ACCEPT'
        option output 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'DMZ'
        option dest 'IoT'

config forwarding
        option src 'HOME'
        option dest 'DMZ'

config forwarding
        option src 'IoT'
        option dest 'DMZ'

# See the note on the WAN -> HOME forwarding.
config forwarding
        option src 'WAN'
        option dest 'DMZ'

config forwarding
        option src 'WAN'
        option dest 'GUEST'

config forwarding
        option src 'WAN'
        option dest 'IoT'

# IoT -> HOME and HOME -> IoT both ways: IoT devices can initiate into HOME,
# which defeats the point of a separate IoT zone.
config forwarding
        option src 'IoT'
        option dest 'HOME'

config forwarding
        option src 'HOME'
        option dest 'IoT'

# Now ENABLED (the earlier listing had enabled '0'): WAN tcp/80 from
# 193.49.190.200 only is rewritten to 10.0.0.9:66. The src_ip match is the only
# control on this path, so it relies on that address staying fixed; keep it
# disabled when not in use.
config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'SSH'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '80'
        option dest_ip '10.0.0.9'
        option dest_port '66'
        option src_ip '193.49.190.200'

config forwarding
        option src 'IoT'
        option dest 'WAN'

# Has no effect: link-local multicast (224.0.0.251) is not forwarded between
# zones, as the last reply in the thread notes.
config rule
        list proto 'udp'
        option src 'HOME'
        option src_port '5353'
        option dest 'DMZ'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'
        option name 'mDNS'

# /etc/firewall.user is loaded as well; its contents are not shown here and
# must be reviewed with this file.
config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

config rule
        list proto 'udp'
        option src 'IoT'
        option src_port '5353'
        list dest_ip '224.0.0.0/4'
        option dest_port '5353'
        option target 'ACCEPT'
        option name 'MULTICAST IOT'

config rule
        list proto 'udp'
        option src 'DMZ'
        list dest_ip '224.0.0.0/4'
        option target 'ACCEPT'
        option name 'MULTICAST DMZ'

config rule
        list proto 'udp'
        option src 'HOME'
        list dest_ip '224.0.0.0/4'
        option target 'ACCEPT'
        option name 'MULTICAST HOME'

# Dead (src_port '80') and redundant: the HOME -> WAN forwarding above already
# allows all HOME traffic out. Same for 'HTTPS HOME'.
config rule
        option name 'HTTP HOME'
        list proto 'tcp'
        option src 'HOME'
        option src_port '80'
        option dest 'WAN'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'HTTPS HOME'
        list proto 'tcp'
        option src 'HOME'
        option src_port '443'
        option dest 'WAN'
        option dest_port '443'
        option target 'ACCEPT'

# Two problems. No dest means this is an input rule for the router's own DNS,
# and src '*' includes WAN, so it opens the resolver to the Internet for any
# packet sent from source port 53 (trivial for a sender to choose). Meanwhile
# your own clients query from ephemeral ports, so src_port '53' stops the rule
# matching them. Drop src_port and list only the internal zones as src.
config rule
        option name 'DNS'
        list proto 'udp'
        option src_port '53'
        option dest_port '53'
        option target 'ACCEPT'
        option src '*'

# src '*' includes WAN here too; DHCP should only be accepted from the internal
# zones. (The src_port range does match DHCP clients, which send from 68.)
config rule
        option name 'DHCP'
        list proto 'udp'
        option src '*'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

# src_port '10050' makes this dead, and the HOME <-> DMZ forwardings make it
# redundant anyway. The name 'ZABBIX' is reused by the last rule in the file.
config rule
        option name 'ZABBIX'
        list proto 'tcp'
        option src 'HOME'
        option src_port '10050'
        list dest_ip '10.0.0.8'
        option dest_port '10050'
        option target 'ACCEPT'
        option dest 'DMZ'

# No proto given, so the firewall's default protocol set applies — confirm it
# covers the transport rsyslog is configured for. src_port '514' is dead here
# as well.
config rule
        option name 'RSYSLOG'
        option src 'HOME'
        option src_port '514'
        option dest 'DMZ'
        list dest_ip '10.0.0.10'
        option dest_port '514'
        option target 'ACCEPT'

# src_port '445' is dead; redundant given the HOME -> DMZ forwarding.
config rule
        option name 'SAMBA'
        list proto 'tcp'
        option src 'HOME'
        option src_port '445'
        option dest 'DMZ'
        list dest_ip '10.0.0.2'
        option dest_port '445'
        option target 'ACCEPT'

# Allows every port and protocol from IoT to 10.0.0.3; redundant given the
# IoT -> DMZ forwarding. Add proto and dest_port once that forwarding is gone.
config rule
        option name 'ALLOW IOT/HA'
        option src 'IoT'
        option dest 'DMZ'
        list dest_ip '10.0.0.3'
        option target 'ACCEPT'

# The src_ip list is the intended restriction and is fine; src_port '66' is
# not (clients use ephemeral ports) and stops the rule matching. Redundant
# while the HOME -> DMZ forwarding exists.
config rule
        list proto 'tcp'
        option src 'HOME'
        list src_ip '10.0.1.1'
        list src_ip '10.0.1.200'
        option src_port '66'
        option dest 'DMZ'
        list dest_ip '10.0.0.9'
        option dest_port '66'
        option target 'ACCEPT'
        option name 'SSH PC/OFA'

# Duplicate name 'ZABBIX'; src_port '10050' dead; redundant given the
# DMZ -> HOME forwarding.
config rule
        option name 'ZABBIX'
        list proto 'tcp'
        option src 'DMZ'
        list src_ip '10.0.0.8'
        option src_port '10050'
        option dest 'HOME'
        option dest_port '10050'
        option target 'ACCEPT'

My zone :

What do I need to do to reject everything except what my traffic rules allow?

I told you to start fresh, @trendy told you to start fresh. Obviously, you ignored that and ended up with an equally confusing (bad?) configuration.

Let's start step by step and with the basics:

  • What is your goal?
  • Why are there so many zones? Are they really needed?
  • Which zone should have access to what?
  • Which ports do you want to open/forward and to which target?

Then, start with a fresh configuration involving only lan and wan. Add your first zone, e.g. DMZ, and get it working. Then add the next zone and so on.


I started from scratch; all my rules have been redone, and each required service is identified in the traffic rules. I am trying to understand the difference between "zones" and "traffic rules". For example, between DMZ and HOME I only allowed 2 ports in the rules — should I put "accept" or "reject" in the zone section? This is the part that I don't understand.

Do a web search for "Zone-based Firewall" and read some basics about firewall concepts.
Since you are - again - ignoring important questions (i.e. What is DMZ? What is HOME? What do you want to do?), I'm out.


Zones and traffic rules

You have created bidirectional forwardings between HOME and DMZ, so all traffic is allowed between those two zones.
The mDNS rule you have will not work, as link-local multicast does not leave its broadcast domain.
