How to check the firewall rule really works

How do you test and make sure the firewall rules are really working on your OpenWrt router, so that your home network is completely secured?
I have the rules below for my router:
[screenshot of firewall rules]

That is "The $64,000 Question" and there is a complete art around that.

First thing to realize is that your home network will never be "completely secured". All you can do is get to a point of reasonable balance between time to make it more secure and time / likelihood that someone cracks it.

Basically, you have to test it. Learning to use tcpdump and wireshark is the first step for many. They let you visually "see" if there is unexpected traffic on your net, either from outside or inside (IoT devices, "helpful" devices that open up ports, ...).

Past that, there are IDS (Intrusion Detection Systems) of varying complexity and ease of use. Most are well beyond what all-in-one routers can handle. You'd likely need a switch with monitoring capabilities and an x86-class machine to run something like snort.

The next step is probing the network with various kinds of packets. scapy is one tool used for this. nmap is another. They do different things. There are all kinds of valid and invalid packets designed to circumvent firewalls that "mere mortals" can't write iptables-style firewall rules to reject, and some that even "the gods" of iptables can't reject.

Bottom line for most home users, in my opinion?

  • Change the password to something very secure
  • Disable uPnP
  • Run a firewall
  • Don't run anything except critical services on your router (since, when compromised, your firewall is toast)
  • Use SSH port forwarding when possible for outside access; create and use a non-root account for this (or, even better, terminate the SSH session on a "hardened" host "inside")
  • Only open specific ports to specific hosts when:
    • There's a very good reason to do so
    • You've already locked down that host, as it is subject to compromise now
  • If you think you need to open more than one or two ports total, reevaluate all and why
  • Occasionally run wireshark (especially after getting new devices or new apps) to see what is going on with your network
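The probing step above (nmap from outside, then compare against what you intended to open) is the one most people skip. Below is an added example, not code from the post or from OpenWrt: a small POSIX shell script that reads nmap's grepable output (`-oG`) from a scan of your public address and reports both ports that are open but not on your allowlist (UPnP, a forgotten redirect, a rule that is wider than you think) and allowlisted ports that the scan did not find open (the forward you rely on is not actually working). The nmap command in the comments is real; the file names, the allowlist contents and the sample scan line embedded for the no-argument demo are constructed (RFC 5737 documentation addresses).

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Verify from OUTSIDE your network that only the ports you meant to expose
# on the router's WAN side are actually open. Scan from a VPS or phone hotspot:
#
#   nmap -Pn -sS -sU -p- -oG wan.gnmap <your-public-ip>    # grepable output
#
# then:  sh check_wan_ports.sh wan.gnmap expected-ports.txt
# where expected-ports.txt holds one "port/proto" per line (e.g. "22/tcp").
# Without arguments the script runs on a small constructed sample.

# Print "port/proto" for every entry nmap marked open, one per line, sorted.
# Grepable line: Host: <ip> ()<TAB>Ports: 22/open/tcp//ssh///, ...<TAB>Ignored State: ...
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), ent, /, */)   # entries after "Ports: "
                for (j = 1; j <= n; j++) {
                    split(ent[j], f, "/")               # port/state/proto/owner/service/...
                    if (f[2] == "open") print f[1] "/" f[3]
                }
            }
        }' "$1" | sort -u
}

# Ports open on the WAN that are NOT in the allowlist: a rule is wider than
# intended or something (UPnP, a new service) opened a hole. Exit 1 if any.
unexpected_ports() {
    open_ports "$1" | awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) if (l != "") ok[l] = 1 }
        !($0 in ok) { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Allowlisted ports the scan did NOT see open: the redirect/rule you rely on
# is not working, or an upstream filter is in the way. Exit 1 if any.
missing_ports() {
    open_ports "$1" | awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) if (l != "") want[l] = 1 }
        { delete want[$0] }
        END {
            n = 0
            for (p in want) { print p; n++ }
            exit n ? 1 : 0
        }'
}

# Full report; exit 0 only when the scan matches the allowlist exactly.
check_wan_ports() {
    rc=0
    echo "Open on WAN:"; open_ports "$1" | sed 's/^/  /'
    u=$(unexpected_ports "$1" "$2") || rc=1
    m=$(missing_ports "$1" "$2")    || rc=1
    echo "Unexpected open ports (close them or fix the rule): ${u:-none}"
    echo "Expected but not open (forward/rule not working?): ${m:-none}"
    return $rc
}

if [ $# -eq 2 ]; then
    check_wan_ports "$1" "$2"
else
    # Constructed sample: 22 and 443 were meant to be reachable, but the scan
    # also found 8080/tcp and 53/udp open, and 443/tcp never answered.
    tmp=$(mktemp -d)
    printf 'Host: 203.0.113.10 ()\tStatus: Up\n' > "$tmp/wan.gnmap"
    printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 8080/open/tcp//http-proxy///, 53/open/udp//domain///\tIgnored State: filtered (65531)\n' >> "$tmp/wan.gnmap"
    printf '22/tcp\n443/tcp\n' > "$tmp/expected.txt"
    check_wan_ports "$tmp/wan.gnmap" "$tmp/expected.txt"
    rm -r "$tmp"
fi
```

Run the scan from a host that is genuinely outside (a cheap VPS or a phone hotspot); scanning your own WAN address from the LAN hits the router's NAT loopback path, not the WAN input chain, and tells you nothing about the rules being discussed. A UDP scan of all ports is slow and will report many ports as open|filtered rather than open; the script deliberately counts only entries nmap calls `open`, so re-run the UDP part with a narrower `-p` list for the services you care about.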

The screenshot attached, is that ok as far as basic recommended configuration?

On the guest network, you need to accept input overall or make rule(s) allowing the guests to make requests of the router's DHCP and DNS servers.
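The point above bites a lot of guest-network setups: a zone with input REJECT is exactly what you want for isolation, but without two exceptions the guests never get a DHCP lease or a DNS answer from the router. As an added example, not code from the thread or from OpenWrt, here is a POSIX shell/awk lint that reads an `/etc/config/firewall` file and checks that the named zone either accepts input outright or has ACCEPT rules from it to the router (rules with `src` set and no `dest`) covering DNS (53) and DHCP (udp 67). The zone name `guest` and the rule names `Allow-DNS-Guest` / `Allow-DHCP-Guest` in the embedded sample are assumptions in the style of OpenWrt's guest-Wi-Fi documentation, not something taken from the screenshot; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Check that a guest zone whose input policy is REJECT/DROP still has ACCEPT
# rules letting guests reach the router's own DNS (53) and DHCP (udp 67).
# Usage on the router:  sh lint_guest_zone.sh /etc/config/firewall guest
# Without arguments it runs on two constructed sample configs.

lint_guest_zone() {
    # $1 = UCI firewall config file, $2 = zone name. Exit 0 if the zone is fine.
    awk -v zone="$2" -v q="'" '
        function flush() {   # evaluate the section that just ended
            if (type == "zone" && opt["name"] == zone) { seen = 1; zin = opt["input"] }
            # src=zone, no dest, target ACCEPT, not disabled: traffic TO the router (input chain)
            if (type == "rule" && opt["src"] == zone && opt["dest"] == "" &&
                opt["target"] == "ACCEPT" && opt["enabled"] != "0") {
                udp_ok = (opt["proto"] == "" || opt["proto"] ~ /udp|all/)
                if (opt["dest_port"] == "") { dns = 1; if (udp_ok) dhcp = 1 }   # no port = all ports
                n = split(opt["dest_port"], p, /[ \t]+/)
                for (i = 1; i <= n; i++) {
                    lo = hi = p[i]                                     # single port or lo-hi range
                    if (index(p[i], "-")) { split(p[i], r, "-"); lo = r[1]; hi = r[2] }
                    if (lo + 0 <= 53 && 53 <= hi + 0) dns = 1
                    if (lo + 0 <= 67 && 67 <= hi + 0 && udp_ok) dhcp = 1
                }
            }
            type = ""
            split("", opt)                                             # clear the array
        }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" {
            v = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)     # keep the value only
            gsub("^[" q "\"]|[" q "\"]$", "", v)               # strip surrounding quotes
            opt[$2] = v
        }
        END {
            flush()
            if (!seen) { print "zone " zone ": not defined"; exit 1 }
            if (zin == "ACCEPT") { print "zone " zone ": input ACCEPT (guests reach every router service)"; exit 0 }
            if (zin == "") zin = "(default)"
            bad = 0
            if (!dns)  { print "zone " zone ": input " zin " and no ACCEPT rule for DNS (53) to the router"; bad = 1 }
            if (!dhcp) { print "zone " zone ": input " zin " and no ACCEPT rule for DHCP (udp 67) to the router"; bad = 1 }
            if (!bad)  print "zone " zone ": OK, DNS and DHCP rules to the router are present"
            exit bad
        }' "$1"
}

if [ $# -ge 1 ]; then
    lint_guest_zone "$1" "${2:-guest}"
else
    tmp=$(mktemp -d)
    # Constructed sample 1: the usual mistake. Guests are isolated from the
    # router (input REJECT) with no exceptions, so they never get a lease.
    cat > "$tmp/broken" <<'EOF'
config zone
    option name 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'guest'

config forwarding
    option src 'guest'
    option dest 'wan'
EOF
    # Constructed sample 2: the same zone plus the two rules that fix it.
    { cat "$tmp/broken"; cat <<'EOF'

config rule
    option name 'Allow-DNS-Guest'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCP-Guest'
    option src 'guest'
    option dest_port '67'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
EOF
    } > "$tmp/fixed"
    lint_guest_zone "$tmp/broken" guest
    lint_guest_zone "$tmp/fixed" guest
    rm -r "$tmp"
fi
```

The two narrow rules are preferable to setting the guest zone's input to ACCEPT: with ACCEPT, guests can also reach the router's SSH and LuCI listeners, which is exactly what the isolation was meant to prevent. The lint only checks the firewall file; after changing it, confirm on a guest client that it actually receives a lease and resolves names, which is the "test it" advice from the earlier reply applied to this one rule.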

Jeff wrote a very comprehensive answer, though highlighting the use of your firewall's logging cannot be understated.

I thought I understood my computer... then I checked the logs.
