I want to block a port from wan access, but enabled on lan, is this the correct rule?

As the title says, I need to close a port from external (WAN) access but keep it enabled on LAN (otherwise no more SSH access on the router!)
Is this line correct?

```
config rule
	option name 'Allow-SSH'
	option target 'REJECT'
	option src 'wan'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
```

The default setup blocks all unsolicited traffic from the WAN. You don't need an additional rule to block port 22.


If you feel very paranoid, or like writing manual fw rules, you can set dropbear to listen only on the LAN interface.


This doesn't actually do what most people think it does. The listen-on interface is not about allowing/prohibiting access, but rather what addresses the server itself will listen on. That is to say that if your device has:

  • a lan at 192.168.1.1
  • a guest network at 192.168.2.1
  • the listen-on interface set to lan

... the guest network could still have access by simply using the lan address 192.168.1.1. This will work even if inter-subnet traffic is not allowed in the firewall.

Specifically, the rule that governs access from any given network is the input rule. The default firewall configuration has input set to REJECT on the wan zone, and thus does not allow any unsolicited traffic to connect to the router, including ssh. And, in the example of a guest network, it is typical for the guest network to be configured to reject input, so that would prevent the hosts on that network from connecting to the router.

Now, coincidentally, the dropbear listen-on interface can actually affect wan access because of the fact that the lan address is almost certainly in the RFC1918 range, and these are not publicly routable. This means that the traffic from the wan would have to request a connection on an unroutable IP which is not going to work. However, this is a side effect, and it doesn't actually guarantee security.

The correct way to handle this is with the firewall, and that is already correctly implemented in the default configuration.
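The zone `input` policy that this reply describes can be audited straight from `/etc/config/firewall`. The script below is an added example, not code from the thread or from OpenWrt itself; it assumes a POSIX sh with awk, and it treats the zone names given after the config path (e.g. `lan`) as the only ones where `ACCEPT` is expected, so an `ACCEPT` on wan or a guest zone is reported:

```shell
#!/bin/sh
# audit_zone_input CONFIG TRUSTED_ZONE...
# Prints "<zone> <input-policy>" for every zone in an OpenWrt-style firewall
# config and returns 1 if a zone not listed as trusted accepts unsolicited
# input to the router (the path an inbound ssh connection takes).
audit_zone_input() {
    cfg=$1; shift
    trusted=" $* "
    # One "name policy" line per zone; a zone without an 'input' option is
    # reported as UNSET so it can be reviewed against the zone default.
    zones=$(awk -v sq="'" '
        function unq(s) { gsub(sq, "", s); gsub(/"/, "", s); return s }
        function flush() { if (inzone) printf "%s %s\n", name, input }
        $1 == "config" && $2 == "zone" { flush(); inzone = 1; name = ""; input = "UNSET"; next }
        $1 == "config"                 { flush(); inzone = 0; next }
        inzone && $1 == "option" && $2 == "name"  { name = unq($3) }
        inzone && $1 == "option" && $2 == "input" { input = unq($3) }
        END { flush() }
    ' "$cfg")
    rc=0
    while read -r zone policy; do
        [ -n "$zone" ] || continue
        printf '%s %s\n' "$zone" "$policy"
        case "$trusted" in
            *" $zone "*) ;;   # trusted zone: ACCEPT is the expected policy
            *) [ "$policy" = ACCEPT ] && { echo "  -> untrusted zone '$zone' accepts input"; rc=1; } ;;
        esac
    done <<EOF
$zones
EOF
    return $rc
}
```

Run it as `audit_zone_input /etc/config/firewall lan` on the router; a stock configuration prints `wan REJECT` and exits 0.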

