My firewall/security configuration

Hi all, I'm looking for comments/suggestions on my current firewall configuration. Zone-based firewall is a new-ish concept to me, so I'd like to make sure my rules make sense and don't open unnecessary stuff up.

Background - my router grabs a public IPv4 via DHCP from the ISP, hence it's directly exposed to the internet. Security measures I've taken so far besides firewall:

  • Disabled dropbear and switched to OpenSSH. SSH port changed to a higher port number and password authentication disabled. I try to use ed25519 keys whenever possible instead of RSA.
  • Installed BCP38 package
  • Installed BanIP to block known malicious IPs via ipsets
  • Router logs are sent to a server running syslog-ng; logging on all firewall zones was enabled.
  • I've written a quick bash script which looks at the iptables logs from the router, removes private LAN addresses and other stuff like 0.0.0.0, etc. It then builds a master blacklist to be used by ipsets. Maybe it's redundant since those addresses are already blocked. Github Gist link.

It's also worth mentioning that there are two LANs in play. One provided by my ISP's router/gateway, aka 192.168.2.0/24, the other one is 192.168.1.0/24 on a downstream ERX. There's no double-NAT happening since the ERX is directly grabbing a public IP and routes to WAN directly.

The part I'm worried about the most is hosting a WireGuard server on the router. I've had to create a new firewall zone and assign a wireguard interface to it. I'd appreciate it if anyone could take a look and advise whether I messed some options up.

/etc/config/firewall

# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# Do I need to assign a device/network to the zone? e.g. list device 'eth0.1'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'eth0.1'
	option log '1'
	option network 'lan'

# Same question here, is there any need/benefit of adding "list device" entries into the zone?
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'eth0.2'
	list device '@wan'
	list device '@wan6'
	list device '@ROS'
	option log '1'
	option network 'ROS wan wan6'
	option conntrack '1'

# Wireguard zone. I'm a bit hesitant to have forwarding set to 'ACCEPT'.
config zone
	option name 'wg'
	option input 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	list device '@wg0'
	option network 'wg0'
	option forward 'ACCEPT'

# In terms of forwarding, should I treat wireguard zone the same as LAN?
config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Allow the upstream LAN 192.168.2.0/24 access to luci and SSH.
config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'MGMT'
	option proto 'tcp'
	option src_ip '192.168.2.0/24'
	option dest_ip '192.168.1.1'
	option dest_port '80 443 SSH_PORT'

# Allow devices on 192.168.2.0/24 to access the home server on 192.168.1.0/24. The server has its own firewall running that by default blocks all incoming traffic
config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow-To-Home-Server'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.2.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.X'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Drop-WAN-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-Outbound-TFTP'
	option src 'lan'
	option dest 'wan'
	option dest_port '69'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-Syslog'
	option src 'lan'
	option dest 'wan'
	option dest_port 'SYSLOG_PORT'
	option proto 'tcp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SNMP'
	option src 'lan'
	option dest 'wan'
	option dest_port '161 162'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SMB'
	option src 'lan'
	option dest 'wan'
	option dest_port '135 137 138 139 445'
	option target 'REJECT'
	option proto 'tcp udp'

config include
	option path '/etc/firewall.user'

# Basically permit all TCP+UDP to the home server from the private WireGuard subnet. Since the server has its own firewall running, I've chosen not to filter anything on the router itself.
config rule
	option target 'ACCEPT'
	option src 'wg'
	option name 'Allow-WireGuard-hosts-to-HomeServer'
	option dest 'lan'
	option dest_ip '192.168.1.x'
	option proto 'tcp udp'
	option src_ip '172.x.x.0/28'

config forwarding
	option dest 'wg'
	option src 'lan'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

/etc/firewall.user

# I've used iptables instead of uci to allow WAN access to the wireguard port. Not sure if this was the best way to implement this.

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport WIREGUARD_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.x.x.0/28 -o eth0.2 -j MASQUERADE

Any critique, questions and suggestions will be very appreciated!
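The log-to-ipset script mentioned in the post is only linked, not shown. What follows is an added example written for this page, not the poster's gist: the same idea in Python, assuming the zone-log prefix fw3 writes when zone logging is on ("<TARGET> <zone> <chain>: ..." followed by the kernel's SRC=/DST= fields) survives the trip to syslog-ng unchanged. The log lines are constructed for the example (documentation address ranges), not real captures. Two things the post's description does not mention are added because a practitioner will want them: a hit threshold so one stray packet does not earn a permanent entry, and a trusted-network list for addresses that must never be blocked, on top of the RFC1918/bogon filtering the post describes.

```python
from __future__ import annotations
import ipaddress
import re
from collections import Counter

# Constructed sample shaped like fw3 zone-log lines ("<TARGET> <zone> <chain>: ...")
# as forwarded to syslog-ng. Not real captures; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 12:00:01 erx kernel: REJECT wan in: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=22
Mar 10 12:00:02 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23
Mar 10 12:00:03 erx kernel: DROP wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=5060 DPT=5060
Mar 10 12:00:04 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=198.51.100.23 DST=198.51.100.7 PROTO=TCP SPT=1234 DPT=3389
Mar 10 12:00:05 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=192.168.2.10 DST=192.168.2.20 PROTO=TCP SPT=5555 DPT=445
Mar 10 12:00:06 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=192.168.2.10 DST=192.168.2.20 PROTO=TCP SPT=5556 DPT=445
Mar 10 12:00:07 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
Mar 10 12:00:08 erx kernel: REJECT lan forward: IN=eth0.1 OUT=eth0.2 SRC=192.168.1.50 DST=203.0.113.77 PROTO=UDP SPT=4444 DPT=69
Mar 10 12:00:09 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=2001:db8:1::9 DST=2001:db8:2::1 PROTO=TCP SPT=5000 DPT=22
Mar 10 12:00:10 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=2001:db8:1::9 DST=2001:db8:2::1 PROTO=TCP SPT=5001 DPT=22
Mar 10 12:00:11 erx kernel: REJECT wan in: IN=eth0.2 OUT= SRC=fe80::1 DST=ff02::1 PROTO=ICMPv6
Mar 10 12:00:12 erx dropbear[123]: unrelated line without a firewall prefix
"""

# fw3 log prefix plus the kernel's SRC= field. Assumption: adjust if your syslog-ng
# template rewrites the message body.
LOG_RE = re.compile(
    r"\b(?P<target>DROP|REJECT) (?P<zone>\w+) (?P<chain>in|forward|out): "
    r".*?\bSRC=(?P<src>[0-9A-Fa-f.:]+)"
)

# Never blocklist these: RFC1918/ULA, CGNAT, loopback, link-local, unspecified,
# multicast, reserved/broadcast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_bogon(ip) -> bool:
    return any(ip in net for net in BOGONS if net.version == ip.version)

def parse_hits(log_text: str, zone: str = "wan") -> Counter:
    """Count DROP/REJECT log lines per source address for one firewall zone."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("zone") != zone:
            continue
        try:
            hits[ipaddress.ip_address(m.group("src"))] += 1
        except ValueError:  # malformed SRC field, skip the line
            continue
    return hits

def build_blocklist(log_text: str, min_hits: int = 2, trusted=()) -> list[str]:
    """Sources seen >= min_hits times that are neither bogons nor inside a trusted network."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    keep = [
        ip for ip, n in parse_hits(log_text).items()
        if n >= min_hits and not is_bogon(ip)
        and not any(ip in t for t in trusted_nets if t.version == ip.version)
    ]
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, int(ip)))]

def to_ipset_restore(ips, name: str = "blocklist") -> str:
    """Render input for 'ipset restore'; IPv4 and IPv6 need separate sets."""
    lines = [f"create {name}4 hash:ip family inet -exist",
             f"create {name}6 hash:ip family inet6 -exist"]
    for ip in ips:
        lines.append(f"add {name}{ipaddress.ip_address(ip).version} {ip} -exist")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ipset_restore(build_blocklist(SAMPLE_LOG)), end="")
```

Feed it the syslog-ng file instead of SAMPLE_LOG, write the output to a file and load it on the router with `ipset restore < file`; the sets can then be referenced from an iptables `-m set --match-set blocklist4 src -j DROP` rule or from BanIP. Before relying on it, compare the result against what BanIP already loads (`ipset list`): a source that is already in a BanIP set is exactly the redundancy the post suspects.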

Redundant.

Most likely redundant.

No need on the server side.

Redundant, see:

iptables-save | grep -e RELATED -e MASQUERADE

Redundant, because this is managed by the zone forward policy.

Replace with a native input rule.

This doesn't look safe, so better remove it and allow management via the VPN.

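The review above goes through the posted config by hand. As an added example written for this page (not code from either poster or from OpenWrt), here is a small linter that parses the UCI firewall syntax and mechanically catches the kind of things that came up: a forwarding section whose `src` is misspelled (`scr`, as in the posted config) and therefore names no source zone, references to zones that are not defined, an ACCEPT rule from wan with neither a `src_ip` nor a `dest_port` restriction, a prefix in `dest_ip` on an input rule (where dest_ip matches the router's own address), and zones with `forward 'ACCEPT'`, the setting that already covers traffic between interfaces in the same zone and makes a hand-written `-i wg0 -o wg0` iptables rule unnecessary. The sample config is constructed to resemble the posted one; the port 2222 and the "Too-Broad" rule are invented for the demonstration, and the set of recognised forwarding options is the documented fw3 set.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass, field

# Constructed sample modelled on the posted /etc/config/firewall (not the real file).
SAMPLE_CONFIG = """\
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'wg'
    option input 'REJECT'
    option forward 'ACCEPT'
    option masq '1'
    list network 'wg0'

config forwarding
    option scr 'wg'   # typo copied from the posted config
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'MGMT'
    option src 'wan'
    option src_ip '192.168.2.0/24'
    option dest_ip '192.168.1.1/24'
    option dest_port '80 443 2222'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option name 'Too-Broad'
    option src 'wan'
    option dest 'lan'
    option proto 'all'
    option target 'ACCEPT'
"""

@dataclass
class Section:
    type: str
    name: str | None = None
    options: dict[str, str] = field(default_factory=dict)
    lists: dict[str, list[str]] = field(default_factory=dict)

def parse_uci(text: str) -> list[Section]:
    """Parse /etc/config syntax: 'config TYPE [NAME]', 'option K V', 'list K V'."""
    sections: list[Section] = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config" and args:
            sections.append(Section(args[0], args[1] if len(args) > 1 else None))
        elif kw == "option" and len(args) == 2 and sections:
            sections[-1].options[args[0]] = args[1]
        elif kw == "list" and len(args) == 2 and sections:
            sections[-1].lists.setdefault(args[0], []).append(args[1])
        else:
            raise ValueError(f"cannot parse UCI line: {raw!r}")
    return sections

FORWARDING_OPTIONS = {"name", "src", "dest", "family", "enabled"}  # documented fw3 options
PORT_PROTOS = {"tcp", "udp", "tcp udp", "udp tcp", "tcpudp", "all"}  # protocols where ports apply

def lint(sections: list[Section]) -> list[tuple[str, str]]:
    """Return (level, message) findings; level is ERROR, WARN or INFO."""
    findings: list[tuple[str, str]] = []
    zones = {s.options["name"] for s in sections if s.type == "zone" and "name" in s.options}
    for i, s in enumerate(sections):
        o, label = s.options, s.options.get("name") or s.name or f"#{i}"
        if s.type == "zone" and o.get("forward", "").upper() == "ACCEPT":
            findings.append(("INFO", f"zone {label}: forward=ACCEPT already lets hosts in this zone reach each other through the router"))
        elif s.type == "forwarding":
            unknown = sorted(set(o) - FORWARDING_OPTIONS)
            for key in ("src", "dest"):
                if key not in o:
                    hint = f" (unknown option(s) {unknown} look like a typo)" if unknown else ""
                    findings.append(("ERROR", f"forwarding {label}: no '{key}' zone{hint}"))
                elif o[key] not in zones:
                    findings.append(("ERROR", f"forwarding {label}: {key} zone '{o[key]}' is not defined"))
        elif s.type == "rule":
            for key in ("src", "dest"):
                if key in o and o[key] != "*" and o[key] not in zones:
                    findings.append(("ERROR", f"rule {label}: {key} zone '{o[key]}' is not defined"))
            is_input = "dest" not in o  # no dest: the rule applies to traffic for the router itself
            if (o.get("target", "").upper() == "ACCEPT" and o.get("src") == "wan"
                    and "src_ip" not in o and "dest_port" not in o
                    and o.get("proto", "tcp udp").lower() in PORT_PROTOS):
                where = "the router" if is_input else f"zone {o['dest']}"
                findings.append(("WARN", f"rule {label}: ACCEPT from wan to {where} on all ports with no src_ip restriction"))
            dip = o.get("dest_ip", "")
            if is_input and "/" in dip and not dip.endswith(("/32", "/128")):
                findings.append(("WARN", f"rule {label}: dest_ip {dip} on an input rule matches the router's own address; the prefix is probably unintended"))
    return findings

def report(text: str) -> str:
    return "\n".join(f"{lvl:5} {msg}" for lvl, msg in lint(parse_uci(text)))
```

Run `report(open("/etc/config/firewall").read())` against the real file; the checks are heuristics, so treat WARN lines as questions to answer rather than faults. The same reasoning applies to the `/etc/firewall.user` line that opens the WireGuard port: expressed as a native `config rule` (src wan, proto udp, dest_port set to the listening port, target ACCEPT) it lands in the zone's input chain where fw3 manages it, and the parser above will see it.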

Very informative! Thanks!!
