Not sure if anyone can assist.
I'm trying to harden my firewall on OpenWRT to block all traffic except for browsing.
Within my network I have 3 vlans setup, VLAN1, VLAN2 (WAN), VLAN3.
I've set it as follow, however, whenever I select to drop ALLOUT web doesn't work anymore. I've created allow rules already for 80,443 and DNS.
It is actually really simple to do this...
Your firewall rules are all wrong -- most of them are applied to the wrong zones, but more than anything else, you've overcomplicated it. You should start by removing all of the rules you added to attempt to lock down the router. (pro-tip: it might be easier to simply revert the firewall configuration to defaults and then re-add your zone for VLAN3 and any rules associated with it... you can simply ssh into your router and then issue cp /rom/etc/config/firewall /etc/config/firewall)
Your router can handle the DNS (and does by default for DHCP clients on your network), so you don't need to make explicit rules. Although if you want to allow client machines use external DNS servers, that's pretty easy, too.
Remove the following from the firewall file (/etc/config/firewall):
config forwarding
option src lan
option dest wan
The forwarding rule (when present) allows the machines in the LAN zone to reach the WAN zone (usually the internet). By removing this, LAN clients cannot get out to the internet at all. You will want to make sure that the zone associated with VLAN3 also has this rule removed (or omitted in the first place).
Add in the following rules to allow the LAN to reach the web (ports 80 and 443), and make similar rules for your zone associated with VLAN3.
config rule
option dest_port '80'
option src 'lan'
option name 'Allow-LAN-HTTP'
option dest 'wan'
option target 'ACCEPT'
config rule
option dest_port '443'
option src 'lan'
option name 'Allow-LAN-HTTPS'
option dest 'wan'
option target 'ACCEPT'
If you do want to allow DNS from outside the network (instead of limiting DNS to the router itself, you can add in this rule, too (and do the same for your VLAN3 zone):
config rule
option dest_port '53'
option src 'lan'
option name 'Allow-LAN-DNS'
option dest 'wan'
option target 'ACCEPT'
That's it.
Now that I've given this recipe, I would also like to warn you that many things on the internet may break in the process... from messaging protocols to games to mail and so on... a lot of stuff will be non-operational, including some stuff on the web itself where you might otherwise have thought it would work. Similarly, there may be things you'd like to block that actually operate over these two ports (or can be manipulated to do so using VPN or proxy techniques among other ways). So you may not necessarily achieve what you want, but could cause a lot of collateral damage and headaches with this lockdown. So make sure that this is really what you want to do.
2 Likes