Please review and give constructive criticism on my "deny almost all" type of firewall rules

Hi all

I have a "normal" OpenWrt router for the internet. Within this OpenWrt network (many Raspberries with an rtorrent client) I have another router that protects my Void Linux desktop (192.168.1.140).

Here are the firewall rules.


# Policy applied wherever a zone does not set its own; router-originated
# traffic (output) is unrestricted.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# The zone 'forward' policy only covers traffic between networks inside the
# same zone; lan -> wan needs a 'config forwarding' section or an explicit rule.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

# masq = NAT towards the outer (192.168.87.x) network.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# No 'config forwarding' lan -> wan exists, so only the rules below open
# lan -> wan traffic; anything else falls through to the defaults (REJECT).

# Input rule: lets the upstream DHCP server answer the router's own renewals.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Forward rules: every one is pinned to the desktop as source (src_ip);
# the two without dest_ip allow those ports towards any wan-side host.
config rule
	option name 'Any-HTTPS-Traffic-allowed'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	list src_ip '192.168.1.140'

config rule
	option name 'Samba-Client-LAN2'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '139'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip '192.168.87.100'
	list dest_ip '192.168.87.133'

config rule
	option name 'Mailing-Thunderbird-Receive'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '110 995 143 993'
	option target 'ACCEPT'

config rule
	option name 'Jellyfin-Client (Streaming)'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	list dest_ip '192.168.87.100'
	option dest_port '8096'
	option target 'ACCEPT'

config rule
	option name 'Mailing-Thunderbird-Send'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '587 465'
	option target 'ACCEPT'

What can be improved? How can I become even more "paranoid"?

Is there a big hole here?

Which security-relevant settings do I have to enable? Login to the router is only possible via key (a password is not accepted).

Thank you and have a nice Sunday
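As an added example (not code from the post above and not an OpenWrt tool), here is a small Python linter that parses the UCI firewall syntax shown in the post and reports where a "deny almost all" policy is wider than one host and one port. It encodes two OpenWrt facts: a `config forwarding` section admits every protocol and port between its two zones, and without one the `defaults` forward policy decides. The embedded config is a condensed copy of the posted rules (defaults, both zones, two of the six rules); `SAMPLE_CONFIG`, `parse_uci`, `lint` and the severity labels are this example's own names.

```python
import re

# Constructed sample: a condensed copy of the config from the post above
# (defaults, the two zones and two of the six rules). Names in this file
# (SAMPLE_CONFIG, parse_uci, lint) are this example's own, not OpenWrt's.
SAMPLE_CONFIG = """
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config rule
    option name 'Any-HTTPS-Traffic-allowed'
    list proto 'tcp'
    option src 'lan'
    option dest 'wan'
    option dest_port '443'
    option target 'ACCEPT'
    list src_ip '192.168.1.140'

config rule
    option name 'Samba-Client-LAN2'
    option src 'lan'
    list src_ip '192.168.1.140'
    option dest 'wan'
    option dest_port '139'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
    list dest_ip '192.168.87.100'
    list dest_ip '192.168.87.133'
"""

# config <type> ['name'] | option <key> 'value' | list <key> 'value'
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Parse UCI config/option/list lines into a list of section dicts.
    Every key maps to a list of values so repeated 'list' entries survive."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            cur = {".type": key, ".name": value}
            sections.append(cur)
        else:
            cur.setdefault(key, []).append(value)
    return sections


def lint(sections):
    """Return (severity, message) findings against a deny-almost-all intent.
    HIGH = traffic admitted wholesale; MED/INFO = a rule wider than one host/port."""
    findings = []
    for s in sections:
        t = s[".type"]
        if t == "defaults":
            if s.get("forward", ["REJECT"])[0] != "REJECT":
                findings.append(("HIGH", "defaults forward is not REJECT"))
            if s.get("output", ["ACCEPT"])[0] == "ACCEPT":
                findings.append(("INFO", "defaults output ACCEPT: the router itself may connect anywhere"))
        elif t == "forwarding":
            # Zone-to-zone forwarding admits all ports; per-port rules no longer matter.
            findings.append(("HIGH", f"forwarding {s['src'][0]} -> {s['dest'][0]} admits all traffic"))
        elif t == "rule" and s.get("target", [""])[0] == "ACCEPT" and "dest" in s:
            name = s.get("name", ["<unnamed>"])[0]
            ports = " ".join(s.get("dest_port", ["any"]))
            if "src_ip" not in s:
                findings.append(("MED", f"{name}: no src_ip, any {s.get('src', ['*'])[0]} host may use ports {ports}"))
            if "dest_ip" not in s:
                findings.append(("INFO", f"{name}: no dest_ip, ports {ports} reachable on every {s['dest'][0]} host"))
            if "family" not in s and "src_ip" not in s and "dest_ip" not in s:
                findings.append(("INFO", f"{name}: no family and no addresses, matches IPv6 too"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint(parse_uci(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
    # Constructed hole: a blanket lan -> wan forwarding section must be flagged HIGH.
    hole = SAMPLE_CONFIG + "\nconfig forwarding\n    option src 'lan'\n    option dest 'wan'\n"
    assert any(sev == "HIGH" for sev, _ in lint(parse_uci(hole)))
```

On the posted config the linter only reports the two INFO items (router output unrestricted, and port 443 open towards any wan-side host from the desktop), which matches the author's intent; appending a `config forwarding` lan -> wan section, the classic way such a policy gets silently widened, produces a HIGH finding. To run it against a live router, feed it the output of `cat /etc/config/firewall` instead of the embedded sample.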

What are you trying to achieve from the rules? What are the threats?
