Please review and give constructive criticism on my "deny almost all" type of firewall rules

Hi all

I have a "normal" OpenWrt router for the internet. Within this OpenWrt (many Raspberries with rtorrent client) network I have another router that protects my Void Linux desktop (192.168.1.140).

Here are the firewall rules.


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Any-HTTPS-Traffic-allowed'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	list src_ip '192.168.1.140'

config rule
	option name 'Samba-Client-LAN2'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '139'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip '192.168.87.100'
	list dest_ip '192.168.87.133'

config rule
	option name 'Mailing-Thunderbird-Receive'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '110 995 143 993'
	option target 'ACCEPT'

config rule
	option name 'Jellyfin-Client (Streaming)'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	list dest_ip '192.168.87.100'
	option dest_port '8096'
	option target 'ACCEPT'

config rule
	option name 'Mailing-Thunderbird-Send'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.140'
	option dest 'wan'
	option dest_port '587 465'
	option target 'ACCEPT'

What can be improved? How can I become even more "paranoid"?

Is there a big hole here?

Which security-relevant settings do I have to enable? Login to router is only possible via key (password is not accepted).

I am not allowed to describe my threat model, but I am in need of very high security.

Thank you and have a nice Sunday

Have no idea what this means? The OpenWrt ToH pretty much has thousands of these…

There are a lot of these in the forum this weekend…

But what do you want us to tell you since you don’t tell us anything about the security needs and you only show us all or bits of the firewall config?

A secure home network is a lot more than the firewall.

You have a lot of rules allowing lan to wan traffic, but unless you have done other changes there should be a general lan to wan forward rule somewhere in the bottom of the config.

What is "OpenWrt ToH"?

Are there any OpenWrt plugins I need to install? What do you mean with "a lot more than the firewall"? Examples, please.

I removed the general lan to wan forward.

Table of Hardware

It's hard to know if you can't disclose the security threat vectors that concern you.

There are many things...I can't speak for @flygarn12 in terms of their specific thoughts around it, but I'll chime in to say that the default firewall configuration prevents unsolicited requests from entering your router or your network. It doesn't prevent your computer from initiating connections to the internet (and the subsequent replies). You can "lock down" all but the ports/services that you need -- so for example, you probably need http/https, but maybe you could block other things (you'd probably start breaking things you want to use, though). However, there's nothing that prevents a piece of malware from sending data leaked from your computer (files, keylogger data, passwords, etc.) over standard channels like https/443. So your computer must be protected against malware, and you need to protect yourself from visiting sites or running software that may have malicious payloads that they can deliver to your computers.

That is just one example.

1 Like

@psherman says it pretty well; what I can add is data integrity and data backup.

The thing I don’t understand is your advanced and super secret threat model analysis, while you don’t even know the basics of cyber security.

Well, a lot of things will soon stop working for you, https traffic for example, since you have blocked all ntp traffic.

4 Likes

Thanks, added NTP Rule

How-To secure / protect standard channels like https/443? Is there anything OpenWrt can do for me? For example privoxy, which I used to use.

It all depends on the threat landscape...

You could install something like snort or other IDS/IPS (intrusion detection/protection systems), but those are very resource intensive and require a very powerful router (i.e. x86).

But without details about what threat vectors you are trying to mitigate, there's no specific advice that can be provided.

2 Likes

Standard channel!? Standard channel is http at port 80, but you have already blocked that so that will sooner or later give you high blood pressure.
Https is already as safe as today’s internet can provide.

So how exactly are you handling DNS with your firewall setup?

2 Likes
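One way to check a config like the one posted above for the NTP and DNS egress gaps raised in the replies, as an added example that is not from the thread or from OpenWrt itself. It assumes only the `config`/`option`/`list` lines of UCI syntax, and the sample is a constructed excerpt of the posted rules:

```python
import re
# Constructed excerpt in the UCI syntax of the config posted in the thread
# (only one of the rules scoped to the host 192.168.1.140 is reproduced).
SAMPLE_FW = """
config defaults
	option forward 'REJECT'
config rule
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	list src_ip '192.168.1.140'
"""

# DNS and NTP egress: the two gaps raised in the replies above.
REQUIRED = {("udp", "53"), ("udp", "123")}

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$", raw.strip())
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "values": {}})
        else:  # 'option' and 'list' are both stored as value lists
            sections[-1]["values"].setdefault(key, []).append(val)
    return sections

def allowed_egress(sections, host):
    """(proto, port) pairs that lan->wan ACCEPT rules open for the given host."""
    allowed = set()
    for s in sections:
        v = s["values"]
        if (s["type"] != "rule" or v.get("target") != ["ACCEPT"]
                or v.get("src") != ["lan"] or v.get("dest") != ["wan"]):
            continue
        if v.get("src_ip") and host not in v["src_ip"]:
            continue  # rule is scoped to other source hosts
        protos = " ".join(v.get("proto", ["tcp udp"])).split()  # UCI default
        ports = " ".join(v.get("dest_port", ["any"])).split()
        allowed.update((p, port) for p in protos for port in ports)
    return allowed

def missing_services(text, host="192.168.1.140"):
    return sorted(REQUIRED - allowed_egress(parse_uci(text), host))
```

Run it against the full `/etc/config/firewall` to list the (proto, port) pairs the desktop still cannot reach; an empty list means DNS and NTP egress are covered.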

Indeed, sometimes people forget that availability is also a key factor to define security (as in the triad). But hey, deny by default is indeed the proper starting point.

2 Likes

OpenWrt is running on NanoPi R4S.
It's a very powerful device.

OK to go?

Is there no LuCI webUI for snort3?

How-To get started with snort3?

Why? I don't need plain HTTP

DNS over HTTPS (DoH) in Firefox