Port filter question

If we would like to block some applications from accessing the Internet, do we just need to add rules at /etc/config/firewall?
Is there any example config for

http(port 80)
https(port 443)
telnet(port 23)
ftp(port 21, 20)

Thanks

Without analyzing the data, it's all or nothing, on each port.

Hi frollic,
Without analyzing the data, it's all on the selected port.
Can I just set the config as below at /etc/config/firewall so that the HTTP application cannot access the Internet?

config rule 'http'
option proto 'tcp'
option dest_port '80'
option name 'DROP-HTTP'
option src 'lan'
option target 'DROP'

it looks correct, but it's 5 am, so...

If I remember correctly, DROP will cause the client request to time out; REJECT would let the client know it's not allowed.

This blocks all applications:

It's not going to be easy to block applications on the router, only devices.

1 Like

If I issue the following commands,
the http website is blocked, but the https website is also blocked.
How to only block http or https?

uci add firewall rule
uci set firewall.@rule[-1].name="Reject-HTTP-Forward"
uci set firewall.@rule[-1].src=""
uci set firewall.@rule[-1].dest=""
uci set firewall.@rule[-1].dest_port="80"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="REJECT"

uci commit firewall

/etc/init.d/network restart

hi,

I suggest defining the src and dest zone fields as well. It makes it much clearer what you want to do and what you are actually doing.

If you only deny/reject port 80 (http), it does not impact port 443 (https) traffic. Try to explicitly specify https://example.com instead of http://example.com .

2 Likes

Hi grrr2,
Is there any example setting to define the src and dest zones?

Thanks,

You can use luci to create fw rules; usually it is (more) convenient than uci, though some complicated rules are easier to do via uci.

Anyhow, those fields above, src/dest, can be used to specify zones.

1 Like

Hi grrr2,
I did test1 and test2; the test1 behavior is not expected. Do you know why it is not as expected?

Test1:

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-HTTPS-Forward"
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].dest="*"
uci set firewall.@rule[-1].dest_port="443"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall

uci add firewall rule
uci set firewall.@rule[-1].name="Reject-HTTP-Forward"
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].dest="*"
uci set firewall.@rule[-1].dest_port="80"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="DROP"
uci commit firewall

Both http and https cannot access the Internet.
The behavior is not expected; I don't know why https cannot access the Internet.

Test2:

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-HTTPS-Forward"
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].dest="*"
uci set firewall.@rule[-1].dest_port="443"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="DROP"
uci commit firewall


uci add firewall rule
uci set firewall.@rule[-1].name="Reject-HTTP-Forward"
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].dest="*"
uci set firewall.@rule[-1].dest_port="80"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall

http can access the Internet, but https cannot access the Internet.
The behavior is expected.

You really don't need the ACCEPT rules; everything is allowed going out towards the internet/wan.
As @grrr2 wrote earlier, * might not be the best of settings in dest/src.

If you are trying to apply from all source zones to all destination zones, then they must be:

uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].dest="*"

Also keep in mind that it will be evaluated before the zone-specific rules.
After each uci commit firewall you need to do a /etc/init.d/firewall restart, not network as you did.

Did you modify the default firewall setup, most importantly the zone forwarding rules?
Can you share your /etc/config/firewall, please?
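Putting the thread's advice together (explicit lan/wan zones instead of "*", REJECT or DROP as the target, and spotting wildcard-zone rules that run before the zone-specific ones), here is an added POSIX shell example that is not from any poster in this thread. It assumes the default OpenWrt zone names lan and wan, and the sample config it checks is constructed, not taken from a real router.

```shell
# make_port_block_rule NAME PORT [TARGET]: print a /etc/config/firewall
# stanza rejecting (or dropping) TCP traffic to PORT from lan to wan.
make_port_block_rule() {
    name=$1 port=$2 target=${3:-REJECT}
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$target" in
        REJECT|DROP) ;;   # REJECT tells the client; DROP makes it time out
        *) echo "bad target: $target" >&2; return 1 ;;
    esac
    printf "config rule\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption src 'lan'\n"    # explicit zones instead of '*'
    printf "\toption dest 'wan'\n"
    printf "\toption proto 'tcp'\n"
    printf "\toption dest_port '%s'\n" "$port"
    printf "\toption target '%s'\n" "$target"
}
# lint_wildcard_rules: read a firewall config on stdin and print the name
# of every rule whose src or dest zone is '*' (applies to all zones and is
# evaluated before the zone-specific rules).
lint_wildcard_rules() {
    awk -v q="'" '
        /^config rule/ { if (wild) print name; name = ""; wild = 0 }
        $1 == "option" && $2 == "name" { name = $3; gsub(q, "", name) }
        $1 == "option" && ($2 == "src" || $2 == "dest") && $3 == (q "*" q) { wild = 1 }
        END { if (wild) print name }
    '
}
# Constructed sample config (not from a real router) for a quick check.
SAMPLE_CONFIG="config rule
    option name 'Allow-HTTPS-Forward'
    option src '*'
    option dest '*'
    option dest_port '443'
    option target 'ACCEPT'

config rule
    option name 'Reject-HTTP-Forward'
    option src 'lan'
    option dest 'wan'
    option dest_port '80'
    option target 'REJECT'
"
printf '%s' "$SAMPLE_CONFIG" | lint_wildcard_rules   # prints Allow-HTTPS-Forward
```

The generated stanza can be appended to /etc/config/firewall and activated with /etc/init.d/firewall restart, as noted above.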