Reject WAN zone input traffic?

Livy · December 14, 2019, 3:43pm

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

This is the default firewall rule of my router. I don't understand why input traffic is rejected. option input is the traffic flows from the wan zone to the router. If it is set to REJECT, then how can a web server on the Internet sends back the data when I make a request from lan zone?

Furthermore, if we have input traffic from lan zone to router set to ACCEPT, then the output traffic from the router to wan set to ACCEPT as well (as above), then what is the purpose of the config forwarding rule:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

From my understanding, the traffic shall be forwarded from lan to the router, then from the router to wan anyway.

PolynomialDivision · December 14, 2019, 4:20pm

Can u please do

iptables -L

and post the stuff here?
I think the rule is just for ingoing new connections. iptables is able to record the state of connections.

The openwrt firewall is just replacing this uci config with iptable rules.

Livy · December 14, 2019, 4:27pm

This article says traffic, not TCP or UDP connections.

I know firewall3 uses iptables under the hood, but it is not what I am want to learn at the moment. I try with the easy way first.

psherman · December 14, 2019, 4:32pm

First, let me assure you that the firewall configuration elements you showed are correct, functional and secure.

Firewalls can be a bit confusing - you have to look at it from the perspective of the firewall itself rather than the data to/from the zones and consider how NAT and masquerading works.

Most of the magic is in the masquerade functionality.

But one way to look at that input rule is that it governs data that interacts with the firewall/router itself (think administration or local services hosted by the device). Data still can flow through the firewall even though it is not allowed to interact with the device itself. A simple analogy would be walking through a shopping mall when the stores are closed so you can’t go shopping, but you can still walk through the mall structure itself.

jeff · December 14, 2019, 4:52pm

Also, specific rules override the zone default. So, for example, “allow incoming SSH connections from WAN” would override a default “deny incoming connections from WAN”.

trendy · December 14, 2019, 6:17pm

Input traffic would be someone from the internet trying to access some server running on your router, e.g SSH or HTTP.
The response of a web server in the internet to some host in your lan classifies as forward traffic at first and not new, but related to a previous outgoing packet (from the lan host to the internet server) which was allowed, hence the response is also allowed.

Input and output mean traffic destined to the router or originating from the router.
The forwarding rule covers traffic traversing the router from one zone to another.

Correct, but different rules apply when the packets traverse the router and when they originate or end up to the router.

Livy · December 14, 2019, 6:24pm

It is really complicated and confusing. I suggest some moderator to edit the firewall configuration article as soon as possible, to prevent confusion to new users like me. I am a power user, and am familiar with a lot of networking concepts, but still truggle to learn OpenWrt.

input and output options apply to new connection requests, not traffic -- which I thought of as segments/packets/frames. But then, it cannot be called connection if UDP is used, as it is a connectionless protocol. It would be cool if someone can put a clear definition of what traffic means in this context.

trendy · December 14, 2019, 6:42pm

Could you be a bit more specific what is confusing?

iptables examine packets' headers primarily to decide which action to take.
The input and output options (as well as forward) specify the policy. That means what to do if all other rules don't match this packet. For Default very rarely you will find any packet reaching the default policy. They are mostly covered by other rules for individual zones.

Livy · December 14, 2019, 6:53pm

I was confused by the usage of the term traffic. For example:
input | string | no | DROP | Default policy ( ACCEPT, REJECT, DROP ) for *incoming* zone traffic.
I thought that it meant all sorts of data units (TCP segments / IP packets / Ethernet frames). And if it was set to REJECT, then all packets would be rejected, meaning no data was able to flow through at all.

trendy · December 14, 2019, 7:08pm

I don't follow you. All these exist in a frame. You cannot have just some sort of frame with TCP segment and without IP header.
But still, the default policy tells what action will be applied to the packet that has not been matched by a rule.

jeff · December 14, 2019, 7:24pm

While "zones" in OpenWrt are a construct of how the firewall is arranged, the rest of the firewall is documented by standard Linux.

UDP is considered by conntrack to be a "connection" if it is a packet that matches the same source/destination host:port quad within the time window. See http://conntrack-tools.netfilter.org/

The various netfilter points (INGRESS, PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING) are shown, for example, at https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

iptables itself has extensive documentation, tutorials, and examples throughout the Internet. Pick a format that meets your needs and matches your learning style for the task at hand.

system · December 24, 2019, 7:23pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.