Secure firewall configuration when using a public IP

Up until now, I was behind a CGNAT connection (which unintentionally protected me) but I will be getting a public IP tomorrow for port forwarding purposes.

I realize that this might be a crude question but since I'm a beginner, I would like to know whether the default OpenWRT firewall configuration is "good enough" when I'm exposed to the Internet on a public IP? I'm not running uhttpd or dropbear or any other services on WAN. I'm on the latest snapshot build on a TP-Link 1043N. I'm also willing to follow relevant documentation if I'm exposed to it.

This is the output of netstat -tulpen

root@OpenWrt:~# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0*               LISTEN      1300/uhttpd
tcp        0      0  *               LISTEN      1547/dnsmasq
tcp        0      0*               LISTEN      1547/dnsmasq
tcp        0      0*               LISTEN      1547/dnsmasq
tcp        0      0*               LISTEN      1297/dropbear
tcp        0      0 ::1:53                  :::*                    LISTEN      1547/dnsmasq
tcp        0      0 fe80::724f:57ff:feae:f516:53 :::*                    LISTEN      1547/dnsmasq
udp        0      0  *                           1547/dnsmasq
udp        0      0*                           1547/dnsmasq
udp        0      0*                           1547/dnsmasq
udp        0      0    *                           1547/dnsmasq
udp        0      0 ::1:53                  :::*                                1547/dnsmasq
udp        0      0 fe80::724f:57ff:feae:f516:53 :::*                                1547/dnsmasq

Yes, the default configuration is intended to be used on devices with a public IP address, and should be good enough.

1 Like


They should be fine.

@eduperez Thanks. That's good to know.

@lleachii and port forwards should work due to this right?


  • So long as your ISP isn't blocking the port(s) you wish to open
  • So long as you create a port forward
  • FYI, the picture you displayed is not the relevant section

The ISP supposedly won't block the port once I purchase a public IP and I have created the port forwarding rules.

Oh, it isn't? Mind asking which one is?

Just for you:


You need to create a specific port forward for the particular ports you're interested in. The thing you highlighted above is necessary to detect port forwards and make them happen, but it doesn't by itself forward anything.

Oh you meant the zone_wan_prerouting rules ... I've already created the rules that I wanted ...


Thanks for the help.

Right, I was thinking that because WAN traffic is rejected by default, what is the relevant section that enables port forwards and so I highlighted that section earlier. I've created the rules that would do the actual forwarding.

Yep, that line you hilighted basically allows packets that are known to be part of a port forwarded conversation to be accepted rather than dropped. You're all set to go!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.