1043N
1
Up until now, I was behind a CGNAT connection (which unintentionally protected me) but I will be getting a public IP tomorrow for port forwarding purposes.
I realize that this might be a crude question but since I'm a beginner, I would like to know whether the default OpenWRT firewall configuration is "good enough" when I'm exposed to the Internet on a public IP? I'm not running uhttpd or dropbear or any other services on WAN. I'm on the latest snapshot build on a TP-Link 1043N. I'm also willing to follow relevant documentation if I'm exposed to it.
This is the output of netstat -tulpen
root@OpenWrt:~# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.1:80 0.0.0.0:* LISTEN 1300/uhttpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 100.73.252.66:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 192.168.0.1:22 0.0.0.0:* LISTEN 1297/dropbear
tcp 0 0 ::1:53 :::* LISTEN 1547/dnsmasq
tcp 0 0 fe80::724f:57ff:feae:f516:53 :::* LISTEN 1547/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 1547/dnsmasq
udp 0 0 192.168.0.1:53 0.0.0.0:* 1547/dnsmasq
udp 0 0 100.73.252.66:53 0.0.0.0:* 1547/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1547/dnsmasq
udp 0 0 ::1:53 :::* 1547/dnsmasq
udp 0 0 fe80::724f:57ff:feae:f516:53 :::* 1547/dnsmasq
Yes, the default configuration is intended to be used on devices with a public IP address, and should be good enough.
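The listener check from the first post, written as an added example that is not part of the thread: a POSIX shell helper that sorts `netstat -tulpen` listeners by bind address and lists the ones whose reachability from WAN depends on the firewall. The sample lines are copied from the output posted above; the function names and the LAN address argument (192.168.0.1) are assumptions.

```shell
#!/bin/sh
# Added example. Classify listening sockets from `netstat -tulpen` text on stdin.
# $1 = the router's LAN IPv4 address (assumed 192.168.0.1, as in the thread).
# Output columns: scope proto address port program
#   loopback  bound to 127.0.0.1 or ::1
#   lan       bound to the LAN address only
#   wildcard  bound to 0.0.0.0 or :: (every interface, WAN included)
#   other     anything else (the WAN address, link-local IPv6, ...)
classify_listeners() {
    awk -v lan="$1" '
    $1 ~ /^(tcp|udp)/ && NF >= 6 {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)   # everything before it
        if (addr == "127.0.0.1" || addr == "::1")   scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
        else if (addr == lan)                       scope = "lan"
        else                                        scope = "other"
        prog = $NF; sub(/^[0-9]+\//, "", prog)      # drop the PID prefix
        print scope, $1, addr, port, prog
    }'
}

# Listeners that only the firewall's WAN input policy keeps unreachable.
needs_firewall() {
    classify_listeners "$1" | awk '$1 == "wildcard" || $1 == "other"'
}

# Sample input: lines taken from the netstat output in the first post.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.1:80 0.0.0.0:* LISTEN 1300/uhttpd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 100.73.252.66:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 192.168.0.1:22 0.0.0.0:* LISTEN 1297/dropbear
tcp 0 0 fe80::724f:57ff:feae:f516:53 :::* LISTEN 1547/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1547/dnsmasq
EOF
}

# On the router itself: netstat -tulpen | needs_firewall 192.168.0.1
sample_netstat | needs_firewall 192.168.0.1
```

On this sample the helper reports dnsmasq on 100.73.252.66:53, on the link-local IPv6 address, and on the wildcard DHCP socket, while uhttpd and dropbear are bound to the LAN address only.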
1043N
4
@eduperez Thanks. That's good to know.
@lleachii and port forwards should work due to this right?

1043N
6
The ISP supposedly won't block the port once I purchase a public IP and I have created the port forwarding rules.
Oh, it isn't? Mind asking which one is?
You need to create a specific port forward for the particular ports you're interested in. The thing you highlighted above is necessary to detect port forwards and make them happen, but it doesn't by itself forward anything.
1043N
9
Oh you meant the zone_wan_prerouting rules ... I've already created the rules that I wanted ...

Thanks for the help.
1043N
10
Right, I was thinking that because WAN traffic is rejected by default, what is the relevant section that enables port forwards and so I highlighted that section earlier. I've created the rules that would do the actual forwarding.
Yep, that line you highlighted basically allows packets that are known to be part of a port forwarded conversation to be accepted rather than dropped. You're all set to go!