Setting up a restricted firewall test environment

I've installed OpenWrt on a Cudy WR1300, and I'm trying to emulate a typical corporate restrictive firewall for testing purposes. The firewall is supposed to restrict all connections going out, except for:

  • https going out to the WAN/internet (tcp port 443)
  • dns (udp port 53)
  • dhcp (67/68)
  • SSH for allowing configuration of the router
  • mdns/wifi discoverability (so that the network can still be connected to)

So in short, this is supposed to allow visits to websites - so not an entirely air-gapped setup - but only under these strict security conditions. Everything else gets blocked. I set the rules in the below firewall config, but I don't know if they're working. I'm still able to curl http://google.com:80 and get the 301 redirect text. Is it the default rules preventing mine from working? Something else? Any help would be most appreciated.


config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-HTTPS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP'
	option src 'lan'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-mDNS'
	option src 'lan'
	option proto 'udp'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'


You can safely drop WAN input forward.
Probably leave global output accepted, it applies to no-zone devices, like pppoe lower device.

For LAN side you would need to allow dhcp and dns and maybe ping input as a minimum. So best you make "guest LAN" and tune rules while other device tries to use it.

Remove the above which is listed twice

https nowadays happens on 443/udp too

Good catch. I could have clarified that tcp was actually a condition of the test case here, hence the additional specificity on https.

So the global defaults don't matter as much, and I should drop output on the wan? What about the lan settings I have now, plus the existing rules - does the target (lan-to-wan) need changing on any of them?

Are you reading? Change 2 REJECT on wan to DROP, don't block output accept.

Done. Wan is now as follows:

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'


Thanks.


Just fyi the forward rule permits forward one way on its own.

Probably this too:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
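A toy model of the decision the thread is circling, added here as an example (it is not OpenWrt's own code): it parses a constructed excerpt of the question's config and shows that the lan->wan `config forwarding` section accepts port 80 ahead of the lan zone's forward DROP, while removing that section leaves only the explicit Allow-HTTPS rule in force.

```python
# Added toy model of the fw3/fw4 forward decision; not OpenWrt code.
# Constructed excerpt of the question's config (the parts relevant lan->wan).
CONFIG = """config zone
	option name 'lan'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-HTTPS'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})] for the UCI subset used here."""
    sections = []
    for parts in (l.split(None, 2) for l in text.splitlines() if l.strip()):
        if parts[0] == "config":
            sections.append((parts[1], {}))
        else:  # 'option key value' ('list' is stored the same way in this model)
            sections[-1][1][parts[1]] = parts[2].strip("'")
    return sections

def port_matches(spec, port):
    """dest_port: absent (any port), a single port, or a 'lo-hi' range like '67-68'."""
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def forward_verdict(sections, src, dest, proto, port):
    """Verdict for a new connection forwarded from zone src to zone dest."""
    # 1. Explicit rules carrying both src and dest are checked first. Rules with
    #    no dest (the question's Allow-DNS, Allow-DHCP, ...) are INPUT rules only.
    for typ, s in sections:
        if typ == "rule" and s.get("src") == src and s.get("dest") == dest:
            if proto in s.get("proto", "tcp udp").split() and port_matches(s.get("dest_port"), port):
                return s["target"]
    # 2. A 'config forwarding' src->dest section accepts everything else between
    #    the two zones, whatever the zones' own forward policies say.
    for typ, s in sections:
        if typ == "forwarding" and s.get("src") == src and s.get("dest") == dest:
            return "ACCEPT"
    # 3. Otherwise the source zone's forward policy decides (the global 'config
    #    defaults' forward policy only covers traffic that matches no zone).
    zone = next((s for typ, s in sections if typ == "zone" and s.get("name") == src), {})
    return zone.get("forward", "DROP")

SECTIONS = parse_uci(CONFIG)
```

With the forwarding section present, `forward_verdict(SECTIONS, "lan", "wan", "tcp", 80)` returns ACCEPT, which is the curl result in the question; with that section filtered out, port 80 falls through to the lan zone's DROP and only tcp/443 still passes.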