[Solved] How secure is the preconfigured firewall?

dear community,

please help me with this. i know that "secure" is a term that is hard to define, but i hope that you can give me at least a bit of an idea.

i'm using a d-link dwr921 lte router with openwrt 18.06.1 (will upgrade to 18.06.2 when i have a new sim card).

i found this interesting statement:
https://openwrt.org/docs/guide-user/security/lede_security
which says that "LEDE is hardened by default and can be used right away, without being worried".

--> does this apply to openwrt as well?
--> is the preconfigured firewall exactly the same on all devices or does the dwr921 have settings that other devices don't have?
--> are there any possible scenarios where the default firewall configuration of openwrt would be not secure enough? (e.g. regarding the device i connect to the router with)?
--> in the next months, i plan to read and learn as much as i can about iptables, netfilter, etc. should i wait until then before i start using the router and its os or do you think that the preconfigured firewall is secure enough so I can start using the router right now?

would it be helpful to post a detailed description of my computer's operating system and my browsing habits or is this unnecessary?

i know that nobody can give me a guarantee and that terms like "secure" can be defined in various ways, i'm just asking for your opinions. thank you

  • Yes, the same that goes for LEDE goes for OpenWrt.
  • Yes, all devices share the same default config.
  • None that I am aware of, and definitively not for the typical user.
  • You can use the router as-is, just do not change any firewall settings until you know what you are doing.
1 Like

To add to what @eduperez has already said, by default the firewall in OpenWrt allows computers connected to the LAN zone to connect outbound, and does not allow inbound connections from WAN to LAN for either ipv4 or ipv6. This is secure enough for essentially all normal purposes. The main thing that this doesn't do is limit what the LAN devices can reach, which could be a useful thing for people with certain specific requirements, for example limiting access to the web or blocking certain cheap security cameras from sending data to servers in china or whatever.

Unless you have an immediate need to limit the outbound connections (like those security cameras etc), you are ok to use the router as is. If you have some devices that shouldn't get on the internet and start sending stuff or downloading updates you don't want them to have or things like that... then you should hold off until you know how to configure a limited separate guest or IoT network.

1 Like

There are some risks if you allow untrusted devices to connect to your LAN/WLAN.
In that case you can add permissive firewall rules for HTTPS/SSH/DNS/DHCP/DHCPv6 and set LAN-zone input-policy to REJECT, as well as perform forwarded traffic filtering.
However, study recovery procedure for your device beforehand in case you soft-brick it.

2 Likes

thank you for your answers. i'm really happy to hear that it should be okay to start using the router right now :slight_smile:

@eduperez: thanks for answering all four questions. i'm pretty optimistic that in a few months i'll know enough about firewall configuration to eventually change it

@dlakelan: sounds good, i don't use any services that would require allowing of incoming traffic. Also, I only have two laptops connecting to this router and there is no need for limiting or controlling the traffic.

i will also keep in mind the advice about how to deal with untrusted devices. i would mention this user by the name, but new users (such as me) can only mention two users...sorry

I do not want to be a party pooper but I see that everyone is very optimistic, I guess none of you have ever been hacked. I have learned that no wall is high enough, but if yours is higher than the neighbor's wall, they will jump the neighbor's wall. And OpenWrt is safer than others, its wall is a bit higher. :wink:

1 Like

I think the point isn't that it's safe but that out of the box it is usable with a good degree of safety. For me the real safety comes from the offline off-site backup.

2 Likes

These are my firewall rules.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-Outbound-TFTP'
	option src 'lan'
	option dest 'wan'
	option dest_port '69'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-Syslog'
	option src 'lan'
	option dest 'wan'
	option dest_port '514'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SNMP'
	option src 'lan'
	option dest 'wan'
	option dest_port '161 162'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SMB'
	option src 'lan'
	option dest 'wan'
	option dest_port '135 137 138 139 445'
	option proto 'tcpudp'
	option family 'any'
	option target 'REJECT'

config rule
	option proto 'tcp'
	option dest_port '22'
	option name 'Block SSH from lan2'
	option family 'ipv4'
	option src 'lan2'
	option dest 'wan'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'
One more thing you can do to stay safer is install the luci-app-bcp38 package.
https://tools.ietf.org/html/bcp38

What is BCP38 and why is it important?

For its purpose the preconfigured firewall is pretty much secure, as many have stated here. However when we talk about being hacked and insecurities we need to understand first a couple of things.
The default firewall that runs on OpenWrt is a L3/L4 filter. It won't save you if you open a scam link in your browser or open a fishy attachment in your email. Likewise, it cannot prevent an attack that uses an open connection that was initiated from the LAN. It doesn't inspect for viruses, malware or injection-type attacks. It won't stop a brute-force attack on a weak password.
BCP38 is something that should be primarily applied at the edge of the ISP (or enterprise), to confirm that only legitimate source addresses from customers are allowed. Installing it on our OpenWrt router helps only to prevent an accidental (bad NAT) or malicious (infected router) spoofed IP, but other than that it won't save you if the packet arrives with a spoofed address.

2 Likes

A reasonable proportion of home routers will be similarly secure, as by default they will also not allow arbitrary connections into the LAN environment (as long as they don't have things like upnp running).

The main threats in the home come from elsewhere -- either due to misbehaving devices connected to the LAN (TVs and IoT style devices are major culprits), or as the poster said above because of bad user behaviour (clicking on links in spam and so on).

You can add things like BCP38, but compared to the kinds of threats you typically face in the home, they aren't going to lessen the attack surface all that much.

i agree, the point is that i need some time to get a good understanding about how firewall configuration works.

until then, i hope that the default configuration all in all gets the job done (and it looks like it does, but i see that there's a trade-off)

1 Like

@tapper: bcp38 sounds very promising, i will have a closer look at it

i understand that things like a firewall only offer limited protection and that there are many possible threats that could make it more or less pointless, as some users have pointed out.

i definitely don't think that as long as i have a good firewall i can do whatever i feel like.

just one more question: i have just taken a quick look at the preconfigured firewall in luci and noticed the following lines:

Chain INPUT (Policy:accept)
Chain FORWARD (Policy: drop)
Chain OUTPUT (Policy: accept)

this sounds like incoming traffic is allowed by default, or am i getting something wrong? shouldn't the policy for input be something like "drop", "deny" or "reject"?

one user said incoming traffic is not allowed by default and this is also the way i would like it to be.

As others have stated, the default firewall rules provide reasonable security. Keeping your router's firmware up to date by flashing new ROMs as they become available, not enabling UPnP or similar, along with making informed decisions about which ports to open (if any!) are wise strategies.

The greatest risks, in my opinion, come from outdated firmware/software, weak passwords, poor decisions on allowing outside access, and from internal hosts and their operators (phones, desktops, and IoT devices).

1 Like

It depends on the zone.
Each firewall zone has its own policy.

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

is the actual wan zone default. iirc, OOTB ssh is open to the WAN, so if it is not needed...

Yes, look at the zones below the "General Settings", you'll find the WAN and LAN zones have their own "Input, Output, Forward" rules, and input by default from WAN is rejected or dropped I believe.

1 Like

@vgaetera: it's in the category "firewall - zone settings" under "general settings". no certain zone is mentioned

@anomeome: does this mean the allowing of incoming traffic only applies to ssh? can i safely disable ssh and change input policy to "reject"?

It's the default policy.
Each interface/network is assigned to a specific firewall zone.
The default policy is applied when you add a new interface without a firewall zone assignment.
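Both the firewall config posted earlier in the thread and the point just made (that `config defaults` only governs interfaces with no zone, so the "INPUT (Policy: accept)" line in LuCI is not the WAN policy) can be checked mechanically. The following is an added example, not OpenWrt's own code or any poster's: a small parser for the UCI firewall file that reports each zone's input policy next to the defaults entry and lists the rules that accept traffic arriving from the wan zone. The sample config is constructed, trimmed from the one posted above.

```python
# Added example, not OpenWrt code: parse a UCI firewall config like the one
# posted above; SAMPLE is constructed, cut down from that config.
SAMPLE = """
config defaults
	option input 'ACCEPT'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] in file order."""
    sections = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith(("option ", "list ")):
            kind, key, raw = line.split(None, 2)
            val = raw.strip("'\"")  # UCI quotes its values
            if kind == "list":
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections

def input_policies(sections):
    """Input policy per zone; the 'defaults' entry only governs interfaces
    that belong to no zone, so it is not what the WAN interface gets."""
    return {o.get("name", "defaults"): o.get("input", "unset")
            for t, o in sections if t in ("defaults", "zone")}

def wan_accept_rules(sections):
    """Rules that ACCEPT traffic arriving from wan (dest omitted = router)."""
    out = []
    for t, o in sections:
        if t == "rule" and o.get("src") == "wan" and o.get("target") == "ACCEPT":
            out.append(f"{o.get('name', '?')}: wan -> {o.get('dest', 'router')}")
    return out
```

Run against a real `/etc/config/firewall` to see that the wan zone's REJECT, not the defaults ACCEPT, is what applies to WAN-facing interfaces, and which rules (here the default Allow-ISAKMP) let wan traffic through.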

okay, i think i understand now

1 Like