--> Does this apply to OpenWrt as well?
--> Is the preconfigured firewall exactly the same on all devices, or does the DWR-921 have settings that other devices don't have?
--> Are there any possible scenarios where the default firewall configuration of OpenWrt would not be secure enough (e.g. regarding the device I connect to the router with)?
--> In the next months, I plan to read and learn as much as I can about iptables, netfilter, etc. Should I wait until then before I start using the router and its OS, or do you think that the preconfigured firewall is secure enough that I can start using the router right now?
Would it be helpful to post a detailed description of my computer's operating system and my browsing habits, or is this unnecessary?
I know that nobody can give me a guarantee and that terms like "secure" can be defined in various ways; I'm just asking for your opinions. Thank you.
To add to what @eduperez has already said, by default the firewall in OpenWrt allows computers connected to the LAN zone to connect outbound, and does not allow inbound connections from WAN to LAN for either IPv4 or IPv6. This is secure enough for essentially all normal purposes. The main thing that this doesn't do is limit what the LAN devices can reach, which could be a useful thing for people with certain specific requirements, for example limiting access to the web or blocking certain cheap security cameras from sending data to servers in China or whatever.
Unless you have an immediate need to limit the outbound connections (like those security cameras etc.), you are OK to use the router as is. If you have some devices that shouldn't get on the internet and start sending stuff or downloading updates you don't want them to have, or things like that, then you should hold off until you know how to configure a limited separate guest or IoT network.
There are some risks if you allow untrusted devices to connect to your LAN/WLAN.
In that case you can add permissive firewall rules for HTTPS/SSH/DNS/DHCP/DHCPv6 and set the LAN-zone input policy to REJECT, as well as filter forwarded traffic.
However, study the recovery procedure for your device beforehand in case you soft-brick it.
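As an added example (not config posted by anyone in this thread), here is what the two suggestions above look like in OpenWrt's UCI firewall syntax: the LAN zone with its input policy switched to REJECT plus explicit allow rules for the services the router itself must offer, and a forwarded-traffic rule that keeps one specific LAN device (the "cheap camera" case from the earlier reply) from reaching the WAN. It assumes the stock zone names `lan` and `wan`, that the router serves DHCP, DHCPv6 and DNS, that LuCI is on HTTPS and dropbear on port 22; the rule names and the camera's MAC address are placeholders I chose. One caveat the reply does not mention: with LAN input at REJECT the router must still accept ICMPv6 neighbour and router solicitations from LAN clients, otherwise IPv6 on the LAN silently stops working, so that rule is included too.

```uci
# /etc/config/firewall (excerpt), added example. Zone policy and rules for a
# LAN that carries untrusted clients. Rule names and the MAC are placeholders.

config zone
	option name 'lan'
	list network 'lan'
	# Stock value is ACCEPT; REJECT means only the rules below reach the router.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Services the router provides to LAN clients (router as DHCP/DHCPv6 server,
# resolver and admin host). Each rule names one protocol and port.
config rule
	option name 'Allow-LAN-DHCP'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DHCPv6'
	option src 'lan'
	option proto 'udp'
	option src_port '546'
	option dest_port '547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DNS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-HTTPS'
	option src 'lan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-SSH'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Neighbour discovery and ping; without this IPv6 on the LAN breaks.
config rule
	option name 'Allow-LAN-ICMPv6'
	option src 'lan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded-traffic filtering: a rule with both src and dest applies to
# traffic passing through the router, not to the router itself. Here one
# device, matched by MAC (placeholder), is kept off the WAN entirely.
config rule
	option name 'Block-Camera-WAN'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply it with `/etc/init.d/firewall reload` while you still have a working session, then check from a LAN client that a DHCP renewal, a DNS lookup and the LuCI login page all still work before you rely on it. Allowing HTTPS and SSH from untrusted clients only narrows the exposure to the login itself, so this is the point where a strong LuCI password and key-only dropbear matter; if the untrusted clients do not need to administer the router at all, drop those two rules or add `option src_ip` restricting them to your own machines.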
Thank you for your answers. I'm really happy to hear that it should be okay to start using the router right now.
@eduperez: thanks for answering all four questions. I'm pretty optimistic that in a few months I'll know enough about firewall configuration to eventually change it.
@dlakelan: sounds good, I don't use any services that would require allowing incoming traffic. Also, I only have two laptops connecting to this router and there is no need for limiting or controlling the traffic.
I will also keep in mind the advice about how to deal with untrusted devices. I would mention this user by name, but new users (such as me) can only mention two users... sorry.
I do not want to be a party pooper, but I see that everyone is very optimistic; I guess none of you have ever been hacked. I have learned that no wall is high enough, but if yours is higher than the neighbor's wall, they will jump the neighbor's wall. And OpenWrt is safer than others; its wall is a bit higher.
I think the point isn't that it's safe, but that out of the box it is usable with a good degree of safety. For me the real safety comes from the offline, off-site backup.
For its purpose the preconfigured firewall is pretty much secure, as many have stated here. However, when we talk about being hacked and insecurities, we first need to understand a couple of things.
The default firewall that runs on OpenWrt is an L3/L4 filter. It won't save you if you open a scam link in your browser or open a fishy attachment in your email. Likewise, it cannot prevent an attack that uses an open connection that was initiated from the LAN. It doesn't inspect for viruses, malware or injection-type attacks. It won't stop a brute-force attack on a weak password.
BCP38 is something that should primarily be applied at the edge of the ISP (or enterprise), to confirm that only legitimate source addresses from customers are allowed. Installing it on our OpenWrt router only helps to prevent an accidental (bad NAT) or malicious (infected router) spoofed IP; other than that, it won't save you if the packet arrives with a spoofed address.
A reasonable proportion of home routers will be similarly secure, as by default they will also not allow arbitrary connections into the LAN environment (as long as they don't have things like UPnP running).
The main threats in the home come from elsewhere -- either due to misbehaving devices connected to the LAN (TVs and IoT-style devices are major culprits), or, as the poster said above, because of bad user behaviour (clicking on links in spam and so on).
You can add things like BCP38, but compared to the kinds of threats you typically face in the home, they aren't going to lessen the attack surface all that much.
@tapper: BCP38 sounds very promising; I will have a closer look at it.
I understand that things like a firewall only offer limited protection and that there are many possible threats that could make it more or less pointless, as some users have pointed out.
I definitely don't think that as long as I have a good firewall I can do whatever I feel like.
Just one more question: I have just taken a quick look at the preconfigured firewall in LuCI and noticed the following lines:
This sounds like incoming traffic is allowed by default, or am I getting something wrong? Shouldn't the policy for input be something like "drop", "deny" or "reject"?
One user said incoming traffic is not allowed by default, and this is also the way I would like it to be.
As others have stated, the default firewall rules provide reasonable security. Keeping your router's firmware up to date by flashing new ROMs as they become available, not enabling UPnP or similar, along with making informed decisions about which ports to open (if any!) are wise strategies.
The greatest risks, in my opinion, come from outdated firmware/software, weak passwords, poor decisions on allowing outside access, and from internal hosts and their operators (phones, desktops, and IoT devices).
Yes, look at the zones below the "General Settings"; you'll find the WAN and LAN zones have their own "Input, Output, Forward" rules, and input from WAN is rejected or dropped by default, I believe.
It's the default policy.
Each interface/network is assigned to a specific firewall zone.
The default policy is applied when you add a new interface without a firewall zone assignment.
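To make the last three replies concrete, here is the skeleton of the stock /etc/config/firewall as an added example (not posted by anyone in the thread; it reflects the shipped defaults of the fw3-based releases, with the rule list cut down to one entry). The "General Settings" block the question quotes is the `config defaults` section, and its `input ACCEPT` only ever governs an interface that is not listed under any `config zone`; traffic from the Internet hits the `wan` zone's own `input REJECT` instead.

```uci
# Stock /etc/config/firewall, abbreviated. Added example, not from the thread.

# "General Settings" in LuCI. Only an interface that belongs to no zone
# below falls through to this policy; it is not the WAN policy.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: the 'lan' network may reach the router and pass through it.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: unsolicited traffic to the router is rejected and nothing is
# forwarded out of this zone into another, for both IPv4 (wan) and IPv6 (wan6).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding pair: LAN may open connections towards WAN. There is
# no wan->lan entry, so Internet hosts cannot reach LAN devices.
config forwarding
	option src 'lan'
	option dest 'wan'

# Narrow exceptions on WAN that the router needs to operate, one protocol
# and port each (the stock file has a few more of this shape).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
```

The practical consequence: if you later add a network (a guest Wi-Fi, a VLAN) and forget to put it in a zone, it inherits the permissive defaults rather than the WAN policy, which is a good reason to change `config defaults` to `input 'REJECT'` once you are comfortable editing the file.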