i have read a lot about firewall zones in the last days, but i'm still not 100% sure if i have understood the concept correctly.
i have a d-link dwr921 c1 lte router and wwan is part of my wan zone.
this is my firewall setup (i have done no changes to the default settings):
General settings
Input : accept
Output: accept
Forward : reject
Zones:
lan: Zone Forwarding lan -> wan / Input accept / Output accept / Forward accept
wan: Zone Forwarding wan -> reject / Input reject / Output accept / Forward reject
so in the case my computer has a wireless lan connection to the router and i want to open a website, i see two possible scenarios:
data is sent from my computer to the router and first goes into the lan zone. it is recognized that the data's destination is the internet and therefore a forwarding to the wan zone is taking place. from the wan zone, the traffic is sent out to the internet (since output policy of the wan zone is accept). the requested informations go back to the router and are sent to my computer without re-entering the lan zone.
data is sent from my computer to the router and goes directly into the wan zone. rest is like the last two sentences in 1)
so which one is correct? or am i totally wrong and something else is the case?
keep in mind i'm talking about "normal" web browsing and no stuff like ssh.
Zone concept is an abstraction above chain concept, you can read something about iptables to understand it better.
The first way is pretty close to the default ruleset result if you take into account RELATED and ESTABLISHED connections.
From this point of view there's no much difference between HTTP/HTTPS and SSH assuming that destination is a host in the wan zone.
Packet enters your router's LAN zone interface LAN. It is examined and router understands that it has to be forwarded to WAN. Forwarding from LAN to WAN is accepted so the packet is sent out of wwan interface.
Wrong, the OUTPUT policy applies to packets originating from the router itself, like when you do a ping from the router or download a package with opkg.
Replies coming back to your PC are automatically allowed as previously established connections.
CORRECT...except WAN output policy part (@trendy's explanation of WAN output is correct) . The LAN WiFi packet goes to WAN because Forward was permitted to WAN. The output setting on WAN is for the WAN interface output only.
so the packet actually has to go through the firewall's wan-zone to be able to be sent through the wwan-interface (which belongs to the wan zone)?
also, is it correct that the "input: accept" setting of the lan-zone is only relevant when i try to reach the router itself (e.g. by issuing "ssh root@192.168.1.1" in a terminal after connecting the router to a pc via network cable)?
Yes, more or less. It's different forward when traversing different zones and when traversing interfaces of the same zone. First has to be explicitly allowed, the second is the forward option for each zone next to input and output.
Correct! Any connection destined to the router itself is looked up in the input rules.
okay, but since the forward policy of my wan-zone is "reject", this can only mean that the informations go directly to the wwan interface after/while entering the wan-zone, right?
the d-link dwr921 also has a "classic" wan-port (additionally to the lte modem i believe). if this wan-port was active and/or the data would go over it in some way to reach the wwan interface, forward policy of the wan-zone would have to be "accept" (since it would be forward from two interfaces in the same zone). is this what you meant?
The best way to understand the zone concept is as a set of input ports... LAN zone is the set of ways that packets can come in or out from your LAN (so, some ethernet ports, and some Wifi SSIDs). The WAN zone is a set of ways that packets can go in and out of your internet connection.... wan ethernet ports, wwan SSID clients etc.
When a packet arrives at your router it's assigned a zone based on where it was received. If it needs to be forwarded, it's decided whether it can forward based on whether there is forwarding allowed between the zone it arrived in, and the zone it needs to leave from.
When packets arrive as replies to existing connections, they are allowed through... So if you initiate a connection from your LAN, the return packets are allowed to forward even though in general forwarding from WAN to LAN may be disallowed.
Forward policy in a zone describes what should be the default action for packets traversing interfaces of the same zone. So in your example if a packet ever came from wan interface and was supposed to exit wwan interface, then it would be rejected. This will never happen in WAN, since no sane ISP will use you as a router to forward its traffic.
But it is easier to understand the consept if you have LAN zone and lan1 and lan2 interfaces. There an ACCEPT policy makes sense, to allow traffic between the 2 interfaces of the same zone.
