I'd like to know what the strictest firewall rule would be, assuming a vanilla OpenWrt 21.02 install and a very minimalist setup. A brief overview presented below:
I've read the default firewall rules, and I understand that the general default rule is to accept incoming and outgoing connection from zones, then reject forwarding.
In release 21.02, there are 3 zones defined: lan, br-lan, and wan
Further, two forwarding rules are defined:
accept incoming and outgoing traffic to wan, and drop forwards
reject all incoming and forwards from wan, and only allow outgoing (this in my understanding means that the router itself will be able to make internet connections, is this correct?)
Our setup is as follows: a router connected to a modem (modem is in full bridge mode) via PPPoE. And router connects to devices on the LAN only through wired ethernet.
Assuming, we remove all existing "traffic rules," what would be the strictest firewall rule possible? Assuming both a hostile WAN, and a potentially untrustworthy LAN (hence strict rules for LAN should also apply).
Thanks in advance.
EDIT: Naturally, the theoretical strictest would be to drop all packets in all zones. However, to clarify, the strictest firewall setting in this case should still allow the wired LAN device to access the internet via a browser (though no requirement for port forwarding/remote access/etc).
I should likely add, "the strictest possible firewall rule, while still able to browse the internet through a browser." Though nothing fancy like gaming, or any additional things which may require port forwarding/remote access/etc.
And sure, got you re ICMPv6, however, concern here is on the tighest firewall security. If that comes at the expense of iPv6, then losing iPv6 is perfectly fine.
The threat is I don't want anyone from the internet being able to access my router or any device in the LAN. Additionally, while I've taken steps to lockdown my modem and disable all Internet facing services, I still view it as an device with potential loopholes and backdoors (as with most ISP provided equipment), hence the router and other LAN devices should be shielded and isolated as much as possible.
This is of course not designed to protect against 3 letter agency threats (in which case one would likely not be using OpenWrt), but rather from targetted attacks from motivated crackers looking to exploit misconfigs and vulnerabilities.
The default firewall rules drop all unsolicited connections from the wan, except for things like ping and a few other necessities like icmpv6.
You generally don’t need to do anything more unless you have very specific threats to mitigate (often from inside your network, like malware on your computer or untrusted devices on the internal network).
Good point, what should I be looking at with regards to preventing threats from the LAN - both in terms of protecting the router and also other devices on the LAN?
If you have devices that you don't trust, consider creating a separate network/VLAN for them. You can then drop/reject all traffic from that network that would attempt to connect to your more sensitive/trusted devices and you can also restrict access to the router itself (often you want to allow DHCP and DNS, but you can block everything else). With respect to the different networks, you can make it possible for your trusted network to initiate connections to the untrusted one(s), but not the other way around. You can even prevent those things from reaching the internet if you want.
On your trusted networks, you could still prevent router access, and instead make specific management network, or limit router access to one or more allowed IP addresses on your LAN (dropping all else).
Beyond that, if you are worried about malware or other 'phone home' things that might be happening with your devices, you often need to know what they are doing so you can block those connections without breaking general functionality. However, using a PiHole or other DNS filtering techniques can target specific domains to prevent devices from accessing specific domains.
All of that said, these are general steps you can take -- but beyond that, you need to understand the nature of the threats that are of concern to craft specific mitigation measures. Sometimes certain core functions of a device/service will break when you try to restrict connectivity. As such, fine-grained security becomes a balancing act to maintain functionality and convenience (as well as ease of maintenance) while still securing against specific threats.
Thank you for the in-depth response, I'm certainly looking at VLANs for isolating devices on the LAN. However, with regards to the modem itself, is there any way where I can restrict/control any incoming connections from the modem?
The modem itself is firewalled to prevent access to it, both on the LAN and WAN. However, since it's an ISP provided device, it likely contains backdoors (my specific one, a HG8145V5 is known to contain a yet unpatched RCE vulnerability). Hence, I'm wondering what I could do to prevent a vulnerable modem potentially going rogue on my network (since my ISP doesn't allow me to replace the device - best I can do is bridge it). While I've done my best to disable all internet facing services (i.e. VOIP, TR-069, etc), I can't be 100% certain it's not phoning home, or has some other means to communicate over the internet.
Since your modem is on the wan of your openwrt router, you don’t need to do anything else to secure your networks. On the modem itself, aside from the controls that are exposed to the user, there is nothing more you can do to secure that device from the isp or otherwise. Hopefully your isp has appropriate protections on their network with respect to the administrative access they may have to certain modem functions. But regardless, your openwrt router, assuming the default firewall as active (and/or that your changes are correctly implemented), will protect your network. That is all you can really do or control.
Sounds good, thank you for validating that. A more general question, how hardened is OpenWrt to threats from the internet? i.e. it's likely not sufficient in an enterprise environment (and of course it's not catered to the enterprise or even SMB crowd anyway). However, will it hold up against targeted attacks, or would you recommend still supplementing it with dedicated firewalls such as pfSense/IPFire?
The advice on this thread is good, but you should look into iptables rules if
you want to understand how the LuCi wep app actually works.
LuCi creates ipv4 and ipv6 netfilter rules. The userspace tools for configuring netfilter rules are called iptables and ip6tables. The iptablesman pages are a good resource.
The following rules might be helpful for learning purposes. If you want to use
them, you can put them in /etc/firewall.user but that is not recommended.
It is very easy to make a mistake and leave your router with no security.
ipv4 rules
# set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# clear all existing rules (but not default policies)
iptables -F
iptables -X
iptables -Z
# allow communications from internet in cases where the communication was
# initiated internally
iptables -A INPUT -i wan -m conntrack --cstate ESTABLISHED -j ACCEPT
# allow br-lan to talk to the router (for ssh, etc.)
iptables -A INPUT -i br-lan -j ACCEPT
# allow br-lan to talk to the interet, and the internet to respond
iptables -A FORWARD -i br-lan -o wan -j ACCEPT
iptables -A FORWARD -i wan -o br-lan -m conntrack --cstate ESTABLISHED -j ACCEPT
# allow lan to talk to the internet, and the internet to respond
iptables -A FORWARD -i lan -o wan -j ACCEPT
iptables -A FORWARD -i wan -o lan -m conntrack --cstate ESTABLISHED -j ACCEPT
# allow multiple internal ip addresses to share the single internet-facing ip
iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
# these rules are superfluous given the default policies, but are a measure of
# safety in case you accidentally reset your default policies
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
ipv6 rules
# block ipv6
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X
ip6tables -Z
# disable ipv6 in the kernel
# this will be overwritten if services (such as dnsmasq) use ipv6
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1