The right way to block a port on LUCI

If I want to block TCP port 135, both incoming and outgoing, what's the simplest way of doing it on LUCI?

[Openwrt terms (forwarding! forward! input! output!) are confusing like hell, I've read all about them but still. So don't give me links to read. I'm just gonna say "incoming and outgoing" and you know what I mean! It means any possible way you can imagine!]

(minor rant: moved here)

So which one is more fitting? The 1st or the 2nd or both?


I think you need three rules to block input, output and forward. If you don't like the way you configure rules then you might use Custom Rules with shell scripting and ip(6)tables, or you could replace the firewall with something else altogether.

You need to learn the concept of zones; it's what dictates your rules.

So if you're trying to block a client from establishing an outbound connection to port 135 (A client in your LAN to a server on the internet):
source zone: LAN, source port any, destination zone: WAN, destination port 135.

And in the other direction would be (covered by default for LAN/WAN in OpenWRT unless you explicitly allow it in another rule, or modify your default zone settings for Input/Output/Forward):
source zone: WAN, source port any, destination zone: LAN, destination port 135.

Regardless of what you choose to do, after you set up your firewall rules make sure to run a port scan (with nmap or another port scanning tool) to check if you've actually blocked traffic flow. Make sure to scan in both directions, from the client to the server and vice versa. Sometimes you don't need to initiate a full connection to cause damage; single packets can be enough.


Thanks for the detailed response. I have the simplest network, just lan and wan, so I should never worry about forwarding? But that amazing dinkie donkie called forwarding is active from LAN to WAN. :rage:

Also I think I can improve the rules you've given:

source zone: ANY, source port 135, destination zone: ANY, destination port ANY.
source zone: ANY, source port ANY, destination zone: ANY, destination port 135.

How good is it?

It's fine, if you don't use SMB/Active Directory on your LAN.
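As an added example (not from any poster in this thread), here are the same rules written as `/etc/config/firewall` stanzas, which is what LuCI saves to disk: the three rules the earlier reply describes (forward, input, output), with a comment showing how the "any zone" form from the later post maps onto them. The rule names are made up here; `lan` and `wan` are the default zone names, and the UCI rule options used are the standard OpenWrt ones.

```uci
# Added example, not from the thread. Drop into /etc/config/firewall and
# run: /etc/init.d/firewall restart

# 1. Forward chain: LAN clients may not open TCP 135 towards the internet.
#    Setting both src and dest to '*' instead gives the "ANY zone -> ANY zone"
#    variant proposed later in the thread.
config rule
	option name 'Block-135-Forward'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '135'
	option target 'REJECT'

# 2. Input chain: a rule with src but no dest applies to traffic addressed to
#    the router itself, from any zone ('*').
config rule
	option name 'Block-135-Input'
	option src '*'
	option proto 'tcp'
	option dest_port '135'
	option target 'REJECT'

# 3. Output chain: a rule with dest but no src applies to connections the
#    router itself initiates, towards any zone ('*').
config rule
	option name 'Block-135-Output'
	option dest '*'
	option proto 'tcp'
	option dest_port '135'
	option target 'REJECT'

# Unsolicited WAN -> LAN traffic on 135 is already refused by the default wan
# zone policy (input/forward REJECT), so no fourth rule is needed for it.
```

After restarting the firewall, verify as the earlier reply suggests: from a LAN host, `nmap -p 135 <router-ip>` must no longer report the port as open, and a scan from the WAN side should show the same. Use `DROP` instead of `REJECT` on the input rule if you prefer the router to stay silent to scanners on that port.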

I'm trying to lock down every Microsoft port you can see here. Except dns/dhcp.

Windows without Microsoft!

While we are at it, another question for you good sir!

There's a "match device" setting on advanced tab. Inbound and Outbound device... What's that?


Another question regarding the firewall, how would you block all ipv6 traffic?

This rule should be enough if the router considers itself another zone.

source zone: ANY, source port ANY, destination zone: ANY, destination port ANY.
(Advanced Tab - Restrict to address family: IPv6)

If it does not consider itself a zone then these should be added:

source zone: Device (Output), source port ANY, destination zone: ANY, destination port ANY.
source zone: ANY, source port ANY, destination zone: Device (Input), destination port ANY.

amiright?

Would you like to block IPv6 between two zones or from your router to a zone?

in all possible ways in any machine that I own

Blocking IPv6 on the router firewall will only block traffic to and from the internet. It won't prevent local machines from trying to reach each other by IPv6.

If it's the former you want to do then just disabling the wan6 interface should do it.

