[LEDE-DEV] firewall question
e9hack
e9hack at gmail.com
Fri Dec 15 00:24:33 PST 2017
Hi,
I did set-up a openvpn server on my router. /etc/config/network contains the interface definition:
config interface 'vpn'
option proto 'none'
option ifname 'tun1'
In /etc/config/firewall, I've the following definitions related to vpn, lan and wan:
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan_6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
option conntrack '1'
config zone
option name 'vpn'
option network 'vpn'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow OpenVPN Inbound on wan'
option src 'wan'
option proto 'tcpudp'
option dest_port '1194'
option extra '-m conntrack --ctstate NEW'
option target 'ACCEPT'
config forwarding
option src 'vpn'
option dest 'wan'
config rule
option name 'Block NetBios from vpn to wan'
option src 'vpn'
option dest 'wan'
list dest_port '135'
list dest_port '137-139'
list dest_port '445'
list dest_port '3389'
option proto 'tcpudp'
option target 'DROP'
This are not the complete firewall definitions, but it doesn't exist any other rule with the zone or network vpn.
I did not define any forwarding rule between vpn and lan. The lan ip range is 192.168.x.x. and a client, which is
connected to the openvpn server, gets an ip address from the range 10.8.y.y. From an openvpn client, I can access the
web interface of the router via 192.168.x.1. Why is this possible?
Regards,
Hartmut
More information about the Lede-dev
mailing list