[LEDE-DEV] firewall question

Eric Romano gelstudios at gmail.com
Fri Dec 15 09:03:37 PST 2017


The "input" option of your LAN zone is set to ACCEPT. This means that
any traffic to the interface ip address(es) of that zone will be
allowed unless otherwise blocked by a rule.

It's not obvious, but zone forwarding rules apply only to traffic forwarded
on behalf of clients on the network, not to traffic to and from the
router itself.

On Fri, Dec 15, 2017 at 3:24 AM, e9hack <e9hack at gmail.com> wrote:
> Hi,
>
> I did set up an openvpn server on my router. /etc/config/network contains the interface definition:
>
> config interface 'vpn'
>         option proto 'none'
>         option ifname 'tun1'
>
> In /etc/config/firewall, I've the following definitions related to vpn, lan and wan:
>
> config zone
>         option name 'lan'
>         list network 'lan'
>         option input 'ACCEPT'
>         option output 'ACCEPT'
>         option forward 'ACCEPT'
>
> config zone
>         option name 'wan'
>         list network 'wan'
>         list network 'wan_6'
>         option input 'DROP'
>         option output 'ACCEPT'
>         option forward 'DROP'
>         option masq '1'
>         option mtu_fix '1'
>         option conntrack '1'
>
> config zone
>         option name 'vpn'
>         option network 'vpn'
>         option input 'ACCEPT'
>         option forward 'REJECT'
>         option output 'ACCEPT'
>
> config forwarding
>         option src 'lan'
>         option dest 'wan'
>
> config rule
>         option name 'Allow OpenVPN Inbound on wan'
>         option src 'wan'
>         option proto 'tcpudp'
>         option dest_port '1194'
>         option extra '-m conntrack --ctstate NEW'
>         option target 'ACCEPT'
>
> config forwarding
>         option src 'vpn'
>         option dest 'wan'
>
> config rule
>         option name 'Block NetBios from vpn to wan'
>         option src 'vpn'
>         option dest 'wan'
>         list dest_port '135'
>         list dest_port '137-139'
>         list dest_port '445'
>         list dest_port '3389'
>         option proto 'tcpudp'
>         option target 'DROP'
>
> These are not the complete firewall definitions, but there is no other rule referencing the zone or network vpn.
>
> I did not define any forwarding rule between vpn and lan. The lan IP range is 192.168.x.x, and a client that is
> connected to the openvpn server gets an IP address from the range 10.8.y.y. From an openvpn client, I can access the
> web interface of the router via 192.168.x.1. Why is this possible?
>
> Regards,
> Hartmut
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
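The behaviour asked about above, worked through as an added example (this is not code from the thread, from LEDE/OpenWrt or from fw3): a small Python model of how fw3 reaches a verdict for a new packet. A packet from an OpenVPN client to 192.168.x.1 enters the router on tun1, so it is judged by the input policy of the zone that interface belongs to, the vpn zone, and that policy is ACCEPT; forwarding sections and the zone forward policy are consulted only for packets that pass through the router into another zone. That is why vpn-to-lan forwarding is rejected while the web interface on 192.168.x.1 still answers (the router's web server listens on all of its addresses by default). The model keeps fw3's rules-then-forwardings-then-policy order but ignores conntrack state, masq and the rule 'extra' option; the hardened variant, vpn zone input set to REJECT plus a single DNS allow rule, is an assumed policy choice, not something from the thread.

```python
# Added example, not code from the thread or from fw3 itself: a toy evaluator for
# the posted zone config that mirrors fw3's order for a NEW packet (user rules of
# the source zone, then forwarding sections, then the zone's default policy). The
# source zone is that of the ingress network; conntrack state, masq and the rule
# 'extra' option are deliberately ignored. The config below is a constructed,
# trimmed copy of the sections posted in the thread.
import copy
import shlex

POSTED_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'DROP'
    option forward 'DROP'

config zone
    option name 'vpn'
    option network 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'vpn'
    option dest 'wan'

config rule
    option name 'Block NetBios from vpn to wan'
    option src 'vpn'
    option dest 'wan'
    list dest_port '137-139'
    list dest_port '445'
    option proto 'tcpudp'
    option target 'DROP'
"""

def parse_uci(text):
    """Minimal UCI reader: one dict per 'config' section ('list' keys become lists)."""
    sections = []
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] == 'config':
            sections.append({'_type': parts[1]})
        elif parts[0] == 'option':
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == 'list':
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def as_list(value):
    return [] if value is None else [value] if isinstance(value, str) else value

def zone_of(sections, network):
    """The zone whose 'network' option or list names the ingress network."""
    for z in (s for s in sections if s['_type'] == 'zone'):
        if network in as_list(z.get('network')):
            return z
    raise KeyError(network)

def rule_matches(rule, src, dst_zone, proto, dport):
    if rule.get('src') != src or rule.get('dest') != dst_zone:
        return False
    protos = rule.get('proto', 'all').replace('tcpudp', 'tcp udp').split()
    if 'all' not in protos and proto not in protos:
        return False
    ranges = [p.partition('-') for p in as_list(rule.get('dest_port'))]
    return not ranges or any(int(lo) <= dport <= int(hi or lo) for lo, _, hi in ranges)

def decide(sections, src_network, dport, proto='tcp', dst_zone=None):
    """Verdict for a NEW packet arriving on src_network: dst_zone=None means it is
    addressed to the router itself (INPUT), otherwise it is forwarded into dst_zone."""
    zone = zone_of(sections, src_network)
    for r in (s for s in sections if s['_type'] == 'rule'):
        if rule_matches(r, zone['name'], dst_zone, proto, dport):
            return r['target']
    if dst_zone is None:
        return zone['input']  # forwarding sections never apply to router-bound traffic
    if any(s['_type'] == 'forwarding' and s['src'] == zone['name'] and s['dest'] == dst_zone
           for s in sections):
        return 'ACCEPT'
    return zone['forward']

def harden(sections):
    """Hardened variant (an assumed policy choice, not from the thread): the vpn
    zone rejects router-bound traffic by default and only DNS is let through."""
    out = copy.deepcopy(sections)
    zone_of(out, 'vpn')['input'] = 'REJECT'
    out.append({'_type': 'rule', 'name': 'Allow DNS from vpn', 'src': 'vpn',
                'proto': 'tcpudp', 'dest_port': '53', 'target': 'ACCEPT'})
    return out

if __name__ == '__main__':
    posted, hardened = parse_uci(POSTED_FIREWALL), harden(parse_uci(POSTED_FIREWALL))
    print('vpn->router:80 posted/hardened:', decide(posted, 'vpn', 80), decide(hardened, 'vpn', 80))
    print('vpn->lan:80 posted:', decide(posted, 'vpn', 80, dst_zone='lan'))
```

Run as a script it prints ACCEPT/REJECT for the router-bound case and REJECT for the forwarded one. On a real router the equivalent change is `option input 'REJECT'` in the vpn zone, followed by explicit `config rule` sections (src 'vpn', no dest) for the router services VPN clients are meant to reach, then `/etc/init.d/firewall reload`.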


