OpenWrt firewall configuration: /etc/config/firewall

OpenWrt's firewall management application, fw3, has three configuration mechanisms.

Configuration files:

  • /etc/firewall.user
  • /etc/config/firewall

Most of the information in this wiki focuses on the configuration files and their contents. The LuCI and UCI interfaces are user abstractions that ultimately modify the configuration files.

Administration

  • The main firewall configuration file is /etc/config/firewall; edit this file to modify the firewall settings
    • Create a backup of the firewall configuration before making changes
      • If a change causes the connection to the router to be lost, you will need to access it in failsafe mode to restore the backup
    • Once the settings have been changed and double-checked, reload the firewall with /etc/init.d/firewall reload
      • This is a simple shell script that calls fw3 reload and prints diagnostic information to the console while parsing the new firewall configuration. Check for errors!
  • Lines starting with # are comments and are not parsed
    • Comments are used to describe, explain, or quickly comment out a section
  • /etc/config/firewall covers a reasonable subset of the NetFilter rules, but not all of them
    • To provide more functionality, an include section was added to the UCI firewall configuration; it loads a file containing native iptables directives
      • This file is processed as a shell script, so any shell command can be added to it, but the focus is on using the netfilter subsystem by adding iptables commands
  • Use the fw3 firewall UCI configuration whenever possible

Web interface instructions

LuCI is a good mechanism for viewing and modifying the firewall configuration.

  • It is located under Network → Firewall and maps closely to the sections of the configuration file.
  • Modifying the firewall configuration this way takes longer, but it offers a higher level of organization than editing the configuration file.

Use the Save & Apply button to apply the changes and reload.

  • LuCI removes all comment (#) lines from /etc/config/firewall

Command-line instructions

UCI is a low-level abstraction over the configuration files and can be used remotely via SSH.

uci add firewall rule
uci set firewall.@rule[-1].name='Reject VPN to LAN traffic'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart

Show the firewall configuration:

# uci show firewall
firewall.@rule[20]=rule
firewall.@rule[20].name='Reject VPN to LAN traffic'
firewall.@rule[20].src='vpn'
firewall.@rule[20].dest='lan'
firewall.@rule[20].proto='all'
firewall.@rule[20].target='REJECT'
...

UCI is useful for viewing the firewall configuration, but cannot make any meaningful modifications, for the following reasons:

  • Firewall rules need to be placed at a position in the rule array for them to work (similar to iptables -I)
  • uci cannot see the contents of the /etc/firewall.user script.
  • uci commit is needed to save the changes, but /etc/init.d/firewall reload is still required to load the new tables.

Configuration sections

The following is an overview of the section types that may be defined in the firewall configuration.

  • The minimal firewall configuration for a router usually consists of one defaults section, at least two zones (lan and wan), and one forwarding to allow traffic from lan to wan
    • When there are no more than two zones, the forwarding section is not strictly required, since the rules can be set as the "global default" for that zone.

Defaults

The defaults section declares global firewall settings that do not belong to a specific zone.

config defaults
	option	input			'ACCEPT'
	option	output			'ACCEPT'
	option	forward			'REJECT'
	option	custom_chains		'1'
	option	drop_invalid		'1'
	option	syn_flood		'1'
	option	synflood_burst		'50'
	option	synflood_protect	'1'
	option	tcp_ecn			'1'
	option	tcp_syncookies		'1'
	option	tcp_window_scaling	'1'

Options

  • input (string; optional; default: REJECT): Set the policy for the INPUT chain of the filter table.
  • forward (string; optional; default: REJECT): Set the policy for the FORWARD chain of the filter table.
  • output (string; optional; default: REJECT): Set the policy for the OUTPUT chain of the filter table.
  • drop_invalid (boolean; optional; default: 0): Drop invalid packets (e.g. not matching any active connection).
  • syn_flood (boolean; optional; default: 0): Enable SYN flood protection (https://en.wikipedia.org/wiki/SYN_flood); obsoleted by the synflood_protect setting.
  • synflood_protect (boolean; optional; default: 0): Enable SYN flood protection (https://en.wikipedia.org/wiki/SYN_flood).
  • synflood_rate (string; optional; default: 25): Set the rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
  • synflood_burst (string; optional; default: 50): Set the burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.
  • tcp_syncookies (boolean; optional; default: 1): Enable the use of SYN cookies (https://en.wikipedia.org/wiki/SYN_cookies).
  • tcp_ecn (boolean; optional; default: 0): Enable/disable Explicit Congestion Notification. Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • tcp_window_scaling (boolean; optional; default: 1): Enable TCP window scaling.
  • accept_redirects (boolean; optional; default: 0): Accept redirects. Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • accept_source_route (boolean; optional; default: 0): Implemented upstream in the Linux kernel; see ip-sysctl.txt.
  • custom_chains (boolean; optional; default: 1): Enable generation of custom rule chain hooks for user-generated rules. User rules are typically stored in firewall.user, but some packages, e.g. BCP38, also make use of these hooks.
  • disable_ipv6 (boolean; optional; default: 0): Disable IPv6 firewall rules.
  • flow_offloading (boolean; optional; default: 0): Enable software flow offloading for connections (decreases CPU load / increases routing throughput).
  • flow_offloading_hw (boolean; optional; default: 0): Enable hardware flow offloading for connections (depends on flow_offloading and hardware capability).
  • tcp_reject_code (reject_code; optional; default: 0): Defined in firewall3/options.h. Seems to determine the method of packet rejection (TCP reset, or drop, vs. ICMP destination unreachable, or closed).
  • any_reject_code (reject_code; optional; default: 1): Defined in firewall3/options.h. Seems to determine the method of packet rejection (TCP reset, or drop, vs. ICMP destination unreachable, or closed).
  • auto_helper (bool; optional; default: 1): Enable conntrack helpers.

Zones

A zone section groups one or more network interfaces together to serve as the source or destination for forwardings, rules and redirects.

config zone
	option	name		'wan'
	option	network		'wan wan6'
	option	input		'REJECT'
	option	output		'ACCEPT'
	option	forward		'REJECT'
	option	masq		'1'
	option	mtu_fix		'1'

  • MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface.

  • INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.

  • OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.

  • FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging to the same zone.

Options

  • name (zone name; required): Unique zone name. 11 characters is the maximum working firewall zone name length.
  • network (list; optional; no default): List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks. Use list syntax.
  • masq (boolean; optional; default: 0): Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone.
  • masq_src (list of subnets; optional; default: 0.0.0.0/0): Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  • masq_dest (list of subnets; optional; default: 0.0.0.0/0): Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
  • masq_allow_invalid (boolean; optional; default: 0): Do not add DROP INVALID rules if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see the commit in firewall3).
  • mtu_fix (boolean; optional; default: 0): Enable MSS clamping for outgoing zone traffic.
  • input (string; optional; default: DROP): Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.
  • forward (string; optional; default: DROP): Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.
  • output (string; optional; default: DROP): Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.
  • family (string; optional; default: any): The protocol family (ipv4, ipv6 or any) these iptables rules are for. Defaults to any, but automatically degrades to ipv4 or ipv6 if the respective addresses are listed in the same section.
  • log (int; optional; default: 0): Bit field to enable logging in the filter and/or mangle tables; bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae)
  • log_limit (string; optional; default: 10/minute): Limits the number of log messages per interval.
  • device (list; optional; no default): List of L3 network interface names attached to this zone, e.g. tun+ or ppp+ to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support, such as OpenVPN. Otherwise network is preferable and device should be avoided.
  • subnet (list; optional; no default): List of IP subnets attached to this zone.
  • extra (string; optional; no default): Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here; in that case the extra_src and extra_dest options should be used instead.
  • extra_src (string; optional; default: value of extra): Extra arguments passed directly to iptables for source classification rules.
  • extra_dest (string; optional; default: value of extra): Extra arguments passed directly to iptables for destination classification rules.
  • custom_chains (bool; optional; default: 1): Enable generation of custom rule chain hooks for user-generated rules. Has no effect if disabled (0) in the defaults section (see above).
  • enabled (bool; optional; default: yes): If set to 0, the zone is disabled.
  • auto_helper (bool; optional; default: 1 for non-masq zones): Add CT helpers for the zone.
  • helper (cthelper; optional; no default): List of helpers to add to the zone.

Forwardings

The forwarding section controls forwarding between zones, and may enable MSS clamping for specific directions.

config forwarding
	option	src    'lan'
	option	dest   'wan'

A forwarding rule covers only one direction. To allow bidirectional traffic between two zones, two forwarding sections are needed.

  • name (forward name; optional; no default): Unique forwarding name.
  • src (zone name; required): Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is 'wan'.
  • dest (zone name; required): Specifies the traffic destination zone. Refers to one of the defined zone names.
  • mtu_fix (boolean; optional; default: 0): Enable MSS clamping for traffic flowing from the source zone to the destination zone (deprecated and moved to zone sections in 8.09.2+).
  • family (string; optional; default: any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
  • enabled (bool; optional; default: yes): If set to 0, the forwarding is disabled.

Rules

A rule section defines basic accept, drop or reject rules to allow or restrict access to specific ports or hosts.

config rule
	option	name		'Reject LAN to WAN for custom IP'
	option	src		'lan'
	option	src_ip		'192.168.1.2'
	option	src_mac		'00:11:22:33:44:55'
	option	src_port	'80'
	option	dest		'wan'
	option	dest_ip		'194.25.2.129'
	option	dest_port	'120'
	option	proto		'tcp'
	option	target		'REJECT'

  • In fw3, src and dest determine which kind of traffic the target applies to:

    • If both src and dest are given, the rule matches forwarded traffic

    • If only src is given, the rule matches incoming traffic

    • If only dest is given, the rule matches outgoing traffic

    • If neither src nor dest is given, the rule matches outgoing traffic

  • Port ranges are specified as start:stop, e.g. 6666:6670 (similar to iptables syntax)

Options

  • name (string; optional; no default): Name of the rule.
  • src (zone name; optional; no default): Specifies the traffic source zone. Refers to one of the defined zone names, or * for any zone. If omitted, the rule applies to output traffic.
  • src_ip (ip address; optional; no default): Match incoming traffic from the specified source IP address.
  • src_mac (mac address; optional; no default): Match incoming traffic from the specified MAC address.
  • src_port (port or range; optional; no default): Match incoming traffic from the specified source port or port range, if the relevant proto is specified. Multiple ports can be specified like '80 443 465'.
  • proto (protocol name or number; optional; default: tcp udp): Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
  • icmp_type (list of type names or numbers; optional; default: any): For protocol icmp, select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below).
  • dest (zone name; optional; no default): Specifies the traffic destination zone. Refers to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as an input rule.
  • dest_ip (ip address; optional; no default): Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule!
  • dest_port (port or range; optional; no default): Match incoming traffic directed at the given destination port or port range, if the relevant proto is specified. Multiple ports can be specified like '80 443 465'.
  • ipset (string; optional; no default): If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. If neither src nor dest is added, src is assumed.
  • mark (mark/mask; optional; no default): If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.
  • start_date (date, yyyy-mm-dd; optional; default: always): If specified, only match traffic after the given date (inclusive).
  • stop_date (date, yyyy-mm-dd; optional; default: always): If specified, only match traffic before the given date (inclusive).
  • start_time (time, hh:mm:ss; optional; default: always): If specified, only match traffic after the given time of day (inclusive).
  • stop_time (time, hh:mm:ss; optional; default: always): If specified, only match traffic before the given time of day (inclusive).
  • weekdays (list of weekdays; optional; default: always): If specified, only match traffic during the given weekdays, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match except on Saturdays and Sundays.
  • monthdays (list of dates; optional; default: always): If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match except on the 31st of the month.
  • utc_time (boolean; optional; default: 0): Treat all given time values as UTC time instead of local time.
  • target (string; required; default: DROP): Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic.
  • set_mark (mark/mask; required for target MARK; no default): Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
  • set_xmark: Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.
  • family (string; optional; default: any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 or ipv6 if the respective addresses are listed in the same section.
  • limit (string; optional; no default): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m.
  • limit_burst (integer; optional; default: 5): Maximum initial number of packets to match, allowing a short-term average above limit.
  • extra (string; optional; no default): Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec.
  • enabled (boolean; optional; default: yes): Enable or disable the rule.
  • device (string; optional): FIXME (undocumented in the source).
  • direction (direction; optional): FIXME (undocumented in the source; direction_out).
  • set_helper (cthelper; optional; default: FIXME): FIXME (undocumented in the source).
  • helper (cthelper; optional): FIXME (undocumented in the source).

ICMP name types

address-mask-reply          host-redirect          pong                     time-exceeded
address-mask-request        host-unknown           port-unreachable         timestamp-reply
any                         host-unreachable       precedence-cutoff        timestamp-request
communication-prohibited    ip-header-bad          protocol-unreachable     TOS-host-redirect
destination-unreachable     network-prohibited     redirect                 TOS-host-unreachable
echo-reply                  network-redirect       required-option-missing  TOS-network-redirect
echo-request                network-unknown        router-advertisement     TOS-network-unreachable
fragmentation-needed        network-unreachable    router-solicitation      ttl-exceeded
host-precedence-violation   parameter-problem      source-quench            ttl-zero-during-reassembly
host-prohibited             ping                   source-route-failed      ttl-zero-during-transit

Redirects

Port forwarding (DNAT) is defined by redirect sections. Port redirects are also commonly called "port forwarding" or "virtual servers".

  • All incoming traffic on the specified source zone that matches the given rule is directed to the specified internal host.
  • Port ranges are specified as start:stop, e.g. 6666:6670 (similar to iptables syntax)

Destination NAT

config redirect
	option	name		'DNAT WAN to LAN for SSH'
	option	src		'wan'
	option	src_dport	'19900'
	option	dest		'lan'
	option	dest_ip		'192.168.1.1'
	option	dest_port	'22'
	option	proto		'tcp'
	option	target		'DNAT'

If src_dport is not included in the config section, packets arriving on any port that match the other configuration options are forwarded to the destination port specified in that section. This can pose a security risk to the application running on the destination port. One way to test for this is to use Gibson Research Corporation's ShieldsUP! service and probe the port in question on the router. The response can be open, closed, or stealth (drop). When a port is open or closed, the packet reaches the target host and an acknowledgment/reply packet is sent back. A stealth port drops the packet; from the perspective of the probing system (Gibson Research), it cannot know for certain whether those packets reached the target host.
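The missing-src_dport case above can be caught before a config is loaded. The following is an added example, not from the OpenWrt wiki or the fw3 project: a POSIX shell/awk audit that reads text in /etc/config/firewall syntax and names every redirect that DNATs (explicitly, or by fw3's default target) without a src_dport restriction. The sample config embedded in it is constructed for illustration.

```shell
# Constructed sample in /etc/config/firewall syntax; on a router you would pass
# "$(cat /etc/config/firewall)" to the function instead.
SAMPLE_CONFIG="
config redirect
	option name 'DNAT WAN to LAN for SSH'
	option src 'wan'
	option src_dport '19900'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'Web server (no src_dport)'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '80'
	option proto 'tcp'

config redirect
	option name 'SNAT DMZ to WAN'
	option src 'dmz'
	option src_dip '1.2.3.4'
	option dest 'wan'
	option proto 'icmp'
	option target 'SNAT'
"

# find_wide_open_dnat CONFIG_TEXT
# Prints, one per line, the name of every redirect section whose target is DNAT
# (explicit, or the fw3 default when target is omitted) and which has no
# src_dport, i.e. traffic arriving on *any* port is forwarded to dest_port.
find_wide_open_dnat() {
    # tr strips the UCI value quotes so awk sees bare fields
    printf '%s\n' "$1" | tr -d "'\"" | awk '
        function report() {
            if (redirect && target == "DNAT" && src_dport == "")
                print name
        }
        $1 == "config" {
            report()                      # finish the previous section
            redirect = ($2 == "redirect")
            name = "(unnamed)"; target = "DNAT"; src_dport = ""
        }
        $1 == "option" && redirect {
            # the value is everything after the option name (names may contain spaces)
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i
            if ($2 == "name")           name = val
            else if ($2 == "target")    target = val
            else if ($2 == "src_dport") src_dport = val
        }
        END { report() }                  # finish the last section
    '
}

find_wide_open_dnat "$SAMPLE_CONFIG"
```

Only the second section is reported: the first restricts src_dport and the third is SNAT.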

Source NAT

Masquerading is the most common form of SNAT; it changes the source of traffic leaving via the WAN to the router's public IP. SNAT can also be configured manually:

config redirect
	option	name		'SNAT DMZ 192.168.1.250 to WAN 1.2.3.4 for ICMP'
	option	src		'dmz'
	option	src_ip		'192.168.1.250'
	option	src_dip		'1.2.3.4'
	option	dest		'wan'
	option	proto		'icmp'
	option	target		'SNAT'

Options

See also: List of SNAT options @ OpenWrt SNAPSHOT

  • name (string; optional): Name of the redirect.
  • src (zone name; required for DNAT target; no default): Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is wan.
  • src_ip (ip address; optional; no default): Match incoming traffic from the specified source IP address.
  • src_dip (ip address; required for SNAT target; no default): For DNAT, match incoming traffic directed at the given destination IP address. For SNAT, rewrite the source address to the given address.
  • src_mac (mac address; optional; no default): Match incoming traffic from the specified MAC address.
  • src_port (port or range; optional; no default): Match incoming traffic originating from the given source port or port range on the client host.
  • src_dport (port or range; optional; no default): For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrite the source ports to the given value.
  • proto (protocol name or number; optional; default: tcp udp): Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
  • dest (zone name; required for SNAT target; no default): Specifies the traffic destination zone. Refers to one of the defined zone names. Irrelevant for the DNAT target.
  • dest_ip (ip address; optional; no default): For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT, if dest_ip is not specified, the rule is translated into an iptables REDIRECT rule, otherwise into an iptables DNAT rule.
  • dest_port (port or range; optional; no default): For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with rules (see the Rules section).
  • ipset (string; optional; no default): If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark.
  • mark (string; optional; no default): If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.
  • start_date (date, yyyy-mm-dd; optional; default: always): If specified, only match traffic after the given date (inclusive).
  • stop_date (date, yyyy-mm-dd; optional; default: always): If specified, only match traffic before the given date (inclusive).
  • start_time (time, hh:mm:ss; optional; default: always): If specified, only match traffic after the given time of day (inclusive).
  • stop_time (time, hh:mm:ss; optional; default: always): If specified, only match traffic before the given time of day (inclusive).
  • weekdays (list of weekdays; optional; default: always): If specified, only match traffic during the given weekdays, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match except on Saturdays and Sundays.
  • monthdays (list of dates; optional; default: always): If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on the 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match except on the 31st of the month.
  • utc_time (boolean; optional; default: 0): Treat all given time values as UTC time instead of local time.
  • target (string; optional; default: DNAT): NAT target (DNAT or SNAT) to use when generating the rule.
  • family (string; optional; default: any): Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 since IPv6 DNAT is not supported by fw3.
  • reflection (boolean; optional; default: 1): Activate NAT reflection for this redirect; applicable to DNAT targets.
  • reflection_src (string; optional; default: internal): The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface's address to use. Applicable to DNAT targets.
  • limit (string; optional; no default): Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.
  • limit_burst (integer; optional; default: 5): Maximum initial number of packets to match, allowing a short-term average above limit.
  • enabled (string; optional; default: 1 or yes): Enable the redirect rule or not.
  • helper (cthelper; optional): FIXME (undocumented in the source).

IP sets

See also: fw3 IP set examples

fw3 supports referencing or creating IP sets to simplify matching of large address or port lists, without having to create one rule per item.

Note: this needs the kmod-ipt-ipset kernel module installed.

Options

  • enabled (boolean; optional; default: 1): Allows disabling the declaration of the ipset without the need to delete the section.
  • external (string; optional; no default): If the external option is set to a name, the firewall simply references an already existing ipset of that name. If external is unset, the firewall creates the ipset on start and destroys it on stop.
  • name (string; required if external is unset, optional if external is set; default: none if external is unset, the value of external if it is set): Specifies the firewall-internal name of the ipset, which is used to reference the set in rules or redirects.
  • family (string; optional; default: ipv4): Protocol family (ipv4 or ipv6) to create the ipset for. Only applicable to the storage types hash and list; the bitmap type implies ipv4.
  • storage (string; optional; default: varies): Specifies the storage method (bitmap, hash or list) used by the ipset; the default varies depending on the datatypes used (see the match option below). In most cases the storage method can be inferred automatically from the datatype combination, but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip).
  • match (list of direction/type tuples; required; no default): Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port").
  • iprange (IP range; required for storage type bitmap with datatype ip; no default): Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type.
  • portrange (port range; required for storage type bitmap with datatype port; no default): Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type.
  • netmask (integer; optional; default: 32): If specified, network addresses are stored in the set instead of IP host addresses. The value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip.
  • maxelem (integer; optional; default: 65536): Limits the number of items that can be added to the set; only applicable to the hash and list storage types.
  • hashsize (integer; optional; default: 1024): Specifies the initial hash size of the set; only applicable to the hash storage type.
  • timeout (integer; optional; default: 0): Specifies the default timeout for entries added to the set. A value of 0 means no timeout.
  • entry (setentry; optional; default: FIXME): FIXME (undocumented in the source).
  • loadfile (string; optional): FIXME (undocumented in the source).

Storage / Match Options

The order of the datatypes in the match option is significant.

  Family  Storage  Match        Notes
  ipv4    bitmap   ip           Requires the iprange option
  ipv4    bitmap   ip mac       Requires the iprange option
  ipv4    bitmap   port         Requires the portrange option
  any     hash     ip           -
  any     hash     net          -
  any     hash     ip port      -
  any     hash     net port     -
  any     hash     ip port ip   -
  any     hash     ip port net  -
  -       list     set          Meta type to create a set-of-sets

Includes

Used to add custom firewall scripts.

config include
	option	path		'/etc/firewall.user'

  • The /etc/firewall.user script is empty by default.

Options

  • enabled (boolean; optional; default: 1): Allows disabling the corresponding include without having to delete the section.
  • type (string; optional; default: script): Specifies the type of the include; can be script for traditional shell script includes or restore for plain files in iptables-restore format.
  • path (file name; required; default: /etc/firewall.user): Specifies a shell script to execute on boot or firewall restarts.
  • family (string; optional; default: any): Specifies the address family (ipv4, ipv6 or any) for which the include is called.
  • reload (boolean; optional; default: 0): Specifies whether the include should be called on reload; this is only needed if the include injects rules into internal chains.

Includes of type script may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping.

  • Since custom iptables rules are more specific than the generic ones, you must make sure to use -I (insert) instead of -A (append), so that the rules appear before the default rules.
  • If a rule already exists in iptables, it is not re-added. A plain iptables -I or -A would add duplicate rules.
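An added example, not from the OpenWrt wiki or the fw3 project, of keeping an /etc/firewall.user include safe to re-run: the helper checks with iptables -C before inserting with -I, so firewall restarts do not stack duplicate copies of a rule, and -I keeps the custom rule ahead of fw3's generic ones. The chain names, addresses and ports are constructed for illustration.

```shell
# insert_once CHAIN RULE-SPEC...
# Inserts the rule at the head of CHAIN (-I, so it takes effect before fw3's
# generic rules) unless an identical rule is already present in that chain.
insert_once() {
    chain=$1
    shift
    # iptables -C exits 0 only if a rule with exactly this spec exists
    if iptables -C "$chain" "$@" 2>/dev/null; then
        return 0    # already there: do not add a duplicate
    fi
    iptables -I "$chain" "$@"
}

# What /etc/firewall.user would call (constructed rules): allow SSH to the
# router from one management host, and allow forwarded HTTPS to one internal
# host. Running this twice leaves exactly two rules, not four.
apply_custom_rules() {
    insert_once INPUT   -p tcp --dport 22  -s 192.168.1.2   -j ACCEPT
    insert_once FORWARD -p tcp --dport 443 -d 192.168.1.250 -j ACCEPT
}
```

In /etc/firewall.user, call apply_custom_rules at the end of the file; fw3 runs the include on every start and restart.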

Example

Here is an example of an /etc/firewall.user script that allows CloudFlare.com to access the HTTP (80) and HTTPS (443) ports. Use it if your uhttpd is hidden behind the CF proxy.

# Fetch the published Cloudflare IPv4 ranges; replace ips-v4 with ips-v6 if needed
for ip in $(wget -qO- http://www.cloudflare.com/ips-v4); do
  # -I so the rule is placed ahead of fw3's generic INPUT rules
  iptables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT
done

NOTE: The example uses HTTP to get the list of IPs. Using HTTP makes us vulnerable to MITM attacks. To use the more secure HTTPS and avoid MITM risks, we need to install ca-certs.
