OpenWrt 防火墙配置 /etc/config/firewall

防火墙配置 /etc/config/firewall

OpenWrt 的防火墙管理应用fw3具有三种配置机制

配置文件：

• /etc/firewall.user
• /etc/config/firewall

本 wiki 中的大部分信息将集中在配置文件和内容上。LuCI 和 UCI 接口是用户抽象，最终修改配置文件。

管理

• 主要的防火墙配置文件是/etc/config/firewall，编辑此文件以修改防火墙设置
  • 在进行更改之前创建防火墙配置的备份
    • 如果更改导致与路由器的连接丢失，您需要在故障安全模式下访问它以恢复备份
  • 一旦设置被更改，并经过双重检查，通过/etc/init.d/firewall reload 重新加载防火墙
    • 这是一个简单的 shell 脚本，调用fw3 reload，并将在解析新的防火墙配置时将诊断信息打印到控制台。 检查错误！
• # 开头用于注释，不解析
  • 注释用于描述、解释或快速注释掉某个部分
• /etc/config/firewall涵盖了合理的NetFilter规则子集，但并非全部
  • 为了提供更多功能，UCI 防火墙配置中添加了一个include部分，用于加载包含本机 iptables 指令的文件
    • 这是作为 shell 脚本处理的，允许向其中添加任何 shell 命令，但重点是通过添加 iptables 命令来使用 netfilter 子系统
      • 用法见fw3配置示例
• 尽可能使用 fw3 防火墙 UCI 配置
  • 有一些场景iptables需要命令
    • 有关更多信息，请参阅OpenWrt 中的 Netfilter

Web interface instructions

LuCI是一种很好的查看和修改防火墙配置的机制。

• 它位于**网络 → 防火墙下，**并与配置文件部分紧密映射。
• 修改防火墙配置需要更长的时间，但比配置文件具有更高的组织级别。

使用Save & Apply按钮进行更改并重新加载。

• LuCI 将从中删除所有注释 [ #] 行/etc/config/firewall！

Command-line instructions

UCI是对配置文件的低级抽象，可以通过SSH远程访问。

uci add firewall rule
uci set firewall.@rule[-1].name='Reject VPN to LAN traffic'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart

显示防火墙配置：

# uci show firewall
firewall.@rule[20]=rule
firewall.@rule[20].name='Reject VPN to LAN traffic'
firewall.@rule[20].src='vpn'
firewall.@rule[20].dest='lan'
firewall.@rule[20].proto='all'
firewall.@rule[20].target='REJECT'
...

UCI对于查看防火墙配置很有用，但由于以下原因不能进行任何有意义的修改：

• 防火墙规则需要进入规则数组的位置以使其工作（类似于iptables -I）
• uci无法识别/etc/firewall.user脚本中的内容。
• uci commit需要保存更改，但仍需要/etc/init.d/firewall reload重新加载新表。

配置部分

以下是可能在防火墙配置中定义的部分类型的概述。

• 路由器的最小防火墙配置通常包括一个默认部分、至少两个区域（lan和wan）和一个转发以允许从lan到 的流量wan。
  • 当区域不超过两个时，转发部分不是严格要求的，因为可以将规则设置为该区域的“全局默认值”。

Defaults

该defaults部分声明了不属于特定区域的全局防火墙设置

config defaults
	option	input			'ACCEPT'
	option	output			'ACCEPT'
	option	forward			'REJECT'
	option	custom_chains		'1'
	option	drop_invalid		'1'
	option	syn_flood		'1'
	option	synflood_burst		'50'
	option	synflood_protect	'1'
	option	tcp_ecn			'1'
	option	tcp_syncookies		'1'
	option	tcp_window_scaling	'1'

Options

Name	Type	Required	Default	Description
input	string	no	REJECT	Set policy for the INPUT chain of the filter table.
forward	string	no	REJECT	Set policy for the FORWARD chain of the filter table.
output	string	no	REJECT	Set policy for the OUTPUT chain of the filter table.
drop_invalid	boolean	no	0	Drop invalid packets (e.g. not matching any active connection).
syn_flood	boolean	no	0	Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection (obsoleted by synflood_protect setting).
synflood_protect	boolean	no	0	Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection.
synflood_rate	string	no	25	Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
synflood_burst	string	no	50	Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.
tcp_syncookies	boolean	no	1	Enable the use of [SYN cookies](https://en.wikipedia.org/wiki/SYN cookies).
tcp_ecn	boolean	no	0	Enable/Disable Explicit Congestion Notification. Implemented upstream in Linux Kernel. See ip-sysctl.txt.
tcp_window_scaling	boolean	no	1	Enable TCP window scaling.
accept_redirects	boolean	no	0	Accepts redirects. Implemented upstream in Linux Kernel. See ip-sysctl.txt.
accept_source_route	boolean	no	0	Implemented upstream in Linux Kernel. See ip-sysctl.txt.
custom_chains	boolean	no	1	Enable generation of custom rule chain hooks for user generated rules. User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use of these hooks.
disable_ipv6	boolean	no	0	Disable IPv6 firewall rules.
flow_offloading	boolean	no	0	Enable software flow offloading for connections. (decrease cpu load / increase routing throughput)
flow_offloading_hw	boolean	no	0	Enable hardware flow offloading for connections. (depends on flow_offloading and hw capability)
tcp_reject_code	reject_code	no	0	Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed)
any_reject_code	reject_code	no	1	Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed)
auto_helper	bool	no	1	Enable Conntrack helpers

Zones

该zone 部分将一个或多个网络接口组合在一起，作为转发、规则和重定向的源或目的

config zone
	option	name		'wan'
	option	network		'wan wan6'
	option	input		'REJECT'
	option	output		'ACCEPT'
	option	forward		'REJECT'
	option	masq		'1'
	option	mtu_fix		'1'

• MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface.

• INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.

• OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.

• FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone.

Options

Name	Type	Required	Default	Description
name	zone name	yes	(none)	Unique zone name. 11 characters is the maximum working firewall zone name length.
network	list	no	(none)	List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid ‘standalone’ networks. Use list syntax.
masq	boolean	no	0	Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone.
masq_src	list of subnets	no	0.0.0.0/0	Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
masq_dest	list of subnets	no	0.0.0.0/0	Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed.
masq_allow_invalid	boolean	no	0	Do not add DROP INVALID rules, if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see commit in firewall3).
mtu_fix	boolean	no	0	Enable MSS clamping for outgoing zone traffic.
input	string	no	DROP	Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic.
forward	string	no	DROP	Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic.
output	string	no	DROP	Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic.
family	string	no	any	The protocol family (ipv4, ipv6 or any) these iptables rules are for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section.
log	int	no	0	Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae)
log_limit	string	no	10/minute	Limits the amount of log messages per interval.
device	list	no	(none)	List of L3 network interface names attached to this zone, e.g. tun+ or ppp+ to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support such as OpenVPN. Otherwise network is preferable and device should be avoided.
subnet	list	no	(none)	List of IP subnets attached to this zone.
extra	string	no	(none)	Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefor direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead.
extra_src	string	no	Value of extra	Extra arguments passed directly to iptables for source classification rules.
extra_dest	string	no	Value of extra	Extra arguments passed directly to iptables for destination classification rules.
custom_chains	bool	no	1	Enable generation of custom rule chain hooks for user generated rules. Has no effect if disabled (0) in the defaults section (see above).
enabled	bool	no	yes	if set to 0, zone is disabled
auto_helper	bool	no	1 for non-masq zone	Add CT helpers for zone
helper	cthelper	no	(none)	List of helpers to add to zone

Forwardings

The forwarding 控制 zone 之间的转发, and may enable MSS clamping for specific directions.

config forwarding
	option	src    'lan'
	option	dest   'wan'

一条forwarding规则只涵盖一个方向。为了允许两个区域之间的双向流量流，需要两个forwarding

Name	Type	Required	Default	Description
name	forward name	no	(none)	Unique forwarding name.
src	zone name	yes	(none)	Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is ‘wan’.
dest	zone name	yes	(none)	Specifies the traffic destination zone. Refers to one of the defined zone names
mtu_fix	boolean	no	0	Enable MSS clamping for traffic flowing from the source zone to the destination zone (Deprecated and moved to zone sections in 8.09.2+)
family	string	no	any	Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
enabled	bool	no	yes	if set to 0, forward is disabled

Rules

该rule部分用于定义基本的接受、丢弃或拒绝规则，以允许或限制对特定端口或主机的访问。

config rule
	option	name		'Reject LAN to WAN for custom IP'
	option	src		'lan'
	option	src_ip		'192.168.1.2'
	option	src_mac		'00:11:22:33:44:55'
	option	src_port	'80'
	option	dest		'wan'
	option	dest_ip		'194.25.2.129'
	option	dest_port	'120'
	option	proto		'tcp'
	option	target		'REJECT'

• 在fw3 中，src和dest与目标相关联：

  • 如果给定src和dest，则规则匹配 forwarded traffic

  • 如果仅有src, 则规则匹配 incoming traffic

  • 如果仅有dest, 则规则匹配 outgoing traffic

  • 如果既没有src也没有dest给出, 则规则匹配 outgoing traffic

• 端口范围用start:stop 指定，例如6666:6670 （类似于 iptables 语法）。

Options

Name	Type	Required	Default	Description
name	string	no	(none)	Name of rule
src	zone name	no	(none)	Specifies the traffic source zone. Refers to one of the defined zone names, or * for any zone. If omitted, the rule applies to output traffic.
src_ip	ip address	no	(none)	Match incoming traffic from the specified source IP address
src_mac	mac address	no	(none)	Match incoming traffic from the specified MAC address
src_port	port or range	no	(none)	Match incoming traffic from the specified source port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1.
proto	protocol name or number	no	tcp udp	Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
icmp_type	list of type names or numbers	no	any	For protocol icmp select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below).
dest	zone name	no	(none)	Specifies the traffic destination zone. Refers to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule.
dest_ip	ip address	no	(none)	Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule!
dest_port	port or range	no	(none)	Match incoming traffic directed at the given destination port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1.
ipset	string	no	(none)	If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as ‘setname src’ or ‘setname dest’. The default if neither src nor dest are added is to assume src
mark	mark/mask	no	(none)	If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.
start_date	date (yyyy-mm-dd)	no	(always)	If specifed, only match traffic after the given date (inclusive).
stop_date	date (yyyy-mm-dd)	no	(always)	If specified, only match traffic before the given date (inclusive).
start_time	time (hh:mm:ss)	no	(always)	If specified, only match traffic after the given time of day (inclusive).
stop_time	time (hh:mm:ss)	no	(always)	If specified, only match traffic before the given time of day (inclusive).
weekdays	list of weekdays	no	(always)	If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays.
monthdays	list of dates	no	(always)	If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month.
utc_time	boolean	no	0	Treat all given time values as UTC time instead of local time.
target	string	yes	DROP	Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic
set_mark	mark/mask	yes for target MARK	(none)	Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed
set_xmark	Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed
family	string	no	any	Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section.
limit	string	no	(none)	Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m.
limit_burst	integer	no	5	Maximum initial number of packets to match, allowing a short-term average above limit
extra	string	no	(none)	Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec.
enabled	boolean	no	yes	Enable or disable rule.
device	string	no	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wv6nmfYf-1629945692459)(https://openwrt.org/lib/images/smileys/fixme.gif)]
direction	direction	no	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2QduvSFI-1629945692467)(https://openwrt.org/lib/images/smileys/fixme.gif)]	direction_out
set_helper	cthelper	no		[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5NeubI9B-1629945692472)(https://openwrt.org/lib/images/smileys/fixme.gif)]
helper	cthelper	no	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yhfVGShW-1629945692474)(https://openwrt.org/lib/images/smileys/fixme.gif)]

ICMP name types

address-mask-reply	host-redirect	pong	time-exceeded
address-mask-request	host-unknown	port-unreachable	timestamp-reply
any	host-unreachable	precedence-cutoff	timestamp-request
communication-prohibited	ip-header-bad	protocol-unreachable	TOS-host-redirect
destination-unreachable	network-prohibited	redirect	TOS-host-unreachable
echo-reply	network-redirect	required-option-missing	TOS-network-redirect
echo-request	network-unknown	router-advertisement	TOS-network-unreachable
fragmentation-needed	network-unreachable	router-solicitation	ttl-exceeded
host-precedence-violation	parameter-problem	source-quench	ttl-zero-during-reassembly
host-prohibited	ping	source-route-failed	ttl-zero-during-transit

Redirects

端口转发 (DNAT) 由redirect部分定义。 端口重定向通常也称为“端口转发”或“虚拟服务器”。

• 指定源区域上与给定规则匹配的所有传入流量都将被定向到指定的内部主机。
• 端口范围被指定为start:stop，例如6666:6670 （类似于 iptables 语法）。

Destination NAT

config redirect
	option	name		'DNAT WAN to LAN for SSH'
	option	src		'wan'
	option	src_dport	'19900'
	option	dest		'lan'
	option	dest_ip		'192.168.1.1'
	option	dest_port	'22'
	option	proto		'tcp'
	option	target		'DNAT'

如果 src_dport 未包含在 config 部分中，则在任何 port 上与其他配置选项匹配的数据包将被转发到该 config 部分中指定的目标端口。 这可能会给目标端口上运行的应用程序带来安全风险。 测试此问题的一种方法是使用 Gibson Research Corporation’s ShieldsUP! service, 并探测路由器上所需的端口. 响应可以是 open, closed, or stealth (drop). 在端口打开或关闭的情况下，数据包到达目标主机，并发送回确认/回复数据包. 而隐身（stealth）端口会丢弃数据包；从探测系统 (Gibson Research) 的角度来看，该系统无法明确知道这些数据包是否可能到达目标主机

Source NAT

伪装(Masquerade )是最常见的 SNAT 形式，将WAN的流量源更改为路由器的公共IP。SNAT 也可以手动完成：

config redirect
	option	name		'SNAT DMZ 192.168.1.250 to WAN 1.2.3.4 for ICMP'
	option	src		'dmz'
	option	src_ip		'192.168.1.250'
	option	src_dip		'1.2.3.4'
	option	dest		'wan'
	option	proto		'icmp'
	option	target		'SNAT'

Options

See also: List of SNAT options @ OpenWrt SNAPSHOT

Name	Type	Required	Default	Description
name	string	no	string	Name of redirect
src	zone name	yes for DNAT target	(none)	Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is wan.
src_ip	ip address	no	(none)	Match incoming traffic from the specified source IP address.
src_dip	ip address	yes for SNAT target	(none)	For DNAT, match incoming traffic directed at the given destination IP address. For SNAT rewrite the source address to the given address.
src_mac	mac address	no	(none)	Match incoming traffic from the specified MAC address.
src_port	port or range	no	(none)	Match incoming traffic originating from the given source port or port range on the client host.
src_dport	port or range	no	(none)	For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value.
proto	protocol name or number	no	tcp udp	Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all.
dest	zone name	yes for SNAT target	(none)	Specifies the traffic destination zone. Refers to one of the defined zone names. Irrelevant for DNAT target.
dest_ip	ip address	no	(none)	For DNAT, redirect matches incoming traffic to the specified internal host. For SNAT, it matches traffic directed at the given address. For DNAT, if the dest_ip is not specified, the rule is translated in a iptables/REDIRECT rule, otherwise it is a iptables/DNAT rule.
dest_port	port or range	no	(none)	For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below).
ipset	string	no	(none)	If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark.
mark	string	no	(none)	If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16.
start_date	date (yyyy-mm-dd)	no	(always)	If specifed, only match traffic after the given date (inclusive).
stop_date	date (yyyy-mm-dd)	no	(always)	If specified, only match traffic before the given date (inclusive).
start_time	time (hh:mm:ss)	no	(always)	If specified, only match traffic after the given time of day (inclusive).
stop_time	time (hh:mm:ss)	no	(always)	If specified, only match traffic before the given time of day (inclusive).
weekdays	list of weekdays	no	(always)	If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays.
monthdays	list of dates	no	(always)	If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month.
utc_time	boolean	no	0	Treat all given time values as UTC time instead of local time.
target	string	no	DNAT	NAT target (DNAT or SNAT) to use when generating the rule.
family	string	no	any	Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 since IPv6 DNAT is not supported by fw3.
reflection	boolean	no	1	Activate NAT reflection for this redirect - applicable to DNAT targets.
reflection_src	string	no	internal	The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface’s address to use. Applicable to DNAT targets.
limit	string	no	(none)	Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s.
limit_burst	integer	no	5	Maximum initial number of packets to match, allowing a short-term average above limit.
enabled	string	no	1 or yes	Enable the redirect rule or not.
helper	cthelper	no	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-m8DnXJut-1629945692476)(https://openwrt.org/lib/images/smileys/fixme.gif)]

IP sets

See also: fw3 IP set examples

fw3 支持引用或创建IP 集以简化大型地址或端口列表的匹配，而无需为每个项目创建一个规则进行匹配。

This needs the kmod-ipt-ipset kernel module installed.

Options

Name	Type	Required	Default	Description
enabled	boolean	no	1	Allows to disable the declaration of the ipset without the need to delete the section.
external	string	no	(none)	If the external option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the external option is unset, the firewall will create the ipset on start and destroy it on stop.
name	string	yes if external is unset no if external is set	(none) if external is unset value of external if external is set	Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects.
family	string	no	ipv4	Protocol family (ipv4 or ipv6) to create ipset for. Only applicable to storage types hash and list, the bitmap type implies ipv4.
storage	string	no	varies	Specifies the storage method (bitmap, hash or list) used by the ipset, the default varies depending on the used datatypes (see match option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip).
match	list of direction/type tuples	yes	(none)	Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. “match dest_ip dest_port”).
iprange	IP range	yes for storage type bitmap with datatype ip	(none)	Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type.
portrange	Port range	yes for storage type bitmap with datatype port	(none)	Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type.
netmask	integer	no	32	If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip.
maxelem	integer	no	65536	Limits the number of items that can be added to the set, only applicable to the hash and list storage types.
hashsize	integer	no	1024	Specifies the initial hash size of the set, only applicable to the hash storage type.
timeout	integer	no	0	Specifies the default timeout for entries added to the set. A value of 0 means no timeout.
entry	setentry	no		[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T4Xep0Qh-1629945692479)(https://openwrt.org/lib/images/smileys/fixme.gif)]
loadfile	string	no	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-slc5pTfg-1629945692480)(https://openwrt.org/lib/images/smileys/fixme.gif)]	[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Hqt1ssF4-1629945692481)(https://openwrt.org/lib/images/smileys/fixme.gif)]

Storage / Match Options

数据类型匹配的顺序很重要

Family	Storage	Match	Notes
ipv4	bitmap	ip	Requires iprange option
ipv4	bitmap	ip mac	Requires iprange option
ipv4	bitmap	port	Requires portrange option
any	hash	ip	-
any	hash	net	-
any	hash	ip port	-
any	hash	net port	-
any	hash	ip port ip	-
any	hash	ip port net	-
-	list	set	Meta type to create a set-of-sets

Includes

用于添加自定义的防火墙脚本

config include
	option	path		'/etc/firewall.user'

• The /etc/firewall.user script is empty by default.

Options

Name	Type	Required	Default	Description
enabled	boolean	no	1	Allows to disable the corresponding include without having to delete the section
type	string	no	script	Specifies the type of the include, can be script for traditional shell script includes or restore for plain files in iptables-restore format
path	file name	yes	/etc/firewall.user	Specifies a shell script to execute on boot or firewall restarts
family	string	no	any	Specifies the address family (ipv4, ipv6 or any) for which the include is called
reload	boolean	no	0	Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains

Includes of type script may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping.

• [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PX8hJeSH-1629945692482)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 由于自定义 iptables 规则比通用规则更具体，因此您必须确保使用-I *(insert)*而不是-A (append)，以便规则出现在默认规则之前
• [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-WAicrzDn-1629945692483)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 如果规则存在于iptables中，则不会重新添加。一个标准的 iptables-I 或 -A会添加重复规则

Example

Here is an example of /etc/firewall.user script that allows to CloudFlare.com to access HTTP 80 and HTTPS 443 ports. Use if your uhttpd is hidden behind CF proxy.

# Replace the ips-v4 with v6 if needed
for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do
  iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done

NOTE: The example uses HTTP to get the list of IPs. Using HTTP makes us vulnerable to MITM attacks. To use the more secure HTTPS and avoid MITM risks, we need to install ca-certs.