防火墙配置 /etc/config/firewall
OpenWrt 的防火墙管理应用fw3具有三种配置机制
配置文件:
/etc/firewall.user/etc/config/firewall
本 wiki 中的大部分信息将集中在配置文件和内容上。LuCI 和 UCI 接口是用户抽象,最终修改配置文件。
管理
- 主要的防火墙配置文件是
/etc/config/firewall,编辑此文件以修改防火墙设置- 在进行更改之前创建防火墙配置的备份
- 如果更改导致与路由器的连接丢失,您需要在故障安全模式下访问它以恢复备份
- 一旦设置被更改,并经过双重检查,通过
/etc/init.d/firewall reload重新加载防火墙- 这是一个简单的 shell 脚本,调用
fw3 reload,并将在解析新的防火墙配置时将诊断信息打印到控制台。 检查错误!
- 这是一个简单的 shell 脚本,调用
- 在进行更改之前创建防火墙配置的备份
- # 开头用于注释,不解析
- 注释用于描述、解释或快速注释掉某个部分
/etc/config/firewall涵盖了合理的NetFilter规则子集,但并非全部- 为了提供更多功能,UCI 防火墙配置中添加了一个
include部分,用于加载包含本机 iptables 指令的文件- 这是作为 shell 脚本处理的,允许向其中添加任何 shell 命令,但重点是通过添加 iptables 命令来使用 netfilter 子系统
- 用法见fw3配置示例
- 这是作为 shell 脚本处理的,允许向其中添加任何 shell 命令,但重点是通过添加 iptables 命令来使用 netfilter 子系统
- 为了提供更多功能,UCI 防火墙配置中添加了一个
- 尽可能使用 fw3 防火墙 UCI 配置
- 有一些场景
iptables需要命令- 有关更多信息,请参阅OpenWrt 中的 Netfilter
- 有一些场景
Web interface instructions
LuCI是一种很好的查看和修改防火墙配置的机制。
- 它位于**网络 → 防火墙下,**并与配置文件部分紧密映射。
- 修改防火墙配置需要更长的时间,但比配置文件具有更高的组织级别。
使用Save & Apply按钮进行更改并重新加载。
- LuCI 将从中删除所有注释 [
#] 行/etc/config/firewall!
Command-line instructions
uci add firewall rule
uci set firewall.@rule[-1].name='Reject VPN to LAN traffic'
uci set firewall.@rule[-1].src='vpn'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart
显示防火墙配置:
# uci show firewall
firewall.@rule[20]=rule
firewall.@rule[20].name='Reject VPN to LAN traffic'
firewall.@rule[20].src='vpn'
firewall.@rule[20].dest='lan'
firewall.@rule[20].proto='all'
firewall.@rule[20].target='REJECT'
...
UCI对于查看防火墙配置很有用,但由于以下原因不能进行任何有意义的修改:
- 防火墙规则需要进入规则数组的位置以使其工作(类似于
iptables -I) uci无法识别/etc/firewall.user脚本中的内容。uci commit需要保存更改,但仍需要/etc/init.d/firewall reload重新加载新表。
配置部分
以下是可能在防火墙配置中定义的部分类型的概述。
- 路由器的最小防火墙配置通常包括一个默认部分、至少两个区域(
lan和wan)和一个转发以允许从lan到 的流量wan。- 当区域不超过两个时,转发部分不是严格要求的,因为可以将规则设置为该区域的“全局默认值”。
Defaults
该defaults部分声明了不属于特定区域的全局防火墙设置
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option custom_chains '1'
option drop_invalid '1'
option syn_flood '1'
option synflood_burst '50'
option synflood_protect '1'
option tcp_ecn '1'
option tcp_syncookies '1'
option tcp_window_scaling '1'
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
input |
string | no | REJECT |
Set policy for the INPUT chain of the filter table. |
forward |
string | no | REJECT |
Set policy for the FORWARD chain of the filter table. |
output |
string | no | REJECT |
Set policy for the OUTPUT chain of the filter table. |
drop_invalid |
boolean | no | 0 |
Drop invalid packets (e.g. not matching any active connection). |
syn_flood |
boolean | no | 0 |
Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection (obsoleted by synflood_protect setting). |
synflood_protect |
boolean | no | 0 |
Enable [SYN flood](https://en.wikipedia.org/wiki/SYN flood) protection. |
synflood_rate |
string | no | 25 |
Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood. |
synflood_burst |
string | no | 50 |
Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
tcp_syncookies |
boolean | no | 1 |
Enable the use of [SYN cookies](https://en.wikipedia.org/wiki/SYN cookies). |
tcp_ecn |
boolean | no | 0 |
Enable/Disable Explicit Congestion Notification. Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
tcp_window_scaling |
boolean | no | 1 |
Enable TCP window scaling. |
accept_redirects |
boolean | no | 0 |
Accepts redirects. Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
accept_source_route |
boolean | no | 0 |
Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
custom_chains |
boolean | no | 1 |
Enable generation of custom rule chain hooks for user generated rules. User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use of these hooks. |
disable_ipv6 |
boolean | no | 0 |
Disable IPv6 firewall rules. |
flow_offloading |
boolean | no | 0 |
Enable software flow offloading for connections. (decrease cpu load / increase routing throughput) |
flow_offloading_hw |
boolean | no | 0 |
Enable hardware flow offloading for connections. (depends on flow_offloading and hw capability) |
tcp_reject_code |
reject_code | no | 0 |
Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed) |
any_reject_code |
reject_code | no | 1 |
Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed) |
auto_helper |
bool | no | 1 |
Enable Conntrack helpers |
Zones
该zone 部分将一个或多个网络接口组合在一起,作为转发、规则和重定向的源或目的
config zone
option name 'wan'
option network 'wan wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
-
MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface.
-
INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.
-
OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.
-
FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone.
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
name |
zone name | yes | (none) | Unique zone name. 11 characters is the maximum working firewall zone name length. |
network |
list | no | (none) | List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid ‘standalone’ networks. Use list syntax. |
masq |
boolean | no | 0 |
Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone. |
masq_src |
list of subnets | no | 0.0.0.0/0 |
Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
masq_dest |
list of subnets | no | 0.0.0.0/0 |
Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
masq_allow_invalid |
boolean | no | 0 |
Do not add DROP INVALID rules, if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see commit in firewall3). |
mtu_fix |
boolean | no | 0 |
Enable MSS clamping for outgoing zone traffic. |
input |
string | no | DROP |
Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
forward |
string | no | DROP |
Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
output |
string | no | DROP |
Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic. |
family |
string | no | any |
The protocol family (ipv4, ipv6 or any) these iptables rules are for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section. |
log |
int | no | 0 |
Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae) |
log_limit |
string | no | 10/minute |
Limits the amount of log messages per interval. |
device |
list | no | (none) | List of L3 network interface names attached to this zone, e.g. tun+ or ppp+ to match any TUN or PPP interface. This is specifically suitable for undeclared interfaces which lack built-in netifd support such as OpenVPN. Otherwise network is preferable and device should be avoided. |
subnet |
list | no | (none) | List of IP subnets attached to this zone. |
extra |
string | no | (none) | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefor direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead. |
extra_src |
string | no | Value of extra |
Extra arguments passed directly to iptables for source classification rules. |
extra_dest |
string | no | Value of extra |
Extra arguments passed directly to iptables for destination classification rules. |
custom_chains |
bool | no | 1 |
Enable generation of custom rule chain hooks for user generated rules. Has no effect if disabled (0) in the defaults section (see above). |
enabled |
bool | no | yes | if set to 0, zone is disabled |
auto_helper |
bool | no | 1 for non-masq zone |
Add CT helpers for zone |
helper |
cthelper | no | (none) | List of helpers to add to zone |
Forwardings
The forwarding 控制 zone 之间的转发, and may enable MSS clamping for specific directions.
config forwarding
option src 'lan'
option dest 'wan'
一条forwarding规则只涵盖一个方向。为了允许两个区域之间的双向流量流,需要两个forwarding
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
name |
forward name | no | (none) | Unique forwarding name. |
src |
zone name | yes | (none) | Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is ‘wan’. |
dest |
zone name | yes | (none) | Specifies the traffic destination zone. Refers to one of the defined zone names |
mtu_fix |
0 |
zone sections in 8.09.2+) |
||
family |
string | no | any |
Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
enabled |
bool | no | yes | if set to 0, forward is disabled |
Rules
该rule部分用于定义基本的接受、丢弃或拒绝规则,以允许或限制对特定端口或主机的访问。
config rule
option name 'Reject LAN to WAN for custom IP'
option src 'lan'
option src_ip '192.168.1.2'
option src_mac '00:11:22:33:44:55'
option src_port '80'
option dest 'wan'
option dest_ip '194.25.2.129'
option dest_port '120'
option proto 'tcp'
option target 'REJECT'
-
在fw3 中,
src和dest与目标相关联:-
如果给定
src和dest,则规则匹配 forwarded traffic -
如果仅有
src, 则规则匹配 incoming traffic -
如果仅有
dest, 则规则匹配 outgoing traffic -
如果既没有
src也没有dest给出, 则规则匹配 outgoing traffic
-
-
端口范围用
start:stop指定,例如6666:6670(类似于 iptables 语法)。
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
name |
string | no | (none) | Name of rule |
src |
zone name | no | (none) | Specifies the traffic source zone. Refers to one of the defined zone names, or * for any zone. If omitted, the rule applies to output traffic. |
src_ip |
ip address | no | (none) | Match incoming traffic from the specified source IP address |
src_mac |
mac address | no | (none) | Match incoming traffic from the specified MAC address |
src_port |
port or range | no | (none) | Match incoming traffic from the specified source port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1. |
proto |
protocol name or number | no | tcp udp |
Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
icmp_type |
list of type names or numbers | no | any | For protocol icmp select specific ICMP types to match. Values can be either exact ICMP type numbers or type names (see below). |
dest |
zone name | no | (none) | Specifies the traffic destination zone. Refers to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule. |
dest_ip |
ip address | no | (none) | Match incoming traffic directed to the specified destination IP address. With no dest zone, this is treated as an input rule! |
dest_port |
port or range | no | (none) | Match incoming traffic directed at the given destination port or port range, if relevant proto is specified. Multiple ports can be specified like ‘80 443 465’ 1. |
ipset |
string | no | (none) | If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as ‘setname src’ or ‘setname dest’. The default if neither src nor dest are added is to assume src |
mark |
mark/mask | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
start_date |
date (yyyy-mm-dd) |
no | (always) | If specifed, only match traffic after the given date (inclusive). |
stop_date |
date (yyyy-mm-dd) |
no | (always) | If specified, only match traffic before the given date (inclusive). |
start_time |
time (hh:mm:ss) |
no | (always) | If specified, only match traffic after the given time of day (inclusive). |
stop_time |
time (hh:mm:ss) |
no | (always) | If specified, only match traffic before the given time of day (inclusive). |
weekdays |
list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on sundays, mondays, thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays. |
monthdays |
list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
utc_time |
boolean | no | 0 |
Treat all given time values as UTC time instead of local time. |
target |
string | yes | DROP |
Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
set_mark |
mark/mask | yes for target MARK |
(none) | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
set_xmark |
Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | |||
family |
string | no | any |
Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 or ipv6 if respective addresses are listed in the same section. |
limit |
string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m. |
limit_burst |
integer | no | 5 |
Maximum initial number of packets to match, allowing a short-term average above limit |
extra |
string | no | (none) | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
enabled |
boolean | no | yes | Enable or disable rule. |
device |
string | no | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wv6nmfYf-1629945692459)(https://openwrt.org/lib/images/smileys/fixme.gif)] |  |
direction |
direction | no | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2QduvSFI-1629945692467)(https://openwrt.org/lib/images/smileys/fixme.gif)] | direction_out |
set_helper |
cthelper | no | |
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5NeubI9B-1629945692472)(https://openwrt.org/lib/images/smileys/fixme.gif)] |
helper |
cthelper | no | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yhfVGShW-1629945692474)(https://openwrt.org/lib/images/smileys/fixme.gif)] | |
ICMP name types
address-mask-reply |
host-redirect |
pong |
time-exceeded |
|---|---|---|---|
address-mask-request |
host-unknown |
port-unreachable |
timestamp-reply |
any |
host-unreachable |
precedence-cutoff |
timestamp-request |
communication-prohibited |
ip-header-bad |
protocol-unreachable |
TOS-host-redirect |
destination-unreachable |
network-prohibited |
redirect |
TOS-host-unreachable |
echo-reply |
network-redirect |
required-option-missing |
TOS-network-redirect |
echo-request |
network-unknown |
router-advertisement |
TOS-network-unreachable |
fragmentation-needed |
network-unreachable |
router-solicitation |
ttl-exceeded |
host-precedence-violation |
parameter-problem |
source-quench |
ttl-zero-during-reassembly |
host-prohibited |
ping |
source-route-failed |
ttl-zero-during-transit |
Redirects
端口转发 (DNAT) 由redirect部分定义。 端口重定向通常也称为“端口转发”或“虚拟服务器”。
- 指定源区域上与给定规则匹配的所有传入流量都将被定向到指定的内部主机。
- 端口范围被指定为
start:stop,例如6666:6670(类似于 iptables 语法)。
Destination NAT
config redirect
option name 'DNAT WAN to LAN for SSH'
option src 'wan'
option src_dport '19900'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '22'
option proto 'tcp'
option target 'DNAT'
如果 src_dport 未包含在 config 部分中,则在任何 port 上与其他配置选项匹配的数据包将被转发到该 config 部分中指定的目标端口。 这可能会给目标端口上运行的应用程序带来安全风险。 测试此问题的一种方法是使用 Gibson Research Corporation’s ShieldsUP! service, 并探测路由器上所需的端口. 响应可以是 open, closed, or stealth (drop). 在端口打开或关闭的情况下,数据包到达目标主机,并发送回确认/回复数据包. 而隐身(stealth)端口会丢弃数据包;从探测系统 (Gibson Research) 的角度来看,该系统无法明确知道这些数据包是否可能到达目标主机
Source NAT
伪装(Masquerade )是最常见的 SNAT 形式,将WAN的流量源更改为路由器的公共IP。SNAT 也可以手动完成:
config redirect
option name 'SNAT DMZ 192.168.1.250 to WAN 1.2.3.4 for ICMP'
option src 'dmz'
option src_ip '192.168.1.250'
option src_dip '1.2.3.4'
option dest 'wan'
option proto 'icmp'
option target 'SNAT'
Options
See also: List of SNAT options @ OpenWrt SNAPSHOT
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
name |
string | no | string | Name of redirect |
src |
zone name | yes for DNAT target |
(none) | Specifies the traffic source zone. Refers to one of the defined zone names. For typical port forwards this usually is wan. |
src_ip |
ip address | no | (none) | Match incoming traffic from the specified source IP address. |
src_dip |
ip address | yes for SNAT target |
(none) | For DNAT, match incoming traffic directed at the given destination IP address. For SNAT rewrite the source address to the given address. |
src_mac |
mac address | no | (none) | Match incoming traffic from the specified MAC address. |
src_port |
port or range | no | (none) | Match incoming traffic originating from the given source port or port range on the client host. |
src_dport |
port or range | no | (none) | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value. |
proto |
protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. Can be one (or several when using list syntax) of tcp, udp, udplite, icmp, esp, ah, sctp, or all or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
dest |
zone name | yes for SNAT target |
(none) | Specifies the traffic destination zone. Refers to one of the defined zone names. Irrelevant for DNAT target. |
dest_ip |
ip address | no | (none) | For DNAT, redirect matches incoming traffic to the specified internal host. For SNAT, it matches traffic directed at the given address. For DNAT, if the dest_ip is not specified, the rule is translated in a iptables/REDIRECT rule, otherwise it is a iptables/DNAT rule. |
dest_port |
port or range | no | (none) | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below). |
ipset |
string | no | (none) | If specified, match traffic against the given ***ipset***. The match can be inverted by prefixing the value with an exclamation mark. |
mark |
string | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
start_date |
date (yyyy-mm-dd) |
no | (always) | If specifed, only match traffic after the given date (inclusive). |
stop_date |
date (yyyy-mm-dd) |
no | (always) | If specified, only match traffic before the given date (inclusive). |
start_time |
time (hh:mm:ss) |
no | (always) | If specified, only match traffic after the given time of day (inclusive). |
stop_time |
time (hh:mm:ss) |
no | (always) | If specified, only match traffic before the given time of day (inclusive). |
weekdays |
list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and sundays. |
monthdays |
list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
utc_time |
boolean | no | 0 |
Treat all given time values as UTC time instead of local time. |
target |
string | no | DNAT |
NAT target (DNAT or SNAT) to use when generating the rule. |
family |
string | no | any |
Protocol family (ipv4, ipv6 or any) to generate iptables rules for. Defaults to any, but automatically degrades to ipv4 since IPv6 DNAT is not supported by fw3. |
reflection |
boolean | no | 1 |
Activate NAT reflection for this redirect - applicable to DNAT targets. |
reflection_src |
string | no | internal |
The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface’s address to use. Applicable to DNAT targets. |
limit |
string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s. |
limit_burst |
integer | no | 5 |
Maximum initial number of packets to match, allowing a short-term average above limit. |
enabled |
string | no | 1 or yes |
Enable the redirect rule or not. |
helper |
cthelper | no | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-m8DnXJut-1629945692476)(https://openwrt.org/lib/images/smileys/fixme.gif)] | |
IP sets
See also: fw3 IP set examples
fw3 支持引用或创建IP 集以简化大型地址或端口列表的匹配,而无需为每个项目创建一个规则进行匹配。
This needs the kmod-ipt-ipset kernel module installed.
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
enabled |
boolean | no | 1 |
Allows to disable the declaration of the ipset without the need to delete the section. |
external |
string | no | (none) | If the external option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the external option is unset, the firewall will create the ipset on start and destroy it on stop. |
name |
string | yes if external is unset no if external is set |
(none) if external is unset value of external if external is set |
Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. |
family |
string | no | ipv4 |
Protocol family (ipv4 or ipv6) to create ipset for. Only applicable to storage types hash and list, the bitmap type implies ipv4. |
storage |
string | no | varies | Specifies the storage method (bitmap, hash or list) used by the ipset, the default varies depending on the used datatypes (see match option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip). |
match |
list of direction/type tuples | yes | (none) | Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. “match dest_ip dest_port”). |
iprange |
IP range | yes for storage type bitmap with datatype ip |
(none) | Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type. |
portrange |
Port range | yes for storage type bitmap with datatype port |
(none) | Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type. |
netmask |
integer | no | 32 |
If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip. |
maxelem |
integer | no | 65536 |
Limits the number of items that can be added to the set, only applicable to the hash and list storage types. |
hashsize |
integer | no | 1024 |
Specifies the initial hash size of the set, only applicable to the hash storage type. |
timeout |
integer | no | 0 |
Specifies the default timeout for entries added to the set. A value of 0 means no timeout. |
entry |
setentry | no | |
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T4Xep0Qh-1629945692479)(https://openwrt.org/lib/images/smileys/fixme.gif)] |
loadfile |
string | no | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-slc5pTfg-1629945692480)(https://openwrt.org/lib/images/smileys/fixme.gif)] | [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Hqt1ssF4-1629945692481)(https://openwrt.org/lib/images/smileys/fixme.gif)] |
Storage / Match Options
数据类型匹配的顺序很重要
| Family | Storage | Match | Notes |
|---|---|---|---|
ipv4 |
bitmap |
ip |
Requires iprange option |
ipv4 |
bitmap |
ip mac |
Requires iprange option |
ipv4 |
bitmap |
port |
Requires portrange option |
| any | hash |
ip |
- |
| any | hash |
net |
- |
| any | hash |
ip port |
- |
| any | hash |
net port |
- |
| any | hash |
ip port ip |
- |
| any | hash |
ip port net |
- |
| - | list |
set |
Meta type to create a set-of-sets |
Includes
用于添加自定义的防火墙脚本
config include
option path '/etc/firewall.user'
- The
/etc/firewall.userscript is empty by default.
Options
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
enabled |
boolean | no | 1 |
Allows to disable the corresponding include without having to delete the section |
type |
string | no | script |
Specifies the type of the include, can be script for traditional shell script includes or restore for plain files in iptables-restore format |
path |
file name | yes | /etc/firewall.user |
Specifies a shell script to execute on boot or firewall restarts |
family |
string | no | any |
Specifies the address family (ipv4, ipv6 or any) for which the include is called |
reload |
boolean | no | 0 |
Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains |
Includes of type script may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping.
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PX8hJeSH-1629945692482)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 由于自定义 iptables 规则比通用规则更具体,因此您必须确保使用
-I*(insert)*而不是-A(append),以便规则出现在默认规则之前 - [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-WAicrzDn-1629945692483)(https://openwrt.org/lib/images/smileys/icon_exclaim.gif)] 如果规则存在于iptables中,则不会重新添加。一个标准的 iptables
-I或-A会添加重复规则
Example
Here is an example of /etc/firewall.user script that allows to CloudFlare.com to access HTTP 80 and HTTPS 443 ports. Use if your uhttpd is hidden behind CF proxy.
# Replace the ips-v4 with v6 if needed
for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do
iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
NOTE: The example uses HTTP to get the list of IPs. Using HTTP makes us vulnerable to MITM attacks. To use the more secure HTTPS and avoid MITM risks, we need to install ca-certs.