Mikrotik minbox refused on wan

Protect the Clients

Before the actual set of rules, let's create a necessary address-list that contains all IPv4/6 addresses that cannot be forwarded. The entries reproduced on this page are:

/ip firewall address-list
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4

Notice that in this list the multicast address range is added. It is there because in most cases multicast is not used. If you intend to use multicast forwarding, then this address list entry should be disabled.

It is very important that IPsec encapsulated traffic bypasses fast-track. That is why, as an illustration, we have added a disabled rule to accept traffic matching IPsec policies. Whenever IPsec tunnels are used on the router this rule should be enabled. Another approach to solving the IPsec problem is to add RAW rules; we will talk about this method later in the RAW section.

Masquerade Local Network

For local devices behind the router to be able to access the internet, local networks must be masqueraded. In most cases it is advised to use src-nat instead of masquerade; however, in this case, when the WAN address is dynamic, it is the only option.

IPv4 RAW Rules

Raw IPv4 rules will perform the following actions:
- add a disabled "accept" rule - can be used to quickly disable RAW filtering without disabling all RAW rules.
- accept DHCP discovery - most of the DHCP packets are not seen by an IP firewall, but some of them are, so make sure that they are accepted.
- drop globally unroutable IPs coming from WAN.
- drop packets with a source address not equal to 192.168.88.0/24 (the default IP range) coming from LAN.
- drop packets coming from WAN to be forwarded to the 192.168.88.0/24 network; this protects against attacks if the attacker knows the internal network.
- accept everything else coming from WAN and LAN.

IPv6

For IPv6 it is much simpler since it does not have fast-track support.

Input chain rules (protect the router):

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Forward chain rules (protect the clients):

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward src-address-list=no_forward_ipv6 comment="defconf: drop bad forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv6 comment="defconf: drop bad forward IPs"
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" protocol=udp dst-port=500,4500
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
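The IPv4 RAW actions this page lists (disabled accept rule, DHCP discovery, unroutable sources from WAN, LAN source check, WAN-to-192.168.88.0/24 drop, accept the rest) and the masquerade rule it describes, written out as a RouterOS script. This is an added example, not the page's or MikroTik's own rule set; it assumes the default WAN and LAN interface lists and the default 192.168.88.0/24 LAN range, reuses the bad_src_ipv4/bad_dst_ipv4 entries shown above, and the not_global_ipv4 list name and its entries are an assumed, illustrative subset.

```routeros
# Added example (not from the page). Assumes interface lists WAN and LAN exist.
/ip firewall address-list
# bad_src_ipv4 / bad_dst_ipv4 entries as shown on this page
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# not_global_ipv4 (assumed list name): illustrative subset of non-global ranges
add address=10.0.0.0/8 comment="private" list=not_global_ipv4
add address=172.16.0.0/12 comment="private" list=not_global_ipv4
add address=192.168.0.0/16 comment="private" list=not_global_ipv4
add address=100.64.0.0/10 comment="shared address space" list=not_global_ipv4
add address=127.0.0.0/8 comment="loopback" list=not_global_ipv4
add address=169.254.0.0/16 comment="link-local" list=not_global_ipv4

/ip firewall raw
# 1. disabled accept rule: enable it to switch all RAW filtering off at once
add action=accept chain=prerouting comment="enable for transparent firewall" disabled=yes
# 2. DHCP discover from an unconfigured client (0.0.0.0:68 -> 255.255.255.255:67)
#    would otherwise be caught by the bogon drops below, so accept it first
add action=accept chain=prerouting comment="accept DHCP discover" dst-address=255.255.255.255 \
    dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
# 3. drop packets whose source or destination is in the page's bogon lists
add action=drop chain=prerouting comment="drop bogon src" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="drop bogon dst" dst-address-list=bad_dst_ipv4
# 4. globally unroutable sources must not arrive from the internet (anti-spoofing)
add action=drop chain=prerouting comment="drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
# 5. LAN hosts may only send from the default range (anti-spoofing on the inside)
add action=drop chain=prerouting comment="drop local if not from default IP range" \
    in-interface-list=LAN src-address=!192.168.88.0/24
# 6. nothing from WAN may be addressed to the internal network directly
add action=drop chain=prerouting comment="drop forward to local lan from WAN" \
    dst-address=192.168.88.0/24 in-interface-list=WAN
# 7. everything else from WAN and LAN continues to the filter chains;
#    traffic from interfaces in neither list is dropped (added as a safe default)
add action=accept chain=prerouting comment="accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="drop the rest"

/ip firewall nat
# masquerade rather than src-nat because the WAN address is dynamic
add action=masquerade chain=srcnat comment="masquerade LAN behind dynamic WAN" out-interface-list=WAN
```

Verify the result with /ip firewall raw print stats after some traffic has passed: the DHCP accept and the "drop the rest" counters tell you whether clients are still obtaining leases and whether anything unexpected is being dropped.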