this post was submitted on 06 Feb 2024
17 points (94.7% liked)

homelab

6602 readers
1 users here now

founded 4 years ago
MODERATORS
CMonster@lemmy.ml
17
Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpereting what they are saying exactly. (sh.itjust.works)
submitted 9 months ago* (last edited 9 months ago) by Kalcifer@sh.itjust.works to c/homelab@lemmy.ml
13 comments fedilink hide all child comments
 

cross-posted to: https://sh.itjust.works/post/14114626

If the rule is about forwarding traffic from the lan interface to the wan interface, then why is there also a forward rule? How would inputs, and outputs make any sense if the rule is talking about forwarding? What does it mean for wan to forward to REJECT? I interperet that as saying that wan doesn't go anywhere, but that wouldn't make sense given that the router can send, and receive over the internet.

For example I would interperet the first rule as follows:

  • lan => wan: the conditions for which connections from the lan interface are forwarded to to the wan interface.
  • Input: accept: the lan interface accepts all connections originating from the network (I wouldn't understand the point of setting this to be reject).
  • Output: accept: all connections exiting the wan interface are accepted (again, I'm not sure what the point of this would be).
  • Forward: accept: forwarding of packets from lan to wan is allowed.
  • Masquerade: I honestly don't know what the effect of enabling this would be. What would it mean to masquerade the lan interface?

I tried finding documentation, and I did come across this, and this, but, from what I could understand, they didn't really answer any of my questions.

you are viewing a single comment's thread
view the rest of the comments
[–] gratux@lemmy.blahaj.zone 7 points 9 months ago (8 children)

Disclaimer: I am not a professional network engineer, this is just what i found out after researching some iptables terminology.

the lan => wan is perhaps a bit misleading. lan is the zone, or which side of the router this firewall rule is in reference to. wan is another zone, the arrow shows where packets of type Forward are ending up.

  • Input means packets originating from another device within this zone with the router as the destination.
  • Output is a packet from the router to another device in the zone.
  • Forward is a packet originating from one zone with a destination in another zone.

When forward on the wan interface is set to reject, it essentially means no device from outside may initiate a connection. However, they may respond to already opened connection.

I don't yet know what masquerade does.

[–] N0x0n@lemmy.ml 1 points 9 months ago (1 children)

Isn't the lan -> wan interfaces refering to your packets going outside your router and lan network to the outside world (internet?).

I vaguely remember the pfsense configuration I did a while ago, where the wan interface is actually the internet connection interface.

Maybe I'm wrong and misunderstood something, if so, please correct me !

[–] gratux@lemmy.blahaj.zone 3 points 9 months ago

yes, lan is the Local Area Network, wan is the Wide Area Network. The zone lan refers to the devices on the local side, wan to the great internet.

load more comments (6 replies)