Updated firewall design

vdutta 2022-04-15 15:13:43 +05:30
parent daa67e6bad
commit d526bf77ee


@ -1,5 +1,38 @@
# Firewall
To configure firewall rules for all interfaces, add Device.Firewall.Chain.{i}.Rule.{i}. objects to the existing Device.Firewall.Chain.{i}. in the order in which they should be applied.
Aim of this document to explain the TR181 firewall datamodel parameter mappings with firewall and network uci.
In TR-181 firewall definition, we have Device.Firewall.Level., Deivce.Firewall.Chain. and Firewall.Chain.{i}.Rules., which does not have one to one mapping with firewall uci sections. Also due to lack of mapping between Device.IP.Interface and Firewall uci zones, its not possible to define rules for newly created interfaces.
To simplify the mappings, libbbf during bootstrap, does
- Create a Firewall zone section corresponding to the Interface section in the network uci file
- Give it the same name as the interface section in the network uci file.
- Set the default firewall zone value of input/output/forward to ACCEPT/ACCEPT/ACCEPT for all bridge interface and REJECT/ACCEPT/REJECT for all non bridge interfaces
So basically, if the network uci has this section for an interface
```bash
config interface iptv
option device ethx.y
option proto dhcp
```
Then below zone gets created by libbbf in firewall uci:
```bash
config zone iptv
option network iptv
option input REJECT
option output ACCEPT
option forward REJECT
```
Further, Per interface default policy can be configured by adding a rule in chain for each direction. So, if its required to have ACCEPT policy for input direction, then specify a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.3 and Rule.x.Target = ACCEPT and this result into corresponding firewall uci which does the same.
```bash
config rule x
option src iptv
option target ACCEPT
```
Similarly, to configure firewall rules for each interfaces, add rule objects in Device.Firewall.Chain.{i}.Rule.{i}. table to the existing Device.Firewall.Chain.{i}. in the order in which they should be applied.
# Limitations
- Multiple Device.Firewall.Level.{i}. objects are not supported
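Review bot: the default-policy bullet ("ACCEPT/ACCEPT/ACCEPT for all bridge interface") needs a stated rationale and a security note, because it means every service on the device is reachable from any bridge interface out of the box, while non-bridge interfaces get REJECT on input. Please say why bridges are treated as trusted and point out that an untrusted bridge must get an explicit Chain.1.Rule with Target = REJECT to restore the REJECT/ACCEPT/REJECT default. In the same hunk, the per-interface policy example sets "SourceInterface = Device.IP.Interface.3" but the generated uci shows "option src iptv"; the text should state that the zone name is derived from the network uci section name of that Device.IP.Interface instance, since that is the only link between the two. Also note that the resulting "config rule x / option src iptv / option target ACCEPT" has no proto or port restriction, so it accepts all input from that zone, not just one service. Minor spelling: "Deivce" -> "Device", "its not possible" -> "it's not possible", "Per interface" -> "per-interface", "for each interfaces" -> "for each interface".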
@ -11,3 +44,7 @@ To configure firewall rules for all interfaces, add Device.Firewall.Chain.{i}.Ru
# How Device.Firewall.Chain.{i}.Rule.{i}. Object handles the Protocol parameter:
For Firewall rule sections, if the protocol(proto option) is not defined or if there are multiple protocols defined in the rule like proto='tcp udp' then in those cases the 'Device.Firewall.Chain.{i}.Rule.{i}.Protocol' parameter will have as value '255' which is reserved in the protocol specification.
# References
1. [Firewall uci](https://openwrt.org/docs/guide-user/firewall/firewall_configuration)
2. [Network uci](https://openwrt.org/docs/guide-user/base-system/basic-networking)
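Review bot: the Protocol section only documents the read direction (uci -> TR-181); it should also state what happens when a controller writes Protocol = 255 or writes a single value to a rule whose uci section currently has proto='tcp udp', i.e. whether the proto option is cleared, left unchanged, or the write is rejected, otherwise a GET after a SET is not predictable. It would also help to say that the undefined-proto and multi-proto cases are collapsed into the same value deliberately, since a reader cannot distinguish "no proto option" from "proto='tcp udp'" through the datamodel. Style: the heading "# How Device.Firewall.Chain.{i}.Rule.{i}. Object handles the Protocol parameter:" should not end with a colon, and "protocol(proto option)" needs a space before the parenthesis.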