mirror/bbfdm
1
0
Fork 0
mirror of https://dev.iopsys.eu/bbf/bbfdm.git synced 2025-12-10 07:44:39 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
bbfdm/docs/guide/firewall.md
suvendhu be4929300e Align with doc structure
2023-01-09 16:04:10 +05:30

54 lines
3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# TR181 Firewall datamodel mapping
Aim of this document is to explain the TR181 firewall datamodel parameter mappings with firewall and network uci.
In TR-181 firewall definition, we have Device.Firewall.Level., Deivce.Firewall.Chain. and Firewall.Chain.{i}.Rules., which does not have one to one mapping with firewall uci sections.
So for each new network interface created by libbbf, a new firewall uci zone will be created as follow:
- Create a Network interface section
- Create a Firewall zone section corresponding to the Interface section in the network uci file
- Give it the same name as the interface section in the network uci file.
- Set the default firewall zone value of input/output/forward to ACCEPT/ACCEPT/ACCEPT for all bridge interface and REJECT/ACCEPT/REJECT for all non bridge interfaces
So basically, if the network uci has this section for an interface
```bash
config interface iptv
option device ethx.y
option proto dhcp
```
Then below zone gets created by libbbf in firewall uci:
```bash
config zone iptv
option network iptv
option input REJECT
option output ACCEPT
option forward REJECT
```
Further, Per interface default policy can be configured by adding a rule in chain for each direction. So, if its required to have ACCEPT policy for input direction, then specify a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.3 and Rule.x.Target = ACCEPT and this result into corresponding firewall uci which does the same.
```bash
config rule x
option src iptv
option target ACCEPT
```
> Note: when trying to define a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.x and the zone for this interface (Device.IP.Interface.x) doesn't exist in the firewall uci file so, a new firewall zone section corresponding to this interface section will be created.
Similarly, to configure firewall rules for each interfaces, add rule objects in Device.Firewall.Chain.{i}.Rule.{i}. table to the existing Device.Firewall.Chain.{i}. in the order in which they should be applied.
# Limitations
- Multiple Device.Firewall.Level.{i}. objects are not supported
- Multiple Device.Firewall.Chain.{i}. objects are not supported
- Device.Firewall.Chain.{i}.Rule.{i}.TargetChain not supported
- Device.Firewall.Chain.{i}.Rule.{i}.Order not supported, firewall rule applied in the order in which they are created, lower index rule has higher priority.
- Device.Firewall.Config only supports 'Advanced' mode
# How Device.Firewall.Chain.{i}.Rule.{i}. Object handles the Protocol parameter:
For Firewall rule sections, if the protocol(proto option) is not defined or if there are multiple protocols defined in the rule like proto='tcp udp' then in those cases the 'Device.Firewall.Chain.{i}.Rule.{i}.Protocol' parameter will have as value '255' which is reserved in the protocol specification.
# References
1. [Firewall uci](https://openwrt.org/docs/guide-user/firewall/firewall_configuration)
2. [Network uci](https://openwrt.org/docs/guide-user/base-system/basic-networking)
Reference in a new issue View git blame Copy permalink