mirror/bbfdm
1
0
Fork 0
mirror of https://dev.iopsys.eu/bbf/bbfdm.git synced 2025-12-10 07:44:39 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
bbfdm/docs/firewall.md
vdutta d526bf77ee Updated firewall design
2022-04-15 15:13:43 +05:30

2.8 KiB
Raw Blame History

Firewall

Aim of this document to explain the TR181 firewall datamodel parameter mappings with firewall and network uci.

In TR-181 firewall definition, we have Device.Firewall.Level., Deivce.Firewall.Chain. and Firewall.Chain.{i}.Rules., which does not have one to one mapping with firewall uci sections. Also due to lack of mapping between Device.IP.Interface and Firewall uci zones, its not possible to define rules for newly created interfaces.

To simplify the mappings, libbbf during bootstrap, does

  • Create a Firewall zone section corresponding to the Interface section in the network uci file
  • Give it the same name as the interface section in the network uci file.
  • Set the default firewall zone value of input/output/forward to ACCEPT/ACCEPT/ACCEPT for all bridge interface and REJECT/ACCEPT/REJECT for all non bridge interfaces

So basically, if the network uci has this section for an interface

config interface iptv
    option device ethx.y
    option proto dhcp

Then below zone gets created by libbbf in firewall uci:

config zone iptv
    option network iptv
    option input REJECT
    option output ACCEPT
    option forward REJECT

Further, Per interface default policy can be configured by adding a rule in chain for each direction. So, if its required to have ACCEPT policy for input direction, then specify a rule as Chain.1.Rule.x.SourceInterface = Device.IP.Interface.3 and Rule.x.Target = ACCEPT and this result into corresponding firewall uci which does the same.

config rule x
    option src iptv
    option target ACCEPT

Similarly, to configure firewall rules for each interfaces, add rule objects in Device.Firewall.Chain.{i}.Rule.{i}. table to the existing Device.Firewall.Chain.{i}. in the order in which they should be applied.

Limitations

  • Multiple Device.Firewall.Level.{i}. objects are not supported
  • Multiple Device.Firewall.Chain.{i}. objects are not supported
  • Device.Firewall.Chain.{i}.Rule.{i}.TargetChain not supported
  • Device.Firewall.Chain.{i}.Rule.{i}.Order not supported, firewall rule applied in the order in which they are created, lower index rule has higher priority.
  • Device.Firewall.Config only supports 'Advanced' mode

How Device.Firewall.Chain.{i}.Rule.{i}. Object handles the Protocol parameter:

For Firewall rule sections, if the protocol(proto option) is not defined or if there are multiple protocols defined in the rule like proto='tcp udp' then in those cases the 'Device.Firewall.Chain.{i}.Rule.{i}.Protocol' parameter will have as value '255' which is reserved in the protocol specification.

References

  1. Firewall uci
  2. Network uci