Edit: my ISP says they only need the DHCP protocol and ports for basic functionality, as I have a public IP, so I will temporarily disable all the other rules and see whether that has any negative effects.

I am running a few routers at home using single board computers with OpenWrt. I never realized that OpenWrt comes with its own firewall configuration. I have firewalls set up on all my individual hosts, following this guide, and I guess the firewalls on my OpenWrt routers will serve non-firewalled hosts, such as when I have friends over that connect to my network, and my own smartphones of course.

BUT!

Except for Ping, DHCPv6 and ICMPv6-Input, I don’t understand what these other ones do. All of them are facing wan and I would like to close as many wan facing ports as possible if they aren’t needed for normie consumer use. I do have a public IP because I’m running a Tor bridge to help our friends in China and Iran, but for that service, I have already opened and allowed dedicated ports and protocols not listed here. Otherwise, I’m just surfing the world wide web. No ssh, no telnet, no nothing.

Does, for instance, my ISP require DHCP-Renew to be able to rotate my public address when they need to (rarely happens)? Why would ICMPv6 messages need to be forwarded as opposed to simply being allowed in the input chain with the appropriate port? Why would a normie use IPsec (and what is ESP)?

  • DHCP-Renew
  • (Ping)
  • IGMP
  • (DHCPv6)
  • MLD
  • (ICMPv6-Input)
  • ICMPv6-Forward
  • IPSec-ESP
  • ISAKMP
  • floquant@lemmy.dbzer0.com · 2 upvotes · 2 days ago

    Setting up firewalls on the individual hosts on your network is good, but the “main” firewall is always the box that does the NAT between LAN and WAN! Assuming you’re not running a full IPv6 stack, that is, in which case you’d be right to make policies for each device. But for IPv4, your OpenWrt router is what gets hit when someone tries to open a connection to your public IP. Packets can get into your LAN for a handful of reasons:

    • It is a response packet to a LAN-initiated connection
    • There is an explicit input rule
    • There is an explicit forwarding rule
    • A client has created a port forwarding via UPnP, if allowed

    All of these happen on the router; the individual hosts’ firewalls only ever see packets if the router first sends them their way (again, unless IPv6, sort of), or if the packet originated from another host within the LAN.

    Now to actually answer your question: yes, you need to allow DHCP to receive IP leases from your ISP. DHCP-Renew already seems to be client-side only, so that’s as restrictive as you can go. ICMPv6 is fundamental to IPv6 operation in general, and it needs to be forwarded because IPv6 removes the concept of NAT and gives more autonomy to each endpoint - forwarding the ping request (and other “network configuration” packets) directly to the endpoints. Whether to respond to ICMPv4 pings on WAN or not is pretty much personal preference for a residential setup; personally I don’t.

    If you are still learning networking in general, I would suggest disabling IPv6 and having fun in v4 land until you can find the time to properly study, test, and configure the whole network for it, which might be never - I still haven’t studied it fully enough to trust my smartphone and IoT shiz to have a globally-routable public address.

    Just to be clear, I want to clarify that the statement

    I guess the firewalls on my OpenWRT routers will serve non firewalled hosts, such as when I have friends over that connect to my network, and my own smartphones of course.

    is incorrect, but in different ways depending on what IP version the packet is. For IPv4, they will always go through the OpenWrt chains first, and if forwarded then it will hit the host. For IPv6, it will be forwarded directly to the host unless explicitly forbidden in the router’s forward chain. That means that an ESP32 running whatever web interface bound on [::]:80 (v6 equivalent of 0.0.0.0:80) is now reachable by the internet. In both cases, the router has no way of knowing which endpoints are running a firewall and which aren’t, so they’re treated the same.
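The distinction floquant draws above (a wan rule with only `src` opens the router's own input chain; a rule with `src` and `dest` opens the forward chain into the LAN) is the thing to check before disabling anything from the original poster's list. As an added example, not part of this thread and not OpenWrt's own tooling, the Python below reads an `/etc/config/firewall` in UCI syntax, reports each WAN-facing ACCEPT rule with the chain it lands in, and prints the `uci` commands that would disable everything outside a keep-list so the change can be reviewed first. The sample config is constructed (three rules modelled on the stock OpenWrt rules of the same names), and `KEEP_MINIMAL` mirrors the rules the original post left in parentheses plus the ISP's DHCP; both are assumptions to replace with your own config and needs.

```python
"""Audit the WAN-facing ACCEPT rules in an OpenWrt /etc/config/firewall (UCI syntax)."""
import re

# Constructed sample: three rules modelled on the stock OpenWrt rules of the same
# names. Run the audit on your own /etc/config/firewall, not on this text.
SAMPLE_CONFIG = """
config rule
  option name 'Allow-DHCP-Renew'
  option src 'wan'
  option proto 'udp'
  option dest_port '68'
  option target 'ACCEPT'
  option family 'ipv4'

config rule
  option name 'Allow-ICMPv6-Forward'
  option src 'wan'
  option dest '*'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'destination-unreachable'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

config rule
  option name 'Allow-ISAKMP'
  option src 'wan'
  option dest 'lan'
  option dest_port '500'
  option proto 'udp'
  option target 'ACCEPT'
"""

# Assumed keep-list: the rules the original poster left in parentheses as understood,
# plus the ISP's DHCP lease. Adjust to what your own WAN actually needs.
KEEP_MINIMAL = {"Allow-DHCP-Renew", "Allow-Ping", "Allow-DHCPv6", "Allow-ICMPv6-Input"}

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+(\S+))?\s*$")
KV_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+(.*?)\s*$")


def _unquote(value):
    """Strip one layer of matching single or double quotes from a UCI value."""
    if value and len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Parse UCI text into dicts {'type', 'name' (None if anonymous), 'opts'};
    `option` keys hold one string, `list` keys accumulate a list of strings."""
    sections = []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            sections.append({"type": m.group(1), "name": _unquote(m.group(2)), "opts": {}})
        elif (m := KV_RE.match(line)) and sections:
            kind, key, value = m.groups()
            opts = sections[-1]["opts"]
            if kind == "list":
                opts.setdefault(key, []).append(_unquote(value))
            else:
                opts[key] = _unquote(value)
    return sections


def wan_exposure(text):
    """List every rule that ACCEPTs traffic arriving from the wan zone.
    Only `src`: the router's own input chain. `src` and `dest`: the forward chain,
    i.e. hosts behind the router. OpenWrt documents DROP as the default rule target,
    so a rule without `target` opens nothing."""
    findings, rule_index = [], -1
    for sec in parse_uci(text):
        if sec["type"] != "rule":
            continue
        rule_index += 1  # position among rule sections, as used by firewall.@rule[N]
        o = sec["opts"]
        if o.get("src") != "wan" or o.get("target", "DROP") != "ACCEPT":
            continue
        findings.append({
            "name": o.get("name", "(unnamed)"),
            "chain": "forward" if "dest" in o else "input",
            "family": o.get("family", "any"),
            "proto": o.get("proto", "any"),
            "dest_port": o.get("dest_port", "-"),
            # named sections are addressable by name, anonymous ones only by index
            "uci_ref": sec["name"] or f"@rule[{rule_index}]",
        })
    return findings


def disable_commands(text, keep):
    """`uci` commands that switch off WAN-facing ACCEPT rules not in `keep`;
    each is reversible by setting enabled='1' on the same path."""
    cmds = [f"uci set firewall.{f['uci_ref']}.enabled='0'"
            for f in wan_exposure(text) if f["name"] not in keep]
    return cmds + ["uci commit firewall", "/etc/init.d/firewall restart"] if cmds else []


if __name__ == "__main__":
    for f in wan_exposure(SAMPLE_CONFIG):
        print(f"{f['name']:<22} {f['chain']:<8} {f['family']:<5} {f['proto']:<5} port {f['dest_port']}")
    print("\n".join(disable_commands(SAMPLE_CONFIG, KEEP_MINIMAL)))
```

On a real router, replace `SAMPLE_CONFIG` with the contents of `/etc/config/firewall` and compare the `@rule[N]` indices against `uci show firewall` before running the printed commands; the audit only reads the file and prints, it changes nothing by itself.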