@jimmyz wrote:

These are the rules I use, taken from one of the contributors on the Document page; note that ETH00 is LAN. Rule 3 I added myself for when I want to let someone ping me from the net; I disable it all the rest of the time.

Select the "INPUT" chain.

Rule #1, click "Add" and set the Input to "ETH00", changing nothing else, and click Confirm. This rule will permit all traffic from the ETH00 LAN to anywhere on the box.

Rule #2, click "Add", and check only "ESTABLISHED" and "RELATED" under
"Connection State", then click Confirm. This rule will permit response traffic from
established connections to the box to wherever they originated.

Rule #3, to be de-activated in everyday use:
Add Accept input to ppp0 ICMP type 8 New.

Click "Save" to make the new input rules active.

Then change the INPUT CHAIN DEFAULT policy from "ACCEPT" to "DROP"
so the rules actually take effect.

Then test your config at Shields Up

article I mentioned here: 1:1 NAT in ZeroShell

Thanks for your reply, but I’d appreciate further clarification.

It’s my understanding that these are the usages of the chains:

– Input: Traffic ingressing to ZeroShell and terminating there
– Output: Traffic originating from ZeroShell
– Forward: Traffic traversing ZeroShell (in either direction)

So how does the Input chain affect LAN to Internet & Internet to LAN traffic (unless web proxy is enabled)?

Also regarding your rule 1 why is that needed? Since the default Forward configuration is Accept so that’ll allow any LAN traffic to reach the Internet anyway and there is system specific configuration to allow the LAN to reach the web/ssh interfaces of ZS in the Input chain too as here:

Chain INPUT (policy ACCEPT 79 packets, 6162 bytes)
pkts bytes target prot opt in out source destination
223 22665 SYS_INPUT all -- * *
0 0 SYS_HTTPS tcp -- * * tcp dpt:80
144 16503 SYS_HTTPS tcp -- * * tcp dpt:443
0 0 SYS_SSH tcp -- * * tcp dpt:22
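To make the chain question concrete, here is a small toy model of the rule set jimmyz described, added to this thread as an illustration; it is not ZeroShell or netfilter code. It assumes the three chain roles listed above (INPUT for traffic terminating on the box, FORWARD for transit traffic with a default policy of ACCEPT, as stated in the thread), and it constructs its own sample packets. The interface names "ETH00" and "ppp0" and the rule order come from jimmyz's post; the packet fields, rule matching and the `decide` dispatch are my simplification of what conntrack and the chain walk do.

```python
"""Toy model of the INPUT-chain rule set from the thread (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str                 # arriving interface: "ETH00" (LAN) or "ppp0" (WAN)
    proto: str                    # "tcp", "udp" or "icmp"
    state: str                    # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    to_box: bool                  # True: addressed to ZeroShell itself (INPUT chain)
    dport: Optional[int] = None   # destination port for tcp/udp
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                                # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None             # None means any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    states: Optional[FrozenSet[str]] = None    # None means any connection state

    def matches(self, pkt: Packet) -> bool:
        # Every field that the rule sets must agree with the packet.
        return all((
            self.in_iface is None or self.in_iface == pkt.in_iface,
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.icmp_type is None or self.icmp_type == pkt.icmp_type,
            self.states is None or pkt.state in self.states,
        ))


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; with no match the chain's default policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The three GUI rules from the thread, in the order they were added.
RULE_1_LAN = Rule("ACCEPT", in_iface="ETH00")
RULE_2_REPLIES = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
RULE_3_PING = Rule("ACCEPT", in_iface="ppp0", proto="icmp", icmp_type=8,
                   states=frozenset({"NEW"}))


def decide(pkt: Packet, allow_ping: bool = False) -> str:
    """Dispatch to INPUT or FORWARD as netfilter would, then walk the chain."""
    if not pkt.to_box:
        # Transit traffic never visits INPUT; the thread says FORWARD defaults to ACCEPT.
        return evaluate([], "ACCEPT", pkt)
    chain = [RULE_1_LAN, RULE_2_REPLIES] + ([RULE_3_PING] if allow_ping else [])
    return evaluate(chain, "DROP", pkt)   # INPUT policy changed to DROP per the thread


# Constructed sample packets (not captured traffic).
LAN_TO_WEBUI = Packet("ETH00", "tcp", "NEW", True, dport=443)
WAN_TO_SSH = Packet("ppp0", "tcp", "NEW", True, dport=22)
WAN_REPLY = Packet("ppp0", "tcp", "ESTABLISHED", True)
WAN_PING = Packet("ppp0", "icmp", "NEW", True, icmp_type=8)
LAN_TO_INTERNET = Packet("ETH00", "tcp", "NEW", False, dport=80)

if __name__ == "__main__":
    for name, pkt in [("LAN -> web UI", LAN_TO_WEBUI), ("WAN -> ssh", WAN_TO_SSH),
                      ("WAN reply", WAN_REPLY), ("WAN ping", WAN_PING),
                      ("LAN -> Internet (forwarded)", LAN_TO_INTERNET)]:
        print(f"{name:30} {decide(pkt)}  (with rule 3: {decide(pkt, allow_ping=True)})")
```

Running it shows why the INPUT rules do not touch LAN-to-Internet traffic: `LAN_TO_INTERNET` has `to_box=False`, so it is decided by FORWARD and accepted regardless of the INPUT policy, while the unsolicited SSH attempt from the WAN falls through to the INPUT policy of DROP. The ping case only passes when rule 3 is present, which is the toggle jimmyz described.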