Firewall configuration (plugin) for port forwarding
Users commonly expect an easy-to-use firewall configuration, and its primary use is port forwarding.
This can be either a new plugin or, if it makes sense, part of core.
We need port forwarding such as:

config redirect
    option target DNAT
    option src wan
    option dest lan
    option proto tcp
    option src_dport 22
    option dest_ip 192.168.1.20
    option dest_port 22
    option enabled 1
In our case it is easier, as src is always going to be wan and dest always lan. We only have to allow configuration of proto (tcp/udp or both), src_dport and dest_ip. I am not sure if we even have to support dest_port (the user can do a redirect of that type in LuCI or on the target machine), but it should be easy to do; the frontend just has to solve how to explain it to the user so it is not confusing.
We should also think about including a DMZ with this feature (probably almost the same way as we have the guest network, but with LAN access to the DMZ).
MVP

For a basic version the following features are required:

- create a firewall rule in UCI based on user input (port, destination_address, destination_port)
- extend port and destination_port so they accept ranges (see the src_port specification in https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options5)
- accept only destination IPs which are specified in /etc/config/dhcp (see https://gitlab.nic.cz/turris/foris-controller/foris-controller/-/blob/master/foris_controller_modules/lan/schema/lan.json#L119 or https://gitlab.nic.cz/turris/foris-controller/foris-controller/-/blob/master/foris_controller/schemas/definitions/common.json#L20)
- proto option: by default, if no proto is given, both tcp and udp are used; if proto is set, only redirects for that protocol (tcp or udp) are created
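The following is an added example (not foris-controller's code) that ties the simplified wan-to-lan redirect described above to the MVP list: it takes the user-facing inputs (port, destination_address, destination_port, proto), accepts single ports or ranges, rejects any destination IP that is not a static lease in /etc/config/dhcp, defaults proto to both tcp and udp, and renders a UCI redirect section. The function names, the sample dhcp file and the sample leases are all constructed for illustration; the only real conventions assumed are OpenWrt's `config host` / `option ip` static-lease sections and the `config redirect` options already shown in this ticket.

```python
"""Constructed example: build an OpenWrt firewall `redirect` section from the
simplified user input described in the ticket. All names are hypothetical and
not part of foris-controller."""
import ipaddress

# Constructed sample of /etc/config/dhcp with two static leases.
SAMPLE_DHCP_CONFIG = """
config dnsmasq
    option domain 'lan'

config host
    option name 'nas'
    option mac '00:11:22:33:44:55'
    option ip '192.168.1.20'

config host
    option name 'printer'
    option mac '66:77:88:99:aa:bb'
    option ip '192.168.1.30'
"""

ALLOWED_PROTOS = {"tcp", "udp"}


def static_lease_ips(dhcp_config_text):
    """Collect `option ip` values from `config host` sections of a UCI dhcp file."""
    ips, section = set(), None
    for line in dhcp_config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "config":
            section = parts[1] if len(parts) > 1 else None
        elif parts[0] == "option" and section == "host" and len(parts) >= 3 and parts[1] == "ip":
            ips.add(parts[2].strip("'\""))
    return ips


def parse_port_spec(spec):
    """Accept a single port ('22') or a range ('6000-6010'), as the OpenWrt
    src_dport/dest_port options do, and return the normalised string."""
    spec = str(spec).strip()
    bounds = spec.split("-")
    if len(bounds) > 2 or not all(b.isdigit() for b in bounds):
        raise ValueError(f"invalid port specification: {spec!r}")
    values = [int(b) for b in bounds]
    if not all(1 <= v <= 65535 for v in values):
        raise ValueError(f"port out of range: {spec!r}")
    if len(values) == 2 and values[0] > values[1]:
        raise ValueError(f"range start exceeds end: {spec!r}")
    return "-".join(str(v) for v in values)


def build_redirect(port, destination_address, destination_port=None, proto=None,
                   allowed_ips=frozenset()):
    """Return the options of a wan->lan DNAT redirect, or raise ValueError.

    Only IPs listed in `allowed_ips` (the static DHCP leases) are accepted,
    so a user cannot forward traffic to an address the router does not manage.
    """
    dest_ip = ipaddress.IPv4Address(destination_address)  # rejects malformed input
    if str(dest_ip) not in allowed_ips:
        raise ValueError(f"{dest_ip} is not a static DHCP lease")
    if proto is None:
        protos = ["tcp", "udp"]  # ticket default: no proto means both
    else:
        protos = [proto] if isinstance(proto, str) else list(proto)
        if not protos or not set(protos) <= ALLOWED_PROTOS:
            raise ValueError(f"unsupported proto: {proto!r}")
    options = {
        "target": "DNAT",
        "src": "wan",          # fixed in our case, not user-configurable
        "dest": "lan",
        "proto": " ".join(protos),
        "src_dport": parse_port_spec(port),
        "dest_ip": str(dest_ip),
        "enabled": "1",
    }
    if destination_port is not None:
        options["dest_port"] = parse_port_spec(destination_port)
    return options


def render_uci(options):
    """Render the options as a `config redirect` block in /etc/config/firewall syntax."""
    lines = ["config redirect"]
    lines += [f"\toption {key} '{value}'" for key, value in options.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    leases = static_lease_ips(SAMPLE_DHCP_CONFIG)
    print(render_uci(build_redirect("22", "192.168.1.20", allowed_ips=leases)))
```

Validating before writing to UCI is the point of the lease check: the frontend can show a dropdown of known hosts, but the backend still has to refuse anything outside /etc/config/dhcp, since the UI is not the trust boundary.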