OpenWrt compatible hardware for a firewall


#1

Bonjour,

Assuming we extract the iptables rules that implement the recommended firewall configuration, it should be possible to buy a retail router and set it up with OpenWrt.

Terse firewall description

Admin Subnet: 10.20.1.0/24
Admin Gateway: 10.20.1.1
Admin Workstation: 10.20.1.2

Application Subnet: 10.20.2.0/24
Application Gateway: 10.20.2.1
Application Server (OPT1): 10.20.2.2

Monitor Subnet: 10.20.3.0/24
Monitor Gateway: 10.20.3.1
Monitor Server (OPT2) : 10.20.3.2

Ports:

OSSEC: 1514
ossec_agent_auth: 1515
  • Disable DHCP
  • Disallow everything
  • Allow TCP ssh from Admin to all
  • Allow UDP OSSEC from App to Mon
  • Allow TCP ossec agent auth from App to Mon
  • Allow TCP/UDP DNS from App/Mon to IP of know name servers
  • Allow UDP NTP from App/Mon to all
  • Allow TCP any port from Mon to all
  • Allow TCP 80/443 from App/Mon to all
  • Allow TCP any port from Admin to all

OpenWrt compatible hardware:

Cheers


#3

Proposed implementation at https://github.com/freedomofpress/securedrop/pull/2717