# 防火牆的設置 ## `/etc/config/firewall`的功能 一般來說,當我們說到防火牆時,想到的是 Windows 作業系統上的防毒軟體,這些防毒軟體針對不同應用程式,給予不同的權限,避免應用程式有後門將蒐集的資訊傳到一個未允取的遠端伺服器。然而,在 OpenWRT 的設置中,其設定與功能都複雜許多。首先,我們先看一下 OpenWRT 中防火牆的設定檔: ``` # vim /etc/config/firewall config defaults option syn_flood '1' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'lan' list network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' [...] config forwarding option src 'lan' option dest 'wan' [...] config rule option name 'Allow-Ping' option src 'wan' option proto 'icmp' option icmp_type 'echo-request' option family 'ipv4' option target 'ACCEPT' [...] config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option src_dport '22' option dest_ip '192.168.10.1' option dest_port '22' option name 'SSH' [...] ``` 這個檔案頗大,也不好閱讀。不過我們可以先從`config`開始,看看不同設定的分類,在設定檔中,我們可以看到有以下類別: `defaults`(默認設定)、`zone`(對某網路內部的規則)、`forwarding`(兩個網路之間的關係)、`rule`(對特定通訊協定、MAC位址、IP位址的設定)、`redirect`(NAT 的設定)。由此可知,在 OpenWRT 下,firewall負責的不只是防火牆的功能,還包含許多網路的必要設定。 ## 針對`rule`設定 在所有設定中,rule的設定最接近我們對一般防火牆的認知,於是,我們就從這裡開始。所使用的範例是 OpenWRT 官網上針對小孩網路存取的限制,來自於: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://openwrt-nctu.gitbook.io/project/openwrt-functions/openwrt-firewall.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.