userdoc:tt_firewall_overview

Firewall Overview

AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent Arno's IPTABLES Firewall (AIF) script, developed by Arno van Amersfoort.

By default, with the firewall enabled and no added firewall rules, the allowed traffic flow is as follows:

Default Allow Traffic

Note -> By default any LAN to LAN traffic is not allowed.

Note -> WireGuard and OpenVPN virtual networks are treated as LANs.

Note -> Using the DMZ requires at least one LAN defined.

In networking the DMZ (DeMilitarized Zone) can have various meaning. In AstLinux, the default DMZ firewall rules are as follows:

  1. Drop all DMZ→Local traffic
  2. Drop all DMZ→LAN traffic
  3. Allow DMZ→EXT (internet)
  4. Allow LAN→DMZ (includes WireGuard and OpenVPN virtual LANs)
  5. Allow Local→DMZ

The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself.

Given the DMZ defaults above, any DHCP, DNS, NTP requests to Local are dropped, so …

Commonly accept these:

Pass DMZ->Local UDP	0/0	53,67,68,123
Pass DMZ->Local	TCP	0/0	53

You may also want mDNS (UDP 5353)

To disable DMZ→Local logging, uncheck the following:

Firewall sub-tab:

___ Log Denied DMZ interface packets

If you later need to debug, you can re-enable this setting.

For the Pi-Hole case, the DMZ is perfect. The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS.

Related Info -> Firewall Plugins

  • userdoc/tt_firewall_overview.txt
  • Last modified: 2020/05/24 16:04
  • by abelbeck