techsupport

Edit: my ISP says they only need the DCHP protocol and ports for basic functionality, as I have a public IP, so I will temporarily disable all the other rules and see whether that has any negative effects.

I am running a few routers at home using single board computers with OpenWrt. I never realized that OpenWRT comes with its own firewall configuration. I have firewalls set up on all my individual hosts, following this guide, and I guess the firewalls on my OpenWRT routers will serve non firewalled hosts, such as when I have friends over that connect to my network, and my own smartphones of course.

BUT!

Except for Ping, DCHPv6 and ICMPv6-Input, I don't understand what these other ones do. All of them are facing wan and I would like to close as many wan facing ports as possible if they aren't needed for normie consumer use. I do have a public IP because I'm running a Tor bridge to help our friends in China and Iran, but for that service, I have already opened and allowed dedicated ports and protocols not listed here. Otherwise, I'm just surfing the world wide web. No ssh , no telnet , no nothing.

Does, for instance, my ISP require DHCP-Renew to be able to rotate my public address when they need to (rarely happens)? Why would ICMPv6 messages need to be forwarded as opposed to simply be allowed in the input chain with the appropriate port? Why would a normie use IPsec (and what is ESP)?

• DHCP-Renew
• (Ping)
• IGMP
• (DHCPv6)
• MLD
• (ICMPv6-Input)
• ICMPv6-Forward
• IPSec-ESP
• ISAKMP