Differences

inbox:firewall:firewall_components [2018/08/22 15:40] dturvene
docs:guide-user:firewall:firewall_components [2023/10/14 06:00] – update vgaetera
Line 1: Line 1:
-====== Firewall Components ====== +====== Firewall components ====== 
-The OpenWrt firewall implementation is the mechanism by which network traffic +The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. 
-is filtered coming through the router.  At a high level, one of three outcomes +At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). 
-will occur: either the packet is discarded (dropped) without any further +Note that the router itself is a destination for management and monitoring.
-action, rejected (with an appropriate response to the source), or accepted +
-(routed to the destination).  Note that the router itself is a destination for  +
-management and monitoring.+
  
-The OpenWrt firewall revolves around the Linux +The OpenWrt firewall revolves around the Linux [[http://www.netfilter.org|netfilter]] project. 
-[[http://www.netfilter.org|netfilter]] project. There are the following main +There are the following main components to the OpenWrt firewall:
-components to the OpenWrt firewall:+
  
-  - the [[inbox:firewall:firewall3:overview|firewall3]] application+  - the [[docs:guide-user:firewall:overview|firewall3]] application
   - a set of netfilter hooks in the kernel networking stacks   - a set of netfilter hooks in the kernel networking stacks
   - a set of linux kernel modules that handle the inspection of network packets   - a set of linux kernel modules that handle the inspection of network packets
   - a set of kernel tuning parameters to configure the network stacks and firewall modules   - a set of kernel tuning parameters to configure the network stacks and firewall modules
  
-This documentation is based on +This documentation is based on [[releases:18.06:notes-18.06.0|OpenWrt 18.06.0]]. 
-[[https://openwrt.org/releases/18.06/notes-18.06.0|OpenWrt 18.06.0]]. +Many of the configurations have been tested against this release using the [[docs:guide-user:firewall:fw3_configurations:fw3_ref_topo|test network]]
-Many of the configurations have been tested against this release using the +
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|test network]]+
  
 ===== Firewall3 (fw3) ===== ===== Firewall3 (fw3) =====
-The [[inbox:firewall:firewall3:overview|fw3 application]] package is the main +The [[docs:guide-user:firewall:overview|fw3 application]] package is the main application used to provision the firewall. 
-application used to provision the firewall.  It was developed by the OpenWrt +It was developed by the OpenWrt team specifically for the project.
-team specifically for the project.+
  
 ===== Kernel netfilter hooks ====== ===== Kernel netfilter hooks ======
-Each of the network stacks have netfilter ''hooks'' embedded at specific places +Each of the network stacks have netfilter functions call ''hooks'' embedded at specific places in the code. 
-in the code.  As a network packet moves through the stack, each hook may be +As a network packet moves through the stack, each hook is called to check the packet against possible netfilter rules bound to the hook.
-called to check the packet against the netfilter rules bound to the hook.+
  
-These hooks are placed in the kernel network stack code at specific points in +The netfilter hook code uses the ''NF_HOOK'' set of macros. 
-the packet processing.  The hook code uses the ''NF_HOOK'' set of macros. Each +Each hook takes the following arguments:
-hook takes the following arguments: +
  
   * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet   * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet
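Review bot: the rewritten opening sentence of the Kernel netfilter hooks section does not parse: "Each of the network stacks have netfilter functions call ''hooks'' embedded at specific places in the code." Suggest "Each network stack has netfilter function calls (''hooks'') embedded at specific places in the code." The rest of the hunk reads cleanly, but the ''[[man>sysctl.conf]]'' style interwiki links introduced elsewhere in this revision should be checked against the wiki's configured interwiki shortcuts, since the old text used a full man7.org URL.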
Line 44: Line 35:
   * a function callback if the packet passes the filter   * a function callback if the packet passes the filter
  
-===== netfilter kernel modules ===== +===== Kernel netfilter modules ===== 
-The netfilter kernel modules loaded at boot depend on the configured.  There +The netfilter kernel modules are loaded at boot depend on the configured. 
-are roughly 35 kernel modules to support the standard netfilter capabilities.+There are roughly 35 kernel modules to support the standard netfilter capabilities but there are many more depending on the requirements of the router. 
 +For example, many routers use the [[http://ipset.netfilter.org/|ipset]] feature. 
 +This adds ~16 additional kernel modules.
  
-Most of the netfilter modules are small, providing a single specific +Most of the netfilter modules are small, providing a single specific capability. 
-capability.  For example:+For example:
  
   * ''ipt_REJECT'' performs REJECT (target),   * ''ipt_REJECT'' performs REJECT (target),
Line 55: Line 48:
   * ''xt_TCPMSS'' performs Maximum Segment Size adjustment in the TCP header (target in ''mangle'' table)   * ''xt_TCPMSS'' performs Maximum Segment Size adjustment in the TCP header (target in ''mangle'' table)
  
-Several of the netfilter modules are larger. For example:+Several of the netfilter modules are larger. 
 +For example:
  
   * ''nf_conntrack'' performs connection tracking for masquerading (NAT) and packet de-fragmentation.   * ''nf_conntrack'' performs connection tracking for masquerading (NAT) and packet de-fragmentation.
  
-The number of kmods expands as netfilter capabilities are addedJust +===== Kernel tuning via sysctl ===== 
-enabling [[http://ipset.netfilter.org|ipset]] in the config adds 16 kmods!+The sysctl service is executed at boot time
 +This is a shell script that loads ''/etc/sysctl.conf'' and all files under ''/etc/sysctl.d/''
 +These set/tune kernel parameters to provide OpenWrt features. 
 +See [[man>sysctl.conf]].
  
-===== Kernel Tuning via sysctl ===== +All are parameters documented under the ''Documentation/networking'' directory of kernel source tree so the specifics will not be repeated here
-''/etc/init.d/sysctl'' is executed at boot time This is a shell script that +See ''ip-sysctl.txt'' and ''nf_conntrack-sysctl.txt'' for reference.
-loads ''/etc/sysctl.conf'' and all files under ''/etc/sysctl.d/'' These +
-set/tune kernel parameters to provide OpenWrt features.  See +
-[[http://man7.org/linux/man-pages/man5/sysctl.conf.5.html|sysctl.conf]]+
  
-All are parameters documented under the ''Documentation/networking'' directory +:!: Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to tuned beyond the defaults provided in the build.
-of kernel source tree so the specifics will not be repeated here.  See +
-''ip-sysctl.txt'' and ''nf_conntrack-sysctl.txt'' for reference.+
  
-:!: Since the OpenWrt feature set is fairly static, the kernel parameters almost +:!: Notice that netfilter bridging support in the kernel is disabled! 
-certainly do not need to tuned beyond the defaults provided in the build.+See ''ip-sysctl.txt'':
  
-:!: Notice that netfilter bridging support in the kernel is disabled!  See +<code>
-''ip-sysctl.txt'': +
- +
-<file>+
 bridge-nf-call-iptables - BOOLEAN bridge-nf-call-iptables - BOOLEAN
  1 : pass bridged IPv4 traffic to iptables' chains.  1 : pass bridged IPv4 traffic to iptables' chains.
  0 : disable this.  0 : disable this.
  Default: 1  Default: 1
-</file> +</code>
- +
-FIXME : the **sysctl** directives in ''/etc/init.d/sysctl'' are a superset of +
-those in the ''/etc/sysctl.d'' files.  The files in ''/etc/sysctl.d'' are +
-entirely redundant.  This may be a product of the build process.+
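Review bot: the first sentence of the Kernel netfilter modules section is still incomplete after the edit: "The netfilter kernel modules are loaded at boot depend on the configured." The old text carried the same dangling "depend on the configured"; since the line is being touched anyway, finish it, for example "The netfilter kernel modules loaded at boot depend on the configured firewall features." Two smaller points in the same hunk: the sysctl admonition says "do not need to tuned" (missing "be"), and the FIXME about the **sysctl** directives in ''/etc/init.d/sysctl'' duplicating those in ''/etc/sysctl.d'' is deleted outright while the replacement text still says the service loads ''/etc/sysctl.conf'' and ''/etc/sysctl.d/''; either keep the note or state whether the redundancy was resolved.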
  
  • Last modified: 2023/10/14 06:03
  • by vgaetera