Differences

inbox:firewall:firewall_components [2018/08/22 15:40] dturvene
docs:guide-user:firewall:firewall_components [2023/10/14 06:03] (current) – formatting vgaetera
Line 1: Line 1:
-====== Firewall Components ====== +====== Firewall components ====== 
-The OpenWrt firewall implementation is the mechanism by which network traffic +The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. 
-is filtered coming through the router.  At a high level, one of three outcomes +At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). 
-will occur: either the packet is discarded (dropped) without any further +Note that the router itself is a destination for management and monitoring.
-action, rejected (with an appropriate response to the source), or accepted +
-(routed to the destination).  Note that the router itself is a destination for  +
-management and monitoring.+
  
-The OpenWrt firewall revolves around the Linux +The OpenWrt firewall revolves around the Linux [[http://www.netfilter.org|netfilter]] project. 
-[[http://www.netfilter.org|netfilter]] project. There are the following main +There are the following main components to the OpenWrt firewall:
-components to the OpenWrt firewall:+
  
-  - the [[inbox:firewall:firewall3:overview|firewall3]] application+  - the [[docs:guide-user:firewall:overview|firewall3]] application
   - a set of netfilter hooks in the kernel networking stacks   - a set of netfilter hooks in the kernel networking stacks
   - a set of linux kernel modules that handle the inspection of network packets   - a set of linux kernel modules that handle the inspection of network packets
   - a set of kernel tuning parameters to configure the network stacks and firewall modules   - a set of kernel tuning parameters to configure the network stacks and firewall modules
  
-This documentation is based on +This documentation is based on [[releases:18.06:notes-18.06.0|OpenWrt 18.06.0]]. 
-[[https://openwrt.org/releases/18.06/notes-18.06.0|OpenWrt 18.06.0]]. +Many of the configurations have been tested against this release using the [[docs:guide-user:firewall:fw3_configurations:fw3_ref_topo|test network]]
-Many of the configurations have been tested against this release using the +
-[[inbox:firewall:fw3_configurations:fw3_ref_topo|test network]]+
  
 ===== Firewall3 (fw3) ===== ===== Firewall3 (fw3) =====
-The [[inbox:firewall:firewall3:overview|fw3 application]] package is the main +The [[docs:guide-user:firewall:overview|fw3 application]] package is the main application used to provision the firewall. 
-application used to provision the firewall.  It was developed by the OpenWrt +It was developed by the OpenWrt team specifically for the project.
-team specifically for the project.+
  
 ===== Kernel netfilter hooks ====== ===== Kernel netfilter hooks ======
-Each of the network stacks have netfilter ''hooks'' embedded at specific places +Each of the network stacks have netfilter functions call ''hooks'' embedded at specific places in the code. 
-in the code.  As a network packet moves through the stack, each hook may be +As a network packet moves through the stack, each hook is called to check the packet against possible netfilter rules bound to the hook.
-called to check the packet against the netfilter rules bound to the hook.+
  
-These hooks are placed in the kernel network stack code at specific points in +The netfilter hook code uses the ''NF_HOOK'' set of macros. 
-the packet processing.  The hook code uses the ''NF_HOOK'' set of macros. Each +Each hook takes the following arguments:
-hook takes the following arguments: +
  
   * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet   * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet
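Review bot: the rewritten hook sentence on the new side, "Each of the network stacks have netfilter functions call ''hooks'' embedded at specific places in the code.", is ungrammatical (subject-verb disagreement and a dangling "functions call"); suggest "Each of the network stacks has netfilter function calls (''hooks'') embedded at specific places in the code." The "test network" link line still ends without a period on both sides. Dropping the sentence "These hooks are placed in the kernel network stack code at specific points in the packet processing." is fine, since it repeated the preceding paragraph.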
Line 44: Line 35:
   * a function callback if the packet passes the filter   * a function callback if the packet passes the filter
  
-===== netfilter kernel modules ===== +===== Kernel netfilter modules ===== 
-The netfilter kernel modules loaded at boot depend on the configured.  There +The netfilter kernel modules are loaded at boot depend on the configured. 
-are roughly 35 kernel modules to support the standard netfilter capabilities.+There are roughly 35 kernel modules to support the standard netfilter capabilities but there are many more depending on the requirements of the router. 
 +For example, many routers use the [[http://ipset.netfilter.org/|ipset]] feature. 
 +This adds ~16 additional kernel modules.
  
-Most of the netfilter modules are small, providing a single specific +Most of the netfilter modules are small, providing a single specific capability. 
-capability.  For example:+For example:
  
   * ''ipt_REJECT'' performs REJECT (target),   * ''ipt_REJECT'' performs REJECT (target),
Line 55: Line 48:
   * ''xt_TCPMSS'' performs Maximum Segment Size adjustment in the TCP header (target in ''mangle'' table)   * ''xt_TCPMSS'' performs Maximum Segment Size adjustment in the TCP header (target in ''mangle'' table)
  
-Several of the netfilter modules are larger. For example:+Several of the netfilter modules are larger. 
 +For example:
  
   * ''nf_conntrack'' performs connection tracking for masquerading (NAT) and packet de-fragmentation.   * ''nf_conntrack'' performs connection tracking for masquerading (NAT) and packet de-fragmentation.
  
-The number of kmods expands as netfilter capabilities are addedJust +===== Kernel tuning via sysctl ===== 
-enabling [[http://ipset.netfilter.org|ipset]] in the config adds 16 kmods!+The ''sysctl'' service is executed at boot time
 +This is a shell script that loads ''/etc/sysctl.conf'' and all files under ''/etc/sysctl.d/''
 +These set/tune kernel parameters to provide OpenWrt features. 
 +See [[man>sysctl.conf]].
  
-===== Kernel Tuning via sysctl ===== +All are parameters documented under the ''Documentation/networking'' directory of kernel source tree so the specifics will not be repeated here
-''/etc/init.d/sysctl'' is executed at boot time This is a shell script that +See ''ip-sysctl.txt'' and ''nf_conntrack-sysctl.txt'' for reference.
-loads ''/etc/sysctl.conf'' and all files under ''/etc/sysctl.d/'' These +
-set/tune kernel parameters to provide OpenWrt features.  See +
-[[http://man7.org/linux/man-pages/man5/sysctl.conf.5.html|sysctl.conf]]+
  
-All are parameters documented under the ''Documentation/networking'' directory +:!: Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to tuned beyond the defaults provided in the build.
-of kernel source tree so the specifics will not be repeated here.  See +
-''ip-sysctl.txt'' and ''nf_conntrack-sysctl.txt'' for reference.+
  
-:!: Since the OpenWrt feature set is fairly static, the kernel parameters almost +:!: Notice that netfilter bridging support in the kernel is disabled! 
-certainly do not need to tuned beyond the defaults provided in the build.+See ''ip-sysctl.txt'':
  
-:!: Notice that netfilter bridging support in the kernel is disabled!  See +<code>
-''ip-sysctl.txt'': +
- +
-<file>+
 bridge-nf-call-iptables - BOOLEAN bridge-nf-call-iptables - BOOLEAN
  1 : pass bridged IPv4 traffic to iptables' chains.  1 : pass bridged IPv4 traffic to iptables' chains.
  0 : disable this.  0 : disable this.
  Default: 1  Default: 1
-</file> +</code>
- +
-FIXME : the **sysctl** directives in ''/etc/init.d/sysctl'' are a superset of +
-those in the ''/etc/sysctl.d'' files.  The files in ''/etc/sysctl.d'' are +
-entirely redundant.  This may be a product of the build process.+
  
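Review bot: the opening sentence of the modules section is still incomplete and the change makes it worse: "The netfilter kernel modules are loaded at boot depend on the configured." now has two finite verbs and no object; suggest "The netfilter kernel modules loaded at boot depend on the configuration." Two grammar slips survive from the old side: "All are parameters documented under" should read "All parameters are documented under", and "do not need to tuned" should read "do not need to be tuned". The FIXME about the directives in ''/etc/init.d/sysctl'' being a superset of the ''/etc/sysctl.d'' files was deleted rather than resolved; if the redundancy was confirmed or fixed, a short note saying so would be better than silent removal. Replacing ''<file>'' with ''<code>'' around the ''ip-sysctl.txt'' excerpt is fine.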
  • Last modified: 2023/10/14 06:03
  • by vgaetera