| inbox:firewall:firewall_components [2018/08/22 15:40] – dturvene | docs:guide-user:firewall:firewall_components [2023/10/14 06:03] (current) – formatting vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Firewall | + | ====== Firewall |
| - | The OpenWrt firewall implementation is the mechanism by which network traffic | + | The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. |
| - | is filtered coming through the router. | + | At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). |
| - | will occur: either the packet is discarded (dropped) without any further | + | Note that the router itself is a destination for management and monitoring. |
| - | action, rejected (with an appropriate response to the source), or accepted | + | |
| - | (routed to the destination). | + | |
| - | management and monitoring. | + | |
| - | The OpenWrt firewall revolves around the Linux | + | The OpenWrt firewall revolves around the Linux [[http:// |
| - | [[http:// | + | There are the following main components to the OpenWrt firewall: |
| - | components to the OpenWrt firewall: | + | |
| - | - the [[inbox:firewall:firewall3: | + | - the [[docs:guide-user:firewall: |
| - a set of netfilter hooks in the kernel networking stacks | - a set of netfilter hooks in the kernel networking stacks | ||
| - a set of linux kernel modules that handle the inspection of network packets | - a set of linux kernel modules that handle the inspection of network packets | ||
| - a set of kernel tuning parameters to configure the network stacks and firewall modules | - a set of kernel tuning parameters to configure the network stacks and firewall modules | ||
| - | This documentation is based on | + | This documentation is based on [[releases:18.06:notes-18.06.0|OpenWrt 18.06.0]]. |
| - | [[https:// | + | Many of the configurations have been tested against this release using the [[docs: |
| - | Many of the configurations have been tested against this release using the | + | |
| - | [[inbox: | + | |
| ===== Firewall3 (fw3) ===== | ===== Firewall3 (fw3) ===== | ||
| - | The [[inbox:firewall:firewall3: | + | The [[docs:guide-user:firewall: |
| - | application used to provision the firewall. | + | It was developed by the OpenWrt team specifically for the project. |
| - | team specifically for the project. | + | |
| ===== Kernel netfilter hooks ====== | ===== Kernel netfilter hooks ====== | ||
| - | Each of the network stacks have netfilter '' | + | Each of the network stacks have netfilter |
| - | in the code. As a network packet moves through the stack, each hook may be | + | As a network packet moves through the stack, each hook is called to check the packet against |
| - | called to check the packet against | + | |
| - | These hooks are placed in the kernel network stack code at specific points in | + | The netfilter |
| - | the packet processing. | + | Each hook takes the following arguments: |
| - | hook takes the following arguments: | + | |
| * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet | * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet | ||
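Review bot: the right-hand text of the Kernel netfilter hooks paragraph still reads "Each of the network stacks have netfilter", which keeps the subject-verb mismatch from the old revision; it should be "Each of the network stacks has netfilter". In the same paragraph the new side changes "each hook may be called to check the packet" to "each hook is called to check the packet", which is a change of meaning rather than of formatting; if that is intended it should be called out, since the revision summary says only "formatting".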
| Line 44: | Line 35: | ||
| * a function callback if the packet passes the filter | * a function callback if the packet passes the filter | ||
| - | ===== netfilter | + | ===== Kernel |
| - | The netfilter kernel modules loaded at boot depend on the configured. | + | The netfilter kernel modules |
| - | are roughly 35 kernel modules to support the standard netfilter capabilities. | + | There are roughly 35 kernel modules to support the standard netfilter capabilities |
| + | For example, many routers use the [[http:// | ||
| + | This adds ~16 additional kernel modules. | ||
| - | Most of the netfilter modules are small, providing a single specific | + | Most of the netfilter modules are small, providing a single specific capability. |
| - | capability. | + | For example: |
| * '' | * '' | ||
| Line 55: | Line 48: | ||
| * '' | * '' | ||
| - | Several of the netfilter modules are larger. For example: | + | Several of the netfilter modules are larger. |
| + | For example: | ||
| * '' | * '' | ||
| - | The number of kmods expands as netfilter capabilities are added. Just | + | ===== Kernel tuning via sysctl ===== |
| - | enabling [[http://ipset.netfilter.org|ipset]] in the config adds 16 kmods! | + | The '' |
| + | This is a shell script that loads '' | ||
| + | These set/tune kernel parameters to provide OpenWrt features. | ||
| + | See [[man> | ||
| - | ===== Kernel Tuning via sysctl ===== | + | All are parameters documented under the '' |
| - | ''/ | + | See '' |
| - | loads '' | + | |
| - | set/tune kernel parameters to provide OpenWrt features. | + | |
| - | [[http:// | + | |
| - | All are parameters documented under the '' | + | :!: Since the OpenWrt feature set is fairly static, |
| - | of kernel source tree so the specifics will not be repeated here. See | + | |
| - | '' | + | |
| - | :!: Since the OpenWrt feature set is fairly static, the kernel parameters almost | + | :!: Notice that netfilter bridging support in the kernel |
| - | certainly do not need to tuned beyond the defaults provided in the build. | + | See '' |
| - | :!: Notice that netfilter bridging support in the kernel is disabled! | + | <code> |
| - | '' | + | |
| - | + | ||
| - | <file> | + | |
| bridge-nf-call-iptables - BOOLEAN | bridge-nf-call-iptables - BOOLEAN | ||
| 1 : pass bridged IPv4 traffic to iptables' | 1 : pass bridged IPv4 traffic to iptables' | ||
| 0 : disable this. | 0 : disable this. | ||
| Default: 1 | Default: 1 | ||
| - | </file> | + | </code> |
| - | + | ||
| - | FIXME : the **sysctl** directives in ''/ | + | |
| - | those in the ''/ | + | |
| - | entirely redundant. | + | |
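Review bot: the FIXME about the sysctl directives in ''/etc/sysctl.conf'' duplicating those in the ''/etc/sysctl.d'' files is deleted outright rather than resolved; if the redundancy was confirmed or cleaned up, a sentence stating which file is authoritative would preserve that for readers, otherwise the FIXME should stay so the open question is not lost. Separately, the old text reads "almost certainly do not need to tuned beyond the defaults", which is missing "be"; make sure the reworked sentence reads "do not need to be tuned".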