Firewall overview
OpenWrt uses the firewall4 (fw4
) netfilter/nftables rule builder application.
It runs in user-space to parse a configuration file into a set of nftables
rules, sending each to the kernel netfilter modules.
Purpose
The netfilter rule set can be very complex for a typical router.
This is by necessity; each rule is tailored to a discrete capability provided by the router to protect its supported networks, provide NAT to conserve scarce IPv4 addresses, even mangle
the packets during routing.
A typical router has over 100 rules designed to support packet routing.
The fw4
application is used by OpenWRT to “safely” construct a rule set while hiding much of the details.
On inspecting the netfilter rule set using fw4 print
, you will see a number of netfilter/nftables rules either not explicitly defined in the firewall configuration files, or more difficult to understand (thank goodness for the --comment
match!)
The netfilter rules include:
- A number of chains (mis-termed
_rule
) for each special target and zone. - INPUT and OUTPUT for the often forgotten loopback interface.
- The
option syn_flood 1
oroption mtu_fix 1
each translate to complex nftables rules. - The
option masq 1
translates to the '-j MASQUERADE' target for NAT. mangle
rules that match bits in the packets TCP header and then modify the packet.
The firewall configuration is fairly straight forward and automatically provides the router with a base rule set of rules and an understandable configuration file for additional rules.
The rules consumed by netfilter are, at best, difficult to comprehend due to the exacting nature of netfilter. However, every rule provides desired capability or blocks malicious capability, and therefore necessary.
Process control
fw4
is managed by the firewall
service.
The shell script accepts the following
set of arguments:
boot
: this is invoked during system init (bootup)start
: parse configuration files and write to the netfilter kernel modulesstop
: flush configuration rules from the kernel modules (they will not be unloaded)restart
,reload
: read the netfilter rules from the kernel, replace using the configuration files, and write back to the netfilter kernel modules.flush
: (dangerous) delete all rules, delete non-default chains, and reset default policies toACCEPT
.
In some cases, the argument will be accompanied by additional flags to suppress log messages, or calls to internal functions as described above to verify the configuration files.
When invoking stop
, only the rules in the configuration files will be flushed.
Those rules automatically generated by fw4
will be retained.
If all the rules are flushed by invoking flush
, the default policy is set to ACCEPT
and the router will pass all packets to, or forward on, to the destination network, providing no security.
In cases where the router becomes inaccessible due to DROP
set as the default policy, access can be restored through one of two methods:
- Connecting via Serial Console
- Performing a Factory Reset