| inbox:firewall:overview [2018/09/16 12:09] – ↷ Page moved from inbox:firewall:firewall3:overview to inbox:firewall:overview bobafetthotmail | docs:guide-user:firewall:overview [2020/10/27 16:16] – [fw3 process control] devnrand |
|---|---|
| ====== fw3 Overview ====== | ====== Firewall Overview ====== |
| Firewall3 (''fw3'') is a netfilter/iptable rule builder application. It runs | OpenWrt uses the firewall3 (''fw3'') netfilter/iptable rule builder application. |
| in user-space to parse a configuration file into a set of ''iptables'' rules, | It runs in user-space to parse a configuration file into a set of ''iptables'' rules, sending each to the kernel netfilter modules. |
| sending each to the kernel netfilter modules. | |
| |
| ===== fw3 Purpose ===== | ===== fw3 Purpose ===== |
| necessity; each rule is tailored to a discrete capability provided by the router | necessity; each rule is tailored to a discrete capability provided by the router |
| to protect its supported networks, provide | to protect its supported networks, provide |
| [[inbox:firewall:fw3_configurations:fw3_nat|NAT]] to conserve scarce IPv4 | [[docs:guide-user:firewall:fw3_configurations:fw3_nat|NAT]] to conserve scarce IPv4 |
| addresses, even ''mangle'' the packets during routing. A typical router has | addresses, even ''mangle'' the packets during routing. A typical router has |
| over 100 rules designed to support packet routing. | over 100 rules designed to support packet routing. |
| | |
| ===== fw3 process control ===== | ===== fw3 process control ===== |
| The fw3 application uses the procd subsystem to for management. The conventional | ''fw3'' is typically managed by invoking the shell script ''/etc/init.d/firewall''. The shell script accepts the following |
| interface is ''/etc/init.d/firewall'', a shell script calling ''fw3'' with a small | |
| set of arguments: | set of arguments: |
| |
| * ''start'': parse configuration files and write to the netfilter kernel modules | * ''start'': parse configuration files and write to the netfilter kernel modules |
| * ''stop'': flush configuration rules from the kernel modules (they will not be unloaded) | * ''stop'': flush configuration rules from the kernel modules (they will not be unloaded) |
| * ''restart'', ''reload'': read the netfilter rules from the kernel, replace using the | * ''restart'', ''reload'': read the netfilter rules from the kernel, replace using the configuration files, and write back to the netfilter kernel modules. |
| configuration files, and write back to the netfilter kernel modules. | * ''flush'': (dangerous) delete all rules, delete non-default chains, and reset default policies to ''ACCEPT''. |
| | |
| | Behind the scenes, ''/etc/init.d/firewall'' then calls fw3, passing the argument to the binary. In some cases, the argument will be accompanied by additional flags to suppress log messages, or calls to internal functions as described above to verify the configuration files. |
| |
| :!: When invoking ''stop'', **only** the rules in the configuration files will be flushed. | :!: When invoking ''stop'', **only** the rules in the configuration files will be flushed. |
| Those rules automatically generated by ''fw3'' will be retained. If ALL the rules are flushed, | Those rules automatically generated by ''fw3'' will be retained. |
| and the default policy is set to ''DROP'' then all communication to | |
| and through the router would be dropped. Conversely if the default policy is ''ACCEPT'' then the | :!: If **all** the rules are flushed by invoking ''flush'', the default policy is set to ''ACCEPT'' and the router will pass all packets to, or forward on, to the destination network, providing **no security**. |
| router would provide no security. | |
| | In cases where the router becomes inaccessible due to ''DROP'' set as the default policy, access can be restored through one of two methods: |
| | |
| | * Connecting via [[docs:techref:hardware:port.serial|Serial Console]] |
| | * Performing a [[docs:guide-user:troubleshooting:failsafe_and_factory_reset|Factory Reset]] |
| |
| | ===== fw3 references ===== |
| | Source Code on GitHub: [[https://github.com/gigibox/fw3/]] |
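As an added example (not part of this wiki page or of the fw3 project), the following POSIX shell helper classifies the filter-table state that ''/etc/init.d/firewall start'', ''stop'' or ''flush'' leaves behind, working from the text of ''iptables -S'': rules loaded, flushed to all-''ACCEPT'' with no rules (the no-security state described above), or locked out with a ''DROP'' policy and no rules (the serial-console/failsafe case). It relies on fw3 tagging the rules it generates with an ''!fw3'' comment, and the sample dumps are constructed rather than captured from a device.

```sh
#!/bin/sh
# Classify the filter-table state left behind by /etc/init.d/firewall
# start | stop | flush, from the text of `iptables -S`.
# Live use on a router: fw3_state "$(iptables -S)"
fw3_state() {
    dump=$1
    p_in=$(printf '%s\n' "$dump"  | awk '$1 == "-P" && $2 == "INPUT"   { print $3 }')
    p_fwd=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
    rules=$(printf '%s\n' "$dump" | awk '/^-A / { n++ } END { print n + 0 }')
    # fw3 tags every rule it generates with a "!fw3" comment; the rest are custom rules.
    fw3_rules=$(printf '%s\n' "$dump" | awk '/^-A / && /--comment "?!fw3/ { n++ } END { print n + 0 }')
    chains=$(printf '%s\n' "$dump" | awk '/^-N / { n++ } END { print n + 0 }')
    if [ "$rules" -gt 0 ]; then
        echo "LOADED rules=$rules fw3_rules=$fw3_rules chains=$chains"
    elif [ "$p_in" = ACCEPT ] && [ "$p_fwd" = ACCEPT ]; then
        echo "OPEN"    # after `flush`: no rules, every packet passes, no security
    elif [ "$p_in" = DROP ]; then
        echo "LOCKED"  # no accept rules and INPUT drops: serial console or failsafe only
    else
        echo "UNKNOWN"
    fi
}

# Constructed sample dumps (not captured from a real router).
DUMP_LOADED='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N zone_lan_input
-N zone_wan_input
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT'
DUMP_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
DUMP_LOCKED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT'

for d in "$DUMP_LOADED" "$DUMP_FLUSHED" "$DUMP_LOCKED"; do
    fw3_state "$d"
done
```

A cron job or a post-''reload'' hook that alerts on anything other than ''LOADED'' catches both the flushed and the locked-out states before they are discovered the hard way.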