Revisions compared: inbox:firewall:overview (2018/09/16 12:09, bobafetthotmail: page moved from inbox:firewall:firewall3:overview) against docs:guide-user:firewall:overview (2022/10/27 20:30, vgaetera: fw3>fw4 update). The text below is the later (fw4) revision.

====== Firewall overview ======
OpenWrt uses the firewall4 (''fw4'') netfilter/nftables rule builder application.
It runs in user-space to parse a configuration file into a set of ''nftables'' rules and loads them into the kernel netfilter modules.

===== Purpose =====
The netfilter rule set can be very complex for a typical router.
This is by necessity; each rule is tailored to a discrete capability provided by the router to protect its supported networks, provide [[docs:guide-user:firewall:fw3_configurations:fw3_nat|NAT]] to conserve scarce IPv4 addresses, even ''mangle'' the packets during routing.
A typical router has over 100 rules designed to support packet routing.

The ''fw4'' application is used by OpenWrt to "safely" construct a rule set while hiding much of the details.

On inspecting the rule set ''fw4'' generates (''fw4 print'' renders it without loading it; ''nft list ruleset'' shows what is actually loaded in the kernel), you will see a number of netfilter/nftables rules either not explicitly defined in the firewall configuration files, or more difficult to understand (thank goodness for the ''comment "!fw4: ..."'' annotation fw4 attaches to every generated rule!).
The netfilter rules include:
  * A number of chains for each zone and action, e.g. ''input_wan'', ''forward_lan'', ''accept_to_wan'', ''reject_from_wan''.
  * ''input'' and ''output'' rules for the often forgotten loopback interface (''iifname "lo" accept'' and ''oifname "lo" accept'').
  * The ''option syn_flood 1'' or ''option mtu_fix 1'' each translate to complex nftables rules.
  * The ''option masq 1'' translates to a ''masquerade'' statement in the zone's ''srcnat'' chain, the nftables equivalent of the old iptables ''MASQUERADE'' target.
  * ''mangle'' rules that match bits in the packet's TCP header and then modify the packet.

The firewall configuration is fairly straightforward and automatically provides the router with a base rule set and an understandable configuration file for additional rules.

The rules consumed by netfilter are, at best, difficult to comprehend due to the exacting nature of netfilter.
However, every rule provides a desired capability or **blocks** a malicious one, and is therefore necessary.

===== Process control =====
''fw4'' is typically managed by invoking the shell script ''/etc/init.d/firewall''.
The shell script accepts the following set of arguments:
  * ''boot'': this is invoked during system init (bootup)
  * ''start'': parse the configuration files and load the resulting rules into the netfilter kernel modules
  * ''stop'': flush the rules built from the configuration from the kernel modules (the modules themselves will not be unloaded)
  * ''restart'', ''reload'': regenerate the rule set from the configuration files and replace the loaded one
  * ''flush'': (dangerous) delete all rules and all non-default chains, which leaves the kernel with nothing to filter on; every packet is then accepted

Behind the scenes, ''/etc/init.d/firewall'' calls ''fw4'', passing the argument on to the binary.
In some cases the argument is accompanied by additional flags to suppress log messages, or preceded by ''fw4 check'' to validate the configuration files before they are loaded.

:!: When invoking ''stop'', **only** the rules in the configuration files will be flushed.
Those rules automatically generated by ''fw4'' will be retained.
Verify what is still loaded after ''stop'' with ''nft list ruleset'' before relying on it.

:!: If **all** the rules are flushed by invoking ''flush'', the effect is an ''ACCEPT'' policy everywhere: the router accepts every packet addressed to it and forwards every packet on towards its destination network, providing **no security**.

In cases where the router becomes inaccessible because ''DROP'' is set as the default policy, access can be restored through one of two methods:

  * Connecting via [[docs:techref:hardware:port.serial|Serial Console]]
  * Booting into [[docs:guide-user:troubleshooting:failsafe_and_factory_reset|Failsafe mode or performing a Factory Reset]]

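The following shell script is an added example; it is not part of this page nor of the fw4 project. It illustrates two points made above at once: the generated rules that never appear in ''/etc/config/firewall'' (the loopback accepts, the ''syn_flood'' chain, MTU fixing, masquerading), and the state the ''flush'' warning describes. The ''sample_ruleset'' function holds a constructed ''nft list ruleset'' dump in the shape fw4 emits; the interface names ''eth1'' and ''br-lan'', the rule comments and the ''forward'' chain left at ''policy accept'' are illustrative assumptions, not output copied from a real router. ''check_filter_policies'' reports any filter base chain on the input or forward hook that is at ''policy accept'', and also an empty ruleset, which is what remains after ''flush''.

```shell
#!/bin/sh
# Added example (not fw4 code): inspect an `nft list ruleset` dump for the
# base-chain policies fw4 normally leaves in place, and flag the "accept
# everything" state that /etc/init.d/firewall flush produces.

# Constructed sample in the shape of fw4 output. Interface names and comments
# are illustrative. The "forward" chain has deliberately been left at
# "policy accept" so the check below has something to report.
sample_ruleset() {
cat <<'EOF'
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
    }
    chain output {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
    }
    chain syn_flood {
        limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
        drop comment "!fw4: Drop excess packets"
    }
    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
        oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan egress MTU fixing"
    }
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
    }
    chain srcnat_wan {
        meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
    }
}
EOF
}

# Read a ruleset on stdin and print one line per base chain:
#   <chain> <type> <hook> <priority> <policy>
# Only chains with a "type ... hook ..." line are base chains; regular chains
# such as syn_flood or srcnat_wan have no policy of their own.
base_chain_policies() {
  awk '
    /^[[:space:]]*chain / { chain = $2 }
    /^[[:space:]]*type [a-z]+ hook / {
      for (i = 1; i < NF; i++) {
        v = $(i + 1); sub(/;$/, "", v)
        if ($i == "type")     ctype = v
        if ($i == "hook")     hook = v
        if ($i == "priority") prio = v
        if ($i == "policy")   policy = v
      }
      print chain, ctype, hook, prio, policy
    }'
}

# Exit 0 if the ruleset on stdin still filters, 1 otherwise. Two failure modes:
#  - a filter base chain at "priority filter" on the input or forward hook with
#    "policy accept" (the output hook is accept by default on OpenWrt, and the
#    mangle-priority and nat chains are always accept, so they are not flagged);
#  - no filter base chain on the input hook at all, which is what an empty
#    ruleset after "flush" looks like.
check_filter_policies() {
  base_chain_policies | awk '
    $2 == "filter" && $4 == "filter" && $3 == "input" { seen_input = 1 }
    $2 == "filter" && $4 == "filter" && ($3 == "input" || $3 == "forward") && $5 == "accept" {
      printf "WARNING: base chain %s (%s hook) has policy accept\n", $1, $3
      bad = 1
    }
    END {
      if (!seen_input) { print "WARNING: no filter base chain on the input hook (ruleset flushed?)"; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# True if the loopback accept rule fw4 adds to the input chain is present.
has_loopback_accept() {
  grep -q 'iifname "lo" accept'
}

# Usage on a router (after ". ./check.sh"):  nft list ruleset | check_filter_policies
# Against the constructed sample:            sample_ruleset | check_filter_policies
```

Run against the sample it reports the ''forward'' chain and exits 1; pipe an empty input into it and it exits 1 as well, which is the signal to look for right after a ''flush''. The priority field is what keeps the ''mangle_forward'' chain (also type filter on the forward hook, but legitimately ''accept'') from being reported.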
===== References =====
[[https://git.openwrt.org/project/firewall4.git|Source code]]
  
  • Last modified: 2023/10/14 06:04
  • by vgaetera