--- inbox:firewall:overview [2018/09/16 12:09] – ↷ Page moved from inbox:firewall:firewall3:overview to inbox:firewall:overview (bobafetthotmail)
+++ docs:guide-user:firewall:overview [2023/10/14 06:04] (current) – update (vgaetera)

-====== fw3 Overview ======
-Firewall3 (''fw3'') is a netfilter/iptable rule builder application.  It runs
-in user-space to parse a configuration file into a set of ''iptables'' rules,
-sending each to the kernel netfilter modules.
+====== Firewall overview ======
+OpenWrt uses the firewall4 (''fw4'') netfilter/nftables rule builder application.
+It runs in user-space to parse a configuration file into a set of ''nftables'' rules, sending each to the kernel netfilter modules.
 
-===== fw3 Purpose =====
-The netfilter rule set can be very complex for a typical router.  This is by
-necessity; each rule is tailored to a discrete capability provided by the router
-to protect its supported networks, provide
-[[inbox:firewall:fw3_configurations:fw3_nat|NAT]] to conserve scarce IPv4
-addresses, even ''mangle'' the packets during routing. A typical router has
-over 100 rules designed to support packet routing.
+===== Purpose =====
+The netfilter rule set can be very complex for a typical router.
+This is by necessity; each rule is tailored to a discrete capability provided by the router to protect its supported networks, provide [[docs:guide-user:firewall:fw3_configurations:fw3_nat|NAT]] to conserve scarce IPv4 addresses, even ''mangle'' the packets during routing.
+A typical router has over 100 rules designed to support packet routing.
 
-The fw3 application is used by OpenWRT to "safely" construct a rule set while
-hiding much of the details.
+The ''fw4'' application is used by OpenWRT to "safely" construct a rule set while hiding much of the details.
 
-On inspecting the netfilter rule set using ''fw3 print'', you will see
-a number of netfilter/iptables rules either not explicitly defined in the fw3 configuration files,
-or more difficult to understand (thank goodness for the ''--comment'' match!)
+On inspecting the netfilter rule set using ''fw4 print'', you will see a number of netfilter/nftables rules either not explicitly defined in the firewall configuration files, or more difficult to understand (thank goodness for the ''--comment'' match!)
 The netfilter rules include:
+  * A number of chains (mis-termed ''_rule'') for each special target and zone.
+  * INPUT and OUTPUT for the often forgotten loopback interface.
+  * The ''option syn_flood 1'' or ''option mtu_fix 1'' each translate to complex nftables rules.
+  * The ''option masq 1'' translates to the '-j MASQUERADE' target for NAT.
+  * ''mangle'' rules that match bits in the packets TCP header and then modify the packet.
 
-  * A number of chains (mis-termed ''_rule'') for each special target and zone
-  * INPUT and OUTPUT for the often forgotten loopback interface
-  * The ''option syn_flood 1'' or ''option mtu_fix 1'' each translate to complex iptable rules
-  * The ''option masq 1'' translates to the '-j MASQUERADE' target for NAT
-  * ''mangle'' rules that match bits in the packets TCP header and then modify the packet
+The firewall configuration is fairly straight forward and automatically provides the router with a base rule set of rules and an understandable configuration file for additional rules.
 
-The fw3 configuration is fairly straight forward and automatically provides the router
-with a base rule set of rules and an understandable configuration file for
-additional rules.
-
-The rules consumed by netfilter are, at best, difficult to comprehend due to
-the exacting nature of netfilter. However, every rule provides desired
-capability or **blocks** malicious capability, and therefore necessary
-
-===== fw3 Description =====
-fw3 is a user-space application similar in nature to the
-[[https://www.netfilter.org/projects/iptables/index.html|iptables]]
-application.
-
-Both use the ''libiptc'' library to communication with the netfilter kernel
-modules, and follow the same basic pattern:
-
-  * ''iptc_init'' to establish a socket and, using a ''getsockopt'' call, read the netfilter table into the application.  This is on a per-table (''filter'' by default) basis.
-  * Modify the chains, rules, etc. in the table. **All parsing and error checking is done in user-space by ''libiptc''**.
-  * ''iptc_commit'' to replace the table in the kernel.
+The rules consumed by netfilter are, at best, difficult to comprehend due to the exacting nature of netfilter.
+However, every rule provides desired capability or **blocks** malicious capability, and therefore necessary.
 
-===== fw3 process control =====
-The fw3 application uses the procd subsystem to for management.  The conventional
-interface is ''/etc/init.d/firewall'', a shell script calling ''fw3'' with a small
+===== Process control =====
+''fw4'' is managed by the ''firewall'' service.
+The shell script accepts the following
 set of arguments:
-
   * ''boot'': this is invoked during system init (bootup)
   * ''start'': parse configuration files and write to the netfilter kernel modules
   * ''stop'': flush configuration rules from the kernel modules (they will not be unloaded)
-  * ''restart'', ''reload'': read the netfilter rules from the kernel, replace using the
-    configuration files, and write back to the netfilter kernel modules.
+  * ''restart'', ''reload'': read the netfilter rules from the kernel, replace using the configuration files, and write back to the netfilter kernel modules
+  * ''flush'': (dangerous) delete all rules, delete non-default chains, and reset default policies to ''ACCEPT''
+
+In some cases, the argument will be accompanied by additional flags to suppress log messages, or calls to internal functions as described above to verify the configuration files.
 
 :!: When invoking ''stop'', **only** the rules in the configuration files will be flushed.
-Those rules automatically generated by ''fw3'' will be retained.  If ALL the rules are flushed,
-and the default policy is set to ''DROP'' then all communication to
-and through the router would be dropped.  Conversely if the default policy is ''ACCEPT'' then the
-router would provide no security.
+Those rules automatically generated by ''fw4'' will be retained.
+
+:!: If **all** the rules are flushed by invoking ''flush'', the default policy is set to ''ACCEPT'' and the router will pass all packets to, or forward on, to the destination network, providing **no security**.
+
+In cases where the router becomes inaccessible due to ''DROP'' set as the default policy, access can be restored through one of two methods:
+
+  * Connecting via [[docs:techref:hardware:port.serial|Serial Console]]
+  * Performing a [[docs:guide-user:troubleshooting:failsafe_and_factory_reset|Factory Reset]]
+
+===== References =====
+[[https://git.openwrt.org/project/firewall4.git|Source code]]
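A check for the ''flush'' failure mode described in the process-control section (every base chain left at policy ''accept'', providing no security). This is an added example, not part of the wiki page or the firewall4 project: it assumes you have saved ''nft list ruleset'' output from the router, the ruleset text embedded in the script is a constructed sample in nftables syntax, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki or the firewall4 project).
# Audits the base chains of the "inet fw4" table in saved `nft list ruleset`
# output and flags filter chains whose policy is "accept", which is the
# state the page says a `firewall flush` leaves behind.
# Constructed sample in nftables syntax (not captured from a real router):
# input and output already show the post-flush "policy accept".
SAMPLE_RULESET='table inet fw4 {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
    }
}'

# Print "<chain> <policy>" for every base chain of the given table (default fw4).
# Base chains are the ones whose body starts with a "type ... hook ..." line.
list_base_chain_policies() {
    table="${1:-fw4}"
    printf '%s\n' "$SAMPLE_RULESET" | awk -v want="$table" '
        /^table /        { cur_table = $3; next }
        /^[ \t]*chain /  { chain = $2; next }
        cur_table == want && $1 == "type" && /hook/ {
            for (i = 1; i <= NF; i++)
                if ($i == "policy") { pol = $(i + 1); sub(/;$/, "", pol) }
            print chain, pol
        }'
}

# Exit 0 when every filter base chain has a non-accept policy, 1 otherwise.
# NAT chains (srcnat/dstnat) legitimately use accept, so they are skipped.
filter_chains_are_closed() {
    list_base_chain_policies "$1" | awk '
        $1 == "srcnat" || $1 == "dstnat" { next }
        $2 == "accept" { open++ }
        END { if (open > 0) exit 1; exit 0 }'
}

# Stand-alone usage: show the policies and a verdict.
list_base_chain_policies
if filter_chains_are_closed; then echo "OK: filter base chains are closed"; else echo "WARNING: a filter base chain has policy accept (flushed ruleset?)"; fi
```

On a router, replace the sample with the real output (for example by piping ''nft list ruleset'' into the same awk) and run it after any ''stop'' or ''flush'' to confirm the filter chains are back to a closed policy before reconnecting the WAN.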
  
Last modified: 2023/10/14 06:04 by vgaetera