Differences
| inbox:firewall:overview [2018/09/16 12:09] – ↷ Page moved from inbox:firewall:firewall3:overview to inbox:firewall:overview bobafetthotmail | docs:guide-user:firewall:overview [2023/10/14 06:04] (current) – update vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | Firewall3 | + | OpenWrt uses the firewall4 |
| - | in user-space to parse a configuration file into a set of '' | + | It runs in user-space to parse a configuration file into a set of '' |
| - | sending each to the kernel netfilter modules. | + | |
| - | ===== fw3 Purpose ===== | + | ===== Purpose ===== |
| - | The netfilter rule set can be very complex for a typical router. | + | The netfilter rule set can be very complex for a typical router. |
| - | necessity; each rule is tailored to a discrete capability provided by the router | + | This is by necessity; each rule is tailored to a discrete capability provided by the router to protect its supported networks, provide [[docs: |
| - | to protect its supported networks, provide | + | A typical router has over 100 rules designed to support packet routing. |
| - | [[inbox: | + | |
| - | addresses, even '' | + | |
| - | over 100 rules designed to support packet routing. | + | |
| - | The fw3 application is used by OpenWRT to " | + | The '' |
| - | hiding much of the details. | + | |
| - | On inspecting the netfilter rule set using '' | + | On inspecting the netfilter rule set using '' |
| - | a number of netfilter/iptables | + | |
| - | or more difficult to understand (thank goodness for the '' | + | |
| The netfilter rules include: | The netfilter rules include: | ||
| + | * A number of chains (mis-termed '' | ||
| + | * INPUT and OUTPUT for the often forgotten loopback interface. | ||
| + | * The '' | ||
| + | * The '' | ||
| + | * '' | ||
| - | * A number of chains (mis-termed '' | + | The firewall configuration is fairly straight forward |
| - | * INPUT and OUTPUT for the often forgotten loopback interface | + | |
| - | * The '' | + | |
| - | * The '' | + | |
| - | * '' | + | |
| - | The fw3 configuration is fairly straight forward and automatically provides the router | + | The rules consumed by netfilter are, at best, difficult to comprehend due to the exacting nature of netfilter. |
| - | with a base rule set of rules and an understandable configuration file for | + | However, every rule provides desired capability or **blocks** malicious capability, and therefore necessary. |
| - | additional rules. | + | |
| - | + | ||
| - | The rules consumed by netfilter are, at best, difficult to comprehend due to | + | |
| - | the exacting nature of netfilter. However, every rule provides desired | + | |
| - | capability or **blocks** malicious capability, and therefore necessary. | + | |
| - | + | ||
| - | ===== fw3 Description ===== | + | |
| - | fw3 is a user-space application similar in nature to the | + | |
| - | [[https:// | + | |
| - | application. | + | |
| - | + | ||
| - | Both use the '' | + | |
| - | modules, and follow the same basic pattern: | + | |
| - | + | ||
| - | * '' | + | |
| - | * Modify the chains, rules, etc. in the table. **All parsing and error checking is done in user-space by '' | + | |
| - | * '' | + | |
| | | ||
| - | ===== fw3 process | + | ===== Process |
| - | The fw3 application uses the procd subsystem to for management. | + | '' |
| - | interface is '' | + | The shell script |
| set of arguments: | set of arguments: | ||
| - | |||
| * '' | * '' | ||
| * '' | * '' | ||
| * '' | * '' | ||
| - | * '' | + | * '' |
| - | | + | * '' |
| + | |||
| + | In some cases, the argument will be accompanied by additional flags to suppress log messages, or calls to internal functions as described above to verify the configuration files. | ||
| :!: When invoking '' | :!: When invoking '' | ||
| - | Those rules automatically generated by '' | + | Those rules automatically generated by '' |
| - | and the default policy is set to '' | + | |
| - | and through | + | :!: If **all** |
| - | router would provide no security. | + | |
| + | In cases where the router becomes inaccessible due to '' | ||
| + | |||
| + | * Connecting via [[docs: | ||
| + | * Performing a [[docs: | ||
| + | |||
| + | ===== References ===== | ||
| + | [[https:// | ||
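Review bot: two grammar slips are carried over unchanged into the new (right-hand) text and should be fixed in the same update: "The firewall configuration is fairly straight forward" should read "straightforward", and "every rule provides desired capability or **blocks** malicious capability, and therefore necessary" is missing its verb ("and is therefore necessary"). The whole "fw3 Description" section (the comparison with the iptables application, the note that both use the same kernel modules, and the three-step pattern ending with "All parsing and error checking is done in user-space") is deleted outright rather than rewritten for firewall4; since the intro now opens with "OpenWrt uses the firewall4", readers lose the only explanation of what the user-space tool actually does with the configuration, so consider carrying a firewall4 equivalent of that description forward. The new recovery bullets under "In cases where the router becomes inaccessible" are a welcome addition to the lock-out warning.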