Discussion:
Firewalls: Rant
Sylvia Else
2024-12-07 08:51:30 UTC
Really?

I have to learn a THIRD way of doing firewalling?

First it was ipchains.

Then it was iptables.

Now apparently, that's not good enough, so I have to get my head around
nftables.

Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.

And all I wanted to do was upgrade the OS to get rid of a long-standing
and very annoying race condition that would kill the WiFi at
unpredictable moments.

Yes, I know I'm using this router in a rather different way from the
usual, but sometimes people do things like that.

Sylvia.
Computer Nerd Kev
2024-12-07 21:14:59 UTC
Post by Sylvia Else
Now apparently, that's not good enough, so I have to get my head around
nftables.
Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
And all I wanted to do was upgrade the OS to get rid of a long-standing
and very annoying race condition that would kill the WiFi at
unpredictable moments.
Yes, I know I'm using this router in a rather different way from the
usual, but sometimes people do things like that.
I guess it depends how different your usage is, but if you're using
OpenWrt's fw4 firewall configuration, it's supposed to accept the
same configuration syntax as fw3, so the switch to nftables
shouldn't be causing problems if you were using that
(/etc/config/firewall).

Mind you, the increased bloat of current OpenWrt (or its included
software, including the Linux kernel, which have been getting
bigger with each version) has caused me problems. Including,
as it happens, issues with it killing the WiFi when it ran out of
RAM. Oh for a maintained software environment that doesn't have an
obesity problem...
--
__ __
#_ < |\| |< _#
Sylvia Else
2024-12-08 05:35:37 UTC
Post by Computer Nerd Kev
Post by Sylvia Else
Now apparently, that's not good enough, so I have to get my head around
nftables.
Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
And all I wanted to do was upgrade the OS to get rid of a long-standing
and very annoying race condition that would kill the WiFi at
unpredictable moments.
Yes, I know I'm using this router in a rather different way from the
usual, but sometimes people do things like that.
I guess it depends how different your usage is, but if you're using
OpenWrt's fw4 firewall configuration, it's supposed to accept the
same configuration syntax as fw3, so the switch to nftables
shouldn't be causing problems if you were using that
(/etc/config/firewall).
Mind you, the increased bloat of current OpenWrt (or its included
software, including the Linux kernel, which have been getting
bigger with each version) has caused me problems. Including,
as it happens, issues with it killing the WiFi when it ran out of
RAM. Oh for a maintained software environment that doesn't have an
obesity problem...
I was just using iptables directly, since I know how to configure it. I need
to reverse the trust relationship, trusting wan, and not trusting lan.
In the end I've just gone through the luci stuff, replacing lan with wan
and vice versa. Now I just need to figure out the best way of blocking
access from lan to some wan subnets. Probably not difficult, though it
would help if I could find a defined syntax, rather than just examples.
Maybe I'm just looking in the wrong place.

Sylvia.
Computer Nerd Kev
2024-12-08 06:24:47 UTC
Post by Sylvia Else
I was just using iptables directly, since I know how to configure it. I need
to reverse the trust relationship, trusting wan, and not trusting lan.
In the end I've just gone through the luci stuff, replacing lan with wan
and vice versa. Now I just need to figure out the best way of blocking
access from lan to some wan subnets. Probably not difficult, though it
would help if I could find a defined syntax, rather than just examples.
Maybe I'm just looking in the wrong place.
I've never used the LuCI Web interface, but this page has plenty of
details for editing the /etc/config/firewall file:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration
--
__ __
#_ < |\| |< _#
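As an added illustration (not from either poster or the OpenWrt documentation), the reversed-trust setup Sylvia describes can be expressed in the /etc/config/firewall UCI syntax that fw4 still accepts: the wan zone is the trusted side, lan is not, and a rule rejects forwarding from lan to chosen wan subnets. The subnet values are placeholders from the RFC 5737 documentation ranges, not real addresses.

```uci
# Assumed /etc/config/firewall fragment for OpenWrt fw4 (same syntax as fw3).
# Trust is reversed relative to the stock config: wan is trusted, lan is not.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Untrusted zone: hosts on lan may not reach the router itself.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted zone: hosts on wan may manage the router.
config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wan may initiate traffic into lan ...
config forwarding
	option src 'wan'
	option dest 'lan'

# ... and lan may reach wan, except where a rule below says otherwise.
config forwarding
	option src 'lan'
	option dest 'wan'

# Rules are evaluated before zone forwarding, so this REJECT wins for the
# listed destinations. Placeholder subnets: replace with the real wan ranges.
config rule
	option name 'Block-lan-to-selected-wan-subnets'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	option proto 'all'
	list dest_ip '192.0.2.0/24'
	list dest_ip '198.51.100.0/24'
	option target 'REJECT'
```

After editing, `/etc/init.d/firewall reload` applies the config and `fw4 check` validates it before the reload.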
Sylvia Else
2024-12-08 10:52:08 UTC
Post by Computer Nerd Kev
Post by Sylvia Else
I was just using iptables directly, since I know how to configure it. I need
to reverse the trust relationship, trusting wan, and not trusting lan.
In the end I've just gone through the luci stuff, replacing lan with wan
and vice versa. Now I just need to figure out the best way of blocking
access from lan to some wan subnets. Probably not difficult, though it
would help if I could find a defined syntax, rather than just examples.
Maybe I'm just looking in the wrong place.
I've never used the LuCI Web interface, but this page has plenty of
details for editing the /etc/config/firewall file:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration
Thanks for the link.

Sylvia.
Salvador Mirzo
2024-12-11 23:39:40 UTC
Post by Sylvia Else
Really?
I have to learn a THIRD way of doing firewalling?
First it was ipchains.
Then it was iptables.
Now apparently, that's not good enough, so I have to get my head
around nftables.
That's wild. I remember telling myself---gotta study ipchains. But
then iptables appeared and I was like---hm, interesting! Maybe my life
will be easier now. Lol. Perhaps I can be glad I never got around to
studying any of them? The nftables website says it's a successor to
iptables.

I think that's not the way to do things. We should not blindly follow
along software development. Remember---many of these things will fall.
Programming languages for instance. If you're still writing Perl or
Lisp, say, you're doing just fine. In fact, you are much more
productive if you just keep using your good tools and let the world move
on.

Of course, perhaps you work in a market that is always high on the new
kid on the block, but then perhaps the best thing is to get out of that
market.

I interviewed with a company in Paris once. They didn't hire me and
called me old school due to C and Lisp. I was a little hurt. I was
their age, but I think they don't care about my teachers' lessons.
Lawrence D'Oliveiro
2024-12-12 01:12:06 UTC
Post by Salvador Mirzo
I think that's not the way to do things. We should not blindly follow
along software development. Remember---many of these things will fall.
These “new” ideas have been around for years, decades. They have already
proven themselves in production mission-critical use. They are now
spreading out from there to become commonplace.