[OpenWrt Wiki] Firewall overview (2024)

OpenWrt uses the firewall4 (fw4) netfilter/nftables rule builder application. It runs in user-space to parse a configuration file into a set of nftables rules, sending each to the kernel netfilter modules.

Purpose

The netfilter rule set can be very complex for a typical router. This is by necessity; each rule is tailored to a discrete capability provided by the router to protect its supported networks, provide NAT to conserve scarce IPv4 addresses, or even mangle the packets during routing. A typical router has over 100 rules designed to support packet routing.

The fw4 application is used by OpenWrt to “safely” construct a rule set while hiding many of the details.

On inspecting the netfilter rule set using fw4 print, you will see a number of netfilter/nftables rules that are either not explicitly defined in the firewall configuration files, or more difficult to understand (thank goodness for the --comment match!). The netfilter rules include:

The firewall configuration is fairly straightforward and automatically provides the router with a base set of rules and an understandable configuration file for additional rules.

The rules consumed by netfilter are, at best, difficult to comprehend due to the exacting nature of netfilter. However, every rule provides a desired capability or blocks a malicious one, and is therefore necessary.

Process control

fw4 is managed by the firewall service. The shell script accepts the following set of arguments:

  • boot: this is invoked during system init (bootup)

  • start: parse configuration files and write to the netfilter kernel modules

  • stop: flush configuration rules from the kernel modules (they will not be unloaded)

  • restart, reload: read the netfilter rules from the kernel, replace using the configuration files, and write back to the netfilter kernel modules.

  • flush: (dangerous) delete all rules, delete non-default chains, and reset default policies to ACCEPT.

In some cases, the argument will be accompanied by additional flags to suppress log messages, or calls to internal functions as described above to verify the configuration files.

When invoking stop, only the rules in the configuration files will be flushed. Those rules automatically generated by fw4 will be retained.

If all the rules are flushed by invoking flush, the default policy is set to ACCEPT and the router will pass all packets to, or forward on, to the destination network, providing no security.
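A check for the flushed state described above, as an added example that is not part of the OpenWrt wiki or the fw4 code. The function name fw4_state and both sample dumps are constructed for illustration, and the table name "inet fw4" is assumed to match what fw4 print shows on the router.

```sh
#!/bin/sh
# Added example: classify an nftables ruleset dump read on stdin.
# On a router:  nft list ruleset | fw4_state
fw4_state() {
    awk '
        /^table / { in_fw4 = ($2 == "inet" && $3 == "fw4")
                    if (in_fw4) seen = 1
                    next }
        # Base chains carry the default policy on their "hook" line.
        in_fw4 && /hook (input|forward) / && /policy / {
            for (i = 1; i < NF; i++) {
                if ($i == "hook")   hook = $(i + 1)
                if ($i == "policy") { pol = $(i + 1); sub(/;$/, "", pol) }
            }
            if (pol == "accept") open = open " " hook
        }
        END {
            if (!seen)           print "flushed"
            else if (open != "") print "accept-default:" open
            else                 print "filtered"
        }'
}
# Constructed sample: fw4 table loaded, base chains default to drop.
sample_loaded() {
    cat <<'EOF'
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
EOF
}
# Constructed sample: fw4 table gone, only an unrelated table remains.
sample_flushed() {
    cat <<'EOF'
table inet example_other {
	chain input {
		type filter hook input priority filter; policy accept;
	}
}
EOF
}
sample_loaded  | fw4_state   # filtered
sample_flushed | fw4_state   # flushed
```

A result of "flushed" or "accept-default" on a WAN-facing router means the default-deny baseline is gone and the firewall service should be started again.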

In cases where the router becomes inaccessible due to DROP set as the default policy, access can be restored through one of two methods:


FAQs

How does an OpenWrt firewall work?

OpenWrt uses the firewall4 (fw4) netfilter/nftables rule builder application. It runs in user-space to parse a configuration file into a set of nftables rules, sending each to the kernel netfilter modules.

Where is the OpenWrt firewall file?

The firewall script generated by Firewall Builder for OpenWRT has a format that allows it to be placed directly in the /etc/init.d/ directory among other OpenWRT startup scripts.

What distro is OpenWrt based on?

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices (typically wireless routers).

What is the function of OpenWrt?

OpenWrt provides regular bug fixes and security updates even for devices that are no longer supported by their manufacturers. OpenWrt provides exhaustive possibilities to configure common network-related features, like IPv4, IPv6, DNS, DHCP, routing, firewall, NAT, port forwarding and WPA.

Is pfSense more secure than OpenWrt?

Features: Both OpenWrt and pfSense include a range of networking and security features, but pfSense is generally considered to be more comprehensive and feature-rich, with a focus on providing advanced firewall and routing capabilities.

What is the advantage of using OpenWrt?

What are the benefits of using OpenWRT for router customization? OpenWRT enables users to enhance security, extend router functionality with third-party applications, optimize network performance, and gain access to frequent updates and community-driven support.

Does OpenWrt have VPN?

Routers with OpenWRT firmware have been reported to support VPNs like NordVPN.

What is the local IP of OpenWrt?

The default IP of the LAN ports of an OpenWrt device is 192.168.1.1, if the addresses of the devices in the network you connect to the WAN port are 192.168.1.

How do I disable firewall in OpenWrt?

System -> Startup -> firewall with Enable/Disable, Start, Restart, Stop options.

Is OpenWrt still active?

OpenWrt 22.03 is EOL

The last release from the OpenWrt 22.03 series is 22.03.7; after this date we will not provide any updates for OpenWrt 22.03, not even for severe security problems. We encourage everyone to upgrade to OpenWrt 23.05, which will be supported till 2025.

How much RAM does OpenWrt use?

16MB Flash will provide for bare minimum installed packages. Devices with more storage are recommended. 128MB RAM will provide for minimal functionality. Devices with more RAM are recommended.

What kernel does OpenWrt use?

OpenWrt uses official GNU/Linux kernel sources and only adds patches for the system on chip and drivers for the network interfaces.

Does OpenWrt have a firewall?

Firewall configuration: /etc/config/firewall. OpenWrt's firewall management application, firewall, is mainly configured through /etc/config/firewall.

What filesystem does OpenWrt support?

It must be a filesystem of type: ext2/3/4, f2fs, btrfs, ntfs, or ubifs (note that it cannot be a FAT16/32 filesystem). For most, this filesystem will be on a USB storage device. However, it could also be on an SD card or a SATA drive connected via eSATA, or even a network block device (assuming it's set up early enough).

What is the user root in OpenWrt?

root is the username of the main administrative user on OpenWrt. We'll need to set that after we log in. Log in with the username of root and leave the password field empty. Note: If you cannot log in when the “No password set!” message is on-screen, even when the password field is blank, it could be a cookie problem.

How does a router firewall work?

A firewall is either a hardware device or a software application that helps protect your network from attackers. The firewall shields your network by acting as a 24/7 filter, scanning the data that attempts to enter your network and preventing anything that looks suspicious from getting through.

How does Application Gateway firewall work?

If a web application firewall (WAF) is in use, the application gateway checks the request headers and the body, if present, against WAF rules. This action determines if the request is a valid request or a security threat. If the request is valid, it's routed to the backend.

How does firewall gateway work?

How does an application level gateway firewall work? Most firewalls filter incoming data packets based on port numbers and internet protocol. Meanwhile, an ALG firewall provides an additional layer of security by filtering incoming traffic using a proxy to establish connections for remote users.

How does a proxy service firewall work?

It determines which traffic should be allowed and denied and analyzes incoming traffic to detect signs of a potential cyberattack or malware. A proxy server firewall caches, filters, logs, and controls requests from devices to keep networks secure and prevent access to unauthorized parties and cyberattacks.

Article information

Author: Rob Wisoky
