Re: Firewalls: Rant

On 08-Dec-24 5:14 am, Computer Nerd Kev wrote:

Sylvia Else <sylvia@email.invalid> wrote:

Now apparently, that's not good enough, so I have to get my head around
nftables.
>
On, but wait, this is OpenWrt, which has yet another layer added - fw4.
>
And all I wanted to do was upgrade the OS to get rid of a long-standing
and very annoying race condition that would kill the WiFi at
unpredictable moments.
>
Yes, I know I'm using this router in a rather different way from the
usual, but sometimes people do things like that.

 I guess it depends how different your usage is, but if you're using
OpenWrt's fw4 firewall configuration, it's supposed to accept the
same configuration syntax as fw3, so the switch to nftables
shouldn't be causing problems if you were using that
(/etc/config/firewall).
 Mind you the increased bloat of current OpenWrt (or its included
software, including the Linux kernel, which have been getting
bigger with each version) has caused me problems. Including,
as it happens, issues with it killing the WiFi when it ran out of
RAM. Oh for a maintained software environment that doesn't have an
obesity problem...
 

I was just iptables directly, since I know how to configure it. I need to reverse the trust relationship, trusting wan, and not trusting lan. In the end I've just gone through the luci stuff, replacing lan with wan and vice versa. Now I just need to figure out the best way of blocking access from lan to some wan subnets. Probably not difficult, though it would help if I could find a defined syntax, rather than just examples. Maybe I'm just looking in the wrong place.
Sylvia.