


Firewalls: Rant

Started by Sylvia Else <sylvia@email.invalid>
First post 2024-12-07 16:51 +0800
Last post 2024-12-12 01:12 +0000
Articles 7 — 5 participants



Contents

  Firewalls: Rant Sylvia Else <sylvia@email.invalid> - 2024-12-07 16:51 +0800
    Re: Firewalls: Rant not@telling.you.invalid (Computer Nerd Kev) - 2024-12-08 07:14 +1000
      Re: Firewalls: Rant Sylvia Else <sylvia@email.invalid> - 2024-12-08 13:35 +0800
        Re: Firewalls: Rant Computer Nerd Kev <not@telling.you.invalid> - 2024-12-08 16:24 +1000
          Re: Firewalls: Rant Sylvia Else <sylvia@email.invalid> - 2024-12-08 18:52 +0800
    Re: Firewalls: Rant Salvador Mirzo <smirzo@example.com> - 2024-12-11 20:39 -0300
      Re: Firewalls: Rant Lawrence D'Oliveiro <ldo@nz.invalid> - 2024-12-12 01:12 +0000

#26254 — Firewalls: Rant

From Sylvia Else <sylvia@email.invalid>
Date 2024-12-07 16:51 +0800
Subject Firewalls: Rant
Message-ID <lrigkhFkmi4U1@mid.individual.net>
Really?

I have to learn a THIRD way of doing firewalling?

First it was ipchains.

Then it was iptables.

Now apparently, that's not good enough, so I have to get my head around 
nftables.

Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.

And all I wanted to do was upgrade the OS to get rid of a long-standing 
and very annoying race condition that would kill the WiFi at 
unpredictable moments.

Yes, I know I'm using this router in a rather different way from the 
usual, but sometimes people do things like that.

Sylvia.



#26255

From not@telling.you.invalid (Computer Nerd Kev)
Date 2024-12-08 07:14 +1000
Message-ID <6754bad3@news.ausics.net>
In reply to #26254
Sylvia Else <sylvia@email.invalid> wrote:
> Now apparently, that's not good enough, so I have to get my head around 
> nftables.
> 
> Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
> 
> And all I wanted to do was upgrade the OS to get rid of a long-standing 
> and very annoying race condition that would kill the WiFi at 
> unpredictable moments.
> 
> Yes, I know I'm using this router in a rather different way from the 
> usual, but sometimes people do things like that.

I guess it depends how different your usage is, but if you're using
OpenWrt's fw4 firewall configuration, it's supposed to accept the
same configuration syntax as fw3, so the switch to nftables
shouldn't be causing problems if you were using that
(/etc/config/firewall).

Mind you the increased bloat of current OpenWrt (or its included
software, including the Linux kernel, which have been getting
bigger with each version) has caused me problems. Including,
as it happens, issues with it killing the WiFi when it ran out of
RAM. Oh for a maintained software environment that doesn't have an
obesity problem...

-- 
__          __
#_ < |\| |< _#



#26257

From Sylvia Else <sylvia@email.invalid>
Date 2024-12-08 13:35 +0800
Message-ID <lrkph9F1cilU1@mid.individual.net>
In reply to #26255
On 08-Dec-24 5:14 am, Computer Nerd Kev wrote:
> Sylvia Else <sylvia@email.invalid> wrote:
>> Now apparently, that's not good enough, so I have to get my head around
>> nftables.
>>
>> Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
>>
>> And all I wanted to do was upgrade the OS to get rid of a long-standing
>> and very annoying race condition that would kill the WiFi at
>> unpredictable moments.
>>
>> Yes, I know I'm using this router in a rather different way from the
>> usual, but sometimes people do things like that.
> 
> I guess it depends how different your usage is, but if you're using
> OpenWrt's fw4 firewall configuration, it's supposed to accept the
> same configuration syntax as fw3, so the switch to nftables
> shouldn't be causing problems if you were using that
> (/etc/config/firewall).
> 
> Mind you the increased bloat of current OpenWrt (or its included
> software, including the Linux kernel, which have been getting
> bigger with each version) has caused me problems. Including,
> as it happens, issues with it killing the WiFi when it ran out of
> RAM. Oh for a maintained software environment that doesn't have an
> obesity problem...
> 

I was just using iptables directly, since I know how to configure it. I need 
to reverse the trust relationship, trusting wan, and not trusting lan. 
In the end I've just gone through the luci stuff, replacing lan with wan 
and vice versa. Now I just need to figure out the best way of blocking 
access from lan to some wan subnets. Probably not difficult, though it 
would help if I could find a defined syntax, rather than just examples. 
Maybe I'm just looking in the wrong place.

Sylvia.

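The arrangement Sylvia describes above (the router trusts the wan side and treats the lan side as hostile, with a few wan subnets walled off from lan) can be written in the same /etc/config/firewall syntax that fw3 used and fw4 still reads. The fragment below is an added illustration, not Sylvia's configuration and not taken from the OpenWrt documentation. It assumes the zones are still called lan and wan as in the thread, and the two blocked subnets (192.0.2.0/24 and 198.51.100.0/24) are placeholder documentation ranges standing in for whatever wan networks actually need to be kept away from lan.

```uci
# /etc/config/firewall (added example; zone names as in the thread,
# subnets are placeholders)

config defaults
	# Router-wide fallback: refuse traffic to the router and through it
	# unless a zone or rule below says otherwise.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	# The "lan" side is the untrusted one here: hosts on it may not reach
	# the router itself (no LuCI, no ssh, no DNS/DHCP unless a rule allows
	# it) and may not be forwarded anywhere by default.
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	# The "wan" side is trusted: it may talk to the router's own services.
	# masq/mtu_fix stay on the wan zone because they are about NAT towards
	# the upstream link, not about trust.
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	# Deny-list for specific wan subnets that lan must never reach.
	# fw4 emits rules with both src and dest into the forward_lan chain
	# ahead of the zone-forwarding accept, so this wins over the
	# forwarding entry below. Placeholder subnets (TEST-NET-1/2).
	option name 'Block-lan-to-protected-wan-subnets'
	option src 'lan'
	option dest 'wan'
	list dest_ip '192.0.2.0/24'
	list dest_ip '198.51.100.0/24'
	option proto 'all'
	option target 'REJECT'

config forwarding
	# Everything else from lan may still be forwarded out to wan.
	option src 'lan'
	option dest 'wan'
```

Two checks are worth running after editing this file on a current OpenWrt: `fw4 check` validates the UCI without touching the live ruleset, and `fw4 print` shows the nftables ruleset fw4 would generate from it, so the ordering of the reject rule against the `jump accept_to_wan` forwarding entry in `forward_lan` can be confirmed before `fw4 reload` (or `/etc/init.d/firewall reload`) applies it. One caveat of reversing the zones this way: with `input 'REJECT'` on lan, any lan client that still expects DHCP or DNS from the router will be refused until explicit `config rule` entries with `src 'lan'` and the relevant ports are added.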


#26258

From Computer Nerd Kev <not@telling.you.invalid>
Date 2024-12-08 16:24 +1000
Message-ID <67553baf@news.ausics.net>
In reply to #26257
Sylvia Else <sylvia@email.invalid> wrote:
> I was just using iptables directly, since I know how to configure it. I need 
> to reverse the trust relationship, trusting wan, and not trusting lan. 
> In the end I've just gone through the luci stuff, replacing lan with wan 
> and vice versa. Now I just need to figure out the best way of blocking 
> access from lan to some wan subnets. Probably not difficult, though it 
> would help if I could find a defined syntax, rather than just examples. 
> Maybe I'm just looking in the wrong place.

I've never used the LuCI Web interface, but this page has plenty of
details for editing the /etc/config/firewall file:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration

-- 
__          __
#_ < |\| |< _#



#26259

From Sylvia Else <sylvia@email.invalid>
Date 2024-12-08 18:52 +0800
Message-ID <lrlc2oF46llU1@mid.individual.net>
In reply to #26258
On 08-Dec-24 2:24 pm, Computer Nerd Kev wrote:
> Sylvia Else <sylvia@email.invalid> wrote:
>> I was just using iptables directly, since I know how to configure it. I need
>> to reverse the trust relationship, trusting wan, and not trusting lan.
>> In the end I've just gone through the luci stuff, replacing lan with wan
>> and vice versa. Now I just need to figure out the best way of blocking
>> access from lan to some wan subnets. Probably not difficult, though it
>> would help if I could find a defined syntax, rather than just examples.
>> Maybe I'm just looking in the wrong place.
> 
> I've never used the LuCI Web interface, but this page has plenty of
> details for editing the /etc/config/firewall file:
> https://openwrt.org/docs/guide-user/firewall/firewall_configuration
> 

Thanks for the link.

Sylvia.



#26285

From Salvador Mirzo <smirzo@example.com>
Date 2024-12-11 20:39 -0300
Message-ID <87bjxhpz5v.fsf@example.com>
In reply to #26254
Sylvia Else <sylvia@email.invalid> writes:

> Really?
>
> I have to learn a THIRD way of doing firewalling?
>
> First it was ipchains.
>
> Then it was iptables.
>
> Now apparently, that's not good enough, so I have to get my head
> around nftables.

That's wild.  I remember telling myself---gotta study ipchains.  But
then iptables appeared and I was like---hm, interesting!  Maybe my life
will be easier now.  Lol.  Perhaps I can be glad I never got around to
studying any of them?  The nftables website says it's a successor to
iptables.

I think that's not the way to do things.  We should not blindly follow
along with software development.  Remember---many of these things will fall.
Programming languages for instance.  If you're still writing Perl or
Lisp, say, you're doing just fine.  In fact, you are much more
productive if you just keep using your good tools and let the world move
on.

Of course, perhaps you work in a market that is always high on the new
kid on the block, but then perhaps the best thing is to get out of that
market.

I interviewed with a company in Paris once.  They didn't hire me and
called me old school due to C and Lisp.  I was a little hurt.  I was
their age, but I think they don't care about my teachers' lessons.



#26290

From Lawrence D'Oliveiro <ldo@nz.invalid>
Date 2024-12-12 01:12 +0000
Message-ID <vjdd95$1q6qt$2@dont-email.me>
In reply to #26285
On Wed, 11 Dec 2024 20:39:40 -0300, Salvador Mirzo wrote:

> I think that's not the way to do things.  We should not blindly follow
> along with software development.  Remember---many of these things will fall.

These “new” ideas have been around for years, decades. They have already 
proven themselves in production mission-critical use. They are now 
spreading out from there to become commonplace.




