Can I be hacked/compromised by updating these packages?

Hello, new to OpenWrt. I was wondering if it would be a security risk or possibly disable my firewall by updating packages in the Software tab?

Thanks.

No, updating packages generally will not expose you to new vulnerabilities. There is always the possibility that a new vulnerability could be discovered in a newer version of a given package (or there could be a supply chain attack), but this is not something you need to worry about normally.

That said, upgrading packages needs to be done with caution because you can damage your installation.

Upgrading packages (via the CLI opkg upgrade/apk upgrade commands or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.

Would it expose me by disabling my firewall, or would that be safeguarded in the event of breakage?

Or from my understanding it's simply a stability, possible borkage thing.

Are there built-in safeguards for the firewall in the event it was borked? Or am I thinking of this wrong?

Updating packages cannot disable your firewall.

The default firewall is set up to be secure. You can make whatever modifications you desire, but there are no safeguards to ensure you don't create a vulnerability in your own setup insofar as it will do as it is told. So if you're making changes to the firewall, make sure you know what you're doing.

All of that said, what is prompting your concern?

I just updated packages in Software. I thought I needed to do that, and asked AI, and it said it could break my firewall and leave me exposed, so I wanted to verify. I never make changes to the wan zone of my firewall and always make sure it's on the default wan settings. My question is: would updating these packages disable my firewall, which you said it cannot.

AI does not provide meaningful answers for OpenWrt. It is almost always wrong.

AI is wrong.... it will not break your firewall. But be sure to read the warning I provided.

The firewall has a feature to abort a reload if the new ruleset would cause a syntax error with nftables, but that’s about it for safety mechanisms.

Other added or updated packages may try to add new rules to the firewall config or directly via nftables and cause issues within the existing firewall4 framework as those packages evolve.

For better or worse, firewall4 hasn’t been updated in over a year, so it’s not likely to get its own update in the near future.

I'm confused now.
You're saying essentially:

  1. AI is wrong
  2. My firewall will not be broken (security-wise, as in disabled and letting the internet in)
  3. Updating packages can hurt stability or bork it, BUT it will not disable the firewall
  4. If I have configured my firewall wan zone the default way, I will be fine.
  5. If the firewall wan zone is default, I'm not compromised by updating packages
    Correct?

Right. It is worth extra emphasis on this point -- if you use AI to advise you about your OpenWrt configuration, you'll almost certainly cause more harm than good.

Correct.

Also correct. Read the information in the linked article and you'll get more information about why this can fail (TL;DR: ABI incompatibilities can sometimes be at fault, we've seen storage space fill up, and other issues).

More accurately: If you left the firewall in the default configuration, you will be fine. If you have changed it, it all depends on what you actually did.

Package installations/updates aren't going to disable the firewall or otherwise compromise your system by nature of the installation. Configuration of said packages, if done incorrectly, could of course cause problems.

Alright then, I am good. I am experienced with the firewall and left it default, and read that post today already. I will not use AI; it simply hallucinates and is unreliable. Thanks!

One more question: how do I verify from the LuCI UI that the firewall is running? If the tab is there, does that mean it's running, etc.?

I see the tab and zones under Network; this I assume means it's running, with my VLAN configs.

(Please allow users time to answer. It's a forum, not instant messaging.)

The firewall is in the kernel, you can run commands to see the loaded data (same on any Linux system). And it's available on the web GUI.

Quite simply, if you're using IPv4 in most normal contexts where NAT is required, if the firewall was disabled, your connection would fail as well (IPv4 NAT masquerading is a firewall function).

In LuCI, you can navigate to Status > Firewall.
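
As an added example (not part of the original thread), here is a POSIX shell check for the point made above that the loaded firewall data can be inspected from the command line. It reads `nft list ruleset` output on stdin; the function names and the abridged sample ruleset are constructed for illustration, and the checks assume fw4's `table inet fw4` with an input hook whose default policy is drop.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `nft list ruleset` text on stdin and
# reports whether the fw4 table is loaded with a default-drop input hook.
# On the router: nft list ruleset | fw4_check   (non-zero exit = a check failed)
fw4_check() {
    awk '
        # Track whether we are inside "table inet fw4" (the table fw4 creates).
        /^table / { in_fw4 = ($2 == "inet" && $3 == "fw4"); if (in_fw4) table = 1 }
        # Base chain on the input hook: record its default policy.
        in_fw4 && /type filter hook input/ {
            policy = ($0 ~ /policy drop;/) ? "drop" : "not drop"
        }
        # IPv4 NAT masquerading is done by a rule in the same table.
        in_fw4 && / masquerade/ { masq = 1 }
        END {
            printf "%s table inet fw4 loaded\n", (table ? "ok  " : "FAIL")
            printf "%s input hook policy: %s\n", (policy == "drop" ? "ok  " : "FAIL"), (policy == "" ? "none" : policy)
            printf "info masquerade rule: %s\n", (masq ? "present" : "absent")
            exit !(table && policy == "drop")
        }'
}

# Constructed, abridged sample modeled on a default-style fw4 ruleset;
# compare against the real output on your own device.
sample_ruleset() {
    cat <<'EOF'
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "br-lan" jump input_lan
        iifname "wan" jump input_wan
        jump handle_reject
    }
    chain srcnat_wan {
        meta nfproto ipv4 masquerade
    }
}
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_ruleset | fw4_check
```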

OK, it is. Thank you guys for the help, will put a solution now.

You can safely update packages with owut. Do owut check; it will tell you if there are package updates for your build.