Executing scripts at boot time

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I am quite sympathetic to your idea. I also wanted to do this originally, as I am familiar with iptables but was new (still am) to openWrt.

I eventually decided against it though, because it became apparent that many services in openWrt rely on the fw3 firewall. Even other firewall type applications like banIP do not try to replace fw3.

If you use iptables directly and disable fw3, you actually have very little user testing on openWrt, it seems.

So kudos to you for trying anyway. Please keep us updated on this, particularly if you hit security issues. I suspect you might discover unknown edge cases in that setup at some point.

1 Like

In the Linux systems I've worked with - and I believe OpenWrt is no different - the firewall functionality is always provided by iptables. You need to flush the tables if you want to disable the firewall. From what I've read fw3 has it's own description of the firewall (in its own language) and creates iptables rules. If you disable the fw3 firewall iptables gets flushed. If you re-enable these tbles are rebuilt from the fw3 description.

I expect that other tools that need to modify iptables go through fw3 to manipulate the firewall.

I agree that having two hands on the wheel (in this case modify iptables directly and through fw3) is not a good idea.
I followed the recommendation of Pavel - I cleared the default firewall rules and added my own in the firewall.user.
All the default chains (not used by me, but possibly by other tools) are still there.
If I stop and restart the firewall (using luci) all my private rules are reconstructed. Which, of course is, would not be the case if I use a script to create these rules.

As an aside - on a soapbox - I personally do not feel fw3 adds a lot of value. Sure, creating safe firewall rules can be complex and tricky. From the fw3 description it's purpose is to simplify things. It probably depends on your past experience and the situation in which the router is deployed.
I would be quite happy with a barebone Linux system, which would permit me to use standard default Linux tools.

But, although I do have some past experience with OpenWRT from the white Russian days - I am still reacquainting myself with OpenWRT. I now have two test systems running, and these seem to work well. I do appreciate the possibilities OpenWRT opens that on the default router firmware would not be possible.

1 Like

Unfortunately, no, e.g. you are missing zone-specific chains.
Those are used for connection tracking, traffic marking, forwarding, masquerading, etc.

Don't underestimate the importance of safe config.
Even experienced users are prone to make mistakes and typos.
Modular verification applied by fw3 can significantly minimize related risks.

Moreover, iptables is on the verge of deprecation.
All modern general-purpose Linux distros should have already utilized nftables.
And the next version of OpenWrt firewall aka fw4 relies on nftables.


As long as you are happy with the plain LuCi management, fw3 seems to be OK, because even to be required.
However, in case of trying "unusual" or more advanced system setups, fw3 is a real pothole in the road to succesful implementation.
Which finally caused me to drop fw3 for all setups, even simple ones.

I do not see the benefit in inventing a new method of describing the firewall (read: iptables) rules, when the bare-bone iptables-rules would suffice. And having the advantage of the availability of a lot of docs.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.