Firewall is running?

Dear all,
I'm a new user with a lot of doubts....
After rebooting the device, I executed the "service" command.
My question is:
Why is the firewall enabled but not running...?
How do I confirm that I'm protected?

root@OpenWrt:/usr/lib/ddns# service
Usage: service <service> [command]
/etc/init.d/boot                   enabled         stopped
/etc/init.d/cron                   enabled         stopped
/etc/init.d/ddns                   enabled         stopped
/etc/init.d/dnsmasq                enabled         running
/etc/init.d/done                   enabled         stopped
/etc/init.d/dropbear               enabled         running
/etc/init.d/firewall               enabled         stopped

Thanks in advance.
BR

Is this a fresh flash?

Have you changed anything?

Which device is it, and what file was used for flashing?

Same here. The firewall is loaded [into the Kernel] and completes.

On current OpenWrt:

nft list ruleset

Formerly:

iptables -S

3 Likes

Hi, thanks for your time.
Raspberry Pi 5
Last snapshot: openwrt-bcm27xx-bcm2712-rpi-5-squashfs-factory.img.gz
Fresh installation.
Currently,
eth0 -> it is used for the internal net.
eth1 -> TP-Link, working fine (I have installed the specific driver)

I have internet from eth0 -> eth1

You can also look in LuCI under “status -> firewall” menu for the actual rules applied.

1 Like

Because there is nothing to run about... The firewall is part of the kernel, it's not an independent process, and there is nothing running while the firewall is active. What the firewall service does is to load the rules from the config files, configure the rules in the kernel, and finish.

6 Likes
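What "loaded into the kernel" looks like when checked from the "nft list ruleset" output mentioned earlier in the thread, as an added example that is not part of any post here. It assumes the current firewall (fw4) keeps its rules in "table inet fw4"; the function names and the shortened sample ruleset are constructed for illustration, and the policies on a real router depend on /etc/config/firewall.

```shell
#!/bin/sh
# Added example: decide from `nft list ruleset` text whether fw4 rules are
# present in the kernel, independent of the "stopped" shown by `service`.

# Constructed, heavily shortened sample ruleset (not taken from the thread).
sample_loaded() {
cat <<'EOF'
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}
EOF
}

# Reads a ruleset on stdin. Prints "<hook> <policy>" for every base chain
# inside table inet fw4. Returns 0 only if both the input and the forward
# hook are present there, 1 otherwise (e.g. flushed or foreign ruleset).
fw4_check() {
	awk '
		/^table / { in_fw4 = ($2 == "inet" && $3 == "fw4") }
		in_fw4 && /type filter hook/ {
			hook = ""; policy = "accept"   # nftables default if none is printed
			for (i = 1; i <= NF; i++) {
				if ($i == "hook")   hook = $(i + 1)
				if ($i == "policy") { policy = $(i + 1); sub(/;/, "", policy) }
			}
			print hook, policy
			seen[hook] = 1
		}
		END { exit !(seen["input"] && seen["forward"]) }
	'
}

# Demo on the constructed sample; on a router: nft list ruleset | fw4_check
sample_loaded | fw4_check && echo "fw4 base chains are loaded"
```

A non-zero return after a reboot or a manual change means the kernel no longer holds the fw4 base chains, even though the init script still reports "enabled".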

Given that's true, it still seems counterintuitive to (new) users, because on Debian, Ubuntu, Red Hat, you name it, the firewall (service) is active and running, i.e. if you use systemd.

(This issue never occurred to me because I've also checked the state with iptables or nft, too....)

1 Like

I see your point but... If I start the firewall service and it loads my rules, then a different process changes those rules (or myself, by mistake), can we tell the user that the firewall is running?

1 Like

Yes, I see this issue too, that nobody can decide for sure which rule set is the current correct one during "runtime".

Edit PS: besides, certain chains are configured to be ignored by UCI, so at least the state of the UCI-defined rules could be checked to see if they are still active as configured...

2 Likes

OK, understood. I have changed a defined rule, and the firewall is working.
I would like to say thanks for this clarification. As _bernd said before, it is not intuitive for new users.
I am closing this topic.
Thanks to everybody.

1 Like
