Fw3 flush dangerous, defaults policy to ACCEPT

fw3 flush has dangerous default behavior.

Even if /etc/config/firewall sets defaults to DROP, "fw3 flush" will delete all rules/chains AND reset default policies to ACCEPT.

Anyone who uses fw3 flush as a replacement for "iptables -F && iptables -X" will get burned by this.

Is there any way to (a) change this dangerous default behavior, (b) warn the user when this happens?
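Added example, not code from any poster in this thread or from the fw3 project: a small POSIX shell wrapper for the router's root shell that records the built-in chain policies with `iptables -S` before running `fw3 flush`, reports any chain whose policy the flush changed, and re-applies the recorded policies. It assumes the stock `iptables` and `fw3` binaries on the box; the helper names `policy_restore_cmds`, `policy_diff` and `safe_flush` are my own, and the sample dumps in the comments are constructed.

```shell
#!/bin/sh
# Hypothetical "flush but keep the policies" wrapper (added example).
# Assumes busybox ash/POSIX sh, awk, iptables and fw3 as found on OpenWrt.

# Read an `iptables -S` dump on stdin and print the `iptables -P` commands
# that put the built-in chains back to the policies recorded in that dump.
# Example input line (constructed): "-P INPUT DROP" -> "iptables -P INPUT DROP"
policy_restore_cmds() {
    awk '$1 == "-P" { printf "iptables -P %s %s\n", $2, $3 }'
}

# Compare two dumps ($1 = before, $2 = after, both files) and print one line
# per built-in chain whose policy changed, e.g. "INPUT DROP -> ACCEPT".
# Exit status 1 when at least one policy changed, 0 otherwise.
policy_diff() {
    awk '
        FNR == NR { if ($1 == "-P") before[$2] = $3; next }
        $1 == "-P" && ($2 in before) && before[$2] != $3 {
            printf "%s %s -> %s\n", $2, before[$2], $3
            changed = 1
        }
        END { exit changed ? 1 : 0 }
    ' "$1" "$2"
}

# Snapshot, flush, then warn about and undo any policy reset done by fw3.
# Only the filter table is covered, because that is what `iptables -S`
# dumps without -t; run it on a box that actually has fw3 and iptables.
safe_flush() {
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    iptables -S > "$before"
    fw3 flush
    iptables -S > "$after"
    if ! policy_diff "$before" "$after" >&2; then
        echo "fw3 flush reset the policies listed above; restoring them" >&2
        policy_restore_cmds < "$before" | sh
    fi
    rm -f "$before" "$after"
}

# Usage on the router:  . ./safe_flush.sh && safe_flush
```

This does not change fw3 itself (the thread's question (a)); it only gives the user the warning asked for in (b) and keeps a DROP default from silently becoming ACCEPT. The chains are still empty afterwards, so `fw3 reload` is still needed to get the configured rule set back, and policies in the nat and mangle tables are not covered by the snapshot.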

Looks correct.
Flush is flushing all rules as expected.

Expected and predictable behavior.

The user is supposed to understand the commands before running them.
Especially when operating in a production environment.
To minimize risks, you can experiment in a VM or some isolated testing environment.

1 Like

This argument applies to literally any design choice you make, but it is particularly unpersuasive in this case.

First, the docs suggest that flush will default to DROP in this setting: "If all the rules are flushed, and the default policy is set to DROP then all packets to, and forwarded by the router, would be dropped." [1]

Second, fw3 flush is clearly modeled after "iptables --flush" but gives no indication of resetting all policies to the most permissive setting.

Third, there are no man pages, so users are almost encouraged to learn by experiment rather than by careful research.

Given that OpenWrt is where many users will first cut their teeth in networking, why build such sharp edges when it is totally unnecessary?

[1] https://openwrt.org/docs/guide-user/firewall/overview

1 Like

Unfortunately, OpenWrt docs are often outdated, incomplete and sometimes inaccurate.
You are welcome to update and correct it when you see that it doesn't match the actual behavior.
Root shell is dangerous by design and it's impossible to warn the user about all potentially harmful commands.

2 Likes