Need basic concepts explained in firewall documentation

I've been using OpenWrt as router and even as a server for years. I only try to use it as a firewall recently, however. Like any other open source projects, the documentation almost always assumes that the users are very experienced, and they only read the documentation in search for some advanced option (seriously?).

I have a lot of things to study, and only dive into network firewall for like 2 weeks -- I am merely a newbie. Reading the OpenWrt firewall documentation did not give me a good start. It does not explain basic concepts of firewall rules and priority (which applied from top to bottom). I have to do experiments on my company Fortigate firewall to guess how OpenWrt firewall works. To name a few things I found, which was not explained in OpenWrt documentation:

  • In zone configuration, option input, output, and forward are simply short forms of explicitly defining a config rule.
  • Same for config forwarding, which is a short form. We can define a lengthy config rule section which does the same thing.
  • Rules are applied in the order they are defined, which is from top to bottom in /etc/config/firewall. If a packet matches a rule, it is processed, and the rules below it are ignored.
  • Zone configuration and forwarding configuration have lowest priority, even if they are define at the top of /etc/config/firewall. Rules are always applied first.

Why is it so user unfriendly?

Both open source and commercial software is often this way because there is no way to know at what level the documents should be written, so no one spends (some would say "wastes") their time trying to cover all possible cases. You can use your collection of bullet points to start writing an "Introduction to Firewall Concepts", or modifying existing wiki pages, that you think will suit newcomers (although it will not be sufficient for everyone no matter how well written you make it, so that's where the forums come into play).


If it helps, I noticed that the information you listed - I never learned with OpenWrt. I learned it from general *nix firewall documentation.

Perhaps you could use such documentation to help edit the Wiki.

I didn't quite understand your terminology here, so I'll provide a link (the same applies for NFT):

Can you provide an example of what you mean?

I think you mean you discovered how to define a rule instead of a general zone forward?

It seems you discovered there's 2 ways to setup a forward rule (albeit, one appears in LuCI as a zone config, the other as a traffic rule).

1 Like

With a default network configuration:

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

The default firewall configuration is:

config forwarding
	option src lan
	option dest wan

I can achieve the same effect by deleting the above config forwarding section, and add a rule instead:

config rule
	option name 'accept forwarding from lan to wan'
	option src 'lan'
	list proto 'all'
	option dest 'wan'
	option target 'ACCEPT'
	option enabled '1'

I'm not sure what your point is. As is explained on the [OpenWrt Wiki] Firewall overview page, OpenWRT uses fw4 as a 'helper' application to convert the config file into the necessary nftables rules. The fact that some things can be done in more than one way shouldn't really be a surprise. But, even if it is, I'm not sure how going into extra detail explaining these multiple ways when (in this case) it can be done simply with a forwarding stanza is 'user unfriendly'.

Is the same thing with the zone input, output, and forwarding options. Yes you can create longer rule stanzas which will do the same thing. You can also directly write the nftable rules if you so wished. But, given your issue is about how not everyone is very experienced, I'm missing how adding this further, unnecessary, detail would make the documentation better for the inexperienced user.


Yea, I did understand. OK cool - it seems that the method suggested by default, the Wiki and generally on the forum would be to use the Zone method.

Your 1:1 analogy in this case is only applicable because they're Zones. In LuCI, it's analogous to deleting this from the LAN Zone config:


And proceeding to make a traffic rule instead:


As krazeh noted - I don't understand the reasoning of noting this particular method if the goal is user friendliness.

My point is: I expect the firewall documentation to have basic concepts explained, then an overview of each configuration section, their effects, and how all these interact with each other, which one is prioritized over the others. That way, the user has a better understanding of what they are going to do.

With the current format, the documentation simply lists a lot of syntax and options. It is more suitable for experienced users who go search for something they forget.

Fair enough. If I take the liberty of considering all of your points in unison - specifically the discovery of the default rules being applied last in the chain, indeed I find it profound. FYI for purposes of inclusion, there's also the General/Default rules - which apply if one fails to assign an Interface to a Zone.

It's the same discovery and "Eureka" moment I had when I understood Zone-based firewalls. I realized what companies used OpenWrt even. :wink:

Perhaps a clearly-defined section on how fw3 and fw4 are structured - in the paradigm of a *nix-based firewall would be a good intro?

What are your thoughts?

(BTW, it uses iptables/nft chains to produce the "Zone Affect".)