New challenge: App-Firewall "add-on" needed!

We need programmers to make more tools like this (which already exist on Windows). Why has there been only ONE on Linux for such a long time?
It's called an "app firewall". In some distros it's broken or impossible to have because of dependency problems. I'd like to see some add-on as a web extension (plus an API for desktop GUI clients) for OpenWRT. Anyone in? I'm calling you on that good challenge!... :wink:
ps: in most Linux distros, by default, the firewall is set to let anything go out and communicate with the wild internet; that's simply WRONG. You know, of course, what I'm talking about... we have to fix what was broken for so long... it's time now.
Thank you.

ps: analogous software I know of (to help devs get the idea):

  1. Douane - douaneapp .com
  2. PacketFence - packetfence .org | or any other open source NAC (like opennac, etc.)
  3. Snort (just to give the idea)
  4. etc., will add more here later.

In my vision it must be implemented as a (LuCI?) web GUI + API for external users' desktop GUIs.
So users can operate the firewall through the web configuration OR install a client GUI for their own OS.
How it works: everything is locked for output by default. When a user starts any app, the router will detect network activity and trigger a pop-up in the GUI asking what to do: Enable app / Disable / Ignore / or something else (if there are other options).
I think it can also be done on top of the existing iptables (or anything else, if you think something will be better).
Thank you.

You do know that there is a LuCI app, right?

  • Are you saying that Windows desktop app installs on each client - and allows you to control the ISP's firewall???
  • Also, are you asking the community to make a non-router software to accompany a software to be installed on the router???

You took my post in the most wrong direction possible. Please stop this flood if you are not a programmer and don't have intentions to create something positive. Thank you.
ps: I want an analog of Douane (I even posted the link above). You obviously don't know what an "app-firewall" is.

If you insist.

But since you're talking about layer 7 in a layer 3 firewall, it would be nicer to answer my question.

I asked a question. That's how people DON'T take things wrong.

I know, I read it, and that's why I asked.

Why do you think I asked you?

I'm trying to understand - when you hit a button on the client, what do you want the OpenWrt firewall to do...but I guess you really don't want anyone to help.

I'm also trying to understand what's "broken."

Well, let's try again. And sorry for my frustration, it was just a hard day.

when you hit a button on the client, what do you want the OpenWrt firewall to do

OK. I want the firewall to block any traffic in any direction by default from boot.
Then when any traffic is detected, I want OpenWrt to act this way: detect the traffic (I don't know how this is done in Douane, but I'm sure you can take a look; or maybe use Snort for that, etc.? I don't know), recognise what APP it is, flag it and send a request to the GUI module.
I see the "GUI module" as two parts: an API for an external user GUI and/or a web GUI hosted on OpenWrt itself, so the user has a better choice of how to control this stuff. I'm not asking anyone to write a whole GUI for Windows or anything else; I also think that will be the easier part, it can even be done in wxPython or something similar, not a big deal. So, back to the GUI. It must ask the user what to do with this APP: Accept, Temporary Accept (for, let's say, 3 minutes), Block Forever, or just keep ignoring requests (maybe other options are possible; that's not the question right now, as we are speaking about the concept/idea in general). And based on the user's answer, work directly with the firewall/iptables.
Will it be hard to implement this logic? Maybe it's possible to just take the Douane code and convert it to OpenWrt? Or at least look into it to learn how this logic was done.
I mentioned Windows above just because I remember I also used some similar software on it a long time ago, maybe 15-20 years ago. Later I heard MC even built this app into Windows. I haven't used Windows for a long time already, so I don't know what the situation is there now. Anyway, I hope you got the idea better now. Thank you!

OK, this is much clearer.

This is an extremely complex project for someone who just signed up for the community to request...but I want to tackle the actual things that you will likely have to prepare for developers to get this going [in OpenWrt itself].


You also seem versed...does this API already exist?

The reason I say this is...what you wish is actually not that bad of an idea...I understand this now:

I think you're simply referring to software/libraries that monitor interfaces. Snort inspects traffic independently of any user interaction. Also, other software exists. The only problem is:

This is a big deal, unless you're running a quad or greater Core x86_64 CPU in your router, also the packages needed to install Python won't install on most supported routers.

  • Have you envisioned how you would secure the API (I ask because OpenWrt is setup only with a user root out-of-the-box)?

  • Last question (to try to fully understand and see if similar code already exists)...what are you solving by the user interaction of an accompanying client app?

I say this because, I've requested firewall capability be added to Snort available in OpenWrt by including another package:

I forgot to mention the user GUI will be remote, inside the LAN.

Have you envisioned how you would secure the API (I ask because OpenWrt is setup only with a user root out-of-the-box)?

Don't know. But I think creating a user is not a big problem, just click one button in the GUI. Or not?
It can even be no system user at all. It can even be a random pair of user/pass symbols, just copy/paste into the user's remote GUI and voilà! If a new pair is needed, just push the button again (on the OpenWrt side). The protocol can even be super simple, using netcat + some crypto maybe. I'm not a programmer, so it's hard for me to say. I'm sure devs will have a lot of options in mind here.

what are you solving by the user interaction of an accompanying client app?

I receive signals from the firewall and send commands back, "Go or Not Go", so the firewall just does my will.

ps: an "App Firewall" is needed for any home network, just to help stop leaking users' data; at least it can help find some suspicious activity and stop some software from communicating with the internet. Some software doesn't even need any network connection to work (for example your Paint program has no reason to connect to the network at all, just to paint some pictures, etc., etc.). And this is a real pain in the butt and a problem these days. That's why it must be fixed ASAP, imho.
Also I believe with this option OpenWRT can get way more popularity and respect from people.

So, by interacting with the firewall (through the GUI) the user will build a white list and black (block) list for software running on computers inside his network. Mostly I'm concerned with output rules for the firewall. Input rules can be done manually, separately and in the default way, and I simply don't care about that.
When I said "must be fixed what was broken for a long time" I meant exactly this point: by default most firewalls have the rule Output accepted to ALL, without control. And this is simply not secure and wrong. Fixing that manually will be very hard, so that's why we need some semi-automatic tool.

As I understand it, the ethernet interface must be in promiscuous mode and some sensor must watch all traffic and trigger when needed. That's why I was thinking about Snort. If it won't work for my task then I'm sure something similar already exists. Also the PacketFence project comes to mind: it has an "inline mode" and does similar tasks, so maybe someone can take a look at their code, if it helps. Just an idea on how to create our own sensor for our task.

ps: I'm not worried about resources, because I see it on x86 or on powerful enough ARM hardware with 2 or 4 cores.
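The flow described in the two posts above (default-deny, detect the first packet of a new outbound connection, ask the GUI, then write an iptables rule, including the 3-minute temporary accept), as an added example that is not code from the thread, from Douane or from OpenWrt. It assumes a default-DROP FORWARD chain that logs new flows with a constructed `EGRESS-NEW:` log prefix, and it keys decisions on LAN host plus destination/port only, since the router never sees which program sent the packet; the sample log lines in the usage are constructed.

```python
"""Policy engine for the "ask the user" egress firewall the thread describes (added example,
not code from the thread, Douane or OpenWrt). Assumes a default-DROP FORWARD chain that logs
the first packet of each new outbound flow via `iptables -j LOG --log-prefix "EGRESS-NEW: "`.
Decisions are keyed on LAN host + destination/port only: the router never sees the program."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard netfilter LOG field layout; only the fields the policy needs are captured.
LOG_RE = re.compile(r"EGRESS-NEW: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                    r"(?: SPT=\d+ DPT=(?P<dport>\d+))?")

@dataclass(frozen=True)
class Flow:
    src: str              # LAN client that opened the connection
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (e.g. ICMP)

def parse_log_line(line: str) -> Optional[Flow]:
    """Turn one kernel LOG line into a Flow, or None if it is not an EGRESS-NEW line."""
    m = LOG_RE.search(line)
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]) if m["dport"] else None) if m else None

def iptables_cmd(flow: Flow, target: str, delete: bool = False) -> str:
    """The FORWARD rule the router would run for a GUI verdict (returned as a dry-run string)."""
    port = f" --dport {flow.dport}" if flow.dport is not None else ""
    op = "-D" if delete else "-I"
    return f"iptables {op} FORWARD -s {flow.src} -d {flow.dst} -p {flow.proto}{port} -j {target}"

class Policy:
    """Remembers the user's answers: accept, temp-accept (expires), block or ignore."""
    def __init__(self):
        self.rules = {}  # Flow -> (verdict, expiry time in seconds or None)

    def lookup(self, flow: Flow, now: float) -> str:
        """'ask' means the GUI must prompt; anything else was already decided."""
        verdict, expiry = self.rules.get(flow, ("ask", None))
        return "ask" if expiry is not None and now >= expiry else verdict

    def answer(self, flow: Flow, verdict: str, now: float, ttl: float = 180) -> list:
        """Record the GUI answer; returns the iptables commands to apply (none for ignore)."""
        self.rules[flow] = (verdict, now + ttl if verdict == "temp-accept" else None)
        target = {"accept": "ACCEPT", "temp-accept": "ACCEPT", "block": "DROP"}.get(verdict)
        return [iptables_cmd(flow, target)] if target else []

    def expire(self, now: float) -> list:
        """Delete commands for temp-accepts that timed out (run from a timer)."""
        gone = [f for f, (_, exp) in self.rules.items() if exp is not None and now >= exp]
        for f in gone:
            del self.rules[f]
        return [iptables_cmd(f, "ACCEPT", delete=True) for f in gone]
```

A real deployment would feed `parse_log_line` from the router's kernel log, push "ask" flows to the GUI, and run the returned commands instead of printing them.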

I am kind of sympathetic to your idea but on the other side see no obvious way to make this work.

Your router has no context of what application sent the packet. All it (and the alert) will have is IP and port, which is not really helpful in an encrypted cloud world.

Also you will get DoS'ed with alerts if someone uses any kind of p2p software.


it's not clear what you are asking for.

the "application firewalls" I am aware of are things that run on the endpoint,
not the firewall, or they are much more sophisticated things like the Palo Alto
firewall that has no chance of running on the type of hardware that OpenWRT is
based on.

My day job is computer security, so I like to think I have a fair understanding
of the field.

David Lang


fuller, please. You obviously didn't do your homework. I said some software does this job already and exists. So nothing is impossible.

dlang, yes, this is the corporate level of firewalls only, so far. That's why I think it's time to bring this security level to every home; people must feel safe, but not with a fake safety.
And please read me carefully, your comment

no chance of running on the type of hardware

interferes with my words above: I don't care about hardware, as we always have a choice, and if I need it, I can even build a cluster of a few powerful ARM devices; many of them exist on the market already, and I'm also working on my own right now too. It will go open source. Also x86, even an old machine, can do this job too. Of course I'm not talking about the cheapest pieces of sh*t among ARM products which can't even handle basic QoS, etc.; who is interested in them these days anyway (the question is rhetorical)?
Soo... back to my request: are any devs here, or only end users/admins?

I want to talk to devs ONLY, so we won't waste time. Anyone, please? Thank you!

Then you should address your issues via the OpenWrt devel mailing list, see Contact


If you like to play teacher, maybe you should hire some junior developers first - if you recruit yourself, you might even get to play manager over yourself.


what is next you will want? an app-firewall 'add-on' plugin?

Then you should address your issues via the OpenWrt devel mailing list

So this Dev section of this forum is just fiction and not real? Why does it even exist then?
Thank you anyway; then I will try my luck with the BSD* firewall communities. If nothing works there either, then another option always exists: find some people with deep pockets and create it myself. But in this case I don't think it will be available free to everyone, you must understand.

You must say this to yourself first, before giving me your tips. Go away, troll!

I'm not in a rush, so I have time and would rather wait a little bit longer before moving away. If any of you reading this is not a dev, please don't comment here. Thank you, and have a nice day! :slight_smile:
Peace and love, everyone!