[Not so] Minor rant

I'm an everyday Joe who just happens to care about his security and privacy, so here I am.

I had to let something out.

Do developers really hate day to day users? Do they need to make everything more complicated than it needs to be?

For example, let's look at the firewall...

We got Input and Output.

I know what you're thiking. It's simple.

No, duh... they're not what you think, "Input" is not the same as "Incoming" or "output is not the same as "Outgoing" dumbass! get rekt n00b.

ok cool sir, I spent 5 hours reading documents already, but I will continue...

Forwarding and Forward. This one was so easy. I mean who could not guess that? Why didn't we call them a monkey and a spaceship and wait until users figure it out? We use arrows to help them after all!

Maybe use more arrows pointing from Forward to Forwarding. There should be even more arrows pointing at nothing! That'll be understood huh?

Even bring in shapes like hexagonal prisms, ellipsoids, icosahedrons. Leave nothing to chance...

....

Let's look at the firewall status and you'll find everything you wanted to know... Oh.
...

Chain *forwarding_lan_rule*
Chain *forwarding_rule*
Chain *forwarding_wan_rule*
Chain *input_lan_rule*
Chain *input_rule*
Chain *input_wan_rule*
Chain *output_rule*
Chain *output_wan_rule*
Chain *reject*
Chain *syn_flood*
Chain *zone_lan_dest_ACCEPT*
Chain *zone_lan_dest_REJECT*
Chain *zone_lan_forward*
...
...
...

"Say what again kind sir?"

Did you think it was gonna be easy n00b?

No, I just came here to see the firewall rules. I though it could be easy like "incoming" or "outgoing" or whatever. Now I gotta get a network engineering degree and try again! Sure!

THE PACKAGE NAMES

  • collectd-mod-rr
  • odhcp6c
  • nlbwmon
  • iptable-mod-rpfilter
    ...
    ...
    ...

They're named perfectly and their descriptions are amazingly clear on what they do. nlbwmon? Well it's a monitor, can't you see the "mon"? nlbw part is a secret, go figure it out.

Rpfilter? It's not roleplaying dumbass. Look at the description and you'll understand. I mean who doesn't know what "reverse path filter test on a packet" means? Or how it can be a filter. Or how it is related to a firewall? Don't be ridiculous. It's a test on a packet. It's also a filter. Even my mama can understand this. Pft...

But my mama is a linux expert, so you'll have to become another linux expert, and then come back and you'll undestand!
....

End note: Not here to bash anyone or anything, just needed to let this frustration out.

Adios.

4 Likes

I get your rant, but some of this stuff just is complicated. Some of it can't be abstracted into a simpler language.
That being said, have you looked at the UCI syntax for the firewall? That's a VERY good attempt at simplifying the firewall for you. There's a layer that turns what is almost human readable rules into iptables commands and you don't even need to understand how that works.

If you really want to understand input, output and forward, try this
https://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html
It took me a while to get my head around it when I first tried, but it's not hard once you get it.

8 Likes

Any iptables based fw would look (something) like this, it's not unique for openwrt in any way.

I agree with lantis1008, the web UI does a good job here.

If you want 'simple' install shorewall, and start editing text files...

1 Like

Unfortunately, networking is hard. Consumer-Level hardware does a VERY good job at making sure said "average Joe" can use their product - this is why you don't have the configuration and control abilities you find with "more advanced" Firmware.

You're ability to know enough to be concerned for your security is a good step, but if you wanted easy, you should have taken the Blue pill :smiley:

Security is the compromise between Confidentiality, Integrity, and Access. You are choosing to give up Access(ability) for the other two. It means you will NEED to learn about what that means, yes, but it will also give you a great appreciation for what it takes.

Also, keep in mind your level of security can be excessive. Knowing your attack surface has to be balanced against just how big a target you think you might be.

I know you will sit down and hash through the issue. You will learn what you need to reach the level of satisfaction with your level of security at some point and say "Yeah, that's enough".

On the bright side, if you become the Wizard of IP Chains, it's a good paying gig :smiley:

10 Likes

The firewall words are complicated mostly base from where you look at it.
It took a while for me to get it since it is easy to think/see it from the zone viewpoint.

But if you imagine you sit in the “air traffic controller” in the CPU the forward, input and output makes more sense. Because these words makes more meaning if you let the forward data move on the airport, the input are allowed to land from a zone and go somewhere on the airport and outgoing they fly of to another zone. But you don’t sit in the actual zone.

2 Likes

Average, every day Joe user has no need to understand the firewall status and package names
if you see something you don't understand, then you don't need to (for basic operation)
if you want to understand it all, you're not the average Joe user anymore

and if you are going to ask "well why don't we make firewall status user friendly?"
the reason is, that is a huge rabbit hole that involves taking up flash space in order to rewrite every possible set of rules in plain english. Why would a developer write code to take industry standard output and rewrite it?

Also, the user friendly version already exists. Its a simple matter of you looked in the wrong place for answers, and rather should be on the firewall configuration page (Network --> Firewall) and edit a zone.

as for the zone rules, if you think of a router as a "post office" that operates "mail" its simple

input: final destination is the post office
output: original source is the post office
forward: handling other people's mail between points

Similar to confronting a real-life problem, it is nice to be exposed to advanced information you don't fully understand, because it encourages people to learn something new, if they feel like they should.

6 Likes

I feel there is a big contradiction in your post.

In many use cases (and once it has been installed), OpenWrt is just plug-and-play, there is no need to do any configuration, besides changing passwords, and perhaps configuring a PPPoE client. A noob does not need to understand all those aspects mentioned in your post.

Then, for not-so-noob use cases, there are many step-by-step guides available; and anybody can do great things with OpenWrt, without becoming an expert.

Why would a noob need to list (and understand) the firewall rules by name? OpenWrt has LuCI to make things dead easy, then uci for the more experienced user. It's like complaining that a car is difficult to drive because you got lost taking the engine apart...

7 Likes

And why do a noob analyze the name of these packages? How does a noob even find these packages?
I feel I am a advanced user now after a couple of years but I have never ever come close to feel the need to think about the meaning of these packages, not even close!

1 Like

Better this way than doing harmful things to your computer equipment.

To soothe your initial pain with OpenWrt (or linux in general), see it from the humoristical side: Technical Jargon Overload

Have fun with OpenWrt! :slight_smile:

9 Likes

Try Mikrotik

Firewall hard, git gud

I completely understand (and echo) your rant!

I mucked around with openwrt many years ago (back in the 'bad old days'(?) before the LEDE schism, which i was completely unaware of until recently), but am back now because I backed the @drandyhaas 'Maxwell' mesh project on kickstarter.

there's basically no documentation of how that system is configured, other than the system itself. it's doing stuff for which there's no LuCI webgui. ok, fine. so I went looking thru config files.

i don't know exactly (and that's why I'm replying) but there's some funky VLAN trunking going on in there that i still haven't groked, so my first attempt to add fw zones and networks & SSIDs for guest & IOT was a total failure, bricked one of the 3 routers I had, had to factory-restore all of them to get back to scratch.

and if i change the network from the default 192.168.2.0 to anything else, mesh also seems to stop working. i've searched through config files to see if the mesh has config for that that also needs to change when you change the network, but haven't found it yet...

so yeah, very steep learning curve to come up to speed on openwrt's amazing capabilities, but which obviously comes at a steep price on how to configure things, and understanding some new network trickery that didn't exists (or at least wasn't in common use) in domestic or small-biz routers that last time I had anything to do with routers in general. it's hard, just gotta read thru lots of stuff. i've also watched a bunch of youtube vids about bits of networking tech. i'm getting there. openwrt lets you do whateverthefrak you want, but also shoot yourself in the foot very easily.

i'd kill for some graphical / diagrammatic explanations of how stuff works... it's probably 'out there', somewhere...

and that's before i even begin to work out how to build openwrt from source (updated for modernity since these devices were programmed 7+ months ago) with this haasmesh add-on... i'll get there eventually, but I understand your pain!

I'm happy to work with you to put together a guide about how Maxwell mesh works behind the scenes. You're right this is useful for advanced users such as yourself who might want to customize things further using openwrt. Not to make excuses, but it is just really hard for me to do this myself - because I already know how it all works - so it's "obvious" to me. :slight_smile: It would be great if we could put something together together, where you identify the parts that need explaining. DM me if you'd like to start on that.

There's really no special "vlan trunking" or anything fancy set up in Maxwell. I tried to keep it as simple as possible. But how you set up vlans in a batman mesh is a bit different, I think. I've never tried it. I could try to point you in the right direction.

There shouldn't be any reason you can't change the subnet of the maxwell mesh, especially after the mesh has been setup. I can try to help you with that - again DM me if interested.

Building openwrt from source is pretty easy, and adding haasmesh to it is just one extra step, which is documented in the README of the haasmesh github. Again, I can help you with that if you DM me. There are some special tricks needed to get a good build capable of things like large MTU for batman wired backhaul etc, depending on what device you're targeting.

And yes, documentation for these types of open-source things like openwrt is always minimal. I also wish it could be better. But it's just a fact of life that people like us like to write code and get stuff working, and we don't like (and aren't good at) writing documentation.

It all matches exactly in naming and function to how Netfilter/IPTables have worked since the 1990s

So I guess, catch up?

1 Like

hey Andy, thanks for replying so quick.

i totally get that chasm between those who are new, and those who've somehow come up to speed & forgotten what they didn't know they didn't know ;). it's uncomfortable for me to coming at things like this from the noob side, but everyone's a noob at everything until they're not.

i'm not au fait with openwrt forum etiquette. i'm very open to the idea of helping to expand the Maxwell documentation, though I'd prefer it to not orbit around me alone. is it ok to start a new forum post, in public, to discuss this, and see if we can come up with this 'intermediary' documentation?

1 Like

That's a good idea, please do!

1 Like

Bit of a me too to agree this can be hard.

I remember compiling the Linux IP Masquerade patch into my home Linux rig c. 1996 to allow two upstream Windows computers to share the single dial-up phone line via what we now call NAT. To quote from the current document

From the original IPMASQ HOWTO author: "As a new user, I found it very confusing to setup IP masquerade on the Linux kernel, (back then, its was a 1.2.x kernel)..."

I just wanted it to work rather than mess around. But I got it figured out and it was very useful to also help me understand various things about IPv4.

As others have said if you're looking at the networking rules and components in detail it does take you into "non-trivial" land. If there are specific questions just ask "how do I..." and the answer may help you not just achieve that thing but also trigger a light-bulb as to why it does what it does.

BTW, if you lay out all the firewall rules as a "tree" you'll see that a lot of them are empty (or I did when I looked :slight_smile: ). That will probably make you roll your eyes even more!

I inferred / assumed that was indeed a "developer bright idea" / good architecture so there were a set that the system and packages could reliably mange plus a set for users to dabble with. Laying out the "tree" should help things collapse down the three main rules (INPUT, OUTPUT, FORWARD IIRC) and if you know which one you want to adjust it should be quite easy to see the one chain to put it into.

Your ranting at the wrong people.
It isn't firewall that makes it complicated. Remember it was that nut al gore's invention that created the problem. Government makes everything over complicated and incomprehensible.
Making sense and interfacing with government will never be possible. If anyone ever figures it out, they will outlaw it. :bomb:

So are you vertisiephobic? No rant about the up and down arrows to move policies up and down the chain......

Cheer up though. Just think of the fun when these trinary transistors get put in chips. Now it can be an input, output, or a forward rule all at the same time. I can't get my head around how you program for 0, 1, or both. The real nightmare has yet to start......Should make random number generators easier though :crazy_face:

You might try DD-WRT if it exists for your hardware. It has a user friendly interface. I use OpenWRT on all my access points but DD-WRT on my main router/firewall, just because of its ease of use but still many options for custom settings.

1 Like