Please help me getting basic knowledge about the packet filter

root-r · July 1, 2019, 5:43pm

hi,

i know that these are newbie questions, but i haven't found them explicitly answered and i want to make sure that i have understood everything correctly.

i have learned that the input and output policies of the lan and the wan zone are intended for data coming to or from the router itself.

i assume that the "regular" network traffic (sending data over the router when browsing the internet with a pc connected to the router) is inspected and secured by openwrt's packet filter (which makes sure only requested packets can travel from the internet over the router and then back to my pc).

so i have three questions:

is the described assumption correct?
is the packet filter enabled by default on all devices?
are the default settings of the packet filter the same on all devices?

please help me to understand this. thank you

lleachii · July 1, 2019, 5:53pm

Your assumption is correct.
Yes.
Yes.

What do you need assistance in understanding?

If you want to know why LAN traffic successfully goes to WAN with the default config, that's because they're rules:

Permitting LAN to WAN traffic
A rule on WAN that enables masquerade (NAT) on traffic exiting WAN.

See Network > Firewall screen on the LuCI web GUI.

root-r · July 1, 2019, 8:35pm

Thank you.

You wrote "why LAN traffic successfully goes to WAN ... A rule on WAN that enables masquerade (NAT) on traffic exiting WAN". what rule is that? the default (my) setting for wan is input:reject, output:accept and forward:reject.

one more thing i would like to know is: if i use tor or a vpn on my computer, isn't openwrt's packet filter then unable to inspect the packets?

lleachii · July 1, 2019, 8:55pm

Masquerade?
This one, your WAN zone rule (the masq option):

config zone                  
        option name 'wan'     
        option output 'ACCEPT' 
        option masq '1'     
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        option network 'wan wan6'

And here's the rule that permits LAN to WAN:

config forwarding                            
        option dest 'wan'                       
        option src 'lan'

On your computer!?!?
It can see the encrypted packets. It doesn't do DPI anyways, so it cannot "inspect" them (it would need the private key to do so anyways).

So that means you can block the port/IP used to connect to the VPN server.

...Are you under an impression that your firewall isn't working...you need to understand zones...what are you attempting to understand?

Have you seen: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

root-r · July 1, 2019, 9:47pm

ah, okay, i thought you were just referring to the settings of input/output/forward (which i know are only relevant for the traffic coming to or from the router itself, that's why i was confused).

basically i was just attempting to understand if the packet filter works on the traffic i described in the first post and if the settings are the same for all devices. since these assumptions were confirmed to be correct, that's all i want to know so far.

to the tor/vpn situation: in my research about packet-filter firewalls, i have read that (even without deep-packet-inspection), it checks the packets e.g. for ip-addresses to know they have been requested. but as you said, when one uses tor or vpn, openwrt can only see the encrypted packets (from my understanding without ip-addresses or other significant information). so how can openwrt know if a packet has been requested then? sorry, maybe i'm blockheaded right now.

lleachii · July 1, 2019, 10:08pm

Because:

your client will request a packet
it will encrypt it in its VPN program
it will then sent that encrypted packet out on the wire to the VPN provider
Your VPN provider will decrypt it and sent the traffic to the Internet
The reply traffic is encrypted by the VPN provider and sent to your client
Hence, your OpenWrt can see traffic going to/from your client to the VPN provider; but it cannot decrypt the packets to see where the traffic is going on the Internet, nor can it see the data inside. This is the concept of what a VPN is.

root-r · July 1, 2019, 10:36pm

okay, i see. and since the vpn server should have its own firewall, all should be fine.

how in the case of using tor? i think i have understood their concept: the client encrypts the packet three times, sends it to the entry node (which removes the first encryption layer and sends it to the middle node), middle node removes second encryption layer and sends it to the exit node (which removes the last encryption layer and sends it to the internet). when replies come back, exit node encrypts it once, sends it to the middle node (which encrypts again and sends it to the entry node), entry node encrypts it once again and sends it to the client which decrypts everything.

but wouldn't it be possible that an exit node without good protection (e.g. firewall) receives unrequested and malicious data which in the end reaches the computer the client is running on? without the router's packet filter even noticing it (since it can only see that the packet comes from the entry node and not that it contains unrequested data)?

lleachii · July 1, 2019, 11:17pm

I know nothing about your VPN provider's firewall. You'd have to ask your VPN provider about that. But yes, they should have one.

I think you need to ask in a TOR forum, or read up more. In addition, research TOR exit node vulnerabilities. That's unrelated to OpenWrt.

You also need to understand the concept of:

https://www.techopedia.com/definition/10339/three-way-handshake

I think you are not synced with this philosophy, so you think packets are flying on the Internet willy-nilly. Random IPs cannot "hail" an endpoint and make it send unsolicited traffic to a different IP/port pair (it could try to spoof that traffic if the internal traffic leaving the node is ultimately unencrypted, though, e.g. HTTP).

I also think you're missing the concept of the normal packet encapsulated inside the encrypted one. Only the intended endpoint can decrypt traffic. The machine's connection state with the actual decrypted endpoint's IP/ports handles the rest.

Read up on the 3 way handshake and the notion of IP combinations with connection states - you're missing that concept. You're also forgetting that the reply packets must also traverse back through TOR encrypted network to reach you.

root-r · July 2, 2019, 12:14am

indeed, it looks like there are some points which i misunderstood.

there's still a lot to learn for me, but i think i have some good informations and clues to start with now.

thank you for spending your time in this thread and being so patient.

jeff · July 2, 2019, 2:25am

There are a few concepts that are needed to be able to understand firewalls. As a quick list:

IPv4 / IPv6 packet addressing -- source/destination, host/port "quads"
Basic routing, how a packet gets from host A to host B through routers (and back)
Media addressing (MACs for Ethernet) and ARP (IPv4) / neighbor discovery (IPv6)
Switches (why certain packets don't go "through" your router)
ICMP (control messages, like "host unreachable" or "packet too big")
Two kinds of packet flows
- Connection oriented, like TCP
- Connectionless, like UDP
Connection state and tracking ("conntrack" for Linux)
What NAT is and isn't (hint, "not a firewall")
Basic flow through a firewall

On the last one, https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks has some helpful diagrams. The key concept is that there are different things a packet can do (assuming not dropped):

Enter a router from a host, be routed, and exit the router for another host
Enter the router from a host and be "heard" by the router
Start at the router and be sent to another host

That last section is one that many people forget. "I prevented forwarding to the WAN, why can they still connect to LuCI?"