Question about firewall rule and RFC6092

Yeah... Openwrt uses iptables and nftables or more generic: the netfilter stuff within the Linux kernel...
But besides that: I can't follow what makes a Cisco or other vendor hardware appliance firewall a firewall and what makes a Linux box not a firewall ....

I honestly can't tell if yall PMed each other, and coordinated to punk or fool me. Agan, I'll take time.to honor with a response.

OpenWrt, there's already LAN and WAN setup with rules.

I.e. the same rules that don't exist in a firewall, that's being debated with me. :wink:

Exactly, the "router uses firewall modules".

But alas, I think you made that statement with no intentions of agreeing with me.

No, I disagree.

  • Firewalls pass no traffic by default, not just some chain construct called "WAN".
  • OpenWrt's WAN will respond with relevant ICMP answers by default, out of its default gateway interface (this is an issue I run into before and solve with a sysctrl setting, not a firewall rule). And you actually agreed with me on this point while discussing "stateless/stateful firewall" versus "connection state"
  • OpenWrt initiates e.g. DHCP requests
  • OpenWrt passes LAN traffic
  • OpenWrt pre configures a NAT/masquerade
  • Some firewalls perform no routing

Because no rules shoud exist by default on a firewall. :person_shrugging:

I'll reiterate differently. Given someone with authority qualified thier answer in a follow up statement that was completely baseless, I thought it was wise to beg, since I need and expect like others to have a routerd Prefix Delegation - and for its firewall to handle the traffic. :point_left: (I pray :pray: :prayer_beads: :palms_up_together: that is crystal clear to you now).


I put a line to signify that this is a general commemt:

It's really difficult to discuss with people who ...(not sure what word to use here) the RFCs.

So, feel free to call OpenWrt whatever you want if it confuses so much!

Maybe the Wiki should be changed to accurately reflect people beleive it's a firewall.

When jow said "upper layer state is not taken into account" it seems clearly understood, but when I explained and beg not to touch things because a routed Prefix Delegation was mentioned - it seems everyone lost me.

Please show me and the others the source of that definition....

Source of what definition?

I didn't provide a definition.

Are you disagreeing with a general statement?

If so, that's why I said look at any firewall, you responded:

Are you asking me to justify your statements?

Your understanding what makes a firewall a firewall and what doesn't seams to be very different from other views.

Never i have encountered such a statement.

A firewall, stateless or statefull, just accept or drop packets on input, output and or forward based on policies and rules. On layer 3 and or layer 4.

Not sure why you muddied the waters with confusion, this is where krazeh seems to wanna debate. I've never made such a distinction except to say OpenWrt's "functionality" is generally stateful (but alas, that was misunderstood too).

Nevertheless, it is important to remember that the only perfectly secure network is one that doesn't allow any data through at all

In other words, the only reason that some firewalls remain in use is because they have essentially been disabled.

~ RFC2979

(There's deep detail in that RFC. In fact, a firewall is actually described as passing no traffic and making the network unusable - essentially configuring it to communicate/ connect. :wink: )

I would call OpenWrt "essentially disabled" - definition (or an example in context) provided.

Simple question. Does OpenWRT provide a firewall? Or firewall functionally if you prefer wording it like that? Can it filter packets passing through whatever interfaces are on the device?

2 Likes

Yes!

I do prefer this more accurate wording. I think we would better understand each other saying "firewall functionality" as related to the Linux Kernel (i.e. OpenWrt in this instance).

Yes that "functionality" includes the ability to "filter packets" (but for some reason, I get the feeling you're not saying that to agree with me). Nonetheless, I conceed that comon sence notion, hopefully that brought understanding (:pray: :prayer_beads: :palms_up_together: ).

Ummm I'm not sure about localhost or loopback
..but I generally agree. Notwithstanding the fact, I noted a firewall blocks all traffic.

A RFC of the status informational, written by a single person... I can not take it as a source of truth. The is probably some value in it and many aspects are certainly correct but this is at the end of the day the view of a single person.

A firewall filters traffic. I doubt that it's the defined by the default policy.

Excellent!

So we agree we shouldn't be debating RFC6092 - which is merely informational too?

I'm glad there's finally understanding.

(Alas, I get a feeling again you weren't agreeing with me; but rathar discounting my quoted RFC instead. In giving equal weight to Informational RFCs, both should be discounted then, and that truly makes this moot.)

:wink:

So we can agree that OpenWRT has a firewall?

Always and without exception? That would make it a little pointless wouldn't it? Or do you mean the default is to block all traffic and you can then add rules to allow traffic?

For clarity, is Cisco ASA 5505 Adaptive Security Appliance - Cisco something that would fit your definition of a firewall?

I can simply not follow your argument why a "firewall" is only a "firewall" if it only knows how to DROP by default.

NEVER I have encountered such a claim. A firewall filters packets (and not frames) is the only "definition" I have ever heard of. (But I /assume/ that on the 90ies people also refereed to filtering on layer-2 as "firewalls", too. So I would not want to make that a hard claim...) but never was the default policy part of a "definition".

That's not the point. The point is to evaluate the CONTENT of the RFC and in what context it was written in it. There are RFC which are "just" informational or experimental but are used in the wild heavily, and there are standard track RFC which are just useless, or at least full of errors aka when these standards got used it was shown that the assumptions made did not hold stand in the real world.

"Has a firewall???"

I don't even understand that terminology. No, we used another term. We were making good progress:

I'm not sure why you reverted.

Not pointless.

I was asked to provide a definition. Maybe because it was discounted: here

Yes, you essentially disable the firewall to make traffic work!

Yes, you're understanding now!

As I recall, all ASA products do.

I've also never heard someone say drop by default, since there's no rules to begin with.

When did we start discussing frames?

Lol, OK sir. I understood you simply wanted to disount my quoted RFC out of hand.

Yes. Cisco ASA is not a firewall. It's an instrument of torture. Personal advise: If confronted with these at $dayjob. Just leave, or let it fall on the floor and say "upsi". /shitpost

Wow, but one of the few firewall models that meet standards.

Other companies are getting in the game in last 5-10 years though.

A default policy (to drop) is a "rule" in itself because it describes behavior.

You're refering to configured behaviors - but I essentially agree.

That's where I kept loosing the other gentleman. Not design (e.g. on chip/code/firmware - modules add confusion, and I think that's the contention here).

So as far as you're concerned the functionality of filtering packets to determine whether to allow, drop, or reject them cannot be termed a 'firewall'?

I've read RFC2979 and it's not saying what you think it's saying. At no point does it say that a firewall is only a firewall if it passes no traffic. The point of the RFC is to discuss how firewalls should operate to maintain a suitable trade off between security and usability. The comment about firewalls being disabled is a reference to poorly designed firewalls still only being in use at that time because people were disabling them, rather than fixing the flaws in their design.

That doesn't sound like it blocks all traffic by default to me... Maybe it's not a firewall then??

What's the difference in final functionality between a rule that's configured and one that's hardcoded in firmware or in the SoC design?

And you keep 'loosing' me by insisting implementing a recommendation about how you should configure firewalls to filter traffic is something that could only be done by altering the IP stack or low level firmware coding. As if firewalls (of whatever type you think they are) can't be configured once they have been built/flashed. Oh, and the insistence that somehow OpenWRT doesn't have a firewall.

Yes, I'm lost why you quote the page then claim the opposite. We can all see it, you know.

  • Did you forget nothing is defined on the ASA, so that doesn't work by default, you need to say what interfaces, what's higher, etc.?
  • You ignored:

That's a firewall.

I'm lost why you had to make the firewall a router to attempt a point. Maybe that's because of misunderstanding what a firewall is. :wink:

  • So you switch to Layer 2 examples when it's clear we were discussing Layer 3?

I'm specifically referring to making a Linux device with IP Forwarding Enabled (i.e. a router), make the RFC recommended replies (or lack thereof). Yes, these are coded there.

Regarding firmware etc. - I'm refrencing how firewalls don't pass traffic, an opposite analogy is how the hardware switch in consumer routers acts dumb and passes traffic if there is software failure (e.g. bricked).

That would be horrible and unacceptable in a real firewall, yet it's seems livable if it happens in the forums.