Question about firewall rule and RFC6092

I can't really believe that you don't understand, so I would say simply test a Ci$co appliance or something like that. You'll clearly see in seconds that OpenWrt isn't a firewall, nothing close.

I just beg (more so the OP), please don't keep trying to inquire or postulate if you don't understand clearly. I (and I'm sure others) don't want their routers having issues because someone got the notion it's a firewall and removes those rules from default.

Otherwise, this seems like something for upstream and various Kernel changes. But as I noted, most exist in sysctl/Kernel already (i.e. ICMPv6 responses are Related traffic - unrelated to the firewall entries the OP highlighted). OpenWrt is routing/forwarding that unrelated traffic in the firewall rule.

I also noted these are stateless recommendations in the RFC - but somehow the debate continues on stateful firewall rules? :person_shrugging:

This is why I tried to highlight the silliness of testing by making stateful firewall changes. Somehow, it was taken as some credence supporting your point of view. The test would be to remove the rule; it should still work on Established traffic (hence, in code).

So then it's noted (or rather, my statements seem discounted by you) - because you see stateful rules?

I'm not sure how that's difficult or confusing (i.e. stateful vs. stateless), but I've tried my best to offer clarity. I do appreciate the level-headed collegiate discussion, but I think it's run its course.

As I said, not sure how my statements were unclear; but nonetheless, carry on.

You missed my point (it almost seems on purpose and comical). I actually can't tell if you're j/k; but I don't believe you'd persist if that were the case - so I wanted to respectfully formulate a coherent response to you.

Again, thanks for the scholarly discussion.

Perhaps I'm wrong, eh...it's possible too.

I'm postulating? I merely use the terminology that's used in the OpenWrt documentation where it's referred to as a firewall. I thought I made it very clear that I'm ignorant about how the firewall in OpenWrt works, and that's why I'm asking the questions I'm asking. I don't really see why there's any point in continuing this discussion as jow has pretty much settled the issue now.

My bad. Again, thanks for the scholarly discussion - nothing meant by the statement.

Again, his statement is completely unrelated (hence my request - actually begging - to not mess anything up from the developer's side). But for the sake of the fact you're the OP - OK. Lastly, I stated:

So again, thanks. There is no further discussion on the topic on my part. Feel free to respond, not respond, or clarify, not clarify, etc.

So what is it? Does it provide firewall functionality or not?

This just doesn't make sense. Why would someone remove the rules, even if they did decide that OpenWRT was a hardware firewall appliance, rather than routing software that incorporates a software firewall?

Is it related traffic or unrelated traffic? Does it need a firewall rule or not? Because you seem to be saying both things within 2 sentences.

The recommendation isn't stateless. That's the whole goddamn point of it. It's that you shouldn't be forwarding those ICMPv6 messages unless there is an existing state. Stateless and connectionless are not the same things. Traffic involving connectionless protocols can have a tracked state within a firewall.

Well yes, but what the hell has that got to do with anything? The issue isn't about already established traffic being allowed through the firewall. It never has been. Which is why your 'test' made no sense.

I really don't get how you think this is the case.

Do you agree that OpenWRT contains a software firewall that allows it to filter packets according to rules defined by the end user?
Do you agree that said firewall will, by default, and unless told otherwise reject any traffic received on the WAN interface that isn't involved in an existing traffic flow? i.e. one that has a tracked session in the firewall.
Do you agree that connectionless protocols can have a tracked session within a stateful firewall?

If we can agree on those points, do you then also agree that there is a default firewall rule within OpenWRT that allows certain types of ICMPv6 traffic through the firewall (the one right at the beginning of this thread)?

If we can also agree on that, then what is your understanding of how that rule operates if the firewall were to receive an ICMPv6 "Destination Unreachable" packet but there was no associated traffic session, i.e. it wasn't part of an established traffic flow? Would the packet be rejected or would it be forwarded to whatever host it's intended for?
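The two possible behaviours asked about above, written out as a constructed nftables forward chain (an added illustration, not OpenWrt's own ruleset or the rule from the start of the thread; the `wan`/`lan` interface names are assumptions). The first ICMPv6 rule forwards error messages unconditionally; the second, the RFC 6092 style, forwards one only when conntrack has matched it to a flow it already tracks, so an orphan "Destination Unreachable" arriving on the WAN falls through to the drop policy.

```nft
# Constructed example of a minimal forward chain in nftables syntax.
table inet example_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic of flows a LAN host opened. This covers UDP and
        # ICMP too: conntrack keeps a pseudo-session for connectionless
        # protocols, so "stateless protocol" does not mean "no state".
        ct state established accept

        # Variant A (unconditional): any ICMPv6 error from the WAN is
        # forwarded, whether or not the packet quoted inside it belongs
        # to a flow this router has seen. Commented out here.
        # iifname "wan" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Variant B (RFC 6092 style): the error is forwarded only when
        # conntrack has looked at the embedded original header and marked
        # the packet RELATED to an existing entry. An error with no matching
        # entry never matches this rule and is dropped by the chain policy.
        iifname "wan" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } ct state related accept

        # Packets conntrack could not classify (malformed, out of window).
        ct state invalid drop

        # LAN hosts may open new flows toward the WAN; this creates the
        # conntrack entries the rules above later match against.
        iifname "lan" oifname "wan" accept
    }
}
```

Removing the ICMPv6 rule entirely leaves established flows working (the first rule still matches their return packets); what changes is only whether errors about flows the router never saw get through.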

Yeah... OpenWrt uses iptables and nftables or, more generic, the netfilter stuff within the Linux kernel...
But besides that: I can't follow what makes a Cisco or other vendor hardware appliance firewall a firewall and what makes a Linux box not a firewall ....

I honestly can't tell if y'all PMed each other, and coordinated to punk or fool me. Again, I'll take time to honor with a response.

OpenWrt, there's already LAN and WAN setup with rules.

I.e. the same rules that don't exist in a firewall, that's being debated with me. :wink:

Exactly, the "router uses firewall modules".

But alas, I think you made that statement with no intentions of agreeing with me.

No, I disagree.

  • Firewalls pass no traffic by default, not just some chain construct called "WAN".
  • OpenWrt's WAN will respond with relevant ICMP answers by default, out of its default gateway interface (this is an issue I ran into before and solved with a sysctl setting, not a firewall rule). And you actually agreed with me on this point while discussing "stateless/stateful firewall" versus "connection state"
  • OpenWrt initiates e.g. DHCP requests
  • OpenWrt passes LAN traffic
  • OpenWrt pre-configures a NAT/masquerade
  • Some firewalls perform no routing

Because no rules should exist by default on a firewall. :person_shrugging:

I'll reiterate differently. Given someone with authority qualified their answer in a follow-up statement that was completely baseless, I thought it was wise to beg, since I need and expect, like others, to have a routed Prefix Delegation - and for its firewall to handle the traffic. :point_left: (I pray :pray: :prayer_beads: :palms_up_together: that is crystal clear to you now).

I put a line to signify that this is a general comment:

It's really difficult to discuss with people who ...(not sure what word to use here) the RFCs.

So, feel free to call OpenWrt whatever you want if it confuses so much!

Maybe the Wiki should be changed to accurately reflect that people believe it's a firewall.

When jow said "upper layer state is not taken into account" it seems clearly understood, but when I explained and begged not to touch things because a routed Prefix Delegation was mentioned - it seems everyone lost me.

Please show me and the others the source of that definition....

Source of what definition?

I didn't provide a definition.

Are you disagreeing with a general statement?

If so, that's why I said look at any firewall, you responded:

Are you asking me to justify your statements?

Your understanding of what makes a firewall a firewall and what doesn't seems to be very different from other views.

Never have I encountered such a statement.

A firewall, stateless or stateful, just accepts or drops packets on input, output and/or forward based on policies and rules. On layer 3 and/or layer 4.

Not sure why you muddied the waters with confusion; this is where krazeh seems to wanna debate. I've never made such a distinction except to say OpenWrt's "functionality" is generally stateful (but alas, that was misunderstood too).

Nevertheless, it is important to remember that the only perfectly secure network is one that doesn't allow any data through at all

In other words, the only reason that some firewalls remain in use is because they have essentially been disabled.

~ RFC2979

(There's deep detail in that RFC. In fact, a firewall is actually described as passing no traffic and making the network unusable - essentially configuring it to communicate/ connect. :wink: )

I would call OpenWrt "essentially disabled" - definition (or an example in context) provided.

Simple question. Does OpenWRT provide a firewall? Or firewall functionally if you prefer wording it like that? Can it filter packets passing through whatever interfaces are on the device?


Yes!

I do prefer this more accurate wording. I think we would better understand each other saying "firewall functionality" as related to the Linux Kernel (i.e. OpenWrt in this instance).

Yes, that "functionality" includes the ability to "filter packets" (but for some reason, I get the feeling you're not saying that to agree with me). Nonetheless, I concede that common sense notion; hopefully that brought understanding (:pray: :prayer_beads: :palms_up_together: ).

Ummm I'm not sure about localhost or loopback
..but I generally agree. Notwithstanding the fact, I noted a firewall blocks all traffic.

An RFC of the status informational, written by a single person... I can not take it as a source of truth. There is probably some value in it and many aspects are certainly correct, but this is at the end of the day the view of a single person.

A firewall filters traffic. I doubt that it's defined by the default policy.

Excellent!

So we agree we shouldn't be debating RFC6092 - which is merely informational too?

I'm glad there's finally understanding.

(Alas, I get a feeling again you weren't agreeing with me; but rather discounting my quoted RFC instead. In giving equal weight to Informational RFCs, both should be discounted then, and that truly makes this moot.)

:wink:

So we can agree that OpenWRT has a firewall?

Always and without exception? That would make it a little pointless wouldn't it? Or do you mean the default is to block all traffic and you can then add rules to allow traffic?

For clarity, is the Cisco ASA 5505 Adaptive Security Appliance something that would fit your definition of a firewall?

I can simply not follow your argument why a "firewall" is only a "firewall" if it only knows how to DROP by default.

NEVER have I encountered such a claim. A firewall filters packets (and not frames) is the only "definition" I have ever heard of. (But I /assume/ that in the '90s people also referred to filtering on layer-2 as "firewalls", too. So I would not want to make that a hard claim...) but never was the default policy part of a "definition".

That's not the point. The point is to evaluate the CONTENT of the RFC and in what context it was written. There are RFCs which are "just" informational or experimental but are used in the wild heavily, and there are standards-track RFCs which are just useless, or at least full of errors, aka when these standards got used it was shown that the assumptions made did not hold in the real world.

"Has a firewall???"

I don't even understand that terminology. No, we used another term. We were making good progress:

I'm not sure why you reverted.

Not pointless.

I was asked to provide a definition. Maybe because it was discounted: here

Yes, you essentially disable the firewall to make traffic work!

Yes, you're understanding now!

As I recall, all ASA products do.

I've also never heard someone say drop by default, since there's no rules to begin with.

When did we start discussing frames?

Lol, OK sir. I understood you simply wanted to discount my quoted RFC out of hand.

Yes. Cisco ASA is not a firewall. It's an instrument of torture. Personal advice: If confronted with these at $dayjob, just leave, or let it fall on the floor and say "upsi". /shitpost

Wow, but one of the few firewall models that meet standards.

Other companies are getting in the game in the last 5-10 years though.