I would like to study usage of fwbuilder to generate firewalling rules for LEDE as an alternative firewall.
This is now my #1 issue on my radar.
Here is some background on why I would like to move to fwbuilder:
This is linked to this post about logging:
Today, there are official recommendations for firewall rules, especially targeted at companies and institutions.
Those rules are not required by law ... but could become so sooner or later.
Take the example of the French National Security Agency (ANSSI), which produces recommendations:
In particular, each firewall rule should be numbered and labeled, and when logging is enabled, the log should include the rule number. This is clearly impossible (or really difficult) using the LEDE embedded firewall.
The ANSSI rules allow you to quickly analyze a situation using the logs. This is currently not possible with the LEDE firewall, which does not label rules, does not number them and does not log them. The LuCI firewall does not provide customizable reject rules at the bottom of a zone. Personally, I think that the current LEDE firewalling rules put us at risk and are the weakest point of LEDE.
A possible solution would be to delegate writing iptables rules to fwbuilder (Free Software), which seems (IMHO) to comply with the ANSSI rules. Fwbuilder has full support for detailed logging (even to databases) and much more. It includes an OpenWRT firewalling template, which is IPv4-only, but with some work it could target the current LEDE IPv6 implementation.
OpenWRT (LEDE) is officially supported by fwbuilder:
Are any of you already using fwbuilder as a firewall generator for LEDE and documenting it? Would you like to collaborate with me on a short study of fwbuilder, with documentation contributed back to LEDE?
Any thoughts, comments and replies are welcome.
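The numbered-and-logged rule layout the post asks for, as an added example that is not part of the original post and not fwbuilder's own generated output: a small POSIX shell script that emits iptables rules where every terminating rule is preceded by a LOG rule whose prefix carries the rule number and action, plus a helper that recovers the rule number from a kernel log line. The prefix layout "RULE <n> -- <ACTION> " is an assumption modeled loosely on fwbuilder's default; the chain, addresses and the sample log line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post, not fwbuilder output).
# Each rule is numbered; a LOG rule carrying "RULE <n> -- <ACTION> " in its
# prefix precedes the terminating rule, so any log line can be traced back
# to the exact rule that produced it. The prefix format is an assumption.
# Caveat: the iptables LOG target truncates --log-prefix to 29 characters,
# so keep the label short.

# gen_rule NUM ACTION [MATCH...]
# Prints two iptables commands for the INPUT chain: the LOG rule with the
# numbered prefix, then the terminating rule with the same match.
gen_rule() {
    num="$1"; action="$2"; shift 2
    match="$*"
    printf 'iptables -A INPUT%s -j LOG --log-prefix "RULE %s -- %s " --log-level info\n' \
        "${match:+ $match}" "$num" "$action"
    printf 'iptables -A INPUT%s -j %s\n' "${match:+ $match}" "$action"
}

# ruleset: a constructed three-rule policy ending in an explicit, numbered
# catch-all deny (the "reject rule at the bottom" the post mentions).
ruleset() {
    gen_rule 1 ACCEPT -i lo
    gen_rule 2 ACCEPT -p tcp --dport 22 -s 192.0.2.0/24
    gen_rule 3 DROP
}

# rule_from_log LINE
# Extracts "<num> <ACTION>" from a kernel log line written by the LOG rules
# above; prints nothing if the line carries no such prefix.
rule_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*RULE \([0-9][0-9]*\) -- \([A-Z]*\) .*/\1 \2/p'
}

# Usage: print the generated rules, then resolve a constructed log line.
ruleset
rule_from_log 'Jan  1 00:00:00 lede kernel: RULE 3 -- DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23'
```

Running the script only prints the iptables commands; pipe `ruleset` into `sh` on the router to apply them. The log lookup is the point: with the rule number in the prefix, `rule_from_log` (or the same sed expression over the whole syslog) maps every logged packet to the rule that matched it, which is what the post's reading of the ANSSI guidance requires.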