From: Sylvia Else
Newsgroups: comp.misc
Subject: Re: Firewalls: Rant
Date: Sun, 8 Dec 2024 13:35:37 +0800
Message-ID:
References: <6754bad3@news.ausics.net>
In-Reply-To: <6754bad3@news.ausics.net>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1

On 08-Dec-24 5:14 am, Computer Nerd Kev wrote:
> Sylvia Else wrote:
>> Now apparently, that's not good enough, so I have to get my head around
>> nftables.
>>
>> Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
>>
>> And all I wanted to do was upgrade the OS to get rid of a long-standing
>> and very annoying race condition that would kill the WiFi at
>> unpredictable moments.
>>
>> Yes, I know I'm using this router in a rather different way from the
>> usual, but sometimes people do things like that.
>
> I guess it depends how different your usage is, but if you're using
> OpenWrt's fw4 firewall configuration, it's supposed to accept the
> same configuration syntax as fw3, so the switch to nftables
> shouldn't be causing problems if you were using that
> (/etc/config/firewall).
>
> Mind you the increased bloat of current OpenWrt (or its included
> software, including the Linux kernel, which have been getting
> bigger with each version) has caused me problems. Including,
> as it happens, issues with it killing the WiFi when it ran out of
> RAM. Oh for a maintained software environment that doesn't have an
> obesity problem...

I was just using iptables directly, since I know how to configure it.
I need to reverse the trust relationship, trusting wan, and not trusting lan. In the end I've just gone through the LuCI stuff, replacing lan with wan and vice versa.

Now I just need to figure out the best way of blocking access from lan to some wan subnets. Probably not difficult, though it would help if I could find a defined syntax, rather than just examples. Maybe I'm just looking in the wrong place.

Sylvia.
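The lan-to-selected-wan-subnets block that the post asks about, written as an added example that is not part of the original thread: a UCI fragment for /etc/config/firewall in the fw3/fw4 syntax that Computer Nerd Kev refers to. The zone stanzas reflect the reversed trust the post describes (wan accepted, lan not) but are an assumption about the resulting config, and the zone names, the rule name, the network names and the 203.0.113.0/24 and 198.51.100.0/24 subnets are placeholders constructed for the example.

```uci
# Added example, not from the thread. Zones with the trust reversed:
# the "wan" side is treated as trusted, the "lan" side is not.
# (Assumed layout; network names 'wan' and 'lan' are placeholders.)

config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let the untrusted side reach the trusted side in general...
config forwarding
	option src 'lan'
	option dest 'wan'

# ...but refuse forwarding from lan to specific wan subnets.
# Traffic rules are matched before the zone forwarding policy,
# so this REJECT wins over the forwarding stanza above.
# Subnets are RFC 5737 documentation ranges, i.e. placeholders.
config rule
	option name 'Block-lan-to-protected-wan-subnets'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	list dest_ip '203.0.113.0/24'
	list dest_ip '198.51.100.0/24'
	option target 'REJECT'
	option enabled '1'
```

After editing the file, `fw4 print` writes out the nftables ruleset that fw4 generates from it, which gives the "defined syntax" for what each stanza actually becomes, and `/etc/init.d/firewall reload` applies it. `target 'DROP'` silently discards instead of sending a rejection back; `REJECT` is friendlier for the clients on the lan side, `DROP` hides the rule's existence from them.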