comp.misc thread: Firewalls: Rant

Thread overview (subject, author):

* Firewalls: Rant (Sylvia Else)
+* Re: Firewalls: Rant (Computer Nerd Kev)
|`* Re: Firewalls: Rant (Sylvia Else)
| `* Re: Firewalls: Rant (Computer Nerd Kev)
|  `- Re: Firewalls: Rant (Sylvia Else)
`* Re: Firewalls: Rant (Salvador Mirzo)
 `- Re: Firewalls: Rant (Lawrence D'Oliveiro)

Subject: Firewalls: Rant
From: Sylvia Else
Newsgroups: comp.misc
Date: Sat, 7 Dec 2024 08:51 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: sylvia@email.invalid (Sylvia Else)
Newsgroups: comp.misc
Subject: Firewalls: Rant
Date: Sat, 7 Dec 2024 16:51:30 +0800
Lines: 21
Message-ID: <lrigkhFkmi4U1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net VoE9uD35tZchk/+OaMuJnw6G52uRsdeF3Yxam0EaV32/5I+gTP
Cancel-Lock: sha1:FH/LVWBRhqEU8YgknHvcH2dQPJ8= sha256:iKAZ3EBGzXqrkK3MNYECA51pI/+PN0lwwGPkq8cbws8=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.15.1
Content-Language: en-US

Really?

I have to learn a THIRD way of doing firewalling?

First it was ipchains.

Then it was iptables.

Now apparently, that's not good enough, so I have to get my head around
nftables.

Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.

And all I wanted to do was upgrade the OS to get rid of a long-standing
and very annoying race condition that would kill the WiFi at
unpredictable moments.

Yes, I know I'm using this router in a rather different way from the
usual, but sometimes people do things like that.

Sylvia.

Subject: Re: Firewalls: Rant
From: Computer Nerd Kev
Newsgroups: comp.misc
Organization: Ausics - https://newsgroups.ausics.net
Date: Sat, 7 Dec 2024 21:14 UTC
References: 1
Message-ID: <6754bad3@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Firewalls: Rant
Newsgroups: comp.misc
References: <lrigkhFkmi4U1@mid.individual.net>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 8 Dec 2024 07:14:59 +1000
Organization: Ausics - https://newsgroups.ausics.net
Lines: 29
X-Complaints: abuse@ausics.net
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.bbs.nz!news.ausics.net!not-for-mail

Sylvia Else <sylvia@email.invalid> wrote:
> Now apparently, that's not good enough, so I have to get my head around
> nftables.
>
> Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
>
> And all I wanted to do was upgrade the OS to get rid of a long-standing
> and very annoying race condition that would kill the WiFi at
> unpredictable moments.
>
> Yes, I know I'm using this router in a rather different way from the
> usual, but sometimes people do things like that.

I guess it depends how different your usage is, but if you're using
OpenWrt's fw4 firewall configuration, it's supposed to accept the
same configuration syntax as fw3, so the switch to nftables
shouldn't be causing problems if you were using that
(/etc/config/firewall).

Mind you the increased bloat of current OpenWrt (or its included
software, including the Linux kernel, which have been getting
bigger with each version) has caused me problems. Including,
as it happens, issues with it killing the WiFi when it ran out of
RAM. Oh for a maintained software environment that doesn't have an
obesity problem...

--
__ __
#_ < |\| |< _#

Subject: Re: Firewalls: Rant
From: Sylvia Else
Newsgroups: comp.misc
Date: Sun, 8 Dec 2024 05:35 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: sylvia@email.invalid (Sylvia Else)
Newsgroups: comp.misc
Subject: Re: Firewalls: Rant
Date: Sun, 8 Dec 2024 13:35:37 +0800
Lines: 37
Message-ID: <lrkph9F1cilU1@mid.individual.net>
References: <lrigkhFkmi4U1@mid.individual.net> <6754bad3@news.ausics.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net lqbq+XXyCuK9fiD0lua15wIkIR6qBNaupw2YC3USdrcAgdN/r/
Cancel-Lock: sha1:D/2/nQdYgG4lhnufgtCD5/XFH8E= sha256:wrYhu8KIL/tyte8+Hpks6Kq6UfL35koErEGgfKtcjBE=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.15.1
Content-Language: en-US
In-Reply-To: <6754bad3@news.ausics.net>

On 08-Dec-24 5:14 am, Computer Nerd Kev wrote:
> Sylvia Else <sylvia@email.invalid> wrote:
>> Now apparently, that's not good enough, so I have to get my head around
>> nftables.
>>
>> Oh, but wait, this is OpenWrt, which has yet another layer added - fw4.
>>
>> And all I wanted to do was upgrade the OS to get rid of a long-standing
>> and very annoying race condition that would kill the WiFi at
>> unpredictable moments.
>>
>> Yes, I know I'm using this router in a rather different way from the
>> usual, but sometimes people do things like that.
>
> I guess it depends how different your usage is, but if you're using
> OpenWrt's fw4 firewall configuration, it's supposed to accept the
> same configuration syntax as fw3, so the switch to nftables
> shouldn't be causing problems if you were using that
> (/etc/config/firewall).
>
> Mind you the increased bloat of current OpenWrt (or its included
> software, including the Linux kernel, which have been getting
> bigger with each version) has caused me problems. Including,
> as it happens, issues with it killing the WiFi when it ran out of
> RAM. Oh for a maintained software environment that doesn't have an
> obesity problem...
>

I was just using iptables directly, since I know how to configure it. I need
to reverse the trust relationship, trusting wan, and not trusting lan.
In the end I've just gone through the luci stuff, replacing lan with wan
and vice versa. Now I just need to figure out the best way of blocking
access from lan to some wan subnets. Probably not difficult, though it
would help if I could find a defined syntax, rather than just examples.
Maybe I'm just looking in the wrong place.

Sylvia.

Subject: Re: Firewalls: Rant
From: Computer Nerd Kev
Newsgroups: comp.misc
Organization: Ausics - https://newsgroups.ausics.net
Date: Sun, 8 Dec 2024 06:24 UTC
References: 1 2 3
Message-ID: <67553baf@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Firewalls: Rant
Newsgroups: comp.misc
References: <lrigkhFkmi4U1@mid.individual.net> <6754bad3@news.ausics.net> <lrkph9F1cilU1@mid.individual.net>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i686))
NNTP-Posting-Host: news.ausics.net
Date: 8 Dec 2024 16:24:47 +1000
Organization: Ausics - https://newsgroups.ausics.net
Lines: 16
X-Complaints: abuse@ausics.net
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.bbs.nz!news.ausics.net!not-for-mail

Sylvia Else <sylvia@email.invalid> wrote:
> I was just using iptables directly, since I know how to configure it. I need
> to reverse the trust relationship, trusting wan, and not trusting lan.
> In the end I've just gone through the luci stuff, replacing lan with wan
> and vice versa. Now I just need to figure out the best way of blocking
> access from lan to some wan subnets. Probably not difficult, though it
> would help if I could find a defined syntax, rather than just examples.
> Maybe I'm just looking in the wrong place.

I've never used the LuCI Web interface, but this page has plenty of
details for editing the /etc/config/firewall file:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration

--
__ __
#_ < |\| |< _#
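The setup Sylvia describes (trust reversed so that wan is the trusted side and lan is not, with some wan subnets blocked from lan), written out as an /etc/config/firewall fragment in the fw3/fw4 syntax Kev refers to. This is an added example, not something from the thread or from OpenWrt's own documentation; the zone names follow OpenWrt defaults, while the network names and the two blocked subnets (203.0.113.0/24 and 198.51.100.0/24, documentation ranges) are constructed placeholders.

```uci
# Added example (not from the thread): trust reversed, selected wan subnets
# unreachable from lan. Network names and subnets are constructed placeholders.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The untrusted side: nothing may reach the router's own services from here,
# and forwarding is only what the forwarding/rule sections below permit.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The trusted side: management (SSH, LuCI) is reachable from here.
config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# General lan -> wan forwarding is allowed ...
config forwarding
	option src 'lan'
	option dest 'wan'

# ... except to these subnets. Rules are evaluated before the zone forwarding
# policy, so this REJECT wins over the forwarding entry above. proto 'all' is
# needed because a rule without it defaults to TCP and UDP only.
config rule
	option name 'Block-lan-to-restricted-wan-subnets'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	list dest_ip '203.0.113.0/24'
	list dest_ip '198.51.100.0/24'
	option target 'REJECT'
```

`fw4 check` validates the file and `fw4 print` shows the nftables ruleset fw4 generates from it, which is the nearest thing to the "defined syntax" asked for above: every option in the fragment maps to a visible line in that output, so a rule that does not appear there is a rule fw4 did not understand. With input set to REJECT on lan, SSH and LuCI are only reachable from the wan side, so confirm that path works before reloading.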

Subject: Re: Firewalls: Rant
From: Sylvia Else
Newsgroups: comp.misc
Date: Sun, 8 Dec 2024 10:52 UTC
References: 1 2 3 4
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: sylvia@email.invalid (Sylvia Else)
Newsgroups: comp.misc
Subject: Re: Firewalls: Rant
Date: Sun, 8 Dec 2024 18:52:08 +0800
Lines: 18
Message-ID: <lrlc2oF46llU1@mid.individual.net>
References: <lrigkhFkmi4U1@mid.individual.net> <6754bad3@news.ausics.net>
<lrkph9F1cilU1@mid.individual.net> <67553baf@news.ausics.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net fuUXp57/5aTwus2MuUle1w1uDCpZHvuFh8SOljd3HncfQSYO3O
Cancel-Lock: sha1:2jn9FBUBrkNhuRRfl1vSKZqdCpE= sha256:5DMNZK6/9vv0guS/qbpXrQ7bB8hji9ZG3lSMON/vtLs=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.15.1
Content-Language: en-US
In-Reply-To: <67553baf@news.ausics.net>

On 08-Dec-24 2:24 pm, Computer Nerd Kev wrote:
> Sylvia Else <sylvia@email.invalid> wrote:
>> I was just using iptables directly, since I know how to configure it. I need
>> to reverse the trust relationship, trusting wan, and not trusting lan.
>> In the end I've just gone through the luci stuff, replacing lan with wan
>> and vice versa. Now I just need to figure out the best way of blocking
>> access from lan to some wan subnets. Probably not difficult, though it
>> would help if I could find a defined syntax, rather than just examples.
>> Maybe I'm just looking in the wrong place.
>
> I've never used the LuCI Web interface, but this page has plenty of
> details for editing the /etc/config/firewall file:
> https://openwrt.org/docs/guide-user/firewall/firewall_configuration
>

Thanks for the link.

Sylvia.

Subject: Re: Firewalls: Rant
From: Salvador Mirzo
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Wed, 11 Dec 2024 23:39 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: smirzo@example.com (Salvador Mirzo)
Newsgroups: comp.misc
Subject: Re: Firewalls: Rant
Date: Wed, 11 Dec 2024 20:39:40 -0300
Organization: A noiseless patient Spider
Lines: 33
Message-ID: <87bjxhpz5v.fsf@example.com>
References: <lrigkhFkmi4U1@mid.individual.net>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Thu, 12 Dec 2024 00:39:41 +0100 (CET)
Injection-Info: dont-email.me; posting-host="e88128b70b601236abbe8acbed1b8eee";
logging-data="1870736"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/5zVbYrBAp5odtMkuLEhJZdWxNDhM47+I="
Cancel-Lock: sha1:rhZLMcya7A/2L59Svc5JYwVvPyA=
sha1:hus7RMxkHpseA9jO7ktAdmHNCSQ=

Sylvia Else <sylvia@email.invalid> writes:

> Really?
>
> I have to learn a THIRD way of doing firewalling?
>
> First it was ipchains.
>
> Then it was iptables.
>
> Now apparently, that's not good enough, so I have to get my head
> around nftables.

That's wild. I remember telling myself---gotta study ipchains. But
then iptables appeared and I was like---hm, interesting! Maybe my life
will be easier now. Lol. Perhaps I can be glad I never got around to
studying any of them? The nftables website says it's a successor to
iptables.

I think that's not the way to do things. We should not blindly follow
along software development. Remember---many of these things will fall.
Programming languages for instance. If you're still writing Perl or
Lisp, say, you're doing just fine. In fact, you are much more
productive if you just keep using your good tools and let the world move
on.

Of course, perhaps you work in a market that is always high on the new
kid on the block, but then perhaps the best thing is to get out of that
market.

I interviewed with a company in Paris once. They didn't hire me and
called me old school due to C and Lisp. I was a little hurt. I was
their age, but I think they don't care about my teachers' lessons.

Subject: Re: Firewalls: Rant
From: Lawrence D'Oliveiro
Newsgroups: comp.misc
Organization: A noiseless patient Spider
Date: Thu, 12 Dec 2024 01:12 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ldo@nz.invalid (Lawrence D'Oliveiro)
Newsgroups: comp.misc
Subject: Re: Firewalls: Rant
Date: Thu, 12 Dec 2024 01:12:06 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 8
Message-ID: <vjdd95$1q6qt$2@dont-email.me>
References: <lrigkhFkmi4U1@mid.individual.net> <87bjxhpz5v.fsf@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 12 Dec 2024 02:12:06 +0100 (CET)
Injection-Info: dont-email.me; posting-host="f089114b1739cee2d645e6e434e62749";
logging-data="1907549"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX193M1J9TUJetwtW639kPG6f"
User-Agent: Pan/0.161 (Chasiv Yar; )
Cancel-Lock: sha1:fWSpXf0UTaIBvNc9hRtDESR8Zwc=

On Wed, 11 Dec 2024 20:39:40 -0300, Salvador Mirzo wrote:

> I think that's not the way to do things. We should not blindly follow
> along software development. Remember---many of these things will fall.

These “new” ideas have been around for years, decades. They have already
proven themselves in production mission-critical use. They are now
spreading out from there to become commonplace.
