[OpenWrt-Devel] Firewall Documentation

Alberto Bursi bobafetthotmail at gmail.com
Thu Aug 9 18:39:06 EDT 2018



On 09/08/2018 16:55, Dave Turvene - Work wrote:
>> On 06/08/2018 22:07, Dave Turvene - Work wrote:
>>> Greetings -
>>>
>>> I cleaned up the documentation in
>>>
>>> https://openwrt.org/docs/guide-user/base-system/log.essentials
>>>
>>> as a prelude to adding a section on iptable logging rules.  The wiki
>>> source just has the following snippet:
>>> "pagequery>@:docs:guide-user:firewall:netfilter-iptables *"
>>>
>>> How do I go about adding a page under (git directory?)
>>> netfilter-iptables so I can document my iptable logging chains/rules?
>>>
>>> Thanks,
>>>
>>> David Turvene
>> you can create the new page by writing the link to it in the browser and
>> then editing the page you land in.
>>
>> For example this is a link to a page called "asdadasd"
>> https://openwrt.org/docs/guide-user/services/automation/asdasdasd
>> Which does not exist yet. Click on the pencil button on the right to
>> edit/create it.
>>
>> You can write the link however you like and it will land in the same
>> "there is no page yet" page and you will be able to create a page there.
>>
>> https://openwrt.org/docs/guide-user/services/automation/domoticz_another_page
>> The page made with that link will then appear automatically in the
>> "automation" category in other pages that show all pages from a specific
>> category, like here
>> https://openwrt.org/docs/guide-user/services/automation/start
>>
>> We actually discussed wiki plugins to let people add new pages with a
>> more intuitive way here
>> https://forum.openwrt.org/t/lede-openwrt-wiki-merge/10861/108 but I
>> didn't yet find the time to do that.
>> -Alberto
> Thanks, I added a page to the firewall configuration section:
>
> https://openwrt.org/docs/guide-user/firewall/iptables-log-forwarded-packets
>
> and then I looked at other pages in the firewall section.  Many, if not
> most, are very old and no longer a good way to set up the firewall.
>
> I started adding a warning to those pages I KNOW are inaccurate but that
> became tedious - especially considering some of the pages are still
> valid but there is a better/less-difficult mechanism. One repeated
> issue I see is the openwrt firewall3 (fw3) user-space executable has
> replaced the need for still-referenced but un-supported executables used
> to generate iptable chains/rules (fwBuilder, Essence, Shorewall).
> Many of the iptable shell scripts are suspicious, confusing, or specific
> to a device configuration - and appear to be from the freifunk effort.
> There are several references to ebtables and nftables - one appears to
> be deprecated and one not integrated.  All the netfilter kernel modules
> and openwrt packages are concisely documented for the 2.6.32 kernel.
>
> So there is a good amount of work to clean up the firewall section -
> which is central to the purpose of openwrt.  I'm willing to clean it up
> but not through-the-web.  I would use emacs to edit multiple markup
> pages quickly.
>
> Maybe it's better to leave this section alone for historical purposes
> and with a deprecation warning like the old wiki.openwrt.org pages?
>
> David Turvene
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Yeah I saw that. Wiki maintainers are notified of each edit in the wiki.
Looks good, follows wiki guidelines.
I cannot say how good it actually is, as I don't know much about manual 
firewall usage.

That said, many thanks for volunteering to do a cleanup, I know it's not
trivial, and it needs someone that actually *knows* how to use the
firewall in the first place, which isn't such a common skill apparently.

I'd say you can go ahead, afaik there is nothing that really *needs* to 
be saved in the firewall section.

Pretty much all current firewall documentation was cloned from the old wiki
(which is now the read-only wiki.openwrt.org), and was at best split up 
or re-arranged a bit by me.
You can easily check this for yourself, if it's already in the old wiki 
(and it's obsolete stuff) it can be safely removed.

People can still access the original legacy info from the old read-only
wiki, if they need legacy info.

-Alberto
