12.2. OpenWRT

To use Firewall Builder with OpenWRT you need to install the following packages on the firewall, using the "ipkg install package.ipk" command:

  • ip

  • ip6tables (if you need IPv6)

  • iptables-mod-extra

  • iptables-utils

  • kmod-ipt-extra

Note

The firewall script generated by Firewall Builder for OpenWRT has a format that allows it to be placed directly in the /etc/init.d/ directory among other OpenWRT startup scripts. Its default name, however, is different from the name of the OpenWRT standard firewall script (which is "firewall"). The script generated by Firewall Builder has name "firewall.fw" by default so it does not overwrite the standard script "firewall". This is done as a precaution, since support for OpenWRT was only added in Firewall Builder v4.0 and we haven't accumulated enough experience with it. If you feel it works well and can be used as a replacement for the standard firewall script, just change the name of the script to "firewall" in the "Compiler" tab of the firewall settings dialog. Instructions in this section explain how to activate the script generated by Firewall Builder, assuming it has the default name "firewall.fw". This way, the standard script is still going to be present on the firewall and you can always switch back to it.

Firewall Builder uses name "fwbuilder.fw" for the generated script for OpenWRT and places it in directory "/etc/init.d/" on the firewall. To make the firewall run it during boot sequence, install the script using the built-in policy installer or copy it to this directory manually, then run the command

/etc/init.d/fwbuilder.fw enable
    

and disable the standard firewall script:

/etc/init.d/firewall disable
    

To activate the firewall and load policy generated by Firewall Builder, use command

/etc/init.d/fwbuilder.fw start
    

To stop the firewall and block all traffic use the command

/etc/init.d/fwbuilder.fw stop
    

An option in the "Compiler" tab of the firewall object in Firewall Builder GUI allows you to make the firewall block all traffic when stopped but still permit ssh connections from preconfigured address of the management machine. This method works both on stable Kamikaze (v7.06) and the latest OpenWRT (v8.09 at the time of Firewall Builder v4.0 release).

In test mode Firewall Builder copies generated firewall script to directory /tmp on the firewall.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.