|
| 1 | +# OpenWrt Firewall Relationship Visualiser |
| 2 | + |
| 3 | +A single-page browser application for visualising `/etc/config/firewall` relationships. Paste or upload an OpenWrt firewall configuration, map devices to zones, and visually inspect zone-to-zone and device-to-device connectivity. |
| 4 | + |
| 5 | +## Features |
| 6 | + |
| 7 | +- **No Backend Required** — All parsing and analysis happens in your browser; no server, database, or build step needed |
| 8 | +- **Local-First Privacy** — Firewall configs and device mappings stay on your computer and are saved to `localStorage` |
| 9 | +- **Visual Relationship Mapping** — Interactive Cytoscape.js graph showing zone and device connectivity |
| 10 | +- **Zone Analysis** — View zone policies, forwardings, rules, and connectivity matrix |
| 11 | +- **Device Path Testing** — Test specific source-to-destination reachability with optional protocol and port filters |
| 12 | +- **Bulk Host Import** — Import devices from host lists, ARP tables, DHCP leases, or `CSV export` |
| 13 | +- **Session Export/Import** — Save and restore complete analysis sessions as JSON |
| 14 | +- **Multiple Graph Layouts** — Force-directed, circular, and breadth-first layouts |
| 15 | +- **Relationship Filtering** — Show all paths, allowed only, blocked only, zone-only, or device-only relationships |
| 16 | + |
| 17 | +## Quick Start |
| 18 | + |
| 19 | +1. **Open the app**: Open [`public/index.html`](public/index.html) in any modern browser |
| 20 | +2. **Paste your firewall config**: Copy `/etc/config/firewall` from your OpenWrt router and paste it into the textarea |
| 21 | +3. **Map devices to zones**: Add devices with names, IP addresses, and their associated firewall zones (via import or manually) |
| 22 | +4. **Visualise relationships**: The graph renders automatically showing zones, devices, and their connectivity |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +### Getting Firewall Config from OpenWrt |
| 27 | + |
| 28 | +On your OpenWrt router: |
| 29 | + |
| 30 | +```bash |
| 31 | +cat /etc/config/firewall |
| 32 | +``` |
| 33 | + |
| 34 | +Or copy it remotely: |
| 35 | + |
| 36 | +```bash |
| 37 | +scp root@<router-ip>:/etc/config/firewall ./firewall.conf |
| 38 | +``` |
| 39 | + |
| 40 | +### Importing Devices |
| 41 | + |
| 42 | +Use the **Import** section to bulk-load devices from: |
| 43 | + |
| 44 | +- **Host lists** — Plain text format: `IP Hostname zone` |
| 45 | +- **Neighbour/ARP tables** — Output from `ip neighbour` or `arp -a` |
| 46 | +- **DHCP leases** — Output from `/tmp/dhcp.leases` |
| 47 | +- **OpenWrt export CSV** — Generated by the included script |
| 48 | + |
| 49 | +#### Using the Export Script |
| 50 | + |
| 51 | +The `scripts/openwrt_export_hosts.sh` script generates a CSV of all known hosts: |
| 52 | + |
| 53 | +```bash |
| 54 | +scp scripts/openwrt_export_hosts.sh root@<router-ip>:/tmp/ |
| 55 | +ssh root@<router-ip> |
| 56 | +sh /tmp/openwrt_export_hosts.sh |
| 57 | +``` |
| 58 | + |
| 59 | +Output format: `ip,hostname,zone,mac` |
| 60 | + |
| 61 | +### Importing Subnet Mappings |
| 62 | + |
| 63 | +The `scripts/openwrt_export_subnet_mappings.sh` script generates UCI outputs which can be pasted into Subnet Mappings and `Import UCI Subnets` |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +## Technology Stack |
| 68 | + |
| 69 | +| Component | Technology | |
| 70 | +| --- | --- | |
| 71 | +| Markup | HTML5 with semantic structure | |
| 72 | +| Styling | Custom CSS with dark theme and CSS variables | |
| 73 | +| Logic | Vanilla JavaScript (no frameworks or build tools) | |
| 74 | +| Graph Rendering | Cytoscape.js v3.30.4 (loaded from CDN) | |
| 75 | +| Deployment | Static files in `public/` directory | |
| 76 | + |
| 77 | +--- |
| 78 | + |
| 79 | +## Limitations |
| 80 | + |
| 81 | +- **Simplified firewall model** — Does not simulate every fw3/fw4, nftables, iptables, NAT, conntrack, or bridge behavior |
| 82 | +- **Manual device mapping** — Device context depends on user input (not auto-inferred) |
| 83 | +- **Parser scope** — Does not process include files, generated fragments, or complex quoting |
| 84 | +- **No protocol/port matching** — Handles common patterns but not all OpenWrt match expressions |
| 85 | +- **Per-browser storage** — `localStorage` is browser/profile-specific; export sessions to share |
| 86 | + |
| 87 | +--- |
| 88 | + |
| 89 | +## Security & Privacy |
| 90 | + |
| 91 | +✅ **No backend** — All data stays in your browser |
| 92 | +✅ **No external requests** — Cytoscape is run locally is for graph rendering |
| 93 | +✅ **Safe parsing** — User-controlled strings are escaped before HTML insertion |
| 94 | +✅ **Static files** — Can be hosted on any static web server with no special permissions |
| 95 | +✅ **Local persistence** — Uses browser `localStorage` only |
| 96 | + |
| 97 | +--- |
| 98 | + |
| 99 | +## Contributing |
| 100 | + |
| 101 | +For bugs, feature requests, or improvements, see [ARCHITECTURE.md](ARCHITECTURE.md) for technical details about the codebase structure. |
| 102 | + |
| 103 | +## License |
| 104 | + |
| 105 | +See repository for license details. |
0 commit comments