From: Todd Goodman
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
Date: Thu, 21 Apr 2011 08:22:29 -0400
Message-ID: <20110421122229.GA9766@ns1.bonedaddy.net>
In-Reply-To: <87fwpcd8ol.fsf@newsguy.com>
References: <878vv69asl.fsf@newsguy.com> <8739lceqmm.fsf@newsguy.com> <87fwpcd8ol.fsf@newsguy.com>
List-Id: Gentoo Linux mail

* Harry Putnam [110420 15:03]:
> Paul Hartman writes:
>
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29
> > DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300
> > PROTO=UDP SPT=67 DPT=68 LEN=345
> >
> > So it looks like ordinary linux firewall logging... I'm sure you can
> > customize it if you want to, just as you would on a normal machine.
> >
> > Hope that helps :)
>
> Yes, thanks for taking the trouble... When I asked that, I hadn't
> realized that both dd-wrt and openWRT were actually tiny linux OS.
>
> I've been reading more about them since.
>
> It sounds from your report that dd-wrt has some kind of basic firewall
> script in place by default.
>
> Whereas openWRT sounds like you may need to roll your own iptables
> script right off the bat. At least judging from a few posts I've now
> read from their mailing list where people seem to be asking the kinds
> of iptables questions you might find on that list.
>

There is a basic firewall in place with OpenWRT (enabled by default).

There is a web GUI for OpenWRT (as well as with DD-WRT). The web GUI
supports the usual config pages as with other similar home routers.
There's a status page showing the iptables chains with the packet counts
for each rule (the most complicated page to view I'd say). There are
config pages for overall firewall config with default policies and other
things such as zone config. There's a "traffic control" page which lets
you define your filter rules and a "Traffic Redirection" page which
allows you to set up your port forwarding (DNAT).

It's quite easy to configure and doesn't require iptables knowledge.
Though I like very much that the option is there if I want to take
advantage of it.

I've used LEAF for a long time (a small Linux Embedded Firewall
Appliance) and it's great but DD-WRT and OpenWRT have nice GUIs on top
of them and it was very easy to reflash my Buffalo to DD-WRT and then
upgrade from that to OpenWRT.
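As an added illustration (not code from the thread or from either router project), a small Python parser for the netfilter LOG lines Paul quoted above: it splits each kernel log line into its KEY=value fields, keeps bare flags such as DF and SYN, and tallies dropped packets per source, labelling the upstream DHCP server broadcasts (UDP 67 to 68 sent to 255.255.255.255) that make up the noise in those logs. The three DHCP lines are the ones from the post; the TCP line, its MAC and its addresses are constructed.

```python
import re
from collections import Counter
# Constructed sample in the netfilter LOG format quoted in the thread: the three
# DHCP lines are the ones from the post, the TCP line is made up for illustration.
SAMPLE_LOG = """\
Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29 DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300 PROTO=UDP SPT=67 DPT=68 LEN=345
Apr 20 14:42:01 ddwrt kern.warn kernel: [2815008.250000] DROP IN=eth1 OUT= MAC=00:1b:54:c9:4b:d9:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(  # kernel syslog prefix, then the rule's --log-prefix text and fields
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\S+ kernel: \[\s*[\d.]+\] (?P<rest>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    tokens = m.group("rest").split()
    # everything before the first IN= token is the rule's --log-prefix text
    i = next((k for k, t in enumerate(tokens) if t.startswith("IN=")), len(tokens))
    rec["prefix"] = " ".join(tokens[:i])
    for tok in tokens[i:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)   # LEN appears twice (IP, then L4); keep the IP one
        else:
            rec["flags"].append(tok)   # bare flags such as DF, SYN, ACK
    return rec

def classify(rec):
    """Label the cases a home-router admin most often sees among DROP entries."""
    if (rec.get("PROTO") == "UDP" and rec.get("SPT") == "67" and rec.get("DPT") == "68"
            and rec.get("DST") == "255.255.255.255"):
        return "dhcp-offer-broadcast"   # upstream DHCP server chatter, normally harmless
    if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
        return "unsolicited-syn"        # a connection attempt the firewall refused
    return "other"

def summarize(text):
    counts = Counter()   # keyed by (interface, source, proto, dst port, label)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"].startswith("DROP"):
            counts[(rec["IN"], rec["SRC"], rec["PROTO"], rec["DPT"], classify(rec))] += 1
    return counts
```

Feed it `logread` output from the router (or the syslog it forwards) and the counter shows at a glance which sources are just DHCP noise and which are refused connection attempts worth a closer look.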