* Harry Putnam <rea...@newsguy.com> [110420 15:03]:
> Paul Hartman <paul.hartman+gen...@gmail.com> writes:
> 
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29
> > DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300
> > PROTO=UDP SPT=67 DPT=68 LEN=345
> >
> > So it looks like ordinary linux firewall logging... I'm sure you can
> > customize it if you want to, just as you would on a normal machine.
> >
> > Hope that helps :)
> 
> Yes, thanks for taking the trouble... When I asked that, I hadn't
> realized that both dd-wrt and openWRT were actually tiny linux OS.
> 
> I've been reading more about them since.
> 
> It sounds from your report that dd-wrt has some kind of basic firewall
> script in place by default.
> 
> Whereas openWRT sounds like you may need to roll your own iptables
> script right off the bat.  At least judging from a few posts I've now
> read from their mailing list where people seem to be asking the kinds
> of iptables questions you might find on that list.
> 

There is a basic firewall in place with OpenWRT (enabled by default.)

There is a web GUI for OpenWRT (as well as with DD-WRT.)

The web GUI supports the usual config pages as with other similar home
routers.

There's a status page showing the iptables chains with the packet
counts for each rule (the most complicated page to view I'd say.)

There are config pages for overall firewall config with default policies
and other things such as zone config.  There's a "traffic control" page
which lets you define your filter rules and a "Traffic Redirection" page
which allows you to set up your port forwarding (DNAT.)

It's quite easy to configure and doesn't require iptables knowledge.

Though I like very much that the option is there if I want to take
advantage of it.

I've used LEAF for a long time (a small Linux Embedded Firewall
Appliance) and it's great but DD-WRT and OpenWRT have nice GUIs on top
of them and it was very easy to reflash my Buffalo to DD-WRT and then
upgrade from that to OpenWRT.
