Posted: Mon Jun 12, 2006 20:56 Post subject: Feature Request - Packet Filtering
First of all, I want to say that DD-WRT is great. I don't think I could function without it now.
I didn't see any formal thread for feature requests, so I'll put it here...
Is there anything in the works for an easy GUI form to add firewall/iptables filters? I know it can be done through telnet/ssh, but I think it would be much better and simpler to be able to do it through a form in the GUI.
Last edited by WeRD on Tue Jun 13, 2006 13:38; edited 1 time in total
Hmm, well technically because of the way I worded my question, this is a valid answer. I was aware of this feature, however, it's not quite what I meant. Let me be more specific...
Basically, I'm looking for something like a new sub-tab under (presumably) the Security section for Packet Filtering. It would be a web form that would provide an interface to the iptables command itself.
For instance, say I wanted to block access for specific computers on my network to a specific IP address on the internet; or perhaps I want to prevent a certain internal computer from sending ICMP packets, etc. Using iptables, I can specify a single network IP address, a range of IPs, or even a whole group (192.168.1.0/24).
Basically, a GUI interface to the iptables shell command. Something to make it easy to add AND delete rules.
Joined: 07 Jun 2006 Posts: 980 Location: Coal Creek Canyon, Colorado
Posted: Mon Jun 12, 2006 23:43 Post subject:
that would be sweet!
there are some soho routers that attempt this but most interfaces are clumsy compared to dd-wrt's UI.
sounds like a lot of systems engineering though to nail down the requirements and make it flexible enough to be useful without being too complex on the front-end and cumbersome on the back-end....
maybe not for the immediate upcoming release ??? _________________ linksys GSv2, Gv4, Gv2, GLv1, G-TM, Buffalo wbr2, whr, whr-hp, whr-g125, wli-tx4-g54hp, Moto wr850gp, Alix.3C2
I can see an iptables editable textarea form but coding the interface to work the way you say just seems like a hell of a lot of work. There's an application to do it for you. I think it's called firewall builder or something to that sort. _________________ WRT54G 3.1
DD-WRT v23 SP1 Final (05/16/06) std
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Tue Jun 13, 2006 1:31 Post subject: Re: Feature Request
WeRD wrote:
Is there anything in the works for an easy GUI form to add firewall/iptables filters?
Look at the DI-604. I carry 2 with me for the times I need to install a router with firewall rules, only 30 bux. BrainSlayer is a busy man. He knows how much we want good firewall rules, and we all know that it takes money to live. Keep paying him so he can keep writing!
It already has a template for WRT. I think the template refers to Svea$oft but it can be used with DD-WRT as well (it only depends on the interfaces). The interfaces are not changed between Svea$oft and DD-WRT.
It is free for Linux. Windows users are charged a small amount.
Posted: Tue Jun 13, 2006 13:37 Post subject: Feature Request - Packet Filtering
BG wrote:
I can see an iptables editable textarea form but coding the interface to work the way you say just seems like a hell of a lot of work. There's an application to do it for you. I think it's called firewall builder or something to that sort.
It already has a template for WRT. I think the template refers to Svea$oft but it can be used with DD-WRT as well (it only depends on the interfaces). The interfaces are not changed between Svea$oft and DD-WRT.
It is free for Linux. Windows users are charged a small amount.
Firewall Builder seems like it would do the job, but wouldn't it be nice if it was integrated right into the firmware? If I can find enough free time, I think I might have a go at it myself. I don't have much experience with ASP, and as of yet I haven't even looked at the DD-WRT web interface source, but a large part of my job is web coding/design so I'm pretty sure I can do it. I have more experience with PHP, so maybe I'll write a "proof of concept" in PHP for everyone to check out what I mean. Then, if that goes well, I'll port it over to the Linksys. (PHP is what I'm good at, and I currently don't have access to any servers that can handle ASP - and I don't feel like setting it up.)
Like I said, if I can find some free time, I'll let you know how it goes.
I may have gotten myself in over my head. Although, the web interface itself isn't what freaks me out...
I had used some simple firewall rules before, but after doing some research, I realized how in-depth and confusing iptables can be.
Even if I did do this, it would have to be somewhat basic/limited. I don't know if it would even be possible to come up with a web form to support all the iptables features (or even most of them).
you have seen why there are no interfaces for firewalls. yes you can do the simple stuff like block a network or unblock a port etc. etc. but if you want to build a really nice firewall you will need to go old school, open the prompt and write the lines.
btw it's not a bad idea to have some simple interface similar to the port forwarding page on the router just to block or unblock IPs, subnets and ports
I had a few ideas and was considering doing this myself.
First off I think you can reuse a lot of code from the QoS rules, especially the L7 filters, they should translate since they are just iptables rules.
Then I think a simplistic set of allow and deny based on port or L7 rules, then maybe like 10-15 checkboxes of "good security" features, like drop source routed frames, or enable syn cookies. whatever. Then maybe have a box that allows you to insert a hand written line of ipchains into the current rules.
then after all that maybe some kind of fail safe that won't let you make your router totally unusable, like start a counter and if the browser doesn't connect within a certain time, it reverts to no rules or whatever. I don't know a good way to do this, just an idea.
anyway let me know what you think, and if you would like help.
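As an added example (not DD-WRT's code and not posted by anyone in this thread), here is what a shell back end for the form WeRD describes (block a host, range or subnet from reaching a destination or from sending ICMP, with separate add and delete) plus the fail-safe timer from the last post could look like, in the POSIX sh you would run over telnet/ssh on the router. The chain name gui_filter, the "block SRC DST PROTO" spec format and the /tmp/fw_confirm flag file are assumptions of this example.

```shell
# Added example (not DD-WRT's own code): a tiny back end for the packet
# filtering form discussed above.  Spec lines are "block SRC DST PROTO";
# SRC/DST are an IPv4 address, a CIDR such as 192.168.1.0/24, or "any".
: "${IPTABLES:=iptables}"   # set IPTABLES="echo iptables" to dry-run
CHAIN=gui_filter            # own chain, so the form never touches firmware rules
# Accept only a well-formed IPv4 address or CIDR (or the keyword any).
valid_net() {
    case "$1" in
        any) return 0 ;;
        *[!0-9./]*|*..*|.*|*.|*//*|*/) return 1 ;;
    esac
    addr=${1%%/*}
    pfx=${1#*/}; [ "$pfx" = "$1" ] && pfx=32
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
    return 0
}
# Turn one validated spec into iptables arguments; prints nothing if rejected.
rule_args() {
    src=$1 dst=$2 proto=$3
    valid_net "$src" && valid_net "$dst" || return 1
    case "$proto" in tcp|udp|icmp|all) ;; *) return 1 ;; esac
    args="$CHAIN -p $proto"
    [ "$src" = any ] || args="$args -s $src"
    [ "$dst" = any ] || args="$args -d $dst"
    echo "$args -j DROP"
}
# The two buttons the form needs: add a rule, and delete the same rule again.
fw_add() { a=$(rule_args "$@") || return 1; $IPTABLES -A $a; }
fw_del() { a=$(rule_args "$@") || return 1; $IPTABLES -D $a; }
# Rebuild the chain from a spec on stdin (e.g. the saved form contents).
fw_apply() {
    $IPTABLES -N $CHAIN 2>/dev/null || true
    $IPTABLES -F $CHAIN
    $IPTABLES -D FORWARD -j $CHAIN 2>/dev/null || true   # no duplicate hooks
    $IPTABLES -I FORWARD 1 -j $CHAIN
    while read -r action src dst proto; do
        [ "$action" = block ] || continue
        fw_add "$src" "$dst" "$proto" || echo "skipped bad rule: $src $dst $proto" >&2
    done
}
# Fail-safe: flush the chain after $2 seconds unless /tmp/fw_confirm appears.
fw_apply_with_failsafe() {
    rm -f /tmp/fw_confirm
    fw_apply < "$1"
    ( sleep "${2:-60}"; [ -e /tmp/fw_confirm ] || $IPTABLES -F $CHAIN ) &
}
```

Run `fw_apply_with_failsafe rules.txt 90` from the "Apply" action and have a "keep these rules" button run `touch /tmp/fw_confirm`; if the admin never gets back to the page, the chain is flushed and the router stays reachable.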