Feature Request - Packet Filtering

WeRD
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 9

Posted: Mon Jun 12, 2006 20:56    Post subject: Feature Request - Packet Filtering
First of all, I want to say that DD-WRT is great. I don't think I could function without it now.

I didn't see any formal thread for feature requests, so I'll put it here...

Is there anything in the works for an easy GUI form to add firewall/iptables filters? I know it can be done through telnet/ssh, but I think it would be much better and simpler to be able to do it through a form in the GUI.


Last edited by WeRD on Tue Jun 13, 2006 13:38; edited 1 time in total
Matthiaz
DD-WRT Guru


Joined: 12 Jun 2006
Posts: 634

Posted: Mon Jun 12, 2006 20:59
Administration -> Commands Wink
WeRD
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 9

Posted: Mon Jun 12, 2006 21:23
Hmm, well technically because of the way I worded my question, this is a valid answer. Wink I was aware of this feature, however, it's not quite what I meant. Let me be more specific...

Basically, I'm looking for something like a new sub-tab under (presumably) the Security section for Packet Filtering. It would be a web form that would provide an interface to the iptables command itself.

For instance; say I wanted to block access for specific computers on my network to a specific IP address on the internet; or perhaps I want to prevent a certain internal computer from sending ICMP packets, etc. Using iptables, I can specify a single network ip address, a range of ips, or even a whole group (192.168.1.0/24).

Basically, a GUI interface to the iptables shell command. Something to make it easy to add AND delete rules.
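
The form-to-rule translation requested above, as an added example that is not part of any post in this thread and is not DD-WRT code: a POSIX shell rule builder that accepts only well-formed addresses, protocols and actions, supports both add and delete, and prints the resulting command instead of running it. The function names, the set of form fields and the use of the FORWARD chain are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not DD-WRT code): build one iptables command from web-form
# fields, accepting only well-formed values so no form input reaches the shell.
# Function names, field set and use of the FORWARD chain are assumptions.

# is_ipv4_cidr VALUE: succeed for a.b.c.d or a.b.c.d/len (len 0..32)
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ ${#len} -le 2 ] && [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_rule OP SRC DST PROTO ACTION: print the command, or fail without output.
#   OP is "add" or "delete"; the same match fields serve both, so a rule
#   added through the form can be removed through it as well.
build_rule() {
    case $1 in add) flag=-I ;; delete) flag=-D ;; *) return 1 ;; esac
    is_ipv4_cidr "$2" || return 1     # source: single host or CIDR block
    is_ipv4_cidr "$3" || return 1     # destination: single host or CIDR block
    case $4 in all|tcp|udp|icmp) ;; *) return 1 ;; esac
    case $5 in ACCEPT|DROP|REJECT) ;; *) return 1 ;; esac
    printf 'iptables %s FORWARD -s %s -d %s -p %s -j %s\n' \
        "$flag" "$2" "$3" "$4" "$5"
}

# Constructed sample submissions (private and documentation address ranges)
build_rule add 192.168.1.0/24 203.0.113.10 all DROP     # whole LAN to one host
build_rule add 192.168.1.50 0.0.0.0/0 icmp DROP         # one PC, no ICMP out
build_rule delete 192.168.1.50 0.0.0.0/0 icmp DROP      # remove that rule again
build_rule add '192.168.1.5; reboot' 203.0.113.10 all DROP ||
    echo 'rejected: source is not an IPv4 address or CIDR block'
```

Because every field is matched against a fixed pattern or list before it is placed in the command, a value containing shell metacharacters is refused rather than quoted or escaped.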
dicksons
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 980
Location: Coal Creek Canyon, Colorado

Posted: Mon Jun 12, 2006 23:43
that would be sweet!

there are some soho routers that attempt this but most interfaces are clumsy compared to dd-wrt's UI.

sounds like a lot of systems engineering though to nail down the requirements and make it flexible enough to be useful without being too complex on the front-end and cumbersome on the back-end....

maybe not for the immediate upcoming release ???

_________________
linksys GSv2, Gv4, Gv2, GLv1, G-TM, Buffalo wbr2, whr, whr-hp, whr-g125, wli-tx4-g54hp, Moto wr850gp, Alix.3C2
dicksons
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 980
Location: Coal Creek Canyon, Colorado

Posted: Mon Jun 12, 2006 23:43
sorry duplicate post
_________________
linksys GSv2, Gv4, Gv2, GLv1, G-TM, Buffalo wbr2, whr, whr-hp, whr-g125, wli-tx4-g54hp, Moto wr850gp, Alix.3C2
BG
DD-WRT User


Joined: 07 Jun 2006
Posts: 69
Location: AL/GA

Posted: Tue Jun 13, 2006 1:05
I can see an iptables editable textarea form but coding the interface to work the way you say just seems like a hell of a lot of work. There's an application to do it for you. I think it's called firewall builder or something to that sort.
_________________
WRT54G 3.1
DD-WRT v23 SP1 Final (05/16/06) std

ScrapeTorrent.com -- My Bittorrent Search Site
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

Posted: Tue Jun 13, 2006 1:31    Post subject: Re: Feature Request
WeRD wrote:
Is there anything in the works for an easy GUI form to add firewall/iptables filters?


Look at the DI-604. I carry 2 with me for the times I need to install a router with firewall rules, only 30 bux. BrainSlayer is a busy man. He knows how much we want good firewall rules, and we all know that it takes money to live. Keep paying him so he can keep writing !
ghost48
DD-WRT User


Joined: 07 Jun 2006
Posts: 51

Posted: Tue Jun 13, 2006 12:08
You can use Firewall Builder.

It already has a template for WRT. I think the template refers to Svea$oft but it can be used with DD-WRT as well (it only depends on the interfaces). The interfaces are not changed between Svea$oft and DD-WRT.

It is free for Linux. Windows users are charged a small amount. Smile
WeRD
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 9

Posted: Tue Jun 13, 2006 13:37    Post subject: Feature Request - Packet Filtering
BG wrote:
I can see an iptables editable textarea form but coding the interface to work the way you say just seems like a hell of a lot of work. There's an application to do it for you. I think it's called firewall builder or something to that sort.

ghost48 wrote:
You can use Firewall Builder.

It already has a template for WRT. I think the template refers to Svea$oft but it can be used with DD-WRT as well (it only depends on the interfaces). The interfaces are not changed between Svea$oft and DD-WRT.

It is free for Linux. Windows users are charged a small amount. Smile


Firewall Builder seems like it would do the job, but wouldn't it be nice if it was integrated right into the firmware? Wink If I can find enough free time, I think I might have a go at it myself. I don't have much experience with asp, and as of yet I haven't even looked at the DD-WRT web interface source, but a large part of my job is web coding/design so I'm pretty sure I can do it. I have more experience with PHP, so maybe I'll write a "proof of concept" in PHP for everyone to check out what I mean. Then, if that goes well, I'll port it over to the linksys. (PHP is what I'm good at, and I currently don't have access to any servers that can handle asp - and I don't feel like setting it up Smile )

Like I said, if I can find some free time, I'll let you know how it goes.

(I changed the topic title to provide more info)
WeRD
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 9

Posted: Tue Jun 13, 2006 15:18
I may have gotten myself in over my head Embarassed . Although, the web interface itself isn't what freaks me out...

I had used some simple firewall rules before, but after doing some research, I realized how in-depth and confusing iptables can be. Shocked

Even if I did do this, it would have to be somewhat basic/limited. I don't know if it would even be possible to come up with a web form to support all the iptables features (or even most of them).

We shall see...
mrks
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 15

Posted: Tue Jun 13, 2006 19:06
you have seen why there are no interfaces for firewalls. yes you can do the simple stuff like block a network or unblock a port etc. etc. but if you want to build a really nice firewall you will need to go old school, open the prompt and write the lines.

btw it's not a bad idea to have some simple interface similar to port forwarding page on the router just to block or unblock IPs, subnets and ports

Regards
BigL
DD-WRT User


Joined: 07 Jun 2006
Posts: 79

Posted: Wed Jun 14, 2006 16:48
Maybe you should take a look here - http://www.dd-wrt.com/wiki/index.php/Firewall_Builder
Marcel
DD-WRT Novice


Joined: 14 Jun 2006
Posts: 1

Posted: Wed Jun 14, 2006 23:12
mrks wrote:
you have seen why there are no interfaces for firewalls. yes you can do the simple stuff like block a network or unblock a port etc. etc.


I've seen an iptables editor in webmin (www.webmin.com), it is pretty advanced. But it is scripted in Perl.

Here's an example, it's in french, but you'll get the idea.
http://www.adella.org/spip/article.php3?id_article=23

regards,
M.
WeRD
DD-WRT Novice


Joined: 12 Jun 2006
Posts: 9

Posted: Thu Jun 15, 2006 1:28
Marcel wrote:
mrks wrote:
you have seen why there are no interfaces for firewalls. yes you can do the simple stuff like block a network or unblock a port etc. etc.


I've seen an iptables editor in webmin (www.webmin.com), it is pretty advanced. But it is scripted in Perl.

Here's an example, it's in french, but you'll get the idea.
http://www.adella.org/spip/article.php3?id_article=23

regards,
M.


Thanks! I think this will be a big help in designing an interface.
brakits
DD-WRT Novice


Joined: 16 Jun 2006
Posts: 8

Posted: Tue Jun 20, 2006 16:43
are you still planning on doing this?

I had a few ideas and was considering doing this myself.

First off I think you can reuse a lot of code from the qos rules, especially the L7 filters, they should translate since they are just iptables rules.

Then I think a simplistic set of allow and deny based on port or L7 rules, then maybe like 10-15 checkboxes of "good security" features, like drop source routed frames, or enable syn cookies. whatever. Then maybe have a box that allows you to insert a hand written line of ipchains into the current rules.

then after all that maybe some kind of fail safe that won't let you make your router totally unusable, like start a counter and if the browser doesn't connect within a certain time, it reverts to no rules or whatever. I don't know a good way to do this, just an idea.

anyway let me know what you think, and if you would like help.

thanks