What's new

Merlin Firewall...???

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

philippeannet

New Around Here
I know Merlin's approach is not to come up with packs of (new) features, but there's one thing I'm seriously lacking in my AC88U's firewall (running Merlin 380.59), namely the ability to define 'cascaded' rules, with a 'deny' or 'allow' tag...

The Network Services Filter is the most appropriate place, but (as far as I could test...) allows only to work in white- or black-list mode, but not both... which is really a pain !! In this form, this is close to unusable...

A sequential list of rules (like in fact on any 'serious' firewall) is really not far away from the current implementation (just allow active 'deny' and active 'allow' rules simultaneously, and the notion of 'priority' in the rules...)

Don't know whether DD-WRT offers this, but anyway, I'd really prefer to stick to Merlin...
 
The router has a number of routing and packet filtering rules and the nat translation that allows multiple lan clients to share the same WAN IP provides some protection against the wild internet, but is it really even a firewall? By default any reply to outgoing messages are allowed through, so you should still use outgoing software firewalls on your PCs to prevent rogue processes 'phoning home'.
You can do whatever you want with Merlin or dd-wrt, they will both be using the Linux iptables configured netfilter tables and chains, which you can modify with user defined scripts. As you understand the order of rules is critical and operate in a first match used mode, but every check needs CPU clock cycles so organisation critical for max throughput.
What specifically do you want to do that you cannot from current web gui? NB see many other threads on use of ipset to block specific countries, or specific users at certain times to specific https websites - it is really not that easy to put something in that your average teenager who understands MAC addresses and proxies won't be able to get around!
 
The first 'stupid' example I had (there are others) was that I have a Xerox printer for which I want to block everything excepted SMTP on port 587 (TCP only, as it's over HTTPS), so I've in fact to block everything from 1:586 in one rule, and another one for the range 588:65535... not really handy...
With white-listing, it's worse... I can say IP xyz (the printer) allowed for port 587... but that will be the only access allowed at all... :-(

The fact that only white- XOR black-list is possible is really poor !!! I'd have removed that, and put a 'deny' or 'allow' flag in the rule itself... I'm aware that this is probably too far away from the original philosophy, but together with the notion of priority, 128 (as the limit is now...) 'allow/deny' rules would already be a HUGE jump forward in functionality...

Now... I'm not stuck in fact... iptables are the way to go... it's just that I don't really see the (real) added value of the Network Services Filter as it's implemented (and/or presented in the GUI) right now... I might also have a look at FirewallBuilder & Co

And for the teens... you're rigth... but ultimately, they'll revert to activating the hotspot on their 4G iPhone's... ;-)

I had already 802.1x (with certificates) running (just for fun...), but I should probably add authentication to the scheme (for the FW), but ultimately, if it's for my wife and myself, I've maybe better things to do...

Regards,
Philippe
 
The Services and Filter page is what is supposed to act as a user-customizable firewall. It's unfortunately not very well designed, and re-implementing it would be beyond the scope of this project.
 
Fully understandable... I'm in fact looking to things like FirewallBuilder (which looks nice... to check whether the output is usable with Merlin...?)
or put an ASA 5508X in the loop... old(er) men also need toys, sometimes... ;-
 
Fully understandable... I'm in fact looking to things like FirewallBuilder (which looks nice... to check whether the output is usable with Merlin...?)
or put an ASA 5508X in the loop... old(er) men also need toys, sometimes... ;-

You can also manually customize the iptables rules through firewall-start or nat-start scripts.
 
Hello Everyone,
I'm running this very nice firmware on my AC88U from some time and the lack of a real GUI usable firewall as astonished me as well.
I work on Check Point appliances so I would like something like the Check Point GUI. Obviously, because I know the costs of that technology I don't expect something equal but at least something with the same working schema so the possibility to write a sequence of Accept/Drop/Reject rules even without objects but with plane IPs.
For example something like this was available on the Billion routers, and when I was considering the acquisition of an home router I selected Asus because of the great Wifi performance and the availability of many things (graphs on usage etc) that wasn't available on Check Point small boxes that were also not running a full version of their O.S. (GAIA).
I really didn't think that the packet filter option was so limited and definitively unused.
I will try with iptables scripts, but I think that the dropped/accepted packet log will not be readable from the GUI and will require SSH access and a tail/grep on some king of log file to store on an external USB key (to make it permanent)?
Because more than one year passed from the last reply on this post, there were any changes on the possibility to implement a real firewall in then GUI?

Thanks in advance
Simone
 
Simone-
You might want to check out https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/
It's a pretty popular add-on script to Merlin's firmware, along with ab-solution. I would suggest you start with installing entware-ng, then the amtm script to get you rolling with ad-blocking and the SkyNet firewall. if you can ssh into your router with a terminal and copy/paste some commands, everything else is basically taken care of for you, so who needs a GUI?
Buon Natale
 
You may want to look at Skynet it's pretty awesome. you can install from within amtm.
 
I know Merlin's approach is not to come up with packs of (new) features, but there's one thing I'm seriously lacking in my AC88U's firewall (running Merlin 380.59), namely the ability to define 'cascaded' rules, with a 'deny' or 'allow' tag...

The Network Services Filter is the most appropriate place, but (as far as I could test...) allows only to work in white- or black-list mode, but not both... which is really a pain !! In this form, this is close to unusable...

A sequential list of rules (like in fact on any 'serious' firewall) is really not far away from the current implementation (just allow active 'deny' and active 'allow' rules simultaneously, and the notion of 'priority' in the rules...)

Don't know whether DD-WRT offers this, but anyway, I'd really prefer to stick to Merlin...
have you tested a new a newer build such as 380.69, to see if its more to your tastes.
 
Simone-
You might want to check out https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/
It's a pretty popular add-on script to Merlin's firmware, along with ab-solution. I would suggest you start with installing entware-ng, then the amtm script to get you rolling with ad-blocking and the SkyNet firewall. if you can ssh into your router with a terminal and copy/paste some commands, everything else is basically taken care of for you, so who needs a GUI?
Buon Natale

Thanks heysoundude and Merry Christmas :) I'm really new of Merlin's world so I'm studying the hints you and others gave me about the amtm script manager software.
Let me say: For sure having a fully working accept/drop/deny firewall managed by gui will be drammatically faster to manage (and much more geek oriented) than having to handle scripts by CLI.
Also I've still not clear how hard will be to have a quick and undestandable view of the packets that are being accepted/dropped.
Let me go deeper and I will come back with my ideas on that. Up to now let me thank everyone who gave me a very good starting point.

Regards
Simone
 
This evening I had some time. Other than the prophetic name, Skynet is a huge and considerably articulated script that creates a set of objects (by ipset) and use them (and also single IPs and or Nets) in iptables to achieve an additional protection.
I didn't understand yet how this script has the ability to learn new entries (the autoban features) but I'm sure that trying to study about 90KByte of text will teach me a lot :)
If I want to add specific drop/permit rules I understood I'll have to write another set of iptables commands to do so.
For example if I want to strictly control a cheap webcam to avoid it to talk to someone that is not me, I'll have to fix his IP and to drop everything that is not NTP or SMTP to my provider's servers to allow the motion detection's alarms to be sent.
I'll not allow anything more because I don't want the cam (or any other cheap IOT device) to be, for example, directly reachable from internet, but only from internal network after having connected to the router by VPN.
I'm not so skilled on iptables but I'll have to turn into :)
 
Hello Vexira, I installed the latest 382_1.2 and the packet filter section is the same (and really poor) as the official firmware.

Regards
Simone
try one of the prebeta test builds see if thiers any changes.
 
try one of the prebeta test builds see if thiers any changes.
I don't think that minor revisions in the firmware will add an entirely new firewall interface. At least not on the scale that @Scheggiaimpazzita is looking for.

103603.png
 
I don't think that minor revisions in the firmware will add an entirely new firewall interface. At least not on the scale that @Scheggiaimpazzita is looking for.

103603.png

Ahahah, love it! Should be fantastic, but even something like this should be fine:
7800%20VoIP%20setup%20firewall.jpg


Because of the base of a GUI is already present on the official firmware, I hope someone will try to realize a full GUI versus iptables.
 
Skynet is powerful but because of my near zero knowledge on iptables is very hard for me to understand how to set up new and specific rules like:
- Allow one specific private IP of my lan to access some external IP or FQDN on specific ports
- Block all other connection "to" and "from" the private lan IP logging them to check what is trying to do that IP and to check for other ports/FQDNs/IPs to allow

I think that new iptables command must be added to /jffs/scripts/firewall-start after the first line that recalls skynet. I'm reading about iptables on various how to but iptables is as powerful as hard to handle and I don't find any specific thread in the forum with the instruction to follow.
 

Thanks, its very similar to other tutorials that I read during these days.
My problem is that even if I'm really familiar with network & security, there are a lot of aspects more related to the linux word that I don't know and I feel myself lost trying to give an explanation.
For example, what are the "chains"? If I issue the following command on my router running Skynet:
iptables -L | grep Chain

I get the following output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 313K packets, 99M bytes)
Chain ACCESS_RESTRICTION (0 references)
Chain FUPNP (0 references)
Chain INPUT_ICMP (1 references)
Chain NSFW (1 references)
Chain PControls (0 references)
Chain PTCSRVLAN (1 references)
Chain PTCSRVWAN (1 references)
Chain SECURITY (1 references)
Chain default_block (0 references)
Chain logaccept (0 references)
Chain logdrop (8 references)
What is the scope/use of each chain? I read something on this:
https://www.digitalocean.com/commun...dive-into-iptables-and-netfilter-architecture
and
https://wiki.archlinux.org/index.php/iptables

but for AsusWRT I didn't find a specific howto with the chain traversal order for the possible flows that can exist.

If I issue a "iptables -L " I got an output only partially readable for me like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun21 any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
0 0 logdrop icmp -- eth0 any anywhere anywhere icmp echo-request
218K 42M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1344 58410 logdrop all -- any any anywhere anywhere state INVALID
58144 9797K PTCSRVWAN all -- !br0 any anywhere anywhere

What is the "target" column?
What is the column after "destination"?

If I issue the same command with -vv after the first part related to the chains I got something more similar to an enterprise approach with rules in sequence, but even there, I have many dark points:

Table `filter'
Hooks: pre/in/fwd/out/post = ffffffff/0/818/f18/ffffffff
Underflows: pre/in/fwd/out/post = ffffffff/780/e80/f18/ffffffff
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `tun21'/XXXXXX..........to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

According to the previous http link there is not only the filter table but I didn't find a command to show alla tables present so I can only search the ones listed in the link so:
filter
nat
mangle
raw
table security seems to be not existent in AsusWRT

What is the number between parentesis after the one that seems to be the rule ID?
What are Hooks and Underflows?
What is "Invflags"? (Inverse flag, related to SPI?)
What are the "Target name", "verdict" and "Match name" fields that may appear in some rules?

Also, when an iptables command is issued I see that are always present the following options that I don't know how to use/manage:
- Chain related, so the new/append/delete/check
- Match (-m) that seems to be something mandatory that tells iptables whats coming next, so if the rule that is going to be set will match destination port or state or ip address or whatever
- Jump (-j) that seems to be something that tells the kernel that after having matched the rule it must jump to another section. That look strange because I expect that there will be the "first match" behavior.

Where have I to put a rule if for example I want to drop all packet to/from internet coming from/to a specific internal host except for some specific sourceIP-destinationIP-SourcePort-DestinationPort sets? Which Table& Chain? I can think that the table is "filter" and the chain is "input"
What kind of match/jump? If I want to log all dropped packet only for that specific host, what have I to do?

I tried to issue a sh /jffs/scripts/firewall stats

but I don't find any of the autoban IP in any rules of all 4 tables, nor with ip address than under the Blacklist label used in the ipset.
I used these commands:
iptables -vL (or -vvL) -t filter
iptables -vL (or -vvL) -t nat
iptables -vL (or -vvL) -t mangle
iptables -vL (or -vvL) -t raw

even using | grep with the IP address or the keywords
Blacklist
BanMalware
Skynet (that from ipsets seems to be a composite objects like group of groups"

To close that very long post (I apologize for that), with enterprise firewalls and their GUI its really easy to do that than with iptables. You have simply to put a permit rule for each allowed flow, add nat if needed, and add a drop rule for specific host with log enabled or relay on the "any drop" rule that every serious enterprise firewall must be set up with. Then you can see logs with another application and search or do statistics as you want.
With iptables it seems a frustrating nightmare, I like to know exactly what I'm doing and I have a lot to walk to reach even a just decent knowledge. There are plenty of pages with explanations but not a single one that explains all in a clear order with schemas and whatelse. Building a puzzle in which every piece is almost new is really challenging :)
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top