Questions about firewall config (and a quick one about WPA2)

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

dekaru
Posts: 2
Joined: Fri Jun 07, 2013 6:17 pm

Questions about firewall config (and a quick one about WPA2)

Post by dekaru »

Hey. I just took the plunge and flashed Gargoyle 1.5.10 to my WR1043ND. Everything looks peachy, except I have some questions. First off, and this is an easy one - I assume the "WPA 2 PSK" uses AES, right? I mean that would be the logical thing, but wanted to check anyway.

Second, I'd like to know if there are any tutorials on what each option in /etc/config/firewall does. I've taken a look at the OpenWRT wiki page on the matter, but that's quite complicated and convoluted. Yes, it probably features all possible options, but doesn't actually explain the defaults, if you know what I mean. I also saw that there are some Gargoyle-specific settings relating to the firewall.

What I'd like is to understand the defaults, and possibly get a guide to see what I could change (granularly).

For example, in the default config the router responds to ICMP requests. Yes, it rejects them, but I'd like it not to respond at all (stealth and all that). The TP-LINK firmware has a handy option "Ignore ping from WAN", I checked it - and it's done. However, I tried editing the relevant ICMP entry in /etc/config/firewall, from 'REJECT' to 'DROP' and there's no change. (Btw, feature request - add an easy-to-use toggle for this).

What I'd basically like is to find out how much more (or less) secure the default Gargoyle firewall configuration is compared to the TP-LINK firmware I'm coming from (where I did enable the firewall, SPI, DDoS protection, and disabled every "passthrough" option in there). And how I can easily change things.

I have googled this a bit, and did not find anything satisfactory on the matter. People seem to be a lot more preoccupied with QoS and stuff like that rather than the firewall. Well, I'm different (the connection is so good I don't really need QoS), so I thought I'd ask here.

Thanks a bunch in advance.

Oh, and to the devs - thanks for amazing work on this project.
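The REJECT-to-DROP edit described above, worked through as an added example (not code from this thread or from Gargoyle/OpenWrt): a small awk-based editor for the stock `config`/`option` layout of /etc/config/firewall, applied to a constructed sample, so the two stanzas that decide whether WAN pings are answered can be inspected before and after the change. Stanza and option names (`zone` named `wan`, `rule` named `Allow-Ping`) are assumed from the stock OpenWrt file; compare with the file on your router first.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gargoyle/OpenWrt.
set -eu

# Constructed fragment modelled on the stock OpenWrt /etc/config/firewall
# (assumed names; the parser also assumes the stock unquoted "option key value" layout).
SAMPLE_CFG='config zone
    option name     wan
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT

config rule
    option name     Allow-Ping
    option src      wan
    option proto    icmp
    option icmp_type echo-request
    option target   ACCEPT'

# cfg_get NAME OPTION: read a config on stdin, print OPTION from the
# stanza whose "option name" is NAME.
cfg_get() {
    awk -v want="$1" -v opt="$2" '
        /^config[ \t]/ { stanza = "" }
        $1 == "option" && $2 == "name" { stanza = $3 }
        $1 == "option" && $2 == opt && stanza == want { print $3 }'
}

# cfg_set NAME OPTION VALUE: same lookup, but rewrite that option and echo
# the whole config so calls can be piped together.
cfg_set() {
    awk -v want="$1" -v opt="$2" -v val="$3" '
        /^config[ \t]/ { stanza = "" }
        $1 == "option" && $2 == "name" { stanza = $3 }
        $1 == "option" && $2 == opt && stanza == want { $0 = "\toption " opt "\t" val }
        { print }'
}

# Not answering WAN pings takes two changes: the Allow-Ping rule must stop
# ACCEPTing echo-requests, and the wan zone input policy must DROP rather
# than REJECT (REJECT still sends an ICMP error, so the host is visibly up).
# Editing the file alone changes nothing until the firewall is reloaded: on
# the router run "/etc/init.d/firewall restart", then confirm the loaded
# targets with "iptables-save | grep -i icmp".
harden_wan_icmp() { cfg_set Allow-Ping target DROP | cfg_set wan input DROP; }

before_ping_target() { printf '%s\n' "$SAMPLE_CFG" | cfg_get Allow-Ping target; }
after_ping_target()  { printf '%s\n' "$SAMPLE_CFG" | harden_wan_icmp | cfg_get Allow-Ping target; }
after_wan_input()    { printf '%s\n' "$SAMPLE_CFG" | harden_wan_icmp | cfg_get wan input; }
after_wan_output()   { printf '%s\n' "$SAMPLE_CFG" | harden_wan_icmp | cfg_get wan output; }
```

On the router the same functions apply to the real file with `harden_wan_icmp < /etc/config/firewall > /tmp/firewall.new`; review the diff before copying it into place.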

BashfulBladder
Moderator
Posts: 250
Joined: Thu Jan 17, 2013 11:43 pm

Re: Questions about firewall config (and a quick one about WPA2)

Post by BashfulBladder »

The WPA2 PSK is CCMP (AES based).

No idea about the firewall questions.
TP-Link WDR3600 v1.1 running 1.5.10+ L10n-English (Built 20130922 - OpenWrt r38093)
TP-Link WDR4300 running 1.5.10+ i18n-English (Built 20131010 - OpenWrt r38286)

https://github.com/BashfulBladder/gargoyle-plugins/wiki

dekaru
Posts: 2
Joined: Fri Jun 07, 2013 6:17 pm

Re: Questions about firewall config (and a quick one about WPA2)

Post by dekaru »

Thanks.

Honestly, I would have expected a lot more focus to be on security (and the firewall) than what I can see in the wiki and here in the forums.

Hopefully someone can enlighten me still.

kollas24
Posts: 1
Joined: Tue Jun 18, 2013 2:02 am

Re: Questions about firewall config (and a quick one about WPA2)

Post by kollas24 »

Hello.

I am also really interested in this matter of subject.

Is there any information about the security aspect of Gargoyle?

Regards,
kollas

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: Questions about firewall config (and a quick one about WPA2)

Post by DoesItMatter »

For Security - you're going to have to set up a lot of that stuff via the command line (putty ssh into the router and configure this)

You can find firewall / iptables info on the OpenWRT website/wiki

Sometimes you have to reboot for rules to take effect

As far as the WPA2 - yes, by default it's WPA2-AES as that is required by the Wireless-N specification
Soylent Green Is People!
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400

jclarkw
Posts: 7
Joined: Fri Dec 20, 2013 8:26 pm

Re: Questions about firewall config (and a quick one about WPA2)

Post by jclarkw »

DoesItMatter wrote:
For Security - you're going to have to set up a lot of that stuff via the command line (putty ssh into the router and configure this)...

Bummer! This should be a key feature request. Yes, it's great to have the nice GUI configuration of bandwidth allocation, but isn't a primary function of a router to provide security? Wouldn't one expect GUI configuration page(s) for that too? -- jclarkw
