[iTeth]

Mod note: Post split from x86 build thread and duplicate post deleted from Broadcom thread because there was no need to cross-post. -kp69

From the point of view of today's network traffic - especially with simultaneous use of VPNs, online gaming, IPTV, streaming, and a staged web server - the default limits (especially 5 packets/sec for UDP and ICMP) are sometimes too low and can cause false blocking of legitimate traffic. I suggest other default values, especially since the defaults will cause problems in most cases, as I also experienced after the update from r60217, which made available in the Firewall configuration, among other things: Filter TCP-SYN floods, Filter UDP floods, Filter Ping Echo request floods:

TCP-SYN: about 300-600 packets/min.
UDP: 50-100 packets/s (especially for VPN, gaming and streaming).
ICMP (Ping): 20-50 packets/s depending on diagnostic needs.

You can start with the defaults:
Filter TCP-SYN floods: 300
Filter UDP floods: 50
Filter Ping Echo request floods: 20

[lexridge]

These new settings do beg some questions.

- Port Scan Blocking: How is this better than just being completely stealth, especially if we have no outside ports opened. If you have ports opened, then it seems more useful.

- When having Tarpit enabled, while the ports are not actually opened, they appear to be. I would think this would potentially create more attacks, as it would make the attacker suspicious and get their friends involved, creating even more unwanted (but totally hung) traffic. Again, stealth mode just seems better, unless you have intentionally opened ports.

- This is a great addition to DD-WRT. The fine tuning will be the key to it.

[Alozaros]

hmmm my R7000 is a VPN client, and ever since i installed the last build 60269 i ve no complains on it streaming, youtube, qbittorent, VPN, videos and ect...all work fine...the odd bit is activate firewall log, high high doesn't produce any output in the log... VPN on or off... I even tested port scanning VPN off or on ... it goes trough no problems...speeds are also fine....checking nvram values all new security futures enabled...as expected this leads me to believe are those working at all...or the log output function is not ok...

for the record: on R7000 Im using the new security futures default values, i do have a security policy with a few risk and ndpi functions enabled (not sure if those are working either as it shows 0 filtered packets interface any and selected IP range and few mac's)
I dont have any troubles with DNS but im using DNScypt-proxyv2 via Entware along with DNSmasq...

I dont have serial on this unit...so not much output i can provide...sry...only router logs...but they show nothing...

Im also behind another router that i believe it could be the coolprint ...

R7000 Its the only router i can test ATM as i can access it physically...im not gonna update R7800 or any other unit until im near by those units...

[TrueAudio]

[ewo32]

[egc]

[lexridge]

[egc]

[strange]

This is weird. I have not been to the grc website in a very long time. With all the discussion about the new firewall features, I figured that it would be a good idea to check my router out. I had my ports probed and everything came back "stealth" but it said that I had failed the test with:

"Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

I have "Anonymous WAN requests (ping)" enabled. WTH? Any ideas?

Edit: I am using a VPN, is it possible that reply is coming from the VPN server?

[lexridge]

[strange]

Thank you for your input. I suspected that it was the VPN.

[kernel-panic69]