OpenWrt Forum Archive

Topic: Kamikaze 7.07 newbie questions

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Background: I'm running a very barebones Kamikaze 7.07 on Asus WL500gp. I'm using 2.6 (openwrt-brcm47xx-2.6-squashfs.trx). I'm new to Kamikaze, but very comfortable with Linux and command line/config files. I don't want wireless, so 2.6 is just fine.

Aside from the random seg faults (https://dev.openwrt.org/ticket/2035), things do seem to be working. I've been testing the port forwarding of the router and sustained transfers and so far so good.

I'd appreciate any help with the following questions:

1) I disabled crond (/etc/init.d/crond disable) and httpd. I don't want httpd. cron didn't seem to have any actual cron jobs to run, so it didn't seem like it was necessary. Any issues with that?

2) Where are the log files? The usual suspects are running (logger, syslogd, klogd), but there is nothing in /var/log. If these are disabled somehow, is there any way to enable them? I seem to have plenty of free RAM (only 10M of 32M is in active use; I wouldn't mind using a couple of megs towards non-persistent logs).

3) I really like /etc/config/firewall. It tremendously simplifies iptables usage. There is one thing I can't figure out how to do: I'd like to "drop" certain ports, but only if they're on the WAN side. For example, I don't want anyone to be able to see port 22 (ssh) from the WAN side, but should be allowed from the LAN side. Is there a simple syntax for this in config/firewall? If not, what is equivalent iptables command and where do I put that?

4) I'm a bit confused about what files are permanent and which are not.  Are all changes to the file system written back to flash storage? If not, which directories (other than /etc/config) are saved? Can I make changes in /etc/rc.d and expect those to survive a reboot?

5) /etc/modules.d enables both ppp and madwifi. I don't want either of those. Can I just remove those files and will it be permanent? Are any of those modules necessary for a plain router on a broadband connection (no wireless)?

6) This may sound a bit crazy, but I gotta ask. Is there a way to disable all file system modifications once I'm happy with my configuration? Can I put the router in read-only mode for security purposes? The only way to change something should be via physical access to the device.

Thanks
Moh
P.S. It might be time to change the Sticky at the top of the forum. Kamikaze seems far enough along now :-) Pretty impressive stuff.

moh wrote:

Background: I'm running a very barebones Kamikaze 7.07 on Asus WL500gp. I'm using 2.6 (openwrt-brcm47xx-2.6-squashfs.trx). I'm new to Kamikaze, but very comfortable with Linux and command line/config files. I don't want wireless, so 2.6 is just fine.

Aside from the random seg faults (https://dev.openwrt.org/ticket/2035), things do seem to be working. I've been testing the port forwarding of the router and sustained transfers and so far so good.

I'd appreciate any help with the following questions:

1) I disabled crond (/etc/init.d/crond disable) and httpd. I don't want httpd. cron didn't seem to have any actual cron jobs to run, so it didn't seem like it was necessary. Any issues with that?

Sorry, where's the question? "Is it safe to disable crond"? As far as I know, yes it is.

2) Where are the log files? The usual suspects are running (logger, syslogd, klogd), but there is nothing in /var/log. If these are disabled somehow, is there any way to enable them? I seem to have plenty of free RAM (only 10M of 32M is in active use; I wouldn't mind using a couple of megs towards non-persistent logs).

Type "logread"

3) I really like /etc/config/firewall. It tremendously simplifies iptables usage. There is one thing I can't figure out how to do: I'd like to "drop" certain ports, but only if they're on the WAN side. For example, I don't want anyone to be able to see port 22 (ssh) from the WAN side, but should be allowed from the LAN side. Is there a simple syntax for this in config/firewall? If not, what is equivalent iptables command and where do I put that?

I think you'll find this is the default: everything is enabled from the LAN side, but blocked from the WAN side. Try it and see.

4) I'm a bit confused about what files are permanent and which are not.  Are all changes to the file system written back to flash storage? If not, which directories (other than /etc/config) are saved? Can I make changes in /etc/rc.d and expect those to survive a reboot?

All files in the filesystem are permanent, except those mounted as ramdisk (i.e. /tmp)

In fact, the root filesystem is a union view of the immutable squashfs filesystem in the original image (which you can find under /rom) and a jffs2 filesystem containing your changes (which you can find under /jffs).

However, if you reflash your unit with a new squashfs image, all your jffs changes will be lost.

5) /etc/modules.d enables both ppp and madwifi. I don't want either of those. Can I just remove those files and will it be permanent? Are any of those modules necessary for a plain router on a broadband connection (no wireless)?

Clearly you don't need madwifi if not using wifi. You might need ppp for your broadband connection, if you are running as a PPPoE client.

"Removing" files won't actually save any space, as it just marks them in /jffs as being invisible. They still exist under /rom. If you want to save space in your image then you'll need to build your own squashfs filesystem from scratch, either using the ImageBuilder (if you have an x86_64 PC) or by rebuilding the whole of OpenWrt entirely from source. This is easier than it sounds: it's really just "make menuconfig" then "make".

I *believe* it's possible to run an entirely jffs system, i.e. jffs root with no squashfs, but have never tried this. This is a risky strategy as it's much easier to brick your router. It also makes less efficient use of flash space, as squashfs compresses lots of small files very well.

6) This may sound a bit crazy, but I gotta ask. Is there a way to disable all file system modifications once I'm happy with my configuration? Can I put the router in read-only mode for security purposes? The only way to change something should be via physical access to the device.

Well, you could modify the startup scripts to leave the root filesystem mounted read-only. Look in /sbin/mount_root. Maybe just changing "remount,rw" to "remount" will be sufficient (but if you brick your router doing this, you are on your own). But someone logging in as root could still remount the filesystem as rw.

Once you're happy that you can build squashfs filesystems, then I guess you could build an image without jffs2 support at all. It really would be unchangeable - all config files would have to be set up at the time you built the image. But I'm not sure this gives you "security". Consider using a strong root password instead, or requiring RSA authentication for ssh access.
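The answer above describes the root filesystem as a union of the read-only squashfs image under /rom and a jffs2 layer holding the changes. A practical consequence is that /rom is a trustworthy baseline you can diff the live system against, both to see exactly what will survive a reboot and as a cheap tamper check once the box is locked down. The script below is an added example, not code from the thread or from OpenWrt; it assumes a busybox with find and cmp, and takes the two root paths as parameters so it can be exercised on scratch directories before being run on the router.

```shell
#!/bin/sh
# Added example (not from the thread): list what the jffs2 overlay has changed
# relative to the immutable squashfs image by comparing the live root against
# the pristine copy mounted under /rom. Paths /rom and / come from the thread;
# both are parameters so the function can be tried on scratch trees. Assumes a
# busybox providing find and cmp.
ROM_DIR="${1:-/rom}"
LIVE_DIR="${2:-/}"

# Print one line per differing file: "modified", "deleted" or "added",
# followed by the path relative to the root. Virtual filesystems and the
# overlay mount points themselves are skipped when walking the live tree.
overlay_changes() {
    rom=$1
    live=$2
    # Everything in the read-only image that is gone or altered in the union view.
    ( cd "$rom" && find . -type f ) | while IFS= read -r f; do
        if [ ! -e "$live/$f" ]; then
            echo "deleted  $f"
        elif ! cmp -s "$rom/$f" "$live/$f"; then
            echo "modified $f"
        fi
    done
    # Everything in the union view that the image never had.
    ( cd "$live" && find . \( -path ./proc -o -path ./sys -o -path ./dev \
                             -o -path ./tmp -o -path ./rom -o -path ./jffs \) -prune \
                          -o -type f -print ) | while IFS= read -r f; do
        [ -e "$rom/$f" ] || echo "added    $f"
    done
}

# Only walk the real router paths when they exist on this host.
if [ -d "$ROM_DIR" ]; then
    overlay_changes "$ROM_DIR" "$LIVE_DIR"
fi
```

Run it with no arguments on the router to see the overlay contents; a clean, freshly configured unit should list only the files you edited yourself. Keep in mind that the comparison trusts the find and cmp binaries on the live system, so for a real integrity check after a suspected compromise run the same comparison from a copy of the squashfs image on another machine.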

Thanks for the answers. They were quite helpful.

candlerb wrote:
moh wrote:

2) Where are the log files?

Type "logread"

Ah! I didn't realize even the system daemons were just busybox. Reading through the busybox man page was informative.

3) I really like /etc/config/firewall. It tremendously simplifies iptables usage. There is one thing I can't figure out how to do: I'd like to "drop" certain ports, but only if they're on the WAN side. For example, I don't want anyone to be able to see port 22 (ssh) from the WAN side, but should be allowed from the LAN side. Is there a simple syntax for this in config/firewall? If not, what is equivalent iptables command and where do I put that?

I think you'll find this is the default: everything is enabled from the LAN side, but blocked from the WAN side. Try it and see.

You're right! An external port scan shows everything as closed. That's great.

"Removing" files won't actually save any space, as it just marks them in /jffs as being invisible.

I seem to have plenty of space so that really wasn't the concern. I just want a lean, mean kernel with no extra baggage. Everything is working fine without ppp and madwifi.

One last question, the basic install (http://forum.openwrt.org/viewtopic.php?id=11451) says to add

        option gateway  192.168.1.254
        option dns      192.168.1.254

what are those for? The gateway and dns options are not completely explained in the docs. There is nothing at that address (.254). So what's up with these entries?

Thanks
Moh
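The default policy turned out to cover question 3, but the original question also asked for the equivalent iptables commands, which are worth having for a non-default port or for a box where the defaults have been loosened. The script below is an added example, not code from the thread or from OpenWrt. It emits the rules as text first so their order can be checked before anything is applied to a router you could lock yourself out of. The interface names are assumptions for a Kamikaze WL500gp with the VLAN layout posted later in this thread (br-lan bridging eth0.0, eth0.1 as WAN) and the state match assumes the conntrack modules are loaded; check `ifconfig` and `lsmod` on your own unit.

```shell
#!/bin/sh
# Added example (not from the thread): explicit iptables equivalent of
# "sshd reachable from the LAN, invisible from the WAN". Interface names are
# assumptions for a Kamikaze WL500gp (br-lan = LAN bridge, eth0.1 = WAN).
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0.1}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rules, one command per line, in the order they must be appended.
# iptables is first-match, so the LAN ACCEPT has to precede the WAN DROP.
ssh_rules() {
    # Do not break replies to sessions the router itself opened
    # (assumes the ipt_state / conntrack modules are loaded).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # sshd reachable from the LAN bridge only.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -j ACCEPT"
    # DROP rather than REJECT: a scanner on the WAN side gets no answer at all.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -j DROP"
}

# 1-based line number of the first emitted rule matching a pattern.
rule_index() {
    ssh_rules | grep -n -- "$1" | cut -d: -f1 | head -n 1
}

# Succeeds only when the LAN ACCEPT precedes the WAN DROP.
ordering_ok() {
    [ "$(rule_index "-i $LAN_IF ")" -lt "$(rule_index "-i $WAN_IF ")" ]
}

# Apply for real; refuses where iptables is absent or the ordering is wrong.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found; dry run only" >&2; return 1; }
    ordering_ok || { echo "rule order wrong, refusing" >&2; return 1; }
    ssh_rules | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ssh_rules
fi
```

Without arguments the script only prints the four commands; `apply` runs them. Rules added this way live in the kernel only, so to make them survive a reboot put the same lines into whatever user-rules hook your version's /etc/init.d/firewall sources at startup, then confirm from the WAN side with a port scan, as was done above, rather than trusting the rule listing alone.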

moh wrote:

One last question, the basic install (http://forum.openwrt.org/viewtopic.php?id=11451) says to add

        option gateway  192.168.1.254
        option dns      192.168.1.254

what are those for? The gateway and dns options are not completely explained in the docs. There is nothing at that address (.254). So what's up with these entries?

It just goes to show, don't believe everything you read :)

You are already picking up defaultroute and DNS settings via DHCP from the DHCP server on your WAN port. That's all you need. You definitely should not add these extra settings pointing to a router that you don't have.

moh wrote:
        option gateway  192.168.1.254
        option dns      192.168.1.254

what are those for?

I run an asus wl500gp with standard settings (kamikaze 7.09) -- well, except for those two lines. Without them I can only access the internet from the router, but not from a machine in the lan. I am quite surprised that those lines are needed for basic functionality but are not included in the default config and are not mentioned in any documentation except the post mentioned above.

So what do those entries do? What is the reason that I need to add them for a standard router config?

Details:

#### VLAN configuration 
config switch eth0
    option vlan0    "1 2 3 4 5*"
    option vlan1    "0 5"


#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0


#### LAN configuration
config interface lan
    option type     bridge
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    '192.168.23.69'
    option netmask    255.255.255.0
    option gateway    '192.168.23.254'
    option dns    '192.168.23.254'

#### WAN configuration
config interface    wan
    option ifname    "eth0.1"
    option proto    'pppoe'
    option username    'username'
    option password    'password'

Best regards,
Jens

(Last edited by pflantz on 22 Feb 2008, 21:58)

The discussion might have continued from here.