* [gentoo-user] [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-19 3:31 UTC
To: gentoo-user

This is way OT, but this list is such a great resource I suspect the
advice gotten here will be more to the point. ( I have posted to a
network hardware group as well)

I've bumped my home lan router to a gigabit from the old 10/100
(NETGEAR FVS318). I made the move for the gigabit lan ports mainly.
That is, I was happy with other aspects of the old router.

I ended up with a cisco RVS4000 v2.

The cisco solved the gigabit problem with 4 lan ports and even a
gigabit on the Internet port... (which is probably not really doing
any thing on a cable connection). And it wasn't hideously expensive
($112.91).

I could have solved the problem with gigabit switches behind the
router for lan usage, just as well, and may go to that yet, and move
back to the old NETGEAR router.

But somehow I expected the cisco to be something that was `excitingly'
new and fun to play with.

I'm disappointed in the cisco so far as logging is concerned.

The logs give only bare information like this:

  Mar 10 10:24:21 - [Firewall Log-PORT SCAN] TCP Packet - 60.173.11.56 --> 98.217.231.32
  Mar 10 10:24:21 - [Firewall Log-PORT SCAN] TCP Packet - 60.173.11.56 --> 98.217.231.32
  [...]

No mention of which port is involved. Not only on port scans but
ports are never reported. And of course if you wanted to pursue any
of it by way of google, you'd need the port number.

The Old Netgear sent logs like this (wrapped for mail):

  Sat, 2007-07-28 12:00:11 - TCP packet - Source: 161.170.244.20 -
  Destination: 70.131.83.195 - [Invalid sequence number received with
  Reset, dropping packet Src 443 Dst 1385 from WAN]

------- --------- ---=--- --------- --------

I went for the cisco instead of a newer `gigabit' NETGEAR after seeing
several bad reviews about them.

And I just assumed the cisco would have as good or better other
features.

Another little problem is that the Cisco had reached its end of life
and was reported as such by cisco, well before I bought it. But of
course, retailers (not cisco) don't bother to give that kind of info,
but the result is that a kind of blackball list that was part of the
deal is no longer kept up to date.

So, cutting to the chase; can anyone recommend from actual use, a home
lan router that has gigabit lan ports and very configurable/
informative logging options?

ps - I'm not interested in running an old linux or openbsd, machine as
router. Having a silent cool router the size and weight of a medium
book is too appealing.

* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-19 6:02 UTC
To: gentoo-user

On Tuesday 19 April 2011 04:31:38 Harry Putnam wrote:

> So, cutting to the chase; can anyone recommend from actual use, a home
> lan router that has gigabit lan ports and very configurable/
> informative logging options?

Have you gone through the documentation to see if there isn't a more
verbose option for the logs?

Do you get the same condensed format when you capture the logs in your
LAN syslog server?

--
Regards,
Mick

* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 15:56 UTC
To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

> On Tuesday 19 April 2011 04:31:38 Harry Putnam wrote:
>
>> So, cutting to the chase; can anyone recommend from actual use, a home
>> lan router that has gigabit lan ports and very configurable/
>> informative logging options?
>
> Have you gone through the documentation to see if there isn't a more verbose
> option for the logs?

Yes

> Do you get the same condensed format when you capture the logs in your LAN
> syslog server?

I did not try that, but is there some reason to expect a difference?

I have channeled logs to Syslog running on gentoo with at least 2
different routers in the past and saw no difference in the logs.

Do you notice a difference?

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-21 5:55 UTC
To: gentoo-user

On Wednesday 20 April 2011 16:56:15 Harry Putnam wrote:
> Mick <michaelkintzios@gmail.com> writes:

> > Do you get the same condensed format when you capture the logs in your
> > LAN syslog server?
>
> I did not try that, but is there some reason to expect a difference?

No, it shouldn't - after all it is the same log file that you are
accessing, but wasn't sure if the gui condensed what's reported to fit
it in the screen.

> I have channeled logs to Syslog running on gentoo with at least 2
> different routers in the past and saw no difference in the logs.
>
> Do you notice a difference?

I do not have a Cisco router to try it just now, but could you have a
look at how your access lists are defined? Extended ACLs *should* show
ports, as long as ports are used in permit/deny statements and asked to
be logged; e.g.

  access-list 102 permit tcp host 10.10.10.2 eq 0 any eq 0 log

of course IOS versions may change things, but that's how I remember it
worked.

--
Regards,
Mick

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-21 5:58 UTC
To: gentoo-user

On Thursday 21 April 2011 06:55:41 Mick wrote:
> On Wednesday 20 April 2011 16:56:15 Harry Putnam wrote:
> > Mick <michaelkintzios@gmail.com> writes:
> > > Do you get the same condensed format when you capture the logs in your
> > > LAN syslog server?
> >
> > I did not try that, but is there some reason to expect a difference?
>
> No, it shouldn't - after all it is the same log file that you are
> accessing, but wasn't sure if the gui condensed what's reported to fit it
> in the screen.
>
> > I have channeled logs to Syslog running on gentoo with at least 2
> > different routers in the past and saw no difference in the logs.
> >
> > Do you notice a difference?
>
> I do not have a Cisco router to try it just now, but could you have a look
> at how your access lists are defined? Extended ACLs *should* show ports,
> as long as ports are used in permit/deny statements and asked to be
> logged; e.g.
>
> access-list 102 permit tcp host 10.10.10.2 eq 0 any eq 0 log
>
> of course IOS versions may change things, but that's how I remember it
> worked.

Ah! Here's what I found:

http://blog.ioshints.info/2007/06/port-number-not-shown-in-access-list.html

--
Regards,
Mick

* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-22 19:28 UTC
To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

[...]

> Ah! Here's what I found:
> http://blog.ioshints.info/2007/06/port-number-not-shown-in-access-list.html

Thanks for doing so much legwork.

On the cisco RVS4000 v2.. I see no way to enter the syntax shown at
the URL or in your previous post.

I've put a few screen shots online that shows shots of the interface
pages involving IP acls.

They should load in order where the top is a view of the basic
settings.

Next is the page showing existing acls and how they are displayed.

Finally the page available to add/delete acls.

[NOTE: There may be someway to just edit a text file of acls, but if
so I am not aware of it]

www.jtan.com/~reader/vu3/disp.cgi

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-22 22:17 UTC
To: gentoo-user

On 22 April 2011 20:28, Harry Putnam <reader@newsguy.com> wrote:

> On the cisco RVS4000 v2.. I see no way to enter the syntax shown at
> the URL or in your previous post.

The syntax is meant to be used in the cisco configuration file itself.
Using IOS commands you should be able to set up the same ACLs from a
terminal.

> I've put a few screen shots online that shows shots of the interface
> pages involving IP acls.
>
> They should load in order where the top is a view of the basic
> settings.
>
> Next is the page showing existing acls and how they are displayed.
>
> Finally the page available to add/delete acls.

I see what you mean - this GUI seems dumbed down. In this case you
will probably have to get your hands dirty with the CLI.

> [NOTE: There may be someway to just edit a text file of acls, but if
> so I am not aware of it]

On a typical Cisco router you should be able to download/edit/upload
the configuration file from/to the router using tftp and a text
editor, or minicom and a serial cable if the router has a serial port,
or easiest method should be to login via telnet or ssh from your PC
using a terminal and run IOS configuration commands. The Cisco website
has loads of documentation on IOS. Something like this will show you
the ropes (although details vary depending on the version of your
firmware and platform):

http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4/cf_12_4_book.html

BTW, your first step should be to make a back up of the current
configuration file just in case you mess things up!

HTH.
--
Regards,
Mick

* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-25 17:37 UTC
To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

> On a typical Cisco router you should be able to download/edit/upload
> the configuration file from/to the router using tftp and a text
> editor, or minicom and a serial cable if the router has a serial
> port,

When I export the config file, its a binary file, not accessible by
text editor. I can get a pile of humpty dumpty bunk using `strings'
so apparently not intended for text editing at all.

> or easiest method should be to login via telnet or ssh from your PC
> using a terminal and run IOS configuration commands. The Cisco
> website has loads of documentation on IOS. Something like this will
> show you the ropes (although details vary depending on the version of
> your firmware and platform):
>
> http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4/cf_12_4_book.html

Thanks for the site. After looking around there a while I'm not
seeing how to gain a terminal to execute any ios commands.

Neither ssh or telnet are accepted at the router.

Surely its not really necessary to use a special cable and minicom?

A search of the full manual on `ssh' or tftp for that matter, turns up
no hits.

Even the term `command line' turns up nothing useful in the admin
manual.

If I enable `remote admin' it is clearly intended for browser access
on port 8080, and again no obvious route to any cli opportunities. In
fact its not clear even how to connect via a browser for remote admin.

After turning remote admin on, and setting a single IP address to be
able to connect... I still cannot access it for remote admin on 8080.

It seems a really poor users manual or either it expects user to
already have serious knowledge of cisco setups and only require the
most general help.

It appears the intent by cisco is that one should use only the poorly
documented interface for setting up the router.

Of course I can connect using its lan IP and user/passwd, but even
there I see no opportunity to set anything for cmdline access.

Diddling around on ciscos pages seems a serious time waster. Entering
the Router model continually leads to a manual for a different
(wireless) model. Its exasperating because I know there is good
information there somewhere but they do not make it easy to find.

The Disc that came with the router contains the Quick start guide and
a chicken pukky Admin guide that is so bland and uninformative as to
rate as nearly useless.

I'm probably jumping the gun, but this RVS4000 is looking more and
more like some pretty sorry junk to me.

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Paul Hartman @ 2011-04-25 18:20 UTC
To: gentoo-user

On Mon, Apr 25, 2011 at 12:37 PM, Harry Putnam <reader@newsguy.com> wrote:
> Thanks for the site. After looking around there a while I'm not
> seeing how to gain a terminal to execute any ios commands.
>
> Neither ssh or telnet are accepted at the router.

This page shows how to enable the telnet service via a hidden web
config page:

http://rootit.org/2008/06/linksys-rvs4000-p1/

I don't have one, so I haven't tried it myself.

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-25 19:04 UTC
To: gentoo-user

On Monday 25 April 2011 19:20:55 Paul Hartman wrote:
> On Mon, Apr 25, 2011 at 12:37 PM, Harry Putnam <reader@newsguy.com> wrote:
> > Thanks for the site. After looking around there a while I'm not
> > seeing how to gain a terminal to execute any ios commands.
> >
> > Neither ssh or telnet are accepted at the router.
>
> This page shows how to enable the telnet service via a hidden web config
> page:
>
> http://rootit.org/2008/06/linksys-rvs4000-p1/
>
> I don't have one, so I haven't tried it myself.

Ah! Good find Paul. It seems that this router is running Linux,
rather than Cisco IOS ...

The trick then is to access the telnet interface and secure it with
iptables.

--
Regards,
Mick

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-25 18:44 UTC
To: gentoo-user

On Monday 25 April 2011 18:37:31 Harry Putnam wrote:
> Mick <michaelkintzios@gmail.com> writes:
> > On a typical Cisco router you should be able to download/edit/upload
> > the configuration file from/to the router using tftp and a text
> > editor, or minicom and a serial cable if the router has a serial
> > port,
>
> When I export the config file, its a binary file, not accessible by
> text editor.

Huh? This is rather strange. It *should* be a plain text file ... o_O

Would it require some expensive Cisco desktop application to be able to
read/edit it off the machine?!

> Thanks for the site. After looking around there a while I'm not
> seeing how to gain a terminal to execute any ios commands.
>
> Neither ssh or telnet are accepted at the router.

Please try using your browser first to enable telnet:

http://$ROUTER_IP/Hidden_telnet.htm

====================================
WARNING! I'm not sure if this service will be firewalled on the
Internet side of your network! I've heard stories where access is
opened on the public network and is unprotected. Disconnect your
router from the Internet before you try this.
====================================

According to this document there should be a page where you can
enable/disable IP services:

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Frouters%2Fcsbr%2Frvs4000%2Fadministration%2Fguide%2FRVS4000_AG_OL-22605.pdf&pos=2&strqueryid=2&websessionid=1ZZPcuEr9CUldszOmUrXpJy

Not sure if applicable to your router.

> Surely its not really necessary to use a special cable and minicom?

I had a look and can't see a serial port on your machine, so minicom
will not be of use in this case.

> A search of the full manual on `ssh' or tftp for that matter, turns up
> no hits.
>
> Even the term `command line' turns up nothing useful in the admin
> manual.
>
> If I enable `remote admin' it is clearly intended for browser access
> on port 8080, and again no obvious route to any cli opportunities. In
> fact its not clear even how to connect via a browser for remote admin.
>
> After turning remote admin on, and setting a single IP address to be
> able to connect... I still cannot access it for remote admin on 8080.

Did you try this from the Internet, or from within your LAN?

> I'm probably jumping the gun, but this RVS4000 is looking more and
> more like some pretty sorry junk to me.

I can but sympathise with your frustration. They seem to have offered
a dumbed down version of something here which is not readily
recognisable as a Cisco machine. Perhaps all this additional
functionality is only available for their professional grade platforms?

--
Regards,
Mick

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Jake Moe @ 2011-04-25 22:23 UTC
To: gentoo-user

I haven't followed this entire thread, but is there any chance this
isn't really a "Cisco" device as you know it, but a rebranded
"Linksys"? After seeing a picture of the device, and reading that it's
a "Small Business" router, I'd suspect it's a device that came out of
their acquisition of Linksys. That'd explain the different config style
you're seeing.

On 04/26/11 04:44, Mick wrote:
> On Monday 25 April 2011 18:37:31 Harry Putnam wrote:
>> I'm probably jumping the gun, but this RVS4000 is looking more and
>> more like some pretty sorry junk to me.
> I can but sympathise with your frustration. They seem to have offered a
> dumbed down version of something here which is not readily recognisable as a
> Cisco machine. Perhaps all this additional functionality is only available
> for their professional grade platforms

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-26 6:08 UTC
To: gentoo-user

On Monday 25 April 2011 23:23:07 Jake Moe wrote:
> I haven't followed this entire thread, but is there any chance this
> isn't really a "Cisco" device as you know it, but a rebranded
> "Linksys"? After seeing a picture of the device, and reading that it's
> a "Small Business" router, I'd suspect it's a device that came out of
> their acquisition of Linksys. That'd explain the different config style
> you're seeing.

Snap! I was about to say that from what Harry's describing this is
more of a cheaper 'cisco appliance' than a cisco router. Linksys is a
very probable candidate.

In that case you may be able to blast the firmware and install OpenWRT
and the like. Check the chipset first for hardware compatibility to
make sure you won't brick it!

--
Regards,
Mick

* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-26 22:27 UTC
To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

>> After turning remote admin on, and setting a single IP address to be
>> able to connect... I still cannot access it for remote admin on 8080.
>
> Did you try this from the Internet, or from within your LAN?

Inside lan. I guess you are saying that connection is expected be from
outside?

Haven't had the opportunity for that yet. The only remote machine I
have access is to is a shell account on a gentoo machine, so lynx, and
I've seen on home lan that the device responds to lynx telling me I
need a newer browser, when I hit it by IP using lynx.

Jumping up the thread a bit now, after Pauls excellent input. I see
that iptables cmd is known on the OS, but man I really had not wanted
to pound my way thru iptables to the point of competency.

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-27 6:23 UTC
To: gentoo-user

On Tuesday 26 April 2011 23:27:06 Harry Putnam wrote:
> Mick <michaelkintzios@gmail.com> writes:
> >> After turning remote admin on, and setting a single IP address to be
> >> able to connect... I still cannot access it for remote admin on 8080.
> >
> > Did you try this from the Internet, or from within your LAN?
>
> Inside lan. I guess you are saying that connection is expected be from
> outside?

Well, I don't really know what we're dealing with here. If it were a
pure Cisco machine (as opposed to a Linksys) then it may not have
loopback configured and the "remote" admin would only be accessible
from the WAN. It would truly be remote access.

> Haven't had the opportunity for that yet. The only remote machine I
> have access is to is a shell account on a gentoo machine, so lynx, and
> I've seen on home lan that the device responds to lynx telling me I
> need a newer browser, when I hit it by IP using lynx.
>
> Jumping up the thread a bit now, after Pauls excellent input. I see
> that iptables cmd is known on the OS, but man I really had not wanted
> to pound my way thru iptables to the point of competency.

Count yourself lucky. I'd rather have to deal with Linux IP Tables
than IOS any time!

Once you access it via telnet, have a look for any log rules in IP
Tables (/sbin/iptables -L -v -n) and perhaps all we need to do is
modify those.

--
Regards,
Mick

* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-28 5:31 UTC
To: gentoo-user

Mick <michaelkintzios@gmail.com> writes:

>> Jumping up the thread a bit now, after Pauls excellent input. I see
>> that iptables cmd is known on the OS, but man I really had not wanted
>> to pound my way thru iptables to the point of competency.
>
> Count yourself lucky. I'd rather have to deal with Linux IP Tables than IOS
> any time!

Hehe

> Once you access it via telnet, have a look for any log rules in IP Tables
> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.

Yeah I had a look at the lines containing LOG and of course had no
idea of what they meant or how to alter them.

The entire iptables is inlined below... maybe you will know how to alter
them so that ports show up in logs. That is, only if you are still
patient enough to continue.... so far, no one has complained about the
OT thread... but I fear I must be nearing the end of your patient
willingness to continue, if not the lists willingness to allow my OT
thread.

------- --------- ---=--- --------- --------
There only 4 instances of LOG in the tables. But I wonder if it might
just be an increase in log level that is required.

I wanted to try that out, but was a bit chicken, thinking I'd destroy
whatever setup there is that invokes the iptable rules.

Chain INPUT (policy DROP)
target       prot opt source       destination
ACCEPT       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:23
ACCEPT       esp  --  0.0.0.0/0    0.0.0.0/0
ACCEPT       udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:4500
ACCEPT       udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:500
DROP         tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp flags:
ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL
INPUT_UDP    udp  --  0.0.0.0/0    0.0.0.0/0
INPUT_TCP    tcp  --  0.0.0.0/0    0.0.0.0/0
DOS          icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8
ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state NEW

Chain FORWARD (policy DROP)
target       prot opt source       destination
ip_filter    all  --  0.0.0.0/0    0.0.0.0/0
POLICY       icmp --  0.0.0.0/0    0.0.0.0/0
POLICY       udp  --  0.0.0.0/0    0.0.0.0/0
TCPMSS       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp flags:0x06/0x02
POLICY       tcp  --  0.0.0.0/0    0.0.0.0/0
TREND_MICRO  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 http me
DMZ_PASS     all  --  0.0.0.0/0    0.0.0.0/0
ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL
ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state NEW
ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target       prot opt source       destination
ACCEPT       icmp --  0.0.0.0/0    0.0.0.0/0
DROP         icmp --  0.0.0.0/0    0.0.0.0/0    state INVALID

Chain BLOCK (0 references)
target       prot opt source       destination
LOG          all  --  0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
DROP         all  --  0.0.0.0/0    0.0.0.0/0

Chain DMZ_PASS (1 references)
target       prot opt source       destination

Chain DOS (6 references)
target       prot opt source       destination
RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0    limit: avg 200/sec b
RETURN       udp  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL
RETURN       udp  --  0.0.0.0/0    0.0.0.0/0    limit: avg 200/sec b
RETURN       icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8 limit: a
LOG          all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec bu
DROP         all  --  0.0.0.0/0    0.0.0.0/0

Chain FORWARD_TCP (1 references)
target       prot opt source       destination
DOS          tcp  --  0.0.0.0/0    0.0.0.0/0    state INVALID,NEW tc
RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0

Chain FORWARD_UDP (1 references)
target       prot opt source       destination
DOS          udp  --  0.0.0.0/0    0.0.0.0/0
RETURN       udp  --  0.0.0.0/0    0.0.0.0/0

Chain HTTP (0 references)
target       prot opt source       destination

Chain INPUT_TCP (1 references)
target       prot opt source       destination
SCAN         all  --  0.0.0.0/0    0.0.0.0/0    psd weight-threshold
DOS          tcp  --  0.0.0.0/0    0.0.0.0/0    state INVALID,NEW tc
ACCEPT       tcp  --  0.0.0.0/0    192.168.0.20 tcp dpt:30443
DROP         tcp  --  0.0.0.0/0    0.0.0.0/0    multiport dports 23,
RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0

Chain INPUT_UDP (1 references)
target       prot opt source       destination
SCAN         all  --  0.0.0.0/0    0.0.0.0/0    psd weight-threshold
DOS          udp  --  0.0.0.0/0    0.0.0.0/0
ACCEPT       udp  --  68.87.72.13  0.0.0.0/0    udp spt:67 dpt:68
RETURN       udp  --  0.0.0.0/0    0.0.0.0/0

Chain POLICY (3 references)
target       prot opt source       destination
PORT_FORWARD all  --  0.0.0.0/0    0.0.0.0/0
RETURN       all  --  0.0.0.0/0    0.0.0.0/0

Chain PORT_FORWARD (1 references)
target       prot opt source       destination
DOS          icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8
FORWARD_TCP  tcp  --  0.0.0.0/0    0.0.0.0/0
FORWARD_UDP  udp  --  0.0.0.0/0    0.0.0.0/0
RETURN       all  --  0.0.0.0/0    0.0.0.0/0

Chain SCAN (2 references)
target       prot opt source       destination
LOG          all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec bu
DROP         all  --  0.0.0.0/0    0.0.0.0/0

Chain TREND_MICRO (1 references)
target       prot opt source       destination
RETURN       all  --  0.0.0.0/0    0.0.0.0/0

Chain ip_filter (1 references)
target       prot opt source       destination
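
Which of the LOG rules in the listing above a packet can actually reach, worked out from the chain jumps. This is an added example, not part of any post in this thread: it parses an excerpt of the posted `iptables -L -n` output (several chains and rows omitted), and the function names are made up for the illustration.

```python
"""Find which LOG rules in an `iptables -L -n` listing a packet can reach."""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Excerpt of the listing posted in the thread (several chains and rows omitted).
LISTING = """\
Chain INPUT (policy DROP)
target       prot opt source       destination
ACCEPT       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:23
INPUT_TCP    tcp  --  0.0.0.0/0    0.0.0.0/0
DOS          icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8
Chain FORWARD (policy DROP)
target       prot opt source       destination
TCPMSS       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp flags:0x06/0x02
POLICY       tcp  --  0.0.0.0/0    0.0.0.0/0
Chain BLOCK (0 references)
target       prot opt source       destination
LOG          all  --  0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
DROP         all  --  0.0.0.0/0    0.0.0.0/0
Chain DOS (6 references)
target       prot opt source       destination
RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0    limit: avg 200/sec b
LOG          all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec bu
DROP         all  --  0.0.0.0/0    0.0.0.0/0
Chain FORWARD_TCP (1 references)
target       prot opt source       destination
DOS          tcp  --  0.0.0.0/0    0.0.0.0/0    state INVALID,NEW tc
Chain INPUT_TCP (1 references)
target       prot opt source       destination
SCAN         all  --  0.0.0.0/0    0.0.0.0/0    psd weight-threshold
DOS          tcp  --  0.0.0.0/0    0.0.0.0/0    state INVALID,NEW tc
Chain POLICY (3 references)
target       prot opt source       destination
PORT_FORWARD all  --  0.0.0.0/0    0.0.0.0/0
Chain PORT_FORWARD (1 references)
target       prot opt source       destination
FORWARD_TCP  tcp  --  0.0.0.0/0    0.0.0.0/0
Chain SCAN (2 references)
target       prot opt source       destination
LOG          all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec bu
DROP         all  --  0.0.0.0/0    0.0.0.0/0
"""


def parse_listing(text):
    """Return {chain: [(target, proto, match_text), ...]} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split(None, 5)
        if not fields or fields[0] == "target":
            continue  # blank line or column header
        if fields[0] == "Chain":
            current = chains.setdefault(fields[1], [])
        elif current is not None and len(fields) >= 5:
            match_text = fields[5] if len(fields) > 5 else ""
            current.append((fields[0], fields[1], match_text))
    return chains


def entry_points(chains):
    """Map each chain to the built-in chains from which it can be reached."""
    reached = {name: set() for name in chains}
    for root in BUILTIN_CHAINS:
        stack = [root] if root in chains else []
        while stack:
            name = stack.pop()
            if root in reached[name]:
                continue  # already visited from this root
            reached[name].add(root)
            # A target is a jump only when a chain of that name is listed;
            # LOG, DROP, RETURN, TCPMSS and the like are targets, not chains.
            stack.extend(t for t, _, _ in chains[name] if t in chains)
    return reached


def log_rules(chains):
    """List each LOG rule as (chain, built-in chains that lead to it, match)."""
    reached = entry_points(chains)
    return [(name, sorted(reached[name]), match)
            for name, rules in chains.items()
            for target, _, match in rules if target == "LOG"]


if __name__ == "__main__":
    for chain, roots, match in log_rules(parse_listing(LISTING)):
        status = "reachable from " + ", ".join(roots) if roots else "never reached"
        print(f"LOG in {chain:<6} {status:<32} [{match}]")
```

On this excerpt the LOG rule in BLOCK is never reached, so only the rate-limited LOG rules in DOS and SCAN can produce entries.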

* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Todd Goodman @ 2011-04-28 14:36 UTC
To: gentoo-user

* Harry Putnam <reader@newsguy.com> [110428 01:06]:
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.
>
> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs. That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the lists willingness to allow my OT
> thread.
>
> ------- --------- ---=--- --------- --------
> There only 4 instances of LOG in the tables. But I wonder if it might
> just be an increase in log level that is required.

I don't think so. That's the syslog level and changing it might change
if you see the logged entries at all (depending on your syslog config.)

>
> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

You won't really break anything by changing the log levels.

If you're changing things using iptables commands from the shell then
it's unlikely any changes are permanent anyway (everything will go back
to how it was.)

To make a permanent change you'll need to figure how and where the
iptables rules are being loaded from when the system comes up (it might
be using iptables-save and iptables-restore or a firewall script or
similar.)

Now I'm not an expert on iptables logging and I'm sure Mick and/or
someone else will respond too.

I think your iptables output is truncated at 80 columns too so some of
the info is missing at the ends of some of the lines.

Also, I apologize but I forget exactly the traffic for which you're
trying to get the port #'s logged?

But let's go through what's there (apologies if you already know what I
mention:)

First, iptables has different tables that it (netfilter in the kernel)
uses for different purposes.

The one you're interested in (and which you dumped and is the default
for the iptables command if you don't specify one) is the filter table.

Other tables that are of interest for other things are the nat table
and, for most people, to a lesser degree the mangle table.

Inside tables there are standard chains of rules and there are
(potentially) user-defined chains.

The path a packet takes in the system determines which tables and chains
are processed.

>
> Chain INPUT (policy DROP)

The filter table INPUT chain is used when a packet is destined for the
box itself (i.e., not sourced on the box and not being forwarded through
the box.)

The policy is to DROP any packets that aren't matched by terminating
rules (e.g., ACCEPT) in the chain.

> target       prot opt source       destination
> ACCEPT       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:23
> ACCEPT       esp  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT       udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:4500
> ACCEPT       udp  --  0.0.0.0/0    0.0.0.0/0    udp dpt:500

These ACCEPT rules allow certain traffic destined for the router itself.

> DROP         tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp flags:

Other TCP traffic that's not allowed above is dropped if it's a NEW TCP
connection to the router itself (i.e., not a response to TCP traffic
initiated by the router.)

> ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL

This accepts any traffic that's part of a flow initiated from the
router.

> INPUT_UDP    udp  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined INPUT_UDP chain if the packet is a UDP
packet. If that chain reaches the end of its rule list without matching
a terminating rule it will return back here (as with all jumps to other
chains.)

> INPUT_TCP    tcp  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined INPUT_TCP chain if the packet is a TCP
packet

> DOS          icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8

Go process the user defined DOS chain if the packet is a ICMP packet
with icmp type 8

> ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state NEW

ACCEPT all traffic that's in state NEW to the router. Presumably if a
packet hasn't been dropped above or in the user defined chains then the
router wants to see that traffic.

>
> Chain FORWARD (policy DROP)

The filter table FORWARD chain is used when a packet is being forwarded
by the system. The default policy is to DROP packets not matched by any
terminating rules in the chain.

> target       prot opt source       destination
> ip_filter    all  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined ip_filter chain for all packets

> POLICY       icmp --  0.0.0.0/0    0.0.0.0/0

Go process the user defined POLICY chain for ICMP packets

> POLICY       udp  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined POLICY chain for UDP packets

> TCPMSS       tcp  --  0.0.0.0/0    0.0.0.0/0    tcp flags:0x06/0x02

Go process the user defined TCPMSS chain for TCP packets with certain
flags set in the packet

> POLICY       tcp  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined POLICY chain for all TCP packets

> TREND_MICRO  tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 http me

Go process the user defined TREND_MICRO chain for tcp traffic destined
for TCP port 80 (HTTP)

> DMZ_PASS     all  --  0.0.0.0/0    0.0.0.0/0

Go process the user defined DMZ_PASS chain for all traffic

> ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL

ACCEPT any traffic that's already been set up (state RELATED or
ESTABLISHED.)

> ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0    state NEW

ACCEPT any traffic that's being initiated

> ACCEPT       all  --  0.0.0.0/0    0.0.0.0/0

ACCEPT any traffic

>
> Chain OUTPUT (policy ACCEPT)

The filter table OUTPUT chain is for traffic sourced by the router
itself. The default policy is to ACCEPT any traffic initiated by the
router.

> target       prot opt source       destination
> ACCEPT       icmp --  0.0.0.0/0    0.0.0.0/0

Allow any ICMP packets from the router

> DROP         icmp --  0.0.0.0/0    0.0.0.0/0    state INVALID

Drop any invalid ICMP packets

>
> Chain BLOCK (0 references)

User defined chain BLOCK. It's not used by anyone (0 references) so we
can ignore it

> target       prot opt source       destination
> LOG          all  --  0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
> DROP         all  --  0.0.0.0/0    0.0.0.0/0
>
> Chain DMZ_PASS (1 references)
> target       prot opt source       destination

Empty user defined chain DMZ_PASS

>
> Chain DOS (6 references)

User defined DOS chain

> target       prot opt source       destination
> RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0    limit: avg 200/sec b

rate limit TCP packets (return to caller if it's OK)

> RETURN       udp  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABL

Return to caller if it's a RELATED or ESTABLISHED UDP packet

> RETURN       udp  --  0.0.0.0/0    0.0.0.0/0    limit: avg 200/sec b

Rate limit UDP packets (return to caller if it's OK)

> RETURN       icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 8 limit: a

Rate limit ICMP type 8 packets (return to caller if it's OK)

> LOG          all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec bu

Create a log entry

> DROP         all  --  0.0.0.0/0    0.0.0.0/0

And then drop the packet

>
> Chain FORWARD_TCP (1 references)

The user defined FORWARD_TCP chain.

> target       prot opt source       destination
> DOS          tcp  --  0.0.0.0/0    0.0.0.0/0    state INVALID,NEW tc

Call DOS if it's an INVALID or NEW TCP connection

> RETURN       tcp  --  0.0.0.0/0    0.0.0.0/0

Return if it's a TCP packet (it's going to return anyway...)

>
> Chain FORWARD_UDP (1 references)

The user defined FORWARD_UDP chain

> target       prot opt source       destination
> DOS          udp  --  0.0.0.0/0    0.0.0.0/0

Call DOS if it's a UDP packet

> RETURN       udp  --  0.0.0.0/0    0.0.0.0/0

Return if it's a UDP packet

>
> Chain HTTP (0 references)

User defined HTTP chain. No one is using it so we can ignore it.

> target       prot opt source       destination
>
> Chain INPUT_TCP (1 references)

User defined INPUT_TCP chain.
> target prot opt source destination > SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold Call SCAN for any packet that's part of a port scanning attempt (as defined by the parameters to the psd match.) > DOS tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW tc Call DOS for any INVALID or NEW TCP packet > ACCEPT tcp -- 0.0.0.0/0 192.168.0.20 tcp dpt:30443 ACCEPT any TCP packet destined for port 30443 and change the destination IP address to 192.168.0.20 > DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 23, DROP any TCP traffic matching destination ports 23 and the rest that are truncated. > RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 Return if it's a TCP packet > > Chain INPUT_UDP (1 references) The user defined INPUT_UDP chain > target prot opt source destination > SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold Call SCAN if it matches the psd match > DOS udp -- 0.0.0.0/0 0.0.0.0/0 Call DOS if it's a UDP packet > ACCEPT udp -- 68.87.72.13 0.0.0.0/0 udp spt:67 dpt:68 Accept UDP traffic from host 68.87.72.13 with a source port of 67 and a destination port of 68 > RETURN udp -- 0.0.0.0/0 0.0.0.0/0 Return if it's a UDP packet > > Chain POLICY (3 references) User defined POLICY chain > target prot opt source destination > PORT_FORWARD all -- 0.0.0.0/0 0.0.0.0/0 Call PORT_FORWARD for all packets > RETURN all -- 0.0.0.0/0 0.0.0.0/0 RETURN for all packets > > Chain PORT_FORWARD (1 references) User defined PORT_FORWARD chain > target prot opt source destination > DOS icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 Call DOS if it's an ICMP type 8 packet > FORWARD_TCP tcp -- 0.0.0.0/0 0.0.0.0/0 Call FORWARD_TCP if it's a TCP packet > FORWARD_UDP udp -- 0.0.0.0/0 0.0.0.0/0 Call FORWARD_UDP if it's a UDP packet > RETURN all -- 0.0.0.0/0 0.0.0.0/0 RETURN for any packet > > Chain SCAN (2 references) User defined SCAN chain > target prot opt source destination > LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu Log the packet but not more than 10/sec > DROP all -- 0.0.0.0/0 0.0.0.0/0 DROP the 
packet > > Chain TREND_MICRO (1 references) User defined TREND_MICRO chain. It doesn't really do anything > target prot opt source destination > RETURN all -- 0.0.0.0/0 0.0.0.0/0 > > Chain ip_filter (1 references) User defined ip_filter chain. Doesn't do anything > target prot opt source destination > OK, so that's what is going on in your iptables. Without knowing what specific traffic (and the situation) I'm not sure where to look at the LOG rules. Sorry I forget this. All this being said, my LOG rules always include source and destination ports for TCP and UDP traffic. Can you post (or send me in private email) some of your log output to look at? Thanks, Todd ^ permalink raw reply [flat|nested] 48+ messages in thread
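The jump, RETURN and chain-policy behaviour described in the message above, as a small model added here (it is not part of the original post and not the router's code). The rules are a simplified, constructed subset of the posted listing; because the psd and limit matches were cut off at 80 columns, they are replaced by the hypothetical packet flags `scan` and `over_limit`.

```python
# Toy walk of the filter table INPUT path: which verdict a packet gets and
# which chains wrote a LOG entry on the way. Constructed, simplified rules.

POLICY = {"INPUT": "DROP"}          # built-in chain policy from the listing

EST = ("RELATED", "ESTABLISHED")

# Each rule is (match predicate, target). A target is ACCEPT, DROP, RETURN,
# LOG, or the name of a user-defined chain to jump to.
CHAINS = {
    "INPUT": [
        (lambda p: p["proto"] == "tcp" and p["dport"] == 23, "ACCEPT"),
        (lambda p: p["state"] in EST, "ACCEPT"),
        (lambda p: p["proto"] == "udp", "INPUT_UDP"),
        (lambda p: p["proto"] == "tcp", "INPUT_TCP"),
        (lambda p: p["proto"] == "icmp" and p["icmp_type"] == 8, "DOS"),
        (lambda p: p["state"] == "NEW", "ACCEPT"),
    ],
    "INPUT_TCP": [
        (lambda p: p["scan"], "SCAN"),
        (lambda p: p["state"] in ("INVALID", "NEW"), "DOS"),
        (lambda p: p["dport"] == 30443, "ACCEPT"),
        (lambda p: True, "RETURN"),
    ],
    "INPUT_UDP": [
        (lambda p: p["scan"], "SCAN"),
        (lambda p: True, "DOS"),
        (lambda p: True, "RETURN"),
    ],
    "DOS": [
        (lambda p: p["proto"] == "tcp" and not p["over_limit"], "RETURN"),
        (lambda p: p["proto"] == "udp" and p["state"] in EST, "RETURN"),
        (lambda p: p["proto"] == "udp" and not p["over_limit"], "RETURN"),
        (lambda p: p["proto"] == "icmp" and p["icmp_type"] == 8
                   and not p["over_limit"], "RETURN"),
        (lambda p: True, "LOG"),
        (lambda p: True, "DROP"),
    ],
    "SCAN": [
        (lambda p: True, "LOG"),
        (lambda p: True, "DROP"),
    ],
}


def packet(proto, state="NEW", dport=None, icmp_type=None,
           scan=False, over_limit=False):
    """Build a constructed packet description for the model."""
    return dict(proto=proto, state=state, dport=dport, icmp_type=icmp_type,
                scan=scan, over_limit=over_limit)


def walk(chain, pkt, logged):
    """Return ACCEPT/DROP, or None when the chain hands control back."""
    for matches, target in CHAINS[chain]:
        if not matches(pkt):
            continue
        if target == "LOG":            # LOG records and keeps going
            logged.append(chain)
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(target, pkt, logged)   # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return None                        # fell off the end: back to the caller


def filter_input(pkt):
    """Verdict for a packet addressed to the router, plus chains that logged."""
    logged = []
    verdict = walk("INPUT", pkt, logged) or POLICY["INPUT"]
    return verdict, logged


if __name__ == "__main__":
    for p in (packet("tcp", dport=22),
              packet("tcp", dport=22, scan=True),
              packet("udp", dport=53, over_limit=True),
              packet("tcp", state="INVALID", dport=22)):
        print(p["proto"], p["state"], filter_input(p))
```

In this model only the SCAN and DOS chains ever write a log entry; a packet that falls through to the INPUT policy is dropped without one.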
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-30 4:28 UTC
To: gentoo-user

Todd Goodman <tsg@bonedaddy.net> writes:

[...]

> You won't really break anything by changing the log levels.

Todd, your post was really a boost for me.  And thanks for your kind
offer of looking things over.

[...]

Mick wrote:
> No worries!  I'm no iptables guru, but I'm still here!  ;-)

[...]

Mick, your post was another really info packed and helpful response.

This really sucks since I think right now is the proper time to pursue
this stuff full tilt.

However, life is intervening and I am leaving for Atlanta (from Gary
IN) tomorrow with an old beatup 1979 1 ton ford pulling a gooseneck
trailer.  I have quite a lot to do suddenly to get things ready with
the old beater so it will be a good while before I can get back to
this.

I suspect I've about worn out the OT thread by now, so won't renew it,
but I hope I will not be wearing out my welcome if I call on either of
you by private email if I get in deep doo doo, when I do get back at
this.

I think both of your input on this is so full and thorough that I may
be able to get it figured out now without further pestering.
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Todd Goodman @ 2011-04-30 15:02 UTC
To: gentoo-user

* Harry Putnam <reader@newsguy.com> [110430 00:03]:
> Todd Goodman <tsg@bonedaddy.net> writes:
>
> [...]
>
> > You won't really break anything by changing the log levels.
>
> Todd, your post was really a boost for me.  And thanks for your kind
> offer of looking things over.
>
> [...]
>
> Mick wrote:
> > No worries!  I'm no iptables guru, but I'm still here!  ;-)
>
> [...]
>
> Mick, your post was another really info packed and helpful response.
>
> This really sucks since I think right now is the proper time to pursue
> this stuff full tilt.
>
> However, life is intervening and I am leaving for Atlanta (from Gary
> IN) tomorrow with an old beatup 1979 1 ton ford pulling a gooseneck
> trailer.  I have quite a lot to do suddenly to get things ready with
> the old beater so it will be a good while before I can get back to
> this.
>
> I suspect I've about worn out the OT thread by now, so won't renew it,
> but I hope I will not be wearing out my welcome if I call on either of
> you by private email if I get in deep doo doo, when I do get back at
> this.
>
> I think both of your input on this is so full and thorough that I may
> be able to get it figured out now without further pestering.
>

You're welcome and are welcome to contact me via private email.

Good luck on your trip!

Todd
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Mick @ 2011-04-28 16:07 UTC
To: gentoo-user

On 28 April 2011 06:31, Harry Putnam <reader@newsguy.com> wrote:
> Mick <michaelkintzios@gmail.com> writes:

>> Once you access it via telnet, have a look for any log rules in IP Tables
>> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.
>
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.

OK, let's see what you've got here.  The first logging rule is this:

> Chain BLOCK (0 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

In the chain called BLOCK you have rule No.1 with target LOG which is
used to ... log:

  all protocols
  no options
  any source
  any destination
  all(?) flags
  level 4 of verbosity

I assume that setting this to level 6 would show ports too.

> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs.  That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the list's willingness to allow my OT
> thread.

No worries!  I'm no iptables guru, but I'm still here!  ;-)

> There are only 4 instances of LOG in the tables.  But I wonder if it might
> just be an increase in log level that is required.

Yes, level 6, or level 7 (debug) should give you more than the verbosity
required.  Careful though you don't overdo it and flood your logs.  To
guard against this options like --limit-burst or --limit-rate will only
capture some of the initial similar packets and quietly drop the rest.

> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

Yes, that's wise.  You don't want to be inadvertently opening holes in
your firewall ...  This is why you can back up the existing set of rules
and then reinstate it when you need to.  In Gentoo we can see in our
/etc/conf.d/iptables:
==========================================
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
==========================================

Unless you are running some special script at boot up, there's where all
your running rules will be saved:

# /etc/init.d/iptables --verbose save
 * Saving iptables state ...                                   [ ok ]

Then run any commands you want to alter your rule set and if you don't
like it restart/reload your iptables (without saving first) to restore
your previous configuration.

I would therefore recommend that you experiment on your desktop to
achieve the logging level you want and then run the same commands on the
router.  I guess in the router you'll have to reboot it to reset the
rules, or you will need to find the Linksys equivalent command that will
save the running rule set (it may be different to /etc/init.d/iptables
save - most probably something like /sbin/iptables-save with redirection
to a file).

The command you want to run is /sbin/iptables --replace:

  -R, --replace chain rulenum rule-specification
         Replace a rule in the selected chain.  If the source and/or
         destination names resolve to multiple addresses, the command
         will fail.  Rules are numbered starting at 1.

So, to modify the above rule you would run something like:

/sbin/iptables --replace BLOCK 1 -m limit --limit 15/minute -j LOG --log-level 6 --log-prefix "Blocked packets"

This will only replace the above number 1 rule in the BLOCK chain.

> Chain DOS (6 references)
> target     prot opt source               destination
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 200/sec b
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABL
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 200/sec b
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: a
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

To replace the above number 5 rule in the DOS chain you need to follow
my example, but first you have to see more than the options shown above
- I think that your terminal only showed up to a "burst" option and
chopped the rest off?

> Chain SCAN (2 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

Ditto here, you want to replace rule number 1, of the SCAN chain, but
you need to see the complete rule options in the original so that you
can also add them in your command, increasing the level to 6 of course.

Have a look in man iptables for details of the different options.

As I said, try it all out in your desktop, see that you are happy with
the result and then run the 3 commands on your router.  If it gives you
the results you want, then save them in the configuration - once you
find where these rules are saved of course.  Perhaps clicking on the
save button of the GUI will achieve the same result after you have made
all these changes - give it a try and see if it works.

HTH.
-- 
Regards,
Mick
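The step of carrying a rule's complete options into the --replace command, sketched as an added example (not from the original message or from any router firmware). It reads an iptables-save style dump, where rule text is not cut off at 80 columns, numbers the rules per chain and builds one `iptables -R` command for each LOG rule. The dump is constructed: the burst values and prefixes stand in for options the posted listing truncated, and the default prefix of chain name plus a space is an assumption of this sketch.

```python
import shlex

# Constructed dump in the format written by "iptables-save -c" (the -c adds
# the [packets:bytes] counters). Burst values and prefixes are placeholders.
SAMPLE_SAVE = '''\
*filter
:INPUT DROP [0:0]
:BLOCK - [0:0]
:DOS - [0:0]
:SCAN - [0:0]
[0:0] -A BLOCK -j LOG --log-level 4
[0:0] -A BLOCK -j DROP
[9:540] -A DOS -p tcp -m limit --limit 200/sec --limit-burst 100 -j RETURN
[0:0] -A DOS -p udp -m state --state RELATED,ESTABLISHED -j RETURN
[4:312] -A DOS -p udp -m limit --limit 200/sec --limit-burst 100 -j RETURN
[1:84] -A DOS -p icmp -m icmp --icmp-type 8 -m limit --limit 200/sec --limit-burst 100 -j RETURN
[2:120] -A DOS -m limit --limit 10/sec --limit-burst 10 -j LOG --log-prefix "DOS " --log-level 4
[2:120] -A DOS -j DROP
[5:300] -A SCAN -m limit --limit 10/sec --limit-burst 10 -j LOG --log-prefix "SCAN " --log-level 4
[5:300] -A SCAN -j DROP
COMMIT
'''


def set_option(opts, name, value):
    """Return opts with any existing 'name <arg>' pair replaced by name value."""
    out, skip = [], False
    for tok in opts:
        if skip:
            skip = False
        elif tok == name:
            skip = True
        else:
            out.append(tok)
    return out + [name, value]


def log_rule_replacements(save_text, level="6", table="filter"):
    """Build argv lists for 'iptables -R' covering every LOG rule in table.

    The original match options (limit, protocol, ...) are kept unchanged;
    only the LOG target's own options are altered.
    """
    current, position, commands = None, {}, []
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):               # "*filter", "*nat", ...
            current = line[1:]
            continue
        if current != table or not line or line[0] in "#:" or line == "COMMIT":
            continue
        args = shlex.split(line)
        if args[0].startswith("["):            # drop the "-c" counters
            args = args[1:]
        if len(args) < 2 or args[0] != "-A":
            continue
        chain, spec = args[1], args[2:]
        position[chain] = position.get(chain, 0) + 1   # rules count from 1
        if "-j" not in spec:
            continue
        j = spec.index("-j")
        if j + 1 >= len(spec) or spec[j + 1] != "LOG":
            continue
        match, log_opts = spec[:j], spec[j + 2:]
        log_opts = set_option(log_opts, "--log-level", level)
        if "--log-prefix" not in log_opts:     # assumption: chain name as prefix
            log_opts += ["--log-prefix", chain + " "]
        commands.append(["iptables", "-R", chain, str(position[chain])]
                        + match + ["-j", "LOG"] + log_opts)
    return commands


if __name__ == "__main__":
    for argv in log_rule_replacements(SAMPLE_SAVE):
        print(shlex.join(argv))                # review before running as root
```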
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Joost Roeleveld @ 2011-04-19 6:54 UTC
To: gentoo-user

On Monday 18 April 2011 22:31:38 Harry Putnam wrote:

<snipped - Not familiar with CISCO specifics>

> So, cutting to the chase; can anyone recommend from actual use, a home
> lan router that has gigabit lan ports and very configurable/
> informative logging options?

Not familiar with specific types, but I've had best results with the
routers from Zyxel.  The one I used to use (ADSL) would provide a lot of
information via SNMP and other logging-options.
Also, this one had no problem with multiple (1000+) simultaneous
connections.  Which is something other brands suffer from regularly.

> ps - I'm not interested in running an old linux or openbsd, machine as
> router.  Having a silent cool router the size and weight of a medium
> book is too appealing.

I understand the sentiment.  I've since stopped using pre-made routers as
I had the machine running anyway as a home-server and moving the
router/firewall/... onto the server wasn't too much of a change and did
mean I could switch off a small device.

--
Joost
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 16:16 UTC
To: gentoo-user

Joost Roeleveld <joost@antarean.org> writes:

Harry wrote:
>> So, cutting to the chase; can anyone recommend from actual use, a home
>> lan router that has gigabit lan ports and very configurable/
>> informative logging options?

Joost replied:
> Not familiar with specific types, but I've had best results with the routers
> from Zyxel. The one I used to use (ADSL) would provide a lot of information
> via SNMP and other logging-options.
> Also, this one had no problem with multiple (1000+) simultaneous connections.
> Which is something other brands suffer from regularly.

They appear to have only 2 wired routers:
  P-335Plus and P-334

And only 1 or 2 wireless with gigabit.  The top of the line NBG-460N
looks promising but hard to find a price on... I found it listed as low
as $128, so may be a good choice.
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Peter Humphrey @ 2011-04-19 9:15 UTC
To: gentoo-user

On Tuesday 19 April 2011 04:31:38 Harry Putnam wrote:

> I'm not interested in running an old linux or openbsd, machine as router.
> Having a silent cool router the size and weight of a medium book is too
> appealing.

I'm gazing at an Atom box sitting on my window-sill that would be ideal.
It's silent and it has gigabit LAN connections.  It's 8" square by 1 3/8".
Have a look at www.aleutia.com.

--
Rgds
Peter
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 16:23 UTC
To: gentoo-user

Peter Humphrey <peter@humphrey.ukfsn.org> writes:

> On Tuesday 19 April 2011 04:31:38 Harry Putnam wrote:
>
>> I'm not interested in running an old linux or openbsd, machine as router.
>> Having a silent cool router the size and weight of a medium book is too
>> appealing.
>
> I'm gazing at an Atom box sitting on my window-sill that would be ideal. It's
> silent and it has gigabit LAN connections. It's 8" square by 1 3/8". Have a look
> at www.aleutia.com.

Nice, only you can't get a price there for love nor money.  Clicking
on any of the `products' and then the Buy now link doesn't ever show
any price but `0'.  Maybe I should order a dozen or so...
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Dale @ 2011-04-20 18:49 UTC
To: gentoo-user

Harry Putnam wrote:
> Peter Humphrey<peter@humphrey.ukfsn.org> writes:
>
>> On Tuesday 19 April 2011 04:31:38 Harry Putnam wrote:
>>
>>> I'm not interested in running an old linux or openbsd, machine as router.
>>> Having a silent cool router the size and weight of a medium book is too
>>> appealing.
>>>
>> I'm gazing at an Atom box sitting on my window-sill that would be ideal. It's
>> silent and it has gigabit LAN connections. It's 8" square by 1 3/8". Have a look
>> at www.aleutia.com.
>>
> Nice, only you can't get a price there for love nor money.  Clicking
> on any of the `products' and then the Buy now link doesn't ever show
> any price but `0'.  Maybe I should order a dozen or so...
>
>

This may give you an idea.  I got this off their site, after selecting a
configuration for one:

*Product*                                                 *Quantity*  *Price*  *Amount*
T1 Fanless PC with 2GB RAM                                             199.00    199.00
250GB Western Digital Hard Drive (5400RPM, 8MB Cache)                   45.00     45.00
3) Select WLAN                                                           0.00      0.00
No Serial Ports                                                          0.00      0.00
No Operating System                                                      0.00      0.00
Standard build & test ships 6 days after order is placed                 0.00      0.00
1 Year Standard Return to Base Warranty - Free                           0.00      0.00
------------------------------------------------------------------------
*All prices are in British Pounds*   *Subtotal*   244.00
                                     *Delivery*     0.00
------------------------------------------------------------------------
                                     *TOTAL*      244.00

I guess one could use Froogle if you can't buy it across the pond.
Cheap little thing tho.  o_O

Dale

:-)  :-)
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 19:38 UTC
To: gentoo-user

Dale <rdalek1967@gmail.com> writes:

[...]

> I guess one could use Froogle if you can't buy it across the pond.
> Cheap little thing tho.  o_O
>

What is the cpu?

I couldn't tell if you were joking about cheap... ... so is the final
price about $400 US?
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Dale @ 2011-04-20 19:50 UTC
To: gentoo-user

Harry Putnam wrote:
> Dale<rdalek1967@gmail.com> writes:
>
> [...]
>
>> I guess one could use Froogle if you can't buy it across the pond.
>> Cheap little thing tho.  o_O
>>
> What is the cpu?
>

Intel Atom 1.6GHz CPU

> I couldn't tell if you were joking about cheap... ... so is the final
> price about $400 US?
>

I don't really know.  I would assume as I had it configured, that was
the price.  That would sort of be bare bones but for a router, you most
likely don't need anything fancy, unless you are routing some serious
traffic.

I just picked the one I thought was small and cute.  lol

Dale

:-)  :-)
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Peter Humphrey @ 2011-04-20 22:36 UTC
To: gentoo-user

On Wednesday 20 April 2011 20:50:51 Dale wrote:
> Harry Putnam wrote:
> > What is the cpu?
>
> Intel Atom 1.6GHz CPU

N270.

> > I couldn't tell if you were joking about cheap... ... so is the final
> > price about $400 US?
>
> I don't really know.  I would assume as I had it configured, that was
> the price.  That would sort of be bare bones but for a router, you most
> likely don't need anything fancy, unless you are routing some serious
> traffic.

That's just about identical to the one I have.  For a router you'd need
to choose a different model with more Ethernet ports.

> I just picked the one I thought was small and cute.  lol

Oh, it is.  Lovely.  Now all I need to do is to find out what's causing
the disk to spin up every few seconds.  I suspect smartd.

--
Rgds
Peter
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 22:36 UTC
To: gentoo-user

Dale <rdalek1967@gmail.com> writes:

> Harry Putnam wrote:
>> Dale<rdalek1967@gmail.com> writes:
>>
>> [...]
>>
>>> I guess one could use Froogle if you can't buy it across the pond.
>>> Cheap little thing tho.  o_O
>>>
>> What is the cpu?
>>
>
> Intel Atom 1.6GHz CPU
>
>> I couldn't tell if you were joking about cheap... ... so is the final
>> price about $400 US?

> I don't really know.  I would assume as I had it configured, that was
> the price.  That would sort of be bare bones but for a router, you
> most likely don't need anything fancy, unless you are routing some
> serious traffic.
>
> I just picked the one I thought was small and cute.  lol

Your previous post showed this as total.

  *All prices are in British Pounds*   *Subtotal*   244.00
                                       *Delivery*     0.00
  ------------------------------------------------------------------------
                                       *TOTAL*      244.00

244 british pounds is just a hair under $400

So do you think $400 is pretty cheap for a home lan router?
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Dale @ 2011-04-20 23:35 UTC
To: gentoo-user

Harry Putnam wrote:
> Dale<rdalek1967@gmail.com> writes:
>
>> Harry Putnam wrote:
>>
>>> Dale<rdalek1967@gmail.com> writes:
>>>
>>> [...]
>>>
>>>> I guess one could use Froogle if you can't buy it across the pond.
>>>> Cheap little thing tho.  o_O
>>>>
>>> What is the cpu?
>>>
>> Intel Atom 1.6GHz CPU
>>
>>> I couldn't tell if you were joking about cheap... ... so is the final
>>> price about $400 US?
>>>
>
>> I don't really know.  I would assume as I had it configured, that was
>> the price.  That would sort of be bare bones but for a router, you
>> most likely don't need anything fancy, unless you are routing some
>> serious traffic.
>>
>> I just picked the one I thought was small and cute.  lol
>>
> Your previous post showed this as total.
>
>    *All prices are in British Pounds*   *Subtotal*   244.00
>                                         *Delivery*     0.00
>    ------------------------------------------------------------------------
>                                         *TOTAL*      244.00
>
> 244 british pounds is just a hair under $400
>
> So do you think $400 is pretty cheap for a home lan router?
>
>

Well, I have no idea what the conversion from British Pounds to US
dollars would be.  I assume you are correct.  I was thinking it was the
other way around tho.  That said, since he wants something more than a
LinkSys router, it's going to cost something.  Me, I got me a $10.00
refurbed LinkSys and called it a day.  Thing is, I don't need anything
fast or expensive.  I did want something that was cheap on power tho.
Trying to cut back a bit on the old watt meter.  I already got two
freezers running here.  One could build a bare bones rig and just use
that.  I'm not sure it would be much cheaper tho.  May use more power
from the wall too.  That is why I picked the fanless version.  I figured
if it needed no fans, it can't pull too much power.  It also seemed to
have lots of CPU speed for a router.

$400.00 for a router . . .  that better be one HECK of a router.  Maybe
wash dishes or something too.  o_O

Dale

:-)  :-)
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Pandu Poluan @ 2011-04-21 5:37 UTC
To: gentoo-user

On Thu, Apr 21, 2011 at 06:35, Dale <rdalek1967@gmail.com> wrote:
> Harry Putnam wrote:
>>
>> Dale<rdalek1967@gmail.com> writes:
>>
>> Your previous post showed this as total.
>>
>>    *All prices are in British Pounds*   *Subtotal*   244.00
>>                                         *Delivery*     0.00
>>    ------------------------------------------------------------------------
>>                                         *TOTAL*      244.00
>>
>> 244 british pounds is just a hair under $400
>>
>> So do you think $400 is pretty cheap for a home lan router?
>>
>>
>
> Well, I have no idea what the conversion from British Pounds to US dollars
> would be.  I assume you are correct.  I was thinking it was the other way
> around tho.  That said, since he wants something more than a LinkSys router,
> it's going to cost something.  Me, I got me a $10.00 refurbed LinkSys and
> called it a day.  Thing is, I don't need anything fast or expensive.  I did
> want something that was cheap on power tho.  Trying to cut back a bit on the
> old watt meter.  I already got two freezers running here.  One could build a
> bare bones rig and just use that.  I'm not sure it would be much cheaper
> tho.  May use more power from the wall too.  That is why I picked the
> fanless version.  I figured if it needed no fans, it can't pull too much
> power.  It also seemed to have lots of CPU speed for a router.
>
> $400.00 for a router . . .  that better be one HECK of a router.  Maybe wash
> dishes or something too.  o_O
>
> Dale
>
> :-)  :-)
>
>

Meh.  With $400, you can buy 5 (five!) of those Mikrotik RB750G @ $70

http://routerboard.com/index.php?showProduct=90

(Excl. S&H, of course)

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Pandu Poluan @ 2011-04-19 10:17 UTC
To: gentoo-user

On Tue, Apr 19, 2011 at 10:31, Harry Putnam <reader@newsguy.com> wrote:
> This is way OT, but this list is such a great resource I suspect the
> advice gotten here will be more to the point. ( I have posted to a
> network hardware group as well)
>
> I've bumped my home lan router to a gigabit from the old 10/100
> (NETGEAR FVS318).
>
> I made the move for the gigabit lan ports mainly.  That is, I was
> happy with other aspects of the old router.  I ended up with a cisco
> RVS4000 v2.
>
> The cisco solved the gigabit problem with 4 lan ports and even a
> gigabit on the Internet port... (which is probably not really doing
> any thing on a cable connection).  And it wasn't hideously
> expensive ($112.91).
>
> I could have solved the problem with gigabit switches behind the
> router for lan usage, just as well, and may go to that yet, and move
> back to the old NETGEAR router.  But somehow I expected the cisco to
> be something that was `excitingly' new and fun to play with.
>
> I'm disappointed in the cisco so far as logging is concerned.
>
> The logs give only bare information like this:
>
>  Mar 10 10:24:21 - [Firewall Log-PORT SCAN] TCP Packet - 60.173.11.56 --> 98.217.231.32
>  Mar 10 10:24:21 - [Firewall Log-PORT SCAN] TCP Packet - 60.173.11.56 --> 98.217.231.32
>  [...]
>
> No mention of which port is involved.  Not only on port scans but
> ports are never reported.  And of course if you wanted to pursue any
> of it by way of google, you'd need the port number.
>
> The Old Netgear sent logs like this (wrapped for mail):
>
>  Sat, 2007-07-28 12:00:11 - TCP packet - Source: 161.170.244.20 -
>  Destination: 70.131.83.195 - [Invalid sequence number received with
>  Reset, dropping packet Src 443 Dst 1385 from WAN]
>
> ------- --------- ---=--- --------- --------
>
> I went for the cisco instead of a newer `gigabit' NETGEAR after seeing
> several bad reviews about them.  And I just assumed the cisco would
> have as good or better other features.
>
> Another little problem is that the Cisco had reached its end of life
> and was reported as such by cisco, well before I bought it.  But of
> course, retailers (not cisco) don't bother to give that kind of info,
> but the result is that a kind of blackball list that was part of the
> deal is no longer kept up to date.
>
> So, cutting to the chase; can anyone recommend from actual use, a home
> lan router that has gigabit lan ports and very configurable/
> informative logging options?
>
> ps - I'm not interested in running an old linux or openbsd, machine as
> router.  Having a silent cool router the size and weight of a medium
> book is too appealing.
>

Have you checked out Mikrotik's RB750G?  5 GbE ports:

http://routerboard.com/pricelist/download_file.php?file_id=256

Mikrotik OS is Linux-based, the firewall is Netfilter-based, and it's
Lua-scriptable.

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Stroller @ 2011-04-19 10:18 UTC
To: gentoo-user

On 19/4/2011, at 4:31am, Harry Putnam wrote:
> ...
> So, cutting to the chase; can anyone recommend from actual use, a home
> lan router that has gigabit lan ports and very configurable/
> informative logging options?
>
> ps - I'm not interested in running an old linux or openbsd, machine as
> router. Having a silent cool router the size and weight of a medium
> book is too appealing.

Consider OpenWRT. You can run it on something like the Netgear WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you don't need wifi.

Stroller.
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: Paul Hartman @ 2011-04-19 14:50 UTC
To: gentoo-user

On Tue, Apr 19, 2011 at 5:18 AM, Stroller <stroller@stellar.eclipse.co.uk> wrote:
>
> On 19/4/2011, at 4:31am, Harry Putnam wrote:
>> ...
>> So, cutting to the chase; can anyone recommend from actual use, a home
>> lan router that has gigabit lan ports and very configurable/
>> informative logging options?
>>
>> ps - I'm not interested in running an old linux or openbsd, machine as
>> router. Having a silent cool router the size and weight of a medium
>> book is too appealing.
>
> Consider OpenWRT. You can run it on something like the Netgear WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you don't need wifi.

I have WZR-HP-G300NH (running DD-WRT), if you don't plan on using wifi
it would be great. The wifi is really unstable and I couldn't
recommend this device if you're a heavy wifi user, but the wired
portion works great, the device itself is by far the fastest I've ever
owned, and it has a USB port so you can attach external storage in
case you want to use it as a server, too.

If your wifi users are limited to web browsing/email it would probably
be okay for that, but if you do anything with persistent open
connections (ssh, gaming, streaming movies) then you'll quickly pull
your hair out in frustration at the constant wifi stalls and
disconnects.

The good news about the bad wifi is that the constant negative reviews
and dissatisfied customers have forced the price down really low, I
got mine for about $50. :)
* Re: [gentoo-user] [OT router advice] a router capable of detailed logs
From: W.Kenworthy @ 2011-04-20 2:01 UTC
To: gentoo-user

On Tue, 2011-04-19 at 09:50 -0500, Paul Hartman wrote:
> On Tue, Apr 19, 2011 at 5:18 AM, Stroller
> <stroller@stellar.eclipse.co.uk> wrote:
> >
> > On 19/4/2011, at 4:31am, Harry Putnam wrote:
> >> ...
> >> So, cutting to the chase; can anyone recommend from actual use, a home
> >> lan router that has gigabit lan ports and very configurable/
> >> informative logging options?
> >>
> >> ps - I'm not interested in running an old linux or openbsd, machine as
> >> router. Having a silent cool router the size and weight of a medium
> >> book is too appealing.
> >
> > Consider OpenWRT. You can run it on something like the Netgear WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you don't need wifi.
>
> I have WZR-HP-G300NH (running DD-WRT), if you don't plan on using wifi
> it would be great. The wifi is really unstable and I couldn't
> recommend this device if you're a heavy wifi user, but the wired
> portion works great, the device itself is by far the fastest I've ever
> owned, and it has a USB port so you can attach external storage in
> case you want to use it as a server, too.
>
> If your wifi users are limited to web browsing/email it would probably
> be okay for that, but if you do anything with persistent open
> connections (ssh, gaming, streaming movies) then you'll quickly pull
> your hair out in frustration at the constant wifi stalls and
> disconnects.
>
> The good news about the bad wifi is that the constant negative reviews
> and dissatisfied customers have forced the price down really low, I
> got mine for about $50. :)
>

I have this device and am using Firmware: DD-WRT v24-sp2 (08/07/10) std
- it's been totally stable since I dumped the buffalo firmware. My son
plays windoze online games and I often move large files around as well
as stream mythtv across it - no problems at all. Until I started
powering the systems down at night (power charges went up :) it would
stay up for over a month at a time and it was never a crash as to why it
was restarted - usually power, or reconfiguration.

BillK
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 18:50 UTC
To: gentoo-user

"W.Kenworthy" <billk@iinet.net.au> writes:

> I have this device and am using Firmware: DD-WRT v24-sp2 (08/07/10) std
> - it's been totally stable since I dumped the buffalo firmware. My son
> plays windoze online games and I often move large files around as well
> as stream mythtv across it - no problems at all. Until I started
> powering the systems down at night (power charges went up :) it would
> stay up for over a month at a time and it was never a crash as to why it
> was restarted - usually power, or reconfiguration.

Sorry to bug you again after already asking about logs, but I'm having
trouble really telling much about the system at dd-wrt.com/wiki.

Can you set it up so that logs are mailed rather than sent to syslog?
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 18:15 UTC
To: gentoo-user

Stroller <stroller@stellar.eclipse.co.uk> writes:

> Consider OpenWRT. You can run it on something like the Netgear
> WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you
> don't need wifi.

I don't need wifi, but of course OpenWRT won't run on the cisco.
But that WZR-HP-G300NH is looking promising.

Paul Hartman <paul.hartman+gentoo@gmail.com> writes:

[...]

> I have WZR-HP-G300NH (running DD-WRT), if you don't plan on using wifi
> it would be great. The wifi is really unstable and I couldn't
> recommend this device if you're a heavy wifi user, but the wired
> portion works great, the device itself is by far the fastest I've ever
> owned, and it has a USB port so you can attach external storage in
> case you want to use it as a server, too.

Can you make any comment about the logging capabilities?

"W.Kenworthy" <billk@iinet.net.au> writes:

[...]

> I have this device and am using Firmware: DD-WRT v24-sp2 (08/07/10) std
> - it's been totally stable since I dumped the buffalo firmware. My son
> plays windoze online games and I often move large files around as well
> as stream mythtv across it - no problems at all. Until I started
> powering the systems down at night (power charges went up :) it would
> stay up for over a month at a time and it was never a crash as to why it
> was restarted - usually power, or reconfiguration.

Maybe you can make some comment about logging capabilities? Maybe one
or both of you might be willing to post a log sample?
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Todd Goodman @ 2011-04-20 18:15 UTC
To: gentoo-user

* Harry Putnam <reader@newsguy.com> [110420 13:51]:
> Stroller <stroller@stellar.eclipse.co.uk> writes:
>
> > Consider OpenWRT. You can run it on something like the Netgear
> > WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you
> > don't need wifi.
>
> I don't need wifi, but of course OpenWRT won't run on the cisco
> But that WZR-HP-G300NH is looking promising.

I've just purchased one and it arrived today and I installed DD-WRT and
then upgraded to OpenWRT.

It's working well but obviously I've only just started working with it.

>
> Paul Hartman <paul.hartman+gentoo@gmail.com> writes:
>
> [...]
>
> > I have WZR-HP-G300NH (running DD-WRT), if you don't plan on using wifi
> > it would be great. The wifi is really unstable and I couldn't
> > recommend this device if you're a heavy wifi user, but the wired
> > portion works great, the device itself is by far the fastest I've ever
> > owned, and it has a USB port so you can attach external storage in
> > case you want to use it as a server, too.
>
> Can you make any comment about the logging capabilities?

OpenWRT is running the BusyBox syslogd by default. I doubt it would take
much to build a syslog-ng (or whatever other logger you prefer) if there
isn't already a package for it.

Oh, I see that there already are syslog-ng (1.6.12-2) and syslog-ng3
(3.0.5-1) packages.

You have iptables support so you can do pretty much anything you like
with regards to logging.

Todd

>
> "W.Kenworthy" <billk@iinet.net.au> writes:
>
> [...]
>
> > I have this device and am using Firmware: DD-WRT v24-sp2 (08/07/10) std
> > - it's been totally stable since I dumped the buffalo firmware. My son
> > plays windoze online games and I often move large files around as well
> > as stream mythtv across it - no problems at all. Until I started
> > powering the systems down at night (power charges went up :) it would
> > stay up for over a month at a time and it was never a crash as to why it
> > was restarted - usually power, or reconfiguration.
>
> Maybe you can make some comment about logging capabilities? Maybe one
> or both of you might be willing to post a log sample?
>
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 19:01 UTC
To: gentoo-user

Todd Goodman <tsg@bonedaddy.net> writes:

> OpenWRT is running the BusyBox syslogd by default. I doubt it would take
> much to build a syslog-ng (or whatever other logger you prefer) if there
> isn't already a package for it.
>
> Oh, I see that there already are syslog-ng (1.6.12-2) and syslog-ng3
> (3.0.5-1) packages
>
> You have iptables support so you can do pretty much anything you like
> with regards to logging.

Ahh, thanks. I just posted again about logging and mentioned I
couldn't tell much about it at the dd-wrt wiki.

However, now I see a lot more info at the dd-wrt wiki than I saw at
first too .... er... I take it all back.

http://www.dd-wrt.com/wiki/index.php/Logging_with_DD-WRT
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Paul Hartman @ 2011-04-20 18:48 UTC
To: gentoo-user

On Wed, Apr 20, 2011 at 1:15 PM, Harry Putnam <reader@newsguy.com> wrote:
> Maybe you can make some comment about logging capabilities? Maybe one
> or both of you might be willing to post a log sample?

Ultimately it's just a linux box, you can run syslogd and log
kernel/firewall/etc to a local or remote syslog. Since the device
itself has no built-in storage, logging is disabled by default (in
DD-WRT anyway). I've never enabled the logging, but I'll do it right
now to see how it looks.

In DD-WRT, you can enable syslogd (either to write local to
/var/log/messages or to a remote machine), and then in the firewall
section you can set the logging level (low/medium/high) and choose
whether to log dropped/accepted/rejected. I just enabled high logging
with everything enabled, and I get a flood of this kind of message in
/var/log/messages:

Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29 DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300 PROTO=UDP SPT=67 DPT=68 LEN=345

So it looks like ordinary linux firewall logging... I'm sure you can
customize it if you want to, just as you would on a normal machine.

Hope that helps :)
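An added example, not part of the message above or of DD-WRT: a small Python parser for the netfilter LOG records shown in that message, pulling out the source address, protocol and ports that the thread's first post found missing from the Cisco logs. The first three sample lines are copied from the message; the fourth (a TCP record with documentation addresses) is constructed, and the names `parse_line`, `summarize` and `L4LEN` are this example's own.

```python
import re
from collections import Counter

# Syslog header in the form seen in the DD-WRT sample:
# "Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] <rest>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<prio>\S+)\skernel:\s"
    r"(?:\[\s*[\d.]+\]\s)?(?P<rest>.*)$"
)
# A netfilter LOG record starts its KEY=VALUE fields with IN=.
FIELDS_START_RE = re.compile(r"(?:^|\s)IN=")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}

# Lines 1-3 are from the thread; line 4 is constructed for this example.
SAMPLE_LOG = """\
Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1 DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287 PROTO=UDP SPT=67 DPT=68 LEN=305
Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29 DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300 PROTO=UDP SPT=67 DPT=68 LEN=345
Apr 20 14:41:12 ddwrt kern.warn kernel: [2814959.000000] DROP IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    start = FIELDS_START_RE.search(rest)
    if not start:
        return None  # a kernel message, but not a firewall record
    record = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        # Text before IN= is the rule's log prefix ("DROP" in the sample).
        "prefix": rest[:start.start()].strip(),
        "flags": [],
    }
    for token in rest[start.start():].split():
        if token.startswith("["):
            break  # embedded inner header of an ICMP error: not parsed here
        key, sep, value = token.partition("=")
        if not sep:
            record["flags"].append(token)        # bare flags: DF, SYN, ACK ...
        elif key == "LEN" and "PROTO" in record:
            record["L4LEN"] = int(value)         # second LEN is the UDP length
        elif key in INT_FIELDS:
            record[key] = int(value)
        else:
            record[key] = value                  # OUT= yields an empty string
    return record


def summarize(lines):
    """Count records per (prefix, source address, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec["prefix"], rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (prefix, src, proto, dpt), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {prefix:<6} {src:<15} {proto:<4} dport={dpt}")
```

In the sample the dropped traffic is DHCP server broadcasts (UDP source port 67 to destination port 68) arriving on eth1, and the IP length minus the UDP length is 20 bytes, the size of an IP header without options.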
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 19:28 UTC
To: gentoo-user

Paul Hartman <paul.hartman+gentoo@gmail.com> writes:

> Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279
> PROTO=UDP SPT=67 DPT=68 LEN=305
> Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287
> PROTO=UDP SPT=67 DPT=68 LEN=305
> Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29
> DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300
> PROTO=UDP SPT=67 DPT=68 LEN=345
>
> So it looks like ordinary linux firewall logging... I'm sure you can
> customize it if you want to, just as you would on a normal machine.
>
> Hope that helps :)

Yes, thanks for taking the trouble... When I asked that, I hadn't
realized that both dd-wrt and openWRT were actually tiny linux OS.

I've been reading more about them since.

It sounds from your report that dd-wrt has some kind of basic firewall
script in place by default.

Whereas openWRT sounds like you may need to roll your own iptables
script right off the bat, at least judging from a few posts I've now
read from their mailing list where people seem to be asking the kinds
of iptables questions you might find on that list..
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Paul Hartman @ 2011-04-20 20:11 UTC
To: gentoo-user

On Wed, Apr 20, 2011 at 2:28 PM, Harry Putnam <reader@newsguy.com> wrote:
>
> Whereas openWRT sounds like you may need to roll your own iptables
> script right off the bat, at least judging from a few posts I've now
> read from their mailing list where people seem to be asking the kinds
> of iptables questions you might find on that list..

Right, OpenWRT is more of a "do-it-yourself" distro, with a package
manager, you install what you want to use and configure it yourself.
DD-WRT is more of the "ubuntu-style" router OS, it comes with a bunch
of services pre-installed and pre-configured, with a pretty GUI, and
you only have to enable or disable them and the defaults are set up
for your hardware already.

Under the surface, both are very similar, in fact I read that new
versions of DD-WRT are going to be developed on top of OpenWRT. Both
can be configured via telnet/ssh or via a web GUI.

I think that if someone can handle Gentoo, they can definitely handle
OpenWRT. I have 3 Buffalo routers (all different models) and I'm using
DD-WRT on 2 of them and OpenWRT on the other, though I'm not doing
anything particularly complicated on any of them.
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 22:41 UTC
To: gentoo-user

Paul Hartman <paul.hartman+gentoo@gmail.com> writes:

> On Wed, Apr 20, 2011 at 2:28 PM, Harry Putnam <reader@newsguy.com> wrote:
>>
>> Whereas openWRT sounds like you may need to roll your own iptables
>> script right off the bat, at least judging from a few posts I've now
>> read from their mailing list where people seem to be asking the kinds
>> of iptables questions you might find on that list..
>
> Right, OpenWRT is more of a "do-it-yourself" distro, with a package
> manager, you install what you want to use and configure it yourself.
> DD-WRT is more of the "ubuntu-style" router OS, it comes with a bunch
> of services pre-installed and pre-configured, with a pretty GUI, and
> you only have to enable or disable them and the defaults are set up
> for your hardware already.
>
> Under the surface, both are very similar, in fact I read that new
> versions of DD-WRT are going to be developed on top of OpenWRT. Both
> can be configured via telnet/ssh or via a web GUI.
>
> I think that if someone can handle Gentoo, they can definitely handle
> OpenWRT.

What I see is somewhat difficult is learning enough iptables to be
competent with it. As I recall from yrs ago it is not that easy to
keep from shooting yourself in the foot and ending up hacked or such
with iptables.

> . . . . . I have 3 Buffalo routers (all different models) and I'm using
> DD-WRT on 2 of them and OpenWRT on the other, though I'm not doing
> anything particularly complicated on any of them.

What I have to do is probably a lot simpler than what you are doing
with any of them. Just a home lan router/firewall.

But if I had to learn iptables, that throws `simple' right out the
door.

Are you running iptables on any of them?

Does the one using openWRT have a basic firewall in place and some
wrapper around iptables to make the creation of rules a bit easier?
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Todd Goodman @ 2011-04-21 12:22 UTC
To: gentoo-user

* Harry Putnam <reader@newsguy.com> [110420 15:03]:
> Paul Hartman <paul.hartman+gentoo@gmail.com> writes:
>
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814955.710000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34279
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:08 ddwrt kern.warn kernel: [2814956.130000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=10.166.128.1
> > DST=255.255.255.255 LEN=325 TOS=0x00 PREC=0x00 TTL=255 ID=34287
> > PROTO=UDP SPT=67 DPT=68 LEN=305
> > Apr 20 14:41:10 ddwrt kern.warn kernel: [2814957.770000] DROP IN=eth1
> > OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:54:c9:4b:d9:08:00 SRC=172.16.129.29
> > DST=255.255.255.255 LEN=365 TOS=0x00 PREC=0x00 TTL=255 ID=34300
> > PROTO=UDP SPT=67 DPT=68 LEN=345
> >
> > So it looks like ordinary linux firewall logging... I'm sure you can
> > customize it if you want to, just as you would on a normal machine.
> >
> > Hope that helps :)
>
> Yes, thanks for taking the trouble... When I asked that, I hadn't
> realized that both dd-wrt and openWRT were actually tiny linux OS.
>
> I've been reading more about them since.
>
> It sounds from your report that dd-wrt has some kind of basic firewall
> script in place by default.
>
> Whereas openWRT sounds like you may need to roll your own iptables
> script right off the bat, at least judging from a few posts I've now
> read from their mailing list where people seem to be asking the kinds
> of iptables questions you might find on that list..
>

There is a basic firewall in place with OpenWRT (enabled by default.)

There is a web GUI for OpenWRT (as well as with DD-WRT.)

The web GUI supports the usual config pages as with other similar home
routers.

There's a status page showing the iptables chains with the packet
counts for each rule (the most complicated page to view I'd say.)

There's config pages for overall firewall config with default policies
and other things such as zone config. There's a "traffic control" page
which lets you define your filter rules and a "Traffic Redirection" page
which allows you to set up your port forwarding (DNAT.)

It's quite easy to configure and doesn't require iptables knowledge.

Though I like very much that the option is there if I want to take
advantage of it.

I've used LEAF for a long time (a small Linux Embedded Firewall
Appliance) and it's great but DD-WRT and OpenWRT have nice GUIs on top
of them and it was very easy to reflash my Buffalo to DD-WRT and then
upgrade from that to OpenWRT.
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-22 20:25 UTC
To: gentoo-user

Todd Goodman <tsg@bonedaddy.net> writes:

> There is a basic firewall in place with OpenWRT (enabled by default.)
>
> There is a web GUI for OpenWRT (as well as with DD-WRT.)
>
> The web GUI supports the usual config pages as with other similar home
> routers.
>
> There's a status page showing the iptables chains with the packet
> counts for each rule (the most complicated page to view I'd say.)
>
> There's config pages for overall firewall config with default policies
> and other things such as zone config. There's a "traffic control" page
> which lets you define your filter rules and a "Traffic Redirection" page
> which allows you to set up your port forwarding (DNAT.)
>
> It's quite easy to configure and doesn't require iptables knowledge.
>
> Though I like very much that the option is there if I want to take
> advantage of it.

[...]

I want to thank you for providing such detailed information. It is a
very helpful reply... thanks
* Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Todd Goodman @ 2011-04-22 22:47 UTC
To: gentoo-user

* Harry Putnam <reader@newsguy.com> [110422 16:00]:
> Todd Goodman <tsg@bonedaddy.net> writes:
>
> > There is a basic firewall in place with OpenWRT (enabled by default.)
> >
> > There is a web GUI for OpenWRT (as well as with DD-WRT.)
> >
> > The web GUI supports the usual config pages as with other similar home
> > routers.
> >
> > There's a status page showing the iptables chains with the packet
> > counts for each rule (the most complicated page to view I'd say.)
> >
> > There's config pages for overall firewall config with default policies
> > and other things such as zone config. There's a "traffic control" page
> > which lets you define your filter rules and a "Traffic Redirection" page
> > which allows you to set up your port forwarding (DNAT.)
> >
> > It's quite easy to configure and doesn't require iptables knowledge.
> >
> > Though I like very much that the option is there if I want to take
> > advantage of it.
>
> [...]
>
> I want to thank you for providing such detailed information. It is a
> very helpful reply... thanks
>

You're welcome.

BTW, rereading what I wrote above, I didn't mean to imply that DD-WRT
doesn't have a basic firewall in place by default (I don't know if it
does, I'd assume so.)

Also, I've been running lots of traffic through the wireless on that
Buffalo OpenWRT box and haven't experienced any drops (the same traffic
caused a LinkSys and TrendNet box running the commercial firmware to
drop the wireless connections.)

So I'm happy with it at this point.

Todd
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: Harry Putnam @ 2011-04-20 19:14 UTC
To: gentoo-user

Stroller <stroller@stellar.eclipse.co.uk> writes:

> On 19/4/2011, at 4:31am, Harry Putnam wrote:
>> ...
>> So, cutting to the chase; can anyone recommend from actual use, a home
>> lan router that has gigabit lan ports and very configurable/
>> informative logging options?
>>
>> ps - I'm not interested in running an old linux or openbsd, machine as
>> router. Having a silent cool router the size and weight of a medium
>> book is too appealing.
>
> Consider OpenWRT. You can run it on something like the Netgear
> WNR2000, the Buffalo WZR-HP-G300NH, or something even cheaper if you
> don't need wifi.

All good, except then you have to muck around with iptables. I once
knew a bit about that when it first replaced ipchains in linux
distros... that's been yrs ago, and I've completely forgotten whatever
I may have learned back then.

I ended up switching to PF filter on OpenBSD for
firewall/router... and have now forgotten all about that too.

Are you using openWRT on a router yourself? If so, is there a basic
iptables script rigged up for numbskulls to be able to add and
subtract from it readily?

I actually wrote such a thing for myself way back when. (The part for
numbskulls, not iptables) but would not look forward to trying to
remaster what ever I need to know about iptables to use openWRT.
* [gentoo-user] Re: [OT router advice] a router capable of detailed logs
From: James @ 2011-04-30 17:47 UTC
To: gentoo-user

Harry Putnam <reader <at> newsguy.com> writes:

> All good, except then you have to muck around with iptables. I once
> knew a bit about that when it first replaced ipchains in linux
> distros... that's been yrs ago, and I've completely forgotten whatever
> I may have learned back then.

Hello Harry,

These links may provide the theoretical information you seek,
for logging on an embedded linux device.

http://www.netfilter.org/projects/conntrack-tools/index.html
http://conntrack-tools.netfilter.org/

However, this is not a painless path, but one full of reward and
fine_grain control of logging information.

hth,
James