This could be useful for dnsmasq config.
https://github.com/notracking/hosts-blocklists
OpenWrt SNAPSHOT, r10391-3d8d528939
Administrator
https://github.com/Grommish/Itus_Shield_v2/commit/77213cf5ceb6969a666a945043e8582c77a30350
New Commit. I've not yet had time to look at your updated snort script, Gnomad. But I did get this figured out, for the most part. The requests for the bad URLs and Hostnames are now being redirected successfully. Something about the snort rules I'm running is blocking SSH.. Real pain in the ass.. But, I've got no reduction in bandwidth this way.
Running Itus Shield v2 Firmware
Much neater! and speeds back to normal.
However, same situation if the source ever gets corrupted. I'll take a look at piping it through sed again to make sure all entries point to 0.0.0.0 (or ::). I'm experiencing a new variation of the network interfaces not coming up properly on boot lately.. ifconfig shows everything as expected via a console connection, but I can't ping, navigate or SCP directly to 10.10.10.10 from the local network. Despite that, regular internet browsing and other traffic still seems to route through the Shield fine. A reboot or two solves the issue. Seen this at all?
OpenWrt SNAPSHOT, r10391-3d8d528939
Administrator
I think it's a snort rule blocking ssh. I had to turn snort off in order to push that last commit. I've not had time to track it down. I did get Hans's Shield in the mail today, though. Question for the crowd. I've got access to the email addresses now. Any thoughts about sending a "This is something Shield owners should look at" email out to the user base?

On Thu, Sep 19, 2019, 9:55 PM Gnomad [via Itus Networks Owners Forum] <[hidden email]> wrote:
> Much neater! and speeds back to normal.
Running Itus Shield v2 Firmware
Hmm.. It'd have to be blocking more than just ssh to prevent pings & browsing to the UI, but I suppose a snort rule could be the culprit (as to why it's inconsistent though..) Re: emails, you mean (current/former) users of this forum? I suppose it couldn't hurt to put a call out to "technical users that ran their Shields in router configuration, interested in beta testing an update", in case there are any left that aren't monitoring this thread. Could also get a list of any that have moved on & would be willing to pass on their Shields in case someone else is up for handling postage..

On Fri, 20 Sep 2019 at 10:00, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
OpenWrt SNAPSHOT, r10391-3d8d528939
Administrator
When you run into the issue with the no response from the Shield, check your local machine's IP and make sure it's in the 10.10.10.x range.
Running Itus Shield v2 Firmware
In reply to this post by Grommish
Definitely! Sure there’s lots of members who don’t check this forum these days who would love to know of you guys' great progress. Also, a guide on how to install your fw (when it’s ready for prime time) would be really helpful for those of us who are not so technically skilled! Thanks again
Running v2 Firmware
Administrator
I can tell you it is very, very easy to install. I'm still trying to see about the update feature and how to get it to work properly. My time has been real short here, recently, but the new domain blacklist doesn't seem to be breaking anything. Once we finish the updates that need to be working, I'm ready to call it done. Opkg support from OpenWrt means people can add whatever they want. Between that and Python support, there just isn't much left to do. We've been focused on router mode. Is there an immediate need for bridge and gateway?

On Mon, Oct 7, 2019, 2:18 AM Turrican [via Itus Networks Owners Forum] <[hidden email]> wrote:
> Definitely! Sure there’s lots of members who don’t check this forum these days who would love to know of you guys' great progress.
Running Itus Shield v2 Firmware
Thanks for the update, sounds like you’re really close. Personally I used to use it in bridge mode but router mode would work better for me now, can’t speak for anyone else though. Gateway was never really working anyway if I recall. So this will be an auto updating unit? From an openwrt and snort perspective?
Running v2 Firmware
Administrator
Snort and dnsmasq rules will auto update. Snort 3 support is still up in the air as they keep screwing with the dependencies. Suricata support was tabled/dropped because of programming language limitations. As for the firmware itself, we should be able to use the update function in LuCI, assuming I can get it to work right. This is important because it's live code and will continue to be updated by OpenWrt upstream, if nothing else. And even if I don't keep it updated for some reason, someone else can. What I need is someone who can explain what they expect bridge mode to do. What are the key differences between router and bridge modes?

On Tue, Oct 8, 2019, 1:55 AM Turrican [via Itus Networks Owners Forum] <[hidden email]> wrote:
> Thanks for the update, sounds like you’re really close. Personally I used to use it in bridge mode but router mode would work better for me now, can’t speak for anyone else though. Gateway was never really working anyway if I recall. So this will be an auto updating unit? From an openwrt and snort perspective?
Running Itus Shield v2 Firmware
For me, bridge mode meant that I could keep my avm fritzbox as my primary router and have the shield between my cable modem and router to filter the traffic. My router was feature rich so I used it for parental control of device on/off times, voip etc. I think bridge would still be a good option to have. Not sure technically what the differences were aside from using the 192.168.111.x range.
Running v2 Firmware
Administrator
So, bridge mode wouldn't have the firewall on the Shield, but would have Snort and dnsmasq. It would need DHCP on eth0, and have to relay DHCP to the lan, but no DHCP server on eth2?
While I'm thinking about it, on the router, do we want a dmz zone on eth1?
Running Itus Shield v2 Firmware
Eth2 would go to the wan port of the router, see quick start guide http://itus.accessinnov.com/file/n24/SP1-Quick-Start-Guide-12-6-1.pdf
Running v2 Firmware
Administrator
Ok, so they are just misnamed. Bridges are used to connect different types of networks. Ethernet to Ethernet shouldn't be called bridge, but I think I can work with it.
I'm working on the update system, seeing if I can fix it. If/Once we get the ability to update the firmware/system itself without losing EVERYTHING, it'll be a huge boon.
Running Itus Shield v2 Firmware
In reply to this post by Turrican
Same story applies for me. I am not technically inclined, but I often follow this thread.
I am awaiting the day to get the "new" firmware installed. :))
Administrator
Next time I can validate a build, I will let you know. The image currently works in "router" format, as far as IP addressing and whatnot. If you normally use the R selector on the Shield, it is exactly what you'd expect. Even better, it won't remove or alter your current R-selected image. As another small update: I added some default dnsmasq blacklist rules. Otherwise, it fails to start and it breaks the network. I'm also still working on the update system. I'm elbow-deep in the kernel because something didn't get defined right or something.. meh.
Running Itus Shield v2 Firmware
Yeah, I'm still having some network grief, haven't had the time to get far with it since I had to start reading up about dnsmasq from scratch.. My router still doesn't seem to be forwarding DNS queries properly to the Shield either, might be related? So let me know when you can post your latest build & I'll happily give it a whirl!
OpenWrt SNAPSHOT, r10391-3d8d528939
Administrator
Well, if the blacklist files get deleted somehow and the service restarts for dnsmasq, it'll silently die. This makes the dns on the Shield inop, including to itself. You can ping IP addresses all day, but no dns. And, you can't run the updater to get the files, because... no dns :D As long as you're running from eth1/2 to your router's WAN port, I don't know why it wouldn't process requests. The router's dns will be set to the Shield (by the Shield's DHCP response). It should just daisy-chain up the line. My personal network, which is a mess at the moment, goes: Build Laptop -> Dlink router -> Shield -> Dlink router -> Netgear 48-port switch -> Edge Router -> Cable OPE. And, just for giggles, my first domain's DNS/DHCP is handled by my server rather than the initial Dlink for the stub. I suspect the issue you're seeing is just dnsmasq not running and not telling anyone it wasn't running. Check your `ps` from the console and make sure it's there. If not, grab the files and toss them onto your Shield.. Or.. At the bottom of your /etc/dnsmasq.conf, comment out the following lines and reboot (or service dnsmasq restart):

    # Import bad URL and Domains for blocking
    addn-hosts=/etc/snort/rules/bad-domains.txt
    conf-file=/etc/snort/rules/bad-hostnames.txt

Then you should be able to get dnsmasq running, run the update script manually, and then uncomment them again.
Running Itus Shield v2 Firmware
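The two blocklist problems raised in this thread, a list file that goes missing so dnsmasq will not start (this post) and a fetched list that is corrupted so entries no longer point at 0.0.0.0 or :: (Gnomad's earlier sed idea), as an added shell example. This is not code from the thread or from the Itus_Shield_v2 repository; the helper names, the constructed sample lists and the temp directory are my own, and only the /etc/snort/rules paths come from the post.

```shell
#!/bin/sh
# Added example: guard the dnsmasq blocklists the Shield pulls in through
# addn-hosts= and conf-file= in /etc/dnsmasq.conf. Two things can go wrong:
# a list file disappears (the thread reports dnsmasq then dies and all DNS on
# the Shield stops), or a fetched list is corrupted/tampered so entries point
# somewhere other than the blackhole address. Function names and the sample
# data are constructed for this example; the real files live in /etc/snort/rules.

# Clean a hosts-format list (addn-hosts=): keep "ip name" lines only, and
# force any first column that is not 0.0.0.0 or :: back to 0.0.0.0 so a bad
# list can never redirect a blocked name to a live host. Output on stdout.
sanitize_hosts_list() {
    sed -e 's/#.*$//' "$1" \
    | awk 'NF == 2 { if ($1 != "0.0.0.0" && $1 != "::") $1 = "0.0.0.0"; print $1, $2 }'
}

# Clean a dnsmasq conf-file= list. conf-file= accepts ANY dnsmasq directive,
# so a tampered list could also slip in e.g. a server= line and silently move
# the upstream resolver. Keep only address=/name/ip entries, with ip forced
# to 0.0.0.0 unless it is already 0.0.0.0 or ::.
sanitize_conf_list() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1" \
    | awk -F/ '$1 == "address=" && NF == 3 && $2 != "" {
                   if ($3 != "0.0.0.0" && $3 != "::") $3 = "0.0.0.0";
                   print $1 "/" $2 "/" $3 }'
}

# Number of lines in a cleaned list. Useful as a sanity threshold: an update
# that shrinks a list to a handful of entries is most likely a broken fetch.
count_entries() {
    awk 'END { print NR }' "$1"
}

# Make sure a file referenced from /etc/dnsmasq.conf exists so dnsmasq can
# start at all. Writes a comment-only placeholder when the file is missing or
# empty. Returns 0 if the file was already usable, 1 if a placeholder was
# written (so the caller knows to run the update script afterwards).
ensure_list_present() {
    if [ -s "$1" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$1")"
    printf '# placeholder: real blocklist missing, run the update script\n' > "$1"
    return 1
}

# Replace a list in place with its sanitized version, via a temp file so
# dnsmasq never sees a half-written list. $2 is "hosts" or "conf".
install_sanitized() {
    tmpf="$1.tmp.$$"
    case "$2" in
        hosts) sanitize_hosts_list "$1" > "$tmpf" ;;
        conf)  sanitize_conf_list  "$1" > "$tmpf" ;;
        *)     echo "unknown list type: $2" >&2; return 2 ;;
    esac
    mv "$tmpf" "$1"
}

# Demo on constructed data (file names mirror the post's two lists).
demo=$(mktemp -d)
printf '0.0.0.0 ads.example\n127.0.0.1 tracker.example\n203.0.113.5 hijacked.example # bad\n:: v6.example\ngarbage line here\n' > "$demo/bad-domains.txt"
printf 'address=/bad.example/0.0.0.0\naddress=/evil.example/203.0.113.9\nserver=192.0.2.53\n' > "$demo/bad-hostnames.txt"
install_sanitized "$demo/bad-domains.txt" hosts
install_sanitized "$demo/bad-hostnames.txt" conf
echo "hosts entries kept: $(count_entries "$demo/bad-domains.txt")"   # 4
cat "$demo/bad-hostnames.txt"                                          # 2 address= lines, both to 0.0.0.0
ensure_list_present "$demo/missing.txt" || echo "placeholder written for missing.txt"
rm -rf "$demo"
```

On the Shield this would run right after the update script fetches the lists and before `service dnsmasq restart`; pointing the functions at /etc/snort/rules/bad-domains.txt (hosts) and /etc/snort/rules/bad-hostnames.txt (conf) is enough. The conf-file filter is the part worth keeping even if nothing else is: because dnsmasq treats a conf-file= include as ordinary configuration, a bad download there can change more than which names are blocked.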
Administrator
Just a small "I'm still here!" post. Between being super busy with things and being sidelined by an illness for nearly two weeks, I've not had time to do much to the test image. Hopefully, I'll be able to pick it back up this week, although I see some updates are in order for security stuff.
Are there any specific requests for a feature before I close it out and start the finalization process? I still need to put the mode hooks in places that need settings specific to Router, Gateway, etc. One thing I was thinking was ditching one of the Itus modes since it really was misnamed. A bridge device connects two networks running the same protocol (TCP/IP, for example) while a gateway device converts from one protocol to another (Ethernet to ATM). Since the Shield only has Ethernet adapters, Gateway mode is just filler. So, thoughts on something like:

    Router - 10.10.10.10, eth0 WAN, eth1/2 LAN
    Bridge - 192.168.0.111, eth0 WAN, eth1 Administration, eth2 LAN

These are standard for the Shield, but I was thinking of seeing if I could do a Router hybrid mode to DMZ a segment.

    Router Hybrid - eth0 WAN, eth1 DMZ on its own collision domain, eth2 LAN

So maybe the Shield can be 10.10.10.10 on eth2, but 10.11.11.11 on eth1 with all unsolicited inbound traffic going there. Webservers, mail servers, IoT devices can be hooked to a router and kept separate from the internal LAN that way. Thoughts or suggestions?
Running Itus Shield v2 Firmware
This post was updated on Oct 30, 2019; 7:13am.
Hi Grommish
Hope you’re feeling better! Thanks for the update. I really like the idea of a dedicated and isolated iot network, this would be a really valuable addition! Edit: the more I think about it, this added feature (iot isolation) really makes this little box relevant again and stays true to the reason it was born, i.e. to provide enterprise (ish) protection to home users. Network segregation is not generally attainable for the home user. Wondering if this would have been the path itus would have gone should they still have been around? Thanks!
Running v2 Firmware