[FIRMWARE] Itus Shield v2

Since the consensus is they want something that is drop and go, here is the latest image.  It has Snort3, AdBlock, banIP, OpenVPN and WireGuard support.

Load it as always, do a rm /.norwits and then reboot

At least on that build the networking should be solid..

ItusgatewayImage

Yes, it goes in the Gateway slot, but acts in router mode

Sorry!  I did post-edit a link in, but only now realized the few of you who only check the emails wouldn't see it.

https://drive.google.com/file/d/1ZupmVj6vuo4f8ySy-a7rJgoqxxwIKm6C/view?usp=sharing

Maybe Grommish falling asleep on the keyboard......

hahah..  I bricked the Shield and had to recover it.. TFTP of a 100MB file takes... a long time.. (like.. an hour and 40 minutes worth of long time!)

But, it's working now, better than ever actually..  I'm making some real progress..  The "base" image is 17MB.  This has network functionality (defaults to router, but can be configured for bridge by hand right now, if that is what someone wants), but nothing else.  I'll probably make a separate device image for bridge at some point.

Now.. the question is, does anyone know who OWNS the itus.accessinnov.com domain?  Would they be open to hosting the ipks and whatnot?  I'm not even sure what the size for everything would be (i'll check), but if I have to start hosting it online, I'll have to see what I can do.

I've gotten to the point where I am looking for a place to hold the compiled images and .ipks.  It looks like we are going to have to maintain our own repo for the packages because I compile with support for the Octeon III rather than just Octeon+ (-march=octeon3), so the OpenWrt official repo comes up as No Valid Architecture.

My goal is to make an actual base package people can do what they want with.  From there, I can worry about pre-made packages (or just release a auto-configuration package that sets up things like Snort, Adblock, banip, etc)

Fantastic Grommish - 100MB image installed & running!

How on earth did you get your new image down to 17MB?
Does it grow much adding banIp, WireGuard & AdBlock?

For hosting ipks and compiled images, you could just continue to host alongside your existing repo as Packages at https://github.com/Grommish/Itus_Shield_v2/packages

Or if you'd prefer distinct repos for different aspects, looks like I have rights to create new repositories under https://github.com/ItusShield.
Let me know what you need and I should be able to grant you access to each individually from there.
(I don't have the ability to add you as a top-level member of ItusShield, but @user8446 does if he's listening in?)

Some other default packages to consider:
bcp38
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

stubby
Acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.

sqm
Smart Queue Management to improve speeds

vpn-policy-routing 
(with OpenVPN / WireGuard)  to allow VPNs to apply to specific devices

And perhaps consider some of these recommendations..
https://openwrt.org/docs/guide-user/security/secure.access

Gnomad wrote

Fantastic Grommish - 100MB image installed & running!

How on earth did you get your new image down to 17MB?
Does it grow much adding banIp, WireGuard & AdBlock?

For hosting ipks and compiled images, you could just continue to host alongside your existing repo as Packages at https://github.com/Grommish/Itus_Shield_v2/packages

Or if you'd prefer distinct repos for different aspects, looks like I have rights to create new repositories under https://github.com/ItusShield.
Let me know what you need and I should be able to grant you access to each individually from there.
(I don't have the ability to add you as a top-level member of ItusShield, but @user8446 does if he's listening in?)

First, thanks to all of you for being awesome during the devel time..

Second, Gnomad, you rock..  I went and created a AWS S3 bucket to hold things (fully expecting to stay within the free tier), but I completely blanked on Github as a resource.  That should be totally do-able and it really doesn't matter what the URL is, because you won't ever really see it..

Third, that image you're running contains many, many things.  It was a very long journey to figure out why the network did and didn't work sometimes..  Put it this way, that 100MB image file actually has FULL Python3 support :D (among other things) which makes it entirely bloated..  Unless you WANT Python3, which the Shield actually can support..

But.. I've LEARNED things along the way, too.  Because the image is RAM resident at boot, AND contains the kernel (in the BIN image, NOT as a vmlinux file!).. it doesn't really get unloaded from RAM, which means my idle when I have the bone-stock image looks like this (Granted, I'm not running ~600MB of RAM towards Snort yet!)



More RAM = More playspace..  Especially if I can figure out a legit upgrade path (and I'm working on it).  We will NEVER be able to get away from rebooting the device because of the kernel issue (AFAIK, anyway, I've been wrong before), but we can make it quicker.  Right now (again, not counting Snort, which you are running and takes a LOT of resources)..  my "boot" time is about 60-70 seconds..

[   58.465366] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

 and the network it up and running..

Gnomad wrote

Some other default packages to consider:
bcp38
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

stubby
Acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.

sqm
Smart Queue Management to improve speeds

vpn-policy-routing
(with OpenVPN / WireGuard)  to allow VPNs to apply to specific devices

And perhaps consider some of these recommendations..
https://openwrt.org/docs/guide-user/security/secure.access

... [show rest of quote]

See, this is why I would really like to do the platform, rather than a turnkey (I know, I know).    This way, anyone who wants whatever can grab it..

I've never heard of bcp38, but I will look at it (and see if it's an OpenWrt package or not)..  How does SQM interact with QOS?  Are they the same, different, completely different?  Currently, pre-installed on the image is DNSMASQ, which acts like the DNS/DHCP resolver and server.  I'm sure there is a way to have DNSMASQ use DoH, but I only looked at it quickly in the beginning.  So, DoH is a solution, though it would be available only for Router mode, of course..

Wireguard is available..  OpenVPN is available.  Both are accessable thru luCi even.  I know OpenVPN will work, because I've tested it.  Wireguard will work, but I can't test because my VPN doesn't have publicly available WG info (they make you use their client..) but it IS in there for those that can.

AND..  For those who REALLY don't like CLI..

I'd added a luCi shell page..

In the U-Boot firmware:

bridge=mmc dev 1;fatload mmc 1 $(loadaddr) brigdeImage;bootoctlinux $(loadaddr) mem=0 numcores=2

They mispelled bridgeImage as brigdeImage..

So I don't think BRIDGE mode ever really worked.. it would have defaulted to either another image or the recovery image..

Interesting..  I'm just posting it here in case someone run across it in the future :)

Also, for those who are Linux buffs..

linux_mmc=fatload mmc 1 $(loadaddr) vmlinux.64;bootoctlinux $(loadaddr) mem=0 numcores=2

This was in uBoot as well..

So we could boot a full Linux Distro if I put it on there..

Depending on the image you have, yes, it should have BanIP in it..  Check the luCi page.

As of right now, opkg is not install anything.  Not only is it the wrong build, but the wrong kernel, to what is on the OpenWrt repo.  I'm in the process of trying to address that next.

I'm building out (or attempting to) ALL of the packages for OpenWrt, built and cross-compiled for our kernel.  These I will put on Github, assuming they'll let me house that much data, and then you should be able to grab the base image and install anything  you want via opkg.  That is the goal I'm after at the moment.

1.2G bin/packages/mips64_octeon3/packages
41M bin/packages/mips64_octeon3/telephony
83M bin/packages/mips64_octeon3/base
5.0M bin/packages/mips64_octeon3/routing
15M bin/packages/mips64_octeon3/luci
1.3G bin/packages/mips64_octeon3
44K bin/packages/mips64_octeonplus/packages
20K bin/packages/mips64_octeonplus/telephony
2.2M bin/packages/mips64_octeonplus/base
20K bin/packages/mips64_octeonplus/routing
464K bin/packages/mips64_octeonplus/luci
2.7M bin/packages/mips64_octeonplus
1.3G bin/packages
25M bin/targets/octeon/generic/packages
54M bin/targets/octeon/generic
54M bin/targets/octeon
54M bin/targets
1.4G bin

I literally just got the compile done (takes forever, and then I had issues with a broken PC again I'd rather not discuss hahaha)..  So I'll have to try and get it up to Github

I'll let you all know!

And.. TADA..



If you want in on the goodness..  Check out (and I'd recommend following the repo) https://github.com/Grommish/shield_opkgs

You can find the Installation image here, just remember to RENAME it to ItusxxxxxxImage (Itusgateway is what I use) before you copy it over.

Also, remember to remove your /.norwits file!  I'm working towards an upgrade system but that will take much more testing and there isn't any reason to wait for you all.

Now..  ONE thing you all have to do if you test this is change out the /etc/opkg/distfeeds.conf file with this one distfeeds.conf, then  you can do your opkg update either via CLI or luCI.

I did just test this.  I installed banip and the luci app for it via the Software tab and opkg repo I made.  It not only installed the package, but ALL the deps and libs with it! YAY!  I did have to refresh the page for Services to show up tho :p

BTW, the reason I didn't bake in the distfeeds.conf change in this round is that if I did, and recompiled, I'd have to re-upload all 1.4GB hehe.. Seems like a waste for something so small.. but it'll be in the next update, although there really isn't all that much left to practically do.

And yes, it even does system utilities..

Just install latest image 17mb in size, renamed and working but no service tab,

Installed adblock and banip all went well but can't find  the luci app which you talked about, I presume you have to install luci to get the service tab.
Rebooted started fine.

Roadrunneruk

Sorted the service tab issue, in my case I installed banip and adblock but you have to install these as well to get the service tab

luci-app-banip

luci-app-adblock



Roadrunneruk

Right..    I was going to mention that but you had already figured it out already.

The entire buildroot is like that and I don't even think about it anymore or I would have said something.  luCI stuff is separated into their own packages (luci-app- is a physically different package than the app itself.)

The whole upgrade system is still not-functional, but at least this part is.  Something to keep in mind though, is that if you do an opkg search and do NOT see a corrisponding luci-* entry for it, it means there isn't one.

No luCi package for Snort, for example:


Lots of luci packages for Adblock, however:


Helpful tip:

If you are installing something that HAS a luci hook (like Adblock).. If you install the luci-app-adblock, it'll force the install of Adblock (since it's a dependency of the luci app)

It seems I missed at least one default setting (probably more), and I'll put them into the future builds (along with the distfeeds.conf file), but for now.. If you are testing, make sure you enable the following:

uci set firewall.@defaults[0].flow_offloading_hw='1'
uci commit firewall

or, under luCi:

Go to Network -> Firewall -> Routing/NAT Offloading -> Enable Hardware flow offloading.  Software flow offloading should already be checked, but I didn't default Hardware offloading to be on, so make sure BOTH of them are enabled.  This will effect max throughput, so..

Heads up, if you've not updated yet, you should hold off.  Not because it's bad, but because I have a new image AND a new process for installing it that I'm doing final testing for.

I think we are in the home stretch

Can’t wait! Just updated to the latest one but sounds great Grommish