| 1 |
Hi |
| 2 |
|
| 3 |
Thanks for the reply! |
| 4 |
|
| 5 |
> Method 1 |
| 6 |
> http://conntrack-tools.netfilter.org/ |
| 7 |
|
| 8 |
Super - actually I just discovered ulogd which is I guess the preferred |
| 9 |
userspace logger now. I think I'm a bit out of date on iptables because |
| 10 |
that appears to be able to do even per connection statistics... Only |
| 11 |
skimming the docs at present, anyone got any experience using this in anger? |
| 12 |
|
| 13 |
> |
| 14 |
> Your going to overwhelm an embedded system with all of this |
| 15 |
> accounting and database, so split it across several |
| 16 |
> systems. |
| 17 |
|
| 18 |
Actually, although not stated, the WAN connections will be generally |
| 19 |
quite slow and expensive (satellite), and the number of users normally |
| 20 |
small. So I'm not expecting a ton of traffic to log in general |
| 21 |
|
| 22 |
|
| 23 |
> |
| 24 |
> Method 2 |
| 25 |
> Adapt an excellent high end NMS (Network Management System) |
| 26 |
> Such as Nagios or JFFNMS to your needs |
| 27 |
|
| 28 |
I hadn't come across JFFNMS before - very cool |
| 29 |
|
| 30 |
I presume you have seen that Nagios has very firmly forked to become Icinga? |
| 31 |
|
| 32 |
|
| 33 |
> in Gentoo. JFFNMS also supports TACAS and |
| 34 |
> TACAS+, which, if it encompasses what |
| 35 |
> you need, would be your best route to avoid |
| 36 |
> a monstrous amount of coding on your own. |
| 37 |
|
| 38 |
I don't see that TACAS+ offers the accounting side? From a quick google |
| 39 |
it appears to handle the authentication side only? |
| 40 |
|
| 41 |
My requirements for authentication are going to be fairly |
| 42 |
straightforward, largely just yes/no. |
| 43 |
|
| 44 |
|
| 45 |
From a few mins reading up my initial design is looking a little like: |
| 46 |
|
| 47 |
- FreeRadius on sqlite (perhaps mysql) |
| 48 |
- HostAPD |
| 49 |
- IPTables to limit access (with daemon to talk to DHCP server) |
| 50 |
- ulogd to log most of the traffic. Custom app loggers to add |
| 51 |
granularity where needed |
| 52 |
|
| 53 |
It's the accounting side and the use of iptables to limit access which |
| 54 |
is still looking rather hairy. If anyone has any experience of fiddling |
| 55 |
with this stuff then please let me know? Also any other features of |
| 56 |
iptables that I might have not noticed would be useful? (I see packet |
| 57 |
marking, vlans, mac matching, conntrack based accounting - anything else?) |
| 58 |
|
| 59 |
Thanks for the hints |
| 60 |
|
| 61 |
Ed W |
Archives