Hi

Thanks for the reply!

> Method 1
> http://conntrack-tools.netfilter.org/

Super - actually I just discovered ulogd which is I guess the preferred
userspace logger now. I think I'm a bit out of date on iptables because
that appears to be able to do even per connection statistics... Only
skimming the docs at present, anyone got any experience using this in anger?

>
> You're going to overwhelm an embedded system with all of this
> accounting and database, so split it across several
> systems.

Actually, although not stated, the WAN connections will be generally
quite slow and expensive (satellite), and the number of users normally
small. So I'm not expecting a ton of traffic to log in general.


>
> Method 2
> Adapt an excellent high end NMS (Network Management System)
> Such as Nagios or JFFNMS to your needs

I hadn't come across JFFNMS before - very cool

I presume you have seen that Nagios has very firmly forked to become Icinga?


> in Gentoo. JFFNMS also supports TACACS and
> TACACS+, which, if it encompasses what
> you need, would be your best route to avoid
> a monstrous amount of coding on your own.

I don't see that TACACS+ offers the accounting side? From a quick google
it appears to handle the authentication side only?

My requirements for authentication are going to be fairly
straightforward, largely just yes/no.


From a few mins reading up my initial design is looking a little like:

- FreeRadius on sqlite (perhaps mysql)
- HostAPD
- IPTables to limit access (with daemon to talk to DHCP server)
- ulogd to log most of the traffic. Custom app loggers to add
  granularity where needed

It's the accounting side and the use of iptables to limit access which
is still looking rather hairy. If anyone has any experience of fiddling
with this stuff then please let me know? Also any other features of
iptables that I might have not noticed would be useful? (I see packet
marking, vlans, mac matching, conntrack based accounting - anything else?)

Thanks for the hints

Ed W
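The "IPTables to limit access" and per-client accounting pieces of the design sketched in the post above, as an added example (not code from the thread or from any of the projects named): a POSIX sh script that builds a MAC-gating chain and a per-client counter chain feeding ulogd via NFLOG, plus a helper that reads one client's byte count back out of the counter listing. The interface names, the nflog group number and the constructed counter sample are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a sketch of the "IPTables to limit
# access" and per-client accounting parts of the design above.
# Assumed (not in the thread): interface names LAN_IF/WAN_IF, nflog group 1,
# and that authorised MACs are passed as arguments. IPT defaults to
# 'echo iptables' so the script only prints rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-ppp0}"

# CLIENT_GATE: only known MACs may be forwarded to the WAN.
# CLIENT_ACCT: one counter rule per client, plus NFLOG to feed ulogd.
build_rules() {
    $IPT -N CLIENT_ACCT
    $IPT -N CLIENT_GATE
    $IPT -A CLIENT_ACCT -j NFLOG --nflog-group 1
    for mac in "$@"; do
        # The pkts/bytes counters on this RETURN rule are the client's usage.
        $IPT -A CLIENT_ACCT -m mac --mac-source "$mac" -j RETURN
        $IPT -A CLIENT_GATE -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A CLIENT_GATE -j DROP   # unknown clients get nothing
    # Only LAN->WAN packets carry the client's source MAC; WAN->LAN bytes
    # have to be attributed by client IP (hence the DHCP daemon above).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j CLIENT_ACCT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j CLIENT_GATE
}

# Read 'iptables -nvx -L CLIENT_ACCT' output on stdin and print the byte
# counter of one MAC's rule (0 if that MAC has no rule).
bytes_for_mac() {
    awk -v mac="$1" '$0 ~ ("MAC " mac "$") { print $2; found = 1 }
                     END { if (!found) print 0 }'
}

# Constructed sample of 'iptables -nvx -L CLIENT_ACCT' output.
SAMPLE_COUNTERS='Chain CLIENT_ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1234    1200000 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 1
     120      98765 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55
      42       3100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC aa:bb:cc:dd:ee:ff'

if [ $# -gt 0 ]; then
    build_rules "$@"
    printf '%s\n' "$SAMPLE_COUNTERS" | bytes_for_mac 00:11:22:33:44:55
fi
```

Run it as `sh gate.sh 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff` to see the rules it would apply; periodically reading the CLIENT_ACCT counters (and zeroing them with `iptables -Z CLIENT_ACCT`) gives the per-client upstream usage without any per-packet userspace work.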