Nethserver-arpwatch: Needs Tests

I did a little code review and it’s almost good!

I agree with Stephan on interface property, it should be a comma-separated list of roles.
The template can than expand the role into interfaces names (but I don’t know how arpwatch deals with multiple interfaces).
If you set the default value of interface property to green, you can leave the daemon enabled by default.

Last, the template fragment /etc/e-smith/templates/etc/sysconfig/arpwatch/ALL should be renamed to /etc/e-smith/templates/etc/sysconfig/arpwatch/10base, but this is not mandatory, it’s only a best practice.

I have the answer, arpwatch can use only one nic at the same time, except if you launch one deamon instance for each NIC, see Everything about nothing: arpwatch on multiple interfaces
But the init.d script must be customised and become a new template if you want to keep it after an upgrade.

The same solution has been found by debian for the same purpose.

@dz00te don’t be hidden…we wish only the best for you

wow lot of useful info here tnx @stephdl @giacomo @davidep …
unluckily i did not have (and i will not have) much time this week and considering that i’m not a dev i really need lot of time
but i’ve done some tests based on first infos steph gave me, and it works correctly with only one eth, then i’ve tried with multiple green and after some tests i’ve found the same link posted above to have the daemon working on multiple eth … then my son wakes up and no more perl or rpm
So considering that this is a training i was thinking that maybe the correct way to proceed could be (ordered by increasing difficulty):

1. do the correction to package implementing yours advice, to have arpwatch

• Started after install
• Configured on first green ethx found
• Use nethserver-arpwatch-update and nethserver-arpwatch-save

2. implement a script to update ethercodes.dat using Sanitized IEEE OUI Date (oui.txt) (or put it in the file to separate rpm, or … honestly i’m not sure at the moment how to do but i would like to have it updated :))

3. try to implement arpwatch for multiple eth (with multiple arp.dat, with a customized init script), the idea is to have at the end the opportunity to select for role or for single eth

4. a gui (???) if i will ever complete points 2 and 3

do you think it could be a good work path, while trying to learn something?

i’m sorry to have posted a incomplete version and i’m a little bit ashamed to do so basic questions, but i’ve done most of this one month ago, and the idea was that putting it on the public forum could help me to don’t forgive the study of perl/nethserver…
i hope to post soon an update to close the point 1… tnx again

Don’t say sorry, we’re all here to learn from others.

You are a padawan developer, the way is sometime much more longer than we would

@dz00te these are you and @stephdl on your shoulders

This rpm comes from SME Server which was supposed to have only one Internal NIC, therefore the rpm was not intended to find which NIC has a green role, but NethServer lets a lot of freedom on the choices of your network. IMHO the rpm needs to be adapted to this case of configuration, and we must implement the multiple NIC case (one deamon and one arp-etX.dat file for each NIC).

A fallback choice should be to propose the rpm like you did and let the sysadmin decide which unique NIC is monitored.

From my point of view, the gui is really not a mandatory, this rpm is aimed to be to the destination of sysadmin who have the need to keep informations about IP/Mac which are connected to their local network, but of course, since it is said, someone will come with this need

With smeserver-geoip we have the same issue, the geoip database needs to be updated sometime, by a cron each month, and following the installation.

finally today i’ve had some hours to dedicate to code (well, to try to code )
i think i’ve solved how to find multiple eth on green and generate correct config, and tested with the customized init.d script it works… what is not clear to me is this part:

do you know where i can find some info or some examples in other contribs, or have any hints in how overwrite the init.d script?

tnx

simply make a new template of the initscript, I mean this

/etc/e-smith/template/etc/rc.d/init.d/arpwatch/10base

then of course expand it with nethserver-arpwatch-{update,save}

you will need probably to set owner ship and permisions : Templates — NethServer 7 documentation

create a file /etc/e-smith/template.metadata/etc/rc.d/init.d/arpwatch with the relevant content
for example

 UID="root"
GID="root"
PERMS=0755

Another solution could be to create an upstart job, see /etc/e-smith/templates.metadata/etc/init/httpd-admin.conf for example.

If I recall well the documentation the upstart init script has the priority against a sysvinit script,so it is used first…but I have not played with upstart script so I have no example with my modules I can point you as examples.

I am interested in how this is going

@dz00te would you like to add it on our NethForge? @giacomo @davidep how can we move forward?

I’ve been watching this thread for some time, this package does something very similar to that of a shell script/daemon I wrote. But my shell script/daemon takes it a step further; when it recognizes a new device on the network (not within a open DHCP range) is adds the IP/MAC address to available linux firewalls on the network. This is the default setup, I can change the sensitivity to be strict it would add the IP/MAC address of a newly discovered device in the open DHCP range to the firewalls. The script must have sudo access of course because iptables command requires it, it also must be able to login to other linux boxes without a SSH password.

Adding IP addresses on Linux firewalls is relatively simple but finding a way to do this on NethServer was challenging. Instead I opted to use MAC addresses. In order to do that I needed to create a custom template for shorewall where the BLACKLIST option changed to “NEW,UNVALID,UNTRACKED” so that I can dynamically add and remove the MAC’s.

The shell script/daemon consists of three files, a configuration file, daemon and shell commands itself. If anyone is interested in looking at the concept I can certainly upload it to github. It may take some time because I’d have to remove a number of personal settings.

@alefattorini
honestly… i don’t remember what i miss to finish the package, i’ll check it and will update the status soon. And, yes if ever will be finished/stable, the idea is to put it on netforge, but i must admit that lately in my short time available, ns7alpha has an high priority

@islipfd19
nice idea, if i ever finished the package i’ll ask you the script, tnx

@islipfd19 as we have introduce fail2ban we can make things work through it

Great idea! I’m thinking some type of trigger from arpwatch to fail2ban to blacklist the offending MAC/IP address and then a way to whitelist it after additional review.

I failed to mention that my shell script also sends notifications using the any of the mail apps; such as postfix or sendmail. As long as its configure properly of course. My shell script also has a mechanism to whitelist the MAC/IP address; CLI driven. Again, my script detects any unknown IP/MAC on the local network. At the heart of the script is nmap that performs a ping sweep of the network and grabs all the MAC addresses, compares them to a predefined list of MAC’s in it’s configuration file and the list of MAC’s obtained from the DHCP config file. When time permits I’ll upload it to github.

When the author think the packages is finished, we can move it to the forge.
We can also give access directly to the forge

@islipfd19 please attach log, I have created an issue on Fail2ban so they could help to develop arpwatch log monitoring.

I don’t have a log, there may have been some confusion. I currently don’t use Fail2ban or arpwatch, the script I’m referring to is something that I designed and wrote. I believe it would be a “Nice to have” feature for both.

I have submitted logs to Fail2ban already, so wait for new Jail