Comment by Amadou

12 years ago

Can anyone recommend a consumer grade router that has a good GUI for tracking outgoing connections in real-time and setting up rules to control them?

I am imagining some kind of add-on to DD-WRT or derivatives that will put up a real-time graph of devices on my home network and draw lines representing outgoing TCP and UDP connections while also logging them in a tabular format. Both forms would be clickable to drill down for more details (including session packet captures if enabled) as well as set policies like a per device white-list of acceptable IP addresses to connect with.

I know all of this is possible with individual tools like tcpdump or wireshark and iptables configs, but that is too painful. I'm looking for a robust GUI on top of all that.

I tried analyzing all outgoing traffic on my laptop for a couple of days; there is a surprising amount of noise [1]. Very hard to spot anything nefarious. It's challenging to find anything meaningful without some sort of automation.

Unless it's a low traffic device, like a TV.

But in my research I didn't come across any router level software that did this in a meaningful way (with a GUI).

Maybe a startup opportunity here? +1 with network intrusion detection for home networks. I'd donate to a crowdfund for that.

[1] http://www.tcpdump.org/

  • Better a crowd-sourced classification algorithm for good and bad traffic? Built-in anomaly detection?

    Challenging...

I'm a fan of pfsense:

http://pfsense.org/

It might be a little more complicated than a standard consumer-grade router, but it's powerful enough to do almost anything. It's based on FreeBSD and has a reasonably pretty GUI on top of pf.

I've used it on Alix embedded hardware before, and have it currently running on an Atom Supermicro board; both work great.

  • I'll second the pfsense option. I just bought a great little Alix-based firewall running pfsense (2.1) [1]. I wanted something that was open-source and less of a black box (firewall inside a consumer-grade router/modem).

    One thing I'm now noticing: Android (Nexus 7) is quite noisy. I need to get wireshark looking at what this constant traffic is from the tablet to Google (and the BBC sometimes).

    [1] ALIX 2D3 LX800

Carambola2 [1] runs FreeBSD [2] and thus a version (it's way different from OpenBSD's these days) of Packet Filter [3]. Putting the ADSL modem in bridge mode and this very cheap device as an advanced firewall can keep you safe. You have to write the rules manually; it's a time-consuming procedure (a little bit like programming) because it takes a lot of reading, etc. But once you get the hang of it, writing rules yourself gives absolute control of what goes in and out of your network.

[1] http://8devices.com/carambola-2

[2] https://code.google.com/p/freebsd-wifi-build/wiki/Carambola2

[3] http://www.freebsd.org/doc/handbook/firewalls-pf.html

Not a networking guy here, and this is nowhere near all you're asking for, but here's a classic GUI-controlled router setup which allowed me to totally block my son's internet access when needed. Sounds like your TV needs that too:

* Router was a Linksys WRT54GL [1] re-flashed with Tomato [2] firmware

IIRC it took two steps to stabilize things:

* One of the menu options [sorry, don't recall which one] allows watching the MAC and IP addresses of connected devices in real time as they come and go. You can somehow assign names to devices in this list to help sort them out. Unhook or power off everything else, or use the OUI lookup, or somehow otherwise identify the TV. Click on 'static' so as to force Tomato's DHCP service to make the current IP address fixed for the TV's MAC.

* Now that the TV has a static IP on your LAN, you can use Tomato's 'Access Restriction' on that IP to disallow all outside access. Works as well for restricting one's kids' access to reasonable time ranges -- and cutting them off when necessary ;).

--------

[1] http://www.newegg.com/Product/Product.aspx?Item=N82E16833124...

[2] http://www.polarcloud.com/tomato

  • And unfortunately totally doesn't work for a "Smart TV" where you want the TV to be able to browse YouTube but you don't want it to send the names of your local files to anybody.

    We need much more capable filtering.

    It seems that because of these immoral corporations (hm, aren't they by definition that way?) we as users have to implement the "Great firewall of China" for our own networks. Bad times.

    And as Terr_ notes on this page, we should actually fight for the legal mechanisms to forbid such practices and punish the companies who invade our privacy.

    • The UK (where these TVs are being sold), much like the rest of the EU, does have legal mechanisms to forbid such practices and punish infringers, under the Data Protection Act 1998 [1]. The fact that LG still sold these TVs in the UK shows that legal mechanisms are not sufficient.

      Sure, one can argue that this particular mechanism is not sufficient, while others would be, but we often don't know that until the deed is done.

      [1] http://en.wikipedia.org/wiki/Data_Protection_Act_1998

I set up a VM to collect NetFlows from my DD-WRT enabled router, and used the http://nfdump.sourceforge.net package to collect and parse them into a daily report of all TCP/UDP connections sorted by bytes...

The real challenge is filtering out all the google and ec2 hosts that you come into contact with while using various services...
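As an added example (not code from this thread, from nfdump or from DD-WRT), the kind of post-processing the comment above describes: sum outgoing flow records per device and destination sorted by bytes, drop destinations treated as expected noise, and flag flows that break a per-device allow-list of the sort the original question asks for. The CSV layout, the addresses and the policy are all constructed for the example.

```python
# Added example (not from the thread): aggregate per-device outgoing flows
# into a bytes-sorted report and flag destinations outside each device's
# allow-list. Record layout is a constructed CSV, not nfdump's own format.
import csv
import io
import ipaddress
from collections import defaultdict
# Constructed flows: a laptop (.20) and a TV (.50) on the LAN.
SAMPLE_FLOWS = """ts,proto,src,dst,dport,bytes
2013-11-20T08:01:02,TCP,192.168.1.20,203.0.113.10,443,51200
2013-11-20T08:01:09,UDP,192.168.1.50,192.168.1.1,53,180
2013-11-20T08:02:15,TCP,192.168.1.50,198.51.100.7,443,20480
2013-11-20T08:02:40,TCP,192.168.1.50,192.0.2.99,80,7300
2013-11-20T08:03:01,TCP,192.168.1.20,203.0.113.10,443,102400
"""

# Constructed policy: the TV may only reach its vendor range and the LAN.
DEVICE_POLICY = {"192.168.1.50": [ipaddress.ip_network("198.51.100.0/24"),
                                  ipaddress.ip_network("192.168.1.0/24")]}
# Destinations treated as expected noise and left out of the report.
NOISE_NETS = [ipaddress.ip_network("192.168.1.0/24")]
def parse_flows(text):
    """Parse the CSV text into dicts with integer port and byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"], r["bytes"] = int(r["dport"]), int(r["bytes"])
    return rows

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def daily_report(flows):
    """Bytes per (src, dst, proto, dport), largest first, noise dropped."""
    totals = defaultdict(int)
    for f in flows:
        if not in_any(f["dst"], NOISE_NETS):
            totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def policy_violations(flows, policy=DEVICE_POLICY):
    """Flows from a policed device to a destination outside its allow-list."""
    return [f for f in flows
            if f["src"] in policy and not in_any(f["dst"], policy[f["src"]])]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst, proto, port), total in daily_report(flows):
        print(f"{total:>8} {proto} {src} -> {dst}:{port}")
    for f in policy_violations(flows):
        print("POLICY", f["src"], "->", f["dst"], f["dport"])
```

Feeding it real exports means replacing SAMPLE_FLOWS with the collector's CSV output and widening NOISE_NETS to the cloud ranges the comment complains about.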

Surplus PC with an extra NIC and OpenBSD.

Edit: oops sorry you wanted a GUI. I'm guessing there are some GUI tools for pf around but I don't know of any.

  • The de-facto standard packet logging and tracing UI is wireshark, so if you're going to go the surplus PC route then run wireshark on it. I have no idea if it's available for OpenBSD, but it's certainly available for Linux and Windows.

I have a Buffalo router; it has DD-WRT firmware. I have a new LG TV too, just bought the stupid thing 1 week ago. Anyways, you can block the websites using this router. Good news is it works.

  • If in the UK, take it back to the shop and tell them why. It is faulty: it is sending personal data out to the internet.