Monday, 16 November 2009

Cisco / Linksys SPA3102 ... 'Time' for a Dial Plan

A lateral approach to time based dial plan enforcement (or... 'Hacky / Sippy / Timey')

PLUG STUFF IN HERE - WOW YOUR FRIENDS!

So you've talked up a good 'home IT' solution to the finance manager (i.e. The Wife) - you've visited Amazon (or Kikatek in my case), splashed your green all over the internet .... bemoaned the fact that you allowed the thing to be shipped 2nd class to save yourself circa £1.50 in delivery costs ... danced with glee as Pat and Jess come knocking on your door with a parcel ... powered the thing up, only to find that something is wrong. Terribly wrong in fact.


IT DOESN'T DO WHAT IT'S SUPPOSED TO!!!

You can take that statement two ways. Either the manufacturer advertised functionality that wasn't present upon inspection - or - whilst you were dreaming up a nerdy home IT solution, you allowed your imagination to colour in some feature that you really really wanted but actually found out all too late wasn't ever promised. Worse still - you either have to make it work, or explain to the finance manager why the thing you just purchased might not quite work the way you had promised.


And so it was for me with the SPA3102. The IP telephony and PSTN convergence unit did everything it promised - but it did not promise time based / scheduled dial plans. You see, I had foolishly promised the wife that I would be able to use the SPA3102 to seamlessly switch between cheap voip calls during the working day and free BT calls in the evenings and weekends. "I don't want any more fuss" she said. "I can't be arsed with all this messing about so if it's more hassle for me then it's going straight back and you can live with the expensive and lengthy phone calls to my mother." However, the SPA3102 would not let me so this! I could have one dial plan .. and bleedin well like it!!

YES - A CISCO/LINKSYS SPA3102. IF YOU DIDN'T KNOW THIS ALREADY AND HAD READ THIS FAR .. THEN I'M IMPRESSED! AWARD YOURSELF A COOKIE.

As a starter for 10, I configured the plan to dial voip by default for all but emergency calls - but allowed the option of routing through PSTN by virtue of prefixing all numbers with a '9'. Let me tell you, the 'dial 9 for a line - evenings and weekends' awareness program in our house didn't go down very well. I could sing it .. I could dance it .. I could stick it in my pipe and smoke it.


There was no option, I had to find a way round the issue. At the back of my mind I already knew that it would require Linux somewhere and some extensive time at the University of Google. Determination (plus a few lucky page hits) paid off and I've now found a way to switch between two separate dial plans for the SPA3102 - abandoning the need to hit 9 for PSTN in the evenings.

So here follows my mini 'How To' for time based dial plan scheduling on the SPA3102. Please note - these are 'guidelines' explaining how I managed to get this working. You follow them at your own risk. At the very least - ensure that you have tested backup and restore prior to messing around with your config. I also assume that this is your kit and that you don't mind if it breaks. I don't want anyone to visit supermonkeyhaha land with a broken SPA3102 and a baseball bat.

AIM: Get the Cisco Linksys SPA3102 unit to switch dial plans on a timed basis.

REQUIRED: Basic understanding of HTML / A Linux server on the LAN / Firefox web browser / SPA3102 (this may well work with other similar units) and a general understanding of how that unit operates. If you require a configuration guide (UK) then I recommend: Andrew Oakley's brilliant guide which can be found here: http://www.aoakley.com/articles/2008-01-08.php

ASSUMPTION: Your SPA3102 is sitting on an existing LAN converging VOIP and PSTN - not acting as a gateway. This process will briefly reboot your SPA3102 and result in loss of gateway services (probably).


OVERVIEW: We're going to dump out different configurations that we would like to use on the SPA3102 (including our varying dial plans) - then we're going to convert that extracted data in to separate uncomplicated dial plan scripts. We will then set up a schedule to trigger the scripts to update the SPA3102 with the required dial plan.


In my example, I'm going to create one script for VOIP centric calls between midnight and 6pm and then another to route all calls via PSTN between 6pm and midnight.

METHOD:

First things first. Key to this solution is an understanding of the manual 'save as' backup and recovery method found here - http://voipstuff.net.au/SPA3000.html#toc10

As you will see - it's surprisingly easy to copy out and restore back configs to the SPA3102 without the need for fancy tools. Now what we need is to save a backup for each version of the dial plan that we want in our time based schedule. Let's say I've called mine voip.htm and pstn.htm

Now - edit each file using a text editor (notepad etc) and search for the form tag. Switch the method from POST to GET. Additionally - amend the action so that it's action=http://*your SPA3102 name or IP goes here*/admin/asipura.spa


If you then load the page with Firefox (I had issues trying this with IE 8) and submit the form - lo and behold, your address bar is absolutely packed with all the config variables that you need. Copy them out somewhere for safe keeping (notepad etc).

Now - log on to your Linux server and change into your scripts directory (or create one). Mine is /opt/scripts

Create a script file for each plan you wish to schedule and make it executable. So for my voip dial plan it would be:

cd /opt/scripts
touch voip
chmod +x voip

Open it with your favourite text editor and add #!/bin/bash to the first line. On the next line type curl -d ""

Now return to the data you copied out of Firefox. Copy everything apart from the URL (basically the entire SPA3102 config) and then switch back to the script on your Linux host. Paste the contents between the quotes.

Now go back to the Firefox data and copy the URL (excluding the ? at the end) and place that in your Linux script right at the end ensuring that there is a space before http://

You should now have a script file that goes something like this:

#!/bin/bash
curl -d "xxxxxxx lots and lots of config data goes here" http://myspa3102/admin/asipura.spa

Now save the file.

If you don't have curl installed - install it using standard repository tools for your distro (apt-get or yum install .. etc etc).

Rinse and repeat for each dial plan variant you have captured. Now you're ready to test the scripts individually to see if curl posts the config to the SPA3102. So, for my voip script, from the command line it's: ./voip

After this has run - you will get a text based equivalent of the confirmation page in the console notifying you that change is about to be applied. Wait 10 seconds and then log in to the SPA3102 and check your dial plan. If everything has gone according to plan, you should see the dial plan info relating to the script that you've just submitted. Now repeat the process for another dial plan to ensure that the dial plan changes accordingly.

OK .. all being well, you'll have seen the dial plans switch purely by scripting. The next step is to enable time based scheduling with cron.

Edit crontab with the command: crontab -e

Here's an example of my crontab. Two entries are listed - the first runs at 23:59 Sunday to Thursday: 59th minute, 23rd hour, every day of the month, every month, days 0 (Sunday) to 4 (Thursday), invoking /opt/scripts/voip

The second runs /opt/scripts/pstn at 6pm, Monday to Friday

# m h dom mon dow command
59 23 * * 0-4 /opt/scripts/voip
0 18 * * 1-5 /opt/scripts/pstn

Now you have your crontab in place, your dial plan configs should be set according to your schedule and hey presto - no more 9 for a line. Just remember that if you make changes to your system - unless you update your scripts to reflect those changes, you'll lose them next time cron kicks in.
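As an added example (not the script from the post), here is a version of the plan script that keeps each URL captured from Firefox in its own file under an assumed /opt/scripts/plans directory, splits it into the endpoint and the POST data for curl, and refuses to post anything that is not a full capture. The capture is the unit's entire configuration, so protect the file like a password file (mode 0600); as in the post, it travels over plain HTTP on the LAN.

```shell
#!/bin/sh
# Added example, not the script from the post: post a captured SPA3102 config
# held in a file rather than pasted inline, and check it first.
# Assumed layout: $PLAN_DIR/<name>.url holds the one URL Firefox showed after
# the GET submission, e.g.
#   http://myspa3102/admin/asipura.spa?Dial_Plan_1_=...&...
# The capture is the unit's whole config, so keep the file mode 0600.

PLAN_DIR="${PLAN_DIR:-/opt/scripts/plans}"

# Everything before the first '?' is the endpoint curl must POST to.
capture_base() { printf '%s\n' "${1%%\?*}"; }

# Everything after the first '?' is the form data; empty if there is none.
capture_data() {
  case "$1" in
    *\?*) printf '%s\n' "${1#*\?}" ;;
    *)    printf '\n' ;;
  esac
}

# A usable capture has a '?' followed by at least one key=value pair, so a
# half-pasted line cannot push an empty config at the unit.
capture_ok() {
  case "$1" in
    *\?*=*) return 0 ;;
    *)      return 1 ;;
  esac
}

# push_plan NAME: POST the stored capture NAME.url to the SPA3102. Returns
# curl's exit status (non-zero on HTTP errors thanks to --fail).
push_plan() {
  file="$PLAN_DIR/$1.url"
  [ -r "$file" ] || { echo "push_plan: no capture at $file" >&2; return 2; }
  url=$(head -n 1 "$file")
  capture_ok "$url" || { echo "push_plan: $file is not a full capture" >&2; return 3; }
  # Plain HTTP on the LAN, exactly as the post's curl line does it.
  curl --fail --silent --show-error \
       --data "$(capture_data "$url")" \
       "$(capture_base "$url")" >/dev/null
}

# Cron entry shape: 59 23 * * 0-4 /opt/scripts/push_plan voip
if [ "$#" -gt 0 ]; then
  push_plan "$1"
fi
```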

Hey! I never said it was perfect!

Friday, 12 September 2008

Goodbye China!

If using a "biscuit tin as a firewall" was the answer - then the question had to be "How the hell do I stop China over-running my mail server?"

This is dedicated to anyone who runs their own mail server. Whether you're a business user supporting an enterprise deployment or a pokey home user just looking to get a little bit of IMAP love in your life - the day you find where the mail logs reside is the beginning of a vengeful game of strike and counter strike.

Perhaps some people are happy with it - but for me, reading the mail logs is an irritation. From time to time you expect the occasional prod from some random point in the country attempting to relay off your mail server but the constant drip drip offensive from one international region in particular is quite literally like Chinese water torture.

Almost 95% of relay attempts against my mail server, when processed through whois on dnsstuff.com, turned out to be from China. Perhaps they thought there was a gold medal in the offing?!!

The alliteration of attempts was impressive and it showed that although the majority of engagements failed trying to handshake my mail server (HERRO instead of EHLO perhaps?) - some were far less bot driven and much more sneaky in their attempts to trick my MTA into relaying fun time Pr0n mail to the masses. Eventually it drove the fear of God into me. Who knows what they get up to in the labs over there? The Xenophobe in me kicked in. Visions of faithful party members - miniaturised and deployed inside ethernet frames - raiding my mail server with all manner of technoexploit know how meant that I could not rely on my MTA alone to deal with it. They had to be stopped at the perimeter!!!

Don't get me wrong here. I had hardened my Postfix implementation after a lengthy (5 minute) trawl through the first page of Google search results on the issue. I had also burnt the midnight oil on more than one occasion, taking the time to deploy my own domain local blacklist and also real time blacklisting (RBL). But the joy in rejecting mail from specific domains with my own custom FU 550 reject message was fleeting and the logs still showed presence of chinanet users enjoying all night exploitathons on my IP address. I felt that it was only a matter of time before they partied hard enough to break on through to the other side.

That was why I decided to retract the hospitality that was generally afforded on port 25 to the rest of the world. A bit drastic? Not really - the last time I looked, Hu Jintao wasn't in my Facebook so what do I care.

So I traded up and got myself a nice Netgear firewall router from the Prosafe range. The FVG318 fitted the bill perfectly. It had some great features and also included the explicit ability to block either individual IP addresses or supernet IP blocks. Perfect! The spam relay attempts came in - left their dirty fingerprints all over my logs - associated IP ranges were looked up and then entered into the 'no no' list. Moohahahahahaha!

Imagine my disappointment when I discovered that a so-called professional device (that is where the pro in prosafe comes from --- right?) rejected my 21st attempt at entering a firewall rule.

Netgear and the art of WTF??!!!!
When the FVG318 says those three little words, it's hard to hide the rejection when you read "Too Many Entries" ! Tear my heart out why don't you!!!

Firmware Version: v2.1.2-67R - you're a dirty love rat!

Frankly - I don't know if it's unacceptable or not to have such a limitation in an off the shelf product. I could cry all I liked and Netgear were unlikely to fix my issue for me. As a result, it was time for Linux. Specifically - Smoothwall.

How and why I came to this decision - and how I built the damn thing have been blogged HERE

So how could Smoothwall be of benefit? Quite simple really. Give me the power to block the extensive range of IP addresses I needed in order to exact my vengeful nature upon the far east! At the same time, it would allow me to do it in a manner that meant I didn't have to enter the IP blocks one at a sodding time. Lucky for me, Smoothwall is the mutt's nuts (or the dog's danglies if you prefer - choices choices eh! That's western living for yah).

Ok, if I was pedestrian about it - Smoothwall would allow me to plod through my hate list one item at a time, adding them via GUI interface. If I wanted to step up a gear then there was always the direct route. By enabling SSH access and having a quick prod about, it didn't take long to find the config file for the ipblock function under /var/smoothwall/ipblock

Putty and the art of TFFT!
As any responsible citizen should, all material of a sensitive nature has been removed to protect the innocent.

Smoothwall supports vi if you fancy your elite text based editor skills. Alternatively, you could always use WinSCP to provide you with graphical access to the directory structure and locate the ipblock config file for editing. You may want to make a backup before you balls it up though.

Smoothwall allows IP blocks to be specified in CIDR notation. The ipblock file takes one comma separated entry per line, with the fields in this apparent order: (address) network/CIDR prefix, (logging) on/off, (action) DROP/REJECT, (enabled) on/off, followed by a free text label.

e.g. - 220.152.128.0/17,off,DROP,on, China

That's great - but where the hell am I going to find a list of Chinese IP blocks? The internet being the community it is, you can guarantee that this issue has been pissing people off for long enough to ensure that someone has already done the leg work for you. Enter the OKEAN web site. If I were a small dog, I would be humping this guy's leg right now. Both Chinese and Korean IP blocks in contiguous / CIDR and dnsbl zone format. It's this kind of selflessness that makes the web a better place (rather than a virtual high street).


If I were a little dog!
Okean ... where are yooooou?

With the IP booty in the swag bag (thanks Okean) all it needs now is for a quick cut and paste of the data into the /var/smoothwall/ipblock/config file and bob is your aunty. The list appears immediately in the smoothwall ipblock list via the browser. A quick reload of the firewall to be on the safe side and there we go. China begone.
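Rather than pasting the downloaded list by hand, the conversion can be scripted. This is an added example, not anything from the post or from Smoothwall: it turns a plain list of CIDR blocks (one per line, as in the Okean contiguous list) into lines in the field order described above, and stops on the first malformed entry so that a stray line never reaches the config file. The input format and the 'China' label are assumptions; the example also assumes Smoothwall ignores any whitespace around the label.

```shell
#!/bin/sh
# Added example (not Smoothwall's own tooling): convert a plain list of CIDR
# blocks into /var/smoothwall/ipblock/config lines in the field order the
# post gives: network/prefix, logging on|off, DROP|REJECT, enabled on|off, label.
# Input is assumed to be one CIDR per line; blank lines and '#' comments are skipped.

# valid_cidr A.B.C.D/N: 0 if each octet is 0-255 and N is 0-32, else 1.
valid_cidr() {
  case "$1" in
    */*) ;;
    *)   return 1 ;;
  esac
  ip="${1%/*}"
  len="${1#*/}"
  case "$len" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $ip          # split the address on dots (function-local positional args)
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ipblock_line CIDR LABEL: one config line: no logging, DROP, enabled, label.
ipblock_line() {
  valid_cidr "$1" || return 1
  printf '%s,off,DROP,on,%s\n' "$1" "$2"
}

# make_ipblock LABEL < cidr-list: emit a config line per entry; fail on the
# first bad entry rather than writing a file the firewall may misread.
make_ipblock() {
  label="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    ipblock_line "$line" "$label" || { echo "make_ipblock: bad entry '$line'" >&2; return 1; }
  done
}

# Usage (constructed list; 203.0.113.0/24 is a documentation range):
#   printf '220.152.128.0/17\n203.0.113.0/24\n' | make_ipblock China > ipblock.new
```

Review ipblock.new before appending it to the live config, and keep the backup the post recommends.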

The sad reality is that a small percentage of people are either willingly or unwittingly helping their country gain an unsavoury reputation. A quick browse on the net shows that plenty of people are considering similar actions in order to protect their infrastructure from abuse. It could make the internet a very hit and miss affair for China over the next decade.

Wednesday, 3 September 2008

Part 2 - Getting my parts out and playing with them

With all the kit safely back at base, it was time to put it all together. What were the chances that the kit would power up let alone let me put a firewall on it? Surprisingly (for me at least) it came up first time.

Now the thing about this solution is that it's all going to have to squeeze into a small box and I didn't want to put it all together only to find that some hardware configuration or limitation (i.e. supported hardware issue) meant I needed to open it up again. So as soon as I could get the bare bones operational, I decided to find a firewall distribution that met the criteria and give it a whirl.

Must have:
  • NAT firewall with SPI
  • IP blocking features allowing single IP or IP range blocking - (without the 20 or so rule limit I had on my router!!!!)
  • Port forwarding
  • PPP support - I need it to connect to my ethernet modem and log me on to the net
  • SQUID. (I didn't really need this but it was an itch I've been meaning to scratch for ages) - preferably transparent.
  • Good logging features
  • Be able to run on a relatively low power system without dragging down my surfing experience.
Dream team:
  • IPSEC VPN endpoint functionality
  • Pretty graphs
  • Good community support (do not undervalue this aspect)
  • NTP, DHCP and DNS (in case I ever decide to consolidate these services away from my existing systems)
  • Intrusion Detection System (IDS) ... another 'want to play with' thing.
  • QoS so that when my kids grow up - I can QoS their bandwidth hogging activities out of existence
  • IM proxy. Again, when my kids grow up I'll need to snoop - err responsibly monitor who they're talking to.
I trawled my backside off looking through the various features - seeing what did the trick. M0n0wall looked like a fantastic development able to run on skinny kit but didn't appear to have the web proxy functionality I was looking for. Untangle also looked quite tasty but I was put off with the beefy (ok - non wimpy) hardware requirements.

Much more up my street were IPCOP and Smoothwall Express. Both scored highly and it was hard to choose between them. Being technically minded, I went for IPCOP because my Dad was a copper back in the day - and somewhere in the back of my head the name gave me the impression of The Sweeney meets Tron. That's how the IT decisions are made when I'm spending the money!

So I downloaded the latest release from sourceforge, burnt the disk and fired it up. Remember what I said above about supported hardware issues? Well that's where IPCOP fell on its arse for me in the first instance. It's not everybody's experience but I couldn't get it to run on my kit. It appeared for all the world to me that during the installer process, IPCOP was looking for the install files from my SATA disk rather than the CDROM with the install disk in. Actually - I proved this for myself by breaking into a console session and browsing the device it was trying to read from - which was my SATA drive. The community advice was 'search the forum for SATA'. Something that showed mixed success.

I'm not going to knock the regional community support forum but suffice to say I didn't get the warm fuzzies from it! I wasn't expecting flowers or anything but, well ..

So there I was with a dining room table full of hardware and one option left. Time for Smoothwall Express. The name wasn't as funky but the base functionality was pretty close (IPCOP being a fork of Smoothwall by all accounts). Would it run on my cobbled hardware or would I have some explaining to do to my wife when we examined the accounts!?

To start with, the answer was no! *cry* For a moment I thought I had compatibility issues when the installer keeled over repeatedly with an obscure message at the end of the file installation process. But checking the md5sum gave surprising results and it transpired that my iso was corrupted. A first for me. After a second download and a successful md5sum check - the next attempt worked like a dream.

The wrong kind of chips on this dining table (according to me wife at least!!!) The farmhouse dining table and chairs gave it a Star Wars meets the Waltons feel.

And if you think I'm going to narrate my firewall configuration across the blogosphere you can, of course, forget it. There's plenty of time to comment on Smoothwall in later blog sessions after a healthy evaluation.

With the harmonious union of hardware and software witnessed in front of the creator, it was time to build them a house before the honeymoon could commence. In this world though, considering the economic climate, credit crunch and the high price of accommodation - it would have to be a humble dwelling.

If you've seen my first entry then you will have seen the 'Urban Myth' game box that I proposed to turn into a case. How had I come to the conclusion that it would do the job? I tipped out the cards and checked to see if the mobo would fit inside. That was the scope of my groundwork! The last time I worked with metal was approx 22 years ago back in school when I made a two piece replica concorde. All I had at my disposal this time was a medium sized hand drill, a small pair of wire clippers and a pair of sturdy scissors - swiped from the kitchen. Before long I had made a few 'functional' modifications to the case.

Before

Almost certainly after .. unless the event was subject to a time paradox. Look closely - two holes - as the actress said to the bishop.

Now the parts have to be fixed to the case. First off - the PicoPSU power supply. Do I fix it in a practical position - or somewhere stupid & impractical but slightly amusing?

That's what your face looks like when you have a PicoPSU wired in an impractical place. Suits you, sir! oooh!

Almost in focus. I think the 'shiny behind' had a dazzling effect!

Funny (mildly) but in a space efficient environment - not very clever! Next - fasten the mobo to the case.

A bit wonky but it fits and there is still hope to cram the rest of the bits in.

With the PSU wired in and the mobo fitted - all that was left was to slot in the hard drive (somewhere) and shut the thing together. I managed to squeeze the drive into the lid without too much issue. Closing the case was about a third of the job though!! It turns out that I had set a world record for owning the world's most inflexible SATA lead. Lucky for me I had a drawer packed full of the things - every one of them at least twice as flexible as the one I had chosen earlier!

The professional job on the metal work had introduced a certain amount of fatigue to the structure. It closed well enough but the chicken in me compelled me to add a bit of tape to ensure integrity. And here it is - the final product. Ladies and gentlemen - may I present to you, the Urban Myth Smoothwall.

What tape?

Closing comments - it's alive!! It will probably need a bit of further refinement to secure the case in order to remove the tape. As for a 533 MHz system with 256 MB of memory running Smoothwall and Squid - for home use it's bloody fantastic.

Tuesday, 2 September 2008

Part 1 - A firewall Valerie Singleton would be proud of ...

Double sided sticking tape (check) - loo roll (check) - old washing up liquid bottle (check) - dog named 'Shep' (check) .... OK, we're ready. Now you may need an adult to help you with this .......

Anyone who's discovered Linux will probably have gone through the same curve that I have. "What? An O/S for free?" - "I don't understand - why so many distributions!?" - "So most of the internet runs on this?" - "I just jab in apt-get and it ends up on my box?!". All this is great, but for me, the biggest thing about the GNU revolution has to be that it changes us from dumb consumers to controlling creators.

Let's say for example that you bought yourself a firewall router. You pimped your arse out all week for your pound or dollar - picked your make and model, only to find that it has poor firmware (that bricks your box), and some really cheap limitations that hinder the scope of its use. At least that was my most recent experience. What do you do? Buy another one in the hope you're not let down again? Or perhaps you make your own! Consumer or creator?

Frankly, I've gone through about five firewall routers in as many years and, cheap or pricey, I've not been entirely happy with any of them (fussy fussy). Combining a few years exposure to open source radiation with some rabid ebaying would surely be a recipe for success? The prospect was tempting and Linux being as versatile as it is, there were bound to be a multitude of distros ready to take up residence on my hard drive.

OK, so if you're going to do this there is probably a right way and a wrong way. I imagine the right way to be a) Draw up a list of requirements - b) Pick the software that meets those requirements - c) Check the hardware compatibility list and then buy / build the kit. But I had read the propaganda and had bought into the mantra that told me that I could throw any old hardware together and come up with a solution. That suited me fine because it meant I could be guided by cost rather than need, safe in the knowledge that somehow it would work - right?

In terms of the hardware, I wanted small / low power / low cost.

Required hardware:

  • A case
  • A motherboard with at least two nics.
  • A small hard drive
  • Memory
  • Suitable PSU
  • Adapter

After a bit of poking around on e-bay I managed to find an integrated motherboard with two nics and a 533 MHz VIA Mark processor for £30. Bargain. See for yourself: http://www.jenlogix.co.nz/products/wafer-mark.htm

The SATA controllers on the wafer-mark meant that I could make use of a spare Seagate 2.5" hard drive that I had recently hatched from its external USB housing. Curiosity got the better of me on that one. Like a Kinder egg - I had to crack it open for the toy.

I decided that I wasn't going to spend more than £10 on memory and managed to get 256 MB of pc 133 for the price.

Finding a DC DC PSU and an adapter was a real pain in the backside - mainly because the whole thing was an education for me. I picked up a 12V 90W PicoPSU-90 brand new from Linitx.com (nothing cheap enough on ebay) which will provide much more power than I need. That was another £30 (ish). The 4 pin molex would provide the +5v but being an ATX PSU - it would need to be tricked by adding a home made jumper between a couple of the pins (read up and undertake at your own risk).

Back to ebay for the 12v 5a Adapter plus a 2.1mm to 2.5mm barrel adapter (needed to fit the power point on the PicoPSU). Another £15 ish.

So that's £85 I've forked out already even with the free hard drive. Being a tight arse and also bathing in the inspirational light of the mini-itx projects page I decided I would find something around the house to mod as a case. The prices for the tiny cases were just too much. After a great deal of hunting around in cupboards and head scratching, I found a card game called 'Urban Myth' that happened to be packaged in a handy mini-itx sized aluminium case.

Now for some pictures:

WAFER-MARK 533 - With a couple of juicy nics *drool*
Note the two USB ports over on the left side. Although only USB 1.1 - you need a way to deliver the O/S to the system. Trust me - telepathy isn't a great medium for transferring data to disk.

URBAN MYTH - The card game - and now the firewall !!!
Take a look at that mouth. It comes in handy later.

Kinder egg toy or hard drive? You decide!

Although the SATA cable appears to obscure the picture - the artists amongst us will know that it lies on the Golden Section and therefore is mathematically guaranteed to be a work of art.

Well - that's the hardware procured. Next instalment - putting it all together.