Re: [IPCop-user] SNMP Support for IPCOP

[Greg D. <gr...@de...>]

Richard Fennell wrote:

>Will SNMP be introduced into IPCOP at all?
>
>Reason i ask is because i use rrdtool to create so graphs of my network and
>red in/out, green in/out, blocked packets and others would be really nice to
>put on my network admin webpage. This will enable me to identify trends in
>attacks/bandwidth usage and better inform me of my IPCOP's usage and
>performance?
>
>If no one has done it would anyone know how to?
>
>Is this gonna make my box insecure?
>
>Does anyone else like sexeh graphs  ;-)
>
>Thanks
>Richy
>
>BTW rrdtool rox, should be used on IPCOP instead of MRTG.
>
>  
>
Hi Richy-
    I also looked into this.  I thought about adding SNMP to IPCop, but 
I haven't had the time (let alone my fears of security problems being 
introduced).  When I read a bit about RRD, I found that it is possible 
to utilize a script on IPCop (similar to the existing GUI pages) which 
can be lynx'd by the RRDtool host.  A good source of info is quoted 
below and written by John Edwards.  Note that the scripts are written 
for IPCop 0.1.1 using ipac, and would need to be modified for version 
1.3 and the newer ipac-ng.  I haven't tried any of this, but it sounds 
safer than installing SNMP.  Good luck.
-Greg


Quote from http://marc.theaimsgroup.com/?l=ipcop-user&m=102310689025602&w=2

I would avoid SNMP on a firewall - too many security problems. MRTG has 
an alternative for non-SNMP devices where you can use *any* shell 
program in the 'Target' field with backticks '`'. The program should 
produce 4 lines of output - incoming bytes, outgoing bytes, uptime and 
name. For more details see the "External Monitoring Scripts" in the MRTG 
Reference Manual: 
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/reference.html 
<http://people.ee.ethz.ch/%7Eoetiker/webtools/mrtg/reference.html>

A couple of months ago Nick Heinemans posted a cgi script for IPCop that 
would produce these 4 lines of stats from ifconfig and an MRTG config 
files which used lynx to download them. I've modified them to use the 
ipac IP Accounting package, which is already used for the traffic graphs 
on the web interface. If you're interested the mrtg files I used are 
here: http://www.supporting-role.net/software/ipcop/software-list.php

-- John Edwards sh...@co...


Here's the excert from the MRTG Reference Page (because it's a pain to 
find the right section):
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/reference.html

*External Monitoring Scripts*
    If you want to monitor something which does not provide data via
    snmp you can use some external program to do the data gathering. 

    The external command must return 4 lines of output:

    *Line 1*
        current state of the first variable, normally 'incoming bytes
        count' 
    *Line 2*
        current state of the second variable, normally 'outgoing bytes
        count' 
    *Line 3*
        string (in any human readable format), telling the uptime of the
        target. 
    *Line 4*
        string, telling the name of the target. 

    Depending on the type of data your script returns you might want to
    use the 'gauge' or 'absolute' arguments for the /Options/ keyword.

    Example:

Target[ipcop]: `/usr/bin/lynx -source http://gateway:81/cgi-bin/mrtg/ipac.cgi` [note: Greg changed this to reflect IPCop]

    Note the use of the backticks (`), not apostrophes (') around the
    command.

    If you want to use a backtick in the command name this can be done
    but you must escape it with a backslash ...

    If your script does not have any data to return but does not want
    mrtg to complain about invalid data, it can return 'UNKNOWN' instead
    of a number. Note though that only rrdtool is realy equipped to
    handle unknown data well.