Thread: SSH daemon - do we really need this?

  1. #1
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356

    SSH daemon - do we really need this?

    Guys,
    I've seen that Linksys WRT54G fans are adding ssh support to the box, because they have 1.5 Mb free in the flash (the reason for that is that the WRT54G does not have USB support and related things, and more importantly uses uclibc instead of glibc).
    As for ASUS - the current firmware occupies almost all the flash, so it's very hard to add anything. But it's possible to free up 350-400k in the current firmware by stripping the comments & notes in the binaries of the current firmware. So it seems to be possible to add the sshd to the firmware file. I've succeeded in building a test version of the dropbear ssh daemon, which will probably fit in this extra 400k (now it's 307k in size, but we also need scp compiled in, so it will be larger).
    But do we really need this? As for me - the only benefit is the scp...

  2. #2
    IMHO, we don't really need ssh, especially when there isn't much space available... wouldn't it be better to use that free space for iptables modules (libipt_*.so stuff, conntracking for ftp, irc and the likes, etc) and improve the router/firewall side of the asus, instead?

  3. #3
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by tunga2001
    IMHO, we don't really need ssh, especially when there isn't much space available... wouldn't it be better to use that free space for iptables modules (libipt_*.so stuff, conntracking for ftp, irc and the likes, etc) and improve the router/firewall side of the asus, instead?
    If there is something to change in the WL500g then it would be the DHCPd, since it lacks one hell of an option: static DHCP (map a MAC to an address).
    Sshd can run from the usb flash drive, so I think there is no need to build it in.
    Last edited by bramfm; 01-01-2004 at 12:01.

  4. #4
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    As for dhcpd - yes, it's possible to make it serve static addresses, but ASUS has modified the udhcp sources; at least it uses a different leases file (but it's possible that the wrt54g uses the same thing). Another problem is the web interface for that.

  5. #5
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by Oleg
    As for dhcpd - yes, it's possible to make it serve static addresses, but ASUS has modified the udhcp sources; at least it uses a different leases file (but it's possible that the wrt54g uses the same thing). Another problem is the web interface for that.
    The web interface can be a problem, I agree; however, people using servers behind a firewall know what they are doing (I presume), so a telnet (or secure shell) interface would be enough. I thought uDHCPD was not capable of doing static DHCP?

  6. #6
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    It has a built-in ability to read the leases file on startup (but it's binary). Another option is to use the wrt54g patch which adds this ability: http://www.fmf.nl/~orion/wrt54g-staticdhcp+dns.patch
    I've checked: the dhcpd/dhcpc are the same as the ones used in the wrt54g, but the DNS cache is different (wrt54g uses dnsmasq, wl500g uses dproxy).

  7. #7
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    Originally posted by tunga2001
    IMHO, we don't really need ssh, especially when there isn't much space available... wouldn't it be better to use that free space for iptables modules (libipt_*.so stuff, conntracking for ftp, irc and the likes, etc) and improve the router/firewall side of the asus, instead?
    Which modules exactly would you like to see? "Built-in" are:

    # ls /usr/local/lib/iptables/
    libipt_DNAT.so libipt_SNAT.so libipt_standard.so
    libipt_LOG.so libipt_TCPMSS.so libipt_tcp.so
    libipt_MASQUERADE.so libipt_icmp.so libipt_udp.so
    libipt_REDIRECT.so libipt_limit.so

  8. #8
    I've bought the asus only two days ago, but from what I've seen so far (using telnet with your firmware) there is no sign of stateful packet inspection anywhere... the default iptables configs are absolutely awful, like having your router totally open to the internet and blocking only a few ports as needed? Worst of all, doesn't the box advertise SPI? The "state" module is probably the most important then.. the rest should be a question of free space. "mac" would probably be cool too.

    but like I said, I haven't played with it much yet, so please correct me if I'm wrong in any of my assumptions...

  9. #9
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by tunga2001
    worst of all, doesn't the box advertise SPI?
    according to http://www.asus.com/prog/spec.asp?m=WL-500g&langs=01
    it does:
    Firewall NAT and SPI

  10. #10
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    If you are using NAT there is always SPI from WAN to LAN. Anyway, it's possible to add more modules to iptables, so let's play more to figure out what we really need.

  11. #11
    Originally posted by Oleg
    If you are using NAT there is always SPI from WAN to LAN. Anyway, it's possible to add more modules to iptables, so let's play more to figure out what we really need.
    well, I'm not putting NAT and SPI in the same bag... and neither does asus, or they would have no need to write SPI on the box. NAT would be enough, it would imply the packet inspection you're talking about. I can't help but feel a bit cheated since nothing in the asus keeps track of tcp/udp connection states... I would never have bought it if I knew this.

    anyways, at least we seem to have enough expertise to get around it.. thanks for your help! I'm gonna take a look at these firewall init scripts when I have the time.. see what can be done differently.
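Since the thread ends with a plan to revisit the firewall init scripts, here is an added example of what a stateful ruleset built on the "state" match from post #8 looks like. It is not from any post in this thread and is not the ASUS firmware's own script. It assumes the interface names eth1 (WAN) and br0 (LAN bridge), the LAN subnet 192.168.1.0/24, and an IPT variable so the rules can be printed with IPT=echo instead of applied; besides the modules listed in post #7 it needs the state match (libipt_state.so on iptables of that era) and kernel connection tracking.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware: a default-deny,
# stateful iptables ruleset for a NAT router. Interface names, the LAN
# subnet and the IPT variable are assumptions.

WAN_IF="${WAN_IF:-eth1}"                 # assumed WAN interface
LAN_IF="${LAN_IF:-br0}"                  # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run

apply_stateful_rules() {
    # Default-deny on INPUT and FORWARD: only explicitly allowed traffic passes.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -t nat -F

    # Loopback is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Stateful core: admit replies to connections we opened (and related
    # ones, e.g. FTP data), drop packets conntrack cannot tie to a connection.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Management (telnet/ssh on the router itself) only from the LAN side.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Log, rate-limited so the log cannot be flooded, then drop the rest
    # of what arrives on the WAN side.
    "$IPT" -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "
    "$IPT" -A INPUT -i "$WAN_IF" -j DROP

    # Forwarding: LAN -> WAN freely; WAN -> LAN only for tracked connections.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # NAT for LAN traffic leaving on the WAN interface.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Print the rules instead of applying them (subshell keeps IPT=echo local).
dry_run() {
    ( IPT=echo; apply_stateful_rules )
}

# Sanity check for a dry run: how many rules rely on the state match.
count_state_rules() {
    dry_run | grep -c -- '--state'
}

# Usage: sh firewall.sh dry-run   (print)    sh firewall.sh apply   (as root)
case "${1:-}" in
    apply)   apply_stateful_rules ;;
    dry-run) dry_run ;;
esac
```

The point of the ordering is that the ESTABLISHED,RELATED rule sits before any interface-specific rule, so a reply to an outbound connection is matched by the conntrack table rather than by a port list, and everything unsolicited from the WAN falls through to the logged DROP.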
