Pakon issues
https://gitlab.nic.cz/turris/pakon/-/issues
Updated: 2024-03-12T14:09:57+01:00

In Pakon log is missing devices from guest wifi
https://gitlab.nic.cz/turris/pakon/-/issues/32
Updated: 2024-03-12T14:09:57+01:00
Author: uzivatel457

I don't trust all home appliances (heat pump, thermometer, ...), so I have most of them on the wifi network for guests. Now I wanted to find out where they connect to, but Pakon doesn't monitor devices on the guest wifi network. Can this setting be changed?

refactor
https://gitlab.nic.cz/turris/pakon/-/issues/31
Updated: 2023-08-16T13:57:50+02:00
Author: Filip Hron

make some cli commands to better handle corner cases that might occur in app.

Tagged version 2.0.0 shows 1.2.2 version
https://gitlab.nic.cz/turris/pakon/-/issues/30
Updated: 2023-05-16T10:37:31+02:00
Author: Josef Schlehofer
Assignee: Filip Hron

Creating multiple times database leads to non-functional
https://gitlab.nic.cz/turris/pakon/-/issues/29
Updated: 2022-10-26T10:51:15+02:00
Author: Josef Schlehofer

Hi,
This command:
```
/usr/bin/pakon-maintain create-databases
```
does not give any output and I already had the database and it was working, but when I try to call it, then it leads to this error:
```
root@turris:~# pakon-show
Traceback (most recent call last):
File "/usr/bin/pakon-show", line 33, in <module>
sys.exit(load_entry_point('pakon==1.2.2', 'console_scripts', 'pakon-show')())
File "/usr/lib/python3.9/site-packages/pakon/show/__main__.py", line 116, in main
File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
File "/usr/lib/python3.9/json/decoder.py", line 355, in raw_decode
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```
The script should check if the database is alright and not create a new one.

Assignee: Filip Hron

Improve documentation
https://gitlab.nic.cz/turris/pakon/-/issues/28
Updated: 2022-05-12T09:02:20+02:00
Author: Josef Schlehofer

I am not able to send query as said in the documentation by using Postman as suggested by @fhron. It throws me error every single time.
I tried to improve both READMEs in this repository in turris/pakon!18, but there are some todos most likely with the Postman.

Assignee: Filip Hron

Pakon unindependent on Suricata
https://gitlab.nic.cz/turris/pakon/-/issues/27
Updated: 2022-05-13T11:50:58+02:00
Author: Filip Hron

Step to improve Pakon load

Milestone: Pakon 1.4.0
Assignee: Filip Hron

Pakon Improvements
https://gitlab.nic.cz/turris/pakon/-/issues/25
Updated: 2021-11-01T09:01:38+01:00
Author: Filip Hron

# Outline
In order to refactor Pakon code, here are some ideas how to overall improve
- its performance
- code readability
- database load
- etc.
# Content
- [ ] move from `pakon-handler` and provide API to frontend directly
  - query database in API
  - remove ``pakon-query/pakon-handler``
- [ ] ``run-check`` outside the `monitor` module
- [ ] determine and refactor when is ``ConntrackScriptSource`` vs ``UnixSocketSource``, for now if not set in `uci` user does not see the difference
- [ ] make sure we have option to feed name data from various sources (currently Suricata, in future DNS resolver, maybe separate TLS dump)
## Database improvements
- [ ] Amend data instead of having daily database squash (squash on insert)
  - (TRIGGER perhaps?)
- [x] Split database into two
  - avoid copy to ram and back to flash
  - short term in `/var/cache` with non-aggregated data
  - long term in `/srv` with aggregated data
  - do aggregation from short term to long term one
- [ ] ORM based DB access
- [ ] use ``peewee`` over ``SQLAlchemy`` as ``peewee`` seems to be already used on router
```sh
BusyBox v1.30.1 () built-in shell (ash)
(...)
TurrisOS 5.3.0, Turris Mox
(...)
In [1]: import SQLAlchemy
---------------------------------------------------------------------------
ModuleNotFoundError Traceback (most recent call last)
<ipython-input-1-8a440f506672> in <module>
----> 1 import SQLAlchemy
ModuleNotFoundError: No module named 'SQLAlchemy'
In [2]: import peewee
In [3]:
```
## Refactor
- [ ] remove new device alert
- [ ] light-remove suricata
  - knot resolver

Assignee: Filip Hron

Project: pakon-standalone
https://gitlab.nic.cz/turris/pakon/-/issues/17
Updated: 2022-10-17T21:29:35+02:00
Author: Filip Hron

## Vision
There is a requirement to make Pakon a stand-alone package. There are three parts that will make this happen without the need to run it on any Turris device. In short, without having Foris type UI. In order to achieve the goal we need to prepare each part in small steps.
1. contemporary __pakon-light__ repository and project:
   - Refactor code to meet our company project standards. (python proj. structure, ``pytest``, _installer_)
   - (more importantly) Introduce way to filter data from database in __CLI__ command.
2. __pakon-api__
   - Prepare __JSON__ schema for frontend.
   - Create __API__ wrapper.
3. React based __web-ui__
   - Analyze and get back with more detail. ``< TODO``

important note:
- Projects __2.__ and __3.__ may share the same _wsgi_ wrapper as both are based.
## Project structure, requirements
- [x] https://gitlab.nic.cz/turris/pakon/-/issues/26
- [ ] https://gitlab.nic.cz/turris/pakon/-/issues/27
- [ ] Create front-end standalone UI

Assignee: Filip Hron

Make sure DNS traffic is accounted for as well
https://gitlab.nic.cz/turris/pakon/-/issues/15
Updated: 2020-12-07T22:57:58+01:00
Author: Michal Hrusecky

Double check that we are not ignoring DNS traffic as we swallow it to provide metadata about the real traffic.

Add ability to reset database
https://gitlab.nic.cz/turris/pakon/-/issues/14
Updated: 2021-10-01T14:06:54+02:00
Author: Martin Matějek

Add some sort of control interface to enable easier manipulation with pakon database either from cli or from Foris.
Depends on: #12

Feature request: warnings
https://gitlab.nic.cz/turris/pakon/-/issues/6
Updated: 2019-10-24T18:02:35+02:00
Author: Bernd Wechner

Given how central Pakon promises to be for parental control (hence the name), I suspect a key feature into the future will be a warning system. That is a way of configuring it (if through config files or web UI matters little to me) to send a notification (the standard Omnia notification mechanism suffices for me as I get them emailed to me anyhow, but you could support other notification methods) when a client (matching a given RE) visits a host (given an RE). And/or provide easy access to a standard list of "unsafe" sites ... which must exist already somewhere - known sites not safe for kids. Of course there may be different sites for different age groups. But one imagines for example we might see pornhub on all of them ;-).
In any case, some means of configuring notifications when children are accessing dodgy material is a good thing.

pakon-show: Add client filter
https://gitlab.nic.cz/turris/pakon/-/issues/5
Updated: 2021-03-02T19:05:29+01:00
Author: Bernd Wechner

Pakon-show has a MAC filter, but not a client filter (yet). A client filter is needed, to show recent activity for a given client (family member's device, in the game of monitoring children).

Add some hostname resolution fallbacks ...
https://gitlab.nic.cz/turris/pakon/-/issues/4
Updated: 2019-10-24T18:02:10+02:00
Author: Bernd Wechner

The latest PaKon rocks! I LOVE it. Setting real standards here that MajorDomo let us down on, and alone making an investment into the Turris Omnia worth it (I say that as a parent raising kids and a desire to keep a tab on their internet visits!). It is so slick and clean.
Now, what I love is that my Clients are identified by name (seemingly a lookup on my DHCP static leases, which is BRILLIANT!) and hostnames are resolved (which I presume is my dream come true, basically sniffing all requests kresd receives to resolve names and keeping a table of name to IP mappings). This is all totally amazing and I need to say it!
I still see some IP addresses under the hostname though. And I can illustrate this best with a small screen snippet:
![image](/uploads/47b322a11edad4598847258f7e355933/image.png)
You can see two IP addresses there, and both would have good fallback resolution methods that I suspect are easily implemented. To wit I would ask kindly to consider implementing such fallbacks. Namely if resolution of IP to name fails with the primary method of DNS sniffed lookups then:
1. If it's a LAN address, use same method as for client (static DHCP leases).
2. If it's a WAN address, use a whois and perhaps report a name from that. The challenge is what name of course. The example IP turns out to have an Organization of "Amazon Technologies Inc. (AT-88-Z)" and a CustName of "Salesforce.com, Inc." so I'd say that was a Salesforce connection, and I suspect it sneaks past the DNS sniff because no name is ever resolved to that IP, but they've hardcoded some AJAX call to their own IP. Of course, it's all guesswork from whois and so perhaps is best reported with some markup like a different text style or colour or braces "{Salesforce.com, Inc.}" for example with a tooltip or note on the page that explains the notation's meaning. Perhaps just a footnote like a superscripted *, e.g. "Salesforce.com, Inc.*" with a footnote at bottom of page, could have a different footnote for each fallback mechanism even.
In any case a few simple fallbacks would see IP addresses almost if not completely disappear from the list!

Reconsider src_mac
https://gitlab.nic.cz/turris/pakon/-/issues/1
Updated: 2020-04-07T23:52:57+02:00
Author: Martin Petráček

In case of "normal" traffic (outgoing connection from local network to the internet), src_mac is mostly fine. But in case of incoming connection, when IP address is from WAN network, src_mac will be from the outer network as well, which is probably something we don't want. Also when router connects/sends something to the local network, we don't get any MAC address at all (this is due to NFQUEUE MAC address handling). This should be addressed somehow.