Synology Inc.

[dino]

The following links provide all necessary packages and kernel modules to get moblock 0.8 or 0.9 up and running on a PPC8533 machine:

Packages:
http://users.skynet.be/synology/iptable ... owerpc.ipk
http://users.skynet.be/synology/libnetf ... owerpc.ipk
http://users.skynet.be/synology/libnfne ... owerpc.ipk

the packages can be easily installed by executing ipkg install /pathtothpackage

Kernel modules ppc8533
http://users.skynet.be/synology/syno-ke ... pc8533.zip

Later today I'll update the post with the link to the moblock 0.9 package.

Please do not spam me already with howto setup everyting since I'm busy writing a little howto for this.

Have fun

[zdDog]

This would be great! but Since I have 8544 I'm hoping the kernel modules get compiled for my ds409+

I cannot imagine anyone using the download station without IP blocking (works like peerguardian)

would be seriously stupid IMHO

[tommyhj]

This would be great! but Since I have 8544 I'm hoping the kernel modules get compiled for my ds409+
I cannot imagine anyone using the download station without IP blocking (works like peerguardian)
would be seriously stupid IMHO

I'd say it would depend on your choice of trackers

[dino]

As I promised a while ago, here a little tuturial howto setup moblock on a PPC8533 diskstation. It took me hours and hours to get moblock and the kernel modules compiled but here it is:

Using FW914, the firewall must be enabled to activate the kernel modules which ship with the firmware. After activating, make sure the modules without a * are present
iptable_filter /lib/modules/iptable_filter.ko
ip_tables /lib/modules/ip_tables.ko
* ipt_REJECT /opt/lib/modules/ipt_REJECT.ko
nf_conntrack /lib/modules/nf_conntrack.ko
nf_conntrack_ipv4 /lib/modules/nf_conntrack_ipv4.ko
x_tables /lib/modules/x_tables.ko
* xt_iprange
* xt_mark
xt_multiport /lib/modules/xt_multiport.ko
* xt_NFQUEUE
xt_state /lib/modules/xt_state.ko
xt_tcpudp /lib/modules/xt_tcpudp.ko
* nfnetlink /lib/modules/nfnetlink.ko
* nfnetlink_queue /lib/modules/nfnetlink_queue.ko

Install needed ipkg packages from optware feed:
ipkg install findutils
ipkg install module-init-tools

Needed packages from http://users.skynet.be/synology
ipkg install http://users.skynet.be/synology/moblock ... owerpc.ipk
ipkg install http://users.skynet.be/synology/moblock ... owerpc.ipk
ipkg install http://users.skynet.be/synology/moblock ... owerpc.ipk
ipkg install http://users.skynet.be/synology/moblock ... owerpc.ipk

Download and unzip the following file:
http://users.skynet.be/synology/moblock/moblock.zip

The zip file contains 2 main directories

1/ iptables-syno-kernel-2-6-24-ppc8533 containing the kernel modules needed + insmod/rmmod script to insert/remove kernel modules:
ipt_iprange.ko
ipt_REJECT.ko
nfnetlink.ko
nfnetlink_queue.ko
xt_conntrack.ko
xt_mark.ko
xt_NFQUEUE.ko

script_insmod.sh
script_rmmod.sh

copy all kernel modules to /opt/lib/modules/2.6.24/ and execute sh script_insmod.sh
=> you should see the kernel modules installed now by executing lsmod

2/ opt containing the scripts / libraries for blockcontrol written by jre and adjusted by me to work on the disk station. The opt directory has the following structure:
opt
--var
----lib
------blockcontrol > this is the path where the downloaded lists will be stored
--lib
----blockcontrol
------blockcontrol.defaults
------blockcontrol.main
------blockcontrol.lib
----lsb
------init-functions
--bin
----blockcontrol
----blockcontrol.watchdog
--etc
----blockcontrol
------blockcontrol.conf
------blocklists.list
------allow.p2p

copy this directory structure to your bootstrapped disk station exactly as it is.
=> check and uncheck the blocklists you want to include in blocklists.list. Make sure exclude TBG Bogon since it will block your land addresses according to RFC???
=> edit blockcontrol.conf to allow certain ports to bypass moblock (eg. mangement port etc...)

Start moblock by using /opt/bin/blockcontrol start
or use other script options:
start
stop
restart
reload
update
status
test
stats
reset_stats
show_config
search

After starting moblock, using iptables -L -nv, you should see somthing like:

Chain INPUT (policy ACCEPT 12562 packets, 910K bytes)
pkts bytes target prot opt in out source destination
1761 118K blockcontrol_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14
26M 35G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
23669 1681K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 blockcontrol_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x14

Chain OUTPUT (policy ACCEPT 24M packets, 12G bytes)
pkts bytes target prot opt in out source destination
2454 172K blockcontrol_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match !0x1 4

Chain blockcontrol_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
0 0 RETURN all -- * * 0.0.0.0/0 192.168.111.1
0 0 RETURN all -- * * 192.168.111.0/24 192.168.111.0/24
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92

Chain blockcontrol_in (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
441 29560 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
688 54923 RETURN all -- * * 192.168.111.0/24 0.0.0.0/0
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 1312 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5070
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5070
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8050
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
32 1616 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000
598 30207 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92

Chain blockcontrol_out (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa reject-with icmp- port-unreachable
441 29560 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 192.168.111.1
59 7924 RETURN all -- * * 0.0.0.0/0 192.168.111.0/24
33 2181 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5070
25 16163 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8050
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000
10 600 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
39 2340 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1847 114K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92


Known issues (so far):
* when moblock blocks a packet, something like this is written in the log file:
Aug 13 20:47:42 kernel: nf_queue: error creating packet message
Aug 13 20:47:43 kernel: nf_queue: error creating packet message
Aug 13 20:47:48 kernel: printk: 4 messages suppressed.

Many thanks to jre (Maintainer of http://moblock-deb.sourceforge.net: MoBlock, mobloquer, blockcontrol and NFBlock Debian packages.
Author of blockcontrol, previously moblock-control) to help me sort out a lot of things and get moblock up and running on a ppc8533 synology disk station.

Have moblock fun

[dino]

NFBlock for powerpc => http://users.skynet.be/synology/nfblock ... owerpc.ipk

compiled with:
# Set DBUS to yes if you want to be able to use DBUS.

DBUS ?= no

# Set ZLIB to yes if you want to be able to load compressed blocklists.

ZLIB ?= yes

# LOWMEM disables storing of textual range descriptions in RAM.
# Set to yes if you are building a version for embedded devices
# like router or NAS box.

LOWMEM ?= yes


Next todo is to pack blockcontrol into an ipkg, but first I'll write a howto setup openvpn with the lastest powerpc build openvpn_2.1_rc19-1_powerpc.ipk which can be found here http://users.skynet.be/synology/openvpn ... owerpc.ipk since there's more demand for.

[seanm]

I have tried to get this working but got this error trying to load one of the modules:

NAS> ./script_insmod.sh
insmod: error inserting '/opt/lib/modules/2.6.24/nfnetlink_queue.ko': -1 Unknown symbol in module

Performing lsmod I get :
NAS> ./script_lsmod.sh
xt_conntrack 2848 0
nf_conntrack 56284 3 xt_conntrack,xt_state,nf_conntrack_ipv4
x_tables 13476 9 xt_mark,ipt_iprange,ipt_REJECT,xt_conntrack,xt_NFQUEUE,xt_state,xt_tcpudp,xt_multiport,ip_tables
nfnetlink 4088 0
ipt_REJECT 3904 0
x_tables 13476 9 xt_mark,ipt_iprange,ipt_REJECT,xt_conntrack,xt_NFQUEUE,xt_state,xt_tcpudp,xt_multiport,ip_tables
ipt_iprange 1632 0
x_tables 13476 9 xt_mark,ipt_iprange,ipt_REJECT,xt_conntrack,xt_NFQUEUE,xt_state,xt_tcpudp,xt_multiport,ip_tables
xt_NFQUEUE 1760 0
x_tables 13476 9 xt_mark,ipt_iprange,ipt_REJECT,xt_conntrack,xt_NFQUEUE,xt_state,xt_tcpudp,xt_multiport,ip_tables
xt_mark 1696 0
x_tables 13476 9 xt_mark,ipt_iprange,ipt_REJECT,xt_conntrack,xt_NFQUEUE,xt_state,xt_tcpudp,xt_multiport,ip_tables


And then if I run blockcontrol I get:

/bin/pidof: invalid option -- o
BusyBox v1.1.0 (2009.07.14-16:20+0000) multi-call binary

Usage: pidof process-name [OPTION] [process-name ...]

moblock is not running failed!

Any help appreciated?

[dino]

*what is your processor type: the modules are compiled for ppc8533
*regarding pidof, i guess you have to install coreutils

[seanm]

oops .... I have the DS508 which is a slightly different CPU

DS508 Freescale mpc8543 PPC Processor SATA, 64-bit Memory Bus, 512MB of RAM



I'll wait for the package!
Thanks Dino!

[rmetrich]

Hi Dino!

I have a DS209+II which runs a 2.6.24 kernel (synology firmware #850) but on a different CPU model:
DS209> cat /proc/cpuinfo
processor : 0
cpu : e500v2
clock : 1066.560000MHz
revision : 2.2 (pvr 8021 0022)
bogomips : 133.12
timebase : 66660000
platform : MPC8544 DS
Vendor : Freescale Semiconductor
PVR : 0x80210022
SVR : 0x80340011
PLL setting : 0x4
Memory : 512 MB

Please provide a tun driver for that platform. I'd like to run openvpn. I tried the one on http://ipkg.nslu2-linux.org/feeds/optwa ... /unstable/ but although it loads well, it crashes when setting up the device for use by openvpn (openvpn sets it up at startup):
Sep 3 21:37:51 kernel: Unable to handle kernel paging request for data at address 0x00000028
Sep 3 21:37:51 kernel: Faulting instruction address: 0xc1019854
Sep 3 21:37:51 kernel: Oops: Kernel access of bad area, sig: 11 [#1]
Sep 3 21:37:51 kernel: MPC8544 DS
Sep 3 21:37:51 kernel: Modules linked in: tun usbhid hid input_core usblp usb_storage uhci_hcd ohci_hcd ehci_hcd ds508_synobios(Sep 3 21:37:51 kernel: NIP: c1019854 LR: a020ed34 CTR: 00000000
Sep 3 21:37:51 kernel: REGS: bf3f5d60 TRAP: 0300 Tainted: P (2.6.24)
Sep 3 21:37:51 kernel: MSR: 00029000 <EE,ME> CR: 80002444 XER: 20000000
Sep 3 21:37:51 kernel: DEAR: 00000028, ESR: 00800000
Sep 3 21:37:51 kernel: TASK = bf86e4f0[4483] 'openvpn' THREAD: bf3f4000
Sep 3 21:37:51 kernel: NIP [c1019854] tun_setup+0x24/0x90 [tun]
Sep 3 21:37:51 kernel: LR [a020ed34] alloc_netdev_mq+0xa8/0xe8
Sep 3 21:37:51 kernel: Call Trace:
Sep 3 21:37:51 kernel: [bf3f5e10] [000080d0] 0x80d0 (unreliable)
Sep 3 21:37:51 kernel: [bf3f5e40] [a020ed34] alloc_netdev_mq+0xa8/0xe8
Sep 3 21:37:51 kernel: [bf3f5e60] [c1019e28] tun_chr_ioctl+0x568/0x6d8 [tun]
Sep 3 21:37:51 kernel: [bf3f5ee0] [a008a2a0] do_ioctl+0x68/0x9c
Sep 3 21:37:51 kernel: [bf3f5ef0] [a008a38c] vfs_ioctl+0xb8/0x3e8
Sep 3 21:37:51 kernel: [bf3f5f10] [a008a6fc] sys_ioctl+0x40/0x74
Sep 3 21:37:51 kernel: [bf3f5f40] [a000e250] ret_from_syscall+0x0/0x3c
Sep 3 21:37:51 kernel: Instruction dump:
Sep 3 21:37:51 kernel: 4bffff80 3aa0fff5 4bfffe80 9421ffd0 7c0802a6 90010034 bf810020 38000000
Sep 3 21:37:51 kernel: 7c7c1b78 83a30194 393d0020 387d0018 <90090008> 913d0020 91290004 48000b21
Sep 3 21:37:51 kernel: ---[ end trace 66bc665a03d12477 ]---

regards

[JarJar]

Hi Dino,
I'm having a problem installing the Moblock on my DS409+ (8533 processor) following the instructions above. I have the new DSM 2.2-0942 firmware installed and have run through the instructions but get the following errors when I run the insmod script
insmod: error inserting '/opt/lib/modules/2.6.24/xt_NFQUEUE.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/lib/modules/2.6.24/xt_conntrack.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/lib/modules/2.6.24/nfnetlink_queue.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/lib/modules/2.6.24/ipt_REJECT.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/lib/modules/2.6.24/ipt_iprange.ko': -1 Unknown symbol in module
insmod: error inserting '/opt/lib/modules/2.6.24/xt_mark.ko': -1 Unknown symbol in module

When I look into the logs the error is
xt_NFQUEUE: Unknown symbol xt_unregister_targets
xt_NFQUEUE: Unknown symbol xt_register_targets
xt_conntrack: Unknown symbol xt_register_match
xt_conntrack: Unknown symbol nf_conntrack_untracked
xt_conntrack: Unknown symbol nf_ct_l3proto_module_put
xt_conntrack: Unknown symbol xt_unregister_match
xt_conntrack: Unknown symbol nf_ct_l3proto_try_module_get
Netfilter messages via NETLINK v0.30.
nfnetlink_queue: Unknown symbol kmalloc_caches
ipt_REJECT: Unknown symbol xt_register_target
ipt_REJECT: Unknown symbol xt_unregister_target
ipt_iprange: Unknown symbol xt_register_match
ipt_iprange: Unknown symbol xt_unregister_match
xt_mark: Unknown symbol xt_unregister_matches
xt_mark: Unknown symbol xt_register_matches

Any help you can provide would be greatly appreciated!

[dino]

Guys, you do not have the correct kernel to insert those modules in. Read carefully the post first, because doing not can brick your synology not booting anymore! Those modules are compiled for a different proc, that's the reason why you get symbol errors inserting the modules. Of course I could spend all my time in compiling all modules for each synology proc, but I just don't have the time to do so. There are good docs about howto do that. I'll try to do my best for those who really want to get this up and running, but need some support from others too. Anyway, I hope synology will release the new toolchain and gpl's for branch 946 so we can do some more testing. I've noticed that for example the tun.ko module crashes on some diskstations.

As I said before, everybody is screeming to have moblock on the ds running, but appearantly I'm pretty alone putting effort in this.

[rmetrich]

Hi Dino,

I think I have the right proc. but indeed, as Synology is not releasing the GPL sources in time, issues can occur.
I chose Synology for my NAS solution because I thought they were proactive. Looks like they're not ...

[dino]

Your machine has a 8544 proc, the modules are compiled for 8533...................slight different, but I'm pretty sure that's the reason why you get the error inserting the modules

[dino]

This is probably not the right forum to put this post, but my experience is that synology is not the company to release fw updates every week, but when they release, it's pretty stable. Other well known vendors like qnap release much more fw's in short time, but they lack of stability and by the way, they consume much more power implementing led displays and christmas tree lights on their devices which are mostly located somewhere in a closet or whatever. for me it's much more important to have a stable product which can be modified by a user who knows what she/he is doing. Take an example of the lateast feature, the media server, it's not a product they bought from a 3rdparty, but developped their own. I guess they do this because they want to have control of what is happening in their product instead of having giant number of support calls they can't handle.

Anyway, my experience with synology is very positive up to now (also with the online support), but of cource, as everything, it could be better. The only time my ds was not working was my fault (for example inserting wrong modules etc).

What I share among a lot of users is that they could implement a lot of enhancements like apache modules not compiled into their apache web server and let the user decide what to use and what not, but again, I guess this is a company specific policy. How many procent of the users do you think are interested in features asked in the "mod" forum?

I believe people who spend that much of money to a NAS are convinced they bought a product to host their data and backups, but I you could't rely on a storage system anymore, you have a problem nowadays.

As I said, wrong forum to discuss about this.

[JarJar]

Hi Dino,
According to the Synology wiki, the DS409+ (as well as the DS209+ & DS209+II) all use the 8533
http://forum.synology.com/wiki/index.ph ... y_NAS_have

That being said, when you check the cpu info on the box, it shows up as 8543 but this discrepancy is discussed
viewtopic.php?f=141&t=15884

Cheers