Started glossary, firewall split, added attachments, minor fixes

Linreigns 7 years ago
parent bc946519eb
commit a8fe815539

.gitignore vendored

@ -2,6 +2,8 @@ forksand-it-manual.pdf
*~
.~lock.*#
*.aux
*.glg
*.ist
*.bbl
*.blg
.fuse_hidden*
@ -19,6 +21,7 @@ _minted-*
*.swp
*.toc
*.xdv
*.xdy
*.zip
*.fls
*.fdb_latexmk

@ -27,6 +27,8 @@ xelatex \
-interaction=nonstopmode \
forksand-it-manual.tex
makeglossaries-lite "forksand-it-manual"
for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly
exit 0
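Review bot: `makeglossaries-lite "forksand-it-manual"` is inserted after what appears to be the final `xelatex` pass and directly before the PDFs are moved, so the glossary it generates cannot be incorporated into the PDF that is shipped; a further `xelatex` pass is needed after it (the lines before the hunk, and the second added line this hunk's header counts, are outside view, so this may already be handled there). The script also ends in `exit 0`, so a failed glossary build (for example a missing `.glo` file from an earlier pass) is silently masked; `makeglossaries-lite "forksand-it-manual" || exit 1` would make the build fail visibly instead.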

@ -123,7 +123,7 @@ The following applications are required to utilize this this section objectives.
Ansible can be installed using Python PIP.
\begin{itemize}
\item \texttt{Ansible} 2.4.x+
\item \texttt{Python} 2.7.9+
\item \texttt{Python} 2.7.x+
\textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements}
\end{itemize}
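Review bot: The todo at the end of the hunk is styled inline with `\textcolor[rgb]{0.80,0.00,0.00}{...}` and sits inside the `itemize` without an `\item`, so it is typeset as a continuation of the preceding `Python` item rather than as a note of its own. A semantic macro keeps the colouring in one place and makes such notes easy to find or strip before release, e.g. `\newcommand*{\todo}[1]{\textcolor[rgb]{0.80,0.00,0.00}{#1}}` in the preamble and `\item \todo{Clarify confusion over version requirements}` here. The two `Python` items still state different minimums (`2.7.9+` and `2.7.x+`), which the todo acknowledges; until that is resolved the stricter bound is the safer one to leave in the text.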

@ -32,7 +32,7 @@ We encourage you to do so! We are able to supply secure and stable environments
FlokiNET runs Tor exit and relay nodes.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-flokinet.png}
\caption{Flokinet Website}
\label{fig:www-flokinet}
@ -141,11 +141,11 @@ FlokiNET Pros:
\item The entire reason for FlokiNET to exist is to help people publish in repressive environments.
\item Strong dedication to privacy.
\item Based in Iceland.
\item Dedicated servers aren't too expensive.
\item \Glspl{dedicatedserver} aren't too expensive.
\item Romanian VPS is OpenVZ and KVM.
\item Finnish VPS is KVM.
\item Has private domain registration services.
\item Colocation available.
\item \Gls{colocation} available.
\item ``FlokiNET is proud to be completly Tor Project logo-friendly. Feel free to host a TOR-node with us!''
\item ``DDoS mitigation cloud has 950 Gbps filtering capacity.''
\item Finland and Iceland are free speech friendlier countries.
@ -163,7 +163,7 @@ FlokiNET Cons:
\begin{itemize}
\item Iceland Virtual Private Server uses VMWare.
\item Dedicated servers look like older HP models.
\item \Glspl{dedicatedserver} look like older HP models.
\item Bandwidth is OK, but not great as they are on a remote island.
\item VoIP URL is 404 \url{https://flokinet.is/en/learnsecurevoip.php}.
\item Uses WHMCS for account services management (non-free software).
@ -184,7 +184,7 @@ is4423 tty1 - 02:24 2:16m 0.17s 0.08s -bash
\subsection{FlokiNET Unknown}
\begin{itemize}
\item IPMI on dedicated servers?
\item IPMI on \glspl{dedicatedserver}?
\item The IP in \texttt{/etc/hosts} for the hostname wasn't the same as used for SSH.
Either a mistake or firewall forwarded for security (???). Appears to be mistake.
Either a mistake or \gls{firewall} forwarded for security (???). Appears to be mistake.
\end{itemize}

@ -16,13 +16,13 @@ Looks good. Manually provisions servers over a few days.
Good local speed and latency.
\url{https://sharktech.net/}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech.png}
\caption{Sharktech Website}
\label{fig:www-sharktech}
\end{figure}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech-dashboard-services.png}
\caption{Sharktech Dashboard Services Web Page}
\label{fig:www-sharktech-dashboard-services}
@ -54,17 +54,17 @@ Firmware Build Time : 2015-01-05
# XXX takes 7 minutes to reboot.
\end{minted}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp.png}
\caption{Sharktech Reboot DHCP Hang}
\label{fig:sharktech-reboot-dhcp}
\end{figure}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp-2.png}
\caption{Sharktech Reboot DHCP Hang 2}
\label{fig:sharktech-reboot-dhcp-2}
\end{figure}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-grub.png}
\caption{Sharktech Reboot GRUB}
\label{fig:sharktech-reboot-grub}

@ -15,8 +15,8 @@
The following operating systems will be used:
\begin{itemize}
\item Debian GNU/Linux --- For Utility, Ceph, and OpenNebula Servers.
\item OPNSense --- Firewalls.
\item Debian \gls{gnulinux} --- For Utility, Ceph, and OpenNebula Servers.
\item OPNSense --- \Glspl{firewall}.
\end{itemize}
\input{Distros/Debian}
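Review bot: The new line `\item OPNSense --- \Glspl{firewall}.` keeps the `OPNSense` capitalisation while the Firewall-opnsense.tex added in this same commit writes `OPNsense` throughout, which is the product's spelling; use `\item OPNsense --- \Glspl{firewall}.` here, or better a glossary/acronym entry so the name is spelled in one place.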

@ -13,7 +13,7 @@
\section{Debian}
Debian is a free software GNU/Linux distribution.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website}
\label{fig:www-debian}
@ -56,7 +56,7 @@ Here are some for Debian...
The \texttt{packer} application in Debian looks particularly useful.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-packer.png}
\caption{Packer Website}
\label{fig:www-packer}

@ -12,7 +12,7 @@
\section{DISTRO}
Website: % \url{https://www.distro.org}
%\begin{figure}[h!]
%\begin{figure}[!htb]
%\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-distro.png}
% \caption{DISTRO Website}
% \label{fig:www-distro}

@ -0,0 +1,607 @@
%
% Firewall-opnsense.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Issued by Oleksandr Papevis
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Hardware Overview}
\begin{itemize}
\item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/}
\\ \url{https://wiki.opnsense.org/index.html}
\item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm}
\end{itemize}
The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O.
That means that both the rear I/O ports as well as the I/O expansion
ports are found along the front side of the rack. In many cases this
is a desirable configuration as it can make cabling very simple.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T Front}
\label{fig:supermicroSSfront}
\end{figure}
The rear of the unit has a redundant 400W power supply. Rated at 80
Plus Platinum the power supplies are efficient as well. The remainder
of the rear is simply a bezel for fans.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-rear.png}
\caption{Supermicro SuperServer 1018D-FRN8T Rear}
\label{fig:supermicroSSrear}
\end{figure}
The onboard I/O is plentiful. There are two USB 3.0 ports along with
a VGA port for KVM carts. Above the USB ports there is a RJ-45
Ethernet port for out-0f-band management that can be directly
connected to a dedicated management network.
%-------------------
Furthermore there are
six 1GbE ports connected to two Intel i210-at controllers and an
Intel i350-am4 controller. The two SFP+ ports are controlled by the
Xeon Ds Intel X552 NIC. For \glspl{firewall} and other appliances, this is
a very strong configuration.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/iris-fw1100-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T interfaces}
\label{fig:supermicroSSinterfaces}
\end{figure}
Inside the system we see a redundant set of fans near the PSU bezel
and a very small motherboard inside. One can see our two stacks of
Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed
the PCIe riser and the airflow shroud from this picture to show off
the internals better.
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-noshroud.png}
\caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud}
\label{fig:supermicroSSnoshroud}
\end{figure}
\subsection{Remote Management}
Supermicros IPMI and KVM-over-IP enables deployment flexibility.
One can do remote power up, power down, and reset of the server in
the event that it becomes unresponsive.
\begin{itemize}
\item fan speeds, chassis intrusion sensors, thermal sensors,
and etc. can be monitored remotely
\item remote power control. One can do remote power up, power
down, and reset of the server in the event that it becomes
unresponsive.
\item alerts can be setup to notify the admins of issues.
\item remotely mount CD images and floppy images to the machine
over the dedicated management Ethernet controller. This keeps
maintenance traffic off of the primary Intel NICs.
At the same time it removes the need for an optical disk to
be connected to the Supermicro motherboard.
\end{itemize}
Supermicro's BIOS has a feature: the BMC IP address shows
up on the post screen!
If you have a KVM cart hooked up to the system, it gives an
indicator of which machine one is connected to during post.
Supermicro does include KVM-over-IP functionality with the motherboard.
\begin{itemize}
\item Default IPMI connection is in cleartext http.
\item SSL certificate for Supermicro IPMI is bad (like all of them).
\item Can't change password on IPMI.
%\item Root password for server and IPMI is sent via email.
%\item There is an attack window between their machine imaging and first login.
%\item Customer should control timing of first power on.
%\item System is also possibly vuln during the ISP's initial power up and commissioning period.
%\item First reboot, the system hung (.png XXX).
%\item Hard reset, lots of DHCP queries at boot.
%\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}!
%\item They block NTP to prevent DDoS, so you have to use their time server
% \texttt{time.sharktech.net}
\end{itemize}
\subsection{Supermicro Setup over IPMI bios}
{{\grenewcommand{\currentColor}{secondary-brown}}}
{{\grenewcommand{\currentTextColor}{ao-black}}}
\providecommand{\sharkIPConfigItem}[4]{}
\renewcommand{\sharkIPConfigItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
}
\providecommand{\sharkIPConfigLastItem}[4]{}
\renewcommand{\sharkIPConfigLastItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-1.0em]{0pt}{1em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[2pt]{1-2}
}
\providecommand{\SIPCCwidth}{3.5cm}
\renewcommand{\SIPCCwidth}{5cm}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-init.png}
\caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization}
\label{fig:supermicroSSCIpmiInit}
\end{figure}
Before IPMI Initialization, choose in Boot Agent GE an entry PXE
(Preboot eXecution Environment)
In Aptio Setup Utility set the following Boot Features:
\begin{table}[!htb]
\caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{}
\sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[On\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{}
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
Set system Date/Time
\newpage
\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot1.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu}
\label{fig:supermicroSSCIpmiBoot1}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Power Configuration }{}{}{}
\sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{}
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot2.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader}
\label{fig:supermicroSSCIpmiBoot2}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{}
\sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-opnsense-boot1.png}
\caption{Supermicro SuperServer OPNsense Boot variant}
\label{fig:supermicroSSCIpmiOpnsenseBoot1}
\end{figure}
Let default option 5 execute.
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Adapter }{LSI2116-IT}{}{}
\sharkIPConfigItem { PCI Slot }{0B}{}{}
\sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{}
\sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{}
\sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{}
\sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{}
\sharkIPConfigItem { Status }{Disabled}{}{}
\sharkIPConfigItem { Boot Order}{0}{}{}
\sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\subsection{Configurate with OPNsense Dashboard}
{{\grenewcommand{\currentColor}{primary-blue}}}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash1.png}
\caption{Supermicro SuperServer OPNsense Dashboard}
\label{fig:supermicroSSCIpmiOpnsenseDash1}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Hostname }{sf-fw1}{}{}
\sharkIPConfigItem { Domain }{forksand.com}{}{}
\sharkIPConfigItem { Language }{English}{}{}
\sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{}
\sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{}
\sharkIPConfigLastItem{ Override DNS }{unchecked}{}{}
\sharkIPConfigLastItem{ Enable Resolver}{checked}{}{}
\sharkIPConfigLastItem{ Others }{leave unchecked}{}{}
\end{tabu}
\end{table}
\begin{itemize}
\item Set server time information
\item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty
\item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24
\item Set Web GUI Password
\item Reload to apply changes
\item Finished initial configuration, click a href "continue to the dashboard"
\item Configure console appears, refer to table
\ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. \pageref{tab:supermicroSSCIpmiOpnsenseDash2}
\item Set root password and reboot
\item Re-enter Aptio Setup Utility Boot tab
\item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`]
\item Start the boot
\item OPNsense: Let default option 5 execute
\end{itemize}
{{\grenewcommand{\currentColor}{secondary-brown}}}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash2.png}
\caption{Supermicro SuperServer OPNsense Dashboard Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash2}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Configure Console }{Accept these Settings}{}{}
\sharkIPConfigItem { Select task }{Guided installation}{}{}
\sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{}
\sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{}
\sharkIPConfigItem { Swap Partition }{yes}{}{}
\sharkIPConfigLastItem{ Enable Resolver}{checked}{}{}
\end{tabu}
\end{table}
{{\grenewcommand{\currentColor}{primary-blue}}}
\subsection{Update OPNsense Firmware using Dashboard}
\begin{itemize}
\item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML
\item Execute update firmware, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash3}
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash3-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware}
\label{fig:supermicroSSCIpmiOpnsenseDash3}
\end{figure}
\begin{itemize}
\item Standby until updating finished, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4}
\item Switch to tab Settings, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5}
\end{itemize}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash4-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash4}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash5-fw.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings}
\label{fig:supermicroSSCIpmiOpnsenseDash5}
\end{figure}
\begin{itemize}
\item Set mirror to LeaseWeb (San Francisco, US)
\item Set Flavour to LibreSSL
\item Set Release Type to Production
\item Click save and return to Updates tab.
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash6-fw-updates.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates}
\label{fig:supermicroSSCIpmiOpnsenseDash6}
\end{figure}
\begin{itemize}
\item Click Update now.
\item Standby until Update is completed.
\item Restore configs from XML, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash8}
\end{itemize}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash7-fw-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing}
\label{fig:supermicroSSCIpmiOpnsenseDash7}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash8-fw-backupandreboot.png}
\caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup}
\label{fig:supermicroSSCIpmiOpnsenseDash8}
\end{figure}
\begin{itemize}
\item Upload the config and restore
\item Add a user, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9}
using parameters from table
\ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. \pageref{tab:supermicroSSCIpmiOpnsenseAddUser}
\end{itemize}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash9-user.png}
\caption{Supermicro SuperServer OPNsense Dashboard Add User}
\label{fig:supermicroSSCIpmiOpnsenseDash9}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Username }{jebba}{}{}
\sharkIPConfigItem { Disabled }{unchecked}{}{}
\sharkIPConfigItem { Full name }{Jeff Moe}{}{}
\sharkIPConfigItem { E-mail }{moe@forksand.com}{}{}
\sharkIPConfigItem { Comment }{}{}{}
\sharkIPConfigItem { Expiration date }{}{}{}
\sharkIPConfigLastItem{ Group Memberships }{Member of admins}{}{}
\sharkIPConfigItem { Certificate }{unchecked}{}{}
\sharkIPConfigLastItem{ OTP seed }{}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash10-dhcpv4.png}
\caption{Supermicro SuperServer OPNsense Dashboard DHCPv4}
\label{fig:supermicroSSCIpmiOpnsenseDash10}
\end{figure}
\begin{itemize}
\item Disable DHCPv4
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{unchecked}{}{}
\sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
\sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
\sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
\sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{}
\sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation}
\label{fig:supermicroSSCIpmiOpnsenseDash11}
\end{figure}
\begin{itemize}
\item Make sure os-dyndns plugin installed
\item Install os-acme-client
\end{itemize}
%\begin{table}[!htb]
% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins}
% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
% \tabucline[2pt]{1-2}
% \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
% \tabucline[2pt]{1-2}
% \sharkIPConfigItem { Enable }{unchecked}{}{}
% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{}
% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
% \end{tabu}
%\end{table}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash12-lea.png}
\caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account}
\label{fig:supermicroSSCIpmiOpnsenseDash12}
\end{figure}
\begin{itemize}
\item Add Let's Encrypt account
\item Modify global Let's Encrypt settings
\item Apply Let's Encrypt settings
\item Refer to Certificates menu
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{}
\sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{}
\sharkIPConfigItem { Enable Plugin }{checked}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{}
\sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{}
\end{tabu}
\end{table}
\newpage
%\begin{figure}[!htb]
% \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
% {sf-fw/ssc-opns-dash13-cert.png}
% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate}
% \label{fig:supermicroSSCIpmiOpnsenseDash12}
%\end{figure}
\begin{itemize}
\item Add Validation Method
\item Add Certificate
\item Apply ``Issue/Renew Certificates Now''
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt validation} \label{tab:supermicroSSCIpmiOpnsenseLeaValid}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Validation Method }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1-http}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1 http validation}{}{}
\sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{}
\sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{}
\sharkIPConfigItem { IP Auto-Discovery }{checked}{}{}
\sharkIPConfigItem { Interface }{WAN}{}{}
\sharkIPConfigLastItem{ IP Addresses }{}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Certificate }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{}
\sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{}
\sharkIPConfigItem { Alt Names }{}{}{}
\sharkIPConfigItem { LE Account }{sf-fw1}{}{}
\sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{}
\sharkIPConfigItem { Restart Actions }{}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigLastItem{ Renewal Interval }{60}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Interfaces -\char`> Lan }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Lock }{checked}{}{}
\sharkIPConfigItem { Description }{LAN}{}{}
\sharkIPConfigItem { IPv4 Configuration Type }{Static IPv4}{}{}
\sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{}
\end{tabu}
\end{table}
\begin{itemize}
\item Refer to System -\char`> Gateways -\char`> Single -\char`> WAN\char`_DHCP6
\item Set Disabled flag to checked
\item Press Apply changes
\item Modify LAN and WAN interfaces, disable IPv6 at both
\item Modify \Gls{firewall} Rules, disable IPv6
\item Add new rula to \Gls{firewall} Rules WAN
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard \Gls{firewall} Rules} \label{tab:supermicroSSCIpmiOpnsenseLeaRules}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Interfaces -\char`> WAN }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Lock }{checked}{}{}
\sharkIPConfigItem { Description }{WAN}{}{}
\sharkIPConfigItem { IPv4 Configuration Type }{DHCP}{}{}
\sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { \Gls{firewall} -\char`> Settings -\char`> Advanced }{}{}{}
\sharkIPConfigLastItem{ Allow IPv6 }{unchecked}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { \Gls{firewall} -\char`> Rules -\char`> WAN }{}{}{}
\sharkIPConfigItem { Action }{Pass}{}{}
\sharkIPConfigItem { Disabled }{unchecked}{}{}
\sharkIPConfigItem { Interface }{WAN}{}{}
\sharkIPConfigItem { TCP/IP Version }{IPv4}{}{}
\sharkIPConfigItem { Protocol }{TCP}{}{}
\sharkIPConfigItem { Source/Invert }{unchecked}{}{}
\sharkIPConfigItem { Source }{any}{}{}
\sharkIPConfigItem { Destination/Invert }{unchecked}{}{}
\sharkIPConfigItem { Destination }{This \Gls{firewall}}{}{}
\sharkIPConfigItem { Destination port range }{https to https}{}{}
\sharkIPConfigItem { Log }{unchecked}{}{}
\sharkIPConfigItem { Category }{}{}{}
\sharkIPConfigItem { Discription }{Enable https to \Gls{firewall}}{}{}
\sharkIPConfigItem { Source OS }{Any}{}{}
\sharkIPConfigItem { No XMLRPC Sync }{unchecked}{}{}
\sharkIPConfigItem { Shedule }{none}{}{}
\sharkIPConfigLastItem{ Gateway }{default}{}{}
\end{tabu}
\end{table}
\newpage
\section{Alternatives Hardware Overview}
Some resellers:
\begin{itemize}
\item \url{https://www.deciso.com/}
\item \url{https://www.pfwhardware.com/}
\item \url{https://www.osnet.eu/}
\end{itemize}
\begin{itemize}
\item (8) 1 gig ethernet ports
Connects to (1) 100M ethernet upstream fiber optic
Connects to (1) 100M ethernet upstream wifi
Various LAN
\item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5'' drive bays
\item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover
\end{itemize}
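Review bot: The "Firewall -> Rules -> WAN" table near the end of the hunk passes TCP from `Source` `any` to `This \Gls{firewall}` on `https` with `Log` `unchecked`, which publishes the OPNsense web GUI (and the root/admin logins configured earlier in the file) to every address reachable over the WAN. If the rule exists for the Let's Encrypt validation, the table above it already selects `HTTP-01` with `OPNsense Web Service (automatic port forward)`, and HTTP-01 is answered on port 80, so the HTTPS pass rule is not needed for that; otherwise restrict and log it, e.g. `\sharkIPConfigItem { Source }{<management-network alias>}{}{}` and `\sharkIPConfigItem { Log }{checked}{}{}`, so that GUI access attempts from the WAN are recorded. Separately, the commented items after `Can't change password on IPMI` (`time.sharktech.net`, the unknown `debian` user) and the `sf-fw LSI Corp Config Utility` captions reused on the hostname/DNS and guided-installation tables look like copy-paste leftovers from the Sharktech section and should be dropped or relabelled. The `\sharkIPConfigItem`/`\sharkIPConfigLastItem` macros take four arguments but use only `#1` and `#2`, and several rows carry names that cannot match their values (four consecutive `SumBbsSupportFlag` rows, `Subnet mask` set to `[Power On]`, `Enable Resolver` in the install-mode table), so the BIOS tables should be re-checked against the screenshots before anyone follows them.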

@ -10,581 +10,38 @@
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
Firewalls keep the bad packets out, mostly. And let some good packets out.
\Glspl{firewall} keep the bad packets out, mostly. And let some good packets out.
\section{Overview}
What is the network doing?
\begin{itemize}
\item snort
\item MRTG
\item Aguri
%\item MRTG
%\item Aguri
\end{itemize}
\section{Authentication}
Two-factor authentication using TOTP.
\section{Firewall Hardware Overview}
Hardware.
\begin{itemize}
\item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/}
\\ \url{https://wiki.opnsense.org/index.html}
\item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm}
\end{itemize}
The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O.
That means that both the rear I/O ports as well as the I/O expansion
ports are found along the front side of the rack. In many cases this
is a desirable configuration as it can make cabling very simple.
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T Front}
\label{fig:supermicroSSfront}
\end{figure}
The rear of the unit has a redundant 400W power supply. Rated at 80
Plus Platinum the power supplies are efficient as well. The remainder
of the rear is simply a bezel for fans.
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-rear.png}
\caption{Supermicro SuperServer 1018D-FRN8T Rear}
\label{fig:supermicroSSrear}
\end{figure}
The onboard I/O is plentiful. There are two USB 3.0 ports along with
a VGA port for KVM carts. Above the USB ports there is a RJ-45
Ethernet port for out-0f-band management that can be directly
connected to a dedicated management network.
%-------------------
Furthermore there are
six 1GbE ports connected to two Intel i210-at controllers and an
Intel i350-am4 controller. The two SFP+ ports are controlled by the
Xeon Ds Intel X552 NIC. For firewalls and other appliances, this is
a very strong configuration.
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/iris-fw1100-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T interfaces}
\label{fig:supermicroSSinterfaces}
\end{figure}
Inside the system we see a redundant set of fans near the PSU bezel
and a very small motherboard inside. One can see our two stacks of
Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed
the PCIe riser and the airflow shroud from this picture to show off
the internals better.
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-noshroud.png}
\caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud}
\label{fig:supermicroSSnoshroud}
\end{figure}
\subsection{Remote Management}
Supermicros IPMI and KVM-over-IP enables deployment flexibility.
One can do remote power up, power down, and reset of the server in
the event that it becomes unresponsive.
\begin{itemize}
\item fan speeds, chassis intrusion sensors, thermal sensors,
and etc. can be monitored remotely
\item remote power control. One can do remote power up, power
down, and reset of the server in the event that it becomes
unresponsive.
\item alerts can be setup to notify the admins of issues.
\item remotely mount CD images and floppy images to the machine
over the dedicated management Ethernet controller. This keeps
maintenance traffic off of the primary Intel NICs.
At the same time it removes the need for an optical disk to
be connected to the Supermicro motherboard.
\end{itemize}
Supermicros BIOS has a feature: the BMC IP address shows
up on the post screen!
If you have a KVM cart hooked up to the system, it gives an
indicator of which machine one is connected to during post.
Supermicro does include KVM-over-IP functionality with the motherboard.
\begin{itemize}
\item Default IPMI connection is in cleartext http.
\item SSL certificate for Supermicro IPMI is bad (like all of them).
\item Can't change password on IPMI.
%\item Root password for server and IPMI is sent via email.
%\item There is an attack window between their machine imaging and first login.
%\item Customer should control timing of first power on.
%\item System is also possibly vuln during the ISP's initial power up and commissioning period.
%\item First reboot, the system hung (.png XXX).
%\item Hard reset, lots of DHCP queries at boot.
%\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}!
%\item They block NTP to prevent DDoS, so you have to use their time server
% \texttt{time.sharktech.net}
\end{itemize}
\subsection{Supermicro Setup over IPMI bios}
{{\grenewcommand{\currentColor}{secondary-brown}}}
{{\grenewcommand{\currentTextColor}{ao-black}}}
\providecommand{\sharkIPConfigItem}[4]{}
\renewcommand{\sharkIPConfigItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
}
\providecommand{\sharkIPConfigLastItem}[4]{}
\renewcommand{\sharkIPConfigLastItem}[4]{
\rowcolor{\currentColor} \vspace{-1pt}
\rule[-1.0em]{0pt}{1em} \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt}
\small{\textcolor{\currentTextColor}{#2}} \\
\tabucline[2pt]{1-2}
}
\providecommand{\SIPCCwidth}{3.5cm}
\renewcommand{\SIPCCwidth}{5cm}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-init.png}
\caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization}
\label{fig:supermicroSSCIpmiInit}
\end{figure}
Before IPMI Initialization, choose in Boot Agent GE an entry PXE
(Preboot eXecution Environment)
In Aptio Setup Utility set the following Boot Features:
\begin{table}[!htb]
\caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{}
\sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[On\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{}
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
Set system Date/Time
\newpage
\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}}
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot1.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu}
\label{fig:supermicroSSCIpmiBoot1}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Power Configuration }{}{}{}
\sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{}
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-boot2.png}
\caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader}
\label{fig:supermicroSSCIpmiBoot2}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{}
\sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{}
\sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-ipmi-opnsense-boot1.png}
\caption{Supermicro SuperServer OPNsense Boot variant}
\label{fig:supermicroSSCIpmiOpnsenseBoot1}
\end{figure}
Let default option 5 execute.
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Adapter }{LSI2116-IT}{}{}
\sharkIPConfigItem { PCI Slot }{0B}{}{}
\sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{}
\sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{}
\sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{}
\sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{}
\sharkIPConfigItem { Status }{Disabled}{}{}
\sharkIPConfigItem { Boot Order}{0}{}{}
\sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{}
\end{tabu}
\end{table}
\newpage
{{\grenewcommand{\currentColor}{primary-blue}}}
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash1.png}
\caption{Supermicro SuperServer OPNsense Dashboard}
\label{fig:supermicroSSCIpmiOpnsenseDash1}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Hostname }{sf-fw1}{}{}
\sharkIPConfigItem { Domain }{forksand.com}{}{}
\sharkIPConfigItem { Language }{English}{}{}
\sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{}
\sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{}
\sharkIPConfigLastItem{ Override DNS }{unchecked}{}{}
\sharkIPConfigLastItem{ Enable Resolver}{checked}{}{}
\sharkIPConfigLastItem{ Others }{leave unchecked}{}{}
\end{tabu}
\end{table}
\begin{itemize}
\item Set server time information
\item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty
\item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24
\item Set Web GUI Password
\item Reload to apply changes
\item Finished initial configuration, click a href "continue to the dashboard"
\item Configure console appears, refer to table
\ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. \pageref{tab:supermicroSSCIpmiOpnsenseDash2}
\item Set root password and reboot
\item Re-enter Aptio Setup Utility Boot tab
\item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`]
\item Start the boot
\item OPNsense: Let default option 5 execute
\end{itemize}
{{\grenewcommand{\currentColor}{secondary-brown}}}
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash2.png}
\caption{Supermicro SuperServer OPNsense Dashboard Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash2}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Configure Console }{Accept these Settings}{}{}
\sharkIPConfigItem { Select task }{Guided installation}{}{}
\sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{}
\sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{}
\sharkIPConfigItem { Swap Partition }{yes}{}{}
\sharkIPConfigLastItem{ Enable Resolver}{checked}{}{}
\end{tabu}
\end{table}
{{\grenewcommand{\currentColor}{primary-blue}}}
\begin{itemize}
\item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML
\item Execute update firmware, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash3}
\end{itemize}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash3-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware}
\label{fig:supermicroSSCIpmiOpnsenseDash3}
\end{figure}
\begin{itemize}
\item Standby until updating finished, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4}
\item Switch to tab Settings, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5}
\end{itemize}
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash4-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued}
\label{fig:supermicroSSCIpmiOpnsenseDash4}
\end{figure}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash5-fw.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings}
\label{fig:supermicroSSCIpmiOpnsenseDash5}
\end{figure}
\begin{itemize}
\item Set mirror to LeaseWeb (San Francisco, US)
\item Set Flavour to LibreSSL
\item Set Release Type to Production
\item Click save and return to Updates tab.
\end{itemize}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash6-fw-updates.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates}
\label{fig:supermicroSSCIpmiOpnsenseDash6}
\end{figure}
\begin{itemize}
\item Click Update now.
\item Standby until Update is completed.
\item Restore configs from XML, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash8}
\end{itemize}
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash7-fw-update.png}
\caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing}
\label{fig:supermicroSSCIpmiOpnsenseDash7}
\end{figure}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash8-fw-backupandreboot.png}
\caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup}
\label{fig:supermicroSSCIpmiOpnsenseDash8}
\end{figure}
\begin{itemize}
\item Upload the config and restore
\item Add a user, refer to figure
\ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9}
using parameters from table
\ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. \pageref{tab:supermicroSSCIpmiOpnsenseAddUser}
\end{itemize}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash9-user.png}
\caption{Supermicro SuperServer OPNsense Dashboard Add User}
\label{fig:supermicroSSCIpmiOpnsenseDash9}
\end{figure}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Username }{jebba}{}{}
\sharkIPConfigItem { Disabled }{unchecked}{}{}
\sharkIPConfigItem { Full name }{Jeff Moe}{}{}
\sharkIPConfigItem { E-mail }{moe@forksand.com}{}{}
\sharkIPConfigItem { Comment }{}{}{}
\sharkIPConfigItem { Expiration date }{}{}{}
\sharkIPConfigLastItem{ Group Memberships }{Member of admins}{}{}
\sharkIPConfigItem { Certificate }{unchecked}{}{}
\sharkIPConfigLastItem{ OTP seed }{}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash10-dhcpv4.png}
\caption{Supermicro SuperServer OPNsense Dashboard DHCPv4}
\label{fig:supermicroSSCIpmiOpnsenseDash10}
\end{figure}
\begin{itemize}
\item Disable DHCPv4
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{unchecked}{}{}
\sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
\sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
\sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
\sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{}
\sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
\end{tabu}
\end{table}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0]
{sf-fw/ssc-opns-dash11-plugins.png}
\caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation}
\label{fig:supermicroSSCIpmiOpnsenseDash11}
\end{figure}
\begin{itemize}
\item Make sure os-dyndns plugin installed
\item Install os-acme-client
\end{itemize}
%\begin{table}[!htb]
% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins}
% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
% \tabucline[2pt]{1-2}
% \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
% \tabucline[2pt]{1-2}
% \sharkIPConfigItem { Enable }{unchecked}{}{}
% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{}
% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{}
% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{}
% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{}
% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{}
% \end{tabu}
%\end{table}
\newpage
\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ssc-opns-dash12-lea.png}
\caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account}
\label{fig:supermicroSSCIpmiOpnsenseDash12}
\end{figure}
\begin{itemize}
\item Add Let's Encrypt account
\item Modify global Let's Encrypt settings
\item Apply Let's Encrypt settings
\item Refer to Certificates menu
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1}{}{}
\sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{}
\sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{}
\sharkIPConfigItem { Enable Plugin }{checked}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{}
\sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{}
\end{tabu}
\end{table}
\newpage
%\begin{figure}[!ht]
% \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
% {sf-fw/ssc-opns-dash13-cert.png}
% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate}
% \label{fig:supermicroSSCIpmiOpnsenseDash12}
%\end{figure}
\begin{itemize}
\item Add Validation Method
\item Add Certificate
\item Apply ``Issue/Renew Certificates Now''
\end{itemize}
\begin{table}[!htb]
\caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea}
\begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]}
\tabucline[2pt]{1-2}
\multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}&
\multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Validation Method }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Name }{sf-fw1-http}{}{}
\sharkIPConfigItem { Description }{SharkFork Firewall 1 http validation}{}{}
\sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{}
\sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{}
\sharkIPConfigItem { IP Auto-Discovery }{checked}{}{}
\sharkIPConfigItem { Interface }{WAN}{}{}
\sharkIPConfigLastItem{ IP Addresses }{}{}{}
\tabucline[2pt]{1-2}
\sharkIPConfigItem { Certificate }{}{}{}
\sharkIPConfigItem { Enable }{checked}{}{}
\sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{}
\sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{}
\sharkIPConfigItem { Alt Names }{}{}{}
\sharkIPConfigItem { LE Account }{sf-fw1}{}{}
\sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{}
\sharkIPConfigItem { Restart Actions }{}{}{}
\sharkIPConfigItem { Auto Renewal }{checked}{}{}
\sharkIPConfigLastItem{ Renewal Interval }{60}{}{}
\end{tabu}
\end{table}
\newpage
\section{Alternatives Firewalls Hardware Overview}
Some resellers:
\begin{itemize}
\item \url{https://www.deciso.com/}
\item \url{https://www.pfwhardware.com/}
\item \url{https://www.osnet.eu/}
\end{itemize}
\begin{itemize}
\item (8) 1 gig ethernet ports
Connects to (1) 100M ethernet upstream fiber optic
Connects to (1) 100M ethernet upstream wifi
Various LAN
\item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5'' drive bays
\item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover
\end{itemize}
\section{IP-tables Firewall}
\section{IPtables-firewall}
\subsection{Overview}
Most servers and workstations run GNU/Linux, which uses iptables.
\subsection{iptables}
iptables is part of the Netfilter project and has been included by default in
the Linux kernel for many years.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}
\caption{Netfilter Website}
\label{fig:www-netfilter}
\end{figure}
\subsection{Requirements}
There are a lot of operating systems to consider to use as a firewall...
There are a lot of operating systems to consider to use as a \gls{firewall}...
Notes on some requirements in a firewall.
Notes on some requirements in a \gls{firewall}.
\begin{itemize}
\item Must be free software.
@ -617,24 +74,23 @@ Notes on some requirements in a firewall.
\end{itemize}
\subsection{Firewall Operating Systems in Use}
\Large{Debian}
\subsection{\Gls{firewall} Operating Systems in Use}
\href{https://www.debian.org/}{Debian}
\Large{\href{https://www.debian.org/}{Debian}}
Debian is used for nearly everything. It could easily be used as a
router/firewall. There are better, more tuned options.
router-firewall. There are better, more tuned options.
Linux's iptables is used on servers.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website}
\label{fig:www-debian-in-firewalls-chapter}
\end{figure}
\Large{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, firewall is being confugured.
During Proxmox installation on the nodes, \gls{firewall} is being confugured.
Some of nodes configurations can be found in chapter Free software under
path apps/forksand-nodes-bootstrap/...
@ -669,7 +125,7 @@ Find out why mention of firewall in hk1 node is discarded.
# Datacenter --> Firewall --> Add.
\end{minted}
Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
Also Nextcloud chapter mentiones configs of iptables-firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
Also certain Ansible including virtual machines enable iptables configuratiion.
For example ansible-debian-male contains mikegleasonjr.firewall.
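Review bot: `\Large{\href{https://www.debian.org/}{Debian}}` on the new side treats `\Large` as a command taking an argument; it is a font-size switch, so the braces do not bound it and everything after the heading stays at `\Large` until the enclosing group ends. Write `{\Large\href{https://www.debian.org/}{Debian}}`, or better `\subsubsection{Debian}` since the line is used as a heading (the unchanged `\Large{Proxmox setups iptables-firewall}` has the same problem). The rewritten sentence `During Proxmox installation on the nodes, \gls{firewall} is being confugured.` carries over the typo and lacks an article — `the \gls{firewall} is configured` — and `mentiones` on the other rewritten line is a typo as well.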

@ -10,45 +10,41 @@
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Hardware}
\section{Cluster Diagram}
\raggedright
\vspace{0.4cm}
Dedicated servers discarded.
Colocation cabinet buffered only with a firewall.
\Glspl{dedicatedserver} discarded.
\vspace{0.4cm}
\centering
\includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm]
\begin{figure}[!htb]
\includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-4-final-colocation.pdf} \\ %
\vspace{0.2cm}
\raggedright
\newpage
\caption{\Gls{sharkfork} \Gls{colocation} \gls{cluster} cabling diagram}
\end{figure}
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}.
One step from autonouos structure.
\section{Hardware Cluster Overview}
The \gls{cluster} will require rackmountable equipment.
\newpage
\Large{\textbf{\Gls{sharkfork} 21U hardware instance}}
\begin{itemize}
\item GNU/Linux Servers
\item \Glspl{firewall}
\item Switches
\item File storages
\end{itemize}
\begin{minipage}{0.9\textwidth}
\subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U}
%\includepdf[width=150mm,offset=0 15,clip]
%{sharkfork-21U.pdf}
\includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=0.75\textheight,width=150mm,angle=0]
{sharkfork-21U.png}
% \vspace{150mm}
\label{fig:sharkfork-21U}
%\vspace{60mm}
\end{minipage}
\label{fig:sharkfork-21U}
\end{figure}
%\subsubsection{\Gls{sharkfork} 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
\newpage
%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
\newcommand{\nodeUnitName}[4]{
\rowcolor{#3}\vspace{-1pt}
{{\grenewcommand{\currentColor}{#3}}}
@ -90,7 +86,7 @@ The cluster will require rackmountable equipment:
\multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2}
%%% UNIT %%%
% Unit name
\nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black}
\nodeUnitName{2}{Iris FW1100 - \Gls{firewall} System}{secondary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU }
\nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory }
@ -108,6 +104,21 @@ The cluster will require rackmountable equipment:
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
% Unit name
\nodeUnitName{2}{Netgear XS716T - 16-Port 10G Smart Managed Plus Switch}{secondary-brown}{ao-black}
% Unit configuration parameters
\nodeUnitParameter{ 1U Form Factor ~~- 600 MHz Cortex-A9 Single Core }
\nodeUnitParameter{ 512MB RAM }
\nodeUnitParameter{ 16-Port RJ45 10G SFP+ and Six Gigabit Ethernet }
\nodeUnitLastParameter{ 100W Power Supply }
% Unit has a set of components parameters
\nodeUnitSetItem {1}{ 8MB SPI + 256 NAND FLASH }
\nodeUnitSetLastItem {1}{ 2 shared (combo) 1G/10G Copper/SFP+ (fiber) ports }
% Unit ends with notes, pass "none" parameter if no notes
%\nodeUnitSetNotes { none }
%%% END UNIT %%%
%%% UNIT %%%
% Unit name
\nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black}
@ -316,7 +327,7 @@ Who we'll get hardware from.
\end{itemize}
\newcommand{\includescreen}[3]{
\begin{figure}[!ht]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1}
\caption{#2}
#3
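Review bot: The port line of the newly added switch entry, `\nodeUnitParameter{ 16-Port RJ45 10G SFP+ and Six Gigabit Ethernet }`, contradicts the entry's own `2 shared (combo) 1G/10G Copper/SFP+ (fiber) ports` item and the network chapter's `Netgear 16-port 10 Gigabit RJ-45` description: it reads as sixteen SFP+ ports plus six 1G ports. Something like `16 x 10G RJ45 ports, 2 of them shared (combo) with SFP+` would agree with the other two lines, but check it against the XS716T datasheet first. Because this is a web-managed ("Smart Managed Plus") switch, the entry is also the natural place to record which network its management interface is reachable from; the server section talks about a dedicated out-of-band management network for IPMI, and stating whether the switch UI is confined to the same network, rather than reachable from the production VLANs, would close that gap.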

@ -13,9 +13,9 @@
\section{History}
\subsection{Cluster Evolution}
Forksand started deployment on dedicated servers.
Forksand started deployment on \glspl{dedicatedserver}.
\vspace{0.6cm}
First stage. Exclusively dedicated servers (deprecated)
First stage. Exclusively \glspl{dedicatedserver} (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@ -23,20 +23,20 @@ Forksand started deployment on dedicated servers.
%
\vspace{0.2cm}
\raggedright
Second stage. Dedicated servers along with a colocation
cabinet. Flat hierarchy. (deprecated)
Second stage. \Glspl{dedicatedserver} along with a \Gls{colocation}
\Gls{cabinet}. Flat hierarchy. (deprecated)
\vspace{0.1cm}
In progress, services were being migrated one after another to
a colocation instance. On the next stage hierarchy becomes vertical. \\
a \Gls{colocation} instance. On the next stage hierarchy becomes vertical. \\
\vspace{0.1cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
{sharkfork-cabling-2-mixed-vlan.pdf} \\ %
%
\raggedright
Third stage. Dedicated servers buffered by
a colocation cabinet. Vertical hierarchy. (deprecated)
Third stage. \Glspl{dedicatedserver} buffered by
a \Gls{colocation} \Gls{cabinet}. Vertical hierarchy. (deprecated)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@ -44,8 +44,8 @@ Forksand started deployment on dedicated servers.
%
\vspace{0.2cm}
\raggedright
Fourth stage. Dedicated servers discarded.
Colocation cabinet buffered only with a firewall. (current)
Fourth stage. \Glspl{dedicatedserver} discarded.
\Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}. (current)
\vspace{0.4cm}
\centering
\includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@ -53,7 +53,7 @@ Forksand started deployment on dedicated servers.
%
\vspace{0.2cm}
\raggedright
Final stage. Firewall discarded. Single colocation cabinet. (in process)
Final stage. \Gls{Firewall} discarded. Single \Gls{colocation} \Gls{cabinet}. (in process)
\vspace{0.4cm}
\centering
%\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm]
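Review bot: `\Gls{Firewall}` on the rewritten `Final stage.` line refers to a glossary key `Firewall`, while every other site in the commit uses the lowercase key (`\gls{firewall}`, `\Glspl{firewall}`); unless a separate `Firewall` entry exists, the glossaries package will warn that the entry is undefined and typeset `??`, so use `\Gls{firewall}`, which already capitalises. The same sentence announces that the perimeter firewall is discarded in the final stage without saying what filters traffic afterwards; the firewall chapter states that iptables is used on the servers and that Proxmox configures a firewall on the nodes, so a clause such as `(per-host iptables and the Proxmox node \gls{firewall} remain)` would keep the stage from reading as "no filtering" — assuming that is the intended design.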

@ -21,7 +21,7 @@ The first diagram is an overview, with networks listed, without the admin networ
XXX Diagram.
%\begin{figure}[h!]
%\begin{figure}[!htb]
%\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{fs-cloud-net-overview.pdf}
% \caption{Fork Sand IT Manual Network Overview without Admin Net}
% \label{fig:fs-cloud-net-overview}
@ -31,7 +31,7 @@ The second network, shows most servers, without the admin network.
XXX Diagram.
%\begin{figure}[h!]
%\begin{figure}[!htb]
%\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{ao-cloud-net.pdf}
% \caption{Fork Sand IT Manual Network without Admin Net}
% \label{fig:ao-cloud-net}
@ -47,6 +47,26 @@ be able to use... For now we will be using:
\item Netgear 16-port 10 Gigabit RJ-45
\end{itemize}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{s-TL-SG1048}
\caption{TP-link 48 port 1 Gigabit switch TL-SG1048 overview}
\label{fig:swichTLSG1048overview}
\end{figure}
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{s-XS716T.png}
\caption{Netgear 16 port 10 Gigabit switch XS716T overview}
\label{fig:swichXS716Toverview}
\end{figure}
\newpage
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{s-XS716T-si.png}
\caption{Netgear 16 port 10 Gigabit switch XS716T System Information}
\label{fig:swichXS716Tsysteminfo}
\end{figure}
\section{IPMI Administration}
The servers have low level administration done via HTML5 IPMI.
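Review bot: The three added figures request `height=1.10\textheight`, which is taller than the text block; with `keepaspectratio` and `width=1.00\textwidth` the width will usually bind, but a tall screenshot would still overflow the page, so `height=\textheight` (or dropping height altogether) is safer, and the `\newpage` between the second and third figure is a manual layout fix that `[!htb]` floats should make unnecessary. The graphics arguments are also inconsistent: `{s-TL-SG1048}` omits the extension while `{s-XS716T.png}` carries it; omitting it in both lets graphicx pick the format. Since the third caption describes the switch's System Information page, confirm before publishing that the screenshot does not expose a serial number, MAC address or management address; the image itself is not visible here.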

@ -26,7 +26,7 @@ there is an installation manual for 5.x version, which is great.
Documentation:
\url{https://pve.proxmox.com/wiki/Documentation}
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png}
\caption{Proxmox Website}
\label{fig:www-proxmox}
@ -54,7 +54,7 @@ containers and all necessary resources
$\cdot$ Web based management interface for using the toolset
\item Debian Stretch admin guide: \\
\url{file:///C:/Users/P/Downloads/pve-admin-guide.pdf}
\url{https://pve.proxmox.com/pve-docs/pve-admin-guide.pdf}
\end{itemize}
@ -84,16 +84,16 @@ The following servers will be deployed to host Proxmox and the KVMs:
%virtual images.
%
%\subsection{Proxmox Web GUI Servers}
%A Proxmox's Web GUI for administration of the cluster.
%A Proxmox's Web GUI for administration of the \gls{cluster}.
\subsection{Virtual Machine Nodes}
Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
Every node includes a Proxmox's Web GUI service for administration of the cluster.
Any nodes included into the cluster may be configured by requesting to any node's GUI.
Every node includes a Proxmox's Web GUI service for administration of the \gls{cluster}.
Any nodes included into the \gls{cluster} may be configured by requesting to any node's GUI.
\begin{figure}[h!]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png}
\caption{Proxmox Sunstone Web Admin GUI}
\label{fig:proxmox-gui}
@ -134,13 +134,14 @@ URL: \url{http://localhost:8002/}, for shark2 \\
URL: \url{http://localhost:8003/}, for shark3 \\
URL: \url{http://localhost:8004/}, for shark4 \\
See example at fig. \ref{fig:proxmox-gui-port}:
\begin{figure}[!ht]
\begin{figure}[!htb]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{shark2/23.png}
\label{fig:proxmox-gui-port}
\caption{Browse shark2 node, visible port No.}
\end{figure}
Info: This goes through https with self-signed certificate.
\item \texttt{Hostname} Changing the hostname and IP is not possible after cluster creation. Unlike OpenNebula.
\item \texttt{Hostname} Changing the hostname and IP is not possible after
\gls{cluster} creation. Unlike OpenNebula.
%\item Click \texttt{Infrastructure}.
%\item Click \texttt{Hosts}.
%\item Click The \texttt{+} plus icon.
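Review bot: In the figure whose placement this hunk changes to `[!htb]`, `\label{fig:proxmox-gui-port}` still comes before `\caption`, so the `\ref{fig:proxmox-gui-port}` just above the float resolves to the enclosing section number rather than the figure number; swap the two lines to `\caption{Browse shark2 node, visible port No.}` followed by `\label{fig:proxmox-gui-port}`. The reference itself would read better as `See example at Figure~\ref{fig:proxmox-gui-port}:` so the number cannot be separated from its word at a line break. The reflowed `\item` at the end of the hunk sits inside a list whose start and end lie outside the hunk.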

@ -54,7 +54,7 @@ IMAP server, typically using Icedove or aomail (roundcube using IMAP).
\section{\href{https://www.erlang.org/}{Erlang}}
Virtual machine (ejabberd).
\section{{iptables}{Firewalls}}
\section{{iptables}{\Glspl{firewall}}}
Linux's iptables.
\section{\href{http://www.fail2ban.org/}{fail2ban}}
@ -419,7 +419,7 @@ Copy Gandi file for SSL authentication to /var/www/html/
After Gandi verifies it, remove the file.
Then disable port 80 in the firewall again:
Then disable port 80 in the \gls{firewall} again:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
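Review bot: `\section{{iptables}{\Glspl{firewall}}}` puts a glossary link into a moving argument: the title is also written to the table of contents, page headers and (with hyperref) PDF bookmarks, where `\Glspl` and the colored `\glstextformat` are fragile; the glossaries manual recommends the non-linking `\Glsentryplural{firewall}`, or wrapping the link in `\texorpdfstring`, for titles. The pair of bare groups is inherited from the old line and looks like an `\href{url}{text}` whose command was lost, since the neighbouring sections use `\section{\href{...}{...}}`; as written it typesets the two groups concatenated. A title such as `\section{\Glsentryplural{firewall} (iptables)}` avoids both problems.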

@ -89,8 +89,20 @@ leftmargin=1cm,rightmargin=1cm
%\usepackage{url} % /usr/share/doc/texlive-doc/latex/url/url.pdf % Use hyperref.
\graphicspath{{./resources/}{./resources/images/}{./resources/drawings/}}
\makeindex
\makeglossary
\usepackage
[
% acronym,
% %nopostdot,
% toc,
% shortcuts,
% xindy
automake
]
{glossaries-extra}
\renewcommand*{\glstextformat}[1]{\textcolor{secondary-dark-brown}{\textbf{#1}}}
%\makeindex
%\makeglossary
\makeglossaries
\usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf
\usepackage{colortbl}
@ -233,8 +245,8 @@ leftmargin=1cm,rightmargin=1cm
%%% END FOOTNOTES %%%
%%% COLORS %%%
\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43} % ???
%\definecolor{ao-purple}{cmyk}{0.85 0.90 0.00 0.05} % ???
\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43}
\definecolor{ao-fork}{cmyk}{1.00 0.00 0.00 0.80}
\definecolor{ao-dark-blue}{cmyk}{0.83 0.24 0.00 0.12}
\definecolor{ao-light-blue}{cmyk}{0.41 0.15 0.00 0.09}
\definecolor{ao-light-orange}{cmyk}{0.00 0.40 0.88 0.03}
@ -244,10 +256,11 @@ leftmargin=1cm,rightmargin=1cm
\definecolor{ao-white}{cmyk}{0.00 0.00 0.00 0.00}
\definecolor{ao-black}{cmyk}{1.00 1.00 1.00 1.00}
\definecolor{lulzbot-green}{cmyk}{0.11 0.00 0.78 0.15}
\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5
\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0
\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31
\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31
\definecolor{secondary-dark-brown}{cmyk}{0.00 0.38 0.74 0.48}
\definecolor{secondary-brown}{cmyk}{0.00 0.07 0.20 0.05}
\definecolor{primary-blue}{cmyk}{0.37 0.04 0.00 0.00}
\definecolor{primary-brown}{cmyk}{0.00 0.28 0.68 0.31}
\definecolor{nonbrand-dark-blue}{cmyk}{0.83 0.28 0.00 0.57}
%%% END COLORS %%%
@ -257,6 +270,39 @@ leftmargin=1cm,rightmargin=1cm
%\typeoutstandardlayout
%%% END DEBUG %%%
\newglossaryentry{cluster}{name={cluster},plural={clusters},
description={, computer cluster is a set of loosely or
tightly connected computers that work together so that, in
many respects, they can be viewed as a single system.}}
\newglossaryentry{dedicatedserver}{
name={dedicated server},plural={dedicated servers},
description={, or managed hosting service
is a type of Internet hosting in which the client leases
an entire server not shared with anyone else.}}
\newglossaryentry{sharkfork}{
name={SharkFork},
description={is a SharkTech provided \Gls{colocation} for a
\gls{cluster} with Fork Sand \Gls{colocation} \Gls{cabinet}}}
\newglossaryentry{colocation}{name={colocation},plural={colocations},
description={ centre (also spelled co-location, or colo) or "carrier
hotel", is a type of data centre where equipment, space,
and bandwidth are available for rental to retail customers.}}
\newglossaryentry{cabinet}{name={cabinet},plural={cabinets},
description={, inside a data center, is a locking unit
that holds a server rack.}}
\newglossaryentry{gnulinux}{name={GNU/Linux},
description={ is a term promoted by the Free Software Foundation
(FSF) and its founder Richard Stallman.[6] Proponents call for
the correction of the more extended term, on the grounds that it
doesn't give credit to the major contributor and the associated
free software philosophy.}}
\newglossaryentry{firewall}{name={firewall},plural={firewalls},
description={ In computing, a firewall is a network security system
that monitors and controls incoming and outgoing network traffic
based on predetermined security rules.[1] A firewall typically
establishes a barrier between a trusted internal network and
untrusted external network, such as the Internet.}}
%%% END OF PREAMBLE %%%
\begin{document}
@ -387,14 +433,14 @@ leftmargin=1cm,rightmargin=1cm
\chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense}
\chapterconf{Proxmox}{Proxmox}{Virtual Machines}
\chapterconf{Ansible}{Ansible}{Cluster Administration}
\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?}
\chapterconf{NTP}{Network Time Protocol}{A Hole in Time}
\chapterconf{Firmware}{Firmware}{Embedded Software}
\chapterconf{History}{History}{Evolution History}
%%% Appendix %%%
%\part{Appendix} % XXX
\appendix
\chapterconf{Source}{Free Software}{Free Software and Configurations}
%\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?}
%\chapterconf{NTP}{Network Time Protocol}{A Hole in Time}
%\chapterconf{Firmware}{Firmware}{Embedded Software}
%\chapterconf{History}{History}{Evolution History}
%%%% Appendix %%%
%%\part{Appendix} % XXX
%\appendix
%\chapterconf{Source}{Free Software}{Free Software and Configurations}
%% END MAINMATTER CHAPTERS %%%
@ -414,7 +460,8 @@ leftmargin=1cm,rightmargin=1cm
\renewcommand{\memglonum}[1]{}
\clearpage
\printglossary
%\addcontentsline{toc}{chapter}{Glossary}
\printglossaries
%%% END GLOSSARY %%%
%%% CONTACT %%%
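Review bot: The `automake` option passed to glossaries-extra makes the package try to run makeindex/xindy through `\write18`, so it only takes effect when the document is compiled with shell escape enabled, and enabling shell escape widens what the build can execute; if the glossary is already produced by a separate makeglossaries step, the option is redundant and dropping it is preferable to building with shell escape. Glossary labels are case-sensitive: the entry is defined as `firewall`, while the history chapter hunk uses `\Gls{Firewall}` at one point, which is reported as an undefined entry and should read `\Gls{firewall}`. The new descriptions also start with a stray comma or space (`description={, computer cluster is …}`, `description={ centre …}`), carry footnote residue `[6]` and `[1]` and use straight double quotes; trim them to a sentence such as `description={a set of loosely or tightly connected computers …}` and use LaTeX quotes (two backticks, two apostrophes). If the descriptions are taken from Wikipedia, attribute the source in the glossary preamble or the entry.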

@ -0,0 +1,440 @@
%%
%% This is file `glossary.sty',
%% generated with the docstrip utility.
%%
%% The original source files were:
%%
%% glossary.dtx (with options: `package')
%% Copyright (C) 2000 Nicola Talbot, all rights reserved.
%% If you modify this file, you must change its name first.
%% You are NOT ALLOWED to distribute this file alone. You are NOT
%% ALLOWED to take money for the distribution or use of either this
%% file or a changed version, except for a nominal charge for copying
%% etc.
%% \CharacterTable
%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
%% Digits \0\1\2\3\4\5\6\7\8\9
%% Exclamation \! Double quote \" Hash (number) \#
%% Dollar \$ Percent \% Ampersand \&
%% Acute accent \' Left paren \( Right paren \)
%% Asterisk \* Plus \+ Comma \,
%% Minus \- Point \. Solidus \/
%% Colon \: Semicolon \; Less than \<
%% Equals \= Greater than \> Question mark \?
%% Commercial at \@ Left bracket \[ Backslash \\
%% Right bracket \] Circumflex \^ Underscore \_
%% Grave accent \` Left brace \{ Vertical bar \|
%% Right brace \} Tilde \~}
\NeedsTeXFormat{LaTeX2e}
\ProvidesPackage{glossary}[2004/11/02 2.12 (NLCT)]
\RequirePackage{ifthen}
\RequirePackage{keyval}
\define@key{gloss}
{style}
{\ifthenelse{\equal{#1}{list} \or \equal{#1}{altlist} \or \equal{#1}{super} \or \equal{#1}{long}}
{\def\gls@style{#1}}
{\PackageError{glossary}
{Unknown glossary style '#1'}
{Available styles are: list, altlist, super and long}}}
\define@key{gloss}
{header}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}}
{\def\gls@header{#1}}
{\PackageError{glossary}
{Unknown glossary style '#1'}
{Available styles are: none and plain}}}
\define@key{gloss}
{border}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}}
{\def\gls@border{#1}}
{\PackageError{glossary}
{Unknown glossary border '#1'}
{Available styles are: none and plain}}}
\newcount\gls@cols
\define@key{gloss}{cols}{\gls@cols=#1\relax
\ifthenelse{\gls@cols<2 \or \gls@cols>3}
{\PackageError{glossary}
{invalid number of columns}
{The cols option can only be 2 or 3}}
{}}
\define@key{gloss}
{number}
{\ifthenelse{\equal{#1}{none}\or\equal{#1}{page}\or\equal{#1}{section}}
{\def\gls@number{#1}}
{\PackageError{glossary}
{Unknown glossary number style '#1'}
{Available styles are: none, page and section}}}
\newif\ifgls@toc
\define@key{gloss}{toc}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}}
{\csname gls@toc#1\endcsname}
{\PackageError{glossary}{Glossary option 'toc' is boolean}
{The value of 'toc' can only be set to 'true' or 'false'}}}
\newif\ifgls@section
\define@key{gloss}{section}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}}
{\csname gls@section#1\endcsname}
{\PackageError{glossary}{Glossary option 'section' is boolean}
{The value of 'section' can only be set to 'true' or 'false'}}}
\gls@sectionfalse
\newif\ifglshyper
\define@key{gloss}{hyper}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}}
{\csname glshyper#1\endcsname}
{\PackageError{glossary}{Glossary option 'hyper' is boolean}
{The value of 'hyper' can only be set to 'true' or 'false'}}}
\def\gls@style{long}
\def\gls@header{none}
\def\gls@border{none}
\def\gls@number{page}
\gls@cols=2\relax
\gls@tocfalse
\@ifundefined{hyperpage}{\glshyperfalse}{\glshypertrue}
\DeclareOption*{\edef\@pkg@ptions{\noexpand\setkeys{gloss}{\CurrentOption}}
\ifthenelse{\equal{\CurrentOption}{}}{}{\@pkg@ptions}}
\ProcessOptions
\ifthenelse{\(\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}\) \and \(\not\equal{\gls@header}{none} \or \not\equal{\gls@border}{none} \or \gls@cols=3\)}
{\PackageError{glossary}{You can't have option 'style=list' or 'style=altlist' in combination with any of the other options}
{The 'list' and 'altlist' options don't have a header, border or number of columns option.}}
{}
\define@key{wrgloss}{name}{\def\@n@me{#1}}
\define@key{wrgloss}{description}{\def\@descr{#1}}
\define@key{wrgloss}{sort}{\def\@s@rt{#1}}
\define@key{wrgloss}{format}{\def\@f@rm@t{#1}}
\renewcommand{\@wrglossary}[1]{\relax
\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax
\setkeys{wrgloss}{#1}\relax
\ifthenelse{\equal{\@s@rt}{}}
{\relax
\ifthenelse{\equal{\@f@rm@t}{}}
{\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}}
{\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax
}{\relax
\ifthenelse{\equal{\@f@rm@t}{}}
{\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}}
{\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax
}\relax
\endgroup\@esphack
}
\ifthenelse{\equal{\gls@number}{page}}{
\newcommand{\theglossarynum}{\thepage}
\newcommand{\pagecompositor}{-}
\newcommand{\delimN}{, }
\newcommand{\delimR}{--}
\ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi}
{\ifthenelse{\equal{\gls@number}{section}}
{\newcommand{\theglossarynum}{\thesection}
\newcommand{\pagecompositor}{.}
\newcommand{\delimN}{, }
\newcommand{\delimR}{--}
\ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi}
{\newcommand{\theglossarynum}{\thepage}
\newcommand{\pagecompositor}{-}
\newcommand{\delimN}{}
\newcommand{\delimR}{}
\newcommand{\glsnumformat}[1]{}}}
\newcommand\printglossary{\@input@{\jobname.gls}}
\newcommand{\glossaryname}{Glossary}
\newcommand{\entryname}{Notation}
\newcommand{\descriptionname}{Description}
\newcommand{\istfilename}{\jobname.ist}
\newenvironment{theglossary}
{\@ifundefined{chapter}
{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi}
{\ifthenelse{\boolean{gls@section}}{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi}
{\chapter*{\glossaryname}\ifgls@toc\addcontentsline{toc}{chapter}{\glossaryname}\fi}}
\glossarypreamble\@bef@reglos}
{\@ftergl@s\glossarypostamble}
\newcommand{\glossarypreamble}{}
\newcommand{\glossarypostamble}{}
\newif\ifgloitemfirst
\newcommand{\@bef@reglos}{\global\gloitemfirsttrue\beforeglossary}
\newcommand{\@ftergl@s}{\afterglossary\global\gloitemfirstfalse}
\ifthenelse{\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}}
{
\newcommand{\beforeglossary}{\begin{description}}
\newcommand{\afterglossary}{\end{description}}
\newcommand{\gloskip}{\indexspace}
\ifthenelse{\equal{\gls@style}{list}}
{\newcommand{\gloitem}[1]{\item[#1]}
\newcommand{\glodelim}{, }}
{\newcommand{\gloitem}[1]{\item[#1]\mbox{}\par}
\newcommand{\glodelim}{ }}
}{
\ifthenelse{\equal{\gls@style}{super}}{
\IfFileExists{supertab.sty}{\RequirePackage{supertab}}
{\IfFileExists{supertabular.sty}{\RequirePackage{supertabular}}
{\PackageError{glossary}{Option "super" chosen, but can't find "supertab" package}
{If you want the "super" option, you have to have the "supertab" package installed.}}}
}
{\RequirePackage{longtable}}
\newlength{\descriptionwidth}
\setlength{\descriptionwidth}{0.6\textwidth}
\ifthenelse{\equal{\gls@header}{none}}
{
\ifthenelse{\equal{\gls@border}{none}}
{\newcommand{\glossaryheader}{}}
{\newcommand{\glossaryheader}{\hline }}
}
{
\ifnum\gls@cols=2\relax
\ifthenelse{\equal{\gls@border}{none}}
{\newcommand{\glossaryheader}
{\bfseries\entryname & \bfseries \descriptionname\\}}
{\newcommand{\glossaryheader}
{\hline\bfseries\entryname & \bfseries\descriptionname
\\\hline\hline}}
\else
\ifthenelse{\equal{\gls@border}{none}}
{\newcommand{\glossaryheader}
{\bfseries\entryname & \bfseries \descriptionname & \\}}
{\newcommand{\glossaryheader}
{\hline\bfseries\entryname &\bfseries\descriptionname &
\\\hline\hline}}
\fi
}
\ifthenelse{\equal{\gls@border}{none}}
{
\ifnum\gls@cols=2\relax
\@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}}{
\newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}}
\else
\@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}}{
\newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}}
\fi
\ifthenelse{\equal{\gls@style}{super}}{
\newcommand{\afterglossary}{ \\\end{supertabular}}
}
{
\newcommand{\afterglossary}{ \\\end{longtable}}
}
\newcommand{\glosstail}{}
}
{
\ifnum\gls@cols=2\relax
\@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}}{
\newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}}
\else
\@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}}{
\newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}}
\fi
\ifthenelse{\equal{\gls@style}{super}}{
\newcommand{\afterglossary}{ \\\hline\end{supertabular}}
}
{
\newcommand{\afterglossary}{ \\\hline\end{longtable}}
}
\newcommand{\glosstail}{\hline}
}
\ifthenelse{\equal{\gls@style}{super}}
{
\@ifundefined{newcolumntype}{
\newcommand{\beforeglossary}
{\tablehead{\glossaryheader}\tabletail{\glosstail}
\begin{supertabular}{\glossaryalignment}}}
{\newcommand{\beforeglossary}
{\tablehead{\glossaryheader}\tabletail{\glosstail}
\begin{supertabular}{G}}}
}
{
\@ifundefined{newcolumntype}{\newcommand{\beforeglossary}
{\begin{longtable}{\glossaryalignment}
\glossaryheader\endhead\glosstail\endfoot}}
{\newcommand{\beforeglossary}
{\begin{longtable}{G}
\glossaryheader\endhead\glosstail\endfoot}}
}
\ifnum\gls@cols=2\relax
\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi &}
\newcommand{\glodelim}{, }
\else
\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi & &}
\newcommand{\glodelim}{& }
\fi
\newcommand{\gloitem}[1]{\ifgloitemfirst\global\gloitemfirstfalse #1 \else \\#1 \fi &}
}
\ifthenelse{\equal{\gls@number}{none} \and \gls@cols<3}{\renewcommand{\glodelim}{}}{}
\newif\ifist
\let\noist=\istfalse
\if@filesw\isttrue\else\istfalse\fi
\newwrite\istfile
\catcode`\%11\relax
\newcommand{\writeist}{
\openout\istfile=\istfilename
\write\istfile{% makeindex style file created by LaTeX for document "\jobname" on \the\year-\the\month-\the\day}
\write\istfile{keyword "\string\\glossaryentry"}
\write\istfile{preamble "\string\\begin{theglossary}"}
\write\istfile{postamble "\string\n\string\\end{theglossary}\string\n"}
\write\istfile{group_skip "\string\\gloskip "}
\write\istfile{item_0 "\string\n\string\\gloitem "}
\write\istfile{delim_0 "\string\n\string\\glodelim "}
\write\istfile{page_compositor "\pagecompositor"}
\write\istfile{delim_n "\string\\delimN "}
\write\istfile{delim_r "\string\\delimR "}
\closeout\istfile
}
\catcode`\%14\relax
\renewcommand{\makeglossary}{
\newwrite\@glossaryfile
\immediate\openout\@glossaryfile=\jobname.glo
\def\glossary{\@bsphack \begingroup \@sanitize \@wrglossary }
\typeout {Writing glossary file \jobname .glo }
\let \makeglossary \@empty
\ifist\writeist\fi
\noist}
\newcommand{\newglossarytype}[3]{
\@ifundefined{#1}{%
\def\@glstype{#1}\def\@glsout{#2}\def\@glsin{#3}%
\expandafter\edef\csname make\@glstype\endcsname{\noexpand\@m@kegl@ss{\@glstype}{\@glsout}}
\expandafter\edef\csname \@glstype\endcsname{\noexpand\@gl@ss@ary{\@glstype}}
\expandafter\edef\csname print\@glstype\endcsname{\noexpand\@prntgl@ss@ry{\@glsin}}
}{\PackageError{glossary}{Command \expandafter\string\csname #1\endcsname \space already defined}{%
You can't call your new glossary type '#1' because there already exists a command with this name}}
}
\newcommand\@m@kegl@ss[2]{
\expandafter\newwrite\csname @#1file\endcsname
\expandafter\immediate\expandafter\openout\csname @#1file\endcsname=\jobname.#2
\typeout {Writing #1 file \jobname .#2 }
\expandafter\let \csname make#1\endcsname \@empty
\ifist\writeist\fi
\expandafter\def\csname the#1num\endcsname{\thepage}
\noist
}
\newcommand{\@wrgl@ss@ry}[2]{\relax
\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax
\setkeys{wrgloss}{#2}\relax
\ifthenelse{\equal{\@s@rt}{}}
{\relax
\ifthenelse{\equal{\@f@rm@t}{}}
{\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}}
{\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax
}{\relax
\ifthenelse{\equal{\@f@rm@t}{}}
{\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}}
{\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax
}\relax
\endgroup\@esphack
}
\newcommand\@gl@ss@ary[1]{\@ifundefined{@#1file}{\@bsphack\begingroup \@sanitize \@index}{\@bsphack \begingroup \@sanitize \@wrgl@ss@ry{#1}}}
\newcommand\@prntgl@ss@ry[1]{\@input@{\jobname.#1}}
\@onlypreamble{\newglossarytype}
\newcommand\@acrnmsh{}
\newcommand\@acrnmln{}
\newcommand\@acrnmcmd{}
\newcommand\@acrnmgls{}
\newcommand\@acrnmins{}
\newcommand{\glsprimaryfmt}[1]{\textbf{\glsnumformat{#1}}}
\newcommand{\newacronym}[4][]{%
\ifthenelse{\equal{#1}{}}{\renewcommand\@acrnmcmd{#2}}{\renewcommand\@acrnmcmd{#1}}
\@ifundefined{\@acrnmcmd}{%
\renewcommand\@acrnmsh{#2}
\renewcommand\@acrnmln{#3}
\expandafter\gdef\csname @\@acrnmcmd @glsentry\endcsname{{name={#3 (#2)},format=glsnumformat,#4}}%
\newboolean{\@acrnmcmd first}\setboolean{\@acrnmcmd first}{true}%
\expandafter\edef\csname @\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}%
{\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname%
\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse
}%
{\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}}
\expandafter\edef\csname @s@\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}%
{\noexpand\MakeUppercase\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname%
\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse
}%
{\noexpand\MakeUppercase\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}}
\expandafter\edef\csname\@acrnmcmd\endcsname{\noexpand\@ifstar\expandafter\noexpand\csname @s@\@acrnmcmd\endcsname
\expandafter\noexpand\csname @\@acrnmcmd\endcsname}%
}
{\PackageError{glossary}{Command '\expandafter\string\csname\@acrnmcmd\endcsname' already defined}{
The command name specified by \string\newacronym already exists.}}}
\newcommand{\useacronym}{\@ifstar\@suseacronym\@useacronym}
\newcommand{\@suseacronym}[2][]{{\def\@acrnmins{#1}\csname @s@#2\endcsname}}
\newcommand{\@useacronym}[2][]{{\def\@acrnmins{#1}\csname @#2\endcsname}}
\ifglshyper
\def\glshyperpage#1{\@glshyperpage#1\delimR \delimR \\}
\def\@glshyperpage#1\delimR #2\delimR #3\\{%
\ifx\\#2\\%
\@delimNhyperpage{#1}%
\else
\@ifundefined{hyperlink}{#1\delimR #2}{\hyperlink{page.#1}{#1}\delimR \hyperlink{page.#2}{#2}}%
\fi
}
\def\@delimNhyperpage#1{\@@delimNhyperpage#1\delimN \delimN\\}
\def\@@delimNhyperpage#1\delimN #2\delimN #3\\{%
\ifx\\#2\\%
\@ifundefined{hyperlink}{#1}{\hyperlink{page.#1}{#1}}%
\else
\@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{page.#1}{#1}\delimN \hyperlink{page.#2}{#2}}%
\fi
}
\def\glshypersection#1{\@glshypersection#1\delimR \delimR \\}
\def\@glshypersection#1\delimR #2\delimR #3\\{%
\ifx\\#2\\%
\@delimNhypersection{#1}%
\else
\@ifundefined{hyperlink}{#1\delimR #2}{\hyperlink{section.#1}{#1}\delimR \hyperlink{section.#2}{#2}}%
\fi
}
\def\@delimNhypersection#1{\@@delimNhypersection#1\delimN \delimN\\}
\def\@@delimNhypersection#1\delimN #2\delimN #3\\{%
\ifx\\#2\\%
\@ifundefined{hyperlink}{#1}{\hyperlink{section.#1}{#1}}%
\else
\@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{section.#1}{#1}\delimN \hyperlink{section.#2}{#2}}%
\fi
}
\ifthenelse{\equal{\gls@number}{section}}{
\ifglshyper
\@ifundefined{chapter}
{}
{\let\@gls@old@chapter\@chapter
\def\@chapter[#1]#2{\@gls@old@chapter[{#1}]{#2}\@ifundefined{hyperdef}{}{\hyperdef{section}{\thechapter.0}{}}}}
\fi
\providecommand\hyperrm[1]{\textrm{\glshypersection{#1}}}
\providecommand\hypersf[1]{\textsf{\glshypersection{#1}}}
\providecommand\hypertt[1]{\texttt{\glshypersection{#1}}}
\providecommand\hyperbf[1]{\textbf{\glshypersection{#1}}}
\providecommand\hyperit[1]{\textit{\glshypersection{#1}}}
}
{
\providecommand\hyperrm[1]{\textrm{\glshyperpage{#1}}}
\providecommand\hypersf[1]{\textsf{\glshyperpage{#1}}}
\providecommand\hypertt[1]{\texttt{\glshyperpage{#1}}}
\providecommand\hyperbf[1]{\textbf{\glshyperpage{#1}}}
\providecommand\hyperit[1]{\textit{\glshyperpage{#1}}}
}
\else
\providecommand\hyperrm[1]{\textsf{#1}}
\providecommand\hypersf[1]{\textsf{#1}}
\providecommand\hypertt[1]{\texttt{#1}}
\providecommand\hyperbf[1]{\textbf{#1}}
\providecommand\hyperit[1]{\textit{#1}}
\fi
\endinput
%%
%% End of file `glossary.sty'.
