diff --git a/.gitignore b/.gitignore index 8782067..08c8596 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,8 @@ forksand-it-manual.pdf *~ .~lock.*# *.aux +*.glg +*.ist *.bbl *.blg .fuse_hidden* @@ -19,6 +21,7 @@ _minted-* *.swp *.toc *.xdv +*.xdy *.zip *.fls *.fdb_latexmk diff --git a/build.sh b/build.sh index f72ca05..f43067f 100755 --- a/build.sh +++ b/build.sh @@ -27,6 +27,8 @@ xelatex \ -interaction=nonstopmode \ forksand-it-manual.tex +makeglossaries-lite "forksand-it-manual" + for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly exit 0 diff --git a/source/Ansible.tex b/source/Ansible.tex index 747c7b4..c0729a4 100644 --- a/source/Ansible.tex +++ b/source/Ansible.tex @@ -123,7 +123,7 @@ The following applications are required to utilize this this section objectives. Ansible can be installed using Python PIP. \begin{itemize} \item \texttt{Ansible} 2.4.x+ - \item \texttt{Python} 2.7.9+ + \item \texttt{Python} 2.7.x+ \textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements} \end{itemize} diff --git a/source/Clouds/Flokinet.tex b/source/Clouds/Flokinet.tex index f2a7f30..8c12127 100644 --- a/source/Clouds/Flokinet.tex +++ b/source/Clouds/Flokinet.tex @@ -32,7 +32,7 @@ We encourage you to do so! We are able to supply secure and stable environments FlokiNET runs Tor exit and relay nodes. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-flokinet.png} \caption{Flokinet Website} \label{fig:www-flokinet} 
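Review bot: `makeglossaries-lite "forksand-it-manual"` is placed after what looks like the final `xelatex` pass in build.sh, so the glossary files it generates are never read back and the PDF that the following `for` loop moves out will have an empty or stale glossary (any earlier passes are above the hunk, outside this view). Add one more pass after it: `xelatex -interaction=nonstopmode forksand-it-manual.tex`. A failure of makeglossaries-lite is also invisible because the script ends with an unconditional `exit 0`; if the build is meant to stop on it, `makeglossaries-lite "forksand-it-manual" || exit 1` would do.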
@@ -141,11 +141,11 @@ FlokiNET Pros: \item The entire reason for FlokiNET to exist is to help people publish in repressive environments. \item Strong dedication to privacy. \item Based in Iceland. - \item Dedicated servers aren't too expensive. + \item \Glspl{dedicatedserver} aren't too expensive. \item Romanian VPS is OpenVZ and KVM. \item Finnish VPS is KVM. \item Has private domain registration services. - \item Colocation available. + \item \Gls{colocation} available. \item ``FlokiNET is proud to be completly Tor Project logo-friendly. Feel free to host a TOR-node with us!'' \item ``DDoS mitigation cloud has 950 Gbps filtering capacity.'' \item Finland and Iceland are free speech friendlier countries. @@ -163,7 +163,7 @@ FlokiNET Cons: \begin{itemize} \item Iceland Virtual Private Server uses VMWare. - \item Dedicated servers look like older HP models. + \item \Glspl{dedicatedserver} look like older HP models. \item Bandwidth is OK, but not great as they are on a remote island. \item VoIP URL is 404 \url{https://flokinet.is/en/learnsecurevoip.php}. \item Uses WHMCS for account services management (non-free software). @@ -184,7 +184,7 @@ is4423 tty1 - 02:24 2:16m 0.17s 0.08s -bash \subsection{FlokiNET Unknown} \begin{itemize} - \item IPMI on dedicated servers? + \item IPMI on \glspl{dedicatedserver}? \item The IP in \texttt{/etc/hosts} for the hostname wasn't the same as used for SSH. - Either a mistake or firewall forwarded for security (???). Appears to be mistake. + Either a mistake or \gls{firewall} forwarded for security (???). Appears to be mistake. \end{itemize} diff --git a/source/Clouds/Sharktech.tex b/source/Clouds/Sharktech.tex index eb258f5..2088846 100644 --- a/source/Clouds/Sharktech.tex +++ b/source/Clouds/Sharktech.tex 
@@ -16,13 +16,13 @@ Looks good. Manually provisions servers over a few days. Good local speed and latency. \url{https://sharktech.net/} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech.png} \caption{Sharktech Website} \label{fig:www-sharktech} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech-dashboard-services.png} \caption{Sharktech Dashboard Services Web Page} \label{fig:www-sharktech-dashboard-services} @@ -54,17 +54,17 @@ Firmware Build Time : 2015-01-05 # XXX takes 7 minutes to reboot. \end{minted} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp.png} \caption{Sharktech Reboot DHCP Hang} \label{fig:sharktech-reboot-dhcp} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp-2.png} \caption{Sharktech Reboot DHCP Hang 2} \label{fig:sharktech-reboot-dhcp-2} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-grub.png} \caption{Sharktech Reboot GRUB} \label{fig:sharktech-reboot-grub} diff --git a/source/Distros.tex b/source/Distros.tex index ca11a18..bdaba3e 100644 --- a/source/Distros.tex +++ b/source/Distros.tex @@ -15,8 +15,8 @@ The following operating systems will be used: \begin{itemize} - \item Debian GNU/Linux --- For Utility, Ceph, and OpenNebula Servers. - \item OPNSense --- Firewalls. + \item Debian \gls{gnulinux} --- For Utility, Ceph, and OpenNebula Servers. + \item OPNSense --- \Glspl{firewall}. \end{itemize} \input{Distros/Debian} 
diff --git a/source/Distros/Debian.tex b/source/Distros/Debian.tex index 25658f4..0a795da 100644 --- a/source/Distros/Debian.tex +++ b/source/Distros/Debian.tex @@ -13,7 +13,7 @@ \section{Debian} Debian is a free software GNU/Linux distribution. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png} \caption{Debian Website} \label{fig:www-debian} @@ -56,7 +56,7 @@ Here are some for Debian... The \texttt{packer} application in Debian looks particularly useful. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-packer.png} \caption{Packer Website} \label{fig:www-packer} diff --git a/source/Distros/Distros-tmpl.tex b/source/Distros/Distros-tmpl.tex index 87c427d..3000984 100644 --- a/source/Distros/Distros-tmpl.tex +++ b/source/Distros/Distros-tmpl.tex @@ -12,7 +12,7 @@ \section{DISTRO} Website: % \url{https://www.distro.org} -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-distro.png} % \caption{DISTRO Website} % \label{fig:www-distro} diff --git a/source/Firewall-opnsense.tex b/source/Firewall-opnsense.tex new file mode 100644 index 0000000..a57fa42 --- /dev/null +++ b/source/Firewall-opnsense.tex 
@@ -0,0 +1,607 @@ +% +% Firewall-opnsense.tex +% +% Fork Sand IT Manual +% +% Copyright (C) 2018, Fork Sand, Inc. +% Issued by Oleksandr Papevis +% +% This document is licensed under the Creative Commons Attribution 4.0 +% International Public License (CC BY-SA 4.0) by Fork Sand, Inc. +% + +\section{Hardware Overview} + +\begin{itemize} + \item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/} + \\ \url{https://wiki.opnsense.org/index.html} + \item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm} +\end{itemize} + +The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O. +That means that both the rear I/O ports as well as the I/O expansion +ports are found along the front side of the rack. In many cases this +is a desirable configuration as it can make cabling very simple. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-front.png} + \caption{Supermicro SuperServer 1018D-FRN8T Front} + \label{fig:supermicroSSfront} +\end{figure} + +The rear of the unit has a redundant 400W power supply. Rated at 80 +Plus Platinum the power supplies are efficient as well. The remainder +of the rear is simply a bezel for fans. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-rear.png} + \caption{Supermicro SuperServer 1018D-FRN8T Rear} + \label{fig:supermicroSSrear} +\end{figure} + +The onboard I/O is plentiful. There are two USB 3.0 ports along with +a VGA port for KVM carts. Above the USB ports there is a RJ-45 +Ethernet port for out-0f-band management that can be directly +connected to a dedicated management network. +%------------------- +Furthermore there are +six 1GbE ports connected to two Intel i210-at controllers and an +Intel i350-am4 controller. The two SFP+ ports are controlled by the +Xeon D’s Intel X552 NIC. 
For \glspl{firewall} and other appliances, this is +a very strong configuration. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/iris-fw1100-front.png} + \caption{Supermicro SuperServer 1018D-FRN8T interfaces} + \label{fig:supermicroSSinterfaces} +\end{figure} + +Inside the system we see a redundant set of fans near the PSU bezel +and a very small motherboard inside. One can see our two stacks of +Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed +the PCIe riser and the airflow shroud from this picture to show off +the internals better. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-noshroud.png} + \caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud} + \label{fig:supermicroSSnoshroud} +\end{figure} + +\subsection{Remote Management} + +Supermicro’s IPMI and KVM-over-IP enables deployment flexibility. +One can do remote power up, power down, and reset of the server in +the event that it becomes unresponsive. + +\begin{itemize} + \item fan speeds, chassis intrusion sensors, thermal sensors, + and etc. can be monitored remotely + \item remote power control. One can do remote power up, power + down, and reset of the server in the event that it becomes + unresponsive. + \item alerts can be setup to notify the admins of issues. + \item remotely mount CD images and floppy images to the machine + over the dedicated management Ethernet controller. This keeps + maintenance traffic off of the primary Intel NICs. + At the same time it removes the need for an optical disk to + be connected to the Supermicro motherboard. +\end{itemize} + +Supermicro's BIOS has a feature: the BMC IP address shows +up on the post screen! +If you have a KVM cart hooked up to the system, it gives an +indicator of which machine one is connected to during post. 
+ +Supermicro does include KVM-over-IP functionality with the motherboard. + +\begin{itemize} + \item Default IPMI connection is in cleartext http. + \item SSL certificate for Supermicro IPMI is bad (like all of them). + \item Can't change password on IPMI. + %\item Root password for server and IPMI is sent via email. + %\item There is an attack window between their machine imaging and first login. + %\item Customer should control timing of first power on. + %\item System is also possibly vuln during the ISP's initial power up and commissioning period. + %\item First reboot, the system hung (.png XXX). + %\item Hard reset, lots of DHCP queries at boot. + %\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}! + %\item They block NTP to prevent DDoS, so you have to use their time server + % \texttt{time.sharktech.net} +\end{itemize} + +\subsection{Supermicro Setup over IPMI bios} +{{\grenewcommand{\currentColor}{secondary-brown}}} +{{\grenewcommand{\currentTextColor}{ao-black}}} +\providecommand{\sharkIPConfigItem}[4]{} +\renewcommand{\sharkIPConfigItem}[4]{ + \rowcolor{\currentColor} \vspace{-1pt} + \rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#2}} \\ +} +\providecommand{\sharkIPConfigLastItem}[4]{} +\renewcommand{\sharkIPConfigLastItem}[4]{ + \rowcolor{\currentColor} \vspace{-1pt} + \rule[-1.0em]{0pt}{1em} \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#2}} \\ + \tabucline[2pt]{1-2} +} +\providecommand{\SIPCCwidth}{3.5cm} +\renewcommand{\SIPCCwidth}{5cm} + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-init.png} + \caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization} + \label{fig:supermicroSSCIpmiInit} +\end{figure} + +Before IPMI Initialization, choose in Boot Agent GE an 
entry PXE +(Preboot eXecution Environment) + +In Aptio Setup Utility set the following Boot Features: + +\begin{table}[!htb] + \caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{} + \sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[On\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{} + \sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} + +Set system Date/Time + +\newpage +\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-boot1.png} + \caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu} + \label{fig:supermicroSSCIpmiBoot1} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Power Configuration }{}{}{} + \sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{} + 
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-boot2.png} + \caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader} + \label{fig:supermicroSSCIpmiBoot2} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{} + \sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-opnsense-boot1.png} + \caption{Supermicro SuperServer OPNsense Boot variant} + \label{fig:supermicroSSCIpmiOpnsenseBoot1} +\end{figure} +Let default option 5 execute. 
+\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Adapter }{LSI2116-IT}{}{} + \sharkIPConfigItem { PCI Slot }{0B}{}{} + \sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{} + \sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{} + \sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{} + \sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{} + \sharkIPConfigItem { Status }{Disabled}{}{} + \sharkIPConfigItem { Boot Order}{0}{}{} + \sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} + +\newpage +\subsection{Configurate with OPNsense Dashboard} +{{\grenewcommand{\currentColor}{primary-blue}}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash1.png} + \caption{Supermicro SuperServer OPNsense Dashboard} + \label{fig:supermicroSSCIpmiOpnsenseDash1} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Hostname }{sf-fw1}{}{} + \sharkIPConfigItem { Domain }{forksand.com}{}{} + \sharkIPConfigItem { Language }{English}{}{} + \sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{} + \sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{} + \sharkIPConfigLastItem{ Override DNS }{unchecked}{}{} + \sharkIPConfigLastItem{ Enable 
Resolver}{checked}{}{} + \sharkIPConfigLastItem{ Others }{leave unchecked}{}{} + \end{tabu} +\end{table} + +\begin{itemize} + \item Set server time information + \item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty + \item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24 + \item Set Web GUI Password + \item Reload to apply changes + \item Finished initial configuration, click a href "continue to the dashboard" + \item Configure console appears, refer to table + \ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. \pageref{tab:supermicroSSCIpmiOpnsenseDash2} + \item Set root password and reboot + \item Re-enter Aptio Setup Utility Boot tab + \item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`] + \item Start the boot + \item OPNsense: Let default option 5 execute +\end{itemize} +{{\grenewcommand{\currentColor}{secondary-brown}}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash2.png} + \caption{Supermicro SuperServer OPNsense Dashboard Continued} + \label{fig:supermicroSSCIpmiOpnsenseDash2} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Configure Console }{Accept these Settings}{}{} + \sharkIPConfigItem { Select task }{Guided installation}{}{} + \sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{} + \sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{} + \sharkIPConfigItem { Swap Partition }{yes}{}{} + \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} + \end{tabu} 
+\end{table} +{{\grenewcommand{\currentColor}{primary-blue}}} +\subsection{Update OPNsense Firmware using Dashboard} +\begin{itemize} + \item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML + \item Execute update firmware, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash3} +\end{itemize} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash3-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware} + \label{fig:supermicroSSCIpmiOpnsenseDash3} +\end{figure} +\begin{itemize} + \item Standby until updating finished, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4} + \item Switch to tab Settings, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5} +\end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash4-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued} + \label{fig:supermicroSSCIpmiOpnsenseDash4} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash5-fw.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings} + \label{fig:supermicroSSCIpmiOpnsenseDash5} +\end{figure} +\begin{itemize} + \item Set mirror to LeaseWeb (San Francisco, US) + \item Set Flavour to LibreSSL + \item Set Release Type to Production + \item Click save and return to Updates tab. 
+\end{itemize} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash6-fw-updates.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates} + \label{fig:supermicroSSCIpmiOpnsenseDash6} +\end{figure} +\begin{itemize} + \item Click Update now. + \item Standby until Update is completed. + \item Restore configs from XML, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash8} +\end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash7-fw-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing} + \label{fig:supermicroSSCIpmiOpnsenseDash7} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash8-fw-backupandreboot.png} + \caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup} + \label{fig:supermicroSSCIpmiOpnsenseDash8} +\end{figure} +\begin{itemize} + \item Upload the config and restore + \item Add a user, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9} + using parameters from table + \ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. 
\pageref{tab:supermicroSSCIpmiOpnsenseAddUser} +\end{itemize} +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash9-user.png} + \caption{Supermicro SuperServer OPNsense Dashboard Add User} + \label{fig:supermicroSSCIpmiOpnsenseDash9} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Username }{jebba}{}{} + \sharkIPConfigItem { Disabled }{unchecked}{}{} + \sharkIPConfigItem { Full name }{Jeff Moe}{}{} + \sharkIPConfigItem { E-mail }{moe@forksand.com}{}{} + \sharkIPConfigItem { Comment }{}{}{} + \sharkIPConfigItem { Expiration date }{}{}{} + \sharkIPConfigLastItem{ Group Memberships }{Member of admins}{}{} + \sharkIPConfigItem { Certificate }{unchecked}{}{} + \sharkIPConfigLastItem{ OTP seed }{}{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash10-dhcpv4.png} + \caption{Supermicro SuperServer OPNsense Dashboard DHCPv4} + \label{fig:supermicroSSCIpmiOpnsenseDash10} +\end{figure} +\begin{itemize} + \item Disable DHCPv4 +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Enable }{unchecked}{}{} + \sharkIPConfigItem { Deny 
unknown clients }{unchecked}{}{} + \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} + \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} + \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} + \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash11-plugins.png} + \includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0] + {sf-fw/ssc-opns-dash11-plugins.png} + \caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation} + \label{fig:supermicroSSCIpmiOpnsenseDash11} +\end{figure} +\begin{itemize} + \item Make sure os-dyndns plugin installed + \item Install os-acme-client +\end{itemize} +%\begin{table}[!htb] +% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins} +% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} +% \tabucline[2pt]{1-2} +% \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& +% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ +% \tabucline[2pt]{1-2} +% \sharkIPConfigItem { Enable }{unchecked}{}{} +% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} +% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} +% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} +% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} +% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} +% \end{tabu} +%\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash12-lea.png} + \caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account} + \label{fig:supermicroSSCIpmiOpnsenseDash12} +\end{figure} +\begin{itemize} + \item Add Let's Encrypt account + \item Modify global Let's Encrypt 
settings + \item Apply Let's Encrypt settings + \item Refer to Certificates menu +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Name }{sf-fw1}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{} + \sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{} + \sharkIPConfigItem { Enable Plugin }{checked}{}{} + \sharkIPConfigItem { Auto Renewal }{checked}{}{} + \sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{} + \sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{} + \end{tabu} +\end{table} + +\newpage +%\begin{figure}[!htb] +% \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] +% {sf-fw/ssc-opns-dash13-cert.png} +% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate} +% \label{fig:supermicroSSCIpmiOpnsenseDash12} +%\end{figure} +\begin{itemize} + \item Add Validation Method + \item Add Certificate + \item Apply ``Issue/Renew Certificates Now'' +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Let's Encrypt validation} \label{tab:supermicroSSCIpmiOpnsenseLeaValid} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Validation Method }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Name 
}{sf-fw1-http}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1 http validation}{}{} + \sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{} + \sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{} + \sharkIPConfigItem { IP Auto-Discovery }{checked}{}{} + \sharkIPConfigItem { Interface }{WAN}{}{} + \sharkIPConfigLastItem{ IP Addresses }{}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Certificate }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{} + \sharkIPConfigItem { Alt Names }{}{}{} + \sharkIPConfigItem { LE Account }{sf-fw1}{}{} + \sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{} + \sharkIPConfigItem { Restart Actions }{}{}{} + \sharkIPConfigItem { Auto Renewal }{checked}{}{} + \sharkIPConfigLastItem{ Renewal Interval }{60}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Interfaces -\char`> Lan }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Lock }{checked}{}{} + \sharkIPConfigItem { Description }{LAN}{}{} + \sharkIPConfigItem { IPv4 Configuration Type }{Static IPv4}{}{} + \sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{} + \end{tabu} +\end{table} +\begin{itemize} + \item Refer to System -\char`> Gateways -\char`> Single -\char`> WAN\char`_DHCP6 + \item Set Disabled flag to checked + \item Press Apply changes + \item Modify LAN and WAN interfaces, disable IPv6 at both + \item Modify \Gls{firewall} Rules, disable IPv6 + \item Add new rula to \Gls{firewall} Rules WAN +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard \Gls{firewall} Rules} \label{tab:supermicroSSCIpmiOpnsenseLeaRules} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn 
{1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Interfaces -\char`> WAN }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Lock }{checked}{}{} + \sharkIPConfigItem { Description }{WAN}{}{} + \sharkIPConfigItem { IPv4 Configuration Type }{DHCP}{}{} + \sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { \Gls{firewall} -\char`> Settings -\char`> Advanced }{}{}{} + \sharkIPConfigLastItem{ Allow IPv6 }{unchecked}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { \Gls{firewall} -\char`> Rules -\char`> WAN }{}{}{} + \sharkIPConfigItem { Action }{Pass}{}{} + \sharkIPConfigItem { Disabled }{unchecked}{}{} + \sharkIPConfigItem { Interface }{WAN}{}{} + \sharkIPConfigItem { TCP/IP Version }{IPv4}{}{} + \sharkIPConfigItem { Protocol }{TCP}{}{} + \sharkIPConfigItem { Source/Invert }{unchecked}{}{} + \sharkIPConfigItem { Source }{any}{}{} + \sharkIPConfigItem { Destination/Invert }{unchecked}{}{} + \sharkIPConfigItem { Destination }{This \Gls{firewall}}{}{} + \sharkIPConfigItem { Destination port range }{https to https}{}{} + \sharkIPConfigItem { Log }{unchecked}{}{} + \sharkIPConfigItem { Category }{}{}{} + \sharkIPConfigItem { Discription }{Enable https to \Gls{firewall}}{}{} + \sharkIPConfigItem { Source OS }{Any}{}{} + \sharkIPConfigItem { No XMLRPC Sync }{unchecked}{}{} + \sharkIPConfigItem { Shedule }{none}{}{} + \sharkIPConfigLastItem{ Gateway }{default}{}{} + \end{tabu} +\end{table} + +\newpage +\section{Alternatives Hardware Overview} +Some resellers: +\begin{itemize} + \item \url{https://www.deciso.com/} + \item \url{https://www.pfwhardware.com/} + \item \url{https://www.osnet.eu/} +\end{itemize} + +\begin{itemize} + \item (8) 1 gig ethernet ports + Connects to (1) 100M ethernet upstream fiber optic + Connects to (1) 100M ethernet upstream wifi + Various LAN + \item (Hot swap?) Dual Power Supplies + \item (How swap?) 
RAID (Linux md), with SSD storage.
+ \item 2.5'' drive bays
+ \item Total ~8GHz CPU
+ \item ~8-16 gigs RAM ? Depends on OS.
+ \item Two servers total, for standby/failover
+\end{itemize}
+
diff --git a/source/Firewalls.tex b/source/Firewalls.tex
index 22f1382..f3f515d 100644
--- a/source/Firewalls.tex
+++ b/source/Firewalls.tex
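Review bot: The `\Gls{firewall} -> Rules -> WAN` table near the end of Firewall-opnsense.tex records a Pass rule with `Source` `any` and `Destination` `This Firewall` on `https` with `Log` unchecked, which publishes the OPNsense management GUI to every address on the WAN; the procedure should restrict the source to a management-network alias or VPN range and log hits, e.g. `\sharkIPConfigItem { Source }{<management network alias>}{}{}` and `\sharkIPConfigItem { Log }{checked}{}{}`. The bullets ``Default IPMI connection is in cleartext http'' and ``Can't change password on IPMI'' sit directly above commented-out Sharktech items and the table macros are named `\sharkIPConfigItem`, so they look carried over from the Sharktech section rather than verified on this Supermicro unit; confirm or drop them. Copy-paste leftovers remain in the tables: both OPNsense dashboard tables still carry the caption `sf-fw LSI Corp Config Utility`, the first BIOS table reuses `SumBbsSupportFlag` and `Subnet mask` as labels for unrelated settings, and several captions drag along `% \label{tab:sharkNodeIPConfig}`. In `\sharkIPConfigItem`, `\small{...}` is a font switch rather than a command taking an argument (write `{\small\textcolor{\currentTextColor}{#1}}`) and `\rule[-0.3em]{0pt}{-0.5em}` has a negative height. Most of this section appears moved from Firewalls.tex (the deletion hunk that follows), so these points apply to the content as moved, not only to newly written lines.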
@@ -10,581 +10,38 @@ % This document is licensed under the Creative Commons Attribution 4.0 % International Public License (CC BY-SA 4.0) by Fork Sand, Inc. % -Firewalls keep the bad packets out, mostly. And let some good packets out. +\Glspl{firewall} keep the bad packets out, mostly. And let some good packets out. \section{Overview} What is the network doing? \begin{itemize} \item snort - \item MRTG - \item Aguri + %\item MRTG + %\item Aguri \end{itemize} \section{Authentication} Two-factor authentication using TOTP. -\section{Firewall Hardware Overview} -Hardware. - -\begin{itemize} - \item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/} - \\ \url{https://wiki.opnsense.org/index.html} - \item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm} -\end{itemize} - -The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O. -That means that both the rear I/O ports as well as the I/O expansion -ports are found along the front side of the rack. In many cases this -is a desirable configuration as it can make cabling very simple. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-front.png} - \caption{Supermicro SuperServer 1018D-FRN8T Front} - \label{fig:supermicroSSfront} -\end{figure} - -The rear of the unit has a redundant 400W power supply. Rated at 80 -Plus Platinum the power supplies are efficient as well. The remainder -of the rear is simply a bezel for fans. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-rear.png} - \caption{Supermicro SuperServer 1018D-FRN8T Rear} - \label{fig:supermicroSSrear} -\end{figure} - -The onboard I/O is plentiful. There are two USB 3.0 ports along with -a VGA port for KVM carts. 
Above the USB ports there is a RJ-45 -Ethernet port for out-0f-band management that can be directly -connected to a dedicated management network. -%------------------- -Furthermore there are -six 1GbE ports connected to two Intel i210-at controllers and an -Intel i350-am4 controller. The two SFP+ ports are controlled by the -Xeon D’s Intel X552 NIC. For firewalls and other appliances, this is -a very strong configuration. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/iris-fw1100-front.png} - \caption{Supermicro SuperServer 1018D-FRN8T interfaces} - \label{fig:supermicroSSinterfaces} -\end{figure} - -Inside the system we see a redundant set of fans near the PSU bezel -and a very small motherboard inside. One can see our two stacks of -Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed -the PCIe riser and the airflow shroud from this picture to show off -the internals better. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-noshroud.png} - \caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud} - \label{fig:supermicroSSnoshroud} -\end{figure} - -\subsection{Remote Management} - -Supermicro’s IPMI and KVM-over-IP enables deployment flexibility. -One can do remote power up, power down, and reset of the server in -the event that it becomes unresponsive. - -\begin{itemize} - \item fan speeds, chassis intrusion sensors, thermal sensors, - and etc. can be monitored remotely - \item remote power control. One can do remote power up, power - down, and reset of the server in the event that it becomes - unresponsive. - \item alerts can be setup to notify the admins of issues. - \item remotely mount CD images and floppy images to the machine - over the dedicated management Ethernet controller. This keeps - maintenance traffic off of the primary Intel NICs. 
- At the same time it removes the need for an optical disk to - be connected to the Supermicro motherboard. -\end{itemize} - -Supermicro’s BIOS has a feature: the BMC IP address shows -up on the post screen! -If you have a KVM cart hooked up to the system, it gives an -indicator of which machine one is connected to during post. - -Supermicro does include KVM-over-IP functionality with the motherboard. - -\begin{itemize} - \item Default IPMI connection is in cleartext http. - \item SSL certificate for Supermicro IPMI is bad (like all of them). - \item Can't change password on IPMI. - %\item Root password for server and IPMI is sent via email. - %\item There is an attack window between their machine imaging and first login. - %\item Customer should control timing of first power on. - %\item System is also possibly vuln during the ISP's initial power up and commissioning period. - %\item First reboot, the system hung (.png XXX). - %\item Hard reset, lots of DHCP queries at boot. - %\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}! 
- %\item They block NTP to prevent DDoS, so you have to use their time server - % \texttt{time.sharktech.net} -\end{itemize} - -\subsection{Supermicro Setup over IPMI bios} -{{\grenewcommand{\currentColor}{secondary-brown}}} -{{\grenewcommand{\currentTextColor}{ao-black}}} -\providecommand{\sharkIPConfigItem}[4]{} -\renewcommand{\sharkIPConfigItem}[4]{ - \rowcolor{\currentColor} \vspace{-1pt} - \rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#2}} \\ -} -\providecommand{\sharkIPConfigLastItem}[4]{} -\renewcommand{\sharkIPConfigLastItem}[4]{ - \rowcolor{\currentColor} \vspace{-1pt} - \rule[-1.0em]{0pt}{1em} \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#2}} \\ - \tabucline[2pt]{1-2} -} -\providecommand{\SIPCCwidth}{3.5cm} -\renewcommand{\SIPCCwidth}{5cm} - -\begin{figure}[!htb] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-init.png} - \caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization} - \label{fig:supermicroSSCIpmiInit} -\end{figure} - -Before IPMI Initialization, choose in Boot Agent GE an entry PXE -(Preboot eXecution Environment) - -In Aptio Setup Utility set the following Boot Features: - -\begin{table}[!htb] - \caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{} - \sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{} - \sharkIPConfigItem { 
SumBbsSupportFlag }{ \char`[On\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{} - \sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} - -Set system Date/Time - -\newpage -\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-boot1.png} - \caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu} - \label{fig:supermicroSSCIpmiBoot1} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Power Configuration }{}{}{} - \sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{} - \sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-boot2.png} - \caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader} - \label{fig:supermicroSSCIpmiBoot2} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { 
Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{} - \sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-opnsense-boot1.png} - \caption{Supermicro SuperServer OPNsense Boot variant} - \label{fig:supermicroSSCIpmiOpnsenseBoot1} -\end{figure} -Let default option 5 execute. -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Adapter }{LSI2116-IT}{}{} - \sharkIPConfigItem { PCI Slot }{0B}{}{} - \sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{} - \sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{} - \sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{} - \sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{} - \sharkIPConfigItem { Status }{Disabled}{}{} - \sharkIPConfigItem { Boot Order}{0}{}{} - \sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} - -\newpage -{{\grenewcommand{\currentColor}{primary-blue}}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash1.png} - \caption{Supermicro SuperServer OPNsense Dashboard} - \label{fig:supermicroSSCIpmiOpnsenseDash1} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility}% 
\label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Hostname }{sf-fw1}{}{} - \sharkIPConfigItem { Domain }{forksand.com}{}{} - \sharkIPConfigItem { Language }{English}{}{} - \sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{} - \sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{} - \sharkIPConfigLastItem{ Override DNS }{unchecked}{}{} - \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} - \sharkIPConfigLastItem{ Others }{leave unchecked}{}{} - \end{tabu} -\end{table} - -\begin{itemize} - \item Set server time information - \item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty - \item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24 - \item Set Web GUI Password - \item Reload to apply changes - \item Finished initial configuration, click a href "continue to the dashboard" - \item Configure console appears, refer to table - \ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. 
\pageref{tab:supermicroSSCIpmiOpnsenseDash2} - \item Set root password and reboot - \item Re-enter Aptio Setup Utility Boot tab - \item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`] - \item Start the boot - \item OPNsense: Let default option 5 execute -\end{itemize} -{{\grenewcommand{\currentColor}{secondary-brown}}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash2.png} - \caption{Supermicro SuperServer OPNsense Dashboard Continued} - \label{fig:supermicroSSCIpmiOpnsenseDash2} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Configure Console }{Accept these Settings}{}{} - \sharkIPConfigItem { Select task }{Guided installation}{}{} - \sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{} - \sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{} - \sharkIPConfigItem { Swap Partition }{yes}{}{} - \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} - \end{tabu} -\end{table} -{{\grenewcommand{\currentColor}{primary-blue}}} -\begin{itemize} - \item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML - \item Execute update firmware, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. 
\pageref{fig:supermicroSSCIpmiOpnsenseDash3} -\end{itemize} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash3-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware} - \label{fig:supermicroSSCIpmiOpnsenseDash3} -\end{figure} -\begin{itemize} - \item Standby until updating finished, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4} - \item Switch to tab Settings, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5} -\end{itemize} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash4-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued} - \label{fig:supermicroSSCIpmiOpnsenseDash4} -\end{figure} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash5-fw.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings} - \label{fig:supermicroSSCIpmiOpnsenseDash5} -\end{figure} -\begin{itemize} - \item Set mirror to LeaseWeb (San Francisco, US) - \item Set Flavour to LibreSSL - \item Set Release Type to Production - \item Click save and return to Updates tab. -\end{itemize} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash6-fw-updates.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates} - \label{fig:supermicroSSCIpmiOpnsenseDash6} -\end{figure} -\begin{itemize} - \item Click Update now. - \item Standby until Update is completed. - \item Restore configs from XML, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. 
\pageref{fig:supermicroSSCIpmiOpnsenseDash8} -\end{itemize} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash7-fw-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing} - \label{fig:supermicroSSCIpmiOpnsenseDash7} -\end{figure} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash8-fw-backupandreboot.png} - \caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup} - \label{fig:supermicroSSCIpmiOpnsenseDash8} -\end{figure} -\begin{itemize} - \item Upload the config and restore - \item Add a user, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9} - using parameters from table - \ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. \pageref{tab:supermicroSSCIpmiOpnsenseAddUser} -\end{itemize} -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash9-user.png} - \caption{Supermicro SuperServer OPNsense Dashboard Add User} - \label{fig:supermicroSSCIpmiOpnsenseDash9} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Username }{jebba}{}{} - \sharkIPConfigItem { Disabled }{unchecked}{}{} - \sharkIPConfigItem { Full name }{Jeff Moe}{}{} - \sharkIPConfigItem { E-mail }{moe@forksand.com}{}{} - \sharkIPConfigItem { Comment }{}{}{} - \sharkIPConfigItem { Expiration date }{}{}{} - \sharkIPConfigLastItem{ Group Memberships }{Member 
of admins}{}{} - \sharkIPConfigItem { Certificate }{unchecked}{}{} - \sharkIPConfigLastItem{ OTP seed }{}{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash10-dhcpv4.png} - \caption{Supermicro SuperServer OPNsense Dashboard DHCPv4} - \label{fig:supermicroSSCIpmiOpnsenseDash10} -\end{figure} -\begin{itemize} - \item Disable DHCPv4 -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Enable }{unchecked}{}{} - \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} - \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} - \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} - \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} - \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash11-plugins.png} - \includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0] - {sf-fw/ssc-opns-dash11-plugins.png} - \caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation} - \label{fig:supermicroSSCIpmiOpnsenseDash11} -\end{figure} -\begin{itemize} - \item Make sure os-dyndns plugin installed - \item Install os-acme-client -\end{itemize} -%\begin{table}[!htb] -% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins} -% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} -% \tabucline[2pt]{1-2} -% \multicolumn 
{1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& -% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ -% \tabucline[2pt]{1-2} -% \sharkIPConfigItem { Enable }{unchecked}{}{} -% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} -% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} -% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} -% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} -% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} -% \end{tabu} -%\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash12-lea.png} - \caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account} - \label{fig:supermicroSSCIpmiOpnsenseDash12} -\end{figure} -\begin{itemize} - \item Add Let's Encrypt account - \item Modify global Let's Encrypt settings - \item Apply Let's Encrypt settings - \item Refer to Certificates menu -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Name }{sf-fw1}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{} - \sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{} - \sharkIPConfigItem { Enable Plugin }{checked}{}{} - \sharkIPConfigItem { Auto Renewal }{checked}{}{} - \sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{} - \sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{} - \end{tabu} -\end{table} - -\newpage -%\begin{figure}[!ht] -% 
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] -% {sf-fw/ssc-opns-dash13-cert.png} -% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate} -% \label{fig:supermicroSSCIpmiOpnsenseDash12} -%\end{figure} -\begin{itemize} - \item Add Validation Method - \item Add Certificate - \item Apply ``Issue/Renew Certificates Now'' -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Validation Method }{}{}{} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Name }{sf-fw1-http}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1 http validation}{}{} - \sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{} - \sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{} - \sharkIPConfigItem { IP Auto-Discovery }{checked}{}{} - \sharkIPConfigItem { Interface }{WAN}{}{} - \sharkIPConfigLastItem{ IP Addresses }{}{}{} - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Certificate }{}{}{} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{} - \sharkIPConfigItem { Alt Names }{}{}{} - \sharkIPConfigItem { LE Account }{sf-fw1}{}{} - \sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{} - \sharkIPConfigItem { Restart Actions }{}{}{} - \sharkIPConfigItem { Auto Renewal }{checked}{}{} - \sharkIPConfigLastItem{ Renewal Interval }{60}{}{} - \end{tabu} -\end{table} - -\newpage -\section{Alternatives Firewalls Hardware Overview} -Some resellers: -\begin{itemize} - \item 
\url{https://www.deciso.com/} - \item \url{https://www.pfwhardware.com/} - \item \url{https://www.osnet.eu/} -\end{itemize} - -\begin{itemize} - \item (8) 1 gig ethernet ports - Connects to (1) 100M ethernet upstream fiber optic - Connects to (1) 100M ethernet upstream wifi - Various LAN - \item (Hot swap?) Dual Power Supplies - \item (How swap?) RAID (Linux md), with SSD storage. - \item 2.5'' drive bays - \item Total ~8GHz CPU - \item ~8-16 gigs RAM ? Depends on OS. - \item Two servers total, for standby/failover -\end{itemize} - -\section{IP-tables Firewall} +\section{IPtables-firewall} \subsection{Overview} Most servers and workstations run GNU/Linux, which uses iptables. - \subsection{iptables} iptables is part of the Netfilter project and has been included by default in the Linux kernel for many years. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png} \caption{Netfilter Website} \label{fig:www-netfilter} \end{figure} \subsection{Requirements} -There are a lot of operating systems to consider to use as a firewall... +There are a lot of operating systems to consider to use as a \gls{firewall}... -Notes on some requirements in a firewall. +Notes on some requirements in a \gls{firewall}. \begin{itemize} \item Must be free software. 
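Review bot: The figure and table labels removed in this hunk (`fig:supermicroSSfront`, `fig:supermicroSSCIpmiOpnsenseDash1` through `Dash12`, `tab:supermicroSSCIpmiOpnsenseDash2`, `tab:supermicroSSCIpmiOpnsenseAddUser`, `tab:supermicroSSCIpmiOpnsenseDhcpv4`, `tab:supermicroSSCIpmiOpnsenseLea`) get no replacement on the new side, so any `\ref`/`\pageref` to them from another chapter now prints `??`; with a non-stop LaTeX run that only surfaces as an undefined-reference warning in the log, so it is worth grepping for before merging. The OPNsense setup tables and the Alternatives section appear to have moved to source/Clouds/Sharktech.tex, but the removed IPMI caveats (cleartext HTTP by default, a bad certificate, a password that cannot be changed) have no visible counterpart in this diff; if they were not carried over, keep them next to the moved setup tables, since they describe an ongoing exposure rather than a one-time step. Minor: the renamed heading `\section{IPtables-firewall}` sits directly above `\subsection{iptables}`, and `\section{iptables firewall}` would match the tool's own spelling.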
@@ -617,24 +74,23 @@ Notes on some requirements in a firewall.
 \end{itemize}
-\subsection{Firewall Operating Systems in Use}
-\Large{Debian}
+\subsection{\Gls{firewall} Operating Systems in Use}
-\href{https://www.debian.org/}{Debian}
+\Large{\href{https://www.debian.org/}{Debian}}
 Debian is used for nearly everything. It could easily be used as a
-router/firewall. There are better, more tuned options.
+router-firewall. There are better, more tuned options.
 Linux's iptables is used on servers.
-\begin{figure}[h!]
+\begin{figure}[!htb]
 \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
 \caption{Debian Website}
 \label{fig:www-debian-in-firewalls-chapter}
 \end{figure}
 \Large{Proxmox setups iptables-firewall}
-During Proxmox installation on the nodes, firewall is being confugured.
+During Proxmox installation on the nodes, \gls{firewall} is being confugured.
 Some of nodes configurations can be found in chapter Free software under path apps/forksand-nodes-bootstrap/...
@@ -669,7 +125,7 @@ Find out why mention of firewall in hk1 node is discarded.
 # Datacenter --> Firewall --> Add.
 \end{minted}
-Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
+Also Nextcloud chapter mentiones configs of iptables-firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}.
 Also certain Ansible including virtual machines enable iptables configuratiion. For example ansible-debian-male contains mikegleasonjr.firewall.
diff --git a/source/Hardware.tex b/source/Hardware.tex
index 5268172..9753523 100644
--- a/source/Hardware.tex
+++ b/source/Hardware.tex
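Review bot: `\Large{\href{https://www.debian.org/}{Debian}}` does not scope the size change: `\Large` is a declaration, so the braces that follow it are an ordinary group and the enlarged font stays in effect until the enclosing group or environment ends; write it as `{\Large\href{https://www.debian.org/}{Debian}}`, or better as a starred `\subsubsection*`/`\paragraph` so the heading is semantic. The same unscoped `\Large{...}` form is added in the Hardware.tex hunk at -10 (`\Large{\textbf{\Gls{sharkfork} 21U hardware instance}}`). Separately, `\subsection{\Gls{firewall} Operating Systems in Use}` puts a glossary command into a moving argument: the title is written to the table of contents and PDF bookmarks, where `\Gls` can trigger the first-use flag at the wrong place and may produce a malformed bookmark, so the glossaries documentation recommends `\Glsentrytext{firewall}` in headings and captions (the `\caption{\Gls{sharkfork} ...}` added in the Hardware.tex -10 hunk has the same issue). The changed lines also carry two typos: `confugured` here and `mentiones` in the next hunk at -669.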
@@ -10,45 +10,41 @@
 % This document is licensed under the Creative Commons Attribution 4.0
 % International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
 %
-\section{Hardware}
-
 \section{Cluster Diagram}
-\raggedright
- \vspace{0.4cm}
- Dedicated servers discarded.
- Colocation cabinet buffered only with a firewall.
+\Glspl{dedicatedserver} discarded.
- \vspace{0.4cm}
-\centering
-\includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm]
+\begin{figure}[!htb]
+ \includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm]
 {sharkfork-cabling-4-final-colocation.pdf} \\ %
- \vspace{0.2cm}
-\raggedright
-\newpage
+ \caption{\Gls{sharkfork} \Gls{colocation} \gls{cluster} cabling diagram}
+\end{figure}
-\section{Cluster Hardware Overview}
-The cluster will require rackmountable equipment:
+\Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}.
+One step from autonouos structure.
+
+\section{Hardware Cluster Overview}
+
+The \gls{cluster} will require rackmountable equipment.
+\newpage
+\Large{\textbf{\Gls{sharkfork} 21U hardware instance}}
 \begin{itemize}
 \item GNU/Linux Servers
+ \item \Glspl{firewall}
+ \item Switches
+ \item File storages
 \end{itemize}
-\begin{minipage}{0.9\textwidth}
- \subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U}
- %\includepdf[width=150mm,offset=0 15,clip]
- %{sharkfork-21U.pdf}
- \includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0]
+\begin{figure}[!htb]
+ \includegraphics[keepaspectratio=true,height=0.75\textheight,width=150mm,angle=0]
 {sharkfork-21U.png}
-% \vspace{150mm}
- \label{fig:sharkfork-21U}
- %\vspace{60mm}
-\end{minipage}
+ \label{fig:sharkfork-21U}
+\end{figure}
+%\subsubsection{\Gls{sharkfork} 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
 \newpage
-%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U}
-
 \newcommand{\nodeUnitName}[4]{ \rowcolor{#3}\vspace{-1pt}
{{\grenewcommand{\currentColor}{#3}}}
@@ -90,7 +86,7 @@ The cluster will require rackmountable equipment:
 \multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2}
 %%% UNIT %%%
 % Unit name
- \nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black}
+ \nodeUnitName{2}{Iris FW1100 - \Gls{firewall} System}{secondary-brown}{ao-black}
 % Unit configuration parameters
 \nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU }
 \nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory }
@@ -108,6 +104,21 @@ The cluster will require rackmountable equipment:
 %\nodeUnitSetNotes { none }
 %%% END UNIT %%%
+% Unit name
+ \nodeUnitName{2}{Netgear XS716T - 16-Port 10G Smart Managed Plus Switch}{secondary-brown}{ao-black}
+% Unit configuration parameters
+ \nodeUnitParameter{ 1U Form Factor ~~- 600 MHz Cortex-A9 Single Core }
+
+ \nodeUnitParameter{ 512MB RAM }
+ \nodeUnitParameter{ 16-Port RJ45 10G SFP+ and Six Gigabit Ethernet }
+ \nodeUnitLastParameter{ 100W Power Supply }
+% Unit has a set of components parameters
+ \nodeUnitSetItem {1}{ 8MB SPI + 256 NAND FLASH }
+ \nodeUnitSetLastItem {1}{ 2 shared (combo) 1G/10G Copper/SFP+ (fiber) ports }
+% Unit ends with notes, pass "none" parameter if no notes
+ %\nodeUnitSetNotes { none }
+%%% END UNIT %%%
+
 %%% UNIT %%%
 % Unit name
 \nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black}
@@ -316,7 +327,7 @@ Who we'll get hardware from.
 \end{itemize}
 \newcommand{\includescreen}[3]{
- \begin{figure}[!ht]
+ \begin{figure}[!htb]
 \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1}
 \caption{#2}
 #3
diff --git a/source/History.tex b/source/History.tex
index ae1b238..10a47ae 100644
--- a/source/History.tex
+++ b/source/History.tex
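Review bot: The new `figure` holding `sharkfork-21U.png` in the -10 hunk has `\label{fig:sharkfork-21U}` but no `\caption`, so the label binds to the current section counter instead of a figure number and `\ref{fig:sharkfork-21U}` will print the section number; add `\caption{\Glsentrytext{sharkfork} 21U hardware instance}` on the line before the label, which also gives the figure its list-of-figures entry. The deleted subsection's `\label{sec:hardware-sharkfork-21U}` is not re-added, so any cross-reference to it elsewhere in the manual is now undefined; if one exists, attach that label to the new caption or to the `\section{Hardware Cluster Overview}` heading.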
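Review bot: The added Netgear XS716T block in the -108 hunk breaks the unit layout its neighbours follow: it has no `%%% UNIT %%%` opener before `% Unit name` (the Iris NV2225 block immediately after it does), and there is an empty line between the `600 MHz Cortex-A9` and `512MB RAM` parameter rows, which inside the `tabu` is a paragraph break between rows rather than plain whitespace. Drop the blank line and add the opener so the `%%% UNIT %%%`/`%%% END UNIT %%%` pairs stay balanced and searchable. The enclosing `tabu` begins and ends outside the hunk.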
@@ -13,9 +13,9 @@
 \section{History}
 \subsection{Cluster Evolution}
-Forksand started deployment on dedicated servers.
+Forksand started deployment on \glspl{dedicatedserver}.
 \vspace{0.6cm}
- First stage. Exclusively dedicated servers (deprecated)
+ First stage. Exclusively \glspl{dedicatedserver} (deprecated)
 \vspace{0.4cm}
 \centering
 \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@@ -23,20 +23,20 @@ Forksand started deployment on dedicated servers.
 % \vspace{0.2cm}
 \raggedright
- Second stage. Dedicated servers along with a colocation
- cabinet. Flat hierarchy. (deprecated)
+ Second stage. \Glspl{dedicatedserver} along with a \Gls{colocation}
+ \Gls{cabinet}. Flat hierarchy. (deprecated)
 \vspace{0.1cm}
 In progress, services were being migrated one after another to
- a colocation instance. On the next stage hierarchy becomes vertical. \\
+ a \Gls{colocation} instance. On the next stage hierarchy becomes vertical. \\
 \vspace{0.1cm}
 \centering
 \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
 {sharkfork-cabling-2-mixed-vlan.pdf} \\ %
 %
 \raggedright
- Third stage. Dedicated servers buffered by
- a colocation cabinet. Vertical hierarchy. (deprecated)
+ Third stage. \Glspl{dedicatedserver} buffered by
+ a \Gls{colocation} \Gls{cabinet}. Vertical hierarchy. (deprecated)
 \vspace{0.4cm}
 \centering
 \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@@ -44,8 +44,8 @@ Forksand started deployment on dedicated servers.
 % \vspace{0.2cm}
 \raggedright
- Fourth stage. Dedicated servers discarded.
- Colocation cabinet buffered only with a firewall. (current)
+ Fourth stage. \Glspl{dedicatedserver} discarded.
+ \Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}. (current)
 \vspace{0.4cm}
 \centering
 \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm]
@@ -53,7 +53,7 @@ Forksand started deployment on dedicated servers. % \vspace{0.2cm} \raggedright - Final stage. Firewall discarded. Single colocation cabinet. (in process) + Final stage. \Gls{Firewall} discarded. Single \Gls{colocation} \Gls{cabinet}. (in process) \vspace{0.4cm} \centering %\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm] diff --git a/source/Network.tex b/source/Network.tex index 5f72138..371dbab 100644 --- a/source/Network.tex +++ b/source/Network.tex @@ -21,7 +21,7 @@ The first diagram is an overview, with networks listed, without the admin networ XXX Diagram. -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{fs-cloud-net-overview.pdf} % \caption{Fork Sand IT Manual Network Overview without Admin Net} % \label{fig:fs-cloud-net-overview} @@ -31,7 +31,7 @@ The second network, shows most servers, without the admin network. XXX Diagram. -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{ao-cloud-net.pdf} % \caption{Fork Sand IT Manual Network without Admin Net} % \label{fig:ao-cloud-net} 
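Review bot: `\Gls{Firewall}` references a glossary key `Firewall`, but the entry this commit defines in the preamble is `\newglossaryentry{firewall}{...}` and glossary labels are case-sensitive, so this line will produce an undefined-entry warning and `??` in the output; change it to `\Gls{firewall}`. The other reference in this file (`\gls{firewall}` on the Fourth-stage line) already uses the lowercase key. Because the History chapter is commented out in forksand-it-manual.tex in the same commit, the error will stay hidden until the chapter is re-enabled.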
@@ -47,6 +47,26 @@ be able to use... For now we will be using: \item Netgear 16-port 10 Gigabit RJ-45 \end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-TL-SG1048} + \caption{TP-link 48 port 1 Gigabit switch TL-SG1048 overview} + \label{fig:swichTLSG1048overview} +\end{figure} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-XS716T.png} + \caption{Netgear 16 port 10 Gigabit switch XS716T overview} + \label{fig:swichXS716Toverview} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-XS716T-si.png} + \caption{Netgear 16 port 10 Gigabit switch XS716T System Information} + \label{fig:swichXS716Tsysteminfo} +\end{figure} \section{IPMI Administration} The servers have low level administration done via HTML5 IPMI. diff --git a/source/Proxmox.tex b/source/Proxmox.tex index c93ff1c..55715e0 100644 --- a/source/Proxmox.tex +++ b/source/Proxmox.tex @@ -26,7 +26,7 @@ there is an installation manual for 5.x version, which is great. Documentation: \url{https://pve.proxmox.com/wiki/Documentation} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png} \caption{Proxmox Website} \label{fig:www-proxmox} @@ -54,7 +54,7 @@ containers and all necessary resources $\cdot$ Web based management interface for using the toolset \item Debian Stretch admin guide: \\ - \url{file:///C:/Users/P/Downloads/pve-admin-guide.pdf} + \url{https://pve.proxmox.com/pve-docs/pve-admin-guide.pdf} \end{itemize} 
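Review bot: The third new figure embeds a capture of the XS716T System Information page (`s-XS716T-si.png`); if that page shows the switch's serial number, MAC address, firmware build or management IP, those should be masked before the manual is published, since the document also lays out the firewall and IPMI topology around it. I could not inspect the image, so please verify; the same caveat applies to the OPNsense dashboard captures added under `sf-fw/` in this commit. Two smaller things: the labels are spelled `fig:swichTLSG1048overview` etc. (`switch`), and `{s-TL-SG1048}` omits the `.png` extension while the other two include it — harmless with graphicx but inconsistent — and the `\newpage` before the third figure is manual layout that the `[!htb]` placement should make unnecessary.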
@@ -84,16 +84,16 @@ The following servers will be deployed to host Proxmox and the KVMs: %virtual images. % %\subsection{Proxmox Web GUI Servers} -%A Proxmox's Web GUI for administration of the cluster. +%A Proxmox's Web GUI for administration of the \gls{cluster}. \subsection{Virtual Machine Nodes} Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store virtual images. -Every node includes a Proxmox's Web GUI service for administration of the cluster. -Any nodes included into the cluster may be configured by requesting to any node's GUI. +Every node includes a Proxmox's Web GUI service for administration of the \gls{cluster}. +Any nodes included into the \gls{cluster} may be configured by requesting to any node's GUI. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png} \caption{Proxmox Sunstone Web Admin GUI} \label{fig:proxmox-gui} @@ -134,13 +134,14 @@ URL: \url{http://localhost:8002/}, for shark2 \\ URL: \url{http://localhost:8003/}, for shark3 \\ URL: \url{http://localhost:8004/}, for shark4 \\ See example at fig. \ref{fig:proxmox-gui-port}: -\begin{figure}[!ht] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{shark2/23.png} \label{fig:proxmox-gui-port} \caption{Browse shark2 node, visible port No.} \end{figure} Info: This goes through https with self-signed certificate. -\item \texttt{Hostname} Changing the hostname and IP is not possible after cluster creation. Unlike OpenNebula. +\item \texttt{Hostname} Changing the hostname and IP is not possible after + \gls{cluster} creation. Unlike OpenNebula. %\item Click \texttt{Infrastructure}. %\item Click \texttt{Hosts}. %\item Click The \texttt{+} plus icon. diff --git a/source/Software-daemons.tex b/source/Software-daemons.tex index abdbb3a..45b3324 100644 --- a/source/Software-daemons.tex +++ b/source/Software-daemons.tex 
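Review bot: The rewrapped `\texttt{Hostname}` item is the only wording change in the `@@ -134` hunk, but the step it follows still tells the reader only that `This goes through https with self-signed certificate.` without saying how to decide whether to trust it, and an admin GUI reached through a forwarded `localhost:800x` port is exactly where an interposed certificate would go unnoticed. I would add one sentence after that line, e.g. `Before accepting the certificate, compare the fingerprint the browser shows with the one read from the node's certificate over your existing SSH session.` The surrounding enumeration starts before this hunk, so the exact placement is up to you.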
@@ -54,7 +54,7 @@ IMAP server, typically using Icedove or aomail (roundcube using IMAP). \section{\href{https://www.erlang.org/}{Erlang}} Virtual machine (ejabberd). -\section{{iptables}{Firewalls}} +\section{{iptables}{\Glspl{firewall}}} Linux's iptables. \section{\href{http://www.fail2ban.org/}{fail2ban}} @@ -419,7 +419,7 @@ Copy Gandi file for SSL authentication to /var/www/html/ After Gandi verifies it, remove the file. -Then disable port 80 in the firewall again: +Then disable port 80 in the \gls{firewall} again: \begin{minted}{sh} vim /etc/iptables.test.rules \end{minted} diff --git a/source/forksand-it-manual.tex b/source/forksand-it-manual.tex index 0873f7b..0252d6b 100644 --- a/source/forksand-it-manual.tex +++ b/source/forksand-it-manual.tex @@ -89,8 +89,20 @@ leftmargin=1cm,rightmargin=1cm %\usepackage{url} % /usr/share/doc/texlive-doc/latex/url/url.pdf % Use hyperref. \graphicspath{{./resources/}{./resources/images/}{./resources/drawings/}} -\makeindex -\makeglossary +\usepackage + [ + % acronym, + % %nopostdot, + % toc, + % shortcuts, + % xindy + automake + ] + {glossaries-extra} +\renewcommand*{\glstextformat}[1]{\textcolor{secondary-dark-brown}{\textbf{#1}}} +%\makeindex +%\makeglossary +\makeglossaries \usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf \usepackage{colortbl} @@ -233,8 +245,8 @@ leftmargin=1cm,rightmargin=1cm %%% END FOOTNOTES %%% %%% COLORS %%% -\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43} % ??? -%\definecolor{ao-purple}{cmyk}{0.85 0.90 0.00 0.05} % ??? +\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43} +\definecolor{ao-fork}{cmyk}{1.00 0.00 0.00 0.80} \definecolor{ao-dark-blue}{cmyk}{0.83 0.24 0.00 0.12} \definecolor{ao-light-blue}{cmyk}{0.41 0.15 0.00 0.09} \definecolor{ao-light-orange}{cmyk}{0.00 0.40 0.88 0.03} 
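Review bot: `\section{{iptables}{\Glspl{firewall}}}` puts a glossary command into a sectioning title, which is a moving argument: `\Glspl` is fragile there, records an index location for the heading's page, and is copied into the table of contents and hyperref bookmarks where the glossary link makes no sense; glossaries-extra provides `\Glsfmtplural{firewall}` for headings (if the installed version has it), or plain text is fine. The line also keeps the pre-existing oddity that, unlike the neighbouring `\section{\href{https://www.erlang.org/}{Erlang}}`, there is no `\href` here, so the two brace groups simply concatenate into `iptablesFirewalls`. Something like `\section{iptables \Glsfmtplural{firewall}}` fixes both.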
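Review bot: The `automake` option given to `glossaries-extra` makes the package try to run makeindex/xindy itself through TeX's shell escape (`\write18`) on every compile; that only works when the engine is invoked with shell escape enabled, and once it is, anything in the .tex sources can execute commands on the build host. If the glossary is produced by an explicit makeglossaries step outside LaTeX (the commented `% xindy` line suggests an external tool is intended), drop `automake` and keep `\makeglossaries` alone so the document never needs `--shell-escape`. Also make sure `glossaries-extra` is loaded after hyperref — the preamble comment says hyperref is used but its `\usepackage` line is not in this hunk — since loading order decides whether glossary links work. Separately, this commit adds `source/glossary.sty`, a 2004 copy of the obsolete `glossary` package whose header forbids standalone distribution; nothing in the visible sources loads it, so it looks like it should be removed.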
@@ -244,10 +256,11 @@ leftmargin=1cm,rightmargin=1cm \definecolor{ao-white}{cmyk}{0.00 0.00 0.00 0.00} \definecolor{ao-black}{cmyk}{1.00 1.00 1.00 1.00} \definecolor{lulzbot-green}{cmyk}{0.11 0.00 0.78 0.15} -\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5 -\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0 -\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31 -\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31 +\definecolor{secondary-dark-brown}{cmyk}{0.00 0.38 0.74 0.48} +\definecolor{secondary-brown}{cmyk}{0.00 0.07 0.20 0.05} +\definecolor{primary-blue}{cmyk}{0.37 0.04 0.00 0.00} +\definecolor{primary-brown}{cmyk}{0.00 0.28 0.68 0.31} +\definecolor{nonbrand-dark-blue}{cmyk}{0.83 0.28 0.00 0.57} %%% END COLORS %%% 
@@ -257,6 +270,39 @@ leftmargin=1cm,rightmargin=1cm %\typeoutstandardlayout %%% END DEBUG %%% +\newglossaryentry{cluster}{name={cluster},plural={clusters}, + description={, computer cluster is a set of loosely or + tightly connected computers that work together so that, in + many respects, they can be viewed as a single system.}} +\newglossaryentry{dedicatedserver}{ + name={dedicated server},plural={dedicated servers}, + description={, or managed hosting service + is a type of Internet hosting in which the client leases + an entire server not shared with anyone else.}} +\newglossaryentry{sharkfork}{ + name={SharkFork}, + description={is a SharkTech provided \Gls{colocation} for a + \gls{cluster} with Fork Sand \Gls{colocation} \Gls{cabinet}}} +\newglossaryentry{colocation}{name={colocation},plural={colocations}, + description={ centre (also spelled co-location, or colo) or "carrier + hotel", is a type of data centre where equipment, space, + and bandwidth are available for rental to retail customers.}} +\newglossaryentry{cabinet}{name={cabinet},plural={cabinets}, + description={, inside a data center, is a locking unit + that holds a server rack.}} +\newglossaryentry{gnulinux}{name={GNU/Linux}, + description={ is a term promoted by the Free Software Foundation + (FSF) and its founder Richard Stallman.[6] Proponents call for + the correction of the more extended term, on the grounds that it + doesn't give credit to the major contributor and the associated + free software philosophy.}} +\newglossaryentry{firewall}{name={firewall},plural={firewalls}, + description={ In computing, a firewall is a network security system + that monitors and controls incoming and outgoing network traffic + based on predetermined security rules.[1] A firewall typically + establishes a barrier between a trusted internal network and + untrusted external network, such as the Internet.}} + %%% END OF PREAMBLE %%% \begin{document} 
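Review bot: The descriptions of `gnulinux` and `firewall` carry Wikipedia citation markers (`Stallman.[6]`, `security rules.[1]`) that will be typeset verbatim, and several descriptions begin with a comma or a lower-case fragment (`description={, computer cluster is ...}`, `description={ centre (also spelled ...}`) that only reads correctly if the glossary style prints the name immediately before the description; with the usual styles the entry will appear as "cluster , computer cluster is ...". Drop the markers and make each description a standalone sentence, e.g. `description={A set of loosely or tightly connected computers that work together so that, in many respects, they can be viewed as a single system.}`. If the wording is taken from Wikipedia, as it appears to be, the text is CC BY-SA and the manual needs an attribution note, or the entries should be reworded.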
@@ -387,14 +433,14 @@ leftmargin=1cm,rightmargin=1cm \chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense} \chapterconf{Proxmox}{Proxmox}{Virtual Machines} \chapterconf{Ansible}{Ansible}{Cluster Administration} -\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} -\chapterconf{NTP}{Network Time Protocol}{A Hole in Time} -\chapterconf{Firmware}{Firmware}{Embedded Software} -\chapterconf{History}{History}{Evolution History} -%%% Appendix %%% -%\part{Appendix} % XXX -\appendix -\chapterconf{Source}{Free Software}{Free Software and Configurations} +%\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} +%\chapterconf{NTP}{Network Time Protocol}{A Hole in Time} +%\chapterconf{Firmware}{Firmware}{Embedded Software} +%\chapterconf{History}{History}{Evolution History} +%%%% Appendix %%% +%%\part{Appendix} % XXX +%\appendix +%\chapterconf{Source}{Free Software}{Free Software and Configurations} %% END MAINMATTER CHAPTERS %%% @@ -414,7 +460,8 @@ leftmargin=1cm,rightmargin=1cm \renewcommand{\memglonum}[1]{} \clearpage -\printglossary +%\addcontentsline{toc}{chapter}{Glossary} +\printglossaries %%% END GLOSSARY %%% %%% CONTACT %%% diff --git a/source/glossary.sty b/source/glossary.sty new file mode 100644 index 0000000..aaeddd6 --- /dev/null +++ b/source/glossary.sty 
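Review bot: The hunk removes four chapters (DNS, NTP, Firmware, History) and the Free Software appendix from the built manual by commenting out their `\chapterconf` lines, with no comment saying why or when they come back; History.tex is edited in this same commit while being dropped from the build, which suggests a temporary workaround rather than a content decision. Add the reason next to the block, e.g. `% XXX Chapters disabled temporarily while the glossary build is fixed; re-enable before release`, or leave them enabled. If the intent really is to ship without them, say so explicitly, because judging by their titles those chapters hold the time-synchronisation and firmware guidance a reader of an IT manual would look for.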
@@ -0,0 +1,440 @@ +%% +%% This is file `glossary.sty', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% glossary.dtx (with options: `package') +%% Copyright (C) 2000 Nicola Talbot, all rights reserved. +%% If you modify this file, you must change its name first. +%% You are NOT ALLOWED to distribute this file alone. You are NOT +%% ALLOWED to take money for the distribution or use of either this +%% file or a changed version, except for a nominal charge for copying +%% etc. +%% \CharacterTable +%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z +%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z +%% Digits \0\1\2\3\4\5\6\7\8\9 +%% Exclamation \! Double quote \" Hash (number) \# +%% Dollar \$ Percent \% Ampersand \& +%% Acute accent \' Left paren \( Right paren \) +%% Asterisk \* Plus \+ Comma \, +%% Minus \- Point \. Solidus \/ +%% Colon \: Semicolon \; Less than \< +%% Equals \= Greater than \> Question mark \? +%% Commercial at \@ Left bracket \[ Backslash \\ +%% Right bracket \] Circumflex \^ Underscore \_ +%% Grave accent \` Left brace \{ Vertical bar \| +%% Right brace \} Tilde \~} +\NeedsTeXFormat{LaTeX2e} +\ProvidesPackage{glossary}[2004/11/02 2.12 (NLCT)] +\RequirePackage{ifthen} +\RequirePackage{keyval} +\define@key{gloss} + {style} + {\ifthenelse{\equal{#1}{list} \or \equal{#1}{altlist} \or \equal{#1}{super} \or \equal{#1}{long}} + {\def\gls@style{#1}} + {\PackageError{glossary} + {Unknown glossary style '#1'} + {Available styles are: list, altlist, super and long}}} + +\define@key{gloss} + {header}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} + {\def\gls@header{#1}} + {\PackageError{glossary} + {Unknown glossary style '#1'} + {Available styles are: none and plain}}} + +\define@key{gloss} + {border}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} + {\def\gls@border{#1}} + {\PackageError{glossary} + {Unknown glossary border '#1'} + {Available styles are: none 
and plain}}} +\newcount\gls@cols +\define@key{gloss}{cols}{\gls@cols=#1\relax +\ifthenelse{\gls@cols<2 \or \gls@cols>3} + {\PackageError{glossary} + {invalid number of columns} + {The cols option can only be 2 or 3}} + {}} + +\define@key{gloss} + {number} + {\ifthenelse{\equal{#1}{none}\or\equal{#1}{page}\or\equal{#1}{section}} + {\def\gls@number{#1}} + {\PackageError{glossary} + {Unknown glossary number style '#1'} + {Available styles are: none, page and section}}} + +\newif\ifgls@toc +\define@key{gloss}{toc}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname gls@toc#1\endcsname} + {\PackageError{glossary}{Glossary option 'toc' is boolean} + {The value of 'toc' can only be set to 'true' or 'false'}}} + +\newif\ifgls@section +\define@key{gloss}{section}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname gls@section#1\endcsname} + {\PackageError{glossary}{Glossary option 'section' is boolean} + {The value of 'section' can only be set to 'true' or 'false'}}} +\gls@sectionfalse + +\newif\ifglshyper +\define@key{gloss}{hyper}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname glshyper#1\endcsname} + {\PackageError{glossary}{Glossary option 'hyper' is boolean} + {The value of 'hyper' can only be set to 'true' or 'false'}}} +\def\gls@style{long} +\def\gls@header{none} +\def\gls@border{none} +\def\gls@number{page} +\gls@cols=2\relax +\gls@tocfalse +\@ifundefined{hyperpage}{\glshyperfalse}{\glshypertrue} + +\DeclareOption*{\edef\@pkg@ptions{\noexpand\setkeys{gloss}{\CurrentOption}} +\ifthenelse{\equal{\CurrentOption}{}}{}{\@pkg@ptions}} + +\ProcessOptions +\ifthenelse{\(\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}\) \and \(\not\equal{\gls@header}{none} \or \not\equal{\gls@border}{none} \or \gls@cols=3\)} +{\PackageError{glossary}{You can't have option 'style=list' or 'style=altlist' in combination with any of the other options} +{The 'list' and 'altlist' options don't have a header, border or number of 
columns option.}} +{} +\define@key{wrgloss}{name}{\def\@n@me{#1}} +\define@key{wrgloss}{description}{\def\@descr{#1}} +\define@key{wrgloss}{sort}{\def\@s@rt{#1}} +\define@key{wrgloss}{format}{\def\@f@rm@t{#1}} +\renewcommand{\@wrglossary}[1]{\relax +\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax + \setkeys{wrgloss}{#1}\relax + \ifthenelse{\equal{\@s@rt}{}} + {\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax + }{\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax + }\relax + \endgroup\@esphack +} +\ifthenelse{\equal{\gls@number}{page}}{ + \newcommand{\theglossarynum}{\thepage} + \newcommand{\pagecompositor}{-} + \newcommand{\delimN}{, } + \newcommand{\delimR}{--} + \ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi} + {\ifthenelse{\equal{\gls@number}{section}} + {\newcommand{\theglossarynum}{\thesection} + \newcommand{\pagecompositor}{.} + \newcommand{\delimN}{, } + \newcommand{\delimR}{--} + \ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi} + {\newcommand{\theglossarynum}{\thepage} + \newcommand{\pagecompositor}{-} + \newcommand{\delimN}{} + \newcommand{\delimR}{} + \newcommand{\glsnumformat}[1]{}}} +\newcommand\printglossary{\@input@{\jobname.gls}} +\newcommand{\glossaryname}{Glossary} +\newcommand{\entryname}{Notation} +\newcommand{\descriptionname}{Description} +\newcommand{\istfilename}{\jobname.ist} +\newenvironment{theglossary} + {\@ifundefined{chapter} + 
{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi} + {\ifthenelse{\boolean{gls@section}}{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi} +{\chapter*{\glossaryname}\ifgls@toc\addcontentsline{toc}{chapter}{\glossaryname}\fi}} + \glossarypreamble\@bef@reglos} + {\@ftergl@s\glossarypostamble} + +\newcommand{\glossarypreamble}{} +\newcommand{\glossarypostamble}{} + +\newif\ifgloitemfirst +\newcommand{\@bef@reglos}{\global\gloitemfirsttrue\beforeglossary} +\newcommand{\@ftergl@s}{\afterglossary\global\gloitemfirstfalse} + +\ifthenelse{\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}} +{ +\newcommand{\beforeglossary}{\begin{description}} +\newcommand{\afterglossary}{\end{description}} +\newcommand{\gloskip}{\indexspace} +\ifthenelse{\equal{\gls@style}{list}} + {\newcommand{\gloitem}[1]{\item[#1]} + \newcommand{\glodelim}{, }} + {\newcommand{\gloitem}[1]{\item[#1]\mbox{}\par} + \newcommand{\glodelim}{ }} +}{ +\ifthenelse{\equal{\gls@style}{super}}{ +\IfFileExists{supertab.sty}{\RequirePackage{supertab}} +{\IfFileExists{supertabular.sty}{\RequirePackage{supertabular}} +{\PackageError{glossary}{Option "super" chosen, but can't find "supertab" package} +{If you want the "super" option, you have to have the "supertab" package installed.}}} +} +{\RequirePackage{longtable}} + +\newlength{\descriptionwidth} +\setlength{\descriptionwidth}{0.6\textwidth} + +\ifthenelse{\equal{\gls@header}{none}} +{ + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader}{}} + {\newcommand{\glossaryheader}{\hline }} +} +{ +\ifnum\gls@cols=2\relax + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader} + {\bfseries\entryname & \bfseries \descriptionname\\}} + {\newcommand{\glossaryheader} + {\hline\bfseries\entryname & \bfseries\descriptionname + \\\hline\hline}} +\else + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader} + {\bfseries\entryname & \bfseries 
\descriptionname & \\}} + {\newcommand{\glossaryheader} + {\hline\bfseries\entryname &\bfseries\descriptionname & + \\\hline\hline}} +\fi +} + +\ifthenelse{\equal{\gls@border}{none}} +{ +\ifnum\gls@cols=2\relax + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}}{ + \newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}} +\else + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}}{ + \newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}} +\fi + + \ifthenelse{\equal{\gls@style}{super}}{ + \newcommand{\afterglossary}{ \\\end{supertabular}} + } + { + \newcommand{\afterglossary}{ \\\end{longtable}} + } + + \newcommand{\glosstail}{} +} +{ +\ifnum\gls@cols=2\relax + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}}{ + \newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}} +\else + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}}{ + \newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}} +\fi + + \ifthenelse{\equal{\gls@style}{super}}{ + \newcommand{\afterglossary}{ \\\hline\end{supertabular}} + } + { + \newcommand{\afterglossary}{ \\\hline\end{longtable}} + } + + \newcommand{\glosstail}{\hline} +} + +\ifthenelse{\equal{\gls@style}{super}} +{ + \@ifundefined{newcolumntype}{ + \newcommand{\beforeglossary} + {\tablehead{\glossaryheader}\tabletail{\glosstail} + \begin{supertabular}{\glossaryalignment}}} + {\newcommand{\beforeglossary} + {\tablehead{\glossaryheader}\tabletail{\glosstail} + \begin{supertabular}{G}}} +} +{ + \@ifundefined{newcolumntype}{\newcommand{\beforeglossary} + {\begin{longtable}{\glossaryalignment} + \glossaryheader\endhead\glosstail\endfoot}} + {\newcommand{\beforeglossary} + {\begin{longtable}{G} + 
\glossaryheader\endhead\glosstail\endfoot}} +} + +\ifnum\gls@cols=2\relax +\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi &} +\newcommand{\glodelim}{, } +\else +\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi & &} +\newcommand{\glodelim}{& } +\fi +\newcommand{\gloitem}[1]{\ifgloitemfirst\global\gloitemfirstfalse #1 \else \\#1 \fi &} +} + +\ifthenelse{\equal{\gls@number}{none} \and \gls@cols<3}{\renewcommand{\glodelim}{}}{} +\newif\ifist +\let\noist=\istfalse +\if@filesw\isttrue\else\istfalse\fi + +\newwrite\istfile +\catcode`\%11\relax +\newcommand{\writeist}{ +\openout\istfile=\istfilename +\write\istfile{% makeindex style file created by LaTeX for document "\jobname" on \the\year-\the\month-\the\day} +\write\istfile{keyword "\string\\glossaryentry"} +\write\istfile{preamble "\string\\begin{theglossary}"} +\write\istfile{postamble "\string\n\string\\end{theglossary}\string\n"} +\write\istfile{group_skip "\string\\gloskip "} +\write\istfile{item_0 "\string\n\string\\gloitem "} +\write\istfile{delim_0 "\string\n\string\\glodelim "} +\write\istfile{page_compositor "\pagecompositor"} +\write\istfile{delim_n "\string\\delimN "} +\write\istfile{delim_r "\string\\delimR "} +\closeout\istfile +} +\catcode`\%14\relax +\renewcommand{\makeglossary}{ +\newwrite\@glossaryfile +\immediate\openout\@glossaryfile=\jobname.glo +\def\glossary{\@bsphack \begingroup \@sanitize \@wrglossary } +\typeout {Writing glossary file \jobname .glo } +\let \makeglossary \@empty +\ifist\writeist\fi +\noist} +\newcommand{\newglossarytype}[3]{ +\@ifundefined{#1}{% +\def\@glstype{#1}\def\@glsout{#2}\def\@glsin{#3}% +\expandafter\edef\csname make\@glstype\endcsname{\noexpand\@m@kegl@ss{\@glstype}{\@glsout}} +\expandafter\edef\csname \@glstype\endcsname{\noexpand\@gl@ss@ary{\@glstype}} +\expandafter\edef\csname print\@glstype\endcsname{\noexpand\@prntgl@ss@ry{\@glsin}} +}{\PackageError{glossary}{Command \expandafter\string\csname #1\endcsname 
\space already defined}{% +You can't call your new glossary type '#1' because there already exists a command with this name}} +} +\newcommand\@m@kegl@ss[2]{ +\expandafter\newwrite\csname @#1file\endcsname +\expandafter\immediate\expandafter\openout\csname @#1file\endcsname=\jobname.#2 +\typeout {Writing #1 file \jobname .#2 } +\expandafter\let \csname make#1\endcsname \@empty +\ifist\writeist\fi +\expandafter\def\csname the#1num\endcsname{\thepage} +\noist +} +\newcommand{\@wrgl@ss@ry}[2]{\relax +\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax + \setkeys{wrgloss}{#2}\relax + \ifthenelse{\equal{\@s@rt}{}} + {\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax + }{\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax + }\relax + \endgroup\@esphack +} +\newcommand\@gl@ss@ary[1]{\@ifundefined{@#1file}{\@bsphack\begingroup \@sanitize \@index}{\@bsphack \begingroup \@sanitize \@wrgl@ss@ry{#1}}} +\newcommand\@prntgl@ss@ry[1]{\@input@{\jobname.#1}} +\@onlypreamble{\newglossarytype} +\newcommand\@acrnmsh{} +\newcommand\@acrnmln{} +\newcommand\@acrnmcmd{} +\newcommand\@acrnmgls{} +\newcommand\@acrnmins{} + +\newcommand{\glsprimaryfmt}[1]{\textbf{\glsnumformat{#1}}} + +\newcommand{\newacronym}[4][]{% +\ifthenelse{\equal{#1}{}}{\renewcommand\@acrnmcmd{#2}}{\renewcommand\@acrnmcmd{#1}} +\@ifundefined{\@acrnmcmd}{% +\renewcommand\@acrnmsh{#2} 
+\renewcommand\@acrnmln{#3} +\expandafter\gdef\csname @\@acrnmcmd @glsentry\endcsname{{name={#3 (#2)},format=glsnumformat,#4}}% +\newboolean{\@acrnmcmd first}\setboolean{\@acrnmcmd first}{true}% +\expandafter\edef\csname @\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}% +{\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname% +\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse +}% +{\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}} +\expandafter\edef\csname @s@\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}% +{\noexpand\MakeUppercase\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname% +\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse +}% +{\noexpand\MakeUppercase\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}} +\expandafter\edef\csname\@acrnmcmd\endcsname{\noexpand\@ifstar\expandafter\noexpand\csname @s@\@acrnmcmd\endcsname +\expandafter\noexpand\csname @\@acrnmcmd\endcsname}% +} +{\PackageError{glossary}{Command '\expandafter\string\csname\@acrnmcmd\endcsname' already defined}{ +The command name specified by \string\newacronym already exists.}}} + +\newcommand{\useacronym}{\@ifstar\@suseacronym\@useacronym} +\newcommand{\@suseacronym}[2][]{{\def\@acrnmins{#1}\csname @s@#2\endcsname}} +\newcommand{\@useacronym}[2][]{{\def\@acrnmins{#1}\csname @#2\endcsname}} +\ifglshyper +\def\glshyperpage#1{\@glshyperpage#1\delimR \delimR \\} +\def\@glshyperpage#1\delimR #2\delimR #3\\{% + \ifx\\#2\\% + \@delimNhyperpage{#1}% + \else + \@ifundefined{hyperlink}{#1\delimR 
#2}{\hyperlink{page.#1}{#1}\delimR \hyperlink{page.#2}{#2}}% + \fi +} + +\def\@delimNhyperpage#1{\@@delimNhyperpage#1\delimN \delimN\\} +\def\@@delimNhyperpage#1\delimN #2\delimN #3\\{% + \ifx\\#2\\% + \@ifundefined{hyperlink}{#1}{\hyperlink{page.#1}{#1}}% + \else + \@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{page.#1}{#1}\delimN \hyperlink{page.#2}{#2}}% + \fi +} + +\def\glshypersection#1{\@glshypersection#1\delimR \delimR \\} +\def\@glshypersection#1\delimR #2\delimR #3\\{% + \ifx\\#2\\% + \@delimNhypersection{#1}% + \else + \@ifundefined{hyperlink}{#1\delimR #2}{\hyperlink{section.#1}{#1}\delimR \hyperlink{section.#2}{#2}}% + \fi +} + +\def\@delimNhypersection#1{\@@delimNhypersection#1\delimN \delimN\\} +\def\@@delimNhypersection#1\delimN #2\delimN #3\\{% + \ifx\\#2\\% + \@ifundefined{hyperlink}{#1}{\hyperlink{section.#1}{#1}}% + \else + \@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{section.#1}{#1}\delimN \hyperlink{section.#2}{#2}}% + \fi +} + +\ifthenelse{\equal{\gls@number}{section}}{ +\ifglshyper +\@ifundefined{chapter} + {} + {\let\@gls@old@chapter\@chapter + \def\@chapter[#1]#2{\@gls@old@chapter[{#1}]{#2}\@ifundefined{hyperdef}{}{\hyperdef{section}{\thechapter.0}{}}}} +\fi + +\providecommand\hyperrm[1]{\textrm{\glshypersection{#1}}} +\providecommand\hypersf[1]{\textsf{\glshypersection{#1}}} +\providecommand\hypertt[1]{\texttt{\glshypersection{#1}}} +\providecommand\hyperbf[1]{\textbf{\glshypersection{#1}}} +\providecommand\hyperit[1]{\textit{\glshypersection{#1}}} +} +{ +\providecommand\hyperrm[1]{\textrm{\glshyperpage{#1}}} +\providecommand\hypersf[1]{\textsf{\glshyperpage{#1}}} +\providecommand\hypertt[1]{\texttt{\glshyperpage{#1}}} +\providecommand\hyperbf[1]{\textbf{\glshyperpage{#1}}} +\providecommand\hyperit[1]{\textit{\glshyperpage{#1}}} +} +\else +\providecommand\hyperrm[1]{\textsf{#1}} +\providecommand\hypersf[1]{\textsf{#1}} +\providecommand\hypertt[1]{\texttt{#1}} +\providecommand\hyperbf[1]{\textbf{#1}} 
+\providecommand\hyperit[1]{\textit{#1}} +\fi +\endinput +%% +%% End of file `glossary.sty'. diff --git a/source/resources/images/s-TL-SG1048.png b/source/resources/images/s-TL-SG1048.png new file mode 100644 index 0000000..653fed5 Binary files /dev/null and b/source/resources/images/s-TL-SG1048.png differ diff --git a/source/resources/images/s-XS716T-si.png b/source/resources/images/s-XS716T-si.png new file mode 100644 index 0000000..6be8165 Binary files /dev/null and b/source/resources/images/s-XS716T-si.png differ diff --git a/source/resources/images/s-XS716T.png b/source/resources/images/s-XS716T.png new file mode 100644 index 0000000..6eb8994 Binary files /dev/null and b/source/resources/images/s-XS716T.png differ diff --git a/source/resources/images/sf-fw/ssc-opns-dash13-admin1.png b/source/resources/images/sf-fw/ssc-opns-dash13-admin1.png new file mode 100644 index 0000000..e2e3d0f Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash13-admin1.png differ diff --git a/source/resources/images/sf-fw/ssc-opns-dash14-admin2.png b/source/resources/images/sf-fw/ssc-opns-dash14-admin2.png new file mode 100644 index 0000000..a4480de Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash14-admin2.png differ diff --git a/source/resources/images/sf-fw/ssc-opns-dash15-notif.png b/source/resources/images/sf-fw/ssc-opns-dash15-notif.png new file mode 100644 index 0000000..29d0e2c Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash15-notif.png differ diff --git a/source/resources/images/sf-fw/ssc-opns-dash16-misc1.png b/source/resources/images/sf-fw/ssc-opns-dash16-misc1.png new file mode 100644 index 0000000..6f1b1c3 Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash16-misc1.png differ 
diff --git a/source/resources/images/sf-fw/ssc-opns-dash17-misc2.png b/source/resources/images/sf-fw/ssc-opns-dash17-misc2.png new file mode 100644 index 0000000..fdf4afe Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash17-misc2.png differ diff --git a/source/resources/images/sf-fw/ssc-opns-dash18-misc3.png b/source/resources/images/sf-fw/ssc-opns-dash18-misc3.png new file mode 100644 index 0000000..3aec05e Binary files /dev/null and b/source/resources/images/sf-fw/ssc-opns-dash18-misc3.png differ