From a8fe81553906fbf9f5cbcf5ed9b6e93e9944f32b Mon Sep 17 00:00:00 2001 
From: Linreigns Date: Sat, 26 May 2018 11:34:45 +0300 Subject: [PATCH] Started glossary, firewall split, added attachments, minor fixes, --- .gitignore | 3 + build.sh | 2 + source/Ansible.tex | 2 +- source/Clouds/Flokinet.tex | 12 +- source/Clouds/Sharktech.tex | 10 +- source/Distros.tex | 4 +- source/Distros/Debian.tex | 4 +- source/Distros/Distros-tmpl.tex | 2 +- source/Firewall-opnsense.tex | 607 ++++++++++++++++++ source/Firewalls.tex | 570 +--------------- source/Hardware.tex | 65 +- source/History.tex | 20 +- source/Network.tex | 24 +- source/Proxmox.tex | 17 +- source/Software-daemons.tex | 4 +- source/forksand-it-manual.tex | 81 ++- source/glossary.sty | 440 +++++++++++++ source/resources/images/s-TL-SG1048.png | Bin 0 -> 184364 bytes source/resources/images/s-XS716T-si.png | Bin 0 -> 208969 bytes source/resources/images/s-XS716T.png | Bin 0 -> 798119 bytes .../images/sf-fw/ssc-opns-dash13-admin1.png | Bin 0 -> 161860 bytes .../images/sf-fw/ssc-opns-dash14-admin2.png | Bin 0 -> 154021 bytes .../images/sf-fw/ssc-opns-dash15-notif.png | Bin 0 -> 145395 bytes .../images/sf-fw/ssc-opns-dash16-misc1.png | Bin 0 -> 180170 bytes .../images/sf-fw/ssc-opns-dash17-misc2.png | Bin 0 -> 170164 bytes .../images/sf-fw/ssc-opns-dash18-misc3.png | Bin 0 -> 184928 bytes 26 files changed, 1227 insertions(+), 640 deletions(-) create mode 100644 source/Firewall-opnsense.tex create mode 100644 source/glossary.sty create mode 100644 source/resources/images/s-TL-SG1048.png create mode 100644 source/resources/images/s-XS716T-si.png create mode 100644 source/resources/images/s-XS716T.png create mode 100644 source/resources/images/sf-fw/ssc-opns-dash13-admin1.png create mode 100644 source/resources/images/sf-fw/ssc-opns-dash14-admin2.png create mode 100644 source/resources/images/sf-fw/ssc-opns-dash15-notif.png create mode 100644 source/resources/images/sf-fw/ssc-opns-dash16-misc1.png create mode 100644 source/resources/images/sf-fw/ssc-opns-dash17-misc2.png create mode 100644 
source/resources/images/sf-fw/ssc-opns-dash18-misc3.png diff --git a/.gitignore b/.gitignore index 8782067..08c8596 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,8 @@ forksand-it-manual.pdf *~ .~lock.*# *.aux +*.glg +*.ist *.bbl *.blg .fuse_hidden* @@ -19,6 +21,7 @@ _minted-* *.swp *.toc *.xdv +*.xdy *.zip *.fls *.fdb_latexmk diff --git a/build.sh b/build.sh index f72ca05..f43067f 100755 --- a/build.sh +++ b/build.sh @@ -27,6 +27,8 @@ xelatex \ -interaction=nonstopmode \ forksand-it-manual.tex +makeglossaries-lite "forksand-it-manual" + for i in $(ls *.pdf); do mv -f $i ../$i ; done # in windows every file must be processed explicitly exit 0 diff --git a/source/Ansible.tex b/source/Ansible.tex index 747c7b4..c0729a4 100644 --- a/source/Ansible.tex +++ b/source/Ansible.tex @@ -123,7 +123,7 @@ The following applications are required to utilize this this section objectives. Ansible can be installed using Python PIP. \begin{itemize} \item \texttt{Ansible} 2.4.x+ - \item \texttt{Python} 2.7.9+ + \item \texttt{Python} 2.7.x+ \textcolor[rgb]{0.80,0.00,0.00}{Todo clarify confusion over version requirements} \end{itemize} diff --git a/source/Clouds/Flokinet.tex b/source/Clouds/Flokinet.tex index f2a7f30..8c12127 100644 --- a/source/Clouds/Flokinet.tex +++ b/source/Clouds/Flokinet.tex @@ -32,7 +32,7 @@ We encourage you to do so! We are able to supply secure and stable environments FlokiNET runs Tor exit and relay nodes. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-flokinet.png} \caption{Flokinet Website} \label{fig:www-flokinet} 
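Review bot: `makeglossaries-lite "forksand-it-manual"` is added after the xelatex run and is followed only by the `mv` loop, so the glossary file it produces is never typeset into the PDF that gets moved out; one more xelatex pass is needed after the glossary step, e.g. `makeglossaries-lite "forksand-it-manual" && xelatex -interaction=nonstopmode forksand-it-manual.tex`. The call's exit status is also not checked (whether the script runs under `set -e` is outside the hunk), so a missing or failing makeglossaries-lite would silently ship a PDF with an empty glossary.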
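Review bot: The changed `\item` carries its "Todo" marker as inline visual markup (`\textcolor[rgb]{0.80,0.00,0.00}{...}`), which will be repeated verbatim wherever the next todo lands and cannot be found or switched off centrally. A small semantic macro in the preamble, e.g. `\newcommand*{\todonote}[1]{\textcolor[rgb]{0.80,0.00,0.00}{Todo: #1}}`, lets the item read `\todonote{clarify confusion over version requirements}` and keeps the styling in one place.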
@@ -141,11 +141,11 @@ FlokiNET Pros: \item The entire reason for FlokiNET to exist is to help people publish in repressive environments. \item Strong dedication to privacy. \item Based in Iceland. - \item Dedicated servers aren't too expensive. + \item \Glspl{dedicatedserver} aren't too expensive. \item Romanian VPS is OpenVZ and KVM. \item Finnish VPS is KVM. \item Has private domain registration services. - \item Colocation available. + \item \Gls{colocation} available. \item ``FlokiNET is proud to be completly Tor Project logo-friendly. Feel free to host a TOR-node with us!'' \item ``DDoS mitigation cloud has 950 Gbps filtering capacity.'' \item Finland and Iceland are free speech friendlier countries. @@ -163,7 +163,7 @@ FlokiNET Cons: \begin{itemize} \item Iceland Virtual Private Server uses VMWare. - \item Dedicated servers look like older HP models. + \item \Glspl{dedicatedserver} look like older HP models. \item Bandwidth is OK, but not great as they are on a remote island. \item VoIP URL is 404 \url{https://flokinet.is/en/learnsecurevoip.php}. \item Uses WHMCS for account services management (non-free software). @@ -184,7 +184,7 @@ is4423 tty1 - 02:24 2:16m 0.17s 0.08s -bash \subsection{FlokiNET Unknown} \begin{itemize} - \item IPMI on dedicated servers? + \item IPMI on \glspl{dedicatedserver}? \item The IP in \texttt{/etc/hosts} for the hostname wasn't the same as used for SSH. - Either a mistake or firewall forwarded for security (???). Appears to be mistake. + Either a mistake or \gls{firewall} forwarded for security (???). Appears to be mistake. \end{itemize} diff --git a/source/Clouds/Sharktech.tex b/source/Clouds/Sharktech.tex index eb258f5..2088846 100644 --- a/source/Clouds/Sharktech.tex +++ b/source/Clouds/Sharktech.tex 
@@ -16,13 +16,13 @@ Looks good. Manually provisions servers over a few days. Good local speed and latency. \url{https://sharktech.net/} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech.png} \caption{Sharktech Website} \label{fig:www-sharktech} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech-dashboard-services.png} \caption{Sharktech Dashboard Services Web Page} \label{fig:www-sharktech-dashboard-services} @@ -54,17 +54,17 @@ Firmware Build Time : 2015-01-05 # XXX takes 7 minutes to reboot. \end{minted} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp.png} \caption{Sharktech Reboot DHCP Hang} \label{fig:sharktech-reboot-dhcp} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp-2.png} \caption{Sharktech Reboot DHCP Hang 2} \label{fig:sharktech-reboot-dhcp-2} \end{figure} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-grub.png} \caption{Sharktech Reboot GRUB} \label{fig:sharktech-reboot-grub} diff --git a/source/Distros.tex b/source/Distros.tex index ca11a18..bdaba3e 100644 --- a/source/Distros.tex +++ b/source/Distros.tex @@ -15,8 +15,8 @@ The following operating systems will be used: \begin{itemize} - \item Debian GNU/Linux --- For Utility, Ceph, and OpenNebula Servers. - \item OPNSense --- Firewalls. + \item Debian \gls{gnulinux} --- For Utility, Ceph, and OpenNebula Servers. + \item OPNSense --- \Glspl{firewall}. \end{itemize} \input{Distros/Debian} 
diff --git a/source/Distros/Debian.tex b/source/Distros/Debian.tex index 25658f4..0a795da 100644 --- a/source/Distros/Debian.tex +++ b/source/Distros/Debian.tex @@ -13,7 +13,7 @@ \section{Debian} Debian is a free software GNU/Linux distribution. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png} \caption{Debian Website} \label{fig:www-debian} @@ -56,7 +56,7 @@ Here are some for Debian... The \texttt{packer} application in Debian looks particularly useful. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-packer.png} \caption{Packer Website} \label{fig:www-packer} diff --git a/source/Distros/Distros-tmpl.tex b/source/Distros/Distros-tmpl.tex index 87c427d..3000984 100644 --- a/source/Distros/Distros-tmpl.tex +++ b/source/Distros/Distros-tmpl.tex @@ -12,7 +12,7 @@ \section{DISTRO} Website: % \url{https://www.distro.org} -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-distro.png} % \caption{DISTRO Website} % \label{fig:www-distro} diff --git a/source/Firewall-opnsense.tex b/source/Firewall-opnsense.tex new file mode 100644 index 0000000..a57fa42 --- /dev/null +++ b/source/Firewall-opnsense.tex 
@@ -0,0 +1,607 @@ +% +% Firewall-opnsense.tex +% +% Fork Sand IT Manual +% +% Copyright (C) 2018, Fork Sand, Inc. +% Issued by Oleksandr Papevis +% +% This document is licensed under the Creative Commons Attribution 4.0 +% International Public License (CC BY-SA 4.0) by Fork Sand, Inc. +% + +\section{Hardware Overview} + +\begin{itemize} + \item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/} + \\ \url{https://wiki.opnsense.org/index.html} + \item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm} +\end{itemize} + +The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O. +That means that both the rear I/O ports as well as the I/O expansion +ports are found along the front side of the rack. In many cases this +is a desirable configuration as it can make cabling very simple. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-front.png} + \caption{Supermicro SuperServer 1018D-FRN8T Front} + \label{fig:supermicroSSfront} +\end{figure} + +The rear of the unit has a redundant 400W power supply. Rated at 80 +Plus Platinum the power supplies are efficient as well. The remainder +of the rear is simply a bezel for fans. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-rear.png} + \caption{Supermicro SuperServer 1018D-FRN8T Rear} + \label{fig:supermicroSSrear} +\end{figure} + +The onboard I/O is plentiful. There are two USB 3.0 ports along with +a VGA port for KVM carts. Above the USB ports there is a RJ-45 +Ethernet port for out-0f-band management that can be directly +connected to a dedicated management network. +%------------------- +Furthermore there are +six 1GbE ports connected to two Intel i210-at controllers and an +Intel i350-am4 controller. The two SFP+ ports are controlled by the +Xeon D’s Intel X552 NIC. 
For \glspl{firewall} and other appliances, this is +a very strong configuration. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/iris-fw1100-front.png} + \caption{Supermicro SuperServer 1018D-FRN8T interfaces} + \label{fig:supermicroSSinterfaces} +\end{figure} + +Inside the system we see a redundant set of fans near the PSU bezel +and a very small motherboard inside. One can see our two stacks of +Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed +the PCIe riser and the airflow shroud from this picture to show off +the internals better. + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ss-noshroud.png} + \caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud} + \label{fig:supermicroSSnoshroud} +\end{figure} + +\subsection{Remote Management} + +Supermicro’s IPMI and KVM-over-IP enables deployment flexibility. +One can do remote power up, power down, and reset of the server in +the event that it becomes unresponsive. + +\begin{itemize} + \item fan speeds, chassis intrusion sensors, thermal sensors, + and etc. can be monitored remotely + \item remote power control. One can do remote power up, power + down, and reset of the server in the event that it becomes + unresponsive. + \item alerts can be setup to notify the admins of issues. + \item remotely mount CD images and floppy images to the machine + over the dedicated management Ethernet controller. This keeps + maintenance traffic off of the primary Intel NICs. + At the same time it removes the need for an optical disk to + be connected to the Supermicro motherboard. +\end{itemize} + +Supermicro's BIOS has a feature: the BMC IP address shows +up on the post screen! +If you have a KVM cart hooked up to the system, it gives an +indicator of which machine one is connected to during post. 
+ +Supermicro does include KVM-over-IP functionality with the motherboard. + +\begin{itemize} + \item Default IPMI connection is in cleartext http. + \item SSL certificate for Supermicro IPMI is bad (like all of them). + \item Can't change password on IPMI. + %\item Root password for server and IPMI is sent via email. + %\item There is an attack window between their machine imaging and first login. + %\item Customer should control timing of first power on. + %\item System is also possibly vuln during the ISP's initial power up and commissioning period. + %\item First reboot, the system hung (.png XXX). + %\item Hard reset, lots of DHCP queries at boot. + %\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}! + %\item They block NTP to prevent DDoS, so you have to use their time server + % \texttt{time.sharktech.net} +\end{itemize} + +\subsection{Supermicro Setup over IPMI bios} +{{\grenewcommand{\currentColor}{secondary-brown}}} +{{\grenewcommand{\currentTextColor}{ao-black}}} +\providecommand{\sharkIPConfigItem}[4]{} +\renewcommand{\sharkIPConfigItem}[4]{ + \rowcolor{\currentColor} \vspace{-1pt} + \rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#2}} \\ +} +\providecommand{\sharkIPConfigLastItem}[4]{} +\renewcommand{\sharkIPConfigLastItem}[4]{ + \rowcolor{\currentColor} \vspace{-1pt} + \rule[-1.0em]{0pt}{1em} \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} + \small{\textcolor{\currentTextColor}{#2}} \\ + \tabucline[2pt]{1-2} +} +\providecommand{\SIPCCwidth}{3.5cm} +\renewcommand{\SIPCCwidth}{5cm} + +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-init.png} + \caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization} + \label{fig:supermicroSSCIpmiInit} +\end{figure} + +Before IPMI Initialization, choose in Boot Agent GE an 
entry PXE +(Preboot eXecution Environment) + +In Aptio Setup Utility set the following Boot Features: + +\begin{table}[!htb] + \caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{} + \sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[On\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{} + \sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} + +Set system Date/Time + +\newpage +\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-boot1.png} + \caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu} + \label{fig:supermicroSSCIpmiBoot1} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Power Configuration }{}{}{} + \sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{} + 
\sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-boot2.png} + \caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader} + \label{fig:supermicroSSCIpmiBoot2} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{} + \sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{} + \sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-ipmi-opnsense-boot1.png} + \caption{Supermicro SuperServer OPNsense Boot variant} + \label{fig:supermicroSSCIpmiOpnsenseBoot1} +\end{figure} +Let default option 5 execute. 
+\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Adapter }{LSI2116-IT}{}{} + \sharkIPConfigItem { PCI Slot }{0B}{}{} + \sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{} + \sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{} + \sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{} + \sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{} + \sharkIPConfigItem { Status }{Disabled}{}{} + \sharkIPConfigItem { Boot Order}{0}{}{} + \sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{} + \end{tabu} +\end{table} + +\newpage +\subsection{Configurate with OPNsense Dashboard} +{{\grenewcommand{\currentColor}{primary-blue}}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash1.png} + \caption{Supermicro SuperServer OPNsense Dashboard} + \label{fig:supermicroSSCIpmiOpnsenseDash1} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Hostname }{sf-fw1}{}{} + \sharkIPConfigItem { Domain }{forksand.com}{}{} + \sharkIPConfigItem { Language }{English}{}{} + \sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{} + \sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{} + \sharkIPConfigLastItem{ Override DNS }{unchecked}{}{} + \sharkIPConfigLastItem{ Enable 
Resolver}{checked}{}{} + \sharkIPConfigLastItem{ Others }{leave unchecked}{}{} + \end{tabu} +\end{table} + +\begin{itemize} + \item Set server time information + \item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty + \item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24 + \item Set Web GUI Password + \item Reload to apply changes + \item Finished initial configuration, click a href "continue to the dashboard" + \item Configure console appears, refer to table + \ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. \pageref{tab:supermicroSSCIpmiOpnsenseDash2} + \item Set root password and reboot + \item Re-enter Aptio Setup Utility Boot tab + \item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`] + \item Start the boot + \item OPNsense: Let default option 5 execute +\end{itemize} +{{\grenewcommand{\currentColor}{secondary-brown}}} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash2.png} + \caption{Supermicro SuperServer OPNsense Dashboard Continued} + \label{fig:supermicroSSCIpmiOpnsenseDash2} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Configure Console }{Accept these Settings}{}{} + \sharkIPConfigItem { Select task }{Guided installation}{}{} + \sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{} + \sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{} + \sharkIPConfigItem { Swap Partition }{yes}{}{} + \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} + \end{tabu} 
+\end{table} +{{\grenewcommand{\currentColor}{primary-blue}}} +\subsection{Update OPNsense Firmware using Dashboard} +\begin{itemize} + \item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML + \item Execute update firmware, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash3} +\end{itemize} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash3-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware} + \label{fig:supermicroSSCIpmiOpnsenseDash3} +\end{figure} +\begin{itemize} + \item Standby until updating finished, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4} + \item Switch to tab Settings, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5} +\end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash4-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued} + \label{fig:supermicroSSCIpmiOpnsenseDash4} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash5-fw.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings} + \label{fig:supermicroSSCIpmiOpnsenseDash5} +\end{figure} +\begin{itemize} + \item Set mirror to LeaseWeb (San Francisco, US) + \item Set Flavour to LibreSSL + \item Set Release Type to Production + \item Click save and return to Updates tab. 
+\end{itemize} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash6-fw-updates.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates} + \label{fig:supermicroSSCIpmiOpnsenseDash6} +\end{figure} +\begin{itemize} + \item Click Update now. + \item Standby until Update is completed. + \item Restore configs from XML, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash8} +\end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash7-fw-update.png} + \caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing} + \label{fig:supermicroSSCIpmiOpnsenseDash7} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash8-fw-backupandreboot.png} + \caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup} + \label{fig:supermicroSSCIpmiOpnsenseDash8} +\end{figure} +\begin{itemize} + \item Upload the config and restore + \item Add a user, refer to figure + \ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9} + using parameters from table + \ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. 
\pageref{tab:supermicroSSCIpmiOpnsenseAddUser} +\end{itemize} +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash9-user.png} + \caption{Supermicro SuperServer OPNsense Dashboard Add User} + \label{fig:supermicroSSCIpmiOpnsenseDash9} +\end{figure} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Username }{jebba}{}{} + \sharkIPConfigItem { Disabled }{unchecked}{}{} + \sharkIPConfigItem { Full name }{Jeff Moe}{}{} + \sharkIPConfigItem { E-mail }{moe@forksand.com}{}{} + \sharkIPConfigItem { Comment }{}{}{} + \sharkIPConfigItem { Expiration date }{}{}{} + \sharkIPConfigLastItem{ Group Memberships }{Member of admins}{}{} + \sharkIPConfigItem { Certificate }{unchecked}{}{} + \sharkIPConfigLastItem{ OTP seed }{}{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash10-dhcpv4.png} + \caption{Supermicro SuperServer OPNsense Dashboard DHCPv4} + \label{fig:supermicroSSCIpmiOpnsenseDash10} +\end{figure} +\begin{itemize} + \item Disable DHCPv4 +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Enable }{unchecked}{}{} + \sharkIPConfigItem { Deny 
unknown clients }{unchecked}{}{} + \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} + \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} + \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} + \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} + \end{tabu} +\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash11-plugins.png} + \includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0] + {sf-fw/ssc-opns-dash11-plugins.png} + \caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation} + \label{fig:supermicroSSCIpmiOpnsenseDash11} +\end{figure} +\begin{itemize} + \item Make sure os-dyndns plugin installed + \item Install os-acme-client +\end{itemize} +%\begin{table}[!htb] +% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins} +% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} +% \tabucline[2pt]{1-2} +% \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& +% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ +% \tabucline[2pt]{1-2} +% \sharkIPConfigItem { Enable }{unchecked}{}{} +% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} +% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} +% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} +% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} +% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} +% \end{tabu} +%\end{table} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {sf-fw/ssc-opns-dash12-lea.png} + \caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account} + \label{fig:supermicroSSCIpmiOpnsenseDash12} +\end{figure} +\begin{itemize} + \item Add Let's Encrypt account + \item Modify global Let's Encrypt 
settings + \item Apply Let's Encrypt settings + \item Refer to Certificates menu +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Name }{sf-fw1}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{} + \sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{} + \sharkIPConfigItem { Enable Plugin }{checked}{}{} + \sharkIPConfigItem { Auto Renewal }{checked}{}{} + \sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{} + \sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{} + \end{tabu} +\end{table} + +\newpage +%\begin{figure}[!htb] +% \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] +% {sf-fw/ssc-opns-dash13-cert.png} +% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate} +% \label{fig:supermicroSSCIpmiOpnsenseDash12} +%\end{figure} +\begin{itemize} + \item Add Validation Method + \item Add Certificate + \item Apply ``Issue/Renew Certificates Now'' +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard Let's Encrypt validation} \label{tab:supermicroSSCIpmiOpnsenseLeaValid} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Validation Method }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Name 
}{sf-fw1-http}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1 http validation}{}{} + \sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{} + \sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{} + \sharkIPConfigItem { IP Auto-Discovery }{checked}{}{} + \sharkIPConfigItem { Interface }{WAN}{}{} + \sharkIPConfigLastItem{ IP Addresses }{}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Certificate }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{} + \sharkIPConfigItem { Description }{\Gls{sharkfork} \Gls{firewall} 1}{}{} + \sharkIPConfigItem { Alt Names }{}{}{} + \sharkIPConfigItem { LE Account }{sf-fw1}{}{} + \sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{} + \sharkIPConfigItem { Restart Actions }{}{}{} + \sharkIPConfigItem { Auto Renewal }{checked}{}{} + \sharkIPConfigLastItem{ Renewal Interval }{60}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Interfaces -\char`> Lan }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Lock }{checked}{}{} + \sharkIPConfigItem { Description }{LAN}{}{} + \sharkIPConfigItem { IPv4 Configuration Type }{Static IPv4}{}{} + \sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{} + \end{tabu} +\end{table} +\begin{itemize} + \item Refer to System -\char`> Gateways -\char`> Single -\char`> WAN\char`_DHCP6 + \item Set Disabled flag to checked + \item Press Apply changes + \item Modify LAN and WAN interfaces, disable IPv6 at both + \item Modify \Gls{firewall} Rules, disable IPv6 + \item Add new rula to \Gls{firewall} Rules WAN +\end{itemize} +\begin{table}[!htb] + \caption{sf-fw OPNsense Dashboard \Gls{firewall} Rules} \label{tab:supermicroSSCIpmiOpnsenseLeaRules} + \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} + \tabucline[2pt]{1-2} + \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& + \multicolumn 
{1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ + \tabucline[2pt]{1-2} + \sharkIPConfigItem { Interfaces -\char`> WAN }{}{}{} + \sharkIPConfigItem { Enable }{checked}{}{} + \sharkIPConfigItem { Lock }{checked}{}{} + \sharkIPConfigItem { Description }{WAN}{}{} + \sharkIPConfigItem { IPv4 Configuration Type }{DHCP}{}{} + \sharkIPConfigLastItem{ IPv6 Configuration Type }{none}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { \Gls{firewall} -\char`> Settings -\char`> Advanced }{}{}{} + \sharkIPConfigLastItem{ Allow IPv6 }{unchecked}{}{} + \tabucline[2pt]{1-2} + \sharkIPConfigItem { \Gls{firewall} -\char`> Rules -\char`> WAN }{}{}{} + \sharkIPConfigItem { Action }{Pass}{}{} + \sharkIPConfigItem { Disabled }{unchecked}{}{} + \sharkIPConfigItem { Interface }{WAN}{}{} + \sharkIPConfigItem { TCP/IP Version }{IPv4}{}{} + \sharkIPConfigItem { Protocol }{TCP}{}{} + \sharkIPConfigItem { Source/Invert }{unchecked}{}{} + \sharkIPConfigItem { Source }{any}{}{} + \sharkIPConfigItem { Destination/Invert }{unchecked}{}{} + \sharkIPConfigItem { Destination }{This \Gls{firewall}}{}{} + \sharkIPConfigItem { Destination port range }{https to https}{}{} + \sharkIPConfigItem { Log }{unchecked}{}{} + \sharkIPConfigItem { Category }{}{}{} + \sharkIPConfigItem { Discription }{Enable https to \Gls{firewall}}{}{} + \sharkIPConfigItem { Source OS }{Any}{}{} + \sharkIPConfigItem { No XMLRPC Sync }{unchecked}{}{} + \sharkIPConfigItem { Shedule }{none}{}{} + \sharkIPConfigLastItem{ Gateway }{default}{}{} + \end{tabu} +\end{table} + +\newpage +\section{Alternatives Hardware Overview} +Some resellers: +\begin{itemize} + \item \url{https://www.deciso.com/} + \item \url{https://www.pfwhardware.com/} + \item \url{https://www.osnet.eu/} +\end{itemize} + +\begin{itemize} + \item (8) 1 gig ethernet ports + Connects to (1) 100M ethernet upstream fiber optic + Connects to (1) 100M ethernet upstream wifi + Various LAN + \item (Hot swap?) Dual Power Supplies + \item (How swap?) 
RAID (Linux md), with SSD storage. + \item 2.5'' drive bays + \item Total ~8GHz CPU + \item ~8-16 gigs RAM ? Depends on OS. + \item Two servers total, for standby/failover +\end{itemize} + diff --git a/source/Firewalls.tex b/source/Firewalls.tex index 22f1382..f3f515d 100644 --- a/source/Firewalls.tex +++ b/source/Firewalls.tex 
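Review bot: The last table's WAN rule (`Firewall -> Rules -> WAN`: Action Pass, Source any, Destination This Firewall, port https, Log unchecked) opens the OPNsense web GUI to every Internet host, which is broader than the HTTP-01 validation it accompanies (the validation row selects "OPNsense Web Service (automatic port forward)", which appears to handle port 80 on its own), and with logging off that exposure leaves no audit trail. Narrow the source and turn on logging, e.g. `\sharkIPConfigItem { Source }{<management alias - placeholder>}{}{}` and `\sharkIPConfigItem { Log }{checked}{}{}`, or drop the rule in favour of VPN-only GUI access; note also that the Add User table leaves `OTP seed` empty although Firewalls.tex states authentication is TOTP, and that "Can't change password on IPMI" in Remote Management is a strong claim for a firewall's BMC that should be confirmed or removed. Much of the file reads as copied from the Sharktech notes: the caption `sf-fw LSI Corp Config Utility` is reused for the OPNsense dashboard tables, `SumBbsSupportFlag` appears five times in the first BIOS table with different values, and the commented bullets still reference `time.sharktech.net`. Spelling in the new text: `Discription`, `Shedule`, `rula`, `Configurate`, `out-0f-band`.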
@@ -10,581 +10,38 @@ % This document is licensed under the Creative Commons Attribution 4.0 % International Public License (CC BY-SA 4.0) by Fork Sand, Inc. % -Firewalls keep the bad packets out, mostly. And let some good packets out. +\Glspl{firewall} keep the bad packets out, mostly. And let some good packets out. \section{Overview} What is the network doing? \begin{itemize} \item snort - \item MRTG - \item Aguri + %\item MRTG + %\item Aguri \end{itemize} \section{Authentication} Two-factor authentication using TOTP. -\section{Firewall Hardware Overview} -Hardware. - -\begin{itemize} - \item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/} - \\ \url{https://wiki.opnsense.org/index.html} - \item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm} -\end{itemize} - -The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O. -That means that both the rear I/O ports as well as the I/O expansion -ports are found along the front side of the rack. In many cases this -is a desirable configuration as it can make cabling very simple. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-front.png} - \caption{Supermicro SuperServer 1018D-FRN8T Front} - \label{fig:supermicroSSfront} -\end{figure} - -The rear of the unit has a redundant 400W power supply. Rated at 80 -Plus Platinum the power supplies are efficient as well. The remainder -of the rear is simply a bezel for fans. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-rear.png} - \caption{Supermicro SuperServer 1018D-FRN8T Rear} - \label{fig:supermicroSSrear} -\end{figure} - -The onboard I/O is plentiful. There are two USB 3.0 ports along with -a VGA port for KVM carts. 
Above the USB ports there is a RJ-45 -Ethernet port for out-0f-band management that can be directly -connected to a dedicated management network. -%------------------- -Furthermore there are -six 1GbE ports connected to two Intel i210-at controllers and an -Intel i350-am4 controller. The two SFP+ ports are controlled by the -Xeon D’s Intel X552 NIC. For firewalls and other appliances, this is -a very strong configuration. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/iris-fw1100-front.png} - \caption{Supermicro SuperServer 1018D-FRN8T interfaces} - \label{fig:supermicroSSinterfaces} -\end{figure} - -Inside the system we see a redundant set of fans near the PSU bezel -and a very small motherboard inside. One can see our two stacks of -Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed -the PCIe riser and the airflow shroud from this picture to show off -the internals better. - -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ss-noshroud.png} - \caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud} - \label{fig:supermicroSSnoshroud} -\end{figure} - -\subsection{Remote Management} - -Supermicro’s IPMI and KVM-over-IP enables deployment flexibility. -One can do remote power up, power down, and reset of the server in -the event that it becomes unresponsive. - -\begin{itemize} - \item fan speeds, chassis intrusion sensors, thermal sensors, - and etc. can be monitored remotely - \item remote power control. One can do remote power up, power - down, and reset of the server in the event that it becomes - unresponsive. - \item alerts can be setup to notify the admins of issues. - \item remotely mount CD images and floppy images to the machine - over the dedicated management Ethernet controller. This keeps - maintenance traffic off of the primary Intel NICs. 
- At the same time it removes the need for an optical disk to - be connected to the Supermicro motherboard. -\end{itemize} - -Supermicro’s BIOS has a feature: the BMC IP address shows -up on the post screen! -If you have a KVM cart hooked up to the system, it gives an -indicator of which machine one is connected to during post. - -Supermicro does include KVM-over-IP functionality with the motherboard. - -\begin{itemize} - \item Default IPMI connection is in cleartext http. - \item SSL certificate for Supermicro IPMI is bad (like all of them). - \item Can't change password on IPMI. - %\item Root password for server and IPMI is sent via email. - %\item There is an attack window between their machine imaging and first login. - %\item Customer should control timing of first power on. - %\item System is also possibly vuln during the ISP's initial power up and commissioning period. - %\item First reboot, the system hung (.png XXX). - %\item Hard reset, lots of DHCP queries at boot. - %\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}! 
- %\item They block NTP to prevent DDoS, so you have to use their time server - % \texttt{time.sharktech.net} -\end{itemize} - -\subsection{Supermicro Setup over IPMI bios} -{{\grenewcommand{\currentColor}{secondary-brown}}} -{{\grenewcommand{\currentTextColor}{ao-black}}} -\providecommand{\sharkIPConfigItem}[4]{} -\renewcommand{\sharkIPConfigItem}[4]{ - \rowcolor{\currentColor} \vspace{-1pt} - \rule[-0.3em]{0pt}{-0.5em} \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#2}} \\ -} -\providecommand{\sharkIPConfigLastItem}[4]{} -\renewcommand{\sharkIPConfigLastItem}[4]{ - \rowcolor{\currentColor} \vspace{-1pt} - \rule[-1.0em]{0pt}{1em} \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#1}} & \vspace{-1pt} - \small{\textcolor{\currentTextColor}{#2}} \\ - \tabucline[2pt]{1-2} -} -\providecommand{\SIPCCwidth}{3.5cm} -\renewcommand{\SIPCCwidth}{5cm} - -\begin{figure}[!htb] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-init.png} - \caption{Supermicro SuperServer 1018D-FRN8T PEI-IPMI Initialization} - \label{fig:supermicroSSCIpmiInit} -\end{figure} - -Before IPMI Initialization, choose in Boot Agent GE an entry PXE -(Preboot eXecution Environment) - -In Aptio Setup Utility set the following Boot Features: - -\begin{table}[!htb] - \caption{sf-fw BIOS configs}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { SMCBiosActionFlag }{ \char`[0\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ 48 }{}{} - \sharkIPConfigLastItem{ Bridge ports }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Force BIOS\char`] }{}{} - \sharkIPConfigItem { 
SumBbsSupportFlag }{ \char`[On\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { SumBbsSupportFlag }{ \char`[Immediate\char`] }{}{} - \sharkIPConfigLastItem{ Subnet mask }{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} - -Set system Date/Time - -\newpage -\subsection*{\textcolor{ao-white}{ Supermicro Setup over IPMI bios1}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-boot1.png} - \caption{Supermicro SuperServer 1018D-FRN8T Bios prompt for boot-menu} - \label{fig:supermicroSSCIpmiBoot1} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Power Configuration }{}{}{} - \sharkIPConfigItem { Watch Dog Function }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Power button Function }{ \char`[4 Seconds Override\char`] }{}{} - \sharkIPConfigLastItem{ Subnet mask }{ \char`[Power On\char`] }{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-boot2.png} - \caption{Supermicro SuperServer 1018D-FRN8T Bootstrap loader} - \label{fig:supermicroSSCIpmiBoot2} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw BIOS configs continued}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Boot Feature}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { 
Onboard LAN1 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Onboard LAN2 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigLastItem{ Onboard LAN3 - LAN8 OPROM }{ \char`[Disabled\char`] }{}{} - \sharkIPConfigItem { Legacy Boot Order \char`#1}{ \char`[USB Key:Virtual Disk\char`] }{}{} - \sharkIPConfigLastItem{ Legacy Boot Order \char`#2 - \char`#7}{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-ipmi-opnsense-boot1.png} - \caption{Supermicro SuperServer OPNsense Boot variant} - \label{fig:supermicroSSCIpmiOpnsenseBoot1} -\end{figure} -Let default option 5 execute. -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility}% \label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Adapter }{LSI2116-IT}{}{} - \sharkIPConfigItem { PCI Slot }{0B}{}{} - \sharkIPConfigItem { PCI Address(Bus/Dev) }{02:00}{}{} - \sharkIPConfigItem { MPT Firmware Revision }{20.00.07.00-IT}{}{} - \sharkIPConfigItem { SAS Address }{50030480:1E300A01}{}{} - \sharkIPConfigItem { NVDATA Version }{14.01.40.00}{}{} - \sharkIPConfigItem { Status }{Disabled}{}{} - \sharkIPConfigItem { Boot Order}{0}{}{} - \sharkIPConfigLastItem{ Boot Support}{ \char`[Disabled\char`] }{}{} - \end{tabu} -\end{table} - -\newpage -{{\grenewcommand{\currentColor}{primary-blue}}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash1.png} - \caption{Supermicro SuperServer OPNsense Dashboard} - \label{fig:supermicroSSCIpmiOpnsenseDash1} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility}% 
\label{tab:sharkNodeIPConfig} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Hostname }{sf-fw1}{}{} - \sharkIPConfigItem { Domain }{forksand.com}{}{} - \sharkIPConfigItem { Language }{English}{}{} - \sharkIPConfigItem { Primary DNS Server }{216.146.35.35}{}{} - \sharkIPConfigItem { Secondary DNS Server }{208.67.222.222}{}{} - \sharkIPConfigLastItem{ Override DNS }{unchecked}{}{} - \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} - \sharkIPConfigLastItem{ Others }{leave unchecked}{}{} - \end{tabu} -\end{table} - -\begin{itemize} - \item Set server time information - \item Configure WAN interface, DHCP, subnet masks /32, Block .. Flags checked, others empty - \item Configure WAN interface, IP 192.168.1.1 change to 192.168.110.21, subnet mask /24 - \item Set Web GUI Password - \item Reload to apply changes - \item Finished initial configuration, click a href "continue to the dashboard" - \item Configure console appears, refer to table - \ref{tab:supermicroSSCIpmiOpnsenseDash2} on p. 
\pageref{tab:supermicroSSCIpmiOpnsenseDash2} - \item Set root password and reboot - \item Re-enter Aptio Setup Utility Boot tab - \item Switch Legacy Boot Order \char`#1 \char` to [Hard Disk: SATADOM-...\char`] - \item Start the boot - \item OPNsense: Let default option 5 execute -\end{itemize} -{{\grenewcommand{\currentColor}{secondary-brown}}} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash2.png} - \caption{Supermicro SuperServer OPNsense Dashboard Continued} - \label{fig:supermicroSSCIpmiOpnsenseDash2} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw LSI Corp Config Utility} \label{tab:supermicroSSCIpmiOpnsenseDash2} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Configure Console }{Accept these Settings}{}{} - \sharkIPConfigItem { Select task }{Guided installation}{}{} - \sharkIPConfigItem { Select a disk }{ada0: 600.00MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)}{}{} - \sharkIPConfigItem { Select install mode }{GPT/UEFI mode}{}{} - \sharkIPConfigItem { Swap Partition }{yes}{}{} - \sharkIPConfigLastItem{ Enable Resolver}{checked}{}{} - \end{tabu} -\end{table} -{{\grenewcommand{\currentColor}{primary-blue}}} -\begin{itemize} - \item Enter OPNsense dashboard and make a backup, System -> Configuration -> Backups, save the XML - \item Execute update firmware, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash3} on p. 
\pageref{fig:supermicroSSCIpmiOpnsenseDash3} -\end{itemize} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash3-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware} - \label{fig:supermicroSSCIpmiOpnsenseDash3} -\end{figure} -\begin{itemize} - \item Standby until updating finished, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash4} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash4} - \item Switch to tab Settings, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash5} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash5} -\end{itemize} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash4-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Update Firmware Continued} - \label{fig:supermicroSSCIpmiOpnsenseDash4} -\end{figure} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash5-fw.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Settings} - \label{fig:supermicroSSCIpmiOpnsenseDash5} -\end{figure} -\begin{itemize} - \item Set mirror to LeaseWeb (San Francisco, US) - \item Set Flavour to LibreSSL - \item Set Release Type to Production - \item Click save and return to Updates tab. -\end{itemize} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash6-fw-updates.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Pending Updates} - \label{fig:supermicroSSCIpmiOpnsenseDash6} -\end{figure} -\begin{itemize} - \item Click Update now. - \item Standby until Update is completed. - \item Restore configs from XML, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash8} on p. 
\pageref{fig:supermicroSSCIpmiOpnsenseDash8} -\end{itemize} -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash7-fw-update.png} - \caption{Supermicro SuperServer OPNsense Dashboard Firmware Update Processing} - \label{fig:supermicroSSCIpmiOpnsenseDash7} -\end{figure} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash8-fw-backupandreboot.png} - \caption{Supermicro SuperServer OPNsense Dashboard restore from XML config backup} - \label{fig:supermicroSSCIpmiOpnsenseDash8} -\end{figure} -\begin{itemize} - \item Upload the config and restore - \item Add a user, refer to figure - \ref{fig:supermicroSSCIpmiOpnsenseDash9} on p. \pageref{fig:supermicroSSCIpmiOpnsenseDash9} - using parameters from table - \ref{tab:supermicroSSCIpmiOpnsenseAddUser} on p. \pageref{tab:supermicroSSCIpmiOpnsenseAddUser} -\end{itemize} -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash9-user.png} - \caption{Supermicro SuperServer OPNsense Dashboard Add User} - \label{fig:supermicroSSCIpmiOpnsenseDash9} -\end{figure} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Add User} \label{tab:supermicroSSCIpmiOpnsenseAddUser} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Username }{jebba}{}{} - \sharkIPConfigItem { Disabled }{unchecked}{}{} - \sharkIPConfigItem { Full name }{Jeff Moe}{}{} - \sharkIPConfigItem { E-mail }{moe@forksand.com}{}{} - \sharkIPConfigItem { Comment }{}{}{} - \sharkIPConfigItem { Expiration date }{}{}{} - \sharkIPConfigLastItem{ Group Memberships }{Member 
of admins}{}{} - \sharkIPConfigItem { Certificate }{unchecked}{}{} - \sharkIPConfigLastItem{ OTP seed }{}{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash10-dhcpv4.png} - \caption{Supermicro SuperServer OPNsense Dashboard DHCPv4} - \label{fig:supermicroSSCIpmiOpnsenseDash10} -\end{figure} -\begin{itemize} - \item Disable DHCPv4 -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard DHCPv4} \label{tab:supermicroSSCIpmiOpnsenseDhcpv4} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Enable }{unchecked}{}{} - \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} - \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} - \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} - \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} - \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} - \end{tabu} -\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash11-plugins.png} - \includegraphics[keepaspectratio=true,trim=360mm 190mm 10mm 80mm,clip,width=1.0\textwidth,angle=0] - {sf-fw/ssc-opns-dash11-plugins.png} - \caption{Supermicro SuperServer OPNsense Dashboard Plugin Installation} - \label{fig:supermicroSSCIpmiOpnsenseDash11} -\end{figure} -\begin{itemize} - \item Make sure os-dyndns plugin installed - \item Install os-acme-client -\end{itemize} -%\begin{table}[!htb] -% \caption{sf-fw OPNsense Dashboard Plugins} \label{tab:supermicroSSCIpmiOpnsensePlugins} -% \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} -% \tabucline[2pt]{1-2} -% \multicolumn 
{1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& -% \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ -% \tabucline[2pt]{1-2} -% \sharkIPConfigItem { Enable }{unchecked}{}{} -% \sharkIPConfigItem { Deny unknown clients }{unchecked}{}{} -% \sharkIPConfigItem { Subnet }{192.168.110.0}{}{} -% \sharkIPConfigItem { Subnet mask }{255.255.255.0}{}{} -% \sharkIPConfigLastItem{ Range }{192.168.110.10 - 192.168.110.245}{}{} -% \sharkIPConfigLastItem{ Others }{leave unchanged}{}{} -% \end{tabu} -%\end{table} - -\newpage -\begin{figure}[!ht] - \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] - {sf-fw/ssc-opns-dash12-lea.png} - \caption{Supermicro SuperServer OPNsense Dashboard add Let's Encrypt account} - \label{fig:supermicroSSCIpmiOpnsenseDash12} -\end{figure} -\begin{itemize} - \item Add Let's Encrypt account - \item Modify global Let's Encrypt settings - \item Apply Let's Encrypt settings - \item Refer to Certificates menu -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Name }{sf-fw1}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{} - \sharkIPConfigLastItem{ E-Mail address }{sharkfork@forksand.com}{}{} - \sharkIPConfigItem { Enable Plugin }{checked}{}{} - \sharkIPConfigItem { Auto Renewal }{checked}{}{} - \sharkIPConfigItem { Let's Encrypt Environment }{Production Environment \char`[Default\char`]}{}{} - \sharkIPConfigLastItem{ HAProxy Integration }{unchecked}{}{} - \end{tabu} -\end{table} - -\newpage -%\begin{figure}[!ht] -% 
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] -% {sf-fw/ssc-opns-dash13-cert.png} -% \caption{Supermicro SuperServer OPNsense Dashboard add Certificate} -% \label{fig:supermicroSSCIpmiOpnsenseDash12} -%\end{figure} -\begin{itemize} - \item Add Validation Method - \item Add Certificate - \item Apply ``Issue/Renew Certificates Now'' -\end{itemize} -\begin{table}[!htb] - \caption{sf-fw OPNsense Dashboard Let's Encrypt account and settings} \label{tab:supermicroSSCIpmiOpnsenseLea} - \begin{tabu}{|[2pt]p{\SIPCCwidth}|[2pt]p{\SIPCCwidth*2}|[2pt]} - \tabucline[2pt]{1-2} - \multicolumn {1}{|[2pt]l|[2pt]}{\rule[-0.7em]{0pt}{2em} \cellcolor{\currentColor}{Parameter}}& - \multicolumn {1}{l|[2pt]}{\cellcolor{\currentColor}{Value}} \\ - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Validation Method }{}{}{} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Name }{sf-fw1-http}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1 http validation}{}{} - \sharkIPConfigLastItem{ Challenge Type }{HTTP-01}{}{} - \sharkIPConfigLastItem{ HTTP Service }{OPNsense Web Service (automatic port forward)}{}{} - \sharkIPConfigItem { IP Auto-Discovery }{checked}{}{} - \sharkIPConfigItem { Interface }{WAN}{}{} - \sharkIPConfigLastItem{ IP Addresses }{}{}{} - \tabucline[2pt]{1-2} - \sharkIPConfigItem { Certificate }{}{}{} - \sharkIPConfigItem { Enable }{checked}{}{} - \sharkIPConfigItem { Common Name }{sf-fw1.forksand.com}{}{} - \sharkIPConfigItem { Description }{SharkFork Firewall 1}{}{} - \sharkIPConfigItem { Alt Names }{}{}{} - \sharkIPConfigItem { LE Account }{sf-fw1}{}{} - \sharkIPConfigItem { Validation Method }{sf-fw1-http}{}{} - \sharkIPConfigItem { Restart Actions }{}{}{} - \sharkIPConfigItem { Auto Renewal }{checked}{}{} - \sharkIPConfigLastItem{ Renewal Interval }{60}{}{} - \end{tabu} -\end{table} - -\newpage -\section{Alternatives Firewalls Hardware Overview} -Some resellers: -\begin{itemize} - \item 
\url{https://www.deciso.com/} - \item \url{https://www.pfwhardware.com/} - \item \url{https://www.osnet.eu/} -\end{itemize} - -\begin{itemize} - \item (8) 1 gig ethernet ports - Connects to (1) 100M ethernet upstream fiber optic - Connects to (1) 100M ethernet upstream wifi - Various LAN - \item (Hot swap?) Dual Power Supplies - \item (How swap?) RAID (Linux md), with SSD storage. - \item 2.5'' drive bays - \item Total ~8GHz CPU - \item ~8-16 gigs RAM ? Depends on OS. - \item Two servers total, for standby/failover -\end{itemize} - -\section{IP-tables Firewall} +\section{IPtables-firewall} \subsection{Overview} Most servers and workstations run GNU/Linux, which uses iptables. - \subsection{iptables} iptables is part of the Netfilter project and has been included by default in the Linux kernel for many years. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png} \caption{Netfilter Website} \label{fig:www-netfilter} \end{figure} \subsection{Requirements} -There are a lot of operating systems to consider to use as a firewall... +There are a lot of operating systems to consider to use as a \gls{firewall}... -Notes on some requirements in a firewall. +Notes on some requirements in a \gls{firewall}. \begin{itemize} \item Must be free software. 
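Review bot: Once this hunk strips the whole OPNsense/Supermicro section, the remaining chapter jumps from the one-line Authentication subsection straight to iptables with no pointer to where the appliance documentation went, and the old section's IPMI caveats (cleartext HTTP, bad certificate, unchangeable password) were its most security-relevant lines. Presumably that material moved to its own chapter in this commit, so add a forward reference after `Two-factor authentication using TOTP.`, e.g. `The OPNsense appliance (hardware, IPMI setup, WAN rules) is described in its own chapter, see Chapter~\ref{...}.` with that chapter's label, and confirm the IPMI caveats survived the move rather than being dropped. Also, `%\item MRTG` / `%\item Aguri` leaves snort as the only entry under ``What is the network doing?''; a short comment on why they were commented out (never deployed, replaced?) would stop a reader from assuming traffic monitoring is still in place.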
@@ -617,24 +74,23 @@ Notes on some requirements in a firewall. \end{itemize} -\subsection{Firewall Operating Systems in Use} -\Large{Debian} +\subsection{\Gls{firewall} Operating Systems in Use} -\href{https://www.debian.org/}{Debian} +\Large{\href{https://www.debian.org/}{Debian}} Debian is used for nearly everything. It could easily be used as a -router/firewall. There are better, more tuned options. +router-firewall. There are better, more tuned options. Linux's iptables is used on servers. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png} \caption{Debian Website} \label{fig:www-debian-in-firewalls-chapter} \end{figure} \Large{Proxmox setups iptables-firewall} -During Proxmox installation on the nodes, firewall is being confugured. +During Proxmox installation on the nodes, \gls{firewall} is being confugured. Some of nodes configurations can be found in chapter Free software under path apps/forksand-nodes-bootstrap/... @@ -669,7 +125,7 @@ Find out why mention of firewall in hk1 node is discarded. # Datacenter --> Firewall --> Add. \end{minted} -Also Nextcloud chapter mentiones configs of iptables firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}. +Also Nextcloud chapter mentiones configs of iptables-firewall \ref{ssec:nextcloudfirewall} on p.\pageref{ssec:nextcloudfirewall}. Also certain Ansible including virtual machines enable iptables configuratiion. For example ansible-debian-male contains mikegleasonjr.firewall. diff --git a/source/Hardware.tex b/source/Hardware.tex index 5268172..9753523 100644 --- a/source/Hardware.tex +++ b/source/Hardware.tex 
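Review bot: `\subsection{\Gls{firewall} Operating Systems in Use}` puts a `\Gls` call inside a sectioning command, a moving argument: the glossaries manual advises against `\gls`-family commands in headings because the entry is re-indexed wherever the heading is reused (TOC, running heads) and the hyperlink cannot be placed in PDF bookmarks. Use the non-indexing form, `\subsection{\Glsentrytext{firewall} Operating Systems in Use}`, or `\glsfmttext` if glossaries-extra is what the preamble loads (the preamble is outside this hunk, so I cannot tell which). The rewritten line `During Proxmox installation on the nodes, \gls{firewall} is being confugured.` also carries the typo forward; `configured`.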
@@ -10,45 +10,41 @@ % This document is licensed under the Creative Commons Attribution 4.0 % International Public License (CC BY-SA 4.0) by Fork Sand, Inc. % -\section{Hardware} - \section{Cluster Diagram} -\raggedright - \vspace{0.4cm} - Dedicated servers discarded. - Colocation cabinet buffered only with a firewall. +\Glspl{dedicatedserver} discarded. - \vspace{0.4cm} -\centering -\includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm] +\begin{figure}[!htb] + \includegraphics[width=210mm,trim=20mm 20mm 20mm 20mm] {sharkfork-cabling-4-final-colocation.pdf} \\ % - \vspace{0.2cm} -\raggedright -\newpage + \caption{\Gls{sharkfork} \Gls{colocation} \gls{cluster} cabling diagram} +\end{figure} -\section{Cluster Hardware Overview} -The cluster will require rackmountable equipment: +\Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}. +One step from autonouos structure. + +\section{Hardware Cluster Overview} + +The \gls{cluster} will require rackmountable equipment. +\newpage +\Large{\textbf{\Gls{sharkfork} 21U hardware instance}} \begin{itemize} \item GNU/Linux Servers + \item \Glspl{firewall} + \item Switches + \item File storages \end{itemize} -\begin{minipage}{0.9\textwidth} - \subsection{Sharkfork 21U hardware instance} \label{sec:hardware-sharkfork-21U} - %\includepdf[width=150mm,offset=0 15,clip] - %{sharkfork-21U.pdf} - \includegraphics[keepaspectratio=true,height=0.80\textheight,width=150mm,angle=0] +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=0.75\textheight,width=150mm,angle=0] {sharkfork-21U.png} -% \vspace{150mm} - \label{fig:sharkfork-21U} - %\vspace{60mm} -\end{minipage} + \label{fig:sharkfork-21U} +\end{figure} +%\subsubsection{\Gls{sharkfork} 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U} \newpage -%\subsubsection{Sharkfork 21U detail hardware description} \label{sec:hardware-description-sharkfork-21U} - \newcommand{\nodeUnitName}[4]{ \rowcolor{#3}\vspace{-1pt} 
{{\grenewcommand{\currentColor}{#3}}} @@ -90,7 +86,7 @@ The cluster will require rackmountable equipment: \multicolumn {1}{p{13cm}|[2pt]}{ Description} \\ \tabucline[2pt]{1-2} %%% UNIT %%% % Unit name - \nodeUnitName{2}{Iris FW1100 - Firewall System}{secondary-brown}{ao-black} + \nodeUnitName{2}{Iris FW1100 - \Gls{firewall} System}{secondary-brown}{ao-black} % Unit configuration parameters \nodeUnitParameter{ 1U Form Factor ~~- Single Intel Xeon D-1587 CPU } \nodeUnitParameter{ Up to 128GB DDR4 ECC Reg Memory } @@ -108,6 +104,21 @@ The cluster will require rackmountable equipment: %\nodeUnitSetNotes { none } %%% END UNIT %%% +% Unit name + \nodeUnitName{2}{Netgear XS716T - 16-Port 10G Smart Managed Plus Switch}{secondary-brown}{ao-black} +% Unit configuration parameters + \nodeUnitParameter{ 1U Form Factor ~~- 600 MHz Cortex-A9 Single Core } + + \nodeUnitParameter{ 512MB RAM } + \nodeUnitParameter{ 16-Port RJ45 10G SFP+ and Six Gigabit Ethernet } + \nodeUnitLastParameter{ 100W Power Supply } +% Unit has a set of components parameters + \nodeUnitSetItem {1}{ 8MB SPI + 256 NAND FLASH } + \nodeUnitSetLastItem {1}{ 2 shared (combo) 1G/10G Copper/SFP+ (fiber) ports } +% Unit ends with notes, pass "none" parameter if no notes + %\nodeUnitSetNotes { none } +%%% END UNIT %%% + %%% UNIT %%% % Unit name \nodeUnitName{1}{Iris NV2225}{primary-blue}{ao-black} @@ -316,7 +327,7 @@ Who we'll get hardware from. \end{itemize} \newcommand{\includescreen}[3]{ - \begin{figure}[!ht] + \begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{#1} \caption{#2} #3 diff --git a/source/History.tex b/source/History.tex index ae1b238..10a47ae 100644 --- a/source/History.tex +++ b/source/History.tex 
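Review bot: The new `\begin{figure}` for `sharkfork-21U.png` ends with `\label{fig:sharkfork-21U}` but has no `\caption`, so the label binds to the enclosing section counter and any `\ref{fig:sharkfork-21U}` prints a section number instead of a figure number; the old `minipage` had the same label-without-caption, but the commit turns it into a float without fixing it. Add `\caption{\Gls{sharkfork} 21U hardware instance}` before the `\label`, and give the first figure (the cabling diagram), which now has a caption but no label, a `\label{fig:sharkfork-colocation-cabling}` so the text can reference it. `One step from autonouos structure.` should read `autonomous`.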
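Review bot: The new Netgear XS716T row has a stray empty `+` line between the `1U Form Factor` and `512MB RAM` parameters, and the port line `16-Port RJ45 10G SFP+ and Six Gigabit Ethernet` is hard to reconcile with the set item `2 shared (combo) 1G/10G Copper/SFP+ (fiber) ports` directly below it — one of the two descriptions is probably wrong and worth checking against the datasheet. `8MB SPI + 256 NAND FLASH` is missing a unit (`256MB`?). For a smart-managed switch sitting between the firewall and the nodes, the table records CPU and RAM but not the firmware revision or where its management interface lives; a `\nodeUnitSetNotes` line carrying those would be more useful to an operator than the flash size.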
@@ -13,9 +13,9 @@ \section{History} \subsection{Cluster Evolution} -Forksand started deployment on dedicated servers. +Forksand started deployment on \glspl{dedicatedserver}. \vspace{0.6cm} - First stage. Exclusively dedicated servers (deprecated) + First stage. Exclusively \glspl{dedicatedserver} (deprecated) \vspace{0.4cm} \centering \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] @@ -23,20 +23,20 @@ Forksand started deployment on dedicated servers. % \vspace{0.2cm} \raggedright - Second stage. Dedicated servers along with a colocation - cabinet. Flat hierarchy. (deprecated) + Second stage. \Glspl{dedicatedserver} along with a \Gls{colocation} + \Gls{cabinet}. Flat hierarchy. (deprecated) \vspace{0.1cm} In progress, services were being migrated one after another to - a colocation instance. On the next stage hierarchy becomes vertical. \\ + a \Gls{colocation} instance. On the next stage hierarchy becomes vertical. \\ \vspace{0.1cm} \centering \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] {sharkfork-cabling-2-mixed-vlan.pdf} \\ % % \raggedright - Third stage. Dedicated servers buffered by - a colocation cabinet. Vertical hierarchy. (deprecated) + Third stage. \Glspl{dedicatedserver} buffered by + a \Gls{colocation} \Gls{cabinet}. Vertical hierarchy. (deprecated) \vspace{0.4cm} \centering \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] @@ -44,8 +44,8 @@ Forksand started deployment on dedicated servers. % \vspace{0.2cm} \raggedright - Fourth stage. Dedicated servers discarded. - Colocation cabinet buffered only with a firewall. (current) + Fourth stage. \Glspl{dedicatedserver} discarded. + \Gls{colocation} \Gls{cabinet} buffered only with a \gls{firewall}. (current) \vspace{0.4cm} \centering \includegraphics[width=115mm,trim=20mm 20mm 20mm 20mm] 
@@ -53,7 +53,7 @@ Forksand started deployment on dedicated servers. % \vspace{0.2cm} \raggedright - Final stage. Firewall discarded. Single colocation cabinet. (in process) + Final stage. \Gls{Firewall} discarded. Single \Gls{colocation} \Gls{cabinet}. (in process) \vspace{0.4cm} \centering %\includegraphics[width=115mm,trim=10mm 10mm 10mm 10mm] diff --git a/source/Network.tex b/source/Network.tex index 5f72138..371dbab 100644 --- a/source/Network.tex +++ b/source/Network.tex @@ -21,7 +21,7 @@ The first diagram is an overview, with networks listed, without the admin networ XXX Diagram. -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{fs-cloud-net-overview.pdf} % \caption{Fork Sand IT Manual Network Overview without Admin Net} % \label{fig:fs-cloud-net-overview} @@ -31,7 +31,7 @@ The second network, shows most servers, without the admin network. XXX Diagram. -%\begin{figure}[h!] +%\begin{figure}[!htb] %\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{ao-cloud-net.pdf} % \caption{Fork Sand IT Manual Network without Admin Net} % \label{fig:ao-cloud-net} 
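Review bot: `\Gls{Firewall}` in the `@@ -53,7 +53,7 @@` hunk references the key `Firewall`, but the entry added in forksand-it-manual.tex is keyed `firewall` and glossary keys are case-sensitive, so this produces an undefined-entry error (or a warning, depending on the `undefaction` setting) and the term is left unresolved. The capitalisation belongs in the command, not in the key: `Final stage. \Gls{firewall} discarded. Single \gls{colocation} \gls{cabinet}. (in process)`.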
@@ -47,6 +47,26 @@ be able to use... For now we will be using: \item Netgear 16-port 10 Gigabit RJ-45 \end{itemize} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-TL-SG1048} + \caption{TP-link 48 port 1 Gigabit switch TL-SG1048 overview} + \label{fig:swichTLSG1048overview} +\end{figure} +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-XS716T.png} + \caption{Netgear 16 port 10 Gigabit switch XS716T overview} + \label{fig:swichXS716Toverview} +\end{figure} + +\newpage +\begin{figure}[!htb] + \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0] + {s-XS716T-si.png} + \caption{Netgear 16 port 10 Gigabit switch XS716T System Information} + \label{fig:swichXS716Tsysteminfo} +\end{figure} \section{IPMI Administration} The servers have low level administration done via HTML5 IPMI. diff --git a/source/Proxmox.tex b/source/Proxmox.tex index c93ff1c..55715e0 100644 --- a/source/Proxmox.tex +++ b/source/Proxmox.tex @@ -26,7 +26,7 @@ there is an installation manual for 5.x version, which is great. Documentation: \url{https://pve.proxmox.com/wiki/Documentation} -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-proxmox.png} \caption{Proxmox Website} \label{fig:www-proxmox} @@ -54,7 +54,7 @@ containers and all necessary resources $\cdot$ Web based management interface for using the toolset \item Debian Stretch admin guide: \\ - \url{file:///C:/Users/P/Downloads/pve-admin-guide.pdf} + \url{https://pve.proxmox.com/pve-docs/pve-admin-guide.pdf} \end{itemize} 
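Review bot: The three new figures in the `@@ -47,6 +47,26 @@` hunk name their images inconsistently, `{s-TL-SG1048}` without an extension but `{s-XS716T.png}` and `{s-XS716T-si.png}` with one; dropping the extension on all three matches the rest of the file, since `\graphicspath` already covers `resources/images/`. The `\newpage` before the third figure is a manual placement hint working against the `[!htb]` specifier, and `height=1.10\textheight` is taller than the page, so `height=\textheight` with `keepaspectratio` is enough. Separately, the caption describes `s-XS716T-si.png` as the switch's System Information page; if that screenshot shows a serial number, MAC or management address, or firmware revision, those should be redacted before the manual is distributed.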
@@ -84,16 +84,16 @@ The following servers will be deployed to host Proxmox and the KVMs: %virtual images. % %\subsection{Proxmox Web GUI Servers} -%A Proxmox's Web GUI for administration of the cluster. +%A Proxmox's Web GUI for administration of the \gls{cluster}. \subsection{Virtual Machine Nodes} Virtual machine nodes. Fast CPU, with lots of RAM. Uses Ceph to store virtual images. -Every node includes a Proxmox's Web GUI service for administration of the cluster. -Any nodes included into the cluster may be configured by requesting to any node's GUI. +Every node includes a Proxmox's Web GUI service for administration of the \gls{cluster}. +Any nodes included into the \gls{cluster} may be configured by requesting to any node's GUI. -\begin{figure}[h!] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{proxmox-gui.png} \caption{Proxmox Sunstone Web Admin GUI} \label{fig:proxmox-gui} @@ -134,13 +134,14 @@ URL: \url{http://localhost:8002/}, for shark2 \\ URL: \url{http://localhost:8003/}, for shark3 \\ URL: \url{http://localhost:8004/}, for shark4 \\ See example at fig. \ref{fig:proxmox-gui-port}: -\begin{figure}[!ht] +\begin{figure}[!htb] \includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{shark2/23.png} \label{fig:proxmox-gui-port} \caption{Browse shark2 node, visible port No.} \end{figure} Info: This goes through https with self-signed certificate. -\item \texttt{Hostname} Changing the hostname and IP is not possible after cluster creation. Unlike OpenNebula. +\item \texttt{Hostname} Changing the hostname and IP is not possible after + \gls{cluster} creation. Unlike OpenNebula. %\item Click \texttt{Infrastructure}. %\item Click \texttt{Hosts}. %\item Click The \texttt{+} plus icon. diff --git a/source/Software-daemons.tex b/source/Software-daemons.tex index abdbb3a..45b3324 100644 --- a/source/Software-daemons.tex +++ b/source/Software-daemons.tex 
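Review bot: In the figure touched by the `@@ -134,13 +134,14 @@` hunk, `\label{fig:proxmox-gui-port}` comes before `\caption{...}`, so the label binds to the enclosing section rather than the figure and `See example at fig. \ref{fig:proxmox-gui-port}` prints the section number. Swap the two lines so `\caption{Browse shark2 node, visible port No.}` precedes `\label{fig:proxmox-gui-port}`, and write the reference as `Figure~\ref{fig:proxmox-gui-port}` so the number cannot be separated from its word. The `@@ -84` hunk's figure has caption and label in the right order, so the fix is local to this one.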
@@ -54,7 +54,7 @@ IMAP server, typically using Icedove or aomail (roundcube using IMAP). \section{\href{https://www.erlang.org/}{Erlang}} Virtual machine (ejabberd). -\section{{iptables}{Firewalls}} +\section{{iptables}{\Glspl{firewall}}} Linux's iptables. \section{\href{http://www.fail2ban.org/}{fail2ban}} @@ -419,7 +419,7 @@ Copy Gandi file for SSL authentication to /var/www/html/ After Gandi verifies it, remove the file. -Then disable port 80 in the firewall again: +Then disable port 80 in the \gls{firewall} again: \begin{minted}{sh} vim /etc/iptables.test.rules \end{minted} diff --git a/source/forksand-it-manual.tex b/source/forksand-it-manual.tex index 0873f7b..0252d6b 100644 --- a/source/forksand-it-manual.tex +++ b/source/forksand-it-manual.tex @@ -89,8 +89,20 @@ leftmargin=1cm,rightmargin=1cm %\usepackage{url} % /usr/share/doc/texlive-doc/latex/url/url.pdf % Use hyperref. \graphicspath{{./resources/}{./resources/images/}{./resources/drawings/}} -\makeindex -\makeglossary +\usepackage + [ + % acronym, + % %nopostdot, + % toc, + % shortcuts, + % xindy + automake + ] + {glossaries-extra} +\renewcommand*{\glstextformat}[1]{\textcolor{secondary-dark-brown}{\textbf{#1}}} +%\makeindex +%\makeglossary +\makeglossaries \usepackage{color} % Docs: /usr/share/doc/texlive-latex-base-doc/latex/graphics/grfguide.pdf \usepackage{colortbl} @@ -233,8 +245,8 @@ leftmargin=1cm,rightmargin=1cm %%% END FOOTNOTES %%% %%% COLORS %%% -\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43} % ??? -%\definecolor{ao-purple}{cmyk}{0.85 0.90 0.00 0.05} % ??? +\definecolor{ao-purple}{cmyk}{0.50,0.60,0.00,0.43} +\definecolor{ao-fork}{cmyk}{1.00 0.00 0.00 0.80} \definecolor{ao-dark-blue}{cmyk}{0.83 0.24 0.00 0.12} \definecolor{ao-light-blue}{cmyk}{0.41 0.15 0.00 0.09} \definecolor{ao-light-orange}{cmyk}{0.00 0.40 0.88 0.03} 
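Review bot: `\section{{iptables}{\Glspl{firewall}}}` in the `@@ -54,7 +54,7 @@` hunk keeps the two-brace shape of the neighbouring `\section{\href{url}{name}}` headings but has no `\href`, so the two groups typeset back to back as "iptablesFirewalls". A section title is also a moving argument that is copied into the table of contents and running headers, where a `\Gls`-family command can be re-executed and index or toggle first-use from the wrong place; glossaries-extra provides the `\glsfmt...` family for headings, e.g. `\section{\Glsfmtplural{firewall} (iptables)}`.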
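Review bot: The `automake` option given to `glossaries-extra` in the `@@ -89,8 +89,20 @@` hunk makes the document issue `\write18` calls to run makeindex during compilation, which only works when shell escape is enabled for the build. Under TeX Live's restricted shell escape makeindex is permitted but xindy (the commented-out option) is not, and enabling unrestricted `--shell-escape` for the whole build lets any loaded package or input file run arbitrary commands, so running makeglossaries from build.sh and dropping `automake` keeps the build sandboxed; build.sh is changed in this commit but its hunk is not visible here, so that may already be the arrangement. The commit also adds `source/glossary.sty` (the 2004 package superseded by glossaries) which nothing in the visible preamble loads; if it is unused it should not ship.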
@@ -244,10 +256,11 @@ leftmargin=1cm,rightmargin=1cm \definecolor{ao-white}{cmyk}{0.00 0.00 0.00 0.00} \definecolor{ao-black}{cmyk}{1.00 1.00 1.00 1.00} \definecolor{lulzbot-green}{cmyk}{0.11 0.00 0.78 0.15} -\definecolor{secondary-brown}{HTML}{F3E2C3} % HEX # F3E2C3 R:243 G:226 B:195 C:0 M:7 Y:20 K:5 -\definecolor{primary-blue}{HTML}{A1F4FF} % HEX # A1F4FF R:161 G:244 B:255 C:37 M:4 Y:0 K:0 -\definecolor{primary-brown}{HTML}{B07E3B} % HEX # B07E3B R:176 G:126 B:56 C:0 M:28 Y:68 K:31 -\definecolor{nonbrand-dark-blue}{HTML}{184B6D} % HEX # 184B6D R:19 G:70 B:109 C:0 M:28 Y:68 K:31 +\definecolor{secondary-dark-brown}{cmyk}{0.00 0.38 0.74 0.48} +\definecolor{secondary-brown}{cmyk}{0.00 0.07 0.20 0.05} +\definecolor{primary-blue}{cmyk}{0.37 0.04 0.00 0.00} +\definecolor{primary-brown}{cmyk}{0.00 0.28 0.68 0.31} +\definecolor{nonbrand-dark-blue}{cmyk}{0.83 0.28 0.00 0.57} %%% END COLORS %%% 
@@ -257,6 +270,39 @@ leftmargin=1cm,rightmargin=1cm %\typeoutstandardlayout %%% END DEBUG %%% +\newglossaryentry{cluster}{name={cluster},plural={clusters}, + description={, computer cluster is a set of loosely or + tightly connected computers that work together so that, in + many respects, they can be viewed as a single system.}} +\newglossaryentry{dedicatedserver}{ + name={dedicated server},plural={dedicated servers}, + description={, or managed hosting service + is a type of Internet hosting in which the client leases + an entire server not shared with anyone else.}} +\newglossaryentry{sharkfork}{ + name={SharkFork}, + description={is a SharkTech provided \Gls{colocation} for a + \gls{cluster} with Fork Sand \Gls{colocation} \Gls{cabinet}}} +\newglossaryentry{colocation}{name={colocation},plural={colocations}, + description={ centre (also spelled co-location, or colo) or "carrier + hotel", is a type of data centre where equipment, space, + and bandwidth are available for rental to retail customers.}} +\newglossaryentry{cabinet}{name={cabinet},plural={cabinets}, + description={, inside a data center, is a locking unit + that holds a server rack.}} +\newglossaryentry{gnulinux}{name={GNU/Linux}, + description={ is a term promoted by the Free Software Foundation + (FSF) and its founder Richard Stallman.[6] Proponents call for + the correction of the more extended term, on the grounds that it + doesn't give credit to the major contributor and the associated + free software philosophy.}} +\newglossaryentry{firewall}{name={firewall},plural={firewalls}, + description={ In computing, a firewall is a network security system + that monitors and controls incoming and outgoing network traffic + based on predetermined security rules.[1] A firewall typically + establishes a barrier between a trusted internal network and + untrusted external network, such as the Internet.}} + %%% END OF PREAMBLE %%% \begin{document} 
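Review bot: The `gnulinux` and `firewall` descriptions in the `@@ -257,6 +270,39 @@` hunk carry stray citation markers (`Richard Stallman.[6]`, `security rules.[1]`) that will print verbatim in the glossary, and `"carrier hotel"` in the `colocation` entry uses straight quotes instead of ``carrier hotel''; if these descriptions are taken from an external source, its attribution requirement should also be checked. The `sharkfork` description nests `\Gls{colocation}`, `\gls{cluster}` and `\Gls{cabinet}`, and the glossaries manual advises against `\gls`-family commands inside description fields because they index the nested entry at the glossary's own location; `\Glsentrytext{colocation}` / `\glsentrytext{cluster}` is the safer form there. The leading `,` and leading space in several values (`description={, computer cluster is`, `description={ In computing`) also look unintended and will show up in the printed entries.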
@@ -387,14 +433,14 @@ leftmargin=1cm,rightmargin=1cm \chapterconf{Firewall-opnsense}{OPNSense Firewall}{Use OPNSense} \chapterconf{Proxmox}{Proxmox}{Virtual Machines} \chapterconf{Ansible}{Ansible}{Cluster Administration} -\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} -\chapterconf{NTP}{Network Time Protocol}{A Hole in Time} -\chapterconf{Firmware}{Firmware}{Embedded Software} -\chapterconf{History}{History}{Evolution History} -%%% Appendix %%% -%\part{Appendix} % XXX -\appendix -\chapterconf{Source}{Free Software}{Free Software and Configurations} +%\chapterconf{DNS}{Domain Name Service (DNS)}{Who Names You?} +%\chapterconf{NTP}{Network Time Protocol}{A Hole in Time} +%\chapterconf{Firmware}{Firmware}{Embedded Software} +%\chapterconf{History}{History}{Evolution History} +%%%% Appendix %%% +%%\part{Appendix} % XXX +%\appendix +%\chapterconf{Source}{Free Software}{Free Software and Configurations} %% END MAINMATTER CHAPTERS %%% @@ -414,7 +460,8 @@ leftmargin=1cm,rightmargin=1cm \renewcommand{\memglonum}[1]{} \clearpage -\printglossary +%\addcontentsline{toc}{chapter}{Glossary} +\printglossaries %%% END GLOSSARY %%% %%% CONTACT %%% diff --git a/source/glossary.sty b/source/glossary.sty new file mode 100644 index 0000000..aaeddd6 --- /dev/null +++ b/source/glossary.sty 
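Review bot: The History.tex `\gls`/`\Gls` edits in this commit never reach the build, because the `@@ -387,14 +433,14 @@` hunk comments out `\chapterconf{History}{History}{Evolution History}` together with the DNS, NTP and Firmware chapters, `\appendix` and the Source appendix, with no explanation in the hunk; errors in the parked chapters (such as the undefined `Firewall` key) therefore stay hidden until they are re-enabled. If this is deliberate, a one-line comment at the top of the block such as `% DNS/NTP/Firmware/History and the appendix are disabled pending rework` would record the intent, and the `%%%% Appendix %%%` / `%%\part{Appendix}` lines can keep their original single comment marker.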
@@ -0,0 +1,440 @@ +%% +%% This is file `glossary.sty', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% glossary.dtx (with options: `package') +%% Copyright (C) 2000 Nicola Talbot, all rights reserved. +%% If you modify this file, you must change its name first. +%% You are NOT ALLOWED to distribute this file alone. You are NOT +%% ALLOWED to take money for the distribution or use of either this +%% file or a changed version, except for a nominal charge for copying +%% etc. +%% \CharacterTable +%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z +%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z +%% Digits \0\1\2\3\4\5\6\7\8\9 +%% Exclamation \! Double quote \" Hash (number) \# +%% Dollar \$ Percent \% Ampersand \& +%% Acute accent \' Left paren \( Right paren \) +%% Asterisk \* Plus \+ Comma \, +%% Minus \- Point \. Solidus \/ +%% Colon \: Semicolon \; Less than \< +%% Equals \= Greater than \> Question mark \? +%% Commercial at \@ Left bracket \[ Backslash \\ +%% Right bracket \] Circumflex \^ Underscore \_ +%% Grave accent \` Left brace \{ Vertical bar \| +%% Right brace \} Tilde \~} +\NeedsTeXFormat{LaTeX2e} +\ProvidesPackage{glossary}[2004/11/02 2.12 (NLCT)] +\RequirePackage{ifthen} +\RequirePackage{keyval} +\define@key{gloss} + {style} + {\ifthenelse{\equal{#1}{list} \or \equal{#1}{altlist} \or \equal{#1}{super} \or \equal{#1}{long}} + {\def\gls@style{#1}} + {\PackageError{glossary} + {Unknown glossary style '#1'} + {Available styles are: list, altlist, super and long}}} + +\define@key{gloss} + {header}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} + {\def\gls@header{#1}} + {\PackageError{glossary} + {Unknown glossary style '#1'} + {Available styles are: none and plain}}} + +\define@key{gloss} + {border}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} + {\def\gls@border{#1}} + {\PackageError{glossary} + {Unknown glossary border '#1'} + {Available styles are: none 
and plain}}} +\newcount\gls@cols +\define@key{gloss}{cols}{\gls@cols=#1\relax +\ifthenelse{\gls@cols<2 \or \gls@cols>3} + {\PackageError{glossary} + {invalid number of columns} + {The cols option can only be 2 or 3}} + {}} + +\define@key{gloss} + {number} + {\ifthenelse{\equal{#1}{none}\or\equal{#1}{page}\or\equal{#1}{section}} + {\def\gls@number{#1}} + {\PackageError{glossary} + {Unknown glossary number style '#1'} + {Available styles are: none, page and section}}} + +\newif\ifgls@toc +\define@key{gloss}{toc}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname gls@toc#1\endcsname} + {\PackageError{glossary}{Glossary option 'toc' is boolean} + {The value of 'toc' can only be set to 'true' or 'false'}}} + +\newif\ifgls@section +\define@key{gloss}{section}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname gls@section#1\endcsname} + {\PackageError{glossary}{Glossary option 'section' is boolean} + {The value of 'section' can only be set to 'true' or 'false'}}} +\gls@sectionfalse + +\newif\ifglshyper +\define@key{gloss}{hyper}[true]{\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} + {\csname glshyper#1\endcsname} + {\PackageError{glossary}{Glossary option 'hyper' is boolean} + {The value of 'hyper' can only be set to 'true' or 'false'}}} +\def\gls@style{long} +\def\gls@header{none} +\def\gls@border{none} +\def\gls@number{page} +\gls@cols=2\relax +\gls@tocfalse +\@ifundefined{hyperpage}{\glshyperfalse}{\glshypertrue} + +\DeclareOption*{\edef\@pkg@ptions{\noexpand\setkeys{gloss}{\CurrentOption}} +\ifthenelse{\equal{\CurrentOption}{}}{}{\@pkg@ptions}} + +\ProcessOptions +\ifthenelse{\(\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}\) \and \(\not\equal{\gls@header}{none} \or \not\equal{\gls@border}{none} \or \gls@cols=3\)} +{\PackageError{glossary}{You can't have option 'style=list' or 'style=altlist' in combination with any of the other options} +{The 'list' and 'altlist' options don't have a header, border or number of 
columns option.}} +{} +\define@key{wrgloss}{name}{\def\@n@me{#1}} +\define@key{wrgloss}{description}{\def\@descr{#1}} +\define@key{wrgloss}{sort}{\def\@s@rt{#1}} +\define@key{wrgloss}{format}{\def\@f@rm@t{#1}} +\renewcommand{\@wrglossary}[1]{\relax +\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax + \setkeys{wrgloss}{#1}\relax + \ifthenelse{\equal{\@s@rt}{}} + {\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax + }{\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\theglossarynum}}} + {\protected@write\@glossaryfile{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\theglossarynum}}}\relax + }\relax + \endgroup\@esphack +} +\ifthenelse{\equal{\gls@number}{page}}{ + \newcommand{\theglossarynum}{\thepage} + \newcommand{\pagecompositor}{-} + \newcommand{\delimN}{, } + \newcommand{\delimR}{--} + \ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi} + {\ifthenelse{\equal{\gls@number}{section}} + {\newcommand{\theglossarynum}{\thesection} + \newcommand{\pagecompositor}{.} + \newcommand{\delimN}{, } + \newcommand{\delimR}{--} + \ifglshyper\newcommand{\glsnumformat}[1]{\hyperrm{#1}}\else\newcommand{\glsnumformat}[1]{#1}\fi} + {\newcommand{\theglossarynum}{\thepage} + \newcommand{\pagecompositor}{-} + \newcommand{\delimN}{} + \newcommand{\delimR}{} + \newcommand{\glsnumformat}[1]{}}} +\newcommand\printglossary{\@input@{\jobname.gls}} +\newcommand{\glossaryname}{Glossary} +\newcommand{\entryname}{Notation} +\newcommand{\descriptionname}{Description} +\newcommand{\istfilename}{\jobname.ist} +\newenvironment{theglossary} + {\@ifundefined{chapter} + 
{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi} + {\ifthenelse{\boolean{gls@section}}{\section*{\glossaryname}\ifgls@toc\addcontentsline{toc}{section}{\glossaryname}\fi} +{\chapter*{\glossaryname}\ifgls@toc\addcontentsline{toc}{chapter}{\glossaryname}\fi}} + \glossarypreamble\@bef@reglos} + {\@ftergl@s\glossarypostamble} + +\newcommand{\glossarypreamble}{} +\newcommand{\glossarypostamble}{} + +\newif\ifgloitemfirst +\newcommand{\@bef@reglos}{\global\gloitemfirsttrue\beforeglossary} +\newcommand{\@ftergl@s}{\afterglossary\global\gloitemfirstfalse} + +\ifthenelse{\equal{\gls@style}{list} \or \equal{\gls@style}{altlist}} +{ +\newcommand{\beforeglossary}{\begin{description}} +\newcommand{\afterglossary}{\end{description}} +\newcommand{\gloskip}{\indexspace} +\ifthenelse{\equal{\gls@style}{list}} + {\newcommand{\gloitem}[1]{\item[#1]} + \newcommand{\glodelim}{, }} + {\newcommand{\gloitem}[1]{\item[#1]\mbox{}\par} + \newcommand{\glodelim}{ }} +}{ +\ifthenelse{\equal{\gls@style}{super}}{ +\IfFileExists{supertab.sty}{\RequirePackage{supertab}} +{\IfFileExists{supertabular.sty}{\RequirePackage{supertabular}} +{\PackageError{glossary}{Option "super" chosen, but can't find "supertab" package} +{If you want the "super" option, you have to have the "supertab" package installed.}}} +} +{\RequirePackage{longtable}} + +\newlength{\descriptionwidth} +\setlength{\descriptionwidth}{0.6\textwidth} + +\ifthenelse{\equal{\gls@header}{none}} +{ + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader}{}} + {\newcommand{\glossaryheader}{\hline }} +} +{ +\ifnum\gls@cols=2\relax + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader} + {\bfseries\entryname & \bfseries \descriptionname\\}} + {\newcommand{\glossaryheader} + {\hline\bfseries\entryname & \bfseries\descriptionname + \\\hline\hline}} +\else + \ifthenelse{\equal{\gls@border}{none}} + {\newcommand{\glossaryheader} + {\bfseries\entryname & \bfseries 
\descriptionname & \\}} + {\newcommand{\glossaryheader} + {\hline\bfseries\entryname &\bfseries\descriptionname & + \\\hline\hline}} +\fi +} + +\ifthenelse{\equal{\gls@border}{none}} +{ +\ifnum\gls@cols=2\relax + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}}{ + \newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}}} +\else + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}}{ + \newcolumntype{G}{@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l}} +\fi + + \ifthenelse{\equal{\gls@style}{super}}{ + \newcommand{\afterglossary}{ \\\end{supertabular}} + } + { + \newcommand{\afterglossary}{ \\\end{longtable}} + } + + \newcommand{\glosstail}{} +} +{ +\ifnum\gls@cols=2\relax + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}}{ + \newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}|}} +\else + \@ifundefined{newcolumntype}{\newcommand{\glossaryalignment}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}}{ + \newcolumntype{G}{|@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l|}} +\fi + + \ifthenelse{\equal{\gls@style}{super}}{ + \newcommand{\afterglossary}{ \\\hline\end{supertabular}} + } + { + \newcommand{\afterglossary}{ \\\hline\end{longtable}} + } + + \newcommand{\glosstail}{\hline} +} + +\ifthenelse{\equal{\gls@style}{super}} +{ + \@ifundefined{newcolumntype}{ + \newcommand{\beforeglossary} + {\tablehead{\glossaryheader}\tabletail{\glosstail} + \begin{supertabular}{\glossaryalignment}}} + {\newcommand{\beforeglossary} + {\tablehead{\glossaryheader}\tabletail{\glosstail} + \begin{supertabular}{G}}} +} +{ + \@ifundefined{newcolumntype}{\newcommand{\beforeglossary} + {\begin{longtable}{\glossaryalignment} + \glossaryheader\endhead\glosstail\endfoot}} + {\newcommand{\beforeglossary} + {\begin{longtable}{G} + 
\glossaryheader\endhead\glosstail\endfoot}} +} + +\ifnum\gls@cols=2\relax +\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi &} +\newcommand{\glodelim}{, } +\else +\newcommand{\gloskip}{\ifgloitemfirst\global\gloitemfirstfalse \else\\ \fi & &} +\newcommand{\glodelim}{& } +\fi +\newcommand{\gloitem}[1]{\ifgloitemfirst\global\gloitemfirstfalse #1 \else \\#1 \fi &} +} + +\ifthenelse{\equal{\gls@number}{none} \and \gls@cols<3}{\renewcommand{\glodelim}{}}{} +\newif\ifist +\let\noist=\istfalse +\if@filesw\isttrue\else\istfalse\fi + +\newwrite\istfile +\catcode`\%11\relax +\newcommand{\writeist}{ +\openout\istfile=\istfilename +\write\istfile{% makeindex style file created by LaTeX for document "\jobname" on \the\year-\the\month-\the\day} +\write\istfile{keyword "\string\\glossaryentry"} +\write\istfile{preamble "\string\\begin{theglossary}"} +\write\istfile{postamble "\string\n\string\\end{theglossary}\string\n"} +\write\istfile{group_skip "\string\\gloskip "} +\write\istfile{item_0 "\string\n\string\\gloitem "} +\write\istfile{delim_0 "\string\n\string\\glodelim "} +\write\istfile{page_compositor "\pagecompositor"} +\write\istfile{delim_n "\string\\delimN "} +\write\istfile{delim_r "\string\\delimR "} +\closeout\istfile +} +\catcode`\%14\relax +\renewcommand{\makeglossary}{ +\newwrite\@glossaryfile +\immediate\openout\@glossaryfile=\jobname.glo +\def\glossary{\@bsphack \begingroup \@sanitize \@wrglossary } +\typeout {Writing glossary file \jobname .glo } +\let \makeglossary \@empty +\ifist\writeist\fi +\noist} +\newcommand{\newglossarytype}[3]{ +\@ifundefined{#1}{% +\def\@glstype{#1}\def\@glsout{#2}\def\@glsin{#3}% +\expandafter\edef\csname make\@glstype\endcsname{\noexpand\@m@kegl@ss{\@glstype}{\@glsout}} +\expandafter\edef\csname \@glstype\endcsname{\noexpand\@gl@ss@ary{\@glstype}} +\expandafter\edef\csname print\@glstype\endcsname{\noexpand\@prntgl@ss@ry{\@glsin}} +}{\PackageError{glossary}{Command \expandafter\string\csname #1\endcsname 
\space already defined}{% +You can't call your new glossary type '#1' because there already exists a command with this name}} +} +\newcommand\@m@kegl@ss[2]{ +\expandafter\newwrite\csname @#1file\endcsname +\expandafter\immediate\expandafter\openout\csname @#1file\endcsname=\jobname.#2 +\typeout {Writing #1 file \jobname .#2 } +\expandafter\let \csname make#1\endcsname \@empty +\ifist\writeist\fi +\expandafter\def\csname the#1num\endcsname{\thepage} +\noist +} +\newcommand{\@wrgl@ss@ry}[2]{\relax +\def\@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}\relax + \setkeys{wrgloss}{#2}\relax + \ifthenelse{\equal{\@s@rt}{}} + {\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@n@me @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax + }{\relax + \ifthenelse{\equal{\@f@rm@t}{}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|glsnumformat}{\csname the#1num\endcsname}}} + {\expandafter\protected@write\csname @#1file\endcsname{}{\string\glossaryentry{\@s@rt @{\@n@me}\@descr\string\relax|\@f@rm@t}{\csname the#1num\endcsname}}}\relax + }\relax + \endgroup\@esphack +} +\newcommand\@gl@ss@ary[1]{\@ifundefined{@#1file}{\@bsphack\begingroup \@sanitize \@index}{\@bsphack \begingroup \@sanitize \@wrgl@ss@ry{#1}}} +\newcommand\@prntgl@ss@ry[1]{\@input@{\jobname.#1}} +\@onlypreamble{\newglossarytype} +\newcommand\@acrnmsh{} +\newcommand\@acrnmln{} +\newcommand\@acrnmcmd{} +\newcommand\@acrnmgls{} +\newcommand\@acrnmins{} + +\newcommand{\glsprimaryfmt}[1]{\textbf{\glsnumformat{#1}}} + +\newcommand{\newacronym}[4][]{% +\ifthenelse{\equal{#1}{}}{\renewcommand\@acrnmcmd{#2}}{\renewcommand\@acrnmcmd{#1}} +\@ifundefined{\@acrnmcmd}{% +\renewcommand\@acrnmsh{#2} 
+\renewcommand\@acrnmln{#3} +\expandafter\gdef\csname @\@acrnmcmd @glsentry\endcsname{{name={#3 (#2)},format=glsnumformat,#4}}% +\newboolean{\@acrnmcmd first}\setboolean{\@acrnmcmd first}{true}% +\expandafter\edef\csname @\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}% +{\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname% +\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse +}% +{\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}} +\expandafter\edef\csname @s@\@acrnmcmd\endcsname{\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}% +{\noexpand\MakeUppercase\@acrnmln\noexpand\@acrnmins\ (\@acrnmsh)\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname% +\noexpand\global\noexpand\let\expandafter\noexpand\csname if\@acrnmcmd first\endcsname=\noexpand\iffalse +}% +{\noexpand\MakeUppercase\@acrnmsh\noexpand\@acrnmins\noexpand\expandafter\noexpand\glossary\expandafter\noexpand\csname @\@acrnmcmd @glsentry\endcsname}} +\expandafter\edef\csname\@acrnmcmd\endcsname{\noexpand\@ifstar\expandafter\noexpand\csname @s@\@acrnmcmd\endcsname +\expandafter\noexpand\csname @\@acrnmcmd\endcsname}% +} +{\PackageError{glossary}{Command '\expandafter\string\csname\@acrnmcmd\endcsname' already defined}{ +The command name specified by \string\newacronym already exists.}}} + +\newcommand{\useacronym}{\@ifstar\@suseacronym\@useacronym} +\newcommand{\@suseacronym}[2][]{{\def\@acrnmins{#1}\csname @s@#2\endcsname}} +\newcommand{\@useacronym}[2][]{{\def\@acrnmins{#1}\csname @#2\endcsname}} +\ifglshyper +\def\glshyperpage#1{\@glshyperpage#1\delimR \delimR \\} +\def\@glshyperpage#1\delimR #2\delimR #3\\{% + \ifx\\#2\\% + \@delimNhyperpage{#1}% + \else + \@ifundefined{hyperlink}{#1\delimR 
#2}{\hyperlink{page.#1}{#1}\delimR \hyperlink{page.#2}{#2}}% + \fi +} + +\def\@delimNhyperpage#1{\@@delimNhyperpage#1\delimN \delimN\\} +\def\@@delimNhyperpage#1\delimN #2\delimN #3\\{% + \ifx\\#2\\% + \@ifundefined{hyperlink}{#1}{\hyperlink{page.#1}{#1}}% + \else + \@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{page.#1}{#1}\delimN \hyperlink{page.#2}{#2}}% + \fi +} + +\def\glshypersection#1{\@glshypersection#1\delimR \delimR \\} +\def\@glshypersection#1\delimR #2\delimR #3\\{% + \ifx\\#2\\% + \@delimNhypersection{#1}% + \else + \@ifundefined{hyperlink}{#1\delimR #2}{\hyperlink{section.#1}{#1}\delimR \hyperlink{section.#2}{#2}}% + \fi +} + +\def\@delimNhypersection#1{\@@delimNhypersection#1\delimN \delimN\\} +\def\@@delimNhypersection#1\delimN #2\delimN #3\\{% + \ifx\\#2\\% + \@ifundefined{hyperlink}{#1}{\hyperlink{section.#1}{#1}}% + \else + \@ifundefined{hyperlink}{#1\delimN #2}{\hyperlink{section.#1}{#1}\delimN \hyperlink{section.#2}{#2}}% + \fi +} + +\ifthenelse{\equal{\gls@number}{section}}{ +\ifglshyper +\@ifundefined{chapter} + {} + {\let\@gls@old@chapter\@chapter + \def\@chapter[#1]#2{\@gls@old@chapter[{#1}]{#2}\@ifundefined{hyperdef}{}{\hyperdef{section}{\thechapter.0}{}}}} +\fi + +\providecommand\hyperrm[1]{\textrm{\glshypersection{#1}}} +\providecommand\hypersf[1]{\textsf{\glshypersection{#1}}} +\providecommand\hypertt[1]{\texttt{\glshypersection{#1}}} +\providecommand\hyperbf[1]{\textbf{\glshypersection{#1}}} +\providecommand\hyperit[1]{\textit{\glshypersection{#1}}} +} +{ +\providecommand\hyperrm[1]{\textrm{\glshyperpage{#1}}} +\providecommand\hypersf[1]{\textsf{\glshyperpage{#1}}} +\providecommand\hypertt[1]{\texttt{\glshyperpage{#1}}} +\providecommand\hyperbf[1]{\textbf{\glshyperpage{#1}}} +\providecommand\hyperit[1]{\textit{\glshyperpage{#1}}} +} +\else +\providecommand\hyperrm[1]{\textsf{#1}} +\providecommand\hypersf[1]{\textsf{#1}} +\providecommand\hypertt[1]{\texttt{#1}} +\providecommand\hyperbf[1]{\textbf{#1}} 
+\providecommand\hyperit[1]{\textit{#1}} +\fi +\endinput +%% +%% End of file `glossary.sty'. 
diff --git a/source/resources/images/s-TL-SG1048.png b/source/resources/images/s-TL-SG1048.png new file mode 100644 index 0000000000000000000000000000000000000000..653fed52210a28aa6d0b4d32069a7ab6db0278e8 GIT binary patch literal 184364 zcmeEti8EXO`)`64trqdIeYBPcilS(#EkSLurPUI96s7jI_BGLJQCfRZTU%7s5^L$2r=OHV-7lwKKz|EET|ni~CF1D?i@T1Q4ggS{bpH7MnbT|b zM@BaO0Kmo0{~W*!*^5E|0HYYLr*kjFah=ZE=x1k1U?f~PfA)?}y5wZXq*+q;+s@Zu z&-HFTo>y{jA6}mXg)1OCE8|3+3qQxPF)w=>ALE3FNS@)L9J z1^x<|3%0|`L%IHmiYp|S2&jMM7F6M}I?hGozm6GK4YtYZ%QOFF_|#oyS)Y8p@n43@ z^hKs1@1FlUgnU?m|4p(>%PZV7%zu+yJ!>$d)A8RVPx=;ah&uf@$=(ekL0nb;m&bni z{~!DRT+079-}VaafN?@#*ezqJr|Vq3q4iJCttbCe!45vuUuHi!)xR?hm$wMj8$Me6 zJ$sKI{O@I_7jHZl)0s7ph(A+ z)wBP)*bn1^9qnd+&D9o{=MV4YH#~O4dCxq?Z8VwXP(xiNS5JPhK)6>Ig9&5+>4U>PHJY|Wae%LN680~wi>&&ls*(MT$ zkm2>#Ttg^ybMH;=qw$Z&dkk7@4!Htdj4p9dTkBu%w)kc430oO12v?@pNxYh|j&buN z)V8-BxZ)TQO?cu*Z1W&}Lon+w%NNQSen?Q++uX}PY^^WKp-%5UqFOej59z8sm#1s4 zY~F{4)3Ssv{ZLu+X%)iLEkTFQUWmFr&Gw3)?$B^MMjO2VSrAz^eE2@RB~sXE7?{1& zgKP3u_3|r-_s$rO+{_5~&7uE1%on8AX4M+?5cWzPTf%zs9pHa!%X3!>9!mK~IQu8A zz-Ckxd?+#{bX%y89bsyYBxD%bo`m!8E6j13^hC^rLRDLCcIT7JXm8crTF^Pc+iw;& z_%k-T@-c&$IV&w^%lQiW44ytyQlhotQBtD0EM4Lb-ODa1fzgRxG{NDJZlcX_*e~ML zaMXcq4Sfj#U31(0emaK?cdfM&t2+cL#QXFXq5vLAQti3VC@r97k0BWQ!*ix?A{H=b z5%M5G!2jxlW>>$~?(CjzW!Rp-JAF7!%~xq-LjA>1;hLpgAJ!#%(X?T5Has2g;dy$9>E8Z!Bmf1$5<-0!r!f^u_l%k!~#~GmC3f2NU&Jcg@A@ zvhRD-xWgqPg3*`LHP4h90|?ot4Koy63bAueHejzhgGs z(FZFN?pX*IY2tWzJ5jwoCaV7+r1HU7J`FeAUqEX@S^K~kdyJiZ?{*XV${Q*|&?TjS z@f@Y;wU)+ExJpGGcQINIXi1D6ScT8m6BGPC$|{eFrXuilq>N)UC6lp6#2;s(Y$AV- zG5WE`hhykdyII^vG1ky_J~1Ni#YxnAeu>@3<0yLl7@FpX53?GT?o&VcAjJqJ9?B+| z)6vJ%4Eq5_^W->Vg+U!0!!m{mH|Y(_)<0_*(^v*p8GV4Fi{PW&7%2RXT?v8S2D6?a zx;dbB*G~T=KWeW5y;go)fZxHJTtgde*iN-J<#<1 z89YtHT_x~=b1s9NgRefANOBNS4_xG;-Tv1wZ-et>l@ozy#G)Umw4Y3)k4w-s)2puv z3&J)CbUMK<@SqQ2=fOdS9WTOcea2T#>-(XPs9}#*V@i2dx_K4$DA^1f|heI(vXy_RTej>J-z-=2&V9Pdn#Rphe+4^u?$Yzcqd zavalew8;4sjys|!p&0e`gDZGO63U@KPNGF!SZ!IV&Y}HtgXrSz~6m_nG{9h_l!Vde;jt7NuD)Eu)$HdMn^o?8J 
zEmwwP@i%2Is<#(#!!iYqYE4jq)ps0@@1?r;ok`G)?33y*NJsF|l$WaYOY-R+Ch{&w z20O(&r9_^x-czv4Q>M9Gim)4yf>ET)G@tvXh|sDvQJ~~Ie`aTl>9A+<&>m|pE3mcEWtnQ=o_9^eq6Z~)@ch}zt4$U+h5{N z3R$v+?s6lSxC!Lhl33U}cS)?)ev3JQa+y;jav~TSF^;A+!1nje2>WttTDd~)`d`=3 zmN+~})@jgQ3>jW)z4sBes>7*1y8=B_o23i|J1*Zq?cG2Gx2-uKuqPyJRM@MDkXK`~ zn?Vg@vs+Pz^{(NsCK_k5TmO2^(M?Z(4KLS4PqeiE9cA43^~A0qviFjLM{5g#p6|Z+ z*-ygG0w4Z+(Xk|aZm-_z4&or7FUT~o{jhnW4H;T7(L79?JB-?>Js`h4vCBSqU9mXh zwYDhm(f<11xk>8p6)4s}Y-1v7R(WJDEnywIr;ZH{o1KWHkFB-MMI!H@mh1WHXLhF# z9lITt0yp=Xy=Y{|6*2j%N{hIr8TKjVH;)9~5_Cjk_!xP5rTDu6EX{zWweDyi4 zI|Wpt1{uBQcd{`?ptqnI`@tte1iLl#njbxHjBql84)z)ILP|}Y%n`x|#t00WUm%s0 zG4EsUN4D~d3|ni6ni-pE9h}LV+uWGDpV1IG(*Wb~!8M?1=#a43;3Gr#pyC7AaV#UG zf>DUxe_et;P9k`Wm*NLnT4#uPb3_O8t>dAsu&|Y4^Evv-R@0lU##O=|kkfuSkB`>U zMhh|6AqNwqaU3L58%yMMKP;n&jLTv-#HHiAV^wMC5?Ggp;|#afO`@*WAAdq03=fmmMfR#if~k{e z%1#NI^0?p;wNd|M*@7{tuew&S4=;$IA{nH+R+JdTQBghJ?_{tf54wE!WRR!~UDPQ- z(CQE{`Wl*ET7q!sN7IN5UpdC?Gw9krF~N*tQ$TMjJEk$VDP<8mnGsXAQ9~;yv12Rf zFZ_A!s|ol3IsE*2{L%h%)V@TC0%cSI7CDYYZxFwr7#F-~u!uSS-1gnF_P_h}s#+oA z=q_XwndsGiur@S}qTf(;C`At<3)(l=L?XhrZ?&K7zaku)m0(Y%v1+sX^H`0@y@sd( zVov*V4wCZ5kM?WqR{M^SRl#u`CDrffqo1bM{(V9y6}NSCFxC)7Yp4jKR6!&EvtU$usR9-+jhEVF@O8W63a>P)%F6~C)olfUHGmU z3b$c2bQ#R&*^d8+P)5cU`M8eg=Q|3~3rygQX;{r9psz=3lf4WOJ-t7D>gN$!T0}Ua zU6Ad~IEdC9c3d5c({?DgPUm@glZdJ!p9Q)CHJ%&1n3YU3H-BVvjzP9rj*7 z91Cyw9KIDsXhjz^w7R1jTc4roR@*yhtFx}C?xS4=M*kRkdnjrM4~zWk9(6$U&kRQ9 zZMzgQej?}%CFsK~=-z%`!7+BC@g4o0#MwChde{yRW8C(o_(GzIC29E- z^uY*YVV^yL0b}rsv~*vsHkSUC!g>6T)5c|vHDaC>3pQ_Outxm&m$}Ozh{{Qw=hSLD zq#dV?g}1JRSL~2awstV}|M+LyZMy6?B_I|=eV4K z3M4npZa8|*Ho(WL<)7f_mf-tn2{wU+<&Q&_RV$h+YDh1%&JQT55K7tyDeQnsG-iqB z1I(e=1kqPq(eL}y3#cm*%v4pJ)NNIr7 z(_JeZ6ar2+P1PH!HFHikVgu>*>1a9Y)uok6N#s=+X@-LZxr^A;ra_`dZr8S_m-liX6=N-qdbdX&@R&!@rSLSm% z>r@JR2=tmRpl!jn5;0<~)9Xh307~d7!Yvtg)Sk)l%v{&`0fdl_|_j{NAtkq7Sq$3?NY3`lv=K0Dla0c-Iis zeO{Cqf6Vj^5XizQHpbb%eMMs1HIIlw0x&^^JG8(X12buaPh>X$4XMiLm$WZ^DSZp$h1wFI{zybICm?_7CX zc9^rkOg0DFfC?j%xvI 
zlc(YiD_o^^i}gMvgID;nUqyJds8k}CSmA57q7I~Whr5wr@5;h(zWXol5qWkN3OVy4 zRdHd5VozPK`Yi4d=YCAV7@NGP$iM#Du|{IH`3l4EVXXW2+OAEC?}vBpnRMB9k}Lv6 zeSoSqHwb~nH3vTnLABl@p%}@2_5_J7dmhm_4LwpqruyjfL@~<(d@I^Wuq{=1gzCMu zzw0ZG?9GZ701N*};55o?+$Ne_x~B8ZV6`hP$;LSe7cX3`Z~8Js%q1@Ks93I2%$DSA zvy|w-aqIhJ*DZ;*kWZC*UlZ?-8f!|JJ&Lbi*o4^xa9SJhIwqKZZ)ea6{&Iwk*-doV z@blJqVt{jNbCv?@L!^R8uY}pE{;#Ef$kV%-x%Vnl3*CHkz=wUWmQBFuO*2zp|0hk& zzoB~(0swh7yYjRO4D=jk28R4`)NxH)dT+{6l$V`B(U{Aq6d zB<2j_fXLs^{7wjmA8^a|ISO(Cn7}pw zrmA<>!_RB}U={toe)d{A8}GHRh*?v`0_}6RpFI+@#+=ij_lP0Scib7RE=xl=#*ItS z%Mdmu5E4pGH2ws|eD8dpZq?5W?}A3IYh*S7rspB0;?7oIldm{&?l?~vRNC^^Qj0H$ zey)|x$&&)O>XlDLKrt)E9ejCIGt?p39U?bhN;e}MSF9ajq#1scUw)`BpQx%4i>lZl z6+7pU7<(&i3=yj7Jr0--6YE z>bAm;f(tGuSt>qF-U-%>vn{q%3Zox+2&I{M*cbJDPE`UGRro$&*U|OPC?d@yjK~5W&?H4ea>R%+IqkPZfn>NFy@gAIBs2Zei5Q`G#1Y(=@4fb zRBdSQk#T-RM!qybxni_7!GD3jrt8JS_*m!M$!^t};-aLG`1i)(H|Emal9D)Rh?w7& zi>`Nk&qDpAmP>@5X(I9s=hBN^9W~cCPvV;G?^TLT?`HqjUy^DvtIVNP=6*6qZRUms z{$1HUf;jz&*2?92{b|m1qw{*_(j%T8Sznuo``QA#mX6EgR*CDiqwIZ2yjA?Qa$j#C zJAS){?N*;=h9#L{rJ3sDR#teU7}?Q`$kgftD~I0v$YC_qXQNh&eGI2n+)hgQ2+zkg z4;Zm{A{sKZo(ATd?&{%iKH*fen(ID&bz5**9XQM9gV3ncfa%0tw&!}btirU0cjU9_ z$5-C$*3oqbKYhqkV29dvsgz21hg*26av;vg`U`9{!`I~NkhoJy#Xdwy<$+{rsuei9 zT3XzJyUOTSdD^r1PiT7>*;r6%0o^<{TGOh+f@yCghg?sQH0%PwOhUE(aN2saKcJl_ifH&;ERsJ)LBoY)1Av0mYW&J z5l_coW~qyYj_Gy-90NNt03|8%k1l`ctJ>Wc)&dhzT<4eKi;!TDH(NT0 z-6`Rrm^FLb;*I>M$Y!JA*Gmt1T*MQ4c^`i_N?QyvC-qtuaZEY;A6qr8(talkzt^qY z*Z+wtD)(|mRorZP5tp{;|Em77-AW=?i-M7~h{{O>vDr874ecvqrk(!YtDw^I@QsO7go*0%4lF zYN6Hs_HS%ux&k$~`nS@aSyP|hpYQi~`K9>{8kdYh>mr&4tNSI52L_hco`i!gvMF5Q zmQEe=oNSiCeUbZfDXq`y+h3OY-HX9TUS23XE6ec8LR?o`{1oa^10KXu?sLLdzB>lp z7&BL(q$)H;SqY4IE)RHGcdi+*Tf1Iy4oLY9wVVBkV7eZukgCN{8`4*bJna1ysuVw# zu2sM`_RBA|v|>Bk^`&>@0o!Q$REgp!QtHg>fnMX*%Bat(eZTafP^#2W^0=#(W&rtX@ylenwkUz01X@W*`bGZbpEEPYHW zw(RGxTz45T;Jp1wRvg8$8W#tIMEb@(Eah?K_{6@><$BI&!4M<1SOYXkxe8!=$ke?0 z-Fl4KE&6&<8Q}@QE$*LdXM2gU0XNDnej2G3VisUI`Af=DLU$-Wf^&&s?)CkW$qobj 
z^U#v1F~IF)oXAed;d_@`uyX`x*H(FS0WxOyph{sr_wu~{ZH(In;0EYde_RkoD2{b9 zI;@!fugIPGXGUU*P_sRox9T9bWho`M`t#Bwl5uQkmhU9Nr%#i&#p2k%TER|aZEU79 zBEcmJ?{8sjBkztP|7E?S8N)FpS)-TXgAJGhLb@{(w}ezhaR1 z9__O4fpQ%q2W;8a>*BcN4h1|u1kc)0Mn4*U{ax6Lbe)QP^-y{i=^8&5xdk=I(v-~y zN;r?z8mvq$F50;4X%b;R)KIIboLr|e&eF~7LymB_j5(eyQ@zi@u?4up*pMyL*FR?X zMYi&4g0p8e%4hXn9^SLzhzkfMWH`sC7EJ04v;OgXUdAp8=8G5GCoNRe!*?Ybf~0&Gd=_EDUU>eN zc?4NW!JihWiOzDT-4!GAyMqppFEIMee|P_ups6L;g3DB&iM7)bL;hyyaCl|Wxh9K} zwX{w->47cHg?cIOf~ow2(t`GxgM5M&*mNRQivUj^8k0)9x?_XO;9wziyRiyJIno&=}45i5yM+{nNyiTbcc0=u2;S z47Xgd>*Pyhe5#yI`y?1CF`fNLVi{ELdi4&r;F3IhtE;)x2c?alS(FN@@AHTb* z=J;Gy*L%r{@}V=iVgB7c^Sc`8w;zBJ#Y~uL%(H8r1xFjsa~b^<`NX0geJ65?l7jj4 z*jA_381Q>k9Kn{h19%V?)M1SZe5V3B%Y|?*<^%>zl|QYj1+I0gNPaD5`8fp$oNvwe zN2SA2g!YGdd+%0Nxwn`YJ>^X2*)O|2e97F9IL=X>q%6&Sl4rJ(Md9EJ$cUJ1T#~x; zH{?tS<~X^8?NubGv)B5V>Yco5f^a|X7L7{|D(cI6o!!2Zaarg?M!_Bq5i@jD5fbRl zt=YqKXDx)R(_xR4a9&n#!C8^GWIN%4MBPSv^wRk|{z*ro4&5GIWf{_ehnY!HTFS)V z2=(E38aBz@k`bW=I~J$p!-iQsh z9wJ$K>(a>Z%@`5%XlGn-eOMXl)Vv-a%(+t+VzQjUtVG?)qcJaj|4vS5*JTTP8OL~q zg{;OGPVwOjIYB(PNs`5HTS4OE+%iFm_wbUnFB_a?vdf$#`#OE9ZLjh-aAPH>Uy{4f zO*(UT`Y$|TZEKBo>XR~?%kWx)kl`Kuc29C!t>mwAzF~$p-N*@33;sL58@wcI4^Z}g z{M2H|-Nb74sn$GKBZTSiA!<8um`mJiTOfiZxK#Z9!3H*O8tlvp3>PCbtA(qw6W>xP z{9G_vEiBxDLQ2wKr|+;r+-KVBCB6m-Mm9^wjpXNh`=psV7)a_&k2xgVGmCd}z?w2; zn9?D4!$I8Y2y|PGVI!_Nrb0A89K=17S`AsqFpZSGe`bJbg`>!B)(UK$=55CPX-w5i zr5NLQ8|lk@^3&wsv`28^{s4+z&1b39gwA_H?_WMD9rNjXqX?<9YFL%f81*jFvvE$p zD(eildu zrUQ7nE8SwE|M^;yQ57dZ=tX`|sA6W5_7b+39c@eYa;B>3bt?0>fQm~j zA<_0x-Dh4fk7+9jEu1lB{X{WSD)C#AyM3{a$4U616aXrM5n<0NlchWMLX!byYUEqO ztBFFur81G4=%Ujg`7N2p=Yi|lotKTGO2&F};ExJQF_U6uRAg#zF0?nf`7zmDwH=h= zEzs?0DvL+SaD;vE zf_gK5L^FT?W^DM9Bj~Ur@=uxh%86m}&sW78bKBzw-XVP9m72k%eA(fI6+`qe7^Xf9 z`ct++S#SEdrdD$3TW9f$_Vt&>Gd*%ts9(BKcJrc6e`~`WJnST3dJfguAD(lu)KmX^ zOJ(Kt9kB29(8AoUh?vAzdX1gZdgVt&juEm}`i(EqU7Z2P3DNxvAG182%d#{U{UmB| z-G9nt9oHt#Nq+B^5g3)2OQ4;CLPF7{_=ox(tCP!bBu|#!wf84ulPemc)*2iFm#<6E zzsJ{JC4lWy6pMeCRi=O2D|47b%s-F&)yYmwkv(!*cq8{QI({BoWp|U)F>ER`vT0d! 
z&XevZ>3#pO>7i~g_h0m#8ON(u9e;xh>9{hV@U%Mol1aO(1nQ(t(|H`Vc-J5xeTA;y z4u4sR1m9YzA0C^SGwxhfq6TDUz~3G0JLVGo^Y>F{Kk4Cy(%|KlhAhv7QsnxkNgutL ze^?zbjdM7yz+Gj(*83Es)RY00vvvG&4NA;@8*#|M&eG<0Z5i-Jw@8h>H|9!L)V>GB zyOKVphZxmH6lLo?=rh&=Svly+mcj!v;vtje#d@WckhBOf`_xjU5#R9y&V>iv_gacf zA)YGW6fB-$o7yyvr785a4m(27@dQt62*)EMCPDx4fsz{m>m95e+-y3{N5HFqi`r@J z+3t{p{MQ$HJ$_~930E_v%cRJuxQqfVqHE&>-<^pY0eYrflhE!F=`B>A$v4*mb@LrD zgQE>F7I>?#>$hxRPN4YWjCOQmdH)TPRWp8CC#uHwkMpR^KRRy7 zLScdJaTk=HABj3u$crggxQdyxA)rQS1i$40-w4{Pht(s3b|}!4?%PB^!gQ}Ql&U7* zgB{Ei(RGhl$jxO2$9AfjuRK6i7OuUh3o^4;o!|uq&DIeq%`do@D&3b}V%Ij>#f)cF z4}WOg34$dKn={4-{O8qnOhe9U+EK$_X!`AU?v?B(l5@GC`2@CX^}LgO_~M~_NaZBh zZjOEHSt_T;@<90W#_G@l8F5rmhGP3EVA$JCnX}xAa7`37cV^D1IeIT2CF)9ANP=Ik z{?rJ$81J%0lHhP6)%7a9fTAH#mG7|;c`FA^Yet- zwY26({oVFvxj4DN4x-pT_#(;Eb8jo@mV!|Vcw^(VpJmPQ zi4}srQam&Go8Ah$EZ%d;K3YnDyGzrs)X!L3#{3J$%v!(ub5+T-tEaA>yZMHMML_Ir&uVwlW0)PpXNOiK6<`Q%5igVUsWc}X@mIjAIzySe8xRB^_fX?8qaT*9t#rY zo=J=2FLmHD$2xKm(wG_nXq)V!&oMd&Y}SEr10{>yTaCL?Q($`u#Xe&PCYQ9I#z7Kz zH*mcjdqQGqrlu6}Z5z?#i%kAAiQ6d{rE3SmN*vIU7gj-XwkB>(-x9R-Vr6pA?|U47+hH8`kQu)FIuvHa@)EU_kQ6)- zPHHRO6AnXjEAz-qlc;;+hOJ!UovcbOhI$E{((QFmhmoxdb{u1y${tY=-EPA+1t6D< zqQ&=rZguIin0P0)j_mRH6EkFqwp1~vHO85s8z0kp--Nj)ri(8#$ikOona(PFajFtBWnUaA zJ#E39HkVHu-*%PDErj)i`X(QK8^`np{u~0PN!q8@w~Ri|3JZBK`5#?B#ptqV(?U!6 zqBD0a5J-*e7?OdjNviLKogbS-co8w|L6Vb$m1IhDqA9q(gg`Z&O8u-AFFHG2BVoJJ zCro@>!(Szz3daqJJKi0NP|@)>!FeKP)8oeTeGx1hOmvQe74`z7j2P~b4_N4iaT1+XkREKG8r&|$``KmU@Wq=;*?`_r)+bP}8 z-|y9uiDFeOm{K9uhvFRqz)rT?-3oT|gCX7|ZiROjI_}m0UuwU{sdw~VG-b*J!hKZU z{S$KLI*|fsI>uOt;&_?bNqVyaB#hDr7K{q+F~-$J)Z#z~uu1ArQRMrg@!1le*p|wk~tyMzbQ0I%hylKA(S@Z{887%UUwRQgvLkG&f;@9V*Vt1{o(m5UC z?x{nqCRg|0Z(%h-bn!s4PnQ|$X}KD-=jp@GEhb42x1=I z!meO5QsuCj*8dvNG;vIX55Ha+*y~LSu?p+fG2A~(MKY#se-Gmf6Vb%C zvF1B$IYRgI$0Vj=xafq+$o1G ziE-Lwlk>JBR-SWEesc9S?=nL4n-8EmiJG&vH4^X!J$dCh;V)WN~c*nKm?hpq&bylYO`syxu$Z)N9cDa%d(fMGe8+Z#d_U_sp4!|QS0Lw zp!k_CqSpj_E}@khdbD8ps_$!aP$F 
zdKVo46f?4{{YKv`%eW@moi*KYL7Rnzd&BK>eYE6BH}hA3RNxZF_Ck{D4W3GlCWedmygDnUPQahzs<)h?w?7XO5~Sb{C3uec_(6job&byf0es3v`uAx z_?M@NIz5Him1(}A;ACAx7dSt|f0^lHL69EY<3UejjJZ&#Zq3mcg=a6$)}>nGBAxik z%stVn`w~*t>GfqD-S%YZQR6o?!#ooipY_4Fd;hs#c&n&9SIjex*J1_suhrxlFuA< z{Hnx!MR1RUtQn#*MNF>FS5{Z?iPYT7Hz6BYvKZ$LwtV^9gh0)@K(IH?|JUA;XG;)68-pgPO#x2xm|{l;8C(98!W^9 zucWZ2RH8Ar^ZLAW^)y+14W+EtAxW9844D15%rU&iFx~eaSBaL^6sX**4`R`v2fp2A zUE7w?`!kf9;A(=yjV45;=zShaW9qibWc!ytrHX0T3b*7*!qwE9F}-jdq~h94+WELO z&x|o`=mUeNrM{?Rp$|+NL0{040I*{ErH^`zpH*{uRG(xRK~wL>f1>_`yGf`nL+rTa zil{n+e>G3@c9R$#Xd-VYfUZjUtx z`uYUAFg-j5Ue~*jB|eyi^m}tzkojy*$_kIpd26OH5=Mfnl;vJ@e}^o_*zXdCUx(=$ z@OBW>(Wto1@wm9#)DcmH>ufTGY0^93xGp*f(87BGpuSy+X1V(0*XLfd^T33}YUWKN z{zq7tv#Y%dOX92iZJn=NAFM`?z_;QAKk)TExs+04Bp{+^D&jKI@b=eBzPu=UffHMH zBn{R%xiJ=%9>FcS#GdW3d`=BaKe$>`G&t0N;N@0EZ={$Djl4`GKD*7`NfaX-U0Ab@ z6aLzjd9;>t{EE9t$w1bf#B!&Wv$;EXb2EA`Ko0CcI_-X~g;lQ{|=beD4V+f;d&sksbMOD1`LV`fCoMSym@@)1^(8TI^ z7p^x8US!qKskC7vkS8Dw{m74abt~3;P(T(p)K^7Q*s;y!n{f9|O5~-*U(#7RQ~Z16 zB{C+#%uYTvd~!fXuks}(g=D7p3n6?p*eyp*Ip_G2SQ>u$aM!=dv8jtWEu^Bz>*qJA zemM&G+DNCxeXT%=1zzB@F%-2JMco$@*%gzmB%G*PC|sOL7?g_RR7{sEU7a|)T<260RHerFcp~(PqKz(m(N|LVBqbCdM{^$TINy=)IE$BjhHEhNJil>k<=eK`YC3$=BsC0lw&Z=Yh z15fq?Qc5uw+tfRldszZ7JRNMwOz&1RB2|i#QWY)(Ta)DjC6dpCj4-=&_n*xgxpC{_ zj~(VA%q`{B2&Oj_rWlNq6E~&~)Xn;XJtxczkG3%30lvKpTVX#32)sXCyqdZ#Q? 
zF|1la0u>ac>Oj{^1k85SrlKIm>~Upd;&R%}is{}R?VvC0tKv%3D&U&7Ml!aJN&m<& zYt?Heb|>+R!V^o8gKnM9bhb-M9}DO+SQV{ZH_LL~>l@t_Xoz`}@Sbi^vY;#L9Sg8} zFX+iX?4Dilyb40tj{a-gYTYWZ)fD(1@zpmx{UcJfQqh*Z@YXKazWYN1Hn7-REw=K` z#2Eb%y&1uMt$p*t6aC-JVZ--=+VlBc8V^xznmN-EiQ{{g#Oz(~n!{XiR7I4u)>t~xt1z0FH#BC~BfodcK+Y)-JZwN-k4AMxK$@1dnb9P&@Onk|D)F`@JJhuJJQw~tv?~4o?)JAIi>zDy_dv(^MAA|)GlUmHmQBi7JtgGd;FiO z&(xUIDfQh^|4@}tv!NduUM=QSz4#yclvjMR)A0Cp;QF$o6Hg>Qm|93u%aMoY#m1qsGOpiNoUexvN0> zt}pdIvEirh7SxgS-vY0)d!(iEG2pF`rYZSqctFav;vjaAj;sf6_xU|IuAda6wVUDS z05*rXfKv>Ij>s#C+*KWzsfjp#;5iJNDDYYwMt>BO=oSp*e$Y`Q=;V4eQqQFCm%CQ) zKOQ%(rt$(4?8&qXvJXhc^Pkn{$K8#L+X2Y07el1?fb&0zcC$=6UB?!lJF!>E!$37&&dzN!$C^tU4O#O9N7XirJU3i;FWdR$(7F zuU-7kyxMEa!ufFJo3In>?iBlFi+_$zNf`V7zTKYQF>I5nFL1n9mpYmZMC&f2SSnnc zZ@uGEpxvzzVr~Klq(JG3BT>Zla0ySsUT;RP=*>8DSUD{R;u&; z?%LG^01~e~T-l_v}xEjYloLv+?wDrS1NrKG2 zt&uq0*(6Lj1w{AyLaAC)sTHSCsC+0*YcwFGQ6ZdKu`Pa*23tVeO4XNah7}k4*Z3gl zp(@dC2pmLa_LrjrmkClM-t@-a&k}&@`4@$4y{yw}Gz~BYkCQNX08eumO?RCF-ys{=Sm5?}Czk1KK9asa2i$B}?X^PIj%Wez8W50r5tjs47XYmvxgpdNr9@I0u4 z`5Mru4k!?aIm@2lv=jdj2xZ~E%VZJ(6cJ^MV|t5$6q)7_ASh!WmUBOtzP_cqF^@(x z$K2jgUK{FpJOT_i23+8}#}vX{)tjk^x%DoM^U)`)O1Lu3Y5?$S8X&9vZ`_SJv-1K& ztXXFQ#I*s}u6h0jR7J%lRR5&ZcnBGKp!O?ltM<-R0eu2bn`X07wi11;JHYR+N?DdD z0LtrUuknj33Hw*b5>}o^%)7n3E$!Xa2#8qT!{q{goT!A6$JYRpj~ufI^#SSR9VqmF`2 zsob=Aci8&DpOBWyn8BL?uPtY^T*hKwy`I(b!*hGIL!9UQ7uCQKt6Di}+lJ+mlwJD~ zgi>*Z`D%P{m&T&nYj43=d~n&}0B!6PDOFi|1Z`Cw*02k*B%pX?s5ibWT$VWQvt#Z zI)VPktb88pt5_b&P8uH|5Hoi7zSFLKo#MZa-0A6*d5?<}Rz{2{~5vT#*09?oUV1I$YTeEYWBq$v_qLd~F9k>(47@ zFRf4{(nL4<9?&Z#?34me+g&xMz2MY=eh6YhoV#Mr6;!Dee`VGpn`KRto^CW=ulMdP zdHPIMKz*9mDQltpZ{qly7&E+}cga7w4L+bhZ^0qM+Kz1)gr}bb4dOsFzBVOM5McN8 zMtl}a@vJBRu0*J`iKj$sYJSaBuhm!McWH?kHzh`mvMj#pe~nXVQIG5_hnNR{M5Q)n zTPl~cP4JEeJ{Vu?m&qDez%zE49|OLw#9HCYBOHJrZUybaarutIDJNZm=_Bp4lOAUU zL*PBH1H_y=EbxQ3S>udOyYbEm_R`Eq>du)TlO)c78$y-B^J{64KmhmTT`;_#EmLKi z?KbWl;9d=|R5A`{J+rUT%*z*49vE*uak{3(CV zy5ETH!?PcsG#p(FKTX!9@D+%73dK4&5IG-J&BQ**7rz{zJF-TQdFxUbtm#b+HVqgm 
zC{SG0coPARi#UxdzA&mPE;2QTFO^5fE7$mNh|+REokYeM6Rm%bbq9#7C$-Z$hW-DB zzV{!FR}A}@_+9}Ol`l@SP*LN`UMN#=Xz%VDB7{HHs}{GOi&le=(7HaFzx}S=oh-lg zY4m1XhK10SZbxhF+-zKSke;c7sgu{TS2z2PcJ4db%^%fXY0k+viwCWKk6OJ9HhLR! zWi#I2%z#@ld2Wf1(0MMCw~FoG-Ejta8P=18vDtVTBAxK3%l`pO`8al$H6Bx{`bEkx z!|yHI@4w=Kp(gDXnIhs2%Wab4>{=}m()c&Xfq^H|bd^{?|EQZEu-=mFIgK%<96Wrw zt+vEzaTnP)Eymrc@j~~9{)RCc|B}>-Y-2RGd zGm3nAGkzi{Ax`UbUx8X%e_87^aoKT`*UI_NU;Snr2_xU~DU)un|*P)FUY^ z6Tf6_aj$^I)cI9}KCWgYE!7{cx?ov~A_qH?ka54lD`fAlxyze?xArm*!`>0Z?QJOF zikSLyXEp1nXKu4-VqRh5L23y_rvy8v6or@syo%`0lGqN;%b3C<)_h4PrYbI(&NApU z%eLp6OV{qcz3f+fK8yMHBvW87zbM;Prl(!g zx?Ursf}cm367c0^Ud17xamnghKL!n9kxct~3~epl zFRC@5P{6_zCZe5~%mVUw$!4ImZ>R@ySw&#y8vDClZ~aIt^S#s=^Lkdzpi|udYW1D# z3Y1N}fX%YUp~Yps=Wk;k9-3lCQ+>1O)_|gmzm6aWa&)`;&%I8|Z*##ZECvn|kN&+& zq)M+Sw#0TG%?d#`^P)}*zjc+*o89}e4v3R^*k))x`-06v*}nZLx4dEzoc|4e9KVvX zDpcJ+>~CDMskPg_Lr!dX@+*9F>BZsep_Ub`y02Z8=&h2&EWen~yxu-hbIVp8oo70Y zP2;LOW|9O%Rkr^O8@9p!RWvYt851vM)!iw&V}8l=K|(>Zz?F}@C7nvu=JuyCSLZ7= z#?FC5Lb5GcuHdQoUHYNun%jn%J*D~bHw+t2);YQO(v)`GZfIwWqpLc}5~$AgnXB%ThJ zZ^4&Hn$lGg+*rs$pfFGa0k&6e{EUeA)^F_fKL2CpAXEu%qk~3B0>!zpa@?}j>E2+c zDPw~{K4aUvV27!UROcAe(ZqE4%YHQ>!EEOoi<;$${>&m-3fOHLbfeDz64KWSYt|`$ z3S=U=W9HkACI6hG=(a-VnJYXgo!jRGnZaDLPKBe!{LcCSE+>|2KnqNYHoUfHU)wbD z$gupB>dUO3qPTb_6(jfcSE4HL^U)`9+vpo%qE|tDjm)AM)7qjRx>!S)K`So>a@0lH zz5lfnn&-fP-rW_tqXfmoW5k@jjia;`@J9bKdO;da=lACVcu#4nLE1KU4kCduGF(Fl z!QPK6&+eU8|E~bafSdELVgTfT?$_2VL*iF@by;K=411*Jv3`)ED7NS7ZIOZv2&!$g zr~OH{#c1u?%;Nwkw*d5iP;{1YO}||j-$n}x8&ZFywgDnBLMa&_lA{z9P`X7x1VL)R zKollDT4G45bcd8kql^>=(p}Oq^4arZueMkF+`r#_&bhAZd(PJ`o~oW%oyCzWQ`a#; zNJojQLYG=W$>y=cW`7?K@bUVF{(RwvZII`A12q?;yJ*zft&ym$bTGfy<+>-h6@9|_ zaH>iCLrp+K5NTy0bC83uKf)dzp(LRveH>M?qA?}4;F}v^Hn?Wna;|XPUTKdHH;$)A zZclSuL?zw;8$z~OZPXe~ryp)}r}V588Enu){`mOn30S zP-|K?1N9MNyGOa@{Xw_;5?uw2%B#<(3|=NY{{eV6Rn=Kv18NjkG+~%O12^?QoRFF|)<@mcqJzho zL8P;}=TN005?WSo-s_m##Q$2pmP%Qt(Ta)=e@f?p6SFH^?9I1ONpjJyo9H%D`jhXR zbQ754d>C;c$1qRDWJY2bT#+yiJSL|ok0#56UF|k6rmqlzn$ra`z3bfxED`|9;2|TB 
zxF;}e-36Ey7#6JXRihijD=#&g2r$ZGC|e(fVS3pCth1eZjDOVz0F@XXCfb8ts#SoJ zRcus0!~Iw~oo^I4p!VX&8+^mmVlYdTvWz%=`nO>!lv~3!KcK0y$+I-Z?*SAY08dJK zr|cEmM%n~i#`QX*vE=K#f=4;mt7xVvR+U=}EZad}+^9NDT9qo8KHC^Rms1gse7MSl zIP849UZDB}YDR*|c%l!s5ZvmQdr=r(jZ-+5aG;xVc0yU}f|9isRK$;XjKz zbe4*7)&y#Q!iOQb-CZ*uZm4aham{*WQ)Z7*i9%3xjuu4#(wR2iF>d-zGy|Wa0C+Xr z`-9~+*Bo=)KKD9XoWW7xZq%c4@V0kDc-pbqtrsdCXOS+uyVDW;>)^W!;dHv=;c_U6 zTr4a%GW?!rvFBHrIMpuWb7syCrBkDZ_9yN}kt3`@#E-SzPlYYx#L6e!+R(W07iwjn zUN95l5CQEz(x-b=N`79x9Uqe$6yV7(`e1vH3N4my+k4d)YN;FCuro}ON~=qU0Mq1* z{nLgMC#*yF6(9VyN!-!)5ty&$x1y}+Q&-xBGH@Qf3$r%Z`u=yRq<}mHO1@7Ha-s>n zz|6D1D<$@v(L32?*N&jabn|cv>4vKlo~s2^^En>a9nDgrDCbFGN@aMoW?g6n&fSMY z4?=L^BT>CckIZ9KGsT3P?iz|!WC+F;BG>YCYuZ;UAQBUm=GyDpP~8zL}m+&1^7c!Z^Lm1aRm@< zx-g4pD&Itfz9z@+ea2&pCHGi9-{Dv;6mzf8O2OH+qi|0v)Eb5o6X7|vHenC0XCQL;s7YCDf|q4hnI?pE|*s=ICb+t)fD?0jQK(c ziAA((a=j+cI`6cjnxyA)@bUoa1mF|pRC%jEBEHJk2Pl>?_d@9(!A~iIy4iO)Bq*Rj z14UGBANxTu23V^s0-%oteWgsXr?DfwFqYxY@*4)B!S`%hhG!I4Bfm~70-RgfwXQwd zu*JJ{8vMt}M01dckrj7)`mU)Quxk_w1)-sArvn@W#Wg03CWJFYMV~1J9jOJC)9hQo z@B9>&`#hH1!ji8^ji+Us>kHGJY!2T|h-RECCwNBV-MZ#wt220b8UpV-1f8!E%^7X? 
z9z2Jtp(ok0|M)t2BcXxk(A1LDh0nE&3+%&k`@_l8)vqn5gfGn*yB1|v$CodL1T)SS z0`vD>?q<6Gb!+e02M_M0ul04dU?~U=gnM%v9L`=5`pj(TCbsE&gzA;psL~qw-9TUO zg!3lbiSt`*$m~UP)pT;%|9D%p$=m2w8Ga(%%L$}W=;MxR zfyDMwO(Q?oW`Vqq?z)=Tu;SQVW+|B6{1V7F zxCxxRya?JN!#gY$rY`<@TlOShDFN0}+O_UW=EFB@sew{QnU^H~xNjSYJbb8gjrKKgsbk!P_>9%7B$FhFoA@UJ-LLG`jb zFw)_-vDb2N{S>oCAW^QRsYUc?>_yNN3cHKN>=IxGTpr& z@%q`;y0>LFoA0d3FU?%~R!s~uKQE}8(gG0MdQFmwlImrwq+LYNEcMAQ@dnq7GBYPH z)eE4$a{O*hdxU5!IDKd|^u2)SZ)C|7>3^|L@0Zk|UiP3@-dA8r=<8^?Z~7FvuVM*-U#ReQnI_ zk7z%+Cv=1v{cfkb=%A6%MDxvKWns}m9RlT=49v+N^>xKkW!ITqb{Re!d<>X}nL>yV zN0{||G5g;|lXmS$Bjb+?Hr|S;#X>E)@)le(Iyhml=l&iwvSlyI3>M_NKMXftuU`6@ zx>B|D$KwU*X_JEXYTxkE(Zt#!sqDu`VQLbpP0-ZrVH+ym^LK;fFXMoDHJ_Uw@(fpU zuBUAT{XZ1#8Fv5g+`&ng(&ZiDlZaxa{@pg6HVe4o1DCYLjjMC~)tl4bGv~kKubz*TZ2jO6SRoFW%675oph799w0ox7(`)?PhH z-?z8JkzXV$S_nOl%u8tM;)cR56!)x!TZl>ZOFudIa&|zZmo>$jWeEB!O4YH<*2sHs z10yu)vi#d$q8_}}N6>2IzmyTcyO4grZ3c_r^d((a;t+m4@5`Jtno;s`WfM|zV0mbq z7KUGZ3kMaNyGJ1;H?%7xCjfb&8tE!9xwXzVl&6FGiw&J#5v64VQPUoLr^I|FK+gU$ zfj3Hd6?fLZrOdno-gNLvyBMX`gW4;9G~nbNq(%Y$pV{@_VP(qe zFJ%$A_|$ac3D7=RxGfpr5PDtQ_F)aJGTXo~HRak#-mp3*68LBjc#hHV<7Ew}Gyx7{ z?(lx}+%*K@P?)29DoU8idTY6&vcxRI2;{BpKHmgz%SaGv(m4<&I?GT-v5G#pC(UI| zvquL3o@m?|UyJ-2BM(xJ<-p+G;9o}5x~Wwp=;)z2MbWp^Dxj>IEFm|aS+5ZC&7CYy zEBV+N=jmUcolDQw$r;mEP5>S!?r>lE!25;7bcB;W)saWB*4-KwQe_=w+xNs zb!~=}LGs=3Jm2EiH{jzCe4Hqr^W$V(vA{2=Blzy+dHa>XB$K3c-uVD!#`$Lv%U|b) z{i$%B{!h%2;h!1>c!qj{)|YbKx6I(lK^d60GK&b89l|DXE%oDPzM$c3A;h`P21t*_>!5sQBV zFUEob_|0ltF1Cyz%Sx^f+hPT-T9VUpqV3E-yof^==$zSi4;<7-ZXRl{0ROJP!jc_w zf^m7ssVEfU5BURId!He>Ur)LDlz6 ziSR*HEkUzg*t)Ou$mrU52uV7Y{@%1?1{^h>0C9n9LtI(!A~PCP%~g`>(zG&EBUP(Pir$)&Zc;0M znO;wx@jqk(EA6~1dQNKG>1B9LNzV(E#@w(9EtUrARRuG*lBe=UC)A+{o&a!b&U7yu z(@k+uLKR(GUQ{^H24DmV1v)4{uUrJmzP+Tq8Io6gO4V^ZXEk;t$-FcPo);sZ;p%$1I>6r@XJttcv zKx>KJ96SMlBh3&=n^qbp@ytN*HNOBRKrU74fN@JVGwAbFZ?rtl00|1VTjg9Ev~=P@ z{}*BLRVh38?rOxqPL7+G2$Z#FZtR51xrd8uDG+V8=Ee{HwP0!mlDVG7GwqX)BoD z&EYj?GjGT$N0TG5QoT!krT+8E0&)lK*W5@y4Q}tfR9JCoVl4g;XA}c2GHPmkx8Bq; 
zZM^Nxf4`}R*>(FBCAnwT8(1p5>q}0f+C=!oTm02RG^c!VQXzY!UzKY#ETh;sGh~g? zmH*}c7VC6MTZABVpRaN5eoVj)USv9J*R*?NXNHrc{v=b7Jsl`lXiGQ02Yp;v?}H_7 zsJ_tB-TE?ge!~8uN__>Iquc=Jnkg!{BIro?i&)VQrufq{P35iARvq@HYVNZpd*eu` z4DqM6R^9cZv=et5RNc+Y>ztKW)h$Q88$tIE6AI4TpMH34PgSJPJh>BIAG;qiZINr# zdj6%q<1A|CBr4I9wE1W)sIQsqqOSbN`A)W8BH)#evz83H7cSeAIpbTg(!#Z^o<~!C z8r6;7LBN{CWuWo0=5T++<_Niu_#!48|9Y#30X5m`2{UMgg^wL+l*N71D#}kU5Cj+Y zX|}(F6oI@CiDGpGE2Vg4EMEXzm^=^Gs6t6rYlTK?>OpXRx!Uun(u8)DhbPX2vdB(@ zZ4P&9BS$gbNh?V&TdjL_#8|Q#K98$>N>!hF4zQ<>&hwVzsyW~!Q_Mh%nr+u5iX#qjF`)Z%~eC8_8wqs|0n z{?~<+3c&`v2?zjL){_zCWdke?f1?-_&}43Xso)hbLOkKXN9%Hm8`FG<%D@NgR5D_2 zJ^R9wZNn4nWp9<90U(|Oyu55-)SWp}+@RQ)=5xSRd$|yp8r~K-0(%Vpuc2F?@*z@E zMT3b&_2*?I=h`gK4;7yiwX)UChygjvvnSp+Hjk_oycWKY^$3a8zOl=L%8<_Gl&zSU zfcg*T&_uF5iCD0q-t{N&K!SVC%uL_Lg%G(h?M@coYL(6;^A|QV3I_ zMI(0`eZ&&B2>a>>_i9!q_6h$|mn}2Oo;nU6{qmP-bQBP;idx7}XWiqlN? zeynAw1${J4G-_<8&W&KF_^g6C`N-(mIUANB)WN3eE8m)gxD=sso>1#8Z4rW?TFy@Gl%aL}^j4 zo@r2#SXq@=y~Ha|(w`RY(%s7wbL_vR?eH%{uKt#Y8v)I;b`5shINhBk>~^h*{e0%m zqq?;U%E-_)t2SgLhxB{r>bZbCrPi>}iv#_u&EJ|vha?R-3zJLbu84NGR;abu#Qzyr z>C>xG)2p7}C#PQ3(_JPsDwXZZ8!IU_9{U;goBn9XtKdf&Lgjlh37MOuS6vMjsgy4# zn=MiqFRSgezlgz_T*hGg_OA8*`hVE2Ze7^hQ^!q6wd$k-ZxgA%lKn)kZWN|JqQ7Xg zeWS;*fy-0@x;3tn@3s?=ZTGZ{PK$3Ikl<2uF7E?{7Ym592fRAeKrG&2Y$P@mDlv zBx~8d(G|(K65*@03Z+UHqhq{SGo~x7I4hSxAIuQCcFq0!UO~!lfqkdMh@Aq8*U+cM zFM&#NB3aZDIWT2Lp4L0!?_ZNO24#-2&KL_$S{T5xa{hppg|}Os@yqUmc0flfuYV|g z>O;C2A$Kk6x-ssMJjgVLxRS*~} zTVBZAr5skInjQIme8+I5Ky_ehj_9vys>UAaCXnwluCHkY2supkSqANiLXdG3sphIO;YMe!lcR+^8m0 zPl)HlRZ^cTQ6JqxV*=CeQzFawO7z6PiL~_s%Mlm)^|1+>gqoqgEh9wK;Fu| zE@O@W((`-}tu^tqdBSe2#C{R&-8j5f;vMjN7;)Z)5NmhNyS`Cle&}aS64|BFYc&gx z$mLgM+hM%gVN9l(`>p?fX}SC_yk)y#tO4{Pltc*zKeS>hz1*8iQZ+Y%KK#ENK*vPf zC&nXZwoJ(KLNoG0G>(*I8KYxE&J}$j7gD|4KcL`za?CiSv)b;o-%85MU$SQ;fupg8 zY{cUrHNb&s@WRs(b9nsgI9Gq_eIcq#q8Ob{DmEK8KzN3<*Ake&7k`6jdOat;3XW)? 
z<@hQ#SKX!twE+ubD>!tq#*z;4Phe)h{ZIpI)df+j5iYtO%g0ogMZ2gr);%f_ULECN zc}Z%K7cjF6>R*mw-D6>w!!c&(B~0QNRUZD=z;@n8zu777t^;UWDH;LXo~;oTewP?V zu17yDTTVewx|1M)1^Q5+uI9}hhs22Mm>gMf9qZ;74Z zOu*^Q^`k+PIIx!@=04BRH6~mZ_lM8*4CvKFp(fYe7XIV0RIwj!p-yFW_vsH!y8 zNVYAHGl5-g_n-F9IPQ)axgB<$(CT&B+_II8?u=mHi+a5l-=A_g$kQX48MuE^o!Flk zv;TBVhUa3H)R5f&qb|DIHrFkP$LE5({*i3=iz-a{Do*Fgg+6sT;CG*_|QHW@yxUM zM7Tr6PolKv_9DtO@@~Ca)mj>5<$r&2Q^(EzM!TprpLEk7fQ#guj9&>MUNF}P0G4tA;BPfuerK|Oc;?R}{nWJ-dda-4n5&bR zWST9WqQyS9CV{nYRiF>(db&jLmyN_%%SD#(c*@^lbI&Ud@wR4gBzk4dP4$TTfHO|3 zEMN80k>^U!(bC^uxQSs6SwT1gb=cc$SM|q-7{Z-D&Mqnar*pc$OI9Qr#2&T^eEk&c zMLit>Z%fR@12bIS1waS3d#bc=fh8ey!e7a$%2QmtYVM*`e3GAmfi}DWk`;Q}UD{a- z-aP?vR7F7?BJ70tt*{LQ!zv=`S6r!sE=g;;_t+Gt