@ -21,46 +21,127 @@ What is the network doing?
\item Aguri
\end{itemize}

%
% Authentication

\section{Authentication}
Two-factor authentication using TOTP.

%
% Hardware

\section{Firewall Hardware Overview}
Hardware.

\begin{itemize}
\item OPNsense is based on FreeBSD \\ \url{https://opnsense.org/}
\\ \url{https://wiki.opnsense.org/index.html}
\item Iris FW1100 datasheet \\ \url{https://www.supermicro.com/products/system/1U/1018/SYS-1018D-FRN8T.cfm}
\end{itemize}

The Supermicro SuperServer 1018D-FRN8T is a 1U server with front I/O.
That means that both the rear I/O ports as well as the I/O expansion
ports are found along the front side of the rack. In many cases this
is a desirable configuration as it can make cabling very simple.

\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T Front}
\label{fig:supermicroSSfront}
\end{figure}

The rear of the unit has a redundant 400W power supply. Rated at 80
Plus Platinum the power supplies are efficient as well. The remainder
of the rear is simply a bezel for fans.

\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-rear.png}
\caption{Supermicro SuperServer 1018D-FRN8T Rear}
\label{fig:supermicroSSrear}
\end{figure}

The onboard I/O is plentiful. There are two USB 3.0 ports along with
a VGA port for KVM carts. Above the USB ports there is a RJ-45
Ethernet port for out-0f-band management that can be directly
connected to a dedicated management network.
%-------------------
Furthermore there are
six 1GbE ports connected to two Intel i210-at controllers and an
Intel i350-am4 controller. The two SFP+ ports are controlled by the
Xeon D’s Intel X552 NIC. For firewalls and other appliances, this is
a very strong configuration.

\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/iris-fw1100-front.png}
\caption{Supermicro SuperServer 1018D-FRN8T interfaces}
\label{fig:supermicroSSinterfaces}
\end{figure}

Inside the system we see a redundant set of fans near the PSU bezel
and a very small motherboard inside. One can see our two stacks of
Seagate Enterprise Capacity V3 1TB 7200rpm drives as well. We removed
the PCIe riser and the airflow shroud from this picture to show off
the internals better.

\begin{figure}[!ht]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]
{sf-fw/ss-noshroud.png}
\caption{Supermicro SuperServer 1018D-FRN8T Internal no shroud}
\label{fig:supermicroSSnoshroud}
\end{figure}

\subsection{Remote Management}

Supermicro’s IPMI and KVM-over-IP enables deployment flexibility.
One can do remote power up, power down, and reset of the server in
the event that it becomes unresponsive.

\begin{itemize}
\item fan speeds, chassis intrusion sensors, thermal sensors,
and etc. can be monitored remotely
\item remote power control. One can do remote power up, power
down, and reset of the server in the event that it becomes
unresponsive.
\item alerts can be setup to notify the admins of issues.
\item remotely mount CD images and floppy images to the machine
over the dedicated management Ethernet controller. This keeps
maintenance traffic off of the primary Intel NICs.
At the same time it removes the need for an optical disk to
be connected to the Supermicro motherboard.
\end{itemize}

Supermicro’s BIOS has a feature: the BMC IP address shows
up on the post screen!
If you have a KVM cart hooked up to the system, it gives an
indicator of which machine one is connected to during post.

Supermicro does include KVM-over-IP functionality with the motherboard.

\newpage
\section{Alternatives Firewalls Hardware Overview}
Some resellers:
\begin{itemize}
\item \url{https://www.deciso.com/}
\item \url{https://www.pfwhardware.com/}
\item \url{https://www.osnet.eu/}
\end{itemize}

\begin{itemize}
\item (8) 1 gig ethernet ports
Connects to (1) 100M ethernet upstream fiber optic
Connects to (1) 100M ethernet upstream wifi
Various LAN
\item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5'' drive bays
\item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover
\end{itemize}

%
\section{IP-tables Firewall}
% Firewall
\subsection{Overview}
\section{Overview}
Most servers and workstations run GNU/Linux, which uses iptables.


\section{iptables}
\subsection{iptables}
iptables is part of the Netfilter project and has been included by default in
the Linux kernel for many years.
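Review bot: the Remote Management subsection lists what IPMI and KVM-over-IP expose (power control, sensor readout, virtual media, and a BMC IP address printed on the POST screen) but never states that the BMC port is to be connected only to the dedicated management network named in the onboard I/O paragraph; add one sentence there so the isolated management network is a documented requirement rather than a possibility. Smaller points in the same hunk: "\section{Authentication}" and "\section{Firewall Hardware Overview}" are left as one-line placeholders ("Two-factor authentication using TOTP." and "Hardware."); the interfaces figure includes "sf-fw/iris-fw1100-front.png" under a Supermicro caption, so confirm the file matches the caption; "height=1.10\textheight" permits a figure taller than the text area; "~" in "Total ~8GHz CPU" and "~8-16 gigs RAM" renders as a non-breaking space, so use "\textasciitilde" or "$\sim$"; the remote power-control sentence appears both in the paragraph and in the list item; and the typos "out-0f-band", "How swap?" (Hot swap?), "and etc." and the title "Alternatives Firewalls Hardware Overview" (Alternative Firewall Hardware Overview) should be fixed.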
@ -70,7 +151,7 @@ the Linux kernel for many years.
\label{fig:www-netfilter}
\end{figure}

\section{Requirements}
\subsection{Requirements}
There are a lot of operating systems to consider to use as a firewall...

Notes on some requirements in a firewall.
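Review bot: demoting "\section{Requirements}" to "\subsection{Requirements}" is consistent with the new "\section{IP-tables Firewall}" parent introduced in the first hunk, but since this hunk only touches the heading, check that every "\ref" or "\nameref" to this section still points at the intended level after renumbering, and that the sentence left hanging with "..." ("There are a lot of operating systems to consider to use as a firewall...") is either completed with the candidates considered or removed.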
@ -106,8 +187,8 @@ Notes on some requirements in a firewall.
\end{itemize}


\section{Firewall Operating Systems in Use}
\subsection{Firewall Operating Systems in Use}
\subsection{Debian}
\Large{Debian}

\href{https://www.debian.org/}{Debian}
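Review bot: with both "Firewall Operating Systems in Use" and "Debian" at \subsection level, Debian becomes a sibling of the heading it belongs under rather than a child; make it "\subsubsection{Debian}". Replacing "\Large{Debian}" with a real heading is the right change, since \Large is a declaration and "\Large{Debian}" only sets the word in a group without producing a heading or a table-of-contents entry.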
@ -122,7 +203,7 @@ Linux's iptables is used on servers.
\label{fig:www-debian-in-firewalls-chapter}
\end{figure}

\subsection{Proxmox setups iptables-firewall}
\Large{Proxmox setups iptables-firewall}
During Proxmox installation on the nodes, firewall is being confugured.
Some of nodes configurations can be found in chapter Free software under
path apps/forksand-nodes-bootstrap/...
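Review bot: same level problem as the Debian hunk: "\subsection{Proxmox setups iptables-firewall}" sits beside, not under, "Firewall Operating Systems in Use", so it should be "\subsubsection", and the title reads better as "Proxmox sets up an iptables firewall". In the unchanged context lines, "confugured" should be "configured", "Some of nodes configurations" should be "Some of the node configurations", and the elided path "apps/forksand-nodes-bootstrap/..." should name the actual files if the reader is expected to find them.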