Example Customized Qos - Forum.Ipfire.Org 1/13/21, 8:36 PM


forum.ipfire.org, The old IPFire Forum Archive
Example Customized QoS (20 posts, page 1 of 2)

Example Customized QoS
by bloater99 » May 18th, 2015, 7:05 pm

Now that I have a well-running QoS system in place for a while, I am posting my customized QoS in case it can help anyone. I thought of adding it to the wiki, but I don't know if the devs want customized examples or if they prefer examples stick to the default Preset.

Some notes:

- We have a 10/2 Mbps cable connection. I dropped maximum rates by 5% (9.5/1.9 Mbps) within the classes to help prevent modem buffers from bloating. Thanks to N0man for his posts on buffer bloat.
- I had to delete/recreate many of the classes because you cannot edit a Class to change its priority.
- When you delete/create Classes, the QoS graph will often break. Don't worry. Give it a minute and refresh the page and it will start working again.
- Because the QoS graph uses consistent colors in sequential order, having the outbound and inbound classes line up by class # makes the colors match up in the graphs. Example: Web class is red on both outbound and inbound graphs; Email class is grey in both outbound and inbound graphs. I had to add a class (Ping) to Inbound in order to make this happen. By default, there is one fewer class in inbound than in outbound.
- In my network, Web gets higher priority than VPN (the default presets are opposite).
- I monitored maximal transfer rates in the Ping, DNS/RTP, and VPN inbound classes for a week and adjusted my guaranteed rates according to the observed maximal rates, so they were guaranteed at least the highest rate I observed. For example, Class 101 never got higher than 70.6 KB/sec (565 kbps) and typically was much lower (about half that), so I guaranteed 500 kbps and capped the Max to 700 kbps.
- There is conflicting info about whether mail ports ever use UDP protocol or not, so I just threw UDP equivalents of all rules in to make sure I covered all bases.
- Class 111/211 (Misc) consists of layer7 protocols that are discouraged on my network. I am unaware that they are even in use, but I set this class up just to observe if any of these protocols are detected, with intentionally low bandwidth restrictions in case anyone is trying to use them.

Attachment: ipfire.qos-1.pdf (759.89 KiB), downloaded 3777 times

Re: Example Customized QoS
by furryfennec » May 23rd, 2015, 7:17 pm

Just wanted to say thanks for this! I'm sure it will help folks out trying to understand the basics of QoS in IPFire. Very clear and concise presentation.

Re: Example Customized QoS
by dnl » September 18th, 2015, 12:05 pm

Hey bloater99, thanks for this! I've been investigating QoS for my network but do not seem to have any defaults, despite defaults being mentioned in the wiki page.

Would you please be able to post a copy of the text files in the /var/ipfire/qos directory? These files mean that others can copy your configuration without having to enter it all manually:

- classes
- subclasses
- tosconfig
- portconfig
- level7config

I like how you've aligned all the protocols. If you're comfortable working in a shell, it is easier to fix the order of things directly in the files.

Thanks!

IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

Re: Example Customized QoS
by bloater99 » September 18th, 2015, 1:02 pm

dnl, I'll try to get those text files posted today. If not, then early next week. Of course since I posted this, I've tweaked QoS a bit more, so my current settings don't match my original post. I do know I removed Class 111/211 because I was getting strange results on the QoS graph. I'd get massive, impossible jumps in bandwidth (like 500 MB/sec on a 100 Mbit network with 10 Mbit internet) that seemed to go away when I removed 111/211. And these bandwidth jumps would only show on the QoS graph, not on the network graphs at Status->Network.

I also increased the guaranteed bandwidth on some of the lowest set classes to 100 kbps because of kernel complaints (HTB: quantum of class 20202 is small. Consider r2q change.) I decided as long as my guaranteed bandwidths for all classes totaled less than my total bandwidth, it wouldn't hurt to bump these up a little bit and stop the kernel complaints.

When I get the text files, I'll also post an updated PDF.

Re: Example Customized QoS
by bloater99 » September 18th, 2015, 7:18 pm

While going through the text files, I noticed something strange. In the 'settings' file there are two values:

    DEF_INC_SPD=9000
    DEF_OUT_SPD=1800

These values do not match anything I have set through the GUI. I am guessing these are the speeds for class 210/110. But my speeds for these classes are 9500 and 1900. Anyone know what's going on?

Rather than attaching text files, I will paste the text here, as I wanted to go through and edit out some private ports.

classes

    imq0;200;1;100;100;;;8;Ping;
    imq0;202;2;100;1000;;;8;DNS/RTP;
    imq0;203;3;3000;9500;;;8;Web;
    imq0;204;4;100;7500;;;2;VPN;
    imq0;205;5;2000;9500;;;2;Email;
    imq0;210;6;100;9500;;;0;Default;
    red0;101;1;500;1000;;;8;Ping;
    red0;102;2;100;1000;;;8;DNS/RTP;
    red0;103;3;500;1900;;;8;Web;
    red0;104;4;500;1900;;;2;VPN;
    red0;105;5;200;1900;;;2;Email;
    red0;110;6;100;1900;;;0;Default;

subclasses is empty...

tosconfig is empty...

portconfig

    120;red0;udp;;465;;;
    120;red0;udp;;587;;;
    120;red0;udp;;;;25;
    200;imq0;icmp;;;;;
    202;imq0;tcp;;53;;;
    202;imq0;udp;;53;;;
    203;imq0;tcp;;443;;;
    203;imq0;tcp;;80;;;
    220;imq0;tcp;;110;;;
    220;imq0;tcp;;993;;;
    220;imq0;tcp;;995;;;
    220;imq0;tcp;;;;110;
    220;imq0;tcp;;;;993;
    220;imq0;tcp;;;;995;
    220;imq0;udp;;110;;;
    220;imq0;udp;;993;;;
    220;imq0;udp;;995;;;
    220;imq0;udp;;;;110;
    220;imq0;udp;;;;993;
    220;imq0;udp;;;;995;
    204;imq0;esp;;;;;
    204;imq0;tcp;;1194;;;
    204;imq0;tcp;;;;1194;
    204;imq0;udp;;1194;;;
    204;imq0;udp;;;;1194;
    204;imq0;udp;;4500;;4500;
    204;imq0;udp;;500;;500;
    205;imq0;tcp;;110;;;
    205;imq0;tcp;;993;;;
    205;imq0;tcp;;995;;;
    205;imq0;tcp;;;;110;
    205;imq0;tcp;;;;993;
    205;imq0;tcp;;;;995;
    205;imq0;udp;;110;;;
    205;imq0;udp;;993;;;
    205;imq0;udp;;995;;;
    205;imq0;udp;;;;110;
    205;imq0;udp;;;;993;
    205;imq0;udp;;;;995;

level7config

    102;red0;dns;;;
    102;red0;rtp;;;
    102;red0;skypetoskype;;;
    103;red0;http;;;
    103;red0;ssl;;;
    104;red0;rdp;;;
    104;red0;ssh;;;
    104;red0;vnc;;;
    105;red0;imap;;;
    105;red0;smtp;;;
    202;imq0;dns;;;
    202;imq0;rtp;;;
    202;imq0;skypetoskype;;;
    203;imq0;http;;;
    203;imq0;ssl;;;
    204;imq0;rdp;;;
    204;imq0;ssh;;;
    204;imq0;vnc;;;
    205;imq0;imap;;;
    205;imq0;pop3;;;

And lastly, a fresh PDF of the GUI page.

Attachment: ipfire.qos.091815.pdf (486.46 KiB), downloaded 1136 times

Re: Example Customized QoS
by dnl » September 19th, 2015, 10:38 am

Thanks! That's the information I was after! Thank you also for the tip about the kernel error; I'm seeing those also.

I also have DEF_INC_SPD and DEF_OUT_SPD defined, and they are both 90% of the value of my Downlink and Uplink speeds. I guess they're calculated, but I'm not sure what the purpose is for.

As an aside, I wonder if using level 7 filters is more CPU intensive than just using port filters?

Re: Example Customized QoS
by bloater99 » September 19th, 2015, 9:53 pm

Glad I could help! Yes, I noticed those two DEF_ lines were calculated at 90% of bandwidth limit too. I'm not sure what their purpose is either...

I've read that level7 filters ARE more CPU intensive, but if they are, it's still low on my network. I rarely see the CPU climb over 10% during the busiest times of day.

Cheers!

Wiki update & a home-specific class definition
by dnl » September 23rd, 2015, 1:43 am

FYI: I've edited the QoS page in the wiki. It should be still technically accurate, but is now less confusing for a beginner. I removed the unhelpful DSL-specific table. People need to calculate their own bandwidth and not rely on the bandwidth their ISP reports. Can you quickly review the page and let me know if you think anything is incorrect?

Also, I've been using your example but changed the order around. Here's a skeleton of the parent classes I'm thinking of switching to for a home connection.
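As an added example (my own code, not IPFire's and not anything the posters ran), here is a small Python checker that parses the config files quoted in the thread and tests the things the posts worry about: whether the guaranteed rates on each device add up to less than the link rate, whether any port or layer-7 rule points at a class the classes file does not define, whether any class has no rule that could ever select it, which classes would trigger the "HTB: quantum of class ... is small" warning for a given r2q, and whether the inbound and outbound class lists line up so the graph colours match. The column layout in the docstring is my reading of IPFire's qos.cgi and is not stated in the thread; the HTB default r2q of 10 and the 1000-byte quantum floor are the kernel's defaults; and pairing classes in priority order per device is an assumption about how the graph assigns colours. The sample data is bloater99's posted classes file plus a subset of his port and layer-7 rules, embedded inline so the script runs offline.

```python
"""Sanity checks for the IPFire QoS files quoted in the thread (added example).

Assumed column layout (my reading of IPFire's qos.cgi, not stated on the page):
  classes       device;class;priority;min_kbit;max_kbit;burst;cburst;tos;name;
  portconfig    class;device;protocol;src_ip;src_port;dst_ip;dst_port;
  level7config  class;device;protocol;;;
"""
from collections import defaultdict

# Constructed sample: the posted classes file, plus a subset of the posted rules.
CLASSES = """\
imq0;200;1;100;100;;;8;Ping;
imq0;202;2;100;1000;;;8;DNS/RTP;
imq0;203;3;3000;9500;;;8;Web;
imq0;204;4;100;7500;;;2;VPN;
imq0;205;5;2000;9500;;;2;Email;
imq0;210;6;100;9500;;;0;Default;
red0;101;1;500;1000;;;8;Ping;
red0;102;2;100;1000;;;8;DNS/RTP;
red0;103;3;500;1900;;;8;Web;
red0;104;4;500;1900;;;2;VPN;
red0;105;5;200;1900;;;2;Email;
red0;110;6;100;1900;;;0;Default;
"""
PORTCONFIG = """\
120;red0;udp;;465;;;
200;imq0;icmp;;;;;
202;imq0;tcp;;53;;;
203;imq0;tcp;;443;;;
220;imq0;tcp;;;;110;
204;imq0;udp;;500;;500;
205;imq0;tcp;;;;995;
"""
LEVEL7CONFIG = """\
102;red0;dns;;;
103;red0;http;;;
104;red0;ssh;;;
105;red0;imap;;;
202;imq0;dns;;;
203;imq0;http;;;
204;imq0;ssh;;;
205;imq0;imap;;;
"""

LINK_KBIT = {"imq0": 9500, "red0": 1900}  # poster's 95 % of a 10/2 Mbit line
R2Q = 10            # HTB default rate-to-quantum divisor (kernel default)
QUANTUM_MIN = 1000  # bytes; below this HTB logs "quantum of class ... is small"


def _rows(text):
    return [line.split(";") for line in text.splitlines() if line.strip()]


def parse_classes(text):
    return [{"dev": f[0], "cls": int(f[1]), "prio": int(f[2]),
             "min": int(f[3]), "max": int(f[4]), "name": f[8]} for f in _rows(text)]


def parse_rules(text):
    """Works for portconfig and level7config: both begin class;device;protocol."""
    return [{"cls": int(f[0]), "dev": f[1], "proto": f[2]} for f in _rows(text)]


def guaranteed_totals(classes):
    """Sum of guaranteed (min) rates per device, in kbit/s."""
    totals = defaultdict(int)
    for c in classes:
        totals[c["dev"]] += c["min"]
    return dict(totals)


def headroom(classes, link=LINK_KBIT):
    """Link rate minus guaranteed total; 0 or negative means nothing is left to share."""
    return {dev: link[dev] - total for dev, total in guaranteed_totals(classes).items()}


def orphan_rules(classes, rules):
    """Rules whose (class, device) pair has no entry in the classes file."""
    defined = {(c["cls"], c["dev"]) for c in classes}
    return sorted({(r["cls"], r["dev"]) for r in rules} - defined)


def unreferenced_classes(classes, rules, ignore_names=("Default",)):
    """Classes no rule selects; the Default class legitimately has none."""
    used = {(r["cls"], r["dev"]) for r in rules}
    return sorted((c["cls"], c["dev"]) for c in classes
                  if (c["cls"], c["dev"]) not in used and c["name"] not in ignore_names)


def htb_quantum(min_kbit, r2q=R2Q):
    """HTB sets quantum = guaranteed rate in bytes per second / r2q."""
    return min_kbit * 1000 // 8 // r2q


def small_quantum_classes(classes, r2q=R2Q):
    """Classes that would produce the 'quantum ... is small' kernel warning."""
    return sorted((c["cls"], c["dev"]) for c in classes
                  if htb_quantum(c["min"], r2q) < QUANTUM_MIN)


def misaligned_pairs(classes):
    """Inbound/outbound names that differ at the same priority position (assumed colour order)."""
    names = defaultdict(list)
    for c in sorted(classes, key=lambda c: c["prio"]):
        names[c["dev"]].append(c["name"])
    return [(i, a, b) for i, (a, b) in enumerate(zip(names["imq0"], names["red0"]), 1) if a != b]


if __name__ == "__main__":
    cls = parse_classes(CLASSES)
    rules = parse_rules(PORTCONFIG) + parse_rules(LEVEL7CONFIG)
    print("guaranteed kbit/s per device:", guaranteed_totals(cls))
    print("headroom kbit/s:", headroom(cls))
    print("rules for undefined classes:", orphan_rules(cls, rules))
    print("classes no rule selects:", unreferenced_classes(cls, rules))
    print("quantum warnings at r2q=10:", small_quantum_classes(cls))
    print("misaligned inbound/outbound pairs:", misaligned_pairs(cls))
```

Run as a script it prints one line per check. On the posted lines it reports that the red0 guaranteed rates add up to exactly the 1900 kbit/s ceiling (zero headroom), that the rules for classes 120 (red0) and 220 (imq0) reference classes the posted classes file does not define, and that outbound class 101 (Ping) has no port or layer-7 rule that could ever select it; with every guaranteed rate at or above 100 kbit/s the quantum check only fires if r2q is raised above the default.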