Difference between revisions of "Mesh/Firmware"

1,151 bytes added ,  18:05, 5 July 2014
added firewall software and other details
(→‎QoS / bandwidth shaping: added details about filtering)
(added firewall software and other details)
Line 153: Line 153:


Once we deploy nodes, we'll want a way to update them as appropriate. The already built node configurator operates along similar lines, but we'd need to do some tweaking in order to make it work on the mesh. Also, we'd want to give the users the options to turn remote updates off. A somewhat decentralized system would be nice as well.
Once we deploy nodes, we'll want a way to update them as appropriate. The already built node configurator operates along similar lines, but we'd need to do some tweaking in order to make it work on the mesh. Also, we'd want to give the users the options to turn remote updates off. A somewhat decentralized system would be nice as well.
Status: Not yet


== Watchdog script ==
== Watchdog script ==
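Review bot: the only change in this hunk is the deletion of the "Status: Not yet" line under the remote-update paragraph, with nothing put in its place, so this section is now the only one without a "Status:" line while the QoS and VPN sections keep theirs. If the intent was to mark the work as started, replace the line (for example "Status: in progress") rather than drop it. While here, the paragraph covers who can push updates and how users opt out, but not how a node checks that an update is genuine before applying it; a sentence on that belongs next to the opt-out note.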
Line 172: Line 170:
== QoS / bandwidth shaping ==
== QoS / bandwidth shaping ==


To support letting node owners select how much bandwidth they share. Allow users to block forwarded traffic based on type. There's an paper regarding [http://www.scribd.com/doc/155501125/Layer-7-Classificarion-and-Policing-in-the-PfSense layer 7 traffic shaping] too.  
To support letting node owners select how much bandwidth they share. Allow users to block forwarded traffic based on type. There's an paper regarding [http://www.scribd.com/doc/155501125/Layer-7-Classificarion-and-Policing-in-the-PfSense layer 7 traffic shaping] too.


* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html ipfirewall] (ipfw) or [http://info.iet.unipi.it/~luigi/dummynet/ netdummy]
'''Complete Distributions'''
* [http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2 ipfw-classifyd] (used by pfSense)
* [http://l7-filter.clearfoundation.com/ l7-filter] (p2p filtering) -  identifies packets based on application layer data. It classifies packets to be used with a bandwidth shaper. 
* [http://www.ipp2p.org/ ipp2p] (p2p filtering) -  identifies peer-to-peer (P2P) data in IP traffic.


These have firewall and network management tools included with the distribution.


Status: [[User:Juul|Juul]] is hacking on. Consider this hacked!
* [https://www.pfsense.org/ pfSense] - a widely used firewall distribution, but there are most definitely difficulties with it.
* [http://www.zentyal.org/ Zentyal] - a firewall distribution with easy to use graphical interface.
* [http://m0n0.ch/wall/ m0n0wall] - a lightweight firewall distribution meant for embedded systems.  


== Internet VPN ==
'''Packages'''


The firmware should tunnel all Internet traffic from the mesh through a VPN server, unless this feature is specifically disabled.
These are tools often used in network management distributions.  


This should not be a single VPN server, as that would be a single point of failure.
* [http://www.netfilter.org/ netfilter/iptables] - a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
* [http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 iproute2] - a collection of utilities for controlling TCP / IP networking and traffic control.
* [http://l7-filter.clearfoundation.com/ l7-filter] (p2p filtering) -  identifies packets based on application layer data. It classifies packets to be used with a bandwidth shaper. 
* [http://www.ipp2p.org/ ipp2p] (p2p filtering) -  identifies peer-to-peer (P2P) data in IP traffic.
* [http://suricata-ids.org/ Suricata] -  a high performance network [http://en.wikipedia.org/wiki/Network_intrusion_detection_system intrusion detection system] (IDS), [http://en.wikipedia.org/wiki/Intrusion_prevention_system intrusion prevention system] (IPS), and network security monitoring engine.
* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html ipfirewall] (ipfw) - a freeBSD firewall that uses netdummy.
* [http://info.iet.unipi.it/~luigi/dummynet/ netdummy] - a freeBSD traffic shaper and bandwidth manager.
* [http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2 ipfw-classifyd] - an application layer classifier for ipfw firewall for freeBSD.  


I suggest to use [http://wlan-si.net/blog/2012/10/29/tunneldigger-the-new-vpn-solution/ TunnelDigger]. [[User:Mitar|Mitar]] ([[User talk:Mitar|talk]]) 21:50, 11 July 2013 (PDT)
== Virtual Private Network (VPN) ==


Another tunneling option: [https://github.com/heyaaron/openmesher OpenMesher] [[User:jwentwistle|jwentwistle]]
The firmware should tunnel all internet traffic from the mesh through a VPN server, unless this feature is specifically disabled. This should not be a single server, as that would be a single point of failure.


[[Mesh/Network_topology|Network Topology]]
[https://github.com/sudomesh/tunneldigger TunnelDigger] - a lightweight tunneling client/server.
[https://github.com/heyaaron/openmesher OpenMesher] - another option, but not ideal because of memory constraints on embedded systems.


Status: [[User:Juul|Juul]] is implementing.
Here is our [[Mesh/Network_topology|Network Topology]].  


== Mesh VPN ==
== Mesh VPN ==
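Review bot: the new "Packages" list calls the FreeBSD shaper "netdummy" in three entries ("a freeBSD firewall that uses netdummy", "netdummy - a freeBSD traffic shaper ...", and the link text in the old column), but every linked URL is http://info.iet.unipi.it/~luigi/dummynet/ and the project name is dummynet; correct the name so readers searching for the package find it. Two smaller points: the rewrite folds the two signed recommendations (Mitar's TunnelDigger suggestion dated 21:50, 11 July 2013 and jwentwistle's OpenMesher note) into unsigned bullets, which loses the attribution and the "memory constraints on embedded systems" caveat now has no author; consider keeping the signatures or moving them to the talk page. Finally, the unchanged context line "There's an paper regarding ... layer 7 traffic shaping" still reads "an paper" and should be "a paper".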