Once we deploy nodes, we'll want a way to update them as appropriate. The node configurator that has already been built operates along similar lines, but we'd need to do some tweaking in order to make it work on the mesh. Also, we'd want to give users the option to turn remote updates off. A somewhat decentralized system would be nice as well.
== Watchdog script ==
== QoS / bandwidth shaping ==
Goals: let node owners select how much bandwidth they share, and let them block forwarded traffic based on type. There's a paper regarding [http://www.scribd.com/doc/155501125/Layer-7-Classificarion-and-Policing-in-the-PfSense layer 7 traffic shaping] too.
'''Complete Distributions'''
These have firewall and network management tools included with the distribution.
* [https://www.pfsense.org/ pfSense] - a widely used firewall distribution, but there are most definitely difficulties with it.
* [http://www.zentyal.org/ Zentyal] - a firewall distribution with an easy-to-use graphical interface.
* [http://m0n0.ch/wall/ m0n0wall] - a lightweight firewall distribution meant for embedded systems.
'''Packages'''
These are tools often used in network management distributions.
* [http://www.netfilter.org/ netfilter/iptables] - a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
* [http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 iproute2] - a collection of utilities for controlling TCP/IP networking and traffic control.
* [http://l7-filter.clearfoundation.com/ l7-filter] (p2p filtering) - identifies packets based on application layer data and classifies them for use with a bandwidth shaper.
* [http://www.ipp2p.org/ ipp2p] (p2p filtering) - identifies peer-to-peer (P2P) data in IP traffic.
* [http://suricata-ids.org/ Suricata] - a high performance network [http://en.wikipedia.org/wiki/Network_intrusion_detection_system intrusion detection system] (IDS), [http://en.wikipedia.org/wiki/Intrusion_prevention_system intrusion prevention system] (IPS), and network security monitoring engine.
* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html ipfirewall] (ipfw) - a FreeBSD firewall that uses dummynet.
* [http://info.iet.unipi.it/~luigi/dummynet/ dummynet] - a FreeBSD traffic shaper and bandwidth manager.
* [http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2 ipfw-classifyd] - an application layer classifier for the ipfw firewall on FreeBSD.
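The two QoS goals above (an owner-chosen cap on shared bandwidth, and blocking forwarded traffic by type) can be expressed directly with the netfilter/iptables and iproute2 tools listed. The script below is an added example, not code from the sudomesh firmware; the interface names mesh0 and eth0, the fwmark 42, and the sample policy values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the sudomesh firmware: generate the
# netfilter/iproute2 rules that (1) cap the bandwidth a node owner shares
# with traffic forwarded from the mesh and (2) block forwarded traffic by
# type. Assumed names: mesh interface mesh0, uplink eth0, fwmark 42.
# DRY_RUN=1 (default) prints the commands so they can be reviewed first.

DRY_RUN="${DRY_RUN:-1}"
MESH_IF="${MESH_IF:-mesh0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
MESH_MARK=42   # fwmark tagging packets the node forwards from the mesh

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# shape_shared_bandwidth RATE_KBIT
# Mesh-forwarded packets are marked in the mangle table; an HTB class on the
# uplink limits only marked traffic to RATE_KBIT, while the owner's own
# traffic falls through to the unshaped default class 1:1.
shape_shared_bandwidth() {
    rate="$1"
    case "$rate" in
        ''|*[!0-9]*) echo "rate must be an integer in kbit" >&2; return 1 ;;
    esac
    run iptables -t mangle -A FORWARD -i "$MESH_IF" -o "$UPLINK_IF" \
        -j MARK --set-mark "$MESH_MARK"
    run tc qdisc replace dev "$UPLINK_IF" root handle 1: htb default 1
    run tc class replace dev "$UPLINK_IF" parent 1: classid 1:1 htb rate 1000mbit
    run tc class replace dev "$UPLINK_IF" parent 1: classid 1:10 htb \
        rate "${rate}kbit" ceil "${rate}kbit"
    run tc filter replace dev "$UPLINK_IF" parent 1: protocol ip prio 1 \
        handle "$MESH_MARK" fw flowid 1:10
}

# block_forwarded PROTO PORT
# Drops one traffic type the mesh would otherwise relay through this node's
# uplink; traffic originating on the node itself is not affected.
block_forwarded() {
    proto="$1"; port="$2"
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    run iptables -A FORWARD -i "$MESH_IF" -o "$UPLINK_IF" \
        -p "$proto" --dport "$port" -j DROP
}

# Example policy: share 2048 kbit/s and refuse to relay SMTP (tcp/25).
if [ "${1:-}" = "apply" ]; then
    shape_shared_bandwidth 2048 && block_forwarded tcp 25
fi
```

Run with `DRY_RUN=0 sh shape.sh apply` as root on the node to install the rules; without arguments the functions only print what they would do.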
== Virtual Private Network (VPN) ==
The firmware should tunnel all internet traffic from the mesh through a VPN server, unless this feature is specifically disabled. This should not be a single server, as that would be a single point of failure.
* [https://github.com/sudomesh/tunneldigger TunnelDigger] - a lightweight tunneling client/server.
* [https://github.com/heyaaron/openmesher OpenMesher] - another option, but not ideal because of memory constraints on embedded systems.
Here is our [[Mesh/Network_topology|Network Topology]].
== Mesh VPN ==