+ and users are notified by mail. So in all cases, the update is just
+ a simple click and your system is running safe again.
+ </p>
+ </section>
+
+ <div class="divider"></div>
+
+ <section id="dialup">
+ <h3 class="headline">{{ _("Dialup") }}</h3>
+
+ <p class="copy">
+ IPFire as an Internet Gateway is able to dialup through various techniques
+ to connect to the Internet.
+ </p>
+ <p class="copy">
+ It supports all popular types of broadband access, as well as mobile access:
+ </p>
+
+ <ul>
+ <li>
+ <strong>VDSL</strong><br>
+ VDSL is short for <em>Very High Data Rate Digital Subscriber Line</em> and
+ it currently offers bandwidth up to 50 Mbit/s downstream and 10 Mbit/s upstream.
+ VDSL brings the possibility of using new technologies such as IPTV. With IPFire, a conventional
+ router can be replaced by a full-fledged system that brings the IPTV stream into your own home network.
+ </li>
+ <li>
+ <strong>ADSL / SDSL</strong><br>
+ Conventional DSL is also supported, although it is technically
+ called also PPPoE or PPPoA. In some countries, the PPTP protocol is also widely used and it is also fully
+ supported by IPFire.
+ </li>
+ <li>
+ <strong>Ethernet</strong><br>
+ Over Ethernet, IPFire can also be connected to the Internet and obtain
+ an IP address either via DHCP or static configuration.
+ </li>
+ <li>
+ <strong>4G / 3G</strong><br>
+ Mobile broadband connections over USB modems, which are also known by the names
+ UMTS, 3G, CDMA, HSDPA or LTE are also supported by IPFire.
+ </li>
+ </ul>
+ </section>
+
+ <div class="divider"></div>
+
+ <section id="proxy">
+ <h3 class="headline">{{ _("Web proxy") }}</h3>
+
+ <p class="copy">
+ IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies use because of its diversity, stability and mature development. Even for small home networks, it
+ is a useful feature. In addition to the stateful paket inspection (SPI) filtering by the firewall on
+ the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analysed
+ and filtered as well.
+ </p>
+ <ul>
+ <li>
+ <strong>Security:</strong> The client does not query web servers directly, it queries the proxy first.
+ The server response goes back to the proxy and not to the client, which actually does not technically even appear on the
+ Internet. A related attack would therefore primarily reach the proxy and not the client. There are also
+ functions available for data privacy, which is an significant advantage in comparison to a pure NAT router.
+ </li>
+ <li>
+ <strong>Authentication:</strong> Using the access lists, the web proxy can also be configured to allow
+ access only after a user has been authenticated. At this point you have the choice between LDAP, identd,
+ Windows, Radius or local authentication methods. The web proxy can connect, for example to a
+ Microsoft Windows domain controller and only the users of that Windows domain can be granted access to the Internet.
+ </li>
+ <li>
+ <strong>Authorization:</strong> If the Internet access needs to be limited to specific time of a day,
+ or if it should be even completely disabled for any clients, is this easily configured by the
+ “network-based access control”, which can also be found on the IPFire web interface. A useful application for this feature can be for example, a school classroom.
+ </li>
+ <li>
+ <strong>Logging:</strong> Since each access can be logged over the proxy, possibilities for the
+ examination of the accessed content can be very useful, as well as statistics and bills can be issued afterwards.
+ Through the use of a logfile analyzer named Calamaris, log files can be charted by varying criteria
+ on the IPFire web interface.
+ </li>
+ <li>
+ <strong>Bandwidth management:</strong> The download management function allows for control of the bandwidth
+ to specified zones. Thus, content-based throttling (for example for binary files, CD images or
+ multimedia content) is configurable with bandwidth limitations for individual zones or for each host
+ SquidGuard is a URL filter add-on which is connected via the redirector mechanism of the proxy.
+ The heart of SquidGuard is something called a "blacklist." This is a content control list created by the official site. These lists contain a number of categorically-classified websites and can be kept up-to-date automatically. There are different, independent
+ sources for pre-built blacklists available, which allow among other classes filtering for adult
+ content, shopping, warez, social networking, or sites containing violent/abusive content.
+ </p>
+ <p class="copy">
+ Individual extensions for particular domains or URLs can be set up on the IPFire web interface for
+ blacklists and whitelists as well. IPFire also offers a black list editor, that makes the editing
+ and creating your own blacklists quite easy.
+ </p>
+ <p class="copy">
+ Possible areas of application for the SquidGuard on IPFire are:
+ </p>
+ <ul>
+ <li>
+ Block or restrict Internet content conditionally by time, user and/or computers.
+ </li>
+ <li>
+ Preventing access to certain (eg. youth-endangering) pages and content categories.
+ The Update Accelerator is a feature that can greatly accelerate deploying updates for operating systems.
+ All downloaded updates are cached and if requested another time, are delivered from the cache.
+ </p>
+ <p class="copy">
+ For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large amounts of computers (such as corporate networks).
+ The package manager Pakfire offers the addon SquidClamAV - a virus scanner for the web proxy. This checks in real-time all web traffic for viruses, utilizing the ClamAV virus definitions and scanning engine.
+ </p>
+ <p class="copy">
+ The additional protection to a conventional virus scanner lies in the fact that the files are transparently checked before ever making it to the client machine before the client machine's virus scan can be performed. So potentially-malicious files are blocked by
+ SquidClamAV before the client's actual download.
+ IPsec is a widely-deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well.
+ </p>
+
+ <p class="copy">
+ In contrast to SSL-VPNs, IPsec is hard to set-up. In IPFire, we
+ thought about how to make this technology easy-to-use and as a result, there
+ is a web user interface that handles all settings and takes care of the rest
+ of the configuration for you. It also keeps the tunnels alive and
+ re-establishes them automatically after a remote site has lost the connection. A secure connection to a branch office, a
+ business partner, or a home office is done within a couple of minutes
+ and compatible with all other implementations.
+ </p>
+
+ <p class="copy">
+ This high-level of compatibility is achieved by using the free
+ implementation called
+ <a href="//www.strongswan.org" target="_blank">strongSwan</a>. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies
+ and Applications at the University of Applied Sciences Rapperswil, in
+ Switzerland. StrongSwan also works with all current, major operating systems, such as Microsoft
+ An Intrusion Dection System (or IDS), is a piece of software designed to detect attacks against computer systems
+ and networks. Thereby the IDS will analyze the network traffic and search for attack samples. If someone
+ scans the ports of the IPFire-System to see which services are available, the IDS will immediately notice it.
+ </p>
+ <p class="copy">
+ An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions.
+ The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with
+ the portscan, the system would automatically block the attacker immediately in order to prevent further inquiries.
+ </p>
+ <p class="copy">
+ It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection
+ and Prevention System" (or IDPS). A very important deputy of this system is Snort, the free Network Intrusion Dection System
+ (NIDS). It analyzes the network traffic and if something abnormal happens, it will log the event. IPFire gives you
+ the possibility to see it very explicitly in the web interface.
+ </p>
+ <p class="copy">
+ For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.
+ </p>
+ <p class="copy">
+ An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about
+ incoming and outgoing network traffic and how to deal with it.
+ </p>
+ </section>
+
+ <div class="divider"></div>
+
+ <section id="qos">
+ <h3 class="headline">{{ _("Quality of Service") }}</h3>
+
+ <p class="copy">
+ Quality of Service (QoS) is able to save the quality of a service on one internet connection. This
+ means that on a highly-utilized internet connection, a service (for example VoIP) gets a stable size of bandwidth,
+ to transfer the information without delay and without loss. This is at the expense of the other
+ data flows on the line, which is tolerated, albeit transmitted more slowly (such as a file upload to an FTP server).
+ </p>
+ <p class="copy">
+ QoS does not only increase the functionality of real-time services, but also offers a little bit of overall improvement. For example:
+ </p>
+ <ul>
+ <li>
+ <strong>Connections establish much faster.</strong>
+ This is works very well on busy links.
+ </li>
+ <li>
+ <strong>Connections are much more stable.</strong>
+ Every service gets a minimum, guaranteed amount of bandwidth.
+ </li>
+ </ul>
+ <p class="copy">
+ For the classification of the packets, a Level-7-Filter is used. It also analyses the content, as well as the source-ports/IPs, and destination-ports/IPs of the packets. With that analysis, it will decide if it's a long download or a real-time
+ protocol and then subsequently determines the optimal use of the connection.
+ </p>
+ <p class="copy">
+ To put all in a nutshell, QoS reduces the latency and packet loss of an
+ internet connection. This is certainly a function that you don't want to miss where bandwidth is limited.
+ </p>
+ </section>
+
+ <div class="divider"></div>
+
+ <section id="hardware">
+ <h3 class="headline">{{ _("Hardware") }}</h3>
+
+ <p class="copy">
+ Since IPFire is based on a recent version of the Linux kernel, it supports most
+ of the latest hardware such as 10Gbit network cards and a variety of wireless
+ hardware out of the box.
+ The IPFire developers are very concerned with the ability to run IPFire as many
+ system variations as possible.
+ This helps IPFire to run on older or cheap hardware, as well as high-performance systems.
+ </p>
+ <p class="copy">
+ Minimum system requirements are an Intel Pentium I (i586),
+ 512MB RAM and 2GB hard drive space.
+ </p>
+ <p class="copy">
+ Some add-ons have extra requirements to perform smoothly.
+ On a system that fits the hardware requirements, IPFire
+ is able to serve hundreds of clients simultaneously.
+ </p>
+
+ <h4 class="secondHeadline">Heads up: More architectures in development!</h4>
+ <p class="copy">
+ The IPFire project is always interested in creating systems
+ which save the environment. The ARM architecture consumes
+ much less power and certainly has a lot of potential.
- and users are notified by mail. So in all cases, the update is just
- a simple click and your system is running safe again.
- </p>
- </section>
-
- <div class="divider"></div>
-
- <section id="dialup">
- <h3 class="headline">{{ _("Dialup") }}</h3>
-
- <p class="copy">
- IPFire as an Internet Gateway is able to dialup through various techniques
- to connect to the Internet.
- </p>
- <p class="copy">
- It supports all popular types of broadband access, as well as mobile access:
- </p>
-
- <ul>
- <li>
- <strong>VDSL</strong><br>
- VDSL is short for <em>Very High Data Rate Digital Subscriber Line</em> and
- it currently offers bandwidth up to 50 Mbit/s downstream and 10 Mbit/s upstream.
- VDSL brings the possibility of using new technologies such as IPTV. With IPFire, a conventional
- router can be replaced by a full-fledged system that brings the IPTV stream into your own home network.
- </li>
- <li>
- <strong>ADSL / SDSL</strong><br>
- Conventional DSL is also supported, although it is technically
- called also PPPoE or PPPoA. In some countries, the PPTP protocol is also widely used and it is also fully
- supported by IPFire.
- </li>
- <li>
- <strong>Ethernet</strong><br>
- Over Ethernet, IPFire can also be connected to the Internet and obtain
- an IP address either via DHCP or static configuration.
- </li>
- <li>
- <strong>4G / 3G</strong><br>
- Mobile broadband connections over USB modems, which are also known by the names
- UMTS, 3G, CDMA, HSDPA or LTE are also supported by IPFire.
- </li>
- </ul>
- </section>
-
- <div class="divider"></div>
-
- <section id="proxy">
- <h3 class="headline">{{ _("Web proxy") }}</h3>
-
- <p class="copy">
- IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies use because of its diversity, stability and mature development. Even for small home networks, it
- is a useful feature. In addition to the stateful paket inspection (SPI) filtering by the firewall on
- the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analysed
- and filtered as well.
- </p>
- <ul>
- <li>
- <strong>Security:</strong> The client does not query web servers directly, it queries the proxy first.
- The server response goes back to the proxy and not to the client, which actually does not technically even appear on the
- Internet. A related attack would therefore primarily reach the proxy and not the client. There are also
- functions available for data privacy, which is an significant advantage in comparison to a pure NAT router.
- </li>
- <li>
- <strong>Authentication:</strong> Using the access lists, the web proxy can also be configured to allow
- access only after a user has been authenticated. At this point you have the choice between LDAP, identd,
- Windows, Radius or local authentication methods. The web proxy can connect, for example to a
- Microsoft Windows domain controller and only the users of that Windows domain can be granted access to the Internet.
- </li>
- <li>
- <strong>Authorization:</strong> If the Internet access needs to be limited to specific time of a day,
- or if it should be even completely disabled for any clients, is this easily configured by the
- “network-based access control”, which can also be found on the IPFire web interface. A useful application for this feature can be for example, a school classroom.
- </li>
- <li>
- <strong>Logging:</strong> Since each access can be logged over the proxy, possibilities for the
- examination of the accessed content can be very useful, as well as statistics and bills can be issued afterwards.
- Through the use of a logfile analyzer named Calamaris, log files can be charted by varying criteria
- on the IPFire web interface.
- </li>
- <li>
- <strong>Bandwidth management:</strong> The download management function allows for control of the bandwidth
- to specified zones. Thus, content-based throttling (for example for binary files, CD images or
- multimedia content) is configurable with bandwidth limitations for individual zones or for each host
- SquidGuard is a URL filter add-on which is connected via the redirector mechanism of the proxy.
- The heart of SquidGuard is something called a "blacklist." This is a content control list created by the official site. These lists contain a number of categorically-classified websites and can be kept up-to-date automatically. There are different, independent
- sources for pre-built blacklists available, which allow among other classes filtering for adult
- content, shopping, warez, social networking, or sites containing violent/abusive content.
- </p>
- <p class="copy">
- Individual extensions for particular domains or URLs can be set up on the IPFire web interface for
- blacklists and whitelists as well. IPFire also offers a black list editor, that makes the editing
- and creating your own blacklists quite easy.
- </p>
- <p class="copy">
- Possible areas of application for the SquidGuard on IPFire are:
- </p>
- <ul>
- <li>
- Block or restrict Internet content conditionally by time, user and/or computers.
- </li>
- <li>
- Preventing access to certain (eg. youth-endangering) pages and content categories.
- The Update Accelerator is a feature that can greatly accelerate deploying updates for operating systems.
- All downloaded updates are cached and if requested another time, are delivered from the cache.
- </p>
- <p class="copy">
- For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large amounts of computers (such as corporate networks).
- The package manager Pakfire offers the addon SquidClamAV - a virus scanner for the web proxy. This checks in real-time all web traffic for viruses, utilizing the ClamAV virus definitions and scanning engine.
- </p>
- <p class="copy">
- The additional protection to a conventional virus scanner lies in the fact that the files are transparently checked before ever making it to the client machine before the client machine's virus scan can be performed. So potentially-malicious files are blocked by
- SquidClamAV before the client's actual download.
- IPsec is a widely-deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well.
- </p>
-
- <p class="copy">
- In contrast to SSL-VPNs, IPsec is hard to set-up. In IPFire, we
- thought about how to make this technology easy-to-use and as a result, there
- is a web user interface that handles all settings and takes care of the rest
- of the configuration for you. It also keeps the tunnels alive and
- re-establishes them automatically after a remote site has lost the connection. A secure connection to a branch office, a
- business partner, or a home office is done within a couple of minutes
- and compatible with all other implementations.
- </p>
-
- <p class="copy">
- This high-level of compatibility is achieved by using the free
- implementation called
- <a href="//www.strongswan.org" target="_blank">strongSwan</a>. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies
- and Applications at the University of Applied Sciences Rapperswil, in
- Switzerland. StrongSwan also works with all current, major operating systems, such as Microsoft
- An Intrusion Dection System (or IDS), is a piece of software designed to detect attacks against computer systems
- and networks. Thereby the IDS will analyze the network traffic and search for attack samples. If someone
- scans the ports of the IPFire-System to see which services are available, the IDS will immediately notice it.
- </p>
- <p class="copy">
- An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions.
- The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with
- the portscan, the system would automatically block the attacker immediately in order to prevent further inquiries.
- </p>
- <p class="copy">
- It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection
- and Prevention System" (or IDPS). A very important deputy of this system is Snort, the free Network Intrusion Dection System
- (NIDS). It analyzes the network traffic and if something abnormal happens, it will log the event. IPFire gives you
- the possibility to see it very explicitly in the web interface.
- </p>
- <p class="copy">
- For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.
- </p>
- <p class="copy">
- An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about
- incoming and outgoing network traffic and how to deal with it.
- </p>
- </section>
-
- <div class="divider"></div>
-
- <section id="qos">
- <h3 class="headline">{{ _("Quality of Service") }}</h3>
-
- <p class="copy">
- Quality of Service (QoS) is able to save the quality of a service on one internet connection. This
- means that on a highly-utilized internet connection, a service (for example VoIP) gets a stable size of bandwidth,
- to transfer the information without delay and without loss. This is at the expense of the other
- data flows on the line, which is tolerated, albeit transmitted more slowly (such as a file upload to an FTP server).
- </p>
- <p class="copy">
- QoS does not only increase the functionality of real-time services, but also offers a little bit of overall improvement. For example:
- </p>
- <ul>
- <li>
- <strong>Connections establish much faster.</strong>
- This is works very well on busy links.
- </li>
- <li>
- <strong>Connections are much more stable.</strong>
- Every service gets a minimum, guaranteed amount of bandwidth.
- </li>
- </ul>
- <p class="copy">
- For the classification of the packets, a Level-7-Filter is used. It also analyses the content, as well as the source-ports/IPs, and destination-ports/IPs of the packets. With that analysis, it will decide if it's a long download or a real-time
- protocol and then subsequently determines the optimal use of the connection.
- </p>
- <p class="copy">
- To put all in a nutshell, QoS reduces the latency and packet loss of an
- internet connection. This is certainly a function that you don't want to miss where bandwidth is limited.
- </p>
- </section>
-
- <div class="divider"></div>
-
- <section id="hardware">
- <h3 class="headline">{{ _("Hardware") }}</h3>
-
- <p class="copy">
- Since IPFire is based on a recent version of the Linux kernel, it supports most
- of the latest hardware such as 10Gbit network cards and a variety of wireless
- hardware out of the box.
- The IPFire developers are very concerned with the ability to run IPFire as many
- system variations as possible.
- This helps IPFire to run on older or cheap hardware, as well as high-performance systems.
- </p>
- <p class="copy">
- Minimum system requirements are an Intel Pentium I (i586),
- 512MB RAM and 2GB hard drive space.
- </p>
- <p class="copy">
- Some add-ons have extra requirements to perform smoothly.
- On a system that fits the hardware requirements, IPFire
- is able to serve hundreds of clients simultaneously.
- </p>
-
- <h4 class="secondHeadline">Heads up: More architectures in development!</h4>
- <p class="copy">
- The IPFire project is always interested in creating systems
- which save the environment. The ARM architecture consumes
- much less power and certainly has a lot of potential.
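Review bot: The added proxy section has unbalanced markup: the Bandwidth management `<li>` (ending "for individual zones or for each host") is never closed before the SquidGuard copy and a stray `</p>`, and the "Preventing access to certain" item likewise runs into the Update Accelerator copy with no `</li>` or `</ul>`. The strongSwan sentence also stops at "such as Microsoft" and continues straight into the IDS text, so those features appear to have lost their own headings and closing tags; restore them before merging. The removed lines carry the same text as the added ones, so if this is a whitespace or line-ending change, say so in the commit message; if the copy is being touched anyway, fix the typos carried over: "paket inspection", "Intrusion Dection System" (twice), "an significant advantage", "This is works very well" and "large companies use because". The link `<a href="//www.strongswan.org" target="_blank">` should use an explicit `https://` scheme and add `rel="noopener noreferrer"` so the opened page gets no `window.opener` handle. Only the `<h3 class="headline">` strings go through `_()`; the `<h4 class="secondHeadline">` text and the body copy are hard-coded and will not be picked up for translation.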