From 8d7dd2e91642d730d2aa2271fe7dd5b95f2bdb16 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sun, 15 Jul 2018 12:26:13 +0100 Subject: [PATCH] features: Tidy up markup Signed-off-by: Michael Tremer --- src/scss/_variables.scss | 1 + src/templates/static/features.html | 555 +++++++++++++++-------------- 2 files changed, 297 insertions(+), 259 deletions(-) diff --git a/src/scss/_variables.scss b/src/scss/_variables.scss index 820fb9a2..9a776c01 100644 --- a/src/scss/_variables.scss +++ b/src/scss/_variables.scss @@ -70,6 +70,7 @@ $small-font-size: 87.5%; // Headings $headings-font-weight: 300; $headings-line-height: 1.5; +$headings-margin-bottom: 1.5rem; $headings-color: $blue-grey-900; $h1-font-size: 3rem; diff --git a/src/templates/static/features.html b/src/templates/static/features.html index 648241fc..017fd693 100644 --- a/src/templates/static/features.html +++ b/src/templates/static/features.html @@ -36,7 +36,7 @@
  • Wireless Access Point
    • - +
    @@ -44,7 +44,7 @@

    About IPFire

    The Open Source Firewall Distribution

    -

    +

    IPFire was designed with both modularity and a high-level of flexibility in mind. You can easily deploy many variations of it, such as a firewall, a proxy server or a VPN gateway. @@ -52,7 +52,8 @@ nothing more. Everything is simple to manage and update through the package manager, making maintenance a breeze.

    -

    + +

    The IPFire development team understands that security means different things to different people and certainly can change over time. The fact that IPFire is modular and flexible make it perfect for integrating @@ -62,13 +63,13 @@ settings out-of-the-box, meaning it's a snap to get going quickly!

    - +
    - +
    -

    {{ _("Security") }}

    - -

    +

    {{ _("Security") }}

    + +

    The primary objective of IPFire is security. As there is of course no one, single way to achieve network security, it is important for a network administrator to understand their environment and what the term @@ -78,7 +79,8 @@ and makes it easy to create custom policies that manage each segment (see the Firewall page for more information).

    -

    + +

    Security of the modular components is a top priority. Updates are digitally signed and encrypted, as well as can be automatically installed by Pakfire (the IPFire package management system). @@ -88,7 +90,8 @@ they are running the latest security updates and bug fixes for all of the components they utilize.

    -

    + +

    IPFire 2.15 - Core Update 77 Since IPFire 2.15, the IPFire Linux kernel is patched with the @@ -101,150 +104,153 @@ harder for attackers to cause harm to the system.

    - +
    - +
    -

    {{ _("Firewall") }}

    +

    {{ _("Firewall") }}

    -

    - IPFire employs a Stateful Packet Inspection (SPI) firewall, - which is built on top of netfilter (the Linux packet filtering framework). -

    -

    - During the installation of IPFire, the network is configured into different, - separate segments. - This segmented security scheme means that there is a perfect place for each - machine in the network. - These different segments may be enabled separately, depending on your requirements. - Each segment represents a group of computers who share a common security level: -

    - -
    -
    - -
    -

    - Green represents a "safe" area. - This is where all regular clients will reside. - It is usually comprised of a wired, local network. - Clients on Green can access all other network - segments without restriction. -

    -
    - -
    -
    - -
    -

    - Red indicates "danger" or the connection to the Internet. - Nothing from Red is permitted to pass through the - firewall unless specifically configured by the - administrator. -

    -
    - -
    -
    - -
    -

    - Blue represents the "wireless" part of the local - network (chosen because it's the color of the sky). - Since the wireless network has the potential for abuse, - it is uniquely identified and specific rules govern - clients on it. - Clients on this network segment must be explicitly - allowed before they may access the network. -

    +

    + IPFire employs a Stateful Packet Inspection (SPI) firewall, + which is built on top of netfilter (the Linux packet filtering framework). +

    + +

    + During the installation of IPFire, the network is configured into different, + separate segments. + This segmented security scheme means that there is a perfect place for each + machine in the network. + These different segments may be enabled separately, depending on your requirements. + Each segment represents a group of computers who share a common security level: +

    + +
    +
    +
    - -
    -
    - -
    -

    - Orange is referred to as the "demilitarized zone" (DMZ). - Any servers which are publicly accessible are separated - from the rest of the network here to limit security - breaches. -

    + +

    + Green represents a "safe" area. + This is where all regular clients will reside. + It is usually comprised of a wired, local network. + Clients on Green can access all other network + segments without restriction. +

    +
    + +
    +
    +
    - -

    - IPFire 2.15 - Core Update 77 - With IPFire 2.15, the graphical user interface has been completely rewritten - and massively extended with new functionality. - It is now possible to manage groups of hosts or services. That makes it simpler - to create many similar rules for a great number of hosts, networks or services. + +

    + Red indicates "danger" or the connection to the Internet. + Nothing from Red is permitted to pass through the + firewall unless specifically configured by the + administrator.

    - -

    Managing firewall rules has never been easier before.

    - -

    - Because even with a big number of rules, the configuration remains - easily manageable and that makes it possible to build more restrictive - configurations without losing control. +

    + +
    +
    + +
    +

    + Blue represents the "wireless" part of the local + network (chosen because it's the color of the sky). + Since the wireless network has the potential for abuse, + it is uniquely identified and specific rules govern + clients on it. + Clients on this network segment must be explicitly + allowed before they may access the network.

    - -

    - Additionally, the firewall can be used to control outbound Internet - access from any segment. - This feature gives the network administrator complete control - over how their network is configured and secured. +

    + +
    +
    + +
    +

    + Orange is referred to as the "demilitarized zone" (DMZ). + Any servers which are publicly accessible are separated + from the rest of the network here to limit security + breaches.

    - -

    - - Firewall Documentation +

    + +

    + IPFire 2.15 - Core Update 77 + With IPFire 2.15, the graphical user interface has been completely rewritten + and massively extended with new functionality. + It is now possible to manage groups of hosts or services. That makes it simpler + to create many similar rules for a great number of hosts, networks or services. +

    + +
    Managing firewall rules has never been easier before.
    + +

    + Because even with a big number of rules, the configuration remains + easily manageable and that makes it possible to build more restrictive + configurations without losing control. +

    + +

    + Additionally, the firewall can be used to control outbound Internet + access from any segment. + This feature gives the network administrator complete control + over how their network is configured and secured. +

    + +

    + + Firewall Documentation + +

    + +
    Web User-Interface screenshots
    + +
    +
    + + {{ _( -

    - -

    Web User-Interface screenshots

    - -
    -
    - - {{ _( - -
    - -
    - - {{ _( - -
    - -
    - - {{ _( - -
    -
    - -
    -
    - - {{ _( - -
    - -
    - - {{ _( - -
    -
    +
    + +
    + + {{ _( + +
    + +
    + + {{ _( + +
    +
    + +
    +
    + + {{ _( + +
    + +
    + + {{ _( + +
    +
    - +
    - +
    -

    Pakfire

    -
    {{ _("The IPFire package management system") }}
    +

    Pakfire

    +

    {{ _("The IPFire package management system") }}

    -

    +

    From a technical point of view, IPFire is a minimalistic, hardened firewall system which comes with an integrated package manager called Pakfire. The primary task of Pakfire is to update the system with only a single click. @@ -252,12 +258,13 @@ bugfixes and feature enhancements, which make IPFire safer and faster - or simply: better.

    -

    + +

    Another task of Pakfire is to install additional software that adds new functionality to the IPFire system. Some useful of them are: - +

    • File sharing services such as Samba and vsftpd
    • Communications server using Asterisk
      • @@ -267,14 +274,14 @@

    - -
    + +
    {{ _(
    - +
    {{ _( @@ -282,32 +289,35 @@
    -

    Pakfire as a build system

    -

    +

    Pakfire as a build system
    + +

    The next major release of IPFire will also ship a new generation of the Pakfire packagement system. This new generation has been made faster, more secure, more easy to handle and adds a whole bunch of new features.

    -

    + +

    One of this features is that pakfire is now the buildsystem as well. Having a customized build system for the needs of IPFire and the IPFire developers improved the development process very much. Building new packages became a lot more easy and less time-consuming.

    -

    + +

    Quality assurance became more social right now. Check it out at pakfire.ipfire.org.

    - +
    - +
    -

    {{ _("Updates") }}

    +

    {{ _("Updates") }}

    -

    +

    IPFire is based on Linux, which is the best Open Source kernel around. Additionally, IPFire is not based on any other distribution like Knoppix is on Debian. It is compiled from the sources @@ -320,10 +330,12 @@ with patches to support as much hardware as possible and more importantly fix security errors.

    -

    + +

    This is what makes IPFire a very strong and hardened system.

    -

    + +

    To keep up that strength and be prepared for new hardware, we give out the so called Core Updates which are issued in @@ -331,27 +343,29 @@ security emergency, we provide updates in less than a day to overcome zero-day holes in the system.

    -

    + +

    All of the updates can be installed by the package management system and users are notified by mail. So in all cases, the update is just a simple click and your system is running safe again.

    - +
    - +
    -

    {{ _("Dialup") }}

    +

    {{ _("Dialup") }}

    -

    +

    IPFire as an Internet Gateway is able to dialup through various techniques to connect to the Internet.

    -

    + +

    It supports all popular types of broadband access, as well as mobile access:

    - +
    • VDSL
      @@ -378,19 +392,20 @@
    - +
    - +
    -

    {{ _("Web proxy") }}

    +

    {{ _("Web proxy") }}

    -

    +

    IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies use because of its diversity, stability and mature development. Even for small home networks, it is a useful feature. In addition to the stateful paket inspection (SPI) filtering by the firewall on the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analysed and filtered as well.

    -
      + +
      • Security: The client does not query web servers directly, it queries the proxy first. The server response goes back to the proxy and not to the client, which actually does not technically even appear on the @@ -421,24 +436,27 @@ in a particular zone.
      - -

      {{ _("Content filter") }}

      -

      +

      {{ _("Content filter") }}
      + +

      SquidGuard is a URL filter add-on which is connected via the redirector mechanism of the proxy. The heart of SquidGuard is something called a "blacklist." This is a content control list created by the official site. These lists contain a number of categorically-classified websites and can be kept up-to-date automatically. There are different, independent sources for pre-built blacklists available, which allow among other classes filtering for adult content, shopping, warez, social networking, or sites containing violent/abusive content.

      -

      + +

      Individual extensions for particular domains or URLs can be set up on the IPFire web interface for blacklists and whitelists as well. IPFire also offers a black list editor, that makes the editing and creating your own blacklists quite easy.

      -

      + +

      Possible areas of application for the SquidGuard on IPFire are:

      -
        + +
        • Block or restrict Internet content conditionally by time, user and/or computers.
          • @@ -449,43 +467,44 @@ Hiding advertising.
        - - -

        {{ _("Update accelerator") }}

        -

        +

        {{ _("Update accelerator") }}
        + +

        The Update Accelerator is a feature that can greatly accelerate deploying updates for operating systems. All downloaded updates are cached and if requested another time, are delivered from the cache.

        -

        - For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large amounts of computers (such as corporate networks). + +

        + For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large amounts of computers (such as corporate networks).

        - -

        {{ _("Transparent virus scanner") }}

        - -

        + +

        {{ _("Transparent virus scanner") }}
        + +

        The package manager Pakfire offers the addon SquidClamAV - a virus scanner for the web proxy. This checks in real-time all web traffic for viruses, utilizing the ClamAV virus definitions and scanning engine.

        -

        + +

        The additional protection to a conventional virus scanner lies in the fact that the files are transparently checked before ever making it to the client machine before the client machine's virus scan can be performed. So potentially-malicious files are blocked by SquidClamAV before the client's actual download.

    - +
    - +
    -

    {{ _("Cryptography") }}

    +

    {{ _("Cryptography") }}

    -

    +

    Cryptography is one of the foundations for various services like VPNs and secure communication on the Internet. Therefore, IPFire is putting an emphasis on this topic.

    - -

    {{ _("Hardware Acceleration") }}

    - -

    + +

    {{ _("Hardware Acceleration") }}
    + +

    IPFire 2.15 - Core Update 77 IPFire can use various crypto processors like those to be found in AMD Geode CPUs, the VIA Padlock or CPU extensions like AES-NI @@ -494,17 +513,17 @@ data is sent through an encrypted tunnel.

    -
      + - -

      {{ _("Random Number Generators") }}

      -

      +

      {{ _("Random Number Generators") }}
      + +

      IPFire 2.15 - Core Update 77 IPFire is also able to use various random hardware number generators to seed the kernel's entropy pool. That entropy is needed to generate @@ -519,34 +538,35 @@

    - +
    - +
    -

    {{ _("VPN") }}

    -
    {{ _("Virtual Private Networks") }}
    +

    {{ _("VPN") }}

    +

    {{ _("Virtual Private Networks") }}

    -

    +

    IPFire also includes functionality to create virtual private networks (VPN). A VPN is a gateway which connects remote networks to the local one using an encrypted link. Uses for a VPN include business connections to branch offices or datacenters, as well as providing traveling staff with a secure portal to the corporate network.

    -

    + +

    For maximum flexibility, IPFire uses both IPsec and OpenVPN protocols, giving administrators maximum flexibility when configuring their VPN. Use of these protocols allows IPFire to connect to a variety of VPN endpoint - devices by manufacturers such as Cisco, Juniper, Checkpoint, etc. + devices by manufacturers such as Cisco, Juniper, Checkpoint, etc.

    - -

    {{ _("IPsec") }}

    - -

    + +

    {{ _("IPsec") }}
    + +

    IPsec is a widely-deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well.

    -

    +

    In contrast to SSL-VPNs, IPsec is hard to set-up. In IPFire, we thought about how to make this technology easy-to-use and as a result, there is a web user interface that handles all settings and takes care of the rest @@ -556,7 +576,7 @@ and compatible with all other implementations.

    -

    +

    This high-level of compatibility is achieved by using the free implementation called strongSwan. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies @@ -565,9 +585,9 @@ Windows 7, Microsoft Windows Vista and macOS.

    -

    {{ _("OpenVPN") }}

    - -

    +

    {{ _("OpenVPN") }}
    + +

    OpenVPN is a frequently-encountered and most popular representative of the class of Open Source SSL VPNs. Its relative ease of configuration has again, been made easier @@ -576,7 +596,8 @@ generated with a few mouse clicks and can be downloaded and distributed as a very compact client package.

    -

    + +

    Due to its high compatibility to all sorts of operating systems, such as Microsoft Windows, macOS, Linux, Android and many more, it is perfectly useful for roadwarrior connections. @@ -584,7 +605,8 @@ other devices to your company network, which makes it easy to work from anywhere in the world.

    -

    + +

    But besides connecting portable devices, OpenVPN can also be used to securely connect branches to the headquater. This makes it easy to access resources on other networks @@ -592,51 +614,57 @@ on your local network.

    - +
    - +
    -

    {{ _("Intrusion detection system") }}

    - -

    +

    {{ _("Intrusion detection system") }}

    + +

    An Intrusion Dection System (or IDS), is a piece of software designed to detect attacks against computer systems and networks. Thereby the IDS will analyze the network traffic and search for attack samples. If someone scans the ports of the IPFire-System to see which services are available, the IDS will immediately notice it.

    -

    + +

    An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions. The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with the portscan, the system would automatically block the attacker immediately in order to prevent further inquiries.

    -

    + +

    It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection and Prevention System" (or IDPS). A very important deputy of this system is Snort, the free Network Intrusion Dection System (NIDS). It analyzes the network traffic and if something abnormal happens, it will log the event. IPFire gives you the possibility to see it very explicitly in the web interface.

    -

    + +

    For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.

    -

    + +

    An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about incoming and outgoing network traffic and how to deal with it.

    - +
    - +
    -

    {{ _("Quality of Service") }}

    - -

    +

    {{ _("Quality of Service") }}

    + +

    Quality of Service (QoS) is able to save the quality of a service on one internet connection. This means that on a highly-utilized internet connection, a service (for example VoIP) gets a stable size of bandwidth, to transfer the information without delay and without loss. This is at the expense of the other data flows on the line, which is tolerated, albeit transmitted more slowly (such as a file upload to an FTP server).

    -

    + +

    QoS does not only increase the functionality of real-time services, but also offers a little bit of overall improvement. For example:

    +
    • Connections establish much faster. @@ -647,22 +675,24 @@ Every service gets a minimum, guaranteed amount of bandwidth.
    -

    + +

    For the classification of the packets, a Level-7-Filter is used. It also analyses the content, as well as the source-ports/IPs, and destination-ports/IPs of the packets. With that analysis, it will decide if it's a long download or a real-time protocol and then subsequently determines the optimal use of the connection.

    -

    + +

    To put all in a nutshell, QoS reduces the latency and packet loss of an internet connection. This is certainly a function that you don't want to miss where bandwidth is limited.

    - +
    - +
    -

    {{ _("Hardware") }}

    - -

    +

    {{ _("Hardware") }}

    + +

    Since IPFire is based on a recent version of the Linux kernel, it supports most of the latest hardware such as 10Gbit network cards and a variety of wireless hardware out of the box. @@ -670,23 +700,27 @@ system variations as possible. This helps IPFire to run on older or cheap hardware, as well as high-performance systems.

    -

    + +

    Minimum system requirements are an Intel Pentium I (i586), 512MB RAM and 2GB hard drive space.

    -

    + +

    Some add-ons have extra requirements to perform smoothly. On a system that fits the hardware requirements, IPFire is able to serve hundreds of clients simultaneously.

    -

    Heads up: More architectures in development!

    -

    +

    Heads up: More architectures in development!
    + +

    The IPFire project is always interested in creating systems which save the environment. The ARM architecture consumes much less power and certainly has a lot of potential.

    - @@ -699,13 +733,13 @@
    - +
    - +
    -

    {{ _("Virtualization") }}

    +

    {{ _("Virtualization") }}

    -

    +

    IPFire brings many front-end drivers for high-performance virtualization and can be run as virtual guest operating system on the following virtualization platforms. @@ -713,8 +747,9 @@ the best possible performance without impacting the hardware very much.

    -

    Supported hypervisors

    -
      +
      Supported hypervisors
      + +
      • KVM
        KVM is short for @@ -746,8 +781,9 @@
      -

      A note on virtualization

      -

      +

      A note on virtualization
      + +

      Virtualization does have advantages, but it is not without disadavantages. There is always the possibility that the VM container security can be bypassed in some way and a hacker can gain access beyond the VM. @@ -763,13 +799,13 @@

    - +
    - +
    -

    {{ _("Wireless Access Point") }}

    +

    {{ _("Wireless Access Point") }}

    -

    +

    IPFire offers several options for the integration of wireless clients. First, an access point can be connected via a LAN card. In this scenario, IPFire offers MAC/IP address filtering to allow only authorized clients. The clients are allowed by default to access the Internet, but they are not allowed access the local LAN. @@ -777,11 +813,12 @@ point over, using the add-on "hostapd". This add-on supports both unencrypted and WPA/WPA2-encrypted connections. Also the use of 5 GHz (802.11a standard) is possible if the wireless card supports it.

    -

    + +

    Wireless card support in IPFire is excellent. The drivers in the stable kernel are very up-to-date and IPFire therefore supports a significant amount of WLAN cards.

    -
    + @@ -792,7 +829,7 @@