[ipfire.org.git] / templates / static / features.html
1 {% extends "../base.html" %}
2
3 {% block title %}{{ _("About IPFire") }}{% end block %}
4
5 {% block container %}
6 <div class="container features-content">
7 <div class="row">
8 <nav id="sidebar" class="col-12 col-md-3" role="dropdown">
9 <input type="checkbox" id="menu">
10 <label for="menu" onclick></label>
11 <ul class="nav flex-column features_nav">
12 <li class="nav-item"><a class="nav-link active" href="#about">About IPFire</a></li>
13 <li class="nav-item"><a class="nav-link" href="#security">Security</a></li>
14 <li class="nav-item"><a class="nav-link" href="#firewall">Firewall</a></li>
15 <li class="nav-item"><a class="nav-link" href="#pakfire">PakFire</a></li>
16 <li class="nav-item"><a class="nav-link" href="#updates">Updates</a></li>
17 <li class="nav-item"><a class="nav-link" href="#dialup">Dialup</a></li>
18 <li class="nav-item"><a class="nav-link" href="#proxy">Web Proxy</a>
19 <ul>
20 <li class="nav-item"><a class="nav-link" href="#">Content Filter</a></li>
21 <li class="nav-item"><a class="nav-link" href="#">Update Accelerator</a></li>
22 <li class="nav-item"><a class="nav-link" href="#">Transparent Virus Scanner</a></li>
23 </ul>
24 </li>
25 <li class="nav-item"><a class="nav-link" href="#crypto">Cryptography</a></li>
26 <li class="nav-item"><a class="nav-link" href="#vpn">VPN</a>
27 <ul>
28 <li class="nav-item"><a class="nav-link" href="#">IPsec</a></li>
29 <li class="nav-item"><a class="nav-link" href="#">OpenVPN</a></li>
30 </ul>
31 </li>
32 <li class="nav-item"><a class="nav-link" href="#ids">Intrusion Detection System</a></li>
33 <li class="nav-item"><a class="nav-link" href="#qos">Quality of Service</a></li>
34 <li class="nav-item"><a class="nav-link" href="#hardware">Hardware</a></li>
35 <li class="nav-item"><a class="nav-link" href="#virtualization">Virtualisation</a></li>
36 <li class="nav-item"><a class="nav-link" href="#wlanap">Wireless Access Point</a></li>
37 </ul>
38 </nav>
39
40 <section class="content col-12 col-md-9">
41 <section id="about">
42 <h3 class="headline">About IP<strong>Fire</strong></h3>
43 <h5 class="subheadline">The Open Source Firewall Distribution</h5>
44
45 <p class="copy">
46 IP<strong>Fire</strong> was designed with both modularity and a high level of
47 flexibility in mind. You can easily deploy many variations of it, such as a firewall,
48 a proxy server or a VPN gateway.
49 The modular design ensures that it runs exactly what you've configured it for and
50 nothing more. Everything is simple to manage and update through the package manager,
51 making maintenance a breeze.
52 </p>
53 <p class="copy">
54 The IP<strong>Fire</strong> development team understands that security means different things to
55 different people and certainly can change over time.
56 The fact that IPFire is modular and flexible makes it perfect for integrating
57 into any existing security architecture.
58 Don't forget that ease-of-use is a key principle.
59 If all this sounds a little too much for you, IPFire comes with great default
60 settings out-of-the-box, meaning it's a snap to get going quickly!
61 </p>
62 </section>
63
64 <div class="divider"></div>
65
66 <section id="security">
67 <h3 class="headline">{{ _("Security") }}</h3>
68
69 <p class="copy">
70 The primary objective of IPFire is security.
71 As there is of course no one, single way to achieve network security, it is important
72 for a network administrator to understand their environment and what the term
73 <em>security</em> means in the context of their own network.
74 IPFire forms the base of a secure network.
75 It has the power to segment networks based on their respective security levels
76 and makes it easy to create custom policies that manage each segment
77 (see the Firewall page for more information).
78 </p>
79 <p class="copy">
80 Security of the modular components is a top priority.
81 Updates are digitally signed and encrypted, and can be installed automatically
82 by Pakfire (<a href="#updates">the IPFire package management system</a>).
83 Since IPFire is typically directly connected to the Internet, it is going to be a
84 primary target for hackers and other threats.
85 The simple Pakfire package manager helps administrators feel confident that
86 they are running the latest security updates and bug fixes for all of the
87 components they utilize.
88 </p>
89 <p class="copy">
90 <span class="badge badge-success">IPFire 2.15 - Core Update 77</span>
91 <a href="//planet.ipfire.org/post/feature-highlights-ipfire-2-15-1-hardening-the-system">Since IPFire 2.15</a>,
92 the IPFire Linux kernel is patched with the
93 <a href="//grsecurity.net">grsecurity</a> patchset, which
94 pro-actively hardens the kernel against various forms of attacks.
95 Most importantly, it protects from zero-day exploits by
96 eliminating entire bug classes and exploit vectors.
97 It makes stack buffer overflows almost impossible to exploit
98 and comes with strict access controls that make it
99 harder for attackers to cause harm to the system.
100 </p>
101 </section>
102
103 <div class="divider"></div>
104
105 <section id="firewall">
106 <h3 class="headline">{{ _("Firewall") }}</h3>
107
108 <p class="copy">
109 IPFire employs a Stateful Packet Inspection (SPI) firewall,
110 which is built on top of netfilter (the Linux packet filtering framework).
111 </p>
112 <p class="copy">
113 During the installation of IPFire, the network is configured into different,
114 separate segments.
115 This segmented security scheme means that there is a perfect place for each
116 machine in the network.
117 These different segments may be enabled separately, depending on your requirements.
118 Each segment represents a group of computers that share a common security level:
119 </p>
120
121 <div class="row d-flex align-items-center mb-6 mb-md-5">
122 <div class="green-600 outline_i rounded-circle mb-3 mb-md-0 mr-md-4 ml-md-0 mx-auto">
123 <svg class="icon i_features i_verified"><use xlink:href="#verified"/></svg>
124 </div>
125 <p class="copy green-600 col-12 col-md-10 m-0">
126 Green represents a "safe" area.
127 This is where all regular clients will reside.
128 It is usually comprised of a wired, local network.
129 Clients on Green can access all other network
130 segments without restriction.
131 </p>
132 </div>
133
134 <div class="row d-flex align-items-center mb-6 mb-md-5">
135 <div class="red-900 outline_i rounded-circle mb-3 mb-md-0 mr-md-4 ml-md-0 mx-auto">
136 <svg class="icon i_features i_warning"><use xlink:href="#warning"/></svg>
137 </div>
138 <p class="copy red-900 col-12 col-md-10 m-0">
139 Red indicates "danger" or the connection to the Internet.
140 Nothing from Red is permitted to pass through the
141 firewall unless specifically configured by the
142 administrator.
143 </p>
144 </div>
145
146 <div class="row d-flex align-items-center mb-6 mb-md-5">
147 <div class="blue-700 outline_i rounded-circle mb-3 mb-md-0 mr-md-4 ml-md-0 mx-auto">
148 <svg class="icon i_features i_wifi"><use xlink:href="#wifi"/></svg>
149 </div>
150 <p class="copy blue-700 col-12 col-md-10 m-0">
151 Blue represents the "wireless" part of the local
152 network (chosen because it's the color of the sky).
153 Since the wireless network has the potential for abuse,
154 it is uniquely identified and specific rules govern
155 clients on it.
156 Clients on this network segment must be explicitly
157 allowed before they may access the network.
158 </p>
159 </div>
160
161 <div class="row d-flex align-items-center mb-5">
162 <div class="amber-800 outline_i rounded-circle mb-3 mb-md-0 mr-md-4 ml-md-0 mx-auto">
163 <svg class="icon i_features i_server"><use xlink:href="#server"/></svg>
164 </div>
165 <p class="copy amber-800 col-12 col-md-10 m-0">
166 Orange is referred to as the "demilitarized zone" (DMZ).
167 Any servers which are publicly accessible are separated
168 from the rest of the network here to limit security
169 breaches.
170 </p>
171 </div>
172
173 <p class="copy">
174 <span class="label label-success">IPFire 2.15 - Core Update 77</span>
175 With IPFire 2.15, the graphical user interface has been completely rewritten
176 and massively extended with new functionality.
177 It is now possible to manage groups of hosts or services. That makes it simpler
178 to create many similar rules for a great number of hosts, networks or services.
179 </p>
180
181 <h4 class="secondHeadline">Managing firewall rules has never been easier.</h4>
182
183 <p class="copy">
184 Even with a large number of rules, the configuration remains
185 easily manageable, which makes it possible to build more restrictive
186 configurations without losing control.
187 </p>
188
189 <p class="copy">
190 Additionally, the firewall can be used to control outbound Internet
191 access from any segment.
192 This feature gives the network administrator complete control
193 over how their network is configured and secured.
194 </p>
195
196 <p class="copy">
197 <a href="//wiki.ipfire.org/en/configuration/firewall/start">
198 Firewall Documentation
199 </a>
200 </p>
201
202 <h4 class="secondHeadline">Web User-Interface screenshots</h4>
203
204 <div class="row my-gallery" itemscope itemtype="http://schema.org/ImageGallery">
205 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
206 <a class="thumbnail" href="{{ static_url("images/screenshots/en/firewall/rules.png") }}" itemprop="contentUrl" data-size="999x589">
207 <img class="img-fluid" src="{{ static_url("images/screenshots/en/firewall/rules.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
208 </a>
209 </figure>
210
211 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
212 <a class="thumbnail" href="{{ static_url("images/screenshots/en/firewall/new-rule.png") }}" itemprop="contentUrl" data-size="1033x1077">
213 <img class="img-fluid" src="{{ static_url("images/screenshots/en/firewall/new-rule.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
214 </a>
215 </figure>
216
217 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
218 <a class="thumbnail" href="{{ static_url("images/screenshots/en/firewall/service-groups.png") }}" itemprop="contentUrl" data-size="977x825">
219 <img class="img-fluid" src="{{ static_url("images/screenshots/en/firewall/service-groups.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
220 </a>
221 </figure>
222 </div>
223
224 <div class="row my-gallery">
225 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
226 <a class="thumbnail" href="{{ static_url("images/screenshots/en/firewall/host-groups.png") }}" itemprop="contentUrl" data-size="1029x675">
227 <img class="img-fluid" src="{{ static_url("images/screenshots/en/firewall/host-groups.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
228 </a>
229 </figure>
230
231 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
232 <a class="thumbnail" href="{{ static_url("images/screenshots/en/firewall/connections-1.png") }}" itemprop="contentUrl" data-size="776x686">
233 <img class="img-fluid" src="{{ static_url("images/screenshots/en/firewall/connections-1.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
234 </a>
235 </figure>
236 </div>
237 </section>
238
239 <div class="divider"></div>
240
241 <section id="pakfire">
242 <h3 class="headline">Pakfire</h3>
243 <h5 class="subheadline">{{ _("The IPFire package management system") }}</h5>
244
245 <p class="copy">
246 From a technical point of view, IPFire is a minimalistic, hardened firewall system
247 which comes with an integrated package manager called Pakfire.
248 The primary task of Pakfire is to update the system with only a single click.
249 It is very easy to install <a href="/features/updates">security patches,
250 bugfixes and feature enhancements</a>, which make IPFire safer and faster
251 - or simply: better.
252 </p>
253 <p class="copy">
254 Another task of Pakfire is to install additional software that adds new
255 functionality to the IPFire system.
256
257 Some useful examples are:
258
259 <ul>
260 <li>File sharing services such as Samba and vsftpd</li>
261 <li>Communications server using Asterisk</li>
262 <li>
263 Various command-line tools such as <em>tcpdump</em>,
264 <em>nmap</em>, <em>traceroute</em> and many more.
265 </li>
266 </ul>
267 </p>
268
269 <div class="row my-gallery" itemscope itemtype="http://schema.org/ImageGallery">
270 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
271 <a class="thumbnail" href="{{ static_url("images/screenshots/en/pakfire/pakfire-overview-1.png") }}" itemprop="contentUrl" data-size="770x508">
272 <img class="img-fluid" src="{{ static_url("images/screenshots/en/pakfire/pakfire-overview-1.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
273 </a>
274 </figure>
275
276 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
277 <a class="thumbnail" href="{{ static_url("images/screenshots/en/pakfire/addon-services-1.png") }}" itemprop="contentUrl" data-size="698x284">
278 <img class="img-fluid" src="{{ static_url("images/screenshots/en/pakfire/addon-services-1.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
279 </a>
280 </figure>
281 </div>
282
283 <h4 class="secondHeadline">Pakfire as a build system</h4>
284 <p class="copy">
285 The next major release of IPFire will also ship a new generation
286 of the Pakfire package management system.
287 This new generation has been made faster, more secure,
288 easier to handle and adds a whole bunch of new features.
289 </p>
290 <p class="copy">
291 One of these features is that Pakfire is now the
292 build system as well. Having a customized build system for
293 the needs of IPFire and the IPFire developers improved
294 the development process very much. Building new packages
295 became a lot easier and less time-consuming.
296 </p>
297 <p class="copy">
298 Quality assurance has become more social. Check it
299 out at <a href="//pakfire.ipfire.org/">pakfire.ipfire.org</a>.
300 </p>
301 </section>
302
303 <div class="divider"></div>
304
305 <section id="updates">
306 <h3 class="headline">{{ _("Updates") }}</h3>
307
308 <p class="copy">
309 IPFire is based on Linux, which is the best Open Source kernel around.
310 Additionally, IPFire is <strong>not</strong> based on any other
311 distribution, the way Knoppix is based on Debian. It is compiled from the sources
312 of every single package. This takes a lot of work, but it
313 means we do not have to rely on the update cycles of others.
314 The advantage we gain is that we are able to select very stable
315 versions of software and build the distribution from them. For example,
316 most of the distribution is well tested and long maintained
317 - in contrast to the kernel, which is very recent and regularly updated
318 with patches to support as much hardware as possible and, more importantly,
319 to fix security errors.
320 </p>
321 <p class="copy">
322 This is what makes IPFire a very strong and hardened system.
323 </p>
324 <p class="copy">
325 To keep up that strength and be prepared for new
326 <a href="/features/hardware">hardware</a>, we release
327 the so-called <strong>Core Updates</strong>, which are issued
328 about every four weeks and bundle the collected fixes. If there is a
329 security emergency, we provide updates in less than a day to overcome
330 zero-day holes in the system.
331 </p>
332 <p class="copy">
333 All of the updates can be installed by the
334 <a href="/features/pakfire">package management system</a>
335 and users are notified by mail. So in all cases, the update is just
336 a simple click and your system is running safe again.
337 </p>
338 </section>
339
340 <div class="divider"></div>
341
342 <section id="dialup">
343 <h3 class="headline">{{ _("Dialup") }}</h3>
344
345 <p class="copy">
346 IPFire as an Internet gateway is able to dial up using various techniques
347 to connect to the Internet.
348 </p>
349 <p class="copy">
350 It supports all popular types of broadband access, as well as mobile access:
351 </p>
352
353 <ul>
354 <li>
355 <strong>VDSL</strong><br>
356 VDSL is short for <em>Very High Data Rate Digital Subscriber Line</em> and
357 it currently offers bandwidth up to 50 Mbit/s downstream and 10 Mbit/s upstream.
358 VDSL brings the possibility of using new technologies such as IPTV. With IPFire, a conventional
359 router can be replaced by a full-fledged system that brings the IPTV stream into your own home network.
360 </li>
361 <li>
362 <strong>ADSL / SDSL</strong><br>
363 Conventional DSL is also supported, although it is technically
364 also called PPPoE or PPPoA. In some countries, the PPTP protocol is also widely used and it is also fully
365 supported by IPFire.
366 </li>
367 <li>
368 <strong>Ethernet</strong><br>
369 Over Ethernet, IPFire can also be connected to the Internet and obtain
370 an IP address either via DHCP or static configuration.
371 </li>
372 <li>
373 <strong>4G / 3G</strong><br>
374 Mobile broadband connections over USB modems, which are also known by the names
375 UMTS, 3G, CDMA, HSDPA or LTE are also supported by IPFire.
376 </li>
377 </ul>
378 </section>
379
380 <div class="divider"></div>
381
382 <section id="proxy">
383 <h3 class="headline">{{ _("Web proxy") }}</h3>
384
385 <p class="copy">
386 IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies because of its diversity, stability and mature development. Even for small home networks, it
387 is a useful feature. In addition to the stateful packet inspection (SPI) filtering by the firewall on
388 the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analysed
389 and filtered as well.
390 </p>
391 <ul>
392 <li>
393 <strong>Security:</strong> The client does not query web servers directly; it queries the proxy first.
394 The server response goes back to the proxy and not to the client, which technically does not even appear on the
395 Internet. A related attack would therefore primarily reach the proxy and not the client. There are also
396 functions available for data privacy, which is a significant advantage in comparison to a pure NAT router.
397 </li>
398 <li>
399 <strong>Authentication:</strong> Using the access lists, the web proxy can also be configured to allow
400 access only after a user has been authenticated. At this point you have the choice between LDAP, identd,
401 Windows, Radius or local authentication methods. The web proxy can connect, for example to a
402 Microsoft Windows domain controller and only the users of that Windows domain can be granted access to the Internet.
403 </li>
404 <li>
405 <strong>Authorization:</strong> If Internet access needs to be limited to specific times of day,
406 or if it should even be completely disabled for any clients, this is easily configured through the
407 “network-based access control”, which can also be found on the IPFire web interface. A useful application for this feature is, for example, a school classroom.
408 </li>
409 <li>
410 <strong>Logging:</strong> Since each access through the proxy can be logged, the accessed content
411 can be examined later, and statistics and bills can be issued afterwards.
412 Using a log file analyzer named Calamaris, log files can be charted by varying criteria
413 on the IPFire web interface.
414 </li>
415 <li>
416 <strong>Bandwidth management:</strong> The download management function allows for control of the bandwidth
417 to specified zones. Thus, content-based throttling (for example for binary files, CD images or
418 multimedia content) is configurable with bandwidth limitations for individual zones or for each host
419 in a particular zone.
420 </li>
421 </ul>
422
423 <h4 class="secondHeadline">{{ _("Content filter") }}</h4>
424
425 <p class="copy">
426 SquidGuard is a URL filter add-on which is connected via the redirector mechanism of the proxy.
427 The heart of SquidGuard is something called a "blacklist." This is a content control list created by the official site. These lists contain a number of categorically-classified websites and can be kept up-to-date automatically. There are different, independent
428 sources for pre-built blacklists available, which allow filtering for, among other categories, adult
429 content, shopping, warez, social networking, or sites containing violent/abusive content.
430 </p>
431 <p class="copy">
432 Individual extensions for particular domains or URLs can be set up on the IPFire web interface for
433 blacklists and whitelists as well. IPFire also offers a blacklist editor that makes editing
434 and creating your own blacklists quite easy.
435 </p>
436 <p class="copy">
437 Possible areas of application for SquidGuard on IPFire are:
438 </p>
439 <ul>
440 <li>
441 Blocking or restricting Internet content conditionally by time, user and/or computer.
442 </li>
443 <li>
444 Preventing access to certain (e.g. youth-endangering) pages and content categories.
445 </li>
446 <li>
447 Hiding advertising.
448 </li>
449 </ul>
450
451
452 <h4 class="secondHeadline">{{ _("Update accelerator") }}</h4>
453
454 <p class="copy">
455 The Update Accelerator is a feature that can greatly accelerate deploying updates for operating systems.
456 All downloaded updates are cached and if requested another time, are delivered from the cache.
457 </p>
458 <p class="copy">
459 For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large numbers of computers (such as corporate networks).
460 </p>
461
462 <h4 class="secondHeadline">{{ _("Transparent virus scanner") }}</h4>
463
464 <p class="copy">
465 The package manager Pakfire offers the add-on SquidClamAV - a virus scanner for the web proxy. It checks all web traffic for viruses in real time, utilizing the ClamAV virus definitions and scanning engine.
466 </p>
467 <p class="copy">
468 The additional protection over a conventional virus scanner lies in the fact that the files are transparently checked before they ever reach the client machine and before the client machine's virus scan can be performed. So potentially-malicious files are blocked by
469 SquidClamAV before the client's actual download.
470 </p>
471 </section>
472
473 <div class="divider"></div>
474
475 <section id="crypto">
476 <h3 class="headline">{{ _("Cryptography") }}</h3>
477
478 <p class="copy">
479 Cryptography is one of the foundations for various services
480 like <a href="#vpn">VPNs</a> and secure communication on the Internet.
481 Therefore, IPFire is putting an emphasis on this topic.
482 </p>
483
484 <h4 class="secondHeadline">{{ _("Hardware Acceleration") }}</h4>
485
486 <p class="copy">
487 <span class="badge badge-success">IPFire 2.15 - Core Update 77</span>
488 IPFire can use various crypto processors like those found
489 in AMD Geode CPUs, the VIA Padlock or CPU extensions like AES-NI
490 of recent Intel and AMD CPUs.
491 These help us to achieve much better throughput wherever
492 data is sent through an encrypted tunnel.
493 </p>
494
495 <ul>
496 <li>
497 <a href="//wiki.ipfire.org/en/cryptography/hardware">
498 List of supported crypto hardware
499 </a>
500 </li>
501 </ul>
502
503 <h4 class="secondHeadline">{{ _("Random Number Generators") }}</h4>
504
505 <p class="copy">
506 <span class="badge badge-success">IPFire 2.15 - Core Update 77</span>
507 IPFire is also able to use various hardware random number generators
508 to seed the kernel's entropy pool. That entropy is needed to generate
509 secure keys and speeds up cryptographic operations as well.
510 </p>
511
512 <ul>
513 <li>
514 <a href="//wiki.ipfire.org/en/cryptography/entropy">
515 List of supported hardware random number generators
516 </a>
517 </li>
518 </ul>
519 </section>
520
521 <div class="divider"></div>
522
523 <section id="vpn">
524 <h3 class="headline">{{ _("VPN") }}</h3>
525 <h5 class="subheadline">{{ _("Virtual Private Networks") }}</h5>
526
527 <p class="copy">
528 IPFire also includes functionality to create virtual private networks (VPN).
529 A VPN is a gateway which connects remote networks to the local one using an
530 encrypted link.
531 Uses for a VPN include business connections to branch offices or datacenters,
532 as well as providing traveling staff with a secure portal to the corporate network.
533 </p>
534 <p class="copy">
535 IPFire uses both the IPsec and OpenVPN protocols,
536 giving administrators maximum flexibility when configuring their VPN.
537 Use of these protocols allows IPFire to connect to a variety of VPN endpoint
538 devices by manufacturers such as Cisco, Juniper, Checkpoint, etc.
539 </p>
540
541 <h4 class="secondHeadline">{{ _("IPsec") }}</h4>
542
543 <p class="copy">
544 IPsec is a widely-deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well.
545 </p>
546
547 <p class="copy">
548 In contrast to SSL-VPNs, IPsec is hard to set up. In IPFire, we
549 thought about how to make this technology easy to use and as a result, there
550 is a web user interface that handles all settings and takes care of the rest
551 of the configuration for you. It also keeps the tunnels alive and
552 re-establishes them automatically after a remote site has lost the connection. A secure connection to a branch office, a
553 business partner, or a home office is set up within a couple of minutes
554 and is compatible with all other implementations.
555 </p>
556
557 <p class="copy">
558 This high level of compatibility is achieved by using the free
559 implementation called
560 <a href="//www.strongswan.org" target="_blank">strongSwan</a>. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies
561 and Applications at the University of Applied Sciences Rapperswil, in
562 Switzerland. StrongSwan also works with all current, major operating systems, such as Microsoft
563 Windows 7, Microsoft Windows Vista and macOS.
564 </p>
565
566 <h4 class="secondHeadline">{{ _("OpenVPN") }}</h4>
567
568 <p class="copy">
569 OpenVPN is a frequently encountered and very popular representative
570 of the class of Open Source SSL VPNs.
571 Its relative ease of configuration has been made even easier
572 by the IPFire web interface. The firewall settings are controlled
573 by IPFire automatically, and the required certificates are
574 generated with a few mouse clicks and can be downloaded and distributed
575 as a very compact client package.
576 </p>
577 <p class="copy">
578 Due to its high compatibility with all sorts of operating systems,
579 such as Microsoft Windows, macOS, Linux, Android and many more,
580 it is perfectly suited to road warrior connections.
581 With those, it is easy to connect your laptop, phone, tablet or
582 other devices to your company network, which makes it easy to
583 work from anywhere in the world.
584 </p>
585 <p class="copy">
586 But besides connecting portable devices, OpenVPN can also be used
587 to securely connect branches to the headquarters.
588 This makes it easy to access resources on other networks
589 remotely without any complicated configuration on each client
590 on your local network.
591 </p>
592 </section>
593
594 <div class="divider"></div>
595
596 <section id="ids">
597 <h3 class="headline">{{ _("Intrusion detection system") }}</h3>
598
599 <p class="copy">
600 An Intrusion Detection System (or IDS) is a piece of software designed to detect attacks against computer systems
601 and networks. To do so, the IDS analyzes the network traffic and searches for attack patterns. If someone
602 scans the ports of the IPFire system to see which services are available, the IDS will immediately notice it.
603 </p>
604 <p class="copy">
605 An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions.
606 The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with
607 the portscan, the system would automatically block the attacker immediately in order to prevent further inquiries.
608 </p>
609 <p class="copy">
610 It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection
611 and Prevention System" (or IDPS). A very important representative of this kind of system is Snort, the free Network Intrusion Detection System
612 (NIDS). It analyzes the network traffic and if something abnormal happens, it will log the event. IPFire lets you
613 view these events in detail in the web interface.
614 </p>
615 <p class="copy">
616 For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.
617 </p>
618 <p class="copy">
619 An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about
620 incoming and outgoing network traffic and how to deal with it.
621 </p>
622 </section>
623
624 <div class="divider"></div>
625
626 <section id="qos">
627 <h3 class="headline">{{ _("Quality of Service") }}</h3>
628
629 <p class="copy">
630 Quality of Service (QoS) is able to preserve the quality of a service on one internet connection. This
631 means that on a highly-utilized internet connection, a service (for example VoIP) gets a stable amount of bandwidth
632 to transfer its information without delay and without loss. This is at the expense of the other
633 data flows on the line, which are tolerated, albeit transmitted more slowly (such as a file upload to an FTP server).
634 </p>
635 <p class="copy">
636 QoS does not only increase the functionality of real-time services, but also offers a little bit of overall improvement. For example:
637 </p>
638 <ul>
639 <li>
640 <strong>Connections establish much faster.</strong>
641 This works very well on busy links.
642 </li>
643 <li>
644 <strong>Connections are much more stable.</strong>
645 Every service gets a minimum, guaranteed amount of bandwidth.
646 </li>
647 </ul>
648 <p class="copy">
649 For the classification of the packets, a Level-7-Filter is used. It analyses the content as well as the source ports/IPs and destination ports/IPs of the packets. With that analysis, it will decide if it's a long download or a real-time
650 protocol and then subsequently determines the optimal use of the connection.
651 </p>
652 <p class="copy">
653 In a nutshell, QoS reduces the latency and packet loss of an
654 internet connection. This is certainly a function that you don't want to miss where bandwidth is limited.
655 </p>
656 </section>
657
658 <div class="divider"></div>
659
660 <section id="hardware">
661 <h3 class="headline">{{ _("Hardware") }}</h3>
662
663 <p class="copy">
664 Since IPFire is based on a recent version of the Linux kernel, it supports most
665 of the latest hardware such as 10Gbit network cards and a variety of wireless
666 hardware out of the box.
667 The IPFire developers are very concerned with the ability to run IPFire on as many
668 system variations as possible.
669 This helps IPFire to run on older or cheap hardware, as well as high-performance systems.
670 </p>
671 <p class="copy">
672 Minimum system requirements are an Intel Pentium I (i586),
673 512MB RAM and 2GB hard drive space.
674 </p>
675 <p class="copy">
676 Some add-ons have extra requirements to perform smoothly.
677 On a system that fits the hardware requirements, IPFire
678 is able to serve hundreds of clients simultaneously.
679 </p>
680
681 <h4 class="secondHeadline">Heads up: More architectures in development!</h4>
682 <p class="copy">
683 The IPFire project is always interested in creating systems
684 which save the environment. The ARM architecture consumes
685 much less power and certainly has a lot of potential.
686 </p>
687 <!-- <p class="copy">
688 More about this may be found on the
689 <a href="/features/ports/arm">ARM project page</a>.
690 </p> -->
691
692 <div class="row my-gallery" itemscope itemtype="http://schema.org/ImageGallery">
693 <figure class="col-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
694 <a class="thumbnail" href="{{ static_url("images/screenshots/en/hardware/hwtemp-1.png") }}" itemprop="contentUrl" data-size="756x432">
695 <img class="img-fluid" src="{{ static_url("images/screenshots/en/hardware/hwtemp-1_thumb.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
696 </a>
697 </figure>
698 </div>
699 </section>
700
701 <div class="divider"></div>
702
703 <section id="virtualization">
704 <h3 class="headline">{{ _("Virtualization") }}</h3>
705
706 <p class="copy">
707 IPFire ships with many front-end drivers for high-performance virtualization
708 and can be run as a virtual guest operating system on the following
709 virtualization platforms.
710 It has also been optimized for some of the most widely used ones to deliver
711 the best possible performance without impacting the hardware very much.
712 </p>
713
714 <h4 class="secondHeadline">Supported hypervisors</h4>
715 <ul>
716 <li>
717 <strong>KVM</strong><br>
718 <a href="//www.linux-kvm.org">KVM</a> is short for
719 Kernel-based Virtual Machine and is developed by
720 <a href="//www.redhat.com">Red Hat Inc.</a>.
721 It is becoming the most advanced hypervisor and is succeeding Xen, which
722 has been used so far.<br>
723 IPFire comes with the <em>virtio</em> kernel modules, which offer the best
724 performance due to very low virtualization overhead.
725 </li>
726 <li>
727 <strong>VMware</strong><br>
728 IPFire runs on different VMware products like <em>vSphere</em>,
729 <em>ESXi</em> and <em>VMware workstation</em>. The additional package
730 <em>open-vm-tools</em> offers tools for a better integration.
731 </li>
732 <li>
733 <strong>Xen</strong><br>
734 Xen was until recently the de-facto Open Source hypervisor but has now been
735 succeeded by KVM.<br>
736 IPFire can optionally be run with a paravirtualized kernel, which has very
737 low virtualization overhead as well. To make the installation very easy,
738 a pregenerated Xen image can be downloaded from the download page.
739 </li>
740 <li>
741 <strong>Others</strong><br>
742 IPFire is not limited to the hypervisors described above. It runs perfectly on
743 <em>Qemu</em>, <em>Microsoft Hyper-V</em> or <em>Oracle VirtualBox</em>, too.
744 </li>
745 </ul>
746
747 <h4 class="secondHeadline">A note on virtualization</h4>
748 <p class="copy">
749 Virtualization does have advantages, but it is not without disadvantages.
750 There is always the possibility that the VM container security can be
751 bypassed in some way and a hacker can gain access beyond the VM.
752 Because of this, it is not recommended to use IPFire as a virtual machine
753 in a production-level environment.
754 </p>
755
756 <div class="row my-gallery">
757 <figure class="col-sm-12 col-md-3" itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject">
758 <a class="thumbnail" href="{{ static_url("images/screenshots/en/virtualization/virt-manager-1.png") }}" itemprop="contentUrl" data-size="605x375">
759 <img class="img-fluid" src="{{ static_url("images/screenshots/en/virtualization/virt-manager-1_thumb.png") }}" itemprop="thumbnail" alt="{{ _("Screenshot") }}">
760 </a>
761 </figure>
762 </div>
763 </section>
764
765 <div class="divider"></div>
766
767 <section id="wlanap">
768 <h3 class="headline">{{ _("Wireless Access Point") }}</h3>
769
770 <p class="copy">
771 IPFire offers several options for the integration of wireless clients. First, an access point can
772 be connected via a LAN card. In this scenario, IPFire offers MAC/IP address filtering to allow only authorized
773 clients. The clients are allowed by default to access the Internet, but they are not allowed to access the local LAN.
774 The second option is to install a wireless LAN (WLAN) card in the IPFire machine that takes over the functionality of the access
775 point, using the add-on "hostapd". This add-on supports both unencrypted and WPA/WPA2-encrypted connections. The
776 use of 5 GHz (802.11a standard) is also possible if the wireless card supports it.
777 </p>
778 <p class="copy">
779 Wireless card support in IPFire is excellent. The drivers in the stable kernel are very up-to-date
780 and IPFire therefore supports a significant number of WLAN cards.
781 </p>
782 </section>
783 </div>
784 </div>
785 </div>
786 <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.11.0/umd/popper.min.js" integrity="sha384-b/U6ypiBEHpOf/4+1nzFpr53nxSS+GLCkfwBdFNTxtclqqenISfwAzpKaMNFNmj4" crossorigin="anonymous"></script>
787 <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/js/bootstrap.min.js" integrity="sha384-h0AbiXch4ZDo7tp9hKZ4TsHbi047NrKGLO3SEJAg45jXxnGIfYzk4Si90RDIqNm1" crossorigin="anonymous"></script>
788 <script>
789 $(document).ready(function () {
790 $('body').scrollspy({ target: '#sidebar', offset: 148 })
791
792 $('a[href^="#"]').on('click', function(event) {
793 var target = $(this.getAttribute('href'));
794 if( target.length ) {
795 event.preventDefault();
796 $('html, body').stop().animate({
797 scrollTop: target.offset().top -147
798 }, 750);
799 }
800 });
801 });
802 </script>
803
804 <!-- Gallery Lightbox -->
805 <!-- Root element of PhotoSwipe. Must have class pswp. -->
806 <div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
807
808 <!-- Background of PhotoSwipe.
809 It's a separate element, as animating opacity is faster than rgba(). -->
810 <div class="pswp__bg"></div>
811
812 <!-- Slides wrapper with overflow:hidden. -->
813 <div class="pswp__scroll-wrap">
814
815 <!-- Container that holds slides. PhotoSwipe keeps only 3 slides in DOM to save memory. -->
816 <!-- don't modify these 3 pswp__item elements, data is added later on. -->
817 <div class="pswp__container">
818 <div class="pswp__item"></div>
819 <div class="pswp__item"></div>
820 <div class="pswp__item"></div>
821 </div>
822
823 <!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
824 <div class="pswp__ui pswp__ui--hidden">
825 <div class="pswp__top-bar">
826
827 <!-- Controls are self-explanatory. Order can be changed. -->
828 <div class="pswp__counter"></div>
829 <button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
830 <button class="pswp__button pswp__button--share" title="Share"></button>
831 <button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
832 <button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>
833
834 <!-- Preloader demo https://codepen.io/dimsemenov/pen/yyBWoR -->
835 <!-- element will get class pswp__preloader--active when preloader is running -->
836 <div class="pswp__preloader">
837 <div class="pswp__preloader__icn">
838 <div class="pswp__preloader__cut">
839 <div class="pswp__preloader__donut"></div>
840 </div>
841 </div>
842 </div>
843 </div>
844
845 <div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
846 <div class="pswp__share-tooltip"></div>
847 </div>
848
849 <button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)"></button>
850 <button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)"></button>
851
852 <div class="pswp__caption">
853 <div class="pswp__caption__center"></div>
854 </div>
855 </div>
856 </div>
857 </div>
858 <script src="{{ static_url("js/photoswipe.min.js") }}"></script>
859 <script src="{{ static_url("js/photoswipe-ui-default.min.js") }}"></script>
860 <script src="{{ static_url("js/photoswipe-index.js") }}"></script>
861
862 <!-- Icons -->
863 <svg aria-hidden="true" style="display: none">
864 <symbol id="verified" viewBox="0 0 24 24">
865 <path d="M12 0L3 4v6c0 5.55 3.84 10.74 9 12 5.16-1.26 9-6.45 9-12V4l-9-4zm-2 16l-4-4 1.41-1.41L10 13.17l6.59-6.59L18 8l-8 8z"/>
866 </symbol>
867 <symbol id="warning" viewBox="0 0 24 24">
868 <path d="M1 20h22L12 1 1 20zm12-3h-2v-2h2v2zm0-4h-2V9h2v4z"/>
869 </symbol>
870 <symbol id="wifi" viewBox="0 0 24 24">
871 <path d="M1 8l2 2c4.97-4.97 13.03-4.97 18 0l2-2C16.93 1.93 7.08 1.93 1 8zm8 8l3 3 3-3a4.237 4.237 0 0 0-6 0zm-4-4l2 2a7.074 7.074 0 0 1 10 0l2-2C15.14 8.14 8.87 8.14 5 12z"/>
872 </symbol>
873 <symbol id="server" viewBox="0 0 24 24">
874 <path d="M13 18h1a1 1 0 0 1 1 1h7v2h-7a1 1 0 0 1-1 1h-4a1 1 0 0 1-1-1H2v-2h7a1 1 0 0 1 1-1h1v-2H4a1 1 0 0 1-1-1v-4a1 1 0 0 1 1-1h16a1 1 0 0 1 1 1v4a1 1 0 0 1-1 1h-7v2zM4 2h16a1 1 0 0 1 1 1v4a1 1 0 0 1-1 1H4a1 1 0 0 1-1-1V3a1 1 0 0 1 1-1zm5 4h1V4H9v2zm0 8h1v-2H9v2zM5 4v2h2V4H5zm0 8v2h2v-2H5z"/>
875 </symbol>
876 </svg>
877 {% end block %}