medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

site updates

Browse Source
This commit is contained in:
Whisker Jones
2024-05-05 10:38:02 -06:00
parent 0d2386870d
commit 7d794ad2f9
19 changed files with 7376 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
tech_docs/database/SQLite3.md Normal file
View File

@@ -0,0 +1,69 @@
Certainly! Working with SQLite3 in Python involves several key steps, from connecting to a SQLite database to performing database operations and finally closing the connection. Below is a basic outline and explanation of a Python script that uses SQLite3 for database operations. This script demonstrates how to define a database, connect to it, create a table, insert data, query data, and handle transactions with commit/rollback, and finally close the connection.
```python
import sqlite3
# Define and connect to the database
# This will create the database file if it does not already exist
conn = sqlite3.connect('example.db')
# Create a cursor object using the cursor() method
cursor = conn.cursor()
# Define a table
# If the table already exists, this command will be ignored
cursor.execute('''CREATE TABLE IF NOT EXISTS inventory
(item_id INTEGER PRIMARY KEY, name TEXT, quantity INTEGER)''')
# Insert data into the table
cursor.execute('''INSERT INTO inventory (name, quantity)
VALUES ('Apples', 30), ('Bananas', 45), ('Oranges', 20)''')
# Commit the transaction (if necessary)
# If you're performing operations that modify the data, you need to commit
conn.commit()
# Query the database
cursor.execute('''SELECT * FROM inventory''')
for row in cursor.fetchall():
print(row)
# Handling transactions with commit/rollback
try:
# Perform some database operations
cursor.execute('''UPDATE inventory SET quantity = 25 WHERE name = 'Apples' ''')
# More operations...
# Commit if everything is fine
conn.commit()
except sqlite3.Error as e:
# Rollback on error
print(f"An error occurred: {e}")
conn.rollback()
# Close the cursor and connection to the database
cursor.close()
conn.close()
```
Here's what each part of the script does:
1. **Import SQLite3**: The `sqlite3` module is imported to use SQLite database functionalities.
2. **Connect to Database**: The `connect` function is used to connect to an SQLite database. It takes the database file name as an argument. If the file doesn't exist, SQLite will create it.
3. **Creating a Cursor Object**: A cursor object is created using the `cursor()` method. The cursor is used to execute SQL commands.
4. **Create Table**: The `execute` method of the cursor is used to execute SQL commands. Here, it's used to create a new table if it doesn't already exist.
5. **Insert Data**: Inserts data into the table. SQLite supports inserting multiple records in a single command.
6. **Commit Transaction**: If you've performed operations that modify the database, you must commit these changes to make them permanent.
7. **Query Data**: Executes a SELECT statement to fetch all records from the table, which are then printed out.
8. **Handling Transactions with Commit/Rollback**: Demonstrates error handling in transactions. If an error occurs during a database operation, the changes are rolled back.
9. **Close Cursor and Connection**: Finally, the cursor and the connection to the database are closed.
This script forms a basic template for performing database operations with SQLite in Python. Depending on your needs, you can modify and expand upon this template, such as by adding more complex queries, using parameters in your SQL commands to avoid SQL injection, and handling more sophisticated error scenarios.

1103
tech_docs/database/sql_notes.md Normal file
View File

File diff suppressed because it is too large Load Diff

93
tech_docs/music/SoX_guide.md Normal file
View File

@@ -0,0 +1,93 @@
Creating a complete user guide for SoX involves covering a range of basic use cases to help you get started with this versatile audio processing tool. SoX is highly effective for tasks like format conversion, audio effects application, and general sound manipulation, making it a go-to utility for both beginners and advanced users comfortable with the command line.
### Installation
First, ensure SoX is installed on your system. It's available in most Linux distributions' package repositories.
For Debian-based systems (like Ubuntu), use:
```bash
sudo apt-get install sox
```
For Red Hat-based systems, use:
```bash
sudo yum install sox
```
### Basic Operations
#### 1. Converting Audio Formats
SoX can convert audio files between various formats. For example, to convert an MP3 file to a WAV file:
```bash
sox input.mp3 output.wav
```
#### 2. Playing Audio Files
SoX can play audio files directly from the command line:
```bash
play filename.mp3
```
#### 3. Recording Audio
To record audio with SoX, use the `rec` command. This example records a 5-second audio clip from the default recording device:
```bash
rec -d 5 myrecording.wav
```
### Applying Effects
#### 1. Changing Volume
To increase or decrease the volume of an audio file, use the `vol` effect:
```bash
sox input.mp3 output.mp3 vol 2dB
```
#### 2. Applying Reverb
Add reverb to an audio file with:
```bash
sox input.wav output.wav reverb
```
#### 3. Trimming Audio
Trim an audio file to only include a specific portion (e.g., start at 10 seconds and end at 20 seconds):
```bash
sox input.mp3 output.mp3 trim 10 10
```
#### 4. Combining Audio Files
Concatenate two or more audio files into one:
```bash
sox input1.mp3 input2.mp3 output.mp3
```
### Advanced Features
#### 1. Applying Multiple Effects
You can chain multiple effects in a single command:
```bash
sox input.mp3 output.mp3 reverb vol 2dB trim 0 30
```
#### 2. Noise Reduction
To reduce noise, first capture a noise profile:
```bash
sox noise-audio.wav -n noiseprof noise.prof
```
Then apply the noise reduction:
```bash
sox input.wav output.wav noisered noise.prof 0.3
```
#### 3. Spectrogram
Generate a spectrogram of an audio file:
```bash
sox input.mp3 -n spectrogram -o output.png
```
### Tips and Tricks
- **Chain Effects**: SoX allows for complex processing chains that combine multiple effects, optimizing the processing flow.
- **Scripting**: Integrate SoX commands into shell scripts for batch processing or automated audio manipulation tasks.
- **Documentation**: For more detailed information on all SoX capabilities and effects, consult the SoX man page or the official SoX documentation by running `man sox` or visiting [SoX - Sound eXchange](http://sox.sourceforge.net/).
SoX is an exceptionally powerful tool for audio processing, offering a wide range of functionality from basic to advanced audio manipulation and analysis. Experimenting with its various options and effects can help you achieve precisely the audio outcomes you need.

228
tech_docs/music/SuperCollider.md Normal file
View File

@@ -0,0 +1,228 @@
Great choice! SuperCollider is a powerful tool for music production and sound synthesis. Here's a framework you can follow to get started with creating projects in SuperCollider, focusing on beat making, melodies, and other music production functions:
1. Learn the basics of SuperCollider:
- Familiarize yourself with the SuperCollider environment and its key components: the language (SCLang) and the server (scsynth).
- Understand the basic syntax and structure of SCLang, which is similar to Python in some ways.
- Explore the built-in UGens (Unit Generators) and their functionalities for audio synthesis and processing.
2. Set up your SuperCollider environment:
- Install SuperCollider on your computer and ensure it runs properly.
- Choose an IDE or text editor for writing SuperCollider code (e.g., the built-in IDE, Atom, or Vim).
- Test your audio output and configure any necessary audio settings.
3. Learn the fundamentals of sound synthesis:
- Study the different synthesis techniques available in SuperCollider, such as subtractive, additive, FM, and granular synthesis.
- Experiment with creating basic waveforms, envelopes, and filters to shape your sounds.
- Understand the concepts of oscillators, amplitudes, frequencies, and modulation.
4. Dive into rhythm and beat making:
- Learn how to create rhythmic patterns using SuperCollider's timing and sequencing capabilities.
- Explore the Pbind and Pmono classes for creating patterns and sequences.
- Experiment with different drum synthesis techniques, such as using noise generators, envelopes, and filters to create kick drums, snares, hi-hats, and other percussive sounds.
5. Explore melody and harmony:
- Learn how to create melodic patterns and sequences using SuperCollider's pitch and scale functions.
- Experiment with different waveforms, envelopes, and effects to create various instrument sounds, such as synths, pads, and leads.
- Understand the concepts of scales, chords, and musical intervals to create harmonically pleasing melodies.
6. Incorporate effects and processing:
- Explore the wide range of audio effects available in SuperCollider, such as reverb, delay, distortion, and compression.
- Learn how to apply effects to individual sounds or entire mixtures using the SynthDef and Synth classes.
- Experiment with creating custom effects chains and modulating effect parameters in real-time.
7. Structure and arrange your music:
- Learn how to organize your musical elements into a structured composition using SuperCollider's Patterns and Routines.
- Explore techniques for arranging and transitioning between different sections of your track, such as verse, chorus, and bridge.
- Utilize automation and parameter modulation to add variation and movement to your arrangements.
8. Experiment, iterate, and refine:
- Practice creating different genres and styles of EDM using SuperCollider.
- Iterate on your patches and compositions, fine-tuning sounds, rhythms, and arrangements.
- Seek feedback from the SuperCollider community, share your creations, and learn from others' techniques and approaches.
Remember to refer to the SuperCollider documentation, tutorials, and community resources as you progress through your projects. The SuperCollider website (https://supercollider.github.io/) provides extensive documentation, guides, and examples to help you along the way.
Start with simple projects and gradually increase complexity as you become more comfortable with SuperCollider's concepts and workflow. Don't hesitate to experiment, explore, and have fun while creating your music!
---
Certainly! Let's dive into mastering sound synthesis basics, rhythm and beat production, and crafting melodies and harmonies in SuperCollider.
**Mastering Sound Synthesis Basics:**
1. Synthesis Techniques:
- Subtractive Synthesis: This technique starts with a harmonically rich waveform (e.g., sawtooth or square wave) and then filters out certain frequencies to shape the sound. It's often used for creating warm pads, lush strings, and smooth basslines.
Example: `{RLPF.ar(Saw.ar(440), LFNoise1.kr(1).range(200, 5000), 0.1)}.play`
- FM Synthesis: Frequency Modulation synthesis involves modulating the frequency of one oscillator (carrier) with another oscillator (modulator). FM synthesis is known for creating complex, dynamic, and evolving timbres, such as metallic sounds, bells, and percussive hits.
Example: `{SinOsc.ar(440 + SinOsc.ar(1, 0, 100, 100), 0, 0.5)}.play`
- Additive Synthesis: This technique combines multiple sine waves at different frequencies and amplitudes to create complex timbres. It's useful for creating rich, harmonically dense sounds like organs, brass, and unique textures.
Example: `{Mix.fill(5, {|i| SinOsc.ar(440 * (i + 1), 0, 1 / (i + 1))})}.play`
2. Practical Exercise:
- Create a simple sine wave:
`{SinOsc.ar(440, 0, 0.5)}.play`
- Create a noise burst:
`{WhiteNoise.ar(0.5) * EnvGen.kr(Env.perc(0.01, 0.1), doneAction: 2)}.play`
**Rhythm and Beat Production:**
1. Building a Basic Drum Pattern:
- Here's an example of creating a simple drum pattern using `Pbind` and `SynthDef`:
```supercollider
SynthDef(\kick, {|amp = 0.5, freq = 60|
var sig = SinOsc.ar(freq, 0, amp) * EnvGen.kr(Env.perc(0.01, 0.5), doneAction: 2);
Out.ar(0, sig ! 2);
}).add;
SynthDef(\snare, {|amp = 0.5|
var sig = WhiteNoise.ar(amp) * EnvGen.kr(Env.perc(0.01, 0.2), doneAction: 2);
Out.ar(0, sig ! 2);
}).add;
Pbind(
\instrument, \kick,
\dur, Pseq([1, 1, 1, 1], inf),
\amp, 0.6
).play;
Pbind(
\instrument, \snare,
\dur, Pseq([Rest(1), 1, Rest(1), 1], inf),
\amp, 0.4
).play;
```
2. Rhythmic Complexity and Timing:
- Use `Pbind` with `Pseq` and `Prand` to create dynamic and evolving rhythms:
```supercollider
Pbind(
\instrument, \kick,
\dur, Pseq([1, 0.5, 0.5, Prand([1, 0.5], 1)], inf),
\amp, 0.6
).play;
```
**Crafting Melodies and Harmonies:**
1. Constructing Melodies:
- Use scale and pitch classes to create melodic patterns:
```supercollider
var scale = Scale.major.degrees;
var melody = Pbind(
\instrument, \synth,
\freq, Pseq(scale.collect({|degree| degree + 60}), inf),
\dur, 0.25,
\amp, 0.4
).play;
```
2. Harmony and Chords:
- Generate chords and progressions using chord degrees and intervals:
```supercollider
var chords = [
[0, 2, 4], // I chord
[2, 4, 6], // II chord
[4, 6, 8] // III chord
];
var progression = Pbind(
\instrument, \synth,
\freq, Pseq(chords.collect({|chord| chord.collect({|degree| degree + 60})}), inf),
\dur, 2,
\amp, 0.4
).play;
```
Remember to experiment, explore, and build upon these examples to create your own unique sounds and compositions in SuperCollider. Happy music-making!
---
Certainly! Here's a guide to producing down tempo music in minor keys using SuperCollider, incorporating the previously discussed mathematical concepts and ratios:
I. Harmony and Chord Progressions
A. Use the `Scale` class to generate minor scales and chords
1. `Scale.minor` for natural minor
2. `Scale.harmonicMinor` for harmonic minor
3. `Scale.melodicMinor` for melodic minor
B. Utilize `Pseq` and `Prand` to create chord progressions
C. Experiment with `Pswitch` and `Pif` to incorporate chromatic mediants
II. Rhythm and Tempo
A. Use `TempoClock` to set the tempo between 60-90 BPM
B. Utilize `Pbind` to create rhythmic patterns and polyrhythms
1. `\dur` for note durations (e.g., `Pseq([1/3, 1/6], inf)` for triplets against eighth notes)
2. `\stretch` for rhythmic variations (e.g., `Pseq([2/3, 1/3], inf)` for dotted eighth notes against quarter notes)
C. Apply swing using `Pswing` or by manipulating durations
III. Sound Design and Frequencies
A. Use `SinOsc`, `Saw`, `Pulse`, and other UGens for basic waveforms
B. Apply `RLPF`, `RHPF`, and `BPF` filters to focus on specific frequency ranges
C. Create layered textures using `Splay`, `Mix`, and `Splay`
D. Utilize the golden ratio for amplitude envelopes and modulation depths
IV. Arrangement and Structure
A. Use the Fibonacci sequence for section lengths and transitions with `Pn`, `Pfin`, and `Pdef`
B. Create tension and release by alternating between sections using `Pseq` and `Ppar`
C. Use the rule of thirds for placing key elements and transitions with `Quant`
V. Mixing and Mastering
A. Apply `AmpComp` and `FreqShift` to balance frequencies based on equal loudness contours
B. Use `Pan2` and `PanAz` for panning, following the "rule of sixths"
C. Adjust dynamics using `Compander`, `Limiter`, and `Normalizer`
D. Utilize `Meter` and `Loudness` UGens to monitor and control the dynamic range
VI. Example Code
```supercollider
(
// Minor scale and chord progression
~scale = Scale.minor;
~chords = ~scale.degrees.collect(_.chord);
~progression = Pseq([0, 3, 4, 0], inf);
// Rhythm and tempo
~tempo = 72;
~rhythmPattern = Pseq([2/3, 1/3], inf);
// Sound design and frequencies
~synthDef = SynthDef(\pad, {
|freq = 440, amp = 0.5, cutoff = 500, rq = 0.5|
var osc1 = Saw.ar(freq);
var osc2 = Pulse.ar(freq * (1 + MouseX.kr(-0.1, 0.1)));
var env = EnvGen.kr(Env.perc(0.01, 1.618), doneAction: 2);
var filter = RLPF.ar(osc1 + osc2, cutoff * env, rq);
Out.ar(0, Pan2.ar(filter * env * amp));
}).add;
// Arrangement and structure
~sections = [
Pn(Ppar([
Pbind(\instrument, \pad, \freq, Pseq((~chords[0] + 60).midicps, 1), \dur, 4),
Pbind(\instrument, \pad, \freq, Pseq((~chords[3] + 48).midicps, 1), \dur, 4),
]), 8),
Pn(Ppar([
Pbind(\instrument, \pad, \freq, Pseq((~chords[4] + 60).midicps, 1), \dur, 4),
Pbind(\instrument, \pad, \freq, Pseq((~chords[0] + 48).midicps, 1), \dur, 4),
]), 13),
];
// Mixing and mastering
~master = {
var sig = In.ar(0, 2);
sig = CompanderD.ar(sig, 0.5, 1, 0.3, 0.01, 0.1);
sig = Limiter.ar(sig, 0.9, 0.01);
sig = Splay.ar(sig);
sig = Loudness.ar(sig);
Out.ar(0, sig * 0.8);
}.play;
// Play the sections
~sections[0].play(TempoClock(~tempo / 60));
~sections[1].play(TempoClock(~tempo / 60), quant: [8]);
)
```
Remember to experiment with different UGens, patterns, and parameters to achieve your desired sound. SuperCollider provides a powerful and flexible environment for creating generative and algorithmic music, so don't hesitate to explore and customize the code to suit your needs.

127
tech_docs/networking/CCNA-exam-prep.md Normal file
View File

@@ -0,0 +1,127 @@
# CCNA 200-301 Official Cert Guide, Volume 1 Study Reference
## Introduction
- Overview of CCNA 200-301
- Study Plan Guidelines
## Part I: Introduction to Networking
# CCNA 200-301 Official Cert Guide, Volume 1 - Study Reference
## Part I: Introduction to Networking
### Chapter 1: Introduction to TCP/IP Networking
- **"Do I Know This Already?" Quiz**
- **Foundation Topics**
- Perspectives on Networking
- TCP/IP Networking Model
- History Leading to TCP/IP
- Overview of the TCP/IP Networking Model
- TCP/IP Application Layer
- HTTP Overview
- HTTP Protocol Mechanisms
- TCP/IP Transport Layer
- TCP Error Recovery Basics
- Same-Layer and Adjacent-Layer Interactions
- TCP/IP Network Layer
- Internet Protocol and the Postal Service
- Internet Protocol Addressing Basics
- IP Routing Basics
- TCP/IP Data-Link and Physical Layers
- Data Encapsulation Terminology
- Names of TCP/IP Messages
- OSI Networking Model and Terminology
- Comparing OSI and TCP/IP Layer Names and Numbers
- OSI Data Encapsulation Terminology
- **Chapter Review**
### Chapter 2: Fundamentals of Ethernet LANs
- **"Do I Know This Already?" Quiz**
- **Foundation Topics**
- An Overview of LANs
- Typical SOHO LANs
- Typical Enterprise LANs
- The Variety of Ethernet Physical Layer Standards
- Consistent Behavior over All Links Using the Ethernet Data-Link Layer
- Building Physical Ethernet LANs with UTP
- Transmitting Data Using Twisted Pairs
- Breaking Down a UTP Ethernet Link
- UTP Cabling Pinouts for 10BASE-T and 100BASE-T
- Straight-Through Cable Pinout
- Choosing the Right Cable Pinouts
- UTP Cabling Pinouts for 1000BASE-T
- Building Physical Ethernet LANs with Fiber
- Fiber Cabling Transmission Concepts
- Using Fiber with Ethernet
- Sending Data in Ethernet Networks
- Ethernet Data-Link Protocols
- Ethernet Addressing
- Identifying Network Layer Protocols with the Ethernet Type Field
- Error Detection with FCS
- Sending Ethernet Frames with Switches and Hubs
- Sending in Modern Ethernet LANs Using Full Duplex
- Using Half Duplex with LAN Hubs
- **Chapter Review**
### Chapter 3: Fundamentals of WANs and IP Routing
- **Part I Review**
## Part II: Implementing Ethernet LANs
### Chapter 4: Using the Command-Line Interface
### Chapter 5: Analyzing Ethernet LAN Switching
### Chapter 6: Configuring Basic Switch Management
### Chapter 7: Configuring and Verifying Switch Interfaces
- **Part II Review**
## Part III: Implementing VLANs and STP
### Chapter 8: Implementing Ethernet Virtual LANs
### Chapter 9: Spanning Tree Protocol Concepts
### Chapter 10: RSTP and EtherChannel Configuration
- **Part III Review**
## Part IV: IPv4 Addressing
### Chapter 11: Perspectives on IPv4 Subnetting
### Chapter 12: Analyzing Classful IPv4 Networks
### Chapter 13: Analyzing Subnet Masks
### Chapter 14: Analyzing Existing Subnets
- **Part IV Review**
## Part V: IPv4 Routing
### Chapter 15: Operating Cisco Routers
### Chapter 16: Configuring IPv4 Addresses and Static Routes
### Chapter 17: IP Routing in the LAN
### Chapter 18: Troubleshooting IPv4 Routing
- **Part V Review**
## Part VI: OSPF
### Chapter 19: Understanding OSPF Concepts
### Chapter 20: Implementing OSPF
### Chapter 21: OSPF Network Types and Neighbors
- **Part VI Review**
## Part VII: IP Version 6
### Chapter 22: Fundamentals of IP Version 6
### Chapter 23: IPv6 Addressing and Subnetting
### Chapter 24: Implementing IPv6 Addressing on Routers
### Chapter 25: Implementing IPv6 Routing
- **Part VII Review**
## Part VIII: Wireless LANs
### Chapter 26: Fundamentals of Wireless Networks
### Chapter 27: Analyzing Cisco Wireless Architectures
### Chapter 28: Securing Wireless Networks
### Chapter 29: Building a Wireless LAN
- **Part VIII Review**
## Part IX: Appendixes and Online Resources
- Appendix A: Numeric Reference Tables
- Appendix B: CCNA 200-301, Volume 1 Exam Updates
- Appendix C: Answers to Quizzes
- Glossary
- Index
- Online Appendixes (D to R) for additional practice and topics
### **Study Tips**
- Regularly review each part and complete associated quizzes.
- Utilize online appendixes for practical exercises.
- Follow the study planner for systematic progress.
- Engage with study aids like the glossary and index for quick references.

197
tech_docs/networking/NordVPN.md Normal file
View File

@@ -0,0 +1,197 @@
Absolutely, lets streamline the steps to set up NordVPN on a fresh OpenWrt device using CLI commands. This guide assumes you have basic knowledge of how to access your router via SSH and that OpenWrt is already installed on your device.
### Step 1: Access Your Router
Connect to your router via SSH:
```bash
ssh root@192.168.1.1
```
Replace `192.168.1.1` with your router's IP address if it has been changed from the default.
### Step 2: Update and Install Necessary Packages
Update the package manager and install OpenVPN and the necessary IP utilities:
```bash
opkg update
opkg install openvpn-openssl ip-full
```
### Step 3: Download and Set Up NordVPN Configuration Files
Choose a NordVPN server that you want to connect to and download its OpenVPN UDP configuration. You can find server configurations on the NordVPN website.
1. **Download a server config file directly to your router**:
Replace `SERVERNAME` with your chosen server's name.
```bash
wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/SERVERNAME.udp.ovpn
```
2. **Rename the downloaded configuration file for easier management**:
```bash
mv /etc/openvpn/SERVERNAME.udp.ovpn /etc/openvpn/nordvpn.ovpn
```
### Step 4: Configure VPN Credentials
NordVPN requires authentication with your service credentials.
1. **Create a credentials file**:
Open a new file using `nano`:
```bash
nano /etc/openvpn/credentials
```
Enter your NordVPN username and password, each on a separate line. Save and close the editor.
2. **Modify the NordVPN configuration file to use the credentials file**:
```bash
sed -i 's/auth-user-pass/auth-user-pass \/etc\/openvpn\/credentials/' /etc/openvpn/nordvpn.ovpn
```
### Step 5: Enable and Start OpenVPN
1. **Automatically start OpenVPN with the NordVPN configuration on boot**:
```bash
echo 'openvpn --config /etc/openvpn/nordvpn.ovpn &' >> /etc/rc.local
```
2. **Start OpenVPN manually for the first time**:
```bash
/etc/init.d/openvpn start
```
### Step 6: Configure Network and Firewall
Ensure the VPN traffic is properly routed and the firewall is configured to allow it.
1. **Edit the network configuration**:
Add a new interface for the VPN:
```bash
uci set network.vpn0=interface
uci set network.vpn0.ifname='tun0'
uci set network.vpn0.proto='none'
uci commit network
```
2. **Set up the firewall to allow traffic from LAN to the VPN**:
```bash
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].network='vpn0'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci commit firewall
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
uci commit firewall
```
3. **Restart the firewall to apply changes**:
```bash
/etc/init.d/firewall restart
```
### Step 7: Test the Connection
Check if the VPN connection is active and working:
```bash
ping -c 4 google.com
```
You should now be connected to NordVPN through your OpenWrt router using the configured OpenVPN setup. This streamlined guide ensures you have a clear path through the configuration process with easy-to-follow CLI commands.
---
The CLI instructions you're interested in offer a more hands-on approach to setting up NordVPN on an OpenWrt router. This method is ideal if you're comfortable using the command line and want more control over the VPN configuration. Here's a simplified version of the process, broken down into manageable steps:
### 1. Access Router via SSH
Connect to your OpenWrt router using SSH. The default IP is usually `192.168.1.1` unless you have changed it. The default username is `root`.
### 2. Install Necessary Packages
Update your package list and install the required OpenVPN packages:
```bash
opkg update
opkg install openvpn-openssl ip-full luci-app-openvpn
```
(Optional) Install `nano` for easier file editing:
```bash
opkg install nano
```
### 3. Download OpenVPN Configuration
Use NordVPN's server recommendation tool to find the best server and download its configuration file directly to your router:
```bash
wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/[server-name].udp.ovpn
```
Replace `[server-name]` with the actual server name, such as `uk2054.nordvpn.com`.
### 4. Configure OpenVPN
Edit the downloaded .ovpn file to include your NordVPN credentials:
```bash
nano /etc/openvpn/[server-name].udp.ovpn
```
Modify the `auth-user-pass` line to point to a credentials file:
```plaintext
auth-user-pass /etc/openvpn/credentials
```
Create the credentials file:
```bash
echo "YourUsername" > /etc/openvpn/credentials
echo "YourPassword" >> /etc/openvpn/credentials
chmod 600 /etc/openvpn/credentials
```
### 5. Enable OpenVPN to Start on Boot
Ensure OpenVPN starts automatically with your router:
```bash
/etc/init.d/openvpn enable
```
### 6. Set Up Networking and Firewall
Create a new network interface for the VPN and configure the firewall to route traffic through the VPN:
**Network Interface Configuration:**
```bash
uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network
```
**Firewall Configuration:**
```bash
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
```
### 7. Configure DNS
Change DNS settings to use NordVPN DNS or another preferred DNS service:
```bash
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit
```
### 8. Prevent Traffic Leakage (Optional)
To enhance security, add custom rules to block all traffic if the VPN disconnects:
```bash
echo "if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT; fi" >> /etc/firewall.user
```
### 9. Start the VPN
Start the OpenVPN service and verify it's running properly:
```bash
/etc/init.d/openvpn start
```
### 10. Check Connection Status
Visit NordVPN's homepage or another site like `ipinfo.io` to check your IP address and ensure your traffic is routed through the VPN.
This setup should give you a robust and secure VPN connection on your OpenWrt router using NordVPN. If you encounter any issues, you may need to review the configuration steps or consult NordVPN's support for further troubleshooting.

229
tech_docs/networking/OpenWrt.md Normal file
View File

@@ -0,0 +1,229 @@
```bash
pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 \
--password fuzzy817 --tag network --storage local-lvm --memory 256 --swap 128 \
--rootfs local-lvm:1,size=512M --net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1 --cores 1 --cpuunits 500 --onboot 1 --debug 0
```
```bash
pct start 100
```
```bash
pct create 110 /var/lib/vz/template/cache/kali-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 \
--password fuzzy817 --tag tools --storage zfs-disk0 --cores 2 \
--memory 2048 --swap 1024 --rootfs local-lvm:1,size=64G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --cpuunits 1500 --onboot 1 \
--debug 0 --features nesting=1,keyctl=1
```
```bash
pct start 110
```
```bash
pct create 120 /var/lib/vz/template/cache/alpine-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 \
--password fuzzy817 --tag docker --storage local-lvm --cores 2 \
--memory 1024 --swap 256 --rootfs local-lvm:1,size=8G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --cpuunits 1000 --onboot 1 \
--debug 0 --features nesting=1,keyctl=1
```
```bash
pct start 120
```
---
# Proxmox Container Setup Guide
## Introduction
This guide provides detailed instructions for configuring OpenWRT, Alpine Linux, and Kali Linux containers on a Proxmox VE environment. Each section covers the creation, configuration, and basic setup steps necessary to get each type of container up and running, tailored for use in a lab setting.
## Links
- [Split A GPU Between Multiple Computers - Proxmox LXC (Unprivileged)](https://youtu.be/0ZDr5h52OOE?si=F4RVd5mA5IRjrpXU)
- [Must-Have OpenWrt Router Setup For Your Proxmox](https://youtu.be/3mPbrunpjpk?si=WofNEJUZL4FAw7HP)
- [Docker on Proxmox LXC 🚀 Zero Bloat and Pure Performance!](https://youtu.be/-ZSQdJ62r-Q?si=GCXOEsKnOdm6OIiz)
## Prerequisites
- Proxmox VE installed on your server
- Access to Proxmox web interface or command-line interface
- Container templates downloaded (OpenWRT, Alpine, Kali Linux)
## Container Configuration
### OpenWRT Container Setup
#### Description
This section details setting up an OpenWRT container designed for network routing and firewall tasks.
#### Create and Configure the OpenWRT Container
```bash
pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 \
--password <password> --tag network --storage local-lvm --memory 256 --swap 128 \
--rootfs local-lvm:1,size=512M --net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1 --cores 1 --cpuunits 500 --onboot 1 --debug 0
```
#### Start the Container and Access the Console
```bash
pct start 100
pct console 100
```
#### Update and Install Packages
```bash
opkg update
opkg install qemu-ga
reboot
```
#### Network and Firewall Configuration
Configure network settings and firewall rules:
```bash
vi /etc/config/network
/etc/init.d/network restart
vi /etc/config/firewall
/etc/init.d/firewall restart
# Setting up firewall rules using UCI
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
```
### Alpine Container Setup
#### Description
Set up an Alpine Linux container optimized for running Docker, ensuring lightweight deployment and management of Docker applications.
#### Create and Configure the Alpine Container
```bash
pct create 120 /var/lib/vz/template/cache/alpine-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 \
--password <password> --tag docker --storage local-lvm --cores 2 \
--memory 1024 --swap 256 --rootfs local-lvm:1,size=8G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --keyctl 1 --nesting 1 \
--cpuunits 1000 --onboot 1 --debug 0
```
#### Enter the Container
```bash
pct enter 120
```
#### System Update and Package Installation
Enable community repositories and install essential packages:
```bash
sed -i '/^#.*community/s/^#//' /etc/apk/repositories
apk update && apk upgrade
apk add qemu-guest-agent docker openssh sudo
```
#### Start and Enable Docker Service
```bash
rc-service docker start
rc-update add docker default
```
#### Configure Network
Set up network interfaces and restart networking services:
```bash
setup-interfaces
service networking restart
```
#### Configure and Start SSH Service
```bash
rc-update add sshd
service sshd start
vi /etc/ssh/sshd_config
service sshd restart
```
#### Create a System User and Add to Docker Group and Sudoers
```bash
adduser -s /bin/ash medusa
addgroup medusa docker
echo "medusa ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/medusa
```
#### Test Docker Installation
```bash
docker run hello-world
```
```bash
docker volume create portainer_data
```
```bash
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
```
```markdown
[Portainer Dashboard](https://localhost:9443)
```
### Kali Linux Container Setup
#### Description
Configure a Kali Linux container tailored for security testing and penetration testing tools.
#### Create and Configure the Kali Linux Container
```bash
pct create 110 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 \
--password <password> --tag tools --storage local-lvm --cores 2 \
--memory 2048 --swap 1024 --rootfs local-lvm:1,size=10G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --cpuunits 1500 --onboot 1 \
--debug 0 --features nesting=1,keyctl=1
```
## Conclusion
Follow these steps to successfully set up and configure OpenWRT, Alpine, and Kali Linux containers on Proxmox. Adjust configurations according to your specific needs and ensure all passwords are secure before deploying containers in a production environment.
```bash
pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 \
--password <password> --tag network --storage local-lvm --memory 256 --swap 128 \
--rootfs local-lvm:1,size=512M --net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1 --cores 1 --cpuunits 500 --onboot 1 --debug 0
```
```bash
pct create 110 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 \
--password <password> --tag tools --storage local-lvm --cores 2 \
--memory 2048 --swap 1024 --rootfs local-lvm:1,size=10G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --cpuunits 1500 --onboot 1 \
--debug 0 --features nesting=1,keyctl=1
```
```bash
pct create 120 /var/lib/vz/template/cache/alpine-rootfs.tar.xz \
--unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 \
--password <password> --tag docker --storage local-lvm --cores 2 \
--memory 1024 --swap 256 --rootfs local-lvm:1,size=8G \
--net0 name=eth0,bridge=vmbr0,firewall=1 --keyctl 1 --nesting 1 \
--cpuunits 1000 --onboot 1 --debug 0
```

99
tech_docs/networking/SOAR_lab.md Normal file
View File

@@ -0,0 +1,99 @@
Creating a security operations environment with Wazuh and integrating Shuffle SOAR can greatly enhance your ability to monitor, analyze, and respond to threats in real time. Here's a consolidated reference guide to get you started, detailing the components needed, benefits, and areas of focus relevant today and into the future.
### Getting Started with Wazuh
**Installation and Configuration:**
- **Wazuh Server Setup:** Begin by installing the Wazuh server, which involves adding the Wazuh repository to your system, installing the Wazuh manager, and configuring Filebeat for log forwarding【5†source】.
- **Component Overview:** Wazuh consists of a universal agent, Wazuh server (manager), Wazuh indexer, and Wazuh dashboard for visualizing the data【6†source】【7†source】.
### Integrating Shuffle SOAR
**Setup and Integration:**
- **Configuring Wazuh for Shuffle:** Configure Wazuh to forward alerts in JSON format to Shuffle by setting up an integration block in the `ossec.conf` file of the Wazuh manager【13†source】【14†source】.
- **Creating Workflows in Shuffle:** Use Shuffle to create workflows that will process the Wazuh alerts. You can automate various security operations based on the type of alerts received, such as disabling a user account in response to detected threats【13†source】.
### Key Components and Benefits
- **Unified Security Monitoring:** Wazuh provides a comprehensive platform for threat detection, incident response, and compliance monitoring across your environment.
- **Automation and Response:** Shuffle SOAR enables the automation of security operations, reducing response times to threats and freeing up resources for other critical tasks.
- **Flexibility and Scalability:** Both Wazuh and Shuffle are designed to be scalable and flexible, allowing for customization according to specific organizational needs.
### Areas of Focus
1. **Threat Detection and Response:** Leveraging Wazuh's detection capabilities with Shuffle's automated workflows can significantly improve the efficiency of threat detection and response mechanisms.
2. **Compliance and Auditing:** Wazuh's comprehensive monitoring and logging capabilities are invaluable for meeting compliance requirements and conducting audits.
3. **Security Orchestration:** The integration of SOAR tools like Shuffle into security operations centers (SOCs) is becoming increasingly important for orchestrating responses to security incidents.
4. **Cloud Security:** With the shift towards cloud environments, focusing on cloud-specific security challenges and integrating cloud-native tools into your security stack is crucial.
### Looking Ahead
- **Machine Learning and AI:** Incorporating machine learning and AI for anomaly detection and predictive analytics will become more prevalent, offering advanced threat detection capabilities.
- **Zero Trust Architecture:** Implementing Zero Trust principles, supported by continuous monitoring and verification from solutions like Wazuh, will be critical for securing modern networks.
- **Enhanced Automation:** The future lies in further automating security responses and operational tasks, reducing the time from threat detection to resolution.
### Conclusion
By integrating Wazuh with Shuffle SOAR, organizations can create a robust security operations framework capable of addressing modern security challenges. This guide serves as a starting point for building and enhancing your security posture with these powerful tools. As you implement and scale your operations, keep abreast of emerging technologies and security practices to ensure your environment remains secure and resilient against evolving threats.
---
Given the topics covered, here are several labs and learning experiences designed to enhance your skills with Wazuh and Shuffle SOAR, particularly within a virtualized environment using KVM and isolated bridge networks. These exercises aim to provide hands-on experience, from basic setups to more advanced integrations and security practices.
### Lab 1: Basic Wazuh Server and Agent Setup
**Objective:** Install and configure a basic Wazuh server and agent setup within a KVM virtualized environment.
**Tasks:**
1. Create a VM for the Wazuh server on KVM, ensuring it is connected to an isolated bridge network.
2. Install the Wazuh server on this VM, following the [official documentation](https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html).
3. Create another VM for the Wazuh agent, connected to the same isolated bridge network.
4. Install the Wazuh agent and register it with the Wazuh server.
**Learning Outcome:** Understand the process of setting up Wazuh in a virtualized environment and the basic communication between server and agent.
### Lab 2: Advanced Wazuh Features Exploration
**Objective:** Explore advanced features of Wazuh, such as rule writing, log analysis, and file integrity monitoring.
**Tasks:**
1. Write custom detection rules for simulated threats (e.g., unauthorized SSH login attempts).
2. Configure and test file integrity monitoring on the agent VM.
3. Use the Wazuh Kibana app to analyze logs and alerts generated by the agent.
**Learning Outcome:** Gain hands-on experience with Wazuh's advanced capabilities for threat detection and response.
### Lab 3: Integrating Wazuh with Shuffle SOAR
**Objective:** Integrate Wazuh with Shuffle SOAR to automate responses to specific alerts.
**Tasks:**
1. Set up a basic Shuffle workflow that responds to a common threat detected by Wazuh (e.g., disabling a compromised user account).
2. Configure Wazuh to forward alerts to Shuffle using webhooks.
3. Simulate a threat that triggers the Wazuh alert and observe the automated response from Shuffle.
**Learning Outcome:** Learn how to automate security operations by integrating Wazuh with a SOAR platform.
### Lab 4: Security Hardening and Monitoring of Wazuh Environment
**Objective:** Apply security best practices to harden the Wazuh environment and set up monitoring.
**Tasks:**
1. Implement SSH key-based authentication for VMs.
2. Configure firewall rules to restrict access to the Wazuh server.
3. Set up monitoring for the Wazuh server using tools like Grafana to visualize logs and performance metrics.
**Learning Outcome:** Understand the importance of security hardening and continuous monitoring in a security operations environment.
### Lab 5: Cloud Integration and Elastic Stack
**Objective:** Explore the integration of Wazuh with cloud services and Elastic Stack for enhanced log analysis and visualization.
**Tasks:**
1. Configure Wazuh to monitor a cloud service (e.g., AWS S3 bucket for access logs).
2. Set up Elastic Stack (Elasticsearch, Logstash, Kibana) and integrate it with Wazuh for advanced log analysis.
3. Create dashboards in Kibana to visualize and analyze data from cloud services.
**Learning Outcome:** Gain insights into how Wazuh can be used for monitoring cloud environments and the integration with Elastic Stack for log management.
These labs offer a comprehensive learning path from basic setup to advanced usage and integration of Wazuh in a secure, virtualized environment. Working through these exercises will build a solid foundation in security monitoring, threat detection, and automated response strategies.

230
tech_docs/networking/cybersecurity_getting_started.md Normal file
View File

@@ -0,0 +1,230 @@
# Building a Cybersecurity Lab with Docker and Active Directory Integration
## Introduction
This guide provides a comprehensive walkthrough for creating an advanced cybersecurity lab environment using Docker and Docker Compose, integrated with a `homelab.local` Active Directory domain. The lab is designed to offer a flexible, scalable, and easily manageable platform for cybersecurity professionals and enthusiasts to practice, experiment, and enhance their skills in various security domains.
## Lab Architecture
The lab architecture consists of the following key components:
1. **Learning Paths**: The lab is organized into distinct learning paths, each focusing on a specific cybersecurity domain, such as network security, web application security, incident response, and malware analysis. This structure enables targeted skill development and focused experimentation.
2. **Docker Containers**: Each learning path is implemented using Docker containers, providing isolated and reproducible environments for different security scenarios and tools. Containers ensure efficient resource utilization and ease of management.
3. **Docker Compose**: Docker Compose is employed for orchestrating and managing the containers within each learning path. It allows for defining and configuring multiple services, networks, and volumes, simplifying the deployment and management of complex security environments.
4. **Active Directory Integration**: The lab is integrated with a `homelab.local` Active Directory domain, enabling centralized user and resource management. This integration provides a realistic enterprise network simulation and allows for practicing security scenarios in a controlled Active Directory environment.
```mermaid
graph TD
A[Host Machine] --> B[Docker]
B --> C[Network Security]
B --> D[Web Application Security]
B --> E[Incident Response and Forensics]
B --> F[Malware Analysis]
G[homelab.local] --> H[Active Directory Integration]
H --> B
```
## Lab Setup
To set up the cybersecurity lab, follow these step-by-step instructions:
### Prerequisites
- A host machine or dedicated server with sufficient resources (CPU, RAM, storage) to run multiple Docker containers.
- Docker and Docker Compose installed on the host machine.
- Access to the `homelab.local` Active Directory domain and its resources.
### Step 1: Active Directory Integration
1. Ensure that the `homelab.local` Active Directory domain is properly set up and accessible from the host machine.
2. Create the necessary user accounts, security groups, and organizational units (OUs) within the Active Directory domain to mirror a realistic enterprise environment.
### Step 2: Docker and Docker Compose Setup
1. Install Docker and Docker Compose on the host machine following the official documentation for your operating system.
2. Verify the successful installation by running `docker --version` and `docker-compose --version` in the terminal.
### Step 3: Learning Paths Structure
1. Create a dedicated directory for each learning path on the host machine, such as `network-security`, `web-app-security`, `incident-response`, and `malware-analysis`.
2. Within each learning path directory, create a `Dockerfile` that defines the container environment, including the necessary tools, dependencies, and configurations specific to that learning path.
3. Create a `docker-compose.yml` file in each learning path directory to define the services, networks, and volumes required for that specific path.
### Step 4: Configuration and Deployment
1. Customize the `Dockerfile` for each learning path, specifying the base image, installing required packages, and configuring the environment variables and settings.
2. Modify the `docker-compose.yml` file for each learning path, defining the services, networks, and volumes necessary for the specific security scenario or tool.
3. Use Docker Compose to build and deploy the containers for each learning path by running `docker-compose up -d` in the respective directory.
### Step 5: Central Management
1. Create a central `docker-compose.yml` file at the root level of the lab directory to manage and orchestrate all the learning path containers collectively.
2. Consider using tools like Portainer or Rancher for a web-based GUI to manage and monitor the Docker containers, networks, and volumes across the entire lab.
## Cybersecurity Learning Paths
The lab provides the following learning paths to cover various aspects of cybersecurity:
### 1. Network Security
- **Packet Analysis**: Utilize tools like Wireshark and tcpdump to capture and analyze network traffic, identify anomalies, and detect potential security threats.
- **Firewall Configuration**: Configure and manage firewalls using tools like iptables and pfsense to control network traffic, implement access controls, and enforce security policies.
- **Intrusion Detection and Prevention**: Deploy and configure intrusion detection systems (IDS) and intrusion prevention systems (IPS) using tools like Snort and Suricata to monitor network traffic and detect and prevent malicious activities.
- **VPN and Secure Communication**: Set up and configure virtual private networks (VPNs) using OpenVPN or WireGuard to establish secure communication channels between different network segments and remote locations.
```mermaid
graph LR
A[Network Security] --> B[Packet Analysis]
A --> C[Firewall Configuration]
A --> D[Intrusion Detection and Prevention]
A --> E[VPN and Secure Communication]
B --> B1[Wireshark]
B --> B2[tcpdump]
C --> C1[iptables]
C --> C2[pfsense]
D --> D1[Snort]
D --> D2[Suricata]
E --> E1[OpenVPN]
E --> E2[WireGuard]
```
### 2. Web Application Security
- **Vulnerability Assessment**: Perform web application vulnerability scanning and assessment using tools like OWASP ZAP, Burp Suite, and Nikto to identify common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- **Penetration Testing**: Conduct in-depth penetration testing on web applications using tools and frameworks like Metasploit, sqlmap, and BeEF to identify and exploit vulnerabilities, and assess the application's resilience to attacks.
- **Web Application Firewall (WAF)**: Configure and deploy WAFs using tools like ModSecurity and NAXSI to protect web applications from common attacks, enforce security rules, and monitor web traffic for suspicious activities.
- **API Security**: Test and secure RESTful APIs using tools like Postman and Swagger to validate API functionality, authentication, authorization, and input validation.
```mermaid
graph LR
A[Web Application Security] --> B[Vulnerability Assessment]
A --> C[Penetration Testing]
A --> D[Web Application Firewall]
A --> E[API Security]
B --> B1[OWASP ZAP]
B --> B2[Burp Suite]
B --> B3[Nikto]
C --> C1[Metasploit]
C --> C2[sqlmap]
C --> C3[BeEF]
D --> D1[ModSecurity]
D --> D2[NAXSI]
E --> E1[Postman]
E --> E2[Swagger]
```
### 3. Incident Response and Forensics
- **Incident Response Planning**: Develop and practice incident response procedures using the lab environment to simulate security incidents, test incident response plans, and improve incident handling capabilities.
- **Log Analysis**: Collect and analyze system and application logs using tools like ELK stack (Elasticsearch, Logstash, Kibana) and Splunk to identify security events, detect anomalies, and investigate incidents.
- **Memory Forensics**: Perform memory forensics on compromised systems using tools like Volatility and Rekall to analyze memory dumps, identify malicious processes, and extract valuable artifacts for incident investigation.
- **Network Forensics**: Conduct network forensics using tools like NetworkMiner and Xplico to analyze network traffic captures (PCAP files), reconstruct network events, and investigate network-based attacks.
```mermaid
graph LR
A[Incident Response and Forensics] --> B[Incident Response Planning]
A --> C[Log Analysis]
A --> D[Memory Forensics]
A --> E[Network Forensics]
C --> C1[ELK Stack]
C --> C2[Splunk]
D --> D1[Volatility]
D --> D2[Rekall]
E --> E1[NetworkMiner]
E --> E2[Xplico]
```
### 4. Malware Analysis
- **Static Analysis**: Perform static analysis on malware samples using tools like IDA Pro, Ghidra, and Radare2 to analyze malware code, identify suspicious functions, and understand the malware's behavior without executing it.
- **Dynamic Analysis**: Execute malware samples in isolated containers using tools like Cuckoo Sandbox and REMnux to observe the malware's behavior, analyze its interactions with the system and network, and identify its functionality and persistence mechanisms.
- **Reverse Engineering**: Apply reverse engineering techniques using tools like x64dbg and OllyDbg to disassemble and debug malware binaries, understand their internal workings, and identify obfuscation or anti-analysis techniques.
- **Malware Dissection**: Dissect and analyze different types of malware, such as ransomware, trojans, and botnets, to understand their infection vectors, command and control (C2) communication, and impact on infected systems.
```mermaid
graph LR
A[Malware Analysis] --> B[Static Analysis]
A --> C[Dynamic Analysis]
A --> D[Reverse Engineering]
A --> E[Malware Dissection]
B --> B1[IDA Pro]
B --> B2[Ghidra]
B --> B3[Radare2]
C --> C1[Cuckoo Sandbox]
C --> C2[REMnux]
D --> D1[x64dbg]
D --> D2[OllyDbg]
```
## Example Scenarios
To demonstrate the practical applications of the cybersecurity lab, consider the following example scenarios:
### Scenario 1: Ransomware Attack Simulation
Objective: Simulate a ransomware attack and practice incident response procedures.
Steps:
1. Set up a vulnerable Windows server container in the lab environment.
2. Create a simulated user environment with sample files and documents.
3. Deploy a controlled ransomware sample or a ransomware simulator within the container.
4. Monitor the network traffic and analyze the ransomware's behavior using tools like Wireshark and Snort.
5. Implement containment measures, such as isolating the infected container and blocking malicious traffic.
6. Perform memory forensics on the affected system to identify the encryption process and extract relevant artifacts.
7. Develop and test a recovery plan, including data restoration from backups and system hardening measures.
```mermaid
graph LR
A[Vulnerable Windows Server Container] --> B[Deploy Ransomware]
B --> C[Monitor Network Traffic]
C --> D[Implement Containment Measures]
D --> E[Perform Memory Forensics]
E --> F[Develop Recovery Plan]
F --> G[Restore Data and Harden System]
```
### Scenario 2: Web Application Penetration Testing
Objective: Conduct a penetration test on a vulnerable web application to identify and exploit vulnerabilities.
Steps:
1. Deploy a purposefully vulnerable web application, such as OWASP Juice Shop or DVWA, in a container.
2. Perform reconnaissance to gather information about the application's functionality and potential attack surfaces.
3. Conduct vulnerability scanning using tools like OWASP ZAP and Burp Suite to identify common web vulnerabilities.
4. Attempt to exploit the identified vulnerabilities, such as SQL injection or XSS, to gain unauthorized access or extract sensitive data.
5. Document the findings, including the steps taken, vulnerabilities discovered, and the potential impact of each vulnerability.
6. Provide recommendations for remediation and security best practices based on the penetration testing results.
```mermaid
graph LR
A[Deploy Vulnerable Web Application] --> B[Perform Reconnaissance]
B --> C[Conduct Vulnerability Scanning]
C --> D[Exploit Identified Vulnerabilities]
D --> E[Document Findings]
E --> F[Provide Remediation Recommendations]
```
### Scenario 3: Malware Analysis and Reverse Engineering
Objective: Analyze a malware sample to understand its behavior and develop detection and mitigation strategies.
Steps:
1. Obtain a malware sample from a trusted source or create a custom malware binary for analysis.
2. Perform static analysis on the malware sample using tools like IDA Pro or Ghidra to examine its code structure and identify suspicious functions.
3. Conduct dynamic analysis by executing the malware in an isolated container and monitoring its behavior using tools like Process Monitor and Wireshark.
4. Analyze the malware's interactions with the file system, registry, and network to understand its functionality and persistence mechanisms.
5. Reverse engineer the malware using a debugger like x64dbg to understand its internal logic and identify any obfuscation techniques.
6. Develop YARA rules or other detection signatures based on the identified characteristics of the malware.
7. Propose mitigation strategies, such as network segregation, application whitelisting, and endpoint protection, to defend against the analyzed malware.
```mermaid
graph LR
A[Obtain Malware Sample] --> B[Perform Static Analysis]
B --> C[Conduct Dynamic Analysis]
C --> D[Analyze Malware Interactions]
D --> E[Reverse Engineer Malware]
E --> F[Develop Detection Signatures]
F --> G[Propose Mitigation Strategies]
```
## Conclusion
The cybersecurity lab setup described in this guide provides a comprehensive and flexible environment for practicing and developing a wide range of cybersecurity skills. By leveraging Docker and Active Directory integration, the lab offers a realistic and manageable platform for simulating various security scenarios, analyzing threats, and testing defense mechanisms.
Through the different learning paths and example scenarios, readers can gain hands-on experience in network security, web application security, incident response, forensics, and malware analysis. The lab environment enables readers to explore and experiment with industry-standard tools and techniques, enhancing their practical skills and understanding of real-world cybersecurity challenges.
By following the step-by-step instructions and best practices outlined in this guide, readers can build a robust and customizable cybersecurity lab that adapts to their learning objectives and evolving security landscape. The modular nature of the lab allows for easy expansion and integration of additional security tools and scenarios as needed.
Remember to continuously update and refine the lab environment, stay informed about the latest security threats and techniques, and engage with the cybersecurity community to share knowledge and collaborate on new challenges.
Happy learning and secure coding!

420
tech_docs/networking/firewalls.md Normal file
View File

@@ -0,0 +1,420 @@
---
Certainly! Let's consider a more complex, real-world enterprise scenario and compare the configuration steps for Palo Alto Networks and Fortinet FortiGate firewalls.
Scenario:
- The enterprise has multiple web servers hosting different applications, each requiring inbound HTTPS access (port 443) from specific source networks.
- The web servers are located in a DMZ network (192.168.10.0/24) behind the firewall.
- The firewall should perform NAT to translate public IP addresses to the respective web servers' private IP addresses.
- The firewall should enforce security policies to inspect HTTPS traffic for potential threats and apply application-specific rules.
Solution 1: Palo Alto Networks
Step 1: Configure NAT rules for each web server.
```
set rulebase nat rules
set name "NAT_Web_Server_1"
set source any
set destination <public_IP_1>
set service any
set translate-to <web_server_1_private_IP>
set rulebase nat rules
set name "NAT_Web_Server_2"
set source any
set destination <public_IP_2>
set service any
set translate-to <web_server_2_private_IP>
```
Step 2: Create security zones and assign interfaces.
```
set network interface ethernet1/1 layer3 interface-management-profile none zone untrust
set network interface ethernet1/2 layer3 interface-management-profile none zone dmz
set zone dmz network layer3 [ ethernet1/2 ]
```
Step 3: Define security policies for each web server.
```
set rulebase security rules
set name "Allow_HTTPS_Web_Server_1"
set from untrust
set to dmz
set source <allowed_source_network_1>
set destination <public_IP_1>
set application ssl
set service application-default
set action allow
set profile-setting profiles virus default spyware default vulnerability default url-filtering default
set rulebase security rules
set name "Allow_HTTPS_Web_Server_2"
set from untrust
set to dmz
set source <allowed_source_network_2>
set destination <public_IP_2>
set application ssl
set service application-default
set action allow
set profile-setting profiles virus default spyware default vulnerability default url-filtering default
```
Step 4: Configure SSL decryption and inspection.
```
set rulebase decryption rules
set name "SSL_Inspect_Web_Servers"
set action no-decrypt
set source any
set destination [ <public_IP_1> <public_IP_2> ]
set service ssl
```
In this Palo Alto Networks solution, NAT rules are configured for each web server to translate the public IP addresses to their respective private IP addresses. Security zones are created, and interfaces are assigned to segregate the untrust (Internet-facing) and DMZ networks. Security policies are defined for each web server, specifying the allowed source networks, destination IP addresses, and applications (SSL). The policies also apply default security profiles for threat prevention. SSL decryption rules are configured to inspect the HTTPS traffic for potential threats.
Solution 2: Fortinet FortiGate
Step 1: Configure firewall addresses for the web servers.
```
config firewall address
edit "Web_Server_1"
set subnet 192.168.10.10/32
next
edit "Web_Server_2"
set subnet 192.168.10.20/32
next
end
```
Step 2: Configure virtual IPs (VIPs) for each web server.
```
config firewall vip
edit "VIP_Web_Server_1"
set extip <public_IP_1>
set mappedip "Web_Server_1"
set extintf "port1"
set portforward enable
set extport 443
set mappedport 443
next
edit "VIP_Web_Server_2"
set extip <public_IP_2>
set mappedip "Web_Server_2"
set extintf "port1"
set portforward enable
set extport 443
set mappedport 443
next
end
```
Step 3: Create firewall policies for each web server.
```
config firewall policy
edit 1
set name "Allow_HTTPS_Web_Server_1"
set srcintf "port1"
set dstintf "dmz"
set srcaddr <allowed_source_network_1>
set dstaddr "VIP_Web_Server_1"
set action accept
set service "HTTPS"
set ssl-ssh-profile "deep-inspection"
set nat enable
next
edit 2
set name "Allow_HTTPS_Web_Server_2"
set srcintf "port1"
set dstintf "dmz"
set srcaddr <allowed_source_network_2>
set dstaddr "VIP_Web_Server_2"
set action accept
set service "HTTPS"
set ssl-ssh-profile "deep-inspection"
set nat enable
next
end
```
Step 4: Configure SSL deep inspection.
```
config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "SSL deep inspection"
set ssl inspect-all
set untrusted-caname "Fortinet_CA_SSL"
next
end
```
In the Fortinet FortiGate solution, firewall addresses are defined for each web server. Virtual IPs (VIPs) are configured to map the public IP addresses to the respective web server addresses and specify the port translation. Firewall policies are created for each web server, allowing HTTPS traffic from specific source networks to the corresponding VIPs. The policies also enable NAT and apply an SSL deep inspection profile to examine the encrypted traffic for threats.
Comparison:
Both Palo Alto Networks and Fortinet FortiGate offer robust security features and granular control for managing inbound HTTPS traffic in an enterprise environment. However, there are differences in their configuration approaches and terminology.
Palo Alto Networks uses a zone-based approach, where security zones are created, and interfaces are assigned to them. NAT rules and security policies are configured separately, allowing for more flexibility and control over traffic flows. Palo Alto Networks also provides a comprehensive set of security profiles for threat prevention.
Fortinet FortiGate, on the other hand, uses a more integrated approach with firewall addresses, VIPs, and firewall policies. VIPs combine the NAT configuration with the firewall rules, simplifying the setup. Firewall policies define the allowed traffic flow and include security features like SSL deep inspection.
Both firewalls offer advanced security features, such as SSL decryption and inspection, to detect and prevent threats in encrypted traffic. They also provide granular control over source and destination networks, applications, and services.
When choosing between Palo Alto Networks and Fortinet FortiGate for an enterprise environment, factors like the organization's security requirements, existing network infrastructure, ease of management, and integration with other security tools should be considered.
In summary, this real-world enterprise scenario demonstrates the configuration steps for allowing inbound HTTPS traffic to multiple web servers using Palo Alto Networks and Fortinet FortiGate firewalls. While both firewalls provide comprehensive security features, their configuration approaches and terminology differ, reflecting their unique architectures and philosophies.
---
Certainly! Here's a reference guide for how each OEM (Cisco ASA, Fortinet FortiGate, Palo Alto Networks, and Cisco Meraki MX) performs the core firewall tasks (traffic filtering, NAT, VPN, and threat prevention) via CLI:
1. Traffic Filtering
a. Cisco ASA:
- Configure access-list: `access-list <ACL_name> <line_number> <permit/deny> <protocol> <source_IP> <source_mask> <destination_IP> <destination_mask>`
- Apply access-list to interface: `access-group <ACL_name> <in/out> interface <interface_name>`
b. Fortinet FortiGate:
- Configure firewall policy: `config firewall policy`
- Set policy details: `edit <policy_id>`, `set srcintf <source_interface>`, `set dstintf <destination_interface>`, `set srcaddr <source_address>`, `set dstaddr <destination_address>`, `set service <service_name>`, `set action <accept/deny>`
c. Palo Alto Networks:
- Configure security rule: `set rulebase security rules`
- Set rule details: `set name <rule_name>`, `set from <source_zone>`, `set to <destination_zone>`, `set source <source_address>`, `set destination <destination_address>`, `set service <service_name>`, `set action <allow/deny>`
d. Cisco Meraki MX (via Dashboard):
- Configure firewall rule in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Firewall
- Click "Add a Rule" and set the rule details (source, destination, service, action)
2. Network Address Translation (NAT)
a. Cisco ASA:
- Configure static NAT: `nat (<inside_interface>,<outside_interface>) source static <local_IP> <global_IP>`
- Configure dynamic NAT: `nat (<inside_interface>,<outside_interface>) source dynamic <local_network> <global_IP_pool>`
b. Fortinet FortiGate:
- Configure SNAT: `config firewall ippool`, `edit <ippool_name>`, `set startip <start_IP>`, `set endip <end_IP>`
- Apply SNAT to policy: `config firewall policy`, `edit <policy_id>`, `set ippool enable`, `set poolname <ippool_name>`
c. Palo Alto Networks:
- Configure NAT rule: `set rulebase nat rules`
- Set rule details: `set name <rule_name>`, `set source <source_zone>`, `set destination <destination_zone>`, `set service <service_name>`, `set source-translation dynamic-ip-and-port <interface_name> <IP_address>`
d. Cisco Meraki MX (via Dashboard):
- Configure NAT in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > NAT
- Click "Add a Rule" and set the rule details (source, destination, service, translation type)
3. Virtual Private Network (VPN)
a. Cisco ASA:
- Configure IKEv1 policy: `crypto ikev1 policy <priority>`, `authentication pre-share`, `encryption <encryption_algorithm>`, `hash <hash_algorithm>`, `group <DH_group>`, `lifetime <seconds>`
- Configure IPsec transform set: `crypto ipsec transform-set <transform_set_name> <encryption_algorithm> <authentication_algorithm>`
- Configure tunnel group: `tunnel-group <peer_IP> type ipsec-l2l`, `tunnel-group <peer_IP> ipsec-attributes`, `pre-shared-key <key>`
- Configure crypto map: `crypto map <map_name> <priority> ipsec-isakmp`, `set peer <peer_IP>`, `set transform-set <transform_set_name>`, `set pfs <DH_group>`, `match address <ACL_name>`
b. Fortinet FortiGate:
- Configure Phase 1 (IKE): `config vpn ipsec phase1-interface`, `edit <tunnel_name>`, `set interface <interface_name>`, `set remote-gw <peer_IP>`, `set proposal <encryption_algorithm>-<authentication_algorithm>-<DH_group>`
- Configure Phase 2 (IPsec): `config vpn ipsec phase2
-interface`, `edit <tunnel_name>`, `set phase1name <phase1_tunnel_name>`, `set proposal <encryption_algorithm>-<authentication_algorithm>-<DH_group>`
- Configure firewall policy for VPN: `config firewall policy`, `edit <policy_id>`, `set srcintf <source_interface>`, `set dstintf <destination_interface>`, `set srcaddr <source_address>`, `set dstaddr <destination_address>`, `set action ipsec`, `set schedule always`, `set service ANY`, `set inbound enable`, `set outbound enable`
c. Palo Alto Networks:
- Configure IKE gateway: `set network ike gateway <gateway_name>`, `set address <peer_IP>`, `set authentication pre-shared-key <key>`, `set local-address <interface_name>`, `set protocol ikev1`
- Configure IPsec tunnel: `set network tunnel ipsec <tunnel_name>`, `set auto-key ike-gateway <gateway_name>`, `set auto-key ipsec-crypto-profile <profile_name>`
- Configure IPsec crypto profile: `set network ipsec crypto-profiles <profile_name>`, `set esp encryption <encryption_algorithm>`, `set esp authentication <authentication_algorithm>`
- Configure security policy for VPN: `set rulebase security rules`, `set name <rule_name>`, `set from <source_zone>`, `set to <destination_zone>`, `set source <source_address>`, `set destination <destination_address>`, `set application any`, `set service any`, `set action allow`, `set profile-setting profiles spyware <anti_spyware_profile> virus <anti_virus_profile>`
d. Cisco Meraki MX (via Dashboard):
- Configure site-to-site VPN in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Site-to-site VPN
- Click "Add a peer" and set the peer details (peer IP, remote subnet, pre-shared key)
- Configure the local networks to be advertised
- Configure client VPN (L2TP over IPsec) in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Client VPN
- Enable client VPN and set the authentication details (pre-shared key, client IP range)
4. Threat Prevention
a. Cisco ASA with FirePOWER Services:
- Configure access control policy: `access-control-policy`, `edit <policy_name>`, `rule add <rule_name>`, `action <allow/block>`, `source <source_network>`, `destination <destination_network>`, `port <port_number>`, `application <application_name>`, `intrusion-policy <intrusion_policy_name>`, `file-policy <file_policy_name>`, `logging <enable/disable>`
b. Fortinet FortiGate:
- Configure antivirus profile: `config antivirus profile`, `edit <profile_name>`, `set comment <description>`, `set inspection-mode <proxy/flow-based>`, `set ftgd-analytics <enable/disable>`
- Configure IPS sensor: `config ips sensor`, `edit <sensor_name>`, `set comment <description>`, `set block-malicious-url <enable/disable>`, `set extended-log <enable/disable>`
- Apply antivirus and IPS profiles to firewall policy: `config firewall policy`, `edit <policy_id>`, `set av-profile <antivirus_profile_name>`, `set ips-sensor <ips_sensor_name>`
c. Palo Alto Networks:
- Configure antivirus profile: `set deviceconfig system profiles anti-virus <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop>`
- Configure anti-spyware profile: `set deviceconfig system profiles spyware <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop>`
- Configure vulnerability protection profile: `set deviceconfig system profiles vulnerability <profile_name>`, `set threat-prevention packet-capture <enable/disable>`, `set action <default/allow/alert/block/drop/reset-both/reset-client/reset-server>`
- Attach profiles to security policy: `set rulebase security rules`, `set name <rule_name>`, `set profile-setting profiles spyware <anti_spyware_profile> virus <anti_virus_profile> vulnerability <vulnerability_protection_profile>`
d. Cisco Meraki MX (via Dashboard):
- Configure threat protection in the Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Threat Protection
- Enable intrusion detection and prevention (IDS/IPS) and set the security level
- Enable advanced malware protection (AMP) and set the detection and blocking options
- Configure URL filtering and set the content categories to be blocked
This reference guide provides a high-level overview of how to configure core firewall tasks using the CLI for each OEM. Keep in mind that the exact commands and syntax may vary depending on the specific device model and software version. It's always recommended to refer to the official documentation and command references provided by the respective vendors for the most accurate and up-to-date information.
Introduction
Firewalls are essential components of network security, serving as the first line of defense against external threats and unauthorized access. They enforce security policies by controlling the flow of network traffic based on predefined rules and criteria. The effectiveness and functionality of a firewall depend heavily on how it implements key features such as traffic filtering, Network Address Translation (NAT), Virtual Private Network (VPN), and threat prevention.
Traffic filtering is the foundation of firewall functionality. It involves inspecting incoming and outgoing network packets and making decisions based on factors like source and destination IP addresses, ports, protocols, and application-level data. Firewalls use various techniques for traffic filtering, such as stateful inspection, which maintains the state of network connections and allows for more granular control. According to a 2021 report by Grand View Research, the global network security firewall market size was valued at USD 4.3 billion in 2020 and is expected to grow at a compound annual growth rate (CAGR) of 12.1% from 2021 to 2028, highlighting the importance of effective traffic filtering in modern networks.
Network Address Translation (NAT) is a critical feature that allows firewalls to mask the internal network structure and conserve public IP addresses. NAT enables multiple devices on a private network to share a single public IP address, enhancing security and simplifying network configuration. Firewalls support different types of NAT, such as static NAT, dynamic NAT, and Port Address Translation (PAT). A study by Cisco found that NAT can help organizations save up to 50% on public IP address costs while improving network security and manageability.
Virtual Private Network (VPN) capabilities are essential for securing remote access and enabling secure communication between disparate network segments. Firewalls support various VPN technologies, such as IPsec, SSL/TLS, and PPTP, each with its own advantages and trade-offs. According to a 2021 report by Global Market Insights, the global VPN market size exceeded USD 30 billion in 2020 and is projected to grow at a CAGR of over 15% from 2021 to 2027, driven by the increasing demand for secure remote access solutions.
Threat prevention is an increasingly important aspect of modern firewalls, as they evolve beyond simple packet filtering to become comprehensive security gateways. Firewalls employ various techniques to detect and block advanced threats, such as intrusion prevention systems (IPS), malware scanning, URL filtering, and sandboxing. A 2021 report by MarketsandMarkets projects that the global threat intelligence market size will grow from USD 11.6 billion in 2021 to USD 15.8 billion by 2026, at a CAGR of 6.3%, underlining the importance of robust threat prevention capabilities in firewalls.
In the following sections, we will examine how four leading firewall vendors—Cisco ASA, Fortinet FortiGate, Palo Alto Networks, and Cisco Meraki MX—implement these core functionalities. By delving into the technical specifics and underlying mechanisms of each solution, this comparative analysis aims to provide a comprehensive understanding of their capabilities, strengths, and differences. This knowledge is crucial for organizations seeking to make informed decisions when selecting and configuring firewall solutions to align with their specific security requirements and network architectures.
---
You're right in observing that fundamentally, all firewall platforms—whether Cisco ASA, Fortinet FortiGate, Palo Alto Networks, Cisco Meraki MX, or others—serve the same core purpose: to protect networks by managing and controlling the flow of traffic based on defined security rules. They achieve these objectives through mechanisms that might differ in terminology or implementation details but ultimately perform similar functions. Heres a simplified abstraction of how these firewalls operate, focusing on their common functionalities:
### Core Functions of Firewalls:
1. **Traffic Filtering:** All firewall technologies employ some form of traffic filtering, whether they're using ACLs (Access Control Lists), security policies, or unified threat management rules. They decide whether to block or allow traffic based on source and destination IP addresses, port numbers, and other protocol-specific characteristics.
2. **Network Address Translation (NAT):** This is a universal feature across firewalls used to mask the internal IP addresses of a network from the external world. The terminology and specific capabilities (like static NAT, dynamic NAT, PAT) might vary, but the fundamental purpose remains to facilitate secure communication between internal and external networks.
3. **VPN Support:** Virtual Private Networks (VPNs) are supported by all major firewall platforms, though the implementations (IPSec, SSL VPN, etc.) and the specific features (like remote access VPN and site-to-site VPN) might differ. The end goal is to securely extend a networks reach over the internet.
4. **User and Application Control:** Modern firewalls go beyond traditional packet filtering by integrating user and application-level visibility and control. Technologies like Palo Altos App-ID and User-ID or similar features in other platforms enable more granular control based on application traffic and user identity, respectively.
5. **Threat Prevention:** Firewalls are increasingly incorporating integrated threat prevention tools that include IDS/IPS (Intrusion Detection and Prevention Systems), anti-malware, and URL filtering. These features help to identify and mitigate threats before they can penetrate deeper into the network.
### Terminology Differences:
- **Cisco ASA** might refer to its filtering mechanism as access groups and ACLs, whereas **Palo Alto** would discuss it in terms of security policies that integrate with application and user IDs.
- **Fortinet** integrates NAT within their security policies, making it a bit more straightforward in terms of policy management, compared to **Cisco ASA**, where NAT and security policies might be configured separately.
- **Palo Alto** and **Fortinet** emphasize application-level insights and controls, using terms like App-ID and NGFW (Next-Generation Firewall) features, which might not be explicitly named in the simpler, more traditional configurations of older Cisco ASA models.
Despite these differences in terminology and certain proprietary technologies, the underlying principles of how these firewalls operate remain largely consistent. They all aim to secure network environments through a combination of packet filtering, user and application control, and threat mitigation techniques, adapting these basic functions to modern network demands and threats in slightly different ways to cater to various organizational needs.
---
### Introduction
Choosing the right firewall solution is crucial for protecting an organization's network infrastructure. Firewalls not only block unauthorized access but also provide a control point for traffic entering and exiting the network. This comparative analysis examines Cisco ASA, Fortinet FortiGate, and Palo Alto firewalls, focusing on their approaches to firewall policy and NAT configurations, helping organizations select the best fit based on specific needs and network environments.
### Firewall Policy Configuration
#### **Cisco ASA**
- **Approach**: Utilizes access control lists (ACLs) and access groups for detailed traffic management.
- **Key Features**: High granularity allows for precise control, which is essential in complex network setups needing stringent security measures.
#### **Fortinet FortiGate**
- **Approach**: Adopts an integrated policy system that combines addresses, services, and actions.
- **User Experience**: Simplifies configuration, making it suitable for environments that require quick setup and changes.
#### **Palo Alto Networks**
- **Approach**: Employs a comprehensive strategy using zones and profiles, focusing on controlling traffic based on applications and users.
- **Key Features**: Includes User-ID and App-ID technologies that enhance security by enabling policy enforcement based on user identity and application traffic, ensuring that security measures are both stringent and adaptable to organizational needs.
### NAT Configuration
#### **Overview**
Network Address Translation (NAT) is crucial for hiding internal IP addresses and managing the IP routing between internal and external networks. It is a fundamental security feature that also optimizes the use of IP addresses.
#### **Cisco ASA**
- **Flexibility**: Offers robust options for static and dynamic NAT, catering to complex network requirements.
#### **Fortinet FortiGate**
- **Integration**: Features an intuitive setup where NAT configurations are integrated within firewall policies, facilitating easier management and visibility.
#### **Palo Alto Networks**
- **Innovation**: Provides versatile NAT options that are tightly integrated with security policies, supporting complex translations including bi-directional NAT for detailed traffic control.
### Comparative Summary
#### **Performance and Scalability**
- **Cisco ASA** is known for its stability and robust performance, handling high-volume traffic effectively.
- **Fortinet FortiGate** and **Palo Alto Networks** both excel in environments that scale dynamically, offering solutions that adapt quickly to changing network demands.
#### **Integration with Other Security Tools**
- All three platforms offer extensive integrations with additional security tools such as SIEM systems, intrusion prevention systems (IPS), and endpoint protection, enhancing overall security architecture.
#### **Cost and Licensing**
- **Cisco ASA** often involves a straightforward, albeit sometimes costly, licensing structure.
- **Fortinet FortiGate** typically provides a cost-effective solution with flexible licensing options.
- **Palo Alto Networks** may involve higher costs but justifies them with advanced features and comprehensive security coverage.
### Conclusion
Selecting the right firewall is a pivotal decision that depends on specific organizational requirements including budget, expected traffic volume, administrative expertise, and desired security level. This analysis highlights the distinct capabilities and configurations of Cisco ASA, Fortinet FortiGate, and Palo Alto Networks, guiding organizations towards making an informed choice that aligns with their security needs and operational preferences.
---
### 4. Cisco Meraki MX
- **Models Covered**: Meraki MX64, MX84, MX100, MX250
- **Throughput**:
- **Firewall Throughput**: Up to 4 Gbps
- **VPN Throughput**: Up to 1 Gbps
- **Concurrent Sessions**: Up to 2,000,000
- **VPN Support**:
- **Protocols**: Auto VPN (IPSec), L2TP over IPSec
- **Remote Access VPN**: Client VPN (L2TP over IPSec)
- **NAT Features**:
- **1:1 NAT, 1:Many NAT**
- **Port forwarding, and DMZ host**
- **Security Features**:
- **Threat Defense**: Integrated intrusion detection and prevention (IDS/IPS)
- **Content Filtering**: Native content filtering, categories-based
- **Access Control**: User and device-based policies
- **Deployment**:
- **Cloud Managed**: Entirely managed via the cloud, simplifying large-scale deployments and remote management.
- **Zero-Touch Deployment**: Fully supported
- **Special Features**:
- **SD-WAN Capabilities**: Advanced SD-WAN policy-based routing integrates with auto VPN for dynamic path selection.
### 5. SELinux (Security-Enhanced Linux)
- **Base**: Linux Kernel modification
- **Main Use**: Enforcing mandatory access controls (MAC) to enhance the security of Linux systems.
- **Operation Mode**:
- **Enforcing**: Enforces policies and denies access based on policy rules.
- **Permissive**: Logs policy violations but does not enforce them.
- **Disabled**: SELinux functionality turned off.
- **Security Features**:
- **Type Enforcement**: Controls access based on type attributes attached to each subject and object.
- **Role-Based Access Control (RBAC)**: Users perform operations based on roles, which govern the types of operations allowable.
- **Multi-Level Security (MLS)**: Adds sensitivity labels on objects for handling varying levels of security.
- **Deployment**:
- **Compatibility**: Compatible with most major distributions of Linux.
- **Management Tools**: Various tools available for policy management, including `semanage`, `setroubleshoot`, and graphical interfaces like `system-config-selinux`.
- **Advantages**:
- **Granular Control**: Provides very detailed and customizable security policies.
- **Audit and Compliance**: Excellent support for audit and compliance requirements with comprehensive logging.
Here are the additional fact sheets for AppArmor, a Linux security module, and typical VPN technologies used within Linux environments:
---
### 6. AppArmor (Application Armor)
- **Base**: Linux Kernel security module similar to SELinux
- **Main Use**: Provides application security by enabling administrators to confine programs to a limited set of resources, based on per-program profiles.
- **Operation Mode**:
- **Enforce Mode**: Enforces all rules defined in the profiles and restricts access accordingly.
- **Complain Mode**: Does not enforce rules but logs all violations.
- **Security Features**:
- **Profile-Based Access Control**: Each application can have a unique profile that specifies its permissions, controlling file access, capabilities, network access, and other resources.
- **Ease of Configuration**: Generally considered easier to configure and maintain than SELinux due to its more straightforward syntax and profile management.
- **Deployment**:
- **Compatibility**: Integrated into many Linux distributions, including Ubuntu and SUSE.
- **Management Tools**: `aa-genprof` for generating profiles, `aa-enforce` to switch profiles to enforce mode, and `aa-complain` to set profiles to complain mode.
- **Advantages**:
- **Simplicity and Accessibility**: Less complex than SELinux, making it more accessible for less experienced administrators.
- **Flexibility**: Offers effective containment and security without the extensive configuration SELinux may require.
### 7. Linux VPN Technologies
- **Common Solutions**:
- **OpenVPN**: A robust and highly configurable VPN solution that uses SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.
- **WireGuard**: A newer, simpler, and faster approach to VPN that integrates more directly into the Linux kernel, offering better performance than older protocols.
- **IPSec/L2TP**: Often used in corporate environments, IPSec is used with L2TP to provide encryption at the network layer.
- **Throughput and Performance**:
- **OpenVPN**: Good performance with strong encryption. Suitable for most consumer and many enterprise applications.
- **WireGuard**: Exceptional performance, particularly in terms of connection speed and reconnection times over mobile networks.
- **Security Features**:
- **OpenVPN**: High security with configurable encryption methods. Supports various authentication mechanisms including certificates, pre-shared keys, and user authentication.
- **WireGuard**: Uses state-of-the-art cryptography and aims to be as easy to configure and deploy as SSH.
- **Deployment**:
- **Configuration**: Both OpenVPN and WireGuard offer easy-to-use CLI tools and are supported by a variety of GUIs across Linux distributions.
- **Compatibility**: Supported across a wide range of devices and Linux distributions.
- **Advantages**:
- **OpenVPN**: Wide adoption, extensive documentation, and strong community support.
- **WireGuard**: Modern cryptographic techniques, minimalistic design, and kernel-level integration for optimal performance.

49
tech_docs/networking/home_network.md Normal file
View File

@@ -0,0 +1,49 @@
To provide a comprehensive turnkey solution for a power user's home network leveraging OPNsense with zero-trust principles, VLAN segmentation, and advanced WAN management, we'll break down the network architecture into a detailed plan. This plan includes VLAN allocation, device roles, and how traffic is managed across WAN links.
### Network Overview:
- **WAN Links**:
- **WAN1 (Comcast)**: Primary internet connection, suitable for sensitive or work-related traffic. Limited by a data cap.
- **WAN2 (T-Mobile 5G)**: Secondary internet connection, unlimited data but CGNAT. Ideal for high-bandwidth or background tasks.
- **VLANs & Segmentation**:
- **VLAN 10 - Management**: For network infrastructure devices (switches, APs, OPNsense management).
- **VLAN 20 - Work & Personal**: For personal computers, workstations, and laptops.
- **VLAN 30 - IoT Devices**: For smart home devices, like smart bulbs, thermostats, and speakers.
- **VLAN 40 - Entertainment**: For streaming devices, gaming consoles, and smart TVs.
- **VLAN 50 - Guests**: For guests' devices, providing internet access with isolated access to local resources.
- **Special Configurations**:
- **802.1x Authentication**: Enabled on VLAN 20 for secure access.
- **VPN & SOCKS5**: Configured for selective routing of traffic from VLAN 20 and 40 through NordVPN or a SOCKS5 proxy.
### Network Diagram:
```mermaid
graph LR
Comcast(WAN1 - Comcast) -->|Primary| OPNsense
TMobile(WAN2 - T-Mobile 5G) -->|Secondary| OPNsense
OPNsense -->|Management VLAN10| SwitchAP[Switch & APs]
OPNsense -->|Work/Personal VLAN20| PC[PCs/Laptops]
OPNsense -->|IoT VLAN30| IoT[Smart Devices]
OPNsense -->|Entertainment VLAN40| TV[Streaming/Consoles]
OPNsense -->|Guest VLAN50| Guests[Guest Devices]
PC -->|VPN/SOCKS5| Cloud[VPN & SOCKS5]
TV -->|VPN| Cloud
```
### Device Roles and Policies:
- **Management (VLAN 10)**: Secure VLAN for managing networking equipment. Access restricted to network administrators.
- **Work & Personal (VLAN 20)**: High-priority VLAN for workstations and personal devices. Protected by 802.1x authentication. Selected traffic routed through VPN or SOCKS5 for privacy or geo-restrictions.
- **IoT Devices (VLAN 30)**: Isolated VLAN for IoT devices to enhance security. Internet access allowed, but access to other VLANs restricted.
- **Entertainment (VLAN 40)**: Dedicated VLAN for entertainment devices. Selected traffic can be routed through VPN for content access or privacy.
- **Guests (VLAN 50)**: VLAN for guest devices, providing internet access only with no access to the internal network.
### Policies:
- **Traffic Shaping & QoS**: Implemented on VLAN 20 and 40 to prioritize critical traffic (e.g., work-related applications, streaming).
- **Intrusion Detection & Prevention**: Enabled network-wide with tailored rules for IoT and guest VLANs to prevent unauthorized access and mitigate threats.
- **Multi-WAN Rules**: IoT and guest traffic primarily routed through WAN2 (T-Mobile 5G) to conserve WAN1 (Comcast) bandwidth under the data cap.
This plan provides a solid foundation for a secure, segmented home network, incorporating zero-trust principles and advanced routing to manage traffic across multiple WAN links effectively. It's customizable based on specific devices, user needs, and network policies, offering a starting point for a sophisticated home networking setup.

118
tech_docs/networking/vpn-torrent.md Normal file
View File

@@ -0,0 +1,118 @@
1. **Volume Paths:** Make sure the paths specified in the `volumes` sections are correct and accessible by Docker. These paths are where your configuration, downloads, and other data will be stored.
2. **Network Mode:** You've correctly set the network mode of the dependent services (`qbittorrent`, `jackett`, `sonarr`, `prowlarr`) to `service:gluetun`. This ensures that they use the VPN connection established by the `gluetun` service.
3. **Environment Variables:**
- `VPN_SERVICE_PROVIDER`, `VPN_TYPE`, and related settings in `gluetun` should be correctly configured for your VPN provider.
- Replace `<YOUR_PRIVATE_KEY>` with your actual WireGuard private key.
- `PUID` and `PGID` should match your user ID and group ID on the host system.
4. **Ports:** Ensure that the ports you've exposed are open and not being used by other services on your host system. This is important for accessing the web UIs of the respective services.
5. **Time Zone:** You've set the time zone for most services to `Etc/UTC`. Ensure this is what you intend, or adjust it to your local time zone.
6. **Restart Policy:** You've set a restart policy for each service, which is good for ensuring they automatically restart in case of a crash or after a reboot.
7. **Service Dependencies:** The `depends_on` section for services like `qbittorrent` is correctly set to depend on `gluetun`. This ensures `gluetun` starts before them.
8. **Configuration and Data Persistence:** Your setup indicates that configuration and data will be persisted on the host file system in the `/home/ubuntu/docker/arr-stack/` directory. This is good practice for data persistence.
Before deploying, make sure to replace any placeholders (like `<YOUR_PRIVATE_KEY>`) with actual values. Once everything is set up, you can start your Docker Compose stack with:
```bash
docker-compose up -d
```
This command will start all services in the background. You can then access the web interfaces of qBittorrent, Jackett, Sonarr, and Prowlarr through the respective ports you've configured.
```yaml
---
version: "3"
services:
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
# line above must be uncommented to allow external containers to connect.
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 6881:6881
- 6881:6881/udp
- 8085:8085 # qbittorrent
- 9117:9117 # Jackett
- 8989:8989 # Sonarr
- 9696:9696 # Prowlarr
volumes:
- /home/ubuntu/docker/arr-stack:/gluetun
environment:
# See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
- VPN_SERVICE_PROVIDER=nordvpn
- VPN_TYPE=wireguard
# OpenVPN:
# - OPENVPN_USER=
# - OPENVPN_PASSWORD=
# Wireguard:
- WIREGUARD_PRIVATE_KEY=<YOUR_PRIVATE_KEY> # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/nordvpn.md#obtain-your-wireguard-private-key
- WIREGUARD_ADDRESSES=10.5.0.2/32
# Timezone for accurate log times
- TZ=Europe/London
# Server list updater
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
- UPDATER_PERIOD=24h
qbittorrent:
image: lscr.io/linuxserver/qbittorrent
container_name: qbittorrent
network_mode: "service:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London
- WEBUI_PORT=8085
volumes:
- /home/ubuntu/docker/arr-stack/qbittorrent:/config
- /home/ubuntu/docker/arr-stack/qbittorrent/downloads:/downloads
depends_on:
- gluetun
restart: always
jackett:
image: lscr.io/linuxserver/jackett:latest
container_name: jackett
network_mode: "service:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- AUTO_UPDATE=true #optional
- RUN_OPTS= #optional
volumes:
- /home/ubuntu/docker/arr-stack/jackett/data:/config
- /home/ubuntu/docker/arr-stack/jackett/blackhole:/downloads
restart: unless-stopped
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
network_mode: "service:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- /home/ubuntu/docker/arr-stack/sonarr/data:/config
- /home/ubuntu/docker/arr-stack/sonarr/tvseries:/tv #optional
- /home/ubuntu/docker/arr-stack/sonarr/downloadclient-downloads:/downloads #optional
restart: unless-stopped
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
network_mode: "service:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- /home/ubuntu/docker/arr-stack/prowlarr/data:/config
restart: unless-stopped
```

117
tech_docs/virtualization/proxmox.md Normal file
View File

@@ -0,0 +1,117 @@
Great! It seems like you're working on an advanced use case of Linux containers using Proxmox. The provided LXC and cgroups administration reference guide is a solid foundation for understanding and managing containers.
When it comes to using LXC with Proxmox, there are a few additional considerations and Proxmox-specific commands that can be included in your guide. Here are some suggestions to enhance your guide:
1. Installing Proxmox
- Provide instructions on installing Proxmox on a bare-metal server or a virtual machine.
- Cover the system requirements and installation process specific to Proxmox.
2. Creating and Managing Containers in Proxmox
- Explain how to create containers using the Proxmox web interface or command-line tools.
- Provide examples of creating containers from ISO images or templates.
- Cover container configuration options available in Proxmox, such as resource allocation, network settings, and storage.
3. Proxmox-specific Container Management Commands
- Introduce Proxmox-specific commands for managing containers, such as:
To organize the Proxmox commands effectively, we can group them into categories based on their function. Here's a structured layout to help you easily navigate and understand the usage of each command:
### 1. Container Lifecycle Management
Commands related to creating, managing, and destroying containers.
- **Create and Clone**
- `pct create <vmid> <ostemplate> [OPTIONS]`
- `pct clone <vmid> <newid> [OPTIONS]`
- **Start and Stop**
- `pct start <vmid> [OPTIONS]`
- `pct stop <vmid> [OPTIONS]`
- `pct shutdown <vmid> [OPTIONS]`
- `pct suspend <vmid>`
- `pct resume <vmid>`
- `pct reboot <vmid> [OPTIONS]`
- **Removal and Cleanup**
- `pct destroy <vmid> [OPTIONS]`
- `pct template <vmid>`
- `pct restore <vmid> <ostemplate> [OPTIONS]`
### 2. Container Configuration and Information
Commands for configuring containers and fetching their information.
- **Configuration**
- `pct config <vmid> [OPTIONS]`
- `pct set <vmid> [OPTIONS]`
- **Information and Listing**
- `pct list`
- `pct status <vmid> [OPTIONS]`
- `pct pending <vmid>`
### 3. Snapshot Management
Commands related to managing snapshots of containers.
- `pct snapshot <vmid> <snapname> [OPTIONS]`
- `pct listsnapshot <vmid>`
- `pct delsnapshot <vmid> <snapname> [OPTIONS]`
- `pct rollback <vmid> <snapname> [OPTIONS]`
### 4. Storage and Volume Management
Commands for managing the storage and volumes of containers.
- **Volume Operations**
- `pct move-volume <vmid> <volume> [<storage>] [<target-vmid>] [<target-volume>] [OPTIONS]`
- `pct resize <vmid> <disk> <size> [OPTIONS]`
- `pct pull <vmid> <path> <destination> [OPTIONS]`
- `pct push <vmid> <file> <destination> [OPTIONS]`
- **Filesystem Operations**
- `pct mount <vmid>`
- `pct unmount <vmid>`
- `pct fsck <vmid> [OPTIONS]`
- `pct fstrim <vmid> [OPTIONS]`
### 5. Migration and Remote Management
Commands for moving containers and interacting remotely.
- **Migration**
- `pct migrate <vmid> <target> [OPTIONS]`
- `pct remote-migrate <vmid> [<target-vmid>] <target-endpoint> --target-bridge <string> --target-storage <string> [OPTIONS]`
- **Remote Interaction**
- `pct console <vmid> [OPTIONS]`
- `pct enter <vmid> [OPTIONS]`
- `pct exec <vmid> [<extra-args>] [OPTIONS]`
### 6. System Utilities and Miscellaneous
Commands related to system-level operations and utilities.
- `pct cpusets`
- `pct df <vmid>`
- `pct rescan [OPTIONS]`
- `pct unlock <vmid>`
### 7. Help and Documentation
- `pct help [<extra-args>] [OPTIONS]`
This categorization should help you find the appropriate command more quickly based on the task you need to perform with your Proxmox container.
- Explain the syntax and provide examples of using these commands.
4. Configuring Container Resources in Proxmox
- Describe how to configure container resources, such as CPU, memory, and disk, using Proxmox's web interface or command-line tools.
- Cover the use of Proxmox's "Cores," "Memory," and "Disk" configuration options.
- Explain how Proxmox leverages cgroups for resource management and isolation.
5. Networking in Proxmox Containers
- Discuss the networking options available for containers in Proxmox, such as bridged, NAT, and VLAN modes.
- Provide examples of configuring network interfaces and firewall rules for containers.
6. Storage Management for Containers
- Explain how to manage storage for containers in Proxmox, including creating and attaching storage volumes.
- Cover the different storage types supported by Proxmox, such as local storage, network storage (NFS, iSCSI), and distributed storage (Ceph).
7. Backup and Restoration of Containers
- Provide instructions on backing up and restoring containers using Proxmox's built-in backup tools.
- Explain how to schedule regular backups and configure retention policies.
8. Monitoring and Troubleshooting
- Discuss the monitoring features available in Proxmox for containers, such as resource usage graphs and logs.
- Provide troubleshooting tips specific to Proxmox containers, such as common error messages and their solutions.
9. Advanced Topics
- Cover advanced topics relevant to your use case, such as:
- Clustering and high availability for containers.
- Integration with other tools and services (e.g., Kubernetes, Docker).
- Performance tuning and optimization.
- Security best practices for Proxmox containers.
By incorporating these Proxmox-specific elements into your guide, you'll provide a comprehensive resource for advanced Linux container usage with Proxmox. Make sure to include relevant commands, configuration examples, and best practices throughout the guide to make it practical and easy to follow.

73
tech_docs/virtualization/proxmox_dhcp.md Normal file
View File

@@ -0,0 +1,73 @@
For your standalone Proxmox setup, switching between static and dynamic IP configurations and managing virtual bridges are important tasks. Below, I'll provide a concise guide to handle these changes effectively and safely.
### Switching from Static IP to DHCP:
- **Backup Configurations:** Always backup configuration files before making changes (`cp /etc/network/interfaces /etc/network/interfaces.bak`).
```bash
cp /etc/network/interfaces /etc/network/interfaces.bak
```
**Update Network Interface Configuration:**
Open `/etc/network/interfaces` in a text editor:
```bash
vim /etc/network/interfaces
```
- Change the `vmbr0` configuration from static to DHCP:
```bash
auto vmbr0
iface vmbr0 inet dhcp
bridge-ports enp3s0
bridge-stp off
bridge-fd 0
```
- Save the changes and exit the editor.
- **Restart Networking to Apply Changes:**
- Apply the new network settings:
```bash
systemctl restart networking
```
- **Find the New DHCP-Assigned IP Address:**
- After the network restarts, check the assigned IP:
```bash
ip addr show vmbr0
```
- **Update `/etc/hosts` with the New IP:**
- Edit the `/etc/hosts` file to replace the old static IP with the new one:
```bash
nano /etc/hosts
```
- Modify the line with the old IP to the new one you just obtained:
```plaintext
192.168.86.62 whitebox.foxtrot.lan whitebox # Old IP
192.168.x.x whitebox.foxtrot.lan whitebox # New DHCP IP
```
- Save and exit.
### Creating a New Virtual Bridge (`vmbrX`):
- **Add a New Virtual Bridge Configuration:**
- Edit `/etc/network/interfaces`:
```bash
vim /etc/network/interfaces
```
- Add a new bridge configuration at the end of the file:
```bash
auto vmbrX # Replace X with the next available number
iface vmbrX inet manual
bridge-ports none
bridge-stp off
bridge-fd 0
```
- Save and exit the editor.
- **Activate the New Bridge:**
- Restart the networking service to bring up the new bridge:
```bash
systemctl restart networking
```
### General Notes:

2642
tech_docs/virtualization/proxmox_docs.md Normal file
View File

File diff suppressed because it is too large Load Diff

1095
tech_docs/virtualization/proxmox_virtualmachines.md Normal file
View File

File diff suppressed because it is too large Load Diff

28
tech_docs/webdev/eleventy_structure.md Normal file
View File

@@ -0,0 +1,28 @@
```markdown
my-eleventy-project/
├── _includes/
│ ├── layouts/
│ │ └── base.njk
│ └── partials/
│ ├── header.njk
│ └── footer.njk
├── media/
│ ├── images/
│ └── videos/
├── css/
│ └── style.css
├── js/
│ └── script.js
├── pages/ (or just place *.md files here)
│ ├── about.md
│ ├── projects.md
│ └── contact.md
├── .eleventy.js
└── package.json
```

168
tech_docs/webdev/webdev_training.md Normal file
View File

@@ -0,0 +1,168 @@
## Feedback on Plans for Learning
Your plans for learning are detailed and purposefully directed towards achieving your goal of becoming a web developer. Here are some refined suggestions for enhancing your strategy:
- **Daily Practice:** Dedicate a minimum of 30 minutes daily to learn and practice. Consistent effort accumulates over time.
- **Community Engagement:** Seek help and share your progress in online communities such as [Stack Overflow](https://stackoverflow.com/) and [Reddit's r/webdev](https://www.reddit.com/r/webdev/) to foster learning through collaboration.
- **Patience:** Web development is intricate and may sometimes be frustrating. Remember, every expert was once a beginner. Persist with your efforts.
## SMART Goals for Training Plan
Refine your SMART goals as follows:
- **Specific:** Craft a basic webpage using HTML and CSS, incorporating at least one CSS framework by the end of the sixth week.
- **Measurable:** Complete all assignments in your ongoing [mention the specific course name] web development course.
- **Achievable:** Allocate a fixed 30 minutes daily for web development learning.
- **Relevant:** Stay focused on acquiring skills pivotal to web development, keeping abreast with the latest industry trends.
- **Time-bound:** Finish your web development course within a span of six months, setting a steady pace for learning.
## Weekly Training Schedule (Week 1)
Below is a more structured weekly schedule with practical tasks:
### Day 1
- **Objective:** Grasp the role and fundamental features of HTML in web development.
- **Resources:**
- [HTML Tutorial](https://www.w3schools.com/html/)
- [HTML Crash Course](https://www.theodinproject.com/lessons/foundations-introduction-to-html-and-css)
### Day 2
- **Objective:** Learn about the structural elements of an HTML document, focusing on <!DOCTYPE>, <html>, <head>, and <body>.
- **Resources:**
- [HTML Document Structure](https://www.w3.org/TR/html401/struct/global.html)
- [HTML Document Structure Tutorial](https://www.reddit.com/r/webdev/comments/q9f82u/i_made_a_detailed_walkthrough_of_the_odin/)
### Day 3
- **Objective:** Acquaint yourself with common HTML tags used to format a webpage.
- **Resources:**
- [HTML Tags](https://www.w3schools.com/tags/tag_html.asp)
- [HTML Tags Tutorial](https://www.theodinproject.com/lessons/foundations-elements-and-tags)
### Days 4-5
- **Practice:** Create a simplistic HTML webpage utilizing the tags learned. Share it with friends or online communities for feedback.
- **Resources:**
- [HTML Tutorial](https://www.w3schools.com/html/)
- [HTML Crash Course](https://www.theodinproject.com/lessons/foundations-introduction-to-html-and-css)
## Tips for a Fruitful Training Plan
Here are some actionable tips to augment your learning journey:
- **Prioritize Tasks:** Utilize the Eisenhower Matrix or ABCDE method to focus on high-priority tasks, optimizing your learning path.
- **Breaks:** Regular short breaks can prevent burnout and enhance focus. Ensure to take breaks during your learning sessions.
- **Mentorship:** Seek a mentor through platforms such as [LinkedIn](https://www.linkedin.com/) or local web development communities. A mentor can provide constructive feedback and guidance.
Remember to track your progress regularly to identify strengths and areas needing improvement. Wishing you the best in your web development learning journey!
and the following training plan:
## 24-Week Training Plan
### Step 1: Divide your training into smaller, manageable sections.
Break down your 24-week training plan into smaller, more manageable sections. For example, you could divide it into three 8-week phases, or four 6-week phases.
### Step 2: Assign specific weekly topics and objectives.
Once you have divided your training plan into sections, assign specific weekly topics and objectives. For example, in Week 1, you might focus on learning the basics of HTML and CSS. In Week 2, you might focus on building a simple webpage.
### Step 3: Create a Google Calendar for your training plan.
Create a new Google Calendar specifically for your 24-Week Training Plan. Set up all-day events for each week, and include reminders at the beginning of the week to help you stay focused.
### Step 4: Use Todoist to break down weekly objectives into daily tasks.
Use Todoist to break down your weekly objectives into daily tasks. Create a new project called "24-Week Training Plan" and set up sections for each week.
### Step 5: Allocate time for learning, practicing, and reviewing your progress.
Allocate time for learning new concepts, practicing, and reviewing your progress. Use time blocking or the Pomodoro Technique to allocate focused time to tasks and avoid multitasking.
### Step 6: Prioritize tasks based on importance and urgency.
Prioritize your tasks based on importance and urgency using the Eisenhower Matrix or ABCDE method. Focus on high-impact tasks first and address lower-priority tasks when time permits.
### Step 7: Set up a Trello board for your training plan.
Set up a Trello board for your 24-week training plan. Create lists for workflow stages (e.g., To Do, In Progress, Review, Completed), and add cards for tasks and objectives. Move cards between lists as you progress.
### Step 8: Organize your learning materials in Google Drive.
Organize your learning materials in Google Drive by creating folders for each week and adding documents, resources, and project files as needed.
### Step 9: Use automation tools to automate repetitive tasks or sync data.
Use automation tools like Zapier or Integromat to automate repetitive tasks or sync data between Google Calendar, Todoist, Trello, and Google Drive.
### Step 10: Use browser extensions to quickly add tasks or cards.
Use browser extensions like Todoist for Chrome or Trello for Chrome to quickly add tasks or cards without leaving your current webpage.
### Step 11: Set SMART goals and track your progress.
Set SMART goals for your training plan and track your progress regularly. Use tools like RescueTime or Clockify to monitor your time spent on tasks and identify areas for improvement.
### Step 12: Schedule regular breaks and leisure activities.
Schedule regular breaks and leisure activities to maintain a healthy work-life balance and prevent burnout.
### Step 13: Collaborate with others and seek feedback.
If you are working with others, use tools like Slack or Microsoft Teams to streamline communication and collaborate effectively. Schedule regular check-ins or meetings to discuss progress and share feedback.
### Step 14: Periodically review and adjust your workflow.
Periodically review your workflow and make adjustments based on your experiences, new tools, or changing priorities. Seek feedback from others who have successfully completed similar training programs or have expertise in the field.
**Additional tips:**
- Find a learning method that works best for you. Some people learn best by reading, while others learn best by watching or doing.
- Don't be afraid to ask for help. If you are struggling with a particular concept or task, reach out to a mentor, friend, or online community for assistance.
- Celebrate your successes. As you progress through your training plan, take the time to celebrate your accomplishments. This will help you stay motivated and on track.
## 24-Week Training Plan
**Week 1-4:**
- Introduction to web development history and terminology
- HTML fundamentals
- CSS fundamentals
- Web design principles
**Week 5-10:**
- CSS frameworks (e.g., Bootstrap, Tailwind CSS)
- JavaScript fundamentals
- DOM manipulation
- Asynchronous JavaScript
- Web accessibility and performance
**Week 11-14:**
- Svelte framework fundamentals
- State management and routing in Svelte
- Building small projects with Svelte
- Website project planning and collaboration
**Throughout the plan:**
- Allocate adequate time for practice and project work
- Schedule regular breaks and leisure activities
**Additional suggestions:**
- Use a learning management system (LMS)
- Join a study group or online community
- Seek out mentors or coaches
**Tips for success:**
- Be dedicated and hardworking
- Focus on learning the core concepts
- Practice regularly
- Build projects to apply your skills
- Get feedback from others

291
tech_docs/webdev/wp_kadence_wireframe.md Normal file
View File

@@ -0,0 +1,291 @@
# **Homepage Structure Using Kadence Blocks**
---
## **Hero Section**
### **Group:** Hero Introduction
- **Block:** Row Layout (Single Row)
- **Background:** Video or Image (16:9 aspect ratio) with `alt` text including primary keyword.
- **Block:** Advanced Heading
- **Content:** Main heading with primary keyword. Secondary keyword in the subheading.
- **Meta Description:** Informative description with the primary keyword.
- **Block:** Button
- **Action:** "Book an Event" with a descriptive `aria-label` for accessibility.
**Kadence Row Layout (Single Row)**
- **Background Settings**: Choose from color, gradient, image, or video. If using an image or video, ensure it's web-optimized.
- **Padding & Margin**: Adjust to create space and center content.
**Kadence Advanced Heading**
- **Font Settings**: Use H1 for main heading. Adjust font size, weight, and line-height for clarity.
- **Content**: Main heading with primary keyword. Add a secondary keyword in the subheading.
**Kadence Button**
- **Design**: Use Kadences styling options for button size, color, border-radius, and hover effects.
- **Link**: "Book an Event". Ensure the link directs to the booking section or page.
- **Row Layout (Single Row)**: This is appropriate for creating a hero section, as Kadence's Row Layout provides flexibility for both background and content settings.
- **Advanced Heading**: The Advanced Heading block in Kadence is suitable for hero section headings due to its extensive customization options.
- **Button**: The standard Gutenberg Button block is ideal for CTAs, especially in hero sections.
- **Video**: Consider adding a short video showcasing the chef's work for an engaging visitor experience.
> - Provides an immediate visual impact and introduces visitors to the chef's main offering.
> - Call to Action: "Book an Event"
> - Ensure the hero image loads quickly to reduce bounce rate.
> - Position the main heading and CTA (Call to Action) button above the fold for immediate visibility.
> - Use high-contrast colors for text and CTA to make them stand out against the background.
---
## **About the Chef**
### **Group:** Chef's Background
- **Block:** Row Layout (Two Columns: 1/3 + 2/3)
- **Column 1:**
- **Block:** Image (1:1 or 3:2 aspect ratio) with `alt` text describing the chef.
- **Column 2:**
- **Block:** Advanced Heading
- **Content:** Chef's name (with keyword) and bio. Include chef's relevant keywords in the bio.
- **Links:** Chef's social media profiles.
**Kadence Row Layout (Two Columns: 1/3 + 2/3)**
- **Column Gap**: Adjust to create a harmonious space between image and text.
**Kadence Image Block (1/3 column)**
- **Image Settings**: Choose a high-quality portrait of the chef and ensure it's web-optimized.
- **Alt Text**: Briefly describe the chef.
**Kadence Advanced Heading (2/3 column)**
- **Font Settings**: Use H2 tag and adjust font size, weight, and line-height.
- **Content**: Chef's name followed by a concise bio, ensuring a natural flow with keyword integration.
**Kadence Social Links (2/3 column)**
- **Design**: Customize icon size and colors.
- **Links**: Directly link to the chef's profiles on different platforms.
- **Row Layout (Two Columns: 1/3 + 2/3)**: This layout is effective for combining an image with textual content. The 1/3 column is suitable for the chef's image, while the 2/3 column can house the textual content.
- **Social Media**: Include links to the chef's social media profiles for increased engagement.
> - A brief introduction to the chef can help personalize the website and establish credibility.
> - Include a short bio and portrait.
> - Use a high-quality image of the chef. This helps in establishing trust.
> - Ensure the bio is concise and highlights the chef's achievements or specialties.
> - Include relevant keywords in the bio without keyword stuffing.
> - Use schema markup for the chef's bio to improve search engine visibility.
---
## **Services Offered**
### **Group:** Services Overview
- **Block:** Row Layout (Three Columns)
- **Each Column:**
- **Block:** Info Box with image (16:9 or 4:3 aspect ratio) with `alt` text (include service-specific keywords).
- **Content:** Heading with service-specific keywords, concise description, and Button ("Learn More" or "Book Now" with `aria-label`).
**Kadence Row Layout (Three Columns)**
- **Column Gap**: Adjust for even spacing between columns. Ensure columns stack on mobile for responsiveness.
**Kadence Info Box (Each Column)**
- **Image**: Use service-specific images that are web-optimized.
- **Heading**: Integrate service-specific keywords. Adjust font for clarity.
- **Description**: Provide concise service details.
- **Button**: Link to detailed service pages or booking options, using Kadence button styling.
- **Row Layout (Three Columns)**: This layout is suitable for showcasing multiple services side by side. For mobile views, ensure that the columns stack for responsiveness.
- **Info Box**: The Info Box block in Kadence is versatile and combines an image, heading, and button, making it ideal for service descriptions.
> - Showcase the primary services to give visitors an idea of what the chef specializes in.
> - Use concise descriptions and visuals.
> - Call to Actions: "Learn More" or "Book Now"
> - Highlight the most popular or signature services to capture interest.
> - Use clear and descriptive alt texts for service images.
> - Include CTAs within each service to drive user action.
---
## **Testimonials Slider**
### **Group:** Client Testimonials
- **Block:** Testimonial with Ratings
- **Content:** Rotating testimonials with name, designation, company, testimonial text, and ratings.
- **Link:** "Read All Testimonials" with `title` attribute for more context.
**Kadence Testimonial Carousel**
- **Layout**: Choose a design that allows for image, name, designation, and testimonial text.
- **Images**: Use uniform size, web-optimized images of the testimonial giver.
- **Content**: Display a curated list of impactful testimonials.
- **Navigation**: Adjust arrow and dot settings for user-friendly navigation.
- **Testimonial**: The Testimonial block provided by Kadence is apt for rotating testimonials and can also display associated images.
- **Ratings**: Integrate a rating system for testimonials to enhance credibility.
> - Social proof is powerful. Displaying a few select testimonials can build trust.
> - Call to Action: "Read All Testimonials"
> - Display testimonials with photos to increase credibility.
> - Rotate the most impactful testimonials.
> - Ensure the slider doesnt move too fast, allowing users to read comfortably.
> - Use schema markup for testimonials to increase their visibility in search engines.
---
## **Upcoming Events/Classes**
### **Group:** Events Schedule
- **Block:** Row Layout (Single Row)
- **Block:** Advanced Button (for viewing all events with `title` attribute)
- **Block:** Calendar with Link to Detailed Events Page
**Kadence Advanced Button**
- **Design**: Customize size, color, and hover effects.
- **Link**: Direct to a page with more comprehensive event details.
**Embed Block**
- **Integration**: Embed Google Calendar or another interactive system. Ensure it's styled to match the site's theme.
- **Calendar Integration**: Since neither Kadence nor Gutenberg provides a dedicated "Calendar" block, consider integrating Google Calendar, especially if it's linked with Calendly on the backend.
- **Detailed Events Page**: Include a link to a page with more comprehensive event details.
> - Inform visitors of any upcoming events or classes they can attend or book.
> - Call to Action: "View All Events"
> - Highlight limited-time or special events to create a sense of urgency.
> - Ensure the calendar is interactive and mobile-responsive.
> - Optimize event descriptions with relevant keywords.
> - Use schema markup for events to improve search engine visibility.
---
## **Gallery**
### **Group:** Image Gallery
- **Block:** Gallery with Lightbox
- **Content:** Images from past events/classes with descriptive `alt` texts.
- **Caption:** Write captions for each image with keywords.
**Kadence Gallery Block**
- **Layout**: Choose between grid or masonry layout. Enable lightbox feature for enhanced image viewing.
- **Images**: Upload web-optimized images with consistent aspect ratios.
- **Captions**: Provide concise descriptions with keyword integration.
- **Gallery Block**: Kadence's Gallery block is recommended due to advanced features like lightbox and masonry grid options.
- **Lightbox**: Implement a lightbox feature for an enhanced viewing experience.
> - A visual representation of past events, dishes, or classes can be enticing.
> - Call to Action: "View Full Gallery"
> - Optimize images for quick loading and mobile responsiveness.
> - Use descriptive alt texts for each image for SEO benefits.
> - Consider adding a lightbox feature for a larger view of images upon clicking.
---
## **Newsletter Signup**
### **Group:** Newsletter Subscription
- **Block:** Row Layout (Single Row)
- **Block:** Advanced Heading (for the section's title with primary or secondary keyword)
- **Subtitle:** Offer such as "Sign up and receive a 10% discount on your next booking or a free recipe."
- **Block:** Form (with `aria-label` for the email input field and "Subscribe" button).
**Kadence Form Block**
- **Fields**: Add fields for name and email. Customize placeholder texts.
- **Button**: Style the "Subscribe" button using Kadence settings.
- **Notifications**: Set up email notifications for each signup.
- **Forms**: While Kadence offers a form block, for specialized forms, especially newsletter sign-ups and detailed contact forms, consider linking to Google Forms for more functionality and flexibility.
> - Engage visitors by offering them a chance to stay updated with news, recipes, or special offers.
> - Call to Action: "Subscribe"
> - Position this near the footer but ensure it's visually distinct.
> - Make the sign-up process simple with minimal fields.
> - Ensure GDPR compliance if collecting emails from European visitors.
---
## **Contact & Booking**
### **Group:** Contact Details
- **Block:** Row Layout (Two Columns)
- **Column 1:**
- **Block:** Form (with fields for name, email, event type, date, and message, all with proper `aria-label` attributes for accessibility).
- **Column 2:**
- **Block:** Advanced Heading (for contact details, include keywords like "Contact [Chef's Name] for Corporate Cooking Events").
**Kadence Row Layout (Two Columns)**
- **Column Gap**: Adjust to create an even space between form and contact details.
**Kadence Form Block (1/2 column)**
- **Fields**: Include fields for name, email, event type, date, and message. Customize placeholders.
- **Button**: Style the "Submit" button using Kadence settings.
**Kadence Advanced Heading (1/2 column)**
- **Content**: Display contact details with keyword integration, ensuring natural readability.
> - Provide an easy way for visitors to reach out or book an event.
> - Call to Action: "Submit"
> - Make the form fields intuitive and easy to fill.
> - Use clear error messages and confirmations.
> - Ensure the form is mobile-responsive and loads quickly.
> - Consider adding a map showing the chef's location or primary service area.
---
## **Footer**
### **Group:** Footer Information
- **Block:** Row Layout (Multiple Rows)
- **Row 1:**
- **Block:** Navigation Menu (with `title` attributes for each link for more context).
- **Row 2:**
- **Block:** Icon List (for social media icons with proper `aria-label` attributes).
- **Row 3:**
- **Block:** Advanced Heading (for contact information with Schema Markup for local SEO).
**Kadence Navigation Menu**
- **Design**: Create a simple footer menu with essential links.
**Kadence Icon List**
- **Design**: Customize icon sizes, colors, and hover effects.
- **Links**: Directly link icons to respective social media profiles.
**Kadence Advanced Heading**
- **Content**: Display contact information and any necessary disclaimers.
- **Navigation Menu**: Utilize Kadence's Navigation block for a more customized menu experience in the footer.
- **Mobile Responsiveness**: Ensure that all blocks, especially those with columns, are set to stack or rearrange appropriately on mobile views.
> - Include essential links, contact information, and social media icons.
> - Keep the footer organized with clear categories or columns.
> - Ensure links are easy to click, especially on mobile devices.
> - Include an SEO-friendly sitemap link in the footer to aid search engine crawling.
---