20250429 push notes

This commit is contained in:
Petar Cubela
2025-04-29 16:29:52 +02:00
parent 214941710d
commit 0cb3f588fa
69 changed files with 944 additions and 61 deletions

View File

@@ -0,0 +1,23 @@
## Setup Interfaces
### Master
| Interface | Net |
| --------- | -------------- |
| LAN | 192.168.1.1/24 |
| WAN | 10.11.12.2/24 |
| pfSync | 10.0.0.1/31 |
#### Virtual IP
WAN IP address: 10.11.12.4/24
LAN IP address: 192.168.1.3/24
### Slave
| Interface | Net |
| --------- | -------------- |
| LAN | 192.168.1.2/24 |
| WAN | 10.11.12.3/24 |
| pfSync | 10.0.0.2/31 |
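Review bot: the "Virtual IP" block (10.11.12.4/24 and 192.168.1.3/24) appears only under Master and has no counterpart under Slave, so it is ambiguous whether these are CARP virtual IPs shared by both nodes or addresses that exist on the master alone. State that they are CARP VIPs configured on both nodes (or synchronized via pfSync/XMLRPC), and say explicitly that the 10.0.0.0/31 pfSync link is a dedicated, directly connected interface between the two nodes; the /31 suggests this is intended, but state synchronization traffic must not share a segment with clients.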

View File

@@ -0,0 +1,11 @@
**OPNsense** is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of bot m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
## Mission Statement
> "Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
> The project's name is derived from open and sense stands for: 'Open (source) makes sense.'"
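Review bot: typos in the second and third paragraphs: "bot m0n0wall" should read "both m0n0wall", and "within in a fashionable time" should be "within a reasonable time". This text is quoted from the OPNsense project description, so attribute it with a link, as the other notes in this commit do in their "Source" sections.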

View File

@@ -0,0 +1,43 @@
---
title: "OPNsense - Maintenance time estimate"
author: Petar Cubela
date: July 03, 2024
geometry: margin=1.5cm
output: pdf_document
---
## Intro
Let us roughly calculate the time needed to maintain a OPNsesne firewall.
Here we assumer that the firewall is already configured. Thus we are looking at standard maintenance of the device.
## OPNcentral
We are using OPNcentral which is able to monitor arbitrary numbers of OPNsense firewalls:
- it manually/automatically creates backups of all integrated firewalls
- backups can be read and compared for any firewall integrated in OPNcentral
- firmware, services and resources status of each OPNsense firewall can be managed via OPNcentral
- plugin configuration can be managed and send to each firewall via OPNcentral
## Time Consumption
- updates have to been done regularly which can be checked and updated for all firewalls simultaneously via OPNcentral (~ 1h per month for all firewalls!)
- in general the firewall will run flawlessly once setup without much interaction as long as nothing complicated has to be changed.
- changes in the configuration for known features should be in general simple (~1h per month for all firewalls!)
- changes for new plugins should take longer depending on the plugin but happens seldom (few/many days depending on plugin once each half year)
- OpenVPN integration is better integrated in Sophos. We will probably need to export the client configuration for each user (~ 1h per week for each firewall, depending on the number of users requiring vpn)
- there can be unexpected problems with the firewall in production use which we have to test and can not assess pre-usage (~ 1h per month a firewall)
### Estimation
- ~ 1h/month for updates
- ~ 1h/month for small config changes
- ~ up to days for configuring new desired plugins. happens once per year/half year?
- ~ 1h/month for vpn client export
- ~ 1h/month for unexpected issues/tickets
Which summarizes to **~ 4 hours per month** and more when new not-so-known plugins have to be configured.
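Review bot: the VPN figure is inconsistent: the Time Consumption list gives "~ 1h per week for each firewall" for client config export, but the Estimation list and the "~ 4 hours per month" total count it as "~ 1h/month". Either the per-week figure or the total is wrong; reconcile them before this goes to the customer. Spelling: "OPNsesne" → "OPNsense", "assumer" → "assume", "have to been done" → "have to be done", "send to each firewall" → "sent to each firewall".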

View File

@@ -0,0 +1,38 @@
## Intro
Start from beginning with factory settings.
### TODO
- [x] create sbxadmin user
- [x] Enable ssh
- [x] check wan is working
- [x] familiarize with Center management
- [x] manage opnsense via wan port (use DynDNS)
- [ ] try cluster of two opnsense nodes in proxmox
### Comments
- Very loooong boot times
## Enable LAN Bridge
Links to manuals:
- <https://docs.opnsense.org/manual/how-tos/lan_bridge.html>
- <https://kb.protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/>
## Enable SSH
System -> Settings -> Administration -> Secure Shell
- **Check** Enable Secure Shell
- Login Group: wheel, admins
- **DO NOT** permit root user login
- Permit password login
- Changed ssh port to 69
## Central Management
Follow: <https://docs.opnsense.org/vendor/deciso/opncentral.html>
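Review bot: the SSH settings permit password login while the TODO list records managing the firewall over the WAN port via DynDNS, so password authentication is reachable from the internet. Prefer key-based authentication (uncheck "Permit password login") and restrict the WAN rule for SSH to known source addresses. Moving the port to 69 adds little and collides with the well-known TFTP port, which makes firewall rules and log review harder to read; the generic checklist in this commit uses port 22, so pick one value and apply it consistently.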

View File

@@ -0,0 +1,8 @@
## DONE
- general settings
- SSH settings
- Networkflow config (optional??)
- Setup OpenVPN (authentication via local database)
- local backup for OPNcentral
- backup for hosts via OPNcentral

View File

@@ -0,0 +1,16 @@
- mailgateway
- reverse proxy (web application firewall)
- ssl/tsl inspection and decryption
- VPN authentication via Active Directory
## TODO
- [x] setup simple web server on a virtual linux machine
- [x] setup smtp in a virtual linux machine
- [x] set the test sever in opnsense's network
## Notes
VPN: Jan passwd: itKE=-gcbXN.=46
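Review bot: a plaintext credential ("VPN: Jan passwd: ...") is committed in the Notes section. Remove it from the file, treat the password as compromised and rotate it, and keep secrets in the password manager rather than in notes; deleting the line in a follow-up commit does not remove it from the repository history.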

View File

@@ -0,0 +1,3 @@
[[OPNsense-about]]
[[OPNsense-config]]
[[OPNsense-config_summary]]

View File

@@ -0,0 +1,4 @@
## Introduction
An _Intrusion Detection System_ (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors.
An _Intrusion Prevention System_ (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat.

View File

@@ -0,0 +1,113 @@
# OPNsense Feature Capability Overview (Industry Use)
This document lists the capabilities of the OPNsense firewall system, categorized by their **real-world stability and trustworthiness** in professional or industrial environments.
---
## ✅ Stable / Industry-Proven Core Features
These features are well-supported, reliable, and commonly used in production deployments.
### 🔧 Core Networking & Routing
- VLANs (tagged, untagged)
- Static and dynamic routing (OSPF, BGP via FRR plugin)
- Multi-WAN with load balancing / failover
- NAT (1:1, port forward, outbound NAT)
- DHCP/DHCPv6 Server & Relay
- DNS Resolver (Unbound) with DoT, conditional forwarding
- NTP Server
### 🔐 Firewall & Security
- Stateful firewall with alias system
- Schedule-based rules
- GeoIP blocking
- Packet logging and rule hit counters
### 👥 Authentication
- Local user DB
- LDAP / Active Directory (GPO support)
- Two-Factor Authentication (TOTP)
- Captive Portal with LDAP/RADIUS integration
### 🌍 VPN Services
- OpenVPN (with client export)
- IPsec (strongSwan)
- WireGuard (kernel module; fast & stable)
### 🔐 SSL Certificates
- ACME/Let's Encrypt support
- DNS-01, HTTP-01
- Auto-renewal + deploy to services
### 💾 Backup & Management
- Local and remote encrypted backup
- OPNcentral for multi-firewall config, update, backup
- High Availability (CARP-based)
---
## ⚠️ Moderately Reliable / Needs Case-by-Case Testing
These features are usable but require testing or tuning to ensure stability.
### 🛡️ Intrusion Detection / Prevention
- Suricata (IDS/IPS)
- Can impact performance on low-RAM systems (≥8GB recommended)
- Inline mode works but may be unstable with certain NICs
- Regular ruleset updates supported
### 🌐 Web Filtering / Proxy
- Squid Proxy + ICAP/ClamAV
- SSL inspection fragile; requires CA deployment to clients
- Transparent mode unstable on some NICs
- Basic caching stable; filtering can be unreliable
- ICAP antivirus adds CPU load
### 🔄 Dynamic DNS
- DDNS client with broad provider support
- Stable and scriptable
### ☁️ Remote Backups
- Supported to Google Drive, Git, Nextcloud (via plugin/scripting)
- Manual testing of restore process recommended
---
## ❌ Experimental / Immature Features
Avoid these for now in production or industrial deployments.
### 📬 Mail Gateway / Relay
- Basic Postfix relay plugin
- No spam filtering or advanced mail security
- Not recommended for secure mail handling
### 🌐 Web Application Firewall (WAF)
- Nginx WAF plugin exists
- No full ModSecurity/OWASP integration
- Better to isolate on a dedicated reverse proxy
### 📦 OPNProxy Plugin
- Adds fine-grained Squid-based user/group URL access control
- Inherits Squids instability
- Use with caution or for testing only
---
## Summary Table
| **Feature** | **Production Readiness** | **Notes** |
|-------------------------------|---------------------------|-------------------------------------------------------------|
| Core firewall, routing | ✅ Yes | Fully stable |
| VPN (OpenVPN, WireGuard) | ✅ Yes | Strong support and maturity |
| Suricata | ⚠️ With caution | Test on hardware; monitor CPU/RAM |
| Web Proxy / Filtering | ❌ Avoid or isolate | Only basic use; SSL filtering often unstable |
| Antivirus (clamav) | ⚠️ Optional | High CPU use; best supplemented by endpoint AV |
| DNS & DHCP | ✅ Yes | Mature and reliable |
| Mail Relay | ❌ No | Lacks required filtering and logging for industrial use |
| WAF (nginx) | ❌ No | Too limited for meaningful protection |
| DDNS, Backups, Certs | ✅ Yes | Useful and stable |
---
_This document is based on live testing, plugin maturity, and real-world experience with OPNsense in office and industrial settings._
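Review bot: the classification of the web proxy is inconsistent within the document: the section headings put "Web Filtering / Proxy" under "Moderately Reliable / Needs Case-by-Case Testing", while the Summary Table marks "Web Proxy / Filtering" as "❌ Avoid or isolate". Align the two. Minor: "Inherits Squids instability" → "Inherits Squid's instability"; "LDAP / Active Directory (GPO support)" is unclear, since group policy is a client-side mechanism that the firewall does not implement; say what is meant (for example distributing the proxy CA to clients via GPO).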

View File

@@ -0,0 +1,22 @@
## OPNsense Firewall Monthly Maintenance Estimate (Per Firewall)
### Typical Monthly Tasks
| **Task** | **Description** | **Estimated Time** |
|----------------------------------------|----------------------------------------------------------------------------------|---------------------|
| **Firmware & Plugin Updates** | Centralized via OPNcentral; all firewalls updated simultaneously. | 1 hour |
| **Routine Configuration Changes** | Adjusting existing settings, rules, or features (not new plugins). | 1 hour |
| **VPN Client Configuration** | Exporting client configs for OpenVPN/IPsec users. | 0.5 hour |
| **Monitoring & Alert Response** | Reviewing OPNcentral alerts and responding to system warnings. | 0.5 hour |
| **Unexpected Issues / Tickets** | Troubleshooting user reports or production issues. | 1 hour |
| | | |
| **Total (typical month)** | | **~4 hours** |
---
### Additional (Occasional) Tasks
| **Task** | **Frequency** | **Estimated Time** |
|----------------------------------------|--------------------------|----------------------------|
| **New Plugin Integration** | 12 times per year | 13 days (one-time effort) |
| **Firewall Policy Audit & Cleanup** | Quarterly or Biannually | 12 hours per audit |
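Review bot: the Additional Tasks table looks like it lost its range dashes: "12 times per year", "13 days" and "12 hours per audit" read as 1 to 2 times, 1 to 3 days and 1 to 2 hours, which also matches the "once per year/half year" estimate in the other maintenance note in this commit. Fix the cells, since a plugin effort of 13 days twelve times a year would dwarf the ~4 hour monthly total. The heading says "Per Firewall", but the firmware row says all firewalls are updated simultaneously within the same hour; clarify which rows scale with the number of firewalls.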

View File

@@ -0,0 +1,93 @@
# OPNsense Recommended Plugins & Features (Industrial / Office Use)
This list outlines reliable, useful, and practical plugins and features for deploying OPNsense firewalls in professional and industrial environments. Features are grouped by purpose and marked by their trust level.
---
## 🔍 Monitoring & Logging
### ✅ Telegraf Plugin
- **Purpose:** Exports system metrics (CPU, RAM, interfaces) for external monitoring.
- **Integration:** Grafana, InfluxDB, Prometheus.
- **Notes:** Lightweight and reliable.
### ✅ Netflow / Insight (built-in)
- **Purpose:** Provides traffic flow analytics, top talkers, and interface usage.
- **Use Case:** Bandwidth monitoring and anomaly detection.
- **Notes:** Data can be archived for audit purposes.
### ✅ Zabbix Agent
- **Purpose:** Integrates OPNsense into existing Zabbix NMS environments.
- **Notes:** Trusted in enterprise and industrial networks.
---
## 🔐 Access Control & Identity
### ⚠️ FreeRADIUS Plugin
- **Purpose:** Local RADIUS server for VPN, 802.1X WiFi, or Captive Portal.
- **Notes:** Complex to configure; powerful in the right hands.
### ✅ TOTP / 2FA for Web GUI
- **Purpose:** Adds two-factor authentication for admin access.
- **Notes:** Uses Google Authenticator or similar apps.
---
## 🛠️ Configuration & Deployment
### ✅ Shellcmd Plugin
- **Purpose:** Runs custom shell scripts/commands at boot or service start.
- **Use Case:** Advanced sysctl, cron jobs, or plugin fixes.
- **Notes:** Excellent for hotfixes or automation in production.
### ✅ Smart Plugin (S.M.A.R.T. Monitoring)
- **Purpose:** Monitors local disk health if firewall is installed on SSD/HDD.
- **Notes:** Essential for long-term reliability.
---
## 🧱 Firewall Enhancements
### ⚠️ GeoIP Aliases
- **Purpose:** Block/allow traffic by country.
- **Notes:** Requires MaxMind license (free with registration).
### ✅ Policy-Based Routing
- **Purpose:** Custom WAN selection per VLAN/service/source.
- **Notes:** Use for traffic shaping, failover, or VoIP priority.
---
## 📡 Edge / Optional Features
### ✅ NTP Daemon
- **Purpose:** Acts as internal time server for LAN devices.
- **Use Case:** Environments without external NTP access.
- **Notes:** Stable and lightweight.
### ✅ mDNS Repeater
- **Purpose:** Repeats multicast DNS between VLANs (Bonjour/AirPrint).
- **Use Case:** Offices with Apple devices or smart printers.
- **Notes:** Requires proper VLAN firewall rules.
---
## ✅ Recommended Baseline Set for Industrial Use
| **Category** | **Feature** | **Plugin** | **Trust Level** |
|--------------------|------------------------|-------------------|-----------------|
| Monitoring | Telegraf, Netflow | `telegraf` | ✅ Stable |
| Logging/NMS | Zabbix Agent | `os-zabbix-agent` | ✅ Stable |
| Automation | Boot Scripting | `shellcmd` | ✅ Stable |
| Identity/VPN | FreeRADIUS (optional) | `freeradius` | ⚠️ Moderate |
| Access Security | TOTP 2FA | Built-in | ✅ Stable |
| Routing Control | Policy Routing | Built-in | ✅ Stable |
| Geo Restrictions | GeoIP Aliases | MaxMind required | ⚠️ Moderate |
| Time Sync | NTP Server | Built-in | ✅ Stable |
| Edge VLAN Utility | mDNS Repeater | `mdns-repeater` | ✅ Stable |
---
_This list is curated for environments that require high uptime, low maintenance, and avoid fragile or poorly maintained features like Squid or Zenarmor._
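Review bot: plugin names in the baseline table are inconsistent: `os-zabbix-agent` uses the package name while `telegraf`, `shellcmd`, `freeradius` and `mdns-repeater` drop the `os-` prefix (the package names are os-telegraf, os-shellcmd, os-freeradius and os-mdns-repeater). Use the package name throughout so the table doubles as an install list. For the Shellcmd plugin, add that the commands it runs execute as root at boot, so changes to its configuration need the same review as firewall rule changes.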

View File

@@ -0,0 +1,40 @@
## Intro
Ziel: Gebe Kollegen und Kolleginnen einen Ueberblich ueber die wichtigsten Funktionender OPNsense, sodass sie effizient und selbststaendig damit arbeiten koennen.
## Notes
- Template/Anleitung fuer Firewall Regeln in IT-Glue
- Wichigsten genutzten Features der Sophos in OPNsense praesentieren
## Erste Schulung
### Ort
Hybrid: Teams + Meetingraum
### Zeit
Vorraussichtlich der 14.03.2025 um 10:00.
### Themen
#### Allgemein/System
- Lobby/Dashboard - Grundlagen, Customizierbar,
- System/Firmware - Einspielen, Richitges Mirror und Caveat, Updates, Plugins und Packages
- Gehe allgemein und grob die Einstellungen durch und Ihre Positionen
-
#### Firewall
- Aliass - sehr wichtig und praktisch - sollte durch OPNcentral gepushed werden
- NAT
- Rules
- Unterschiede zu Sophos - kein Masquerading erforderlich (macht opnsense automatisch?)
#### Interfaces
### VPN
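Review bot: the outline has unresolved items: an empty bullet under Allgemein/System, empty Interfaces and VPN subsections, and the open question on masquerading ("macht opnsense automatisch?") under Firewall. Resolve the NAT question before the session, since it is exactly the Sophos-to-OPNsense difference attendees will ask about, and either fill or drop the empty sections. Typos: "Ueberblich" → "Ueberblick", "Funktionender" → "Funktionen der", "Wichigsten" → "Wichtigsten", "Richitges" → "Richtiges", "Vorraussichtlich" → "Voraussichtlich", "Aliass" → "Aliase".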

View File

@@ -0,0 +1,46 @@
## Notes
- Wichigsten genutzten Features der Sophos in OPNsense praesentieren
## Topics
- Erster EInblick in das Dashboard der OPNsense
- Ueberblick ueber die Anreihung der Funktionen der Firewall
- Unterschiede zur Sophos Firewall
- Verwaltung durch unsere OPNcentral Instanz
- Firmware, Lizenzen, Plugins und Packages in OPNsense
- Backups
- Firewall - Aliase, NAT und Regeln
- EURE FRAGEN
- (Optional) Interfaces/Schnittstellen
- (Optional) (Open)VPN
## Standard Features (OPNsense vs. Sophos)
- DNAT corresponds to Port Forward (NAT)
- SNAT corresponds to Outbound (NAT)
### OPNsense
#### Nativ
- Base Setup (Routing, dhcp, dns, firewall regeln, vlans, authentizierungs server: ldap, totp, local, radius)
- VPN: IPsec, OpenVPN, Wireguard
- IDS/IPS Schutz via Suricata
- backup: lokal, central instanz, google drive. Extra: nextcloud, git, ...
#### Extra Features
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSl inspection, managed TLS exclusion)
- Antivirus via (clamav + c-icap)
### Sophos
- Basis (network, dhcp, dns, firewall regeln, vlans, authentizierungs server: ldap, ad, radius, azure sso, etc.)
- VPN: IPsec, SSL VPN (OpenVPN), L2TP, PPTP
- IDS/IPS
- Web Protection
- Application Protection
- Email Protection
- Web Server Protection
- Active Threat Response
- Zero-day Protection
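Review bot: the Sophos list includes Email Protection, Web Server Protection and Zero-day Protection, while the OPNsense side lists only native and proxy features, and the feature overview in this commit rates mail relay and WAF as experimental. Mark in the comparison which Sophos features have no stable OPNsense equivalent so attendees do not assume parity. Typos: "EInblick" → "Einblick", "authentizierungs server" → "Authentifizierungsserver".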

View File

@@ -0,0 +1,38 @@
## Source
- <https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/>
- <https://docs.opnsense.org/manual/ips.html>
## Introduction
> "The Intrusion Prevention System (IPS) system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to detect and mitigate security threats at wire speed."
## Initial Settings
1. Got to "Services > Intrusion Detection > Administration" which defaults to the "Settings" tab
2. Click the "Enable" checkbox to activate intrusion detection
3. Activate IPS by checking "IPS mode"
4. Optional: If using VLANs, check the "Promiscuous mode" checkbox
5. Set the pattern matcher as "Hyperscan"
6. As Interface choose "LAN" to monitory the local network traffic
7. When finished click "Apply" to save the settings.
Even though intrusion detection is enabled nothing will happen until we have
downloaded some rule sets and configure at least one policy.
Below you see a picture of the network configuration:
![img1](opnsense/idsips/settings.png)
## Downloading and Enabling Rulesets
**(NOTE FOR ME: It has yet too be decided which rules we will use eventually. This
also depends on the specific customer' needs.)**
1. Change to the "Download" tab.
2. Select all pre-defined lists (depends on customer' needs) and click on "Enable
selected" and directly after "Download & Update Rules"
3.
![img2](opnsense/idsips/downloads.png)
## Creating a Policy
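Review bot: the procedure is incomplete: step 3 under "Downloading and Enabling Rulesets" is empty, "Creating a Policy" has no content, and the bold "NOTE FOR ME" leaves the ruleset choice undecided, even though the text states that nothing happens until at least one policy exists. Either finish the steps or mark the page as draft. Step 2 enables and downloads all predefined lists; the feature overview in this commit warns about Suricata memory use on small systems, so the selection should be deliberate rather than "select all". Typos: "Got to" → "Go to", "monitory" → "monitor", "too be" → "to be", "customer'" → "customer's".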

View File

@@ -0,0 +1,3 @@
## Source
- <https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/>

View File

@@ -0,0 +1,15 @@
## UTM Configuration
- [x] ids/ips (suricata)
- [ ] web proxy
- [ ] antivirus
- [ ] openvpn
- [ ] acme
- [ ] mail protection
- [ ] waf
## Non-common
- [ ] VLAN
- [ ] LAGG

View File

@@ -0,0 +1,57 @@
## SNMP Konfiguration mit bsnmpd
Die hier beschriebene Anleitung konfiguriert SNMP in der Version 2c.
**Installiere nicht das SNMP Plugin! (i.e.: os-net-smp)**
Es wird nicht mit **bsnmp** funktionieren.
## Schritte auf der OPNsense
1. Oeffne eine OPNsense Konsole (zum Beispiel: ssh ueber vpn) und melde dich als `root`-user an. (Befehl: `su`)
2. Aktiviere den `bsnmpd`-Dienst durch Erstellung der Datei `/etc/rc.conf.d/bsnmpd` mit dem folgenden Inhalt:
`bsnmpd_enable="YES"`
3. Auskommentiere die folgenden Zeilen in `/etc/snmpd.config`, um benoetigte SNMP Module zu aktivieren:
```
read := "your_snmp_community"
begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
```
Trage fuer die Variable `read` den genutzten Community Namen ein.
4. Starte den `bsnmpd`-Dienst mit dem folgenden Befehl:
`/etc/rc.d/bsnmpd start`
5. Setze eine Firewall Regel auf, welche es erlaubt von einem Quell Geraet die OPNsense ueber den SNMP Port (161) zu erreichen.
6. Teste die Verbindung durch eine SNMP Abfrage an der OPNsense.
## Dont use
```
*** This port installs snmpd, header files and libraries but does not
start snmpd by default.
If you want to auto-start snmpd and snmptrapd, add the following to
/etc/rc.conf:
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_conffile="/usr/local/share/snmp/snmpd.conf /etc/snmpd.conf"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
**** You may also specify the following make variables:
NET_SNMP_SYS_CONTACT="zi@FreeBSD.org"
NET_SNMP_SYS_LOCATION="USA"
DEFAULT_SNMP_VERSION=3
NET_SNMP_MIB_MODULES="host smux mibII/mta_sendmail ucd-snmp/diskio"
NET_SNMP_LOGFILE=/var/log/snmpd.log
NET_SNMP_PERSISTENTDIR=/var/net-snmp
to define default values (or to override the defaults). To avoid being
prompted during the configuration process, you should (minimally) define
the first two variables. (NET_SNMP_SYS_*)
You may also define the following to avoid all interactive configuration:
BATCH="yes"
```
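Review bot: step 3 says "Auskommentiere" (comment out) the `read` and module lines in `/etc/snmpd.config`, but the stated intent is to activate them, so it should read "Entferne die Kommentarzeichen" (uncomment). The plugin name in the warning is misspelled: "os-net-smp" → "os-net-snmp". Because this configures SNMP v2c, the `read` community string is a plaintext credential: keep the real value out of the notes and make the firewall rule in step 5 allow only the monitoring host's source address. The "Dont use" block is the post-install message of the net-snmp port and does not belong in the instructions; if it is kept, say why it is there.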

View File

@@ -0,0 +1,21 @@
## Intro
[Source](https://docs.opnsense.org/be.html#)
> A mission critical version of the well-known OPNsense firewall.
> The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
> Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall.
> - Mission critical
> - LINCE compliant (security verification by trained third party independent professionals)
> - Commercial firmware repository
> - Free GeoIP database
> - Official OPNsense Open Virtualisation Image
> - Central Management, including easy one click remote host access, provisioning and monitoring.
> - Web Application Firewall
> - Free E-Book (English & German)
### More Information
- [Central Management](https://docs.opnsense.org/vendor/deciso/opncentral.html)
- [Web Application Firewall](https://docs.opnsense.org/vendor/deciso/opnwaf.html)
- [Extended Blocklist](https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html)

View File

@@ -0,0 +1,17 @@
## MyNotes
- It is advised to generate proper certificates for the machines.
## Installation
Install `os-OPNcentral` under System->Firmware->Plugins
## Register new hosts
- Generate an API key and secret from the machine which should be granted access to.
- API keys are managed in the user manager
-
## Provisioning Classes
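Review bot: the section is unfinished: the third bullet under "Register new hosts" is empty and "Provisioning Classes" has no content. Since the API key and secret are managed per user in the user manager, add that a dedicated user with only the privileges OPNcentral needs should be created on each managed host instead of reusing the administrator account.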

View File

@@ -0,0 +1,62 @@
## Sbx Office IP
- 213.160.17.142/28
- 213.160.17.141
## Generic Checklist
- [x] Set WAN - generic DHCP
- [x] Set LAN - generic 192.168.1.1
- [x] timezone: Europe/Berlin
- [x] Set Hostname (OPNsense) , domain name (localhost)
- [x] ntp server
- [x] static dns setup
- [x] std sbxadmin user
- [x] enable assess log (system -> settings -> administration)
- [x] LAN Bridge - generic all ports in bridge except igc1 (second port) is WAN port
- [x] enable ssh: enable, DO NOT permit root login, permit password login, port: 22
- [ ] firewall rules (LAN, WLAN, WLAN Guest {drop packets to LAN} ), std port activation
- [ ] local backups
- [ ] add office public ip as trusted (wan only reachable via office ip)
### Optional
- [x] web filtering
- [x] http scanning
- [ ] application control
- [x] ssl/tls inspection
- [ ] ssl certificates
### Mandatory Plugins
- [x] OPNcentral (for central management)
## Special Checklist
- [ ] add license TO: system -> firmware -> settings
- [ ] WAN - static config or pppoe or whatever
- [ ] LAN - ip network
- [ ] domain name (gw.domain.tld)
- [ ] ldap server config
- [ ] system update on first boot! (WITH BUSSINES LICENSE)
- [ ] setup dhcp server if used
- [ ] connect to opncentral
- [ ] create backups to opncentral
- [ ] setup ldap server
- [ ] setup openvpn server with authentication via ldap
## OPNsense Importer
> "All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations."
- Create generic standard config to import at each customer install.
## OPNcentral Provisioning
We can use OPNcentral to provision the configuration of the customer's device, which is probably more useful than using the importer. Has to be tested.
## Notes
- ATTENTION: On first initial install bussines license has to be configured before updating!!
- DNS Servers: Cloudflare
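Review bot: "add office public ip as trusted (wan only reachable via office ip)" is still unchecked while SSH with password login is enabled; restricting WAN access to the office addresses should be mandatory before a firewall leaves the office, not a trailing item. The SSH port here is 22, while the earlier setup notes in this commit use 69; pick one. Typos: "enable assess log" → "enable access log", "BUSSINES" → "BUSINESS". The Notes give Cloudflare as DNS, while the customer config in this commit uses the firewall itself plus an arbitrary provider; record the actual standard.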

View File

@@ -0,0 +1,86 @@
## Intro
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
### Plugins
- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client
## Sophos features to reproduce
### Network
- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
### Authentication
- [x] Require MFA for: user portal, web admin console
- [ ] setup ad as "server" in opnsense
- [ ] import users form ad!!! (I hope it works...)
#### Not required
- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal
### Miscellaneous
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
- [x] SSL VPN - Needs to be tested properly
- [x] using SSL/TLS inspection with squid (transparent web proxy)
## Firewall rules to reproduce
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
## IPS
- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
## Web Proxy
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] https encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
### Optional
The following features are too complicated and thus only optional.
## Web application firewall
- [ ] too complicated
## Wireless
- [ ] does it need to be configured on opnsense???
## Mail protection
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
## Web Server
- not used
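Review bot: several details need checking: the office address in the WAN access rule (213.160.17.158) lies outside the 213.160.17.142/28 range given in the generic checklist (that /28 covers .128 to .143); the DNS forwarding entry mixes "ffr.local" and "frr-srv-dc02.frr.local", so one of the domain names is misspelled; and "[y]" is not a recognised checkbox state, so use "[x]"/"[ ]" or a "not required" label. Spelling: "Froward Proxy" → "Forward Proxy".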

View File

@@ -0,0 +1,5 @@
1. Learn Central Management
2. Include firewall to OPNcentral
3. Setup acme for ssl/ setup OPNWAF with acme included
4. Provision OPNsense Firewall via central management

View File

@@ -0,0 +1,40 @@
## Introduction
Goal: Propose a UTM firewall based on the opnsense operating system to the customer.
Make "Bundles" including different kind of features with different price tags:
### Features
#### Main
- Base setup (routing, generic config, firewall rules, vlans, authentication via ad, etc...)
- VPN (standard OpenVPN)
- Free SSL certs (via ACME and Lets Encrypt) with auto-renewal
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL inspection, managed TLS exclusion, https de-/encryption) (!NOTE!: opnsense ca needs to be trusted from every client, which can be distributed by a GPO rule)
- Extend Feature of OPNsense Antivirus (with clamav + c-icap)
- IDS/IPS Protection via Suricata
#### Not implemented yet
- Mail Protection via Mail Relay on OPNsense
- WAF
#### Optional
- DynDNS
- Backup of config to google cloud, git or nextcloud (standard is backup locally and to opncentral)
- `OPNProxy`-Plugin extends Web Proxy to fine grained control of user/group access to certain domains/urls
### Bundles
#### Level 1
- Base
- VPN
- SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)
#### Level 2
- Web Proxy + Antivirus
- IDS/IPS Protection
#### Level 3
- Mail Protection
- WAF
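Review bot: Level 3 bundles Mail Protection and WAF, but the same file lists both under "Not implemented yet" and the feature overview in this commit rates them "Experimental / Immature". Do not offer a priced bundle for features that are neither implemented nor recommended; mark Level 3 as roadmap. The CA note on the web proxy is a customer-facing decision: SSL inspection requires the firewall's CA to be trusted by every client, which the customer has to accept explicitly.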

View File

@@ -1,31 +0,0 @@
## Source
- [unattended Winstall - Github](https://github.com/memstechtips/UnattendedWinstall)
- [answer files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11)
- [unattended-generator](https://schneegans.de/windows/unattend-generator/)
## 20250303 - Todo
- [ ] Zertifikat (VZBY_SecurityAppliance_SSL_CA.cer) einfuegen
- [ ] Vantage Tool Installieren im Userkontext
- [ ] Energiesparmodus bei Netzbetrieb auf 'nie' setzen
- [ ] Freigabe [\\vzby-srv-fp01\install$](file://vzby-srv-fp01/install$) (nur als Domain-Admin) mappen wäre praktisch…
- [ ] SW - M365, MS Teams, PDF24, Sophos Connect, Sophos Endpoint Agent, Firefox, Acrobat Reader, Teamviewer QS aus Public Desktop, Netlogon Script als Verknuepfung auf Plublic Desktop
- [ ] SW in Userkontext - SBX-Generator
- [ ] Taskleiste:
- [ ] ausblenden von: Copilot, Store, Outlook New
- [x] Suchefeld auf "nur Suchsymbol setzen"
- [ ] Aktive Anwendungen auf "aus"
- [x] Taskleiste auf "links" verschieben
- [ ] Sophos Connect (wenn installiert), auf "dauerhaft" im SysTray platzieren
## Rezept
The steps we want to implement:
1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files" and install NinjaOne Agent autmatically
2. Change Computername
3. AD coupling - it probably possible to also use the Answer files for this
4. SW Installation - Use NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne

View File

@@ -1,113 +0,0 @@
## Source
- [unattended Winstall - Github](https://github.com/memstechtips/UnattendedWinstall)
- [answer files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11)
- [unattended-generator](https://schneegans.de/windows/unattend-generator/)
## 20250303 - Todo
- [ ] Zertifikat (VZBY_SecurityAppliance_SSL_CA.cer) einfuegen
- [ ] Vantage Tool Installieren im Userkontext
- [ ] Energiesparmodus bei Netzbetrieb auf 'nie' setzen
- [ ] Freigabe [\\vzby-srv-fp01\install$](file://vzby-srv-fp01/install$) (nur als Domain-Admin) mappen wäre praktisch…
- [ ] SW - M365, MS Teams, PDF24, Sophos Connect, Sophos Endpoint Agent, Firefox, Acrobat Reader, Teamviewer QS aus Public Desktop, Netlogon Script als Verknuepfung auf Plublic Desktop
- [ ] SW in Userkontext - SBX-Generator
- [ ] Taskleiste:
- [ ] ausblenden von: Copilot, Store, Outlook New
- [x] Suchefeld auf "nur Suchsymbol setzen"
- [ ] Aktive Anwendungen auf "aus"
- [x] Taskleiste auf "links" verschieben
- [ ] Sophos Connect (wenn installiert), auf "dauerhaft" im SysTray platzieren
## VZ requirements
- Kein Secure Boot benoetigt
- USB sticks anzahl
### User
- User: Admin, Pass: Wgdkr!4mE
### Pre-settings
- Einfache Systemwiederherstellung (im unattended.xml??, galube nicht umsetzbar, da Microsoft dies erzwingt)
- Deaktivierung Schnellstart (DONE)
- "Outlook Neu"-Button ausblenden
- Kamera und Mikrofon unter Datenschutzeinstellungen einschalten
- bei Druckerinstallation: Point to Print-Problem lösen - Reg Key ausführen (reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f)
- Energieeinstellungen bei "Netzbetrieb": Nie runterfahren
### Software
- **Ninja One Agent**
- Office M365 (M365 Business Standard)
- PDF24
- MS Teams
- Lenovo Commercial Vantage
- Sophos Endpoint Agent
- Sophos Connect
- Firefox Browser
#### Public Desktop
- TeamviewerQS.exe (sbx quick support)
- Script: Netzlaufwerke aktualisieren (C:\WINDOWS\system32\cmd.exe /c "cscript \\VZBY.lan\NETLOGON\logon.vbs && exit")
## Meeting Michael (17.01.2025)
The steps we want to implement:
1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files"
2. AD coupling - it probably possible to also use the Answer files for this
3. Ninja Agent Installation - again, use answer file
4. SW Installation - Use NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne
## Meeting (10.02.2025)
#### Teilnehmer
- Hannah Bischof
- Oliver Kaspar
- Petar Cubela
### Takeaway
- pxe boot optimal (falls moeglich)
- generische Win11 Installation
- mit Kunden abgestimmte software auf allen Rechner installieren, welche benoetigt wird (NinjaOne)
- im Buero Loesung haben und potentiell bei groesseren Kunden, wo es sich lohnt
## Options - autoinstall
#### pxe
- Linux netboot.xyz Server (should work)
- SCCM - Configuration Manager
- Intune (expensive)
#### other
- boot stick and iso +unattended.xml (Microsoft's answer file)
## Gespraech mit Martin
- ablauf und termin muss mit vz geklaert werden. auch in bezug zu unsere ressourcen
- idee: pxe-boot einer praeparierten iso+xml welche sich automatisch installiert (samt ninja agent) und darauf folgende Installation aller sw pakete via ninja
## Meeting Vorbereitung unattende.xml 20250212
### Open Questions
- time zone: test automatic time zone settings using the language settings
- where should windows explorer be displayed: quick access or _this pc_
- hide the _task view_ button?
- configure wifi interactively or skip it???
- how to inject script? (for instance to install ninja agent)
### mandatory manually for now
- change computer name
- add to domain (domain join)
- ninja agent install
- trigger software installation via ninja
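Review bot: the line `- User: Admin, Pass: Wgdkr!4mE` under `### User` commits a local administrator password in plaintext; keep only a pointer to the password manager here (other notes in this commit already write `Password: IT-Glue`) and treat the pushed value as exposed, so the password on every device built from this profile should be rotated. Second, the `reg add ... RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0` command under `### Pre-settings` lets standard users install printer drivers via Point and Print again, which reverts a Microsoft default hardening on every client; if it is needed for the printer rollout, document the reason next to it and plan to set the value back once the drivers are deployed. Minor: `galube` and `Plublic` are typos.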

@@ -1,46 +0,0 @@
```powershell
#Download and Run MSI package for Automated install
## VZ
#$uri = "https://eu.ninjarmm.com/agent/installer/22ea45a7-e951-4229-b305-ef9178339f0c/verbraucherzentralebayernmnchenmo9-7.0.2317-windows-installer.msi"
## SBX link for tests
$uri = "https://eu.ninjarmm.com/agent/installer/f816281d-6f56-4f13-abd6-5d4abf4dc67a/softboxhauptsitz-7.0.2317-windows-installer.msi"
$out = "c:\Temp\NinjaOneInstaller.msi"
if ( !( Test-Path "C:\Temp" ) )
{
New-Item -ItemType Directory -Path "C:\Temp"
}
Function Download_MSI_NinjaOne_Installer{
Invoke-WebRequest -uri $uri -OutFile $out -UserAgent ([Microsoft.PowerShell.Commands.PSUserAgent]::FireFox)
$msifile = Get-ChildItem -Path $out -File -Filter '*.ms*'
write-host "NinjaOne MSI $msifile "
}
$msifile = Get-ChildItem -Path $out -File -Filter '*.ms*'
Function Install_NinjaOne{
write-host "NinjaOne MSI $msifile "
$FileExists = Test-Path $msifile -IsValid
$DataStamp = get-date -Format yyyyMMddTHHmmss
$logFile = '{0}-{1}.log' -f $msifile.fullname,$DataStamp
$MSIArguments = @(
"/i"
('"{0}"' -f $msifile.fullname)
"/qn"
"/norestart"
"/L*v"
$logFile
)
If ($FileExists -eq $True)
{
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -passthru | wait-process
write-host "Finished msi "$msifile
}
Else {Write-Host "File doesn't exists"}
}
Download_MSI_NinjaOne_Installer
$msifile = Get-ChildItem -Path $out -File -Filter '*.ms*'
Install_NinjaOne
```
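Review bot: deleting this script does not remove the two tenant-specific NinjaOne installer URLs (the `$uri` lines) from the repository history; treat those links as confidential and decide whether they need to be regenerated. If the script is reused elsewhere, two fixes: `Test-Path $msifile -IsValid` only checks that the path string is well-formed, it does not check that the file exists, so `$FileExists` is `$True` even when `Invoke-WebRequest` failed and `msiexec.exe` is then started on nothing; use `Test-Path $out` and verify the download before installing, for example with `Get-AuthenticodeSignature`. Also the `$msifile = Get-ChildItem ...` assignment inside `Download_MSI_NinjaOne_Installer` is function-local, which is why the same line is repeated twice at script level; set it once after the download and pass it to `Install_NinjaOne` as a parameter.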

@@ -1,131 +0,0 @@
## ToDo
- [=] ap integrieren
- [=] ap ip anpassen
- [x] server auf maintenance in ninja einstellen
- [x] mount kid befestingen
- [=] switch ip anpassen
- [x] vlans erstellen
- [=] switch vlans konfigurieren
- [x] dns einstellungen anpassen
- [x] client rechner an switch (welche ports brauchen untagged client net)
- [x] fw regeln fuer vpn
- [x] second admin vpn
- [ ] star money, datev for ssl inspection exclude
- [ ] services.starfinanzen.de
- [ ] frontgate-eu.factsetdigitalsolutions.com
- [ ] starmoney.aboalarm.de
- [ ] web.starmoney.de
- [ ] starfinanz.de
- [ ] starmoney.de
- [ ] naechste Woche mehr kure gruene kabel mitnehmen (.25m)
## Einsatz
- WLAN-Intern: d5C9nhBBDGhd
- fP33-y4be-M8Qk
### Switch Ports
| Port | Device(s) | VLANs | Note |
| ---- | -------------------- | -------------------------------- | --------------- |
| 1 | Firewall | tagged: default, untagged: all | |
| 2 | HP | | ws |
| 4 | Mitel (phone) | untagged: 11, tagged: none | |
| 13 | Mitel (phone) | untagged: 11, tagged: none | |
| 19 | Mitel (phone) | untagged: 11, tagged: none | Printer |
| 25 | ? | | |
| 27 | Mitel (phone) | untagged: 11, tagged: none | WS-Boschmann |
| 28 | Mitel (phone) and HP | untagged: 11, tagged: none | WS |
| 34 | Mitel (phone) and HP | untagged: 11, tagged: none | WS-07 |
| 35 | Mitel (phone) | untagged: 11, tagged: none | |
| 37 | Mitel (phone) | untagged: 11, tagged: none | |
| 38 | HP | | ws |
| 39 | Mitel (phone) and HP | untagged: 11, tagged: none | WS |
| 40 | Mitel (phone) | untagged: 11, tagged: none | |
| 41 | Mitel (phone) and HP | untagged: 11, tagged: none | WS-14 |
| 43 | Sophos AP | untagged: default, tagged: 30,40 | several devices |
| 44 | HP | | ws |
| 46 | Mitel (phone) | untagged: 11, tagged: none | |
| 47 | ? | | |
| 48 | Server in UG | untagged: 11, tagged: none | |
## Basis
### Network
#### Interfaces
- LAN (Port1): Network 192.168.11.254/24
- [x] define V11_LAN_SERVER for this network
- [x] Call physical LAN interface V50_LAN_MGMT
- WAN (Port2 and Port8): Two Configured
- [x] Port2: PPPoE (versatel) 104.151.27.221/32
- [x] Port8: Static 192.168.178.254/24 (Fritzbox. For phone?)
- WiFi (BuF_Gast): Network: 192.168.111.100
#### VLANs
Currently no VLANs (except this weird wifi thing).
VLANs for new Firewall:
- V11_LAN_SERVER
- V20_LAN_CLIENT
- V30_WLAN_INTERNAL
- V40_WLAN_GUEST
- V50_LAN_MGMT
- (V70_LAN_PHONE ??)
#### DHCP
- DHCP only for WLAN_Gast: 192.168.111.101 - 192.168.111.120
- DC is doing DHCP for 192.168.11.0/24 network: 192.168.11.80 - .159
#### Services
- Star Money (banking)
- Teamviewer
- Cosoba
- DATEV
- Zoom
- DropBox
- Google Drive
- OneDrive
- M365
- Sharepoint
#### DNS
- [x] Configure DNS request route to DC for new Firewall
- DC is doing DNS when acting as DHCP Server
### Authentication
#### Server
- Server Type: AD
- Server Name: BUF-SRV-DC-01
- Server IP/Domain: 192.168.11.13
- Connection Sec: SSL/TLS
- Port: 636
- NetBIOS domain: BUF
- ADS user name: sophos_ldap
- Password: IT-Glue
- Emal address attribute: mail
- Domain name: buf.local
- Search Queries: dc=buf,dc=local
### Phone
- not separate configuration needed. Only Set WAN to fritz correctly. Check the connectivity to phones after migration
### VPN
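Review bot: the two values under `## Einsatz` (`WLAN-Intern: d5C9nhBBDGhd` and the key on the next line) are Wi-Fi pre-shared keys in plaintext; removing the file in this commit leaves them in the history, so they should be rotated on the Sophos AP and only referenced from the password manager from now on, the way `Password: IT-Glue` is done in the `#### Server` block. Also the closing `### VPN` heading has no content, so the VPN setup for this site is undocumented.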

@@ -1,142 +0,0 @@
## Intro
- Ziel: Schreibe eine detailierte Anleitung, welche es moeglich die DNS Eintraege von bind zu aendern ohne den Server kaputt zu machen.
- Motivation: Die bind Konfiguration wurde versehentlich erfolgreich zerstoert, was dazu fuehrte, dass der bind Server nicht mehr funktionierte.
## Receipt
Um Aenderungen am bind9 Server beim BVV durchzufuehren muss der Syntax von bind beachtet werden. Bei Fehlern kann es sein, dass die ganze DNS Aufloesung nicht mehr funktioniert.
### Einfuehrung
Alle Konfigurationsdateien fuer bind liegen im Ordner `/etc/bind/` am ns2 Server. Die Hauptkonfigurationsdatei fuer bind ist hierbei `/etc/bind/named.conf` von der Alles ausgeht. `named` ist herbei der Dienst zu `bind` zugehoerige Dienst, welcher im Hintergrund laueft; der Status der `named`-Dienstes kann geprueft werden mit: `systemctl status named`.
Saemtliche Zonen fuer die von diesem `bind` Server verwalteten Domaenen sind in der Datei `/etc/bind/named.conf.local` hinterlegt; die zugehoerige Datei fuer jede Domaene wo die DNS Eintrage gesetzt werden sind hier in der Datei `/etc/bind/named.conf.local` definiert unter der Variablen `file`. Unter der hier genutzten Strukturierung sind die DNS Eintraege hinterlegt in den Dateien `/etc/bind/db.<tld>.<domain>`. Zum Beispiel die DNS Eintraege fuer die Domaene `vhs-bayern.de` liegt in der Datei `/etc/bind/db.de.vhs-bayern`.
### Aenderungen der DNS Eintraege
Um die DNS Eintraege einer bestimmten Domaene zu aendern, muss die jeweilige Zonen Datei geoeffnet werden; zum Beispiel `/etc/bind/db.de.vhs-bayern.de` fuer die Domaene `vhs-bayern.de`:
```conf
$ORIGIN vhs-bayern.de.
$TTL 60
@ IN SOA ns1.vhs-bayern.de. hostmaster.vhs-bayern.de. (
2024121702 ; serial number (yyyymmddxx)
14400 ; refresh every 4 hours
14400 ; retry after 4 hours
604800 ; expire after 7 days
43200) ; default ttl is 12 hours
IN A 49.13.175.195 ; old: 144.76.93.148
IN NS ns1.vhs-bayern.de.
IN NS ns1.m-online.net.
IN NS ns2.m-online.net.
;;;;;;;;;;;;;;;;;;;;;;;;;;
;;; Local Host Address ;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;
localhost IN A 127.0.0.1
;;;;;;;;;;;;;;;;;;;;
;;; NS Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;
newsletter.vhs-bayern.de. 1800 IN NS ns0.isprit2.de.
newsletter.vhs-bayern.de. 1800 IN NS ns1.isprit2.de.
;;;;;;;;;;;;;;;;;;;;
;;; MX Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;
listserver.vhs-bayern.de. IN MX 10 listserver.vhs-bayern.de.
;;;vhs-bayern.de. IN MX 10 mx01.vhs-bayern.de.
ns1.vhs-bayern.de. IN MX 10 mx01.vhs-bayern.de.
intmx IN MX 10 domino
intmx IN MX 20 domino2
mailtest.vhs-bayern.de. 60 IN MX 10 mailtest
vhs-bayern.de. IN MX 0 vhsbayern-de0i.mail.protection.outlook.com.
;;;;;;;;;;;;;;;;;;;;;
;;; TXT Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;;
;;vhs-bayern.de. 60 IN TXT "v=spf1 a mx ip4:62.245.128.64/27 ip4:62.245.128.96/27 include:spf.protection.outlook.com -all"
vhs-bayern.de. 60 IN TXT "v=spf1 a mx ip4:20.50.178.65/32 ip4:62.245.128.64/27 ip4:62.245.128.96/27 include:spf.protection.outlook.com -all"
vhs-bayern.de. 3600 IN TXT "MS=ms64478158"
;_dnsauth.vhs-bayern.de. 300 IN TXT "2024021509350769xvfne3rv45zuft4zpkil5d67tbpvkvnjlfei3862b34yrbsj"
_dnsauth.vhs-bayern.de. 300 IN TXT "202411121019550lyjgntwd5v35uvf533roxftuvkf9hbv20okc4g3xt0umpn6p8"
_dnsauth.www.vhs-bayern.de. 300 IN TXT "202411121019550lyjgntwd5v35uvf533roxftuvkf9hbv20okc4g3xt0umpn6p8"
;;;;;;;;;;;;;;;;;;;;;;;
;;; CNAME Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;;;;
autodiscover CNAME autodiscover.outlook.com.
selector1._domainkey CNAME selector1-vhsbayern-de0i._domainkey.bvv1.onmicrosoft.com.
selector2._domainkey CNAME selector2-vhsbayern-de0i._domainkey.bvv1.onmicrosoft.com.
;;;;;;;;;;;;;;;;;;;
;;; A Eintraege ;;;
;;;;;;;;;;;;;;;;;;;
mx01 IN A 62.245.128.92
rproxy2 IN A 62.245.128.84
mail-gw1 IN A 62.245.128.85
;analytics IN A 62.245.128.69
domino IN A 192.168.1.108
domino2 IN A 192.168.1.109
;2009 IN A 62.245.128.90 deaktiviert 17.12.2024
;rproxy IN A 62.245.128.65
;eportfolio IN A 62.245.128.75
;ksc IN A 62.245.128.71
;ksc2 IN A 62.245.128.71
;portal1 IN A 192.168.1.117
;portal2 IN A 192.168.1.118
;db2portal IN A 192.168.1.119 deaktiviert 17.12.2024
;ntp IN A 192.168.1.110 deaktiviert 17.12.2024
;ntp IN A 192.168.1.130 deaktiviert 17.12.2024
ns1 IN A 62.245.128.66
vpn IN A 62.245.128.125
;ol3 IN A 62.245.128.89 deaktiviert 17.12.2024
;icsdb2 IN A 192.168.1.131 deaktiviert 17.12.2024
;ics1 IN A 192.168.1.132
;ics2 IN A 192.168.1.133
icsweb1 IN A 62.245.128.70 ;Staecker fragen
mailtest 60 IN A 62.245.128.94 ;?
;ttwportal 60 IN A 144.76.93.148 deaktiviert 17.12.2024
;www.ttwportal 60 IN A 144.76.93.148 deaktiviert 17.12.2024
www 60 IN A 49.13.175.195 ;Neuer Provider old: 144.76.93.148
production IN A 49.13.175.195 ;Neuer Provider 4motion
testing IN A 49.13.175.195 ;Neuer provider 4motion
analytics IN A 49.13.175.195 ;Neuer Provider 4motion
```
**Wichtig zu beachten hier ist, dass bei jeder Aenderung einer dieser Zonendateien die Seriennummer (ganz oben in der Datei im ersten DNS Eintrag) *erhoeht* werden muss. Egal um welchen Wert; die Seriennummer muss nur groesser sein, als die vorherige! Uebliches Schema ist das heutige Datum mit einer nachgestellten Zaehlung fuer jede Aenderung des Tages; zum Bespiel: 2025032401. Ohne diesen Schritt wuerde der Dienst Fehlermeldungen ausgeben und nicht mehr funktionieren.**
Sagen wir fuegen der obigen Datei einen DNS-Eintrag: `test IN A <ip-address>` ein. Damit dieser wirksam wird muss die Seriennummer im ersten DNS Eintrag erhoeht werden:
```conf
$ORIGIN vhs-bayern.de.
$TTL 60
@ IN SOA ns1.vhs-bayern.de. hostmaster.vhs-bayern.de. (
--------> 2025032401 ; serial number (yyyymmddxx) <---------------
14400 ; refresh every 4 hours
14400 ; retry after 4 hours
604800 ; expire after 7 days
43200) ; default ttl is 12 hours
IN A 49.13.175.195 ; old: 144.76.93.148
IN NS ns1.vhs-bayern.de.
IN NS ns1.m-online.net.
IN NS ns2.m-online.net.
```
Nachdem die Anpassung durchgefuehrt wurde sollten zu Sicherheit die Konfigurationsdateien auf Richtigkeit geprueft werden:
1. Pruefe die Konfiguration der 'Master'-Datei: `named-checkconf /etc/bind/named.conf`. Keine Ausgabe bedeutet: Alles gut!
2. Pruefe die Zonendatei mit: `named-checkzone vhs-bayern.de /etc/bind/db.de.vhs-bayern`:
```sh
root@ns2:/etc/bind# named-checkzone vhs-bayern.de db.de.vhs-bayern
zone vhs-bayern.de/IN: loaded serial 2024121702
OK
```
Der Befehl zeigt auch die aktuelle Seriennummer der Zone an!
3. Sofern es bei den zwei vorherigen Schritten keine Fehlermeldungen gab, kann der `named`-Dienst neugestartet werden mit: `systemctl restart named`
4. Pruefe noch den Status den `named`-Dienstes mit `systemctl status named`. Wenn es keine Fehler gibt sollte der neu hinzugefuegt Eintrag funktionieren.
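Review bot: the zone file path is inconsistent inside the guide: `### Einfuehrung` and the `named-checkzone` example use `/etc/bind/db.de.vhs-bayern`, while the first sentence under `### Aenderungen der DNS Eintraege` says `/etc/bind/db.de.vhs-bayern.de`; use one spelling so an operator does not create a second, unused file. In step 3 prefer `rndc reload vhs-bayern.de` (or `systemctl reload named`) to `systemctl restart named`: a reload applies the new serial without interrupting resolution, and if the edited zone is broken named logs the error and keeps serving the previously loaded copy, whereas after a restart a zone that fails to load is not served at all until it is fixed, which is the outage the `## Intro` describes. `named-checkconf -z /etc/bind/named.conf` is a useful addition to step 1 because it loads every configured zone in one pass. Also the heading `## Receipt` should read `## Recipe`.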

@@ -30,15 +30,15 @@ output: pdf_document
## Funktionen
- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
- VPN (OpenVPN)
- Free SSL certs (via ACME)
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
- OPNsense Antivirus Loesung (Clamav + C-Icap)
- IDS/IPS
- WAF
- OPNcentral
- [x] Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
- [x] VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
- [x] VPN (OpenVPN)
- [x] Free SSL certs (via ACME)
- [ ] Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
- [ ] OPNsense Antivirus Loesung (Clamav + C-Icap)
- [x] IDS/IPS
- [ ] WAF
- [=] OPNcentral
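Review bot: `- [=] OPNcentral` uses a checkbox marker that Markdown task lists do not recognise (only `[ ]` and `[x]` render), so it will appear as literal text; either use `[ ]` with a short status such as '(in Arbeit)' or define the `[=]` convention once at the top, since the same marker appears in other notes in this commit.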
## Zertifikate

@@ -1,22 +1,143 @@
## Vor Ort Notes
opnsense ui: root, 4H?bh,wXU85JrXs
opnsense ui: sbxadmin, %bghY!FH65Z
cloud key: user: sbxadmin, 'M-_qt5cglnvX3NYn-XhU'
Main switch: 70:a7:41:ff:e4:4b
Subscription key: 4d91f57a-c10f-47c4-98c9-d6cf9eceeb15
## General
- [x] Change public DNS entries (gw.knoppwassmer.de -> \<public-ip\> )
- [x] ports der unifi untersuchen
- [x] setup acme with dns challenge (issue tomorrow)
- [x] configure dhcp on all unifi devices
- [x] unifi dashboard - define all vlan networks
- [x] add to opncentral
- [x] fotos machen
- [x] ips/ids anschalten
- [x] backup via ftp to nas if possible
- [ ] change ilo ip such that its in the mgmt net
- [ ] unifi cloud key mit cloud koppeln
- [ ] Switch und APs in IT-Glue hinterlegen
- [ ] physische Beschriftung anpassen
## Kerio Features
### Network
- WAN: 10.0.70.2 (FritzBox PPPoE)
- LAN: 192.168.70.1/24
- VPN: 192.168.170.1/24
- VPN: 172.16.70.1/24
### DNS and DHCP
- [x] domain name: ad.knoppwassmer.de
- [x] query forwarding: `*.zvelo.com` -> `1.1.1.1,1.2.2.1`
## OPNsense
### Network
| Name | Interface | Network | Note |
| ---------- | --------- | ----------------- | -------------- |
| WAN | WAN | 10.0.70.2/32 | FritzBox PPPoE |
| MGMT | LAN | 192.168.50.254/24 | |
| SERVER | LAN | 192.168.70.254/24 | |
| CLIENT | LAN | 192.168.20.254/24 | |
| WLAN | LAN | 192.168.30.254/24 | |
| WLAN_GUEST | LAN | 192.168.40.254/24 | |
| Name | Interface | VLAN tag | Network | Note |
| ---------- | --------- | -------- | --------------- | ----------------------- |
| WAN | WAN | / | 10.0.70.2/32 | FritzBox PPPoE |
| MGMT | LAN | 1 | 192.168.50.1/24 | |
| SERVER | LAN | 70 | 192.168.70.1/24 | |
| CLIENT | LAN | 20 | 192.168.20.1/24 | |
| WLAN | LAN | 30 | 192.168.30.1/24 | USE CLIENT net for WLAN |
| WLAN_GUEST | LAN | 40 | 192.168.40.1/24 | |
| OpenVPN | VPN | | 172.16.70.1/24 | |
### Firewall
#### Aliase
- [x] filewave
- [x] mailstore
- [x] nas
- [x] sbxoffice
- [x] ad
- [x] printer (NEW IP: 192.168.20.10. OLD IP: 192.168.70.200)
#### Rules
##### WAN
- [ ] enable geo filter (iran, north korea, russia)
- [x] Allow VPN entrypoint to WAN via VPN port
##### MGMT
- [x] allow 'mgmt addr' to AD server via ldap
- [x] allow 'mgmt net' to AD via dns
##### USER
- [x] allow 'user net' to AD via dns
- [x] allow 'user net' to nas via smb
- [x] allow 'user net' to AD via ldap(s)
- [x] allow 'user net' to 'server net' via https
- [x] allow 'user net' to mailstore via its web port (Reverse Proxy in future)
- [x] allow 'user net' to vwlizenz via (any?)
- [x] allow 'user net' to filewaveserver via filewaveservice ports
##### VPN
- [x] allow 'vpn net' to AD via dns
- [x] Allow SMB for VPN Client network
- [x] allow vpn net to server net
##### SERVER
- [x] Allow filewave out
#### DNAT
- [x] Port 8462/tcp from WAN address to Mailstore IP NAT
- [x] Port Group "Filewave" from WAN address to Filewave IP NAT
### Authentication Server
- [x] AD coupling somehow - DNAT from sbxoffice to local AD via LDAP(s)
### VPN
- depends on: Authentication Server
- [x] Setup OpenVPN.
- [x] Self-Signed Certificate Chain: Root CA, Server Cert and Client Cert
- [x] setup openvpn server
- [x] setup client certs
### IPS/IDS
- [x] setup and configure surricata - very heavy on resources.. need to be tested
### Content Filter
- [ ] Recreate - if possible - application, web and https filter
### Reverse Proxy (Web Server Protection)
- [ ] projektpro
- [ ] Andere?
### NTP
- Server: `srvu-master.ad.knoppwassmer.de`
## Archive
### Vor Ort Notes
1. Plane Switch Portbelegung
2. Stelle alle Geraete auf dhcp um:
1. [x] switches
2. [x] APs
3. [x] Cloud-Key
4. [x] Telefone
5. [x] Drucker (drucker muss mehr angepasst werden: dns)
3. Dangerous: Setze VLANs auf designierte Ports um
4. Geraete runterfahren
5. Neue Firewall anschalten und hoffen, dass es klappt
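Review bot: the five lines under `## Vor Ort Notes` put the OPNsense root and sbxadmin passwords, the Cloud Key password and the subscription key into the repository in plaintext; keep only a pointer to the password manager (elsewhere these notes write `Password: IT-Glue`) and rotate the pushed values, because deleting them in a later commit does not purge them from history. Under `### Network` the two interface tables disagree (gateways `.254` versus `.1`, no VLAN tags versus tags 1/70/20/30/40); label the first as the old layout or drop it so the address plan has one source of truth. Separately, MGMT on VLAN tag 1 puts the management network on the switches' default native VLAN, which every unconfigured untagged port is a member of; a dedicated tag (the `V50_LAN_MGMT` naming used for the other site suggests 50) keeps management traffic off such ports.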

@@ -1,6 +0,0 @@
## Open Things
- [ ] Clustering
- [ ] tight Firewall Rules (VPN -> GA)
- [ ] integrate to OPNcentral

@@ -1,6 +0,0 @@
## HA
### Use a XG and a SG?
- Not possible
- For CARP (Common Address Redundancy Protocol) the HW needs to be equal

@@ -1,50 +0,0 @@
## Goals
- 2x WAN - 1 external and 1 internal (GA-Network)
- Static Routing via WANlrz for BACnet SW
- 1x LAN - `10.52.12.0/24`
## Facts
### WAN
> **Note:** Such a setup requires extended considerations and settings which is discussed in [[opnsense-on-sophosHW-multi_wan]].
> WANpub will be the primary WAN port
> WANlrz is temporarily used for the BACnet software and will be disabled after 2-4 months. The Campus-GA network will in future only be reachable by vpn.
#### External WAN
(primary WAN, in future ga netz ueber vpn)
- Network: `129.187.9.243/29`
- Gateway: `129.187.9.246`
- DNS Server: `129.187.104.5` (How reachable?)
#### Second WAN
- `192.157.165.50/24` (Campus GA-Netz, for BACnet SW. 2-4 Months living)
### LAN
- Interne Netzwerke(20241208):
- `10.52.12.0/24` Hauptgebäude GA (VLAN12)
- `10.52.50.0/24` GA-Netz (VLAN50)
- Interne Netzwerke(20241216):
- `10.52.12.0/24` LAN
### Port Forwarding
- BACnet `47808/udp`
### OpenVPN
- Set up for access to GA network
### Location
- FRM Versorgungsgebaeude
## Vor Ort Einsatz
- port forwarding in both direction to second esxi nic
- <https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense>
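Review bot: the `### Port Forwarding` entry `BACnet 47808/udp` forwards a protocol that carries no authentication of its own, so the NAT rule should be restricted to the source network it is meant for (the Campus GA net under `#### Second WAN`, which should be written as the network `192.157.165.0/24` rather than the host `192.157.165.50/24`) and be logged; since the notes say WANlrz is disabled after 2-4 months and GA access then moves to VPN, put a removal date on the rule. The `## Vor Ort Einsatz` item 'port forwarding in both direction to second esxi nic' is too terse to act on: which ports, which direction, and on which WAN?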

@@ -1,17 +0,0 @@
## Specific
In our setup we won't use Failover as the second WAN is primarily such that it has access to the Campus GA-network (`192.157.165.0/24` ? )
## General
### Multi WAN
Multi WAN scenarios are commonly used for failover or load balancing, but combinations are also possible with OPNsense.
#### Configure Failover
To setup Failover the following steps need to be taken:
1. Add monitor IPs to the gateways
2. Add a gateway group
3. Configure DNS for each gateway
4. Use policy based routing to utilize our gateway group
5. Add a firewall rule for DNS traffic that is intended for the firewall itself

@@ -1,3 +0,0 @@
- [multi-wan](https://docs.opnsense.org/manual/how-tos/multiwan.html)
- [hacarp](https://docs.opnsense.org/manual/hacarp.html)
- [carp](https://docs.opnsense.org/manual/how-tos/carp.html)

@@ -1 +0,0 @@
erstelle einen separaten nutzer fuer externe Besucher der TUM, welcher mit otp eingestellt ist fuer die Authentifizierung.

@@ -1,14 +0,0 @@
List of tickets/tasks to consider for the appointment at the 4th of July 2024:
| Number | Title | short description | company |
| -------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------- |
| T20240627.0021 | Mail accounts | specific Subscription for projects desired | kwa |
| T20240627.0021 | AirDrop von iPad auf Rechner | AirDrop only function unidirectional | kwa |
| T20240624.0011 | VPN am Handy und iPad einrichten | for mobile devices we need the preshared key for ipsec to function. PSK missing. Probably we will set new one | kwa |
| T20240701.0047 | 2 MacBooks einrichten | | ssr |
| T20240702.0019 | Vor-Ort Support | std macbook setup. write manual for it | ssr |
| T20240619.0035 | Apple Mail-Programm: Implementierung von 2 externen Mail-Serverprogrammen | inlcude mail accounts into mail client | ssr |
| T20240612.0021 | Ninja-Onboarding | 2 Mitarbeiterinnen haben Ninja noch nicht auf ihren Rechnern | ssr |
| T20240611.0054 | Problem Projekt Pro | PP not working. Seems to be a general Problem. Mr. Schneider-Zimmer contacted the PP support. | ssr |
| T20240611.0020 | Speicher fast voll | delete unnecessary stuff. Jan planned an appointment for next week. | ssr |
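Review bot: the ticket number `T20240627.0021` is used on two rows (Mail accounts and AirDrop von iPad auf Rechner), so one of them is wrong and cannot be looked up; correct it. Minor: 'inlcude' should be 'include'.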

@@ -1,52 +0,0 @@
## Notes
- imac backup und einrichten
- telefonie
-
## Equipment
- Etikettiergeraet
- 4/5-Port Switch
- 8-Port Switch falls andere nicht geht
- LAN-Kabel
## WLAN KWA
- Fuege Grundriss in Unifi hinzu und schaetze optimale AP Position
## Neue Insel 1 im grossen Saal
- Neuer Arbeitsplatz: bestehende 24 Port Switch hernehmen + ein 4/5-Port Switch
- pruefe funktionsweise der alten Switch. Nehme Notfall Switch mit
- Tische Verkabeln
## Patch Switch Kabel Zuordnung
### Insel 1 KWA
| Label Patchpanel | Label Switch |
| ---------------- | ------------------- |
| 13 | 28 |
| 14 | 30 | Geht nicht
| 15 | 32 |
| 16 | 34 |
| 17 | 36 |
| 18 | 3 (SSR AP draussen) |
| 19 | 38 |
| 20 | 40 |
### Insel 3 SSR
| Label Patchpanel | Label Switch |
| ---------------- | ------------- |
| 31 | 24 |
| 32 | 12 |
| 33 | 13 |
| 34 | 14 |
| 35 | 15 |
| 36 | 23 (Telefon) |
| 37 | 16 |
| 38 | not connected |
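Review bot: the row `| 14 | 30 | Geht nicht` has its remark outside the two-column grid, so renderers either add a stray third column or drop the text; put it in the cell like `3 (SSR AP draussen)` does, or add a Note column to both tables. The empty `-` bullet under `## Notes` should be removed.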

@@ -1,32 +0,0 @@
Kleiner Umbau am Do 03.10 - So 06.10.
## ToDos
* Wechsel Insel 1. und 3. (low Prio):
- Main: Patching anpassen
- Pruefe _zuvor_ das Labeling der Leitungen
- Am besten am 02.10 druchfuehren, so dass am 07.10 mit neuer Platzverteilung gearbeitet werden kann
- Insel 1, Labeling PatchPanel: 13-20, Labeling Switch:
- Insel 2, Labeling PatchPanel: 5-12, Labeling Switch:
- Insel 3, Labeling PatchPanel: 31-38, Labeling Switch:
- Insel 4, Labeling PatchPanel: 23-30, Labeling Switch:
* Neue "Insel 1" von SSr (siehe Plan unten) braucht Internet:
- 3 Kabel laufen an alten Insel 4 vorbei und laufen zu "PLAN rueber"
- Kabel bei alten Insel 4 freilegen und freie Ports an Patchpanel zum Serverraum koppeln
- Kabelzuordnung muss geklaert werden
- Wo enden Kabel bei neuer "Insel 1"?
- Switch u. AP bei neuer "Insel 1", damit 6 Plaetze Internet haben
* Neuer AP fuer Flaechendeckende Abdeckung
- Plane anhand bestehender Draufsicht und Groessenangaben
- Welcher AP? (Unifi, Ruckus, sonst.)
* Verkabelung nachvollziehen
- Patchpanel zu Tischen ist klar (Label)
- Patchpanel zu Switch nicht klar (Kabelsalat)
- orangene Wandkabel laufen alle(?) zu Patchpanel in Serverrack von KWA (wird Trennung erschweren)
## Bueroplaene
![SSR](ssr/ssr-after-umbau-plan.pdf)
![KWA](kwa/kwa-after-umbau-plan.pdf)

@@ -1,19 +0,0 @@
## Abrechnung
- Einrichtung Laptops als Projekt buchen
## SSR/KWA
- Zur Not Kabel uebers Fenster aussen am Balkon fuehren
- unifi access point ok
- suche 8 Port Switch im Buero
## TU Web Server
- Install DokuWiki
## NeuKunde
- 10 - 15 Mitarbeiter
- Nutzen nur Macs
- Betreuen IBM GrossRechner

@@ -1,37 +0,0 @@
## Notes
- naechster termin: 02.10: Inseltausch 1 <-> 3 (labelgeraet mitnehmen)
- Neuer Arbeitsplatz: bestehende 24 Port Switch hernehmen + ein 4/5-Port Switch
- Am besten Tische mit Kabelfuehrung und Unterfach
- Ueberlegung Telefone abzuschaffen und teams zu nutzen
- altes Insel 1 ein Lan Kabel beschaedigt?
-
## Patch Switch Kabel Zuordnung
### Insel 1 KWA
| Label Patchpanel | Label Switch |
| ---------------- | ------------------- |
| 13 | 28 |
| 14 | 30 |
| 15 | 32 |
| 16 | 34 |
| 17 | 36 |
| 18 | 3 (SSR AP draussen) |
| 19 | 38 |
| 20 | 40 |
### Insel 3 SSR
| Label Patchpanel | Label Switch |
| ---------------- | ------------- |
| 31 | 24 |
| 32 | 12 |
| 33 | 13 |
| 34 | 14 |
| 35 | 15 |
| 36 | 23 (Telefon) |
| 37 | 16 |
| 38 | not connected |

@@ -1,10 +0,0 @@
## Netzwerkumstrukturierung
- Firewall (Kerio -> Sophos) und Access Points (-> Ruckus) dieses Jahr tauschen
- Switche und Rest naechstes Jahr
- Mit neuer Firewall Netzwerk umstrukturieren mit VLANs (mgmt, gast, intern)
## AP options
- <https://eu.store.ui.com/eu/en?search=mesh&category=all-wifi> "AC Mesh" recommended
- Ruckus thing

@@ -1,21 +0,0 @@
## Notes
### SSR/KWA next appointment
- IPhone setup for annika luedeke
- MacBook Setup for annika luedeke (MICHAEL)
- VPN on all iOS devices
- Mailboxes problem -> skip because there is a project to migrate to m365
- AirDrop test if issue is resolved
### SSR Apple id business manager
- managed Account: vpp-ssr@studio-stadt-region.de
- all other deprecated.
### iOS setup
Needed:
- Mail config
- Filewave integration
- VPN setup

@@ -1,11 +0,0 @@
## KWA/SSR
| Name | Manufacturer | Expiration | Admin |
| ------------------------- | -------------- | ---------- | ----- |
| iLO Advanced | HPE | Permanent | sbx |
| vCenter | VMWare vSphere | | sbx |
| vCenter Server Essentials | VMWare vSphere | | sbx |
| vSphere 7 Essentials | VMWare vSphere | | sbx |
| vSphere Essentials | VMWare vSphere | | sbx |
| Vectorwrx rlm_server | Vectorworks | Permanent | sbx |
| Mailstore | Mailstore? | n/a | griD |

@@ -1,13 +0,0 @@
## Notes
- Kalendar und Kontakte migrieren
- Oeffentliche Ordner migrieren abgesehen von alten Projekten
- Nutzer Postfaecher mitmigrieren
- Lizenzen von altem Dienstleister auf uns uebertragen
- outlook in filewave kiosk integrieren, sodass es jeder runterladen kann
- kerio connect kuendigen nach der Migration. Lizenz Uebertragung pruefen
- aktuelle m365 Lizenz: Bussines Standard. Reicht erst mal aus
- Angebot schicken zu neuen Lizenzen
- pruefen wie voll die einzelnen Postfaecher sind

@@ -1,23 +0,0 @@
## Teilnehmer
- Nina Schiffel
- Sebastian Peter
- Maximilian Kriesmair
- Petar Cubela
## Terminbeschluss
- KW9: 24.02 - 26.02
## Notizen
- 2 Raeume als 'Kontakte'
- Wo sind Kontakte abgelegt?

@@ -1,12 +0,0 @@
## Links
- https://support.kerioconnect.gfi.com/hc/en-us/articles/360015196179-Migrating-Content-from-Kerio-Connect-to-Another-Platform
- https://www.recoverytools.com/kerio/migrator/buy.html
##
## Timing
- KWA: Im Oktober
- SSR: so schnell wie moeglich
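Review bot: the bare `##` line between `## Links` and `## Timing` is an empty heading that renders as a blank header; delete it or give it a title.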

@@ -1,28 +0,0 @@
## iPhone
- <https://mail.studio-stadt-region.de> besuchen - oder analog fuer kwa - und UNTER der login maske "profil runterladen" anklicken und anmelden ==> dies synced CalDAV, CardDAV, WebDAV aufs Handy
- VPN einstellen - Lokalen User im Kerio anlegen und Berechtigung fuer VPN geben. Am Handy in nativen VPN Einstellungen anlegen mit Typ: L2TP
## MacBook
### Checkliste
1. Mail Postfach anlegen (In Kerio Connect User anlegen)
1. Nutzer Profil in AD anlegen (In Univention User anlegen)
1. Nutzer Profil am Mac anlegen (Lokalen User an Mac Book anlegen)
1. iCloud (Sie erstellen selber ein iCloud Acc)
1. In M365 User anlegen und mit Lizenz versehen (Iwas mit Bussines-teuer-und-unverschaemt)
1. Mail Client (imap und smtp. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1.)
1. Calendar Config (manuell CalDAV. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1. )
1. Filewave Kiosk Client (https://kb.filewave.com/books/downloads/page/filewave-version-1542)
1. BusyContacts (manuell CardDAV. Server: `mail.<domain.de>`, Credentials: Siehe Punkt 1. )
1. icloud raumkalendar hinzufuegen (siehe IT-Glue. MFA otp auf sbx Smartphone)
1. NinjaOne Client (U know it)
1. Kerio VPN Client (Filewave Kiosk)
1. Projekt Pro (FileMaker Pro aus Filewave Kiosk. Projekt Pro ueber FileMaker einrichten und oeffnen bis zum Anmeldefenster)
1. Vectorworks (Filewave)
1. Microsoft Word/Excell/Powerpoint installieren und testen
1. Druckertreiber runterladen
https://eu.ninjarmm.com/agent/installer/665ef278-986b-4969-b436-26b1b254d6d5/studiostadtregionarchitekturstadtentwicklunghauptsitz-6.0.1816-installer.dmg
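Review bot: the NinjaOne installer URL on the last line hangs below the checklist without any text; move it into the `NinjaOne Client (U know it)` step as its link, and since the URL is tenant-specific (it embeds an installer token) treat it as confidential like the other credentials and reference it from the password manager instead of committing it. Minor: 'Excell' should be 'Excel'.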

@@ -1,22 +0,0 @@
## Intro
Here, we shortly summarize how to onboard an iPhone.
### CheckList
- mail
- cal
- busycontacts
- teams
- vpn
## Mail, Contacts, Calendar
Follow:
- [Kerio Anleitung](https://manuals.gfi.com/en/kerio/connect/content/email-clients/mobile-devices/synchronizing-your-iphone-with-kerio-connect-251.html)
## Kerio VPN
1. Create a local user on the Kerio Firewall specific for VPN usage. Usage of the VPN has to be enabled explicitly.
2. Follow: <https://support.keriocontrol.gfi.com/hc/en-us/articles/360015189519-Configure-VPN-on-iOS-and-Android-devices>. (L2TP with Pre-Shared Key)

@@ -1,3 +0,0 @@
<h2 id="problem">Problem</h2>
<p>On apple silicon hardware the Kerio VPN service is not enabled natively. Third party kernel extensions have to be enable on Apple silicon-based Macs.</p>
<p>Follow this <a href="https://macsupport.tuxera.com/hc/en-gb/articles/4409208805522-How-do-I-enable-third-party-kernel-extensions-on-Apple-silicon-based-Macs">guide</a>.</p>

@@ -1,5 +0,0 @@
## Problem
On apple silicon hardware the Kerio VPN service is not enabled natively. Third party kernel extensions have to be enable on Apple silicon-based Macs.
Follow this [guide](https://macsupport.tuxera.com/hc/en-gb/articles/4409208805522-How-do-I-enable-third-party-kernel-extensions-on-Apple-silicon-based-Macs).

@@ -1,75 +0,0 @@
## Ressources
- <https://wiki.archlinux.org/index.php/samba#Server>
- <https://wiki.archlinux.org/title/Samba#Client>
## Intro
As is often the case the [Arch Wiki](https://wiki.archlinux.org/index.php/samba#Server) has a fantactically detailed entry on setting up and configuring a samba server.
## Simple Config
Login at the server which should act as the samba server.
- First, install samba:
```sh
yum check-update && yum install samba
```
- Next, modify/create a file at `/etc/samba/smb.conf` with the following contents (adapt this for your needs):
```sh
[global]
workgroup = SAMBA
server string = petar
security = user
guest ok = yes
map to guest = Bad Password
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /dev/null
load printers = no
# Install samba-usershares package for support
include = /etc/samba/usershares.conf
[Share]
comment = Folder to share
path = /path/to/share
browseable = yes
read only = no
guest ok = no
```
- Samba requires setting a password separately from that used for login. You may use an existing user or create a new one for this purpose.
```sh
smbpasswd -a sbxadmin
```
- Existing samba users can be listed with:
```sh
pdbedit -L -v
```
- Once finished, ensure the samba service is restarted with:
```sh
systemctl restart smbd
```
## Security config on server
### Firewalld
- CentOS uses as standard local firewall `firewalld`.
```sh
firewall-cmd --permanent --add-service={samba,samba-client,samba-dc} --zone=public
```
### SELinux
SELinux not allow samba to access folders by default, to solve this, run:
```sh
setsebool -P samba_export_all_ro 1
```
## Client
Depends on client OS. Just use Windows. Noob!
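Review bot: The removed Samba note carries defects that should be fixed rather than copied if it is re-homed: `guest ok = yes` together with `map to guest = Bad Password` in `[global]` turns every mistyped password into an anonymous guest session, so a user who fat-fingers a password is silently downgraded to guest and then refused by the per-share `guest ok = no` with a bare access-denied instead of a retry; `map to guest = Bad User` (map only logins for nonexistent users) is the usual safer choice. `systemctl restart smbd` is the Debian unit name, on CentOS the units are `smb` (and `nmb`). `setsebool -P samba_export_all_ro 1` only permits read-only export, so the share configured with `read only = no` needs `samba_export_all_rw` or, better, a `samba_share_t` file context on `/path/to/share` via `semanage fcontext`. Adding `samba-dc` to the firewalld zone opens domain-controller ports a plain file server does not need; `samba` alone is enough. Also "Ressources" and "fantactically" are misspelled.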


@@ -1,33 +0,0 @@
## Intro
Meeting mit Stephan Krischke
## Zukunft
- Serverraeume sollen getrennt werden (sobald 3. Partei ausgezogen sind)
- Strikt getrennte Bueros
- Sicherheits Standards pruefen bei Office365. Welche Daten sollen einsehbarsein?
## Schutz
- Keine Wasserleitung
- Absperrbarer Schrank
- Schlechte Belueftung durch gekippte Fenster
- Bueros muessen strikt getrennt sein
- Es kann einfach Zugang zum Serverraum ueber das Fenster erlangt werden
- Rauchmelder kombiniert mit Temperaturmelder
## Mail
- Spamschutz fuer Microsoft365
- Defender nutzen, um abgesichert zu sein.
## AD
- Wie werden Passwoerter gesetzt?
## Needed
- Graphischer Netzwerkplan
- Backup Plan. Was wird wann gebackupt und wie oft? Backup im eigenen VLAN. Minimal 3-2-1. Am besten 3-2-1-0-0 (VLAN)
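Review bot: The open findings in this file (window access to the server room, no lockable cabinet, the unanswered "Wie werden Passwoerter gesetzt?" question under AD, the missing network diagram and backup plan) are not resolved anywhere in this hunk; if they were closed or moved to another document, the commit message should say so, otherwise the deletion drops unresolved security items without a trace.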


@@ -1,76 +0,0 @@
## Synology
### Storage
Die Synology hat zwei Storage Pools fuer verschiedene Zwecke.
Diese haben folgende Eigenschaften:
Storage Pool 1:
- RAID5 aus 3 HDDs mit je 7.3 TB (effektiv)
- Totale Kapazitaet von 14.5 TB
- Vierte HDD als "Hot Spare Drive" mit 7.3 TB
- SSD Cache mit zwei SSDs in einem RAID1
- Wird (in der Regel) genutzt als Dateienablage
Storage Pool 2:
- Synology Hybrid RAID mit zwei HDDs mit je 14.6 TB ("With data protection for 1-drive fault tolerance)
- Totale Kapazitaet von 14.5 TB
- Wird (in der Regel) genutzt als Ablage fuer Backups
### Ordner
Folgende Ordner liegen im Storage Pool 1:
- `SSR-750-BBSR-IBA'
- `SSR-ADMINISTRATION'
- `SSR-ARCHIV'
- `SSR-DATEN'
- `SSR-DATEN-AR'
- `SSR-DATEN-SE'
- `SSR-IT'
- `SSR-MITARBEITER'
- `SSR-PROJEKT-PRO'
Folgende Ordner liegen im Storage Pool 1:
- `SSR-BACKUP-INTERN`
- `SSR-BACKUP-KERIOCONNECT`
- `SSR-BACKUP-MAILSTORE`
- `SSR-TIME-MACHINE`
- `SSR-VM-BACKUP`
## Local Backup
### VMs
- Taeglich zwischen 4 Uhr und 5 Uhr morgens
- via "Active Backup for Business" ein Backup jeder VM
- Abgelegt im Ordner `/SSR-VM-BACKUP/ActiveBackupData/` im Storage Pool 2
### Ordner Backups
Von folgenden Ordnern wird ein lokales Backup gemacht von Storage Pool 1 nach Storage Pool 2:
- `SSR-ADMINISTRSTION` -> `/SSR-BACKUP-INTERN/SSR-ADMINISTRATION-BACKUP`
- `SSR-ARCHIV` -> `/SSR-BACKUP-INTERN/SSR-ARCHIV-BACKUP`
- `SSR-MITARBEITER` -> `/SSR-BACKUP-INTERN/SSR-COLLECT-BACKUP`
- `SSR-DATEN-AR` -> `/SSR-BACKUP-INTERN/SSR-DATEN-AR-BACKUP`
- `SSR-DATEN-AR` -> `/SSR-BACKUP-INTERN/SSR-DATEN-AR-BACKUP`
- `SSR-DATEN` -> `/SSR-BACKUP-INTERN/SSR-DATEN-BACKUP`
- `SSR-IT` -> `/SSR-BACKUP-INTERN/SSR-IT-BACKUP`
- `SSR-PROJEKT-PRO` -> `/SSR-BACKUP-INTERN/SSR-PROJEKTPRO-BACKUP`
Diese Backups werden taeglich (abgesehen vom Backup des SSR-ARCHIV Ordners, welches einmal die Woche stattfindet) durchgefuehrt. Einmal im Monat wird Daten Integritaets Check durchgefuehrt.
## Cloud Backup
Von folgenden Ordnern wird ein Cloud Backup(C2 Storage von Synology) gemacht von Storage Pool 1:
- `SSR-ADMINISTRSTION, SSR-IT` -> `/C2-SSR-ADMINISTRATION-IT-BACKUP`
- `SSR-ARCHIV` -> `/C2-SSR-ARCHIV-BACKUP`
- `SSR-DATEN-AR` -> `/C2-SSR-DATEN-AR-BACKUP`
- `SSR-DATEN-SE, SSR-750-BBSR-IBA` -> `/C2-SSR-DATEN-SE-BACKUP`
- `SSR-DATEN` -> `/C2-SSR-DATEN-BACKUP`
- `SSR-BACKUP-KERIOCONNECT` -> `/C2-SSR-KERIOCONNECT-BACKUP`
- `SSR-BACKUP-MAILSTORE` -> `/C2-SSR-MAILSTORE-BACKUP`
- `SSR-PROJEKT-PRO` -> `/C2-SSR-PROJEKTPRO-BACKUP`
Diese Backups werden taeglich abends zwischen 22:00 und 00:00 Uhr durchgefuerht.
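Review bot: The folder inventory and backup map in the removed file are inconsistent and should not be carried over as-is: the second "Folgende Ordner liegen im Storage Pool 1" heading lists the backup folders that the Storage section places in Storage Pool 2, so it should read Storage Pool 2; the local backup list has `SSR-DATEN-AR` twice while `SSR-DATEN-SE` and `SSR-750-BBSR-IBA` have no local backup entry at all, which looks like a copy error; `SSR-ADMINISTRSTION` is misspelled in both the local and the cloud list; the Pool 1 folder names open with a backtick and close with an apostrophe, so they will not render as code; and `SSR-MITARBEITER` mapping to `SSR-COLLECT-BACKUP` is either a stale name or a mis-mapping. "durchgefuerht" is a typo for "durchgefuehrt".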


@@ -1,26 +0,0 @@
## Intro
- Projekt in Frankfurt
- Datenerhebung bei Interviews
- projekt startet am 16.09 mit einer kampange, werbung, etc....
- kein(e) bestimmte(r) datenschutzbeauftragte(r) notwendig
## Problemstellung
- korrekte Aufnahme und Verarbeitung der personennenbezogenen Daten
- protokollierung des gesammelten daten und aufzeichnungen der gesammelten daten, aenderungen an den daten durchfuehrt
## Gespraech Meeting
- Umgang mit Daten haengt davon ab _welche personenbezogenen daten_ haben
- Welche Daten werden benoetigt?
- Werden die Daten anonymisiert bevor ssr sie erhaelt?
- Anbieter(in) fuer Newsletter finden, welches automatisiert die Daten verarbeitet und am besten auf keinem firmeneigenen firmenrechner speichert (kann ein kommerzieller genutzt werden)
- Wichitg ist herrauszufinden, welche Daten exakt ssr bekommt... Welche Anforderung hat die Stadt (nimmt die daten auf) an ssr?
-
## Ressources


@@ -1,31 +0,0 @@
## List for ssr/kwa
### Large
- [ ] Kerio Lizenzen liegen noch bei griD (WIR WECHSELN ZU SOPHOS)
- [ ] Apple Business Manager (Michael ist dran)
- [ ] Handy VPN erkennt AD nicht fuer Authentizierung (erstelle lokale Nutzer fuer jeden)
- [ ] Mail client abonniert alle Projekte. Vor letztem Update war Auswahl moeglich spezifischer Postfaecher (Mail client synced alle postfaecher)
- [ ] Alle Lizenzen von griD zu uns holen
### Small
- [ ] Nina 2. MacBook
- [ ] Dominik Langsames MacBook
- [ ] Archivserver muss weg
- [ ] USV Warnmeldung verstehen und beheben
### Administrative
- [ ] Univention (AD) / Kerio Firewall needs Update
## done
- [x] Herr Wassmer Loschberechtigung bei Synology -> es gab dateien im ordner mit anderen berechtigungen
- [x] machraum email