Wiki/Entities/Shadowfeed.md

The Shadowfeed is the networking gateway between the AniNIX and the outside world -- it broadcasts the AniNIX signal and allows the network to communicate.
# Etymology
The Shadowfeed is named after a resistance communications network in the Star Wars universe. The [http://starwars.wikia.com/wiki/CIS_Shadowfeed Shadowfeed] was a disseminated network routed through existing communications technology, allowing a separatist movement to broadcast its message.
# Capacity and Components
The Shadowfeed is a Netgear R7000 Nighthawk router flashed with DD-WRT firmware.[[Category:DD-WRT]][[Category:Netgear]] It serves numerous wireless clients, and it supports USB 2.0 and 3.0 hard drives to provide simple NAS storage. There are five physical Ethernet ports: one carries the uplink to the Verizon wireless tower, one is the wired connection to the Forge2 frame, and one connects to the Infrastructure. Of the remaining two, one is free with a 100ft Cat5e cable attached, and the other is reserved as a hot-swap spare in case of port failure or additional LAN need.
<b>Note:</b> the best place we've found to grab firmware updates is [https://ddwrt-kong.clonevince.fr/ this upload site for Kong's builds]. Ensure that you are on build 33525 or later to avoid being vulnerable to [https://aircrack-ng.blogspot.com/2017/10/krack-wpa-vulnerability-key.html KRACK]. Follow the instructions [https://dd-wrt.com/wiki/index.php/Installation from the DD-WRT Wiki] to flash your router with new firmware or to patch, and read the Peacock thread notes on the DD-WRT forums before flashing. To locate a specific build, search for "kong dd-wrt build <buildnumber>". If you use Chromecasts for [[Geth|AniNIX::Geth]], look for explicit confirmation that the build has been validated with those devices, or run your own extensive regression tests before committing to it.
# Hosted Services and Entities
Nothing is hosted on the Shadowfeed itself, but it can be managed over either SSH or its onboard web server.[[Category:Lighttpd]]
# Connections
The Shadowfeed has a number of hosts and entities that connect to it -- unknown entities are routed to a guest network, while known hosts are allowed inside the DMZ where they can access internal services. Direct AniNIX network members are listed below.
{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}{{Reference|Print}}{{Reference|Bastion}}{{Reference|Tricorder}}{{Reference|Geth}}{{Reference|Forge2}}{{Reference|Infrastructure}}
# Additional Reference
## Add NAT Rule
<pre>
# Forward TCP and UDP 3389 from the WAN address to 10.0.1.2. The DNAT happens in
# PREROUTING; the rewritten packets then traverse FORWARD, so an ACCEPT is needed there too.
# Append "-s SourceIP" to the PREROUTING rules to limit which source may reach the port.
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to-destination 10.0.1.2
iptables -I FORWARD -p tcp -d 10.0.1.2 --dport 3389 -j ACCEPT
iptables -t nat -I PREROUTING -p udp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to-destination 10.0.1.2
iptables -I FORWARD -p udp -d 10.0.1.2 --dport 3389 -j ACCEPT
</pre>
## Direct config alteration
<code>nvram show</code> lists all current options, and <code>nvram get variable</code> returns a single variable.
<code>nvram set variable=value</code> and <code>nvram unset variable</code> change variables in RAM only.
<code>nvram commit</code> writes the changes to flash; without it they are lost on the next reboot.
## Guest Wifi
[https://dd-wrt.com/wiki/index.php/Guest_Network See here.]
## Sample Startup Script
The following firewall lines, placed in the router's startup script, harden the network edge. They allow [[WebServer|web]], [[SSH]], [[IRC]], [[Geth|AniNIX::Geth]], and [[Nazara|bastion]] traffic arriving on the WAN interface (vlan2) and drop everything else from it. They also create the block chain that [[Cerberus|AniNIX::Cerberus]] populates. Two caveats: every line is inserted at position 2 of INPUT, so the DROP must be inserted first and the ACCEPTs after it, which is why they appear in that order; and INPUT rules only govern traffic addressed to the router itself, so a service reached through a DNAT port forward is admitted by its FORWARD rule, not by these lines.
<pre>
# Block chain for AniNIX::Cerberus; created empty here and populated by Cerberus.
iptables -N severe
# Default deny for everything arriving on the WAN interface. Inserted first so the
# ACCEPTs below, also inserted at position 2, end up in front of it.
iptables -I INPUT 2 -i vlan2 -j DROP
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 22 -j ACCEPT    # SSH
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 80 -j ACCEPT    # web
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 443 -j ACCEPT   # web (TLS)
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6641 -j ACCEPT  # Geth / bastion (see above)
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6697 -j ACCEPT  # IRC (TLS)
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 9022 -j ACCEPT  # Geth / bastion (see above)
# Consult the block chain before the allowlist, for both local and forwarded traffic.
iptables -I INPUT 2 -j severe
iptables -I FORWARD -j severe
</pre>
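As an added example that is not the Shadowfeed's own startup script or any DD-WRT project code, the POSIX shell script below generates both the NAT port forward from the "Add NAT Rule" section and the WAN allowlist above in one reviewable run, keeping the INPUT/FORWARD distinction explicit. Everything in it is a constructed assumption: the WAN interface <code>vlan2</code>, the port list, the forward target <code>10.0.1.2</code>, the permitted source <code>203.0.113.5</code>, and the placeholder WAN address <code>192.0.2.1</code> (TEST-NET-1), which is used only for printing when <code>nvram</code> is unavailable. Run as-is on any host it prints the iptables commands; on the router, <code>APPLY=1</code> executes them.

```shell
#!/bin/sh
# Added example for this wiki page, not the Shadowfeed's own startup script.
# Generates (or with APPLY=1 installs) a DD-WRT edge firewall: a WAN allowlist
# in its own chain plus DNAT port forwards. Constructed assumptions: WAN
# interface vlan2, the port list below, forward target 10.0.1.2, source
# 203.0.113.5, and placeholder WAN address 192.0.2.1 when nvram is absent.

WAN_IF=${WAN_IF:-vlan2}
EDGE_TCP_PORTS=${EDGE_TCP_PORTS:-"22 80 443 6641 6697 9022"}

# On the router, nvram holds the real WAN address; elsewhere use a placeholder
# for printing only, and refuse to apply rules built on it.
if command -v nvram >/dev/null 2>&1; then
    WAN_IP=$(nvram get wan_ipaddr)
fi
if [ -z "${WAN_IP:-}" ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        echo "WAN_IP unknown; refusing to apply rules" >&2
        exit 1
    fi
    WAN_IP=192.0.2.1
fi

# Run one iptables command when APPLY=1, otherwise print it for review.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# WAN traffic addressed to the router itself: accept replies to the router's
# own connections and the listed TCP ports, drop the rest. Appending to a
# dedicated chain keeps the rules in reading order instead of relying on
# repeated "-I INPUT 2" insertions. Also creates the empty severe chain that
# Cerberus fills, and hooks both chains into INPUT and FORWARD.
emit_edge_input() {
    ipt -N edge-in 2>/dev/null || ipt -F edge-in
    ipt -N severe 2>/dev/null || true
    ipt -A edge-in -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $EDGE_TCP_PORTS; do
        ipt -A edge-in -p tcp --dport "$p" -j ACCEPT
    done
    ipt -A edge-in -j DROP
    ipt -I INPUT 1 -j severe
    ipt -I INPUT 2 -i "$WAN_IF" -j edge-in
    ipt -I FORWARD 1 -j severe
}

# Port forward: DNAT in PREROUTING rewrites the destination, after which the
# packet traverses FORWARD (not INPUT), so both rules are required.
# Usage: emit_port_forward PROTO PORT DEST_IP [SOURCE_ADDR_OR_CIDR]
emit_port_forward() {
    proto=$1; port=$2; dest=$3; src=${4:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    set -- -p "$proto" --dport "$port"
    if [ -n "$src" ]; then
        set -- "$@" -s "$src"   # pin the forward to one source whenever possible
    fi
    ipt -t nat -I PREROUTING -i "$WAN_IF" -d "$WAN_IP" "$@" -j DNAT --to-destination "$dest"
    ipt -I FORWARD -i "$WAN_IF" -d "$dest" "$@" -j ACCEPT
}

# Stand-alone run: the allowlist plus one RDP forward pinned to a single source.
main() {
    emit_edge_input
    emit_port_forward tcp 3389 10.0.1.2 203.0.113.5
    emit_port_forward udp 3389 10.0.1.2 203.0.113.5
}
main
```

The <code>ESTABLISHED,RELATED</code> rule is an addition over the page's lines: without it, the WAN default-deny also discards replies to the router's own outbound connections (DNS, NTP, update checks). Validating the port and protocol before emitting anything matters more on a router than it looks, because a malformed startup script can leave the edge open or lock you out until the next flash.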