Re: [leaf-user] prevent Iot from the net

2016-11-28 Thread Jean-Roch Blais
Hello Andrew,
>You may even improve power efficiency using PSU with APFC and with lower 
>max power (= lower standby losses in transformers) :)
I wonder by how much. Besides, a PSU like
http://www.newegg.ca/Product/Product.aspx?item=N82E16817151124
would cost me 90$!
bye
jrb.


--

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] prevent Iot from the net

2016-11-28 Thread Andrew
You may even improve power efficiency using PSU with APFC and with lower 
max power (= lower standby losses in transformers) :)



Re: [leaf-user] prevent Iot from the net

2016-11-27 Thread jean-roch blais
Hello again List, I just revised my calculations for the power. It turns
out assuming the current pulse is square adds too much error. I integrated
the pulse manually on the scope using 18 samples separated by 0.1 mSec;
adding all that and spreading it over 8 mSec (= 1/60 cycle / 2), the
current pulse becomes equivalent to 460 mA. So the power consumed is now
55.3 watts. This is slightly better than the previous figure of 81 watts.
At 7¢ a kilowatt-hour this gives 34 Canadian $. Ok I won't bug you all with
that any longer...
jrb.


[leaf-user] prevent Iot from the net

2016-11-26 Thread jean-roch blais
Hello List, n22e113's 2¢ comment, which I like :-), got me wondering... what
is the real power drawn by such a stripped-down mobo? Well, I hooked a
scope on a small current transformer on the power supply line to my mobo,
and this is what I get:
http://i.imgur.com/dBN8PPT.jpg I was very surprised to see a current pulse
drawn by the switching power supply right in the middle of the 120 volts.

The current pulse is about 3 amps peak and has a duration of 1.8 mSec. To
simplify the power calculation, let's assume it is a square pulse; the
power then would be roughly 3 amps * 120 V rms * 1.8 msec/8 msec = 81
watts. The real value would be somewhat lower than that, and n22e113's
estimate of 75 watt-hour is in the ballpark...

My kilowatt-hour here costs 7¢ (Canadian)! Sorry, I didn't want to rub it
in :-)! But yeah, I still end up paying 46$. But then again, I can't
resign myself to throwing away good performing "old" hardware...

jrb.


Re: [leaf-user] prevent Iot from the net

2016-11-06 Thread n22e113
On 11/5/2016 20:58, Jean-Roch Blais wrote:
> Here I’m using Buc 5.2.7 x86_64 on an Asus mobo P5GC-MX and Power supply, 
> pulled out of the PC tower, it’s in the basement, no one sees it :-) !
> Looks like that: http://imgur.com/38JiUW9

Hey, JRB,
I used to do that too! But that contraption would cost you probably
75 watt/hour. I am paying 19¢ per kw/hr, that is 75*24*365/1000*.19 =
$124.83/year. You might want to try this at 10 watt/hour:
http://www.pcengines.ch/alix2d13.htm
My 2¢

--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] prevent Iot from the net

2016-11-05 Thread Jean-Roch Blais

> On 5 Nov 2016, at 17:51, Victor McAllister wrote:
>
> I use a LEAF 6.0.0 GEODE on a PC Engines ALIX.
>
Here I’m using Buc 5.2.7 x86_64 on an Asus mobo P5GC-MX and Power supply, 
pulled out of the PC tower, it’s in the basement, no one sees it :-) !
Looks like that: http://imgur.com/38JiUW9  !

> The LEAF handles NTP using bbntpd. However, I allow it to sync with only 
> one trusted external time server. /etc/default/ntpd
> 
> NTPDRUN=yes
> 
> NTPDOPTS='-l -p name of trusted timeserver'
> 
> IoT devices get their time from the LEAF bbntpd
> 
> ***
> in /etc/shorewall/rules
> 
> NTP(ACCEPT) fw  net:w.x.y.z
> 
> w.x.y.z is the ip or dname of the trusted time server.
> 
> NTP(ACCEPT) loc fw
> 
> #Block access to net from IoT devices
> DROP loc:a.b.c.d,e.f.g.h   net
> 
I thought you meant: 

   DROP:NFLOG(4) loc:a.b.c.d,e.f.g.h  net

I’d like to understand the (4) in NFLOG(4) :-) !

> a.b.c.d is the static ip of the IoT devices I do not want to access the web.
> ***
> 
> One of the devices that has no access to the Internet is a wireless 
> router configured as an AP. It has a fixed IP address and is NOT 
> configured to do DHCP. Wireless clients pass through to access dnsmasq 
> on the LEAF box via its ethernet connection. dnsmaq assigns static 
> addresses to each wireless client
> 
yes I have the same setup here too ! (ASUS RT-AC66U as an AP)

I just got some new security cameras (Dlink DCS-5010L) which need to be tightly 
ruled !

Thanks again, it’s all good,
jrb

> example.
> 
> dhcp-host=11:22:33:44:55:66,device dhcp name,192.168.1.x #comment
> 
> Victor
> 


Re: [leaf-user] prevent Iot from the net

2016-11-05 Thread Jean-Roch Blais
Hello Victor, and list,

some examples might help me … thanks

jrb

> On 4 Nov 2016, at 19:30, Victor McAllister <victo...@sonic.net> wrote:
> 
> For now, I am just keeping the rule to DROP traffic from certain loc 
> devices to the net. I added the word NFLOG(4) to the DROP line and 
> shorewall compiles ok.
> 
> Victor


Re: [leaf-user] prevent Iot from the net

2016-11-04 Thread Victor McAllister
For now, I am just keeping the rule to DROP traffic from certain loc 
devices to the net. I added the word NFLOG(4) to the DROP line and 
shorewall compiles ok.

Victor



Re: [leaf-user] prevent Iot from the net

2016-11-04 Thread David M Brooke
For the new house I’m commissioning I face a similar challenge - various 
automation devices which communicate using TCP/IP but which probably don’t have 
the best security hardening and don’t get regular patch updates from the 
manufacturers to fix security vulnerabilities. Some of these are doing 
sensitive roles like managing access control and interfacing with the intruder 
alarm system.

In line with Dave’s advice I’ve set up multiple VLANs and mapped those to 
separate Shorewall Zones with different sets of Policies and Rules at the Zone 
level. I also have multiple WiFi SSIDs which each map to separate VLANs so they 
can have different policies applied - so e.g. my own WiFi devices use 802.1X 
authentication (against a RADIUS server) on one SSID and are allowed to access 
the local wired networks whereas there’s a separate SSID for Visitors, and 
that’s only allowed to access the Internet and not the local wired networks.

The main requirement is a VLAN-capable network switch. I currently use a Unifi 
model from ubnt.com but companies like Netgear make small, VLAN-capable 
switches which are relatively inexpensive. On Bering-uClibc you set up a 
sub-NIC per VLAN (e.g. eth1.112) and map each sub-NIC to a Shorewall Zone.

A useful trick for devices which need NTP access and hard-code an FQDN for that 
is to use the “address” entry in dnsmasq.conf to tell a white lie and return a 
local NTP server address for that FQDN in place of a remote NTP server address. 
For example:
address=/time.euro.apple.com/192.168.112.1

davidMbrooke



Re: [leaf-user] prevent Iot from the net

2016-11-03 Thread Dillabough, Dave
I would add logging so that you would know if anything was amiss.

To test you could temporarily install a PC at the blocked address and see what 
happens.

For more complete control as IoT devices proliferate I would add a separate 
zone and set up a VLAN for home automation etc.



[leaf-user] prevent Iot from the net

2016-11-03 Thread Victor McAllister
I have a couple devices, such as a DVR, on the local net (loc) that I do
not want to have access to the Internet. Remember the recent DDoS
attacks that originated with IoT devices! I added this to shorewall rules.

DROP loc:192.168.1.x,192.168.1.y net all

They get their time from the local time server so they have no reason to
access the net.

I have not tested this, but at least shorewall compiles and runs. Any
comments?

Victor


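The question above, with the answers from the rest of the thread folded into one configuration: Dave's separate zone, David's VLAN sub-NIC and dnsmasq "white lie", and Victor's NTP rules, DROP-with-NFLOG line and bbntpd options. This is an added example, not code from the thread or from the LEAF project. Assumed rather than taken from the page: the IoT VLAN is tag 112 on eth1 (hence the sub-NIC eth1.112), the firewall's address on that VLAN is 192.168.112.1, the zone is named iot, the DVR's MAC and lease are made up, and ntp.example.net is a placeholder for the trusted upstream time server. On the (4) Jean-Roch asked about: in Shorewall the first argument of NFLOG is the netfilter log group, so packets dropped by that line are handed to group 4 for a userspace reader such as ulogd, or `tcpdump -ni nflog:4`, to collect. The script writes everything under a staging directory instead of /etc so it can be run and inspected before anything is deployed.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF project): an isolated IoT
# zone on its own VLAN, default-deny with NFLOG logging, NTP and DNS served
# by the firewall, and dnsmasq answering a hard-coded vendor NTP name with
# the firewall's own address.
# Assumed, not from the page: VLAN 112 on eth1, firewall at 192.168.112.1,
# zone name "iot", a made-up DVR lease, ntp.example.net as placeholder server.

STAGE_DIR="${STAGE_DIR:-/tmp/iot-stage}"

# Write every config file under "$1" (or $STAGE_DIR) and print that directory.
write_iot_config() {
    stage="${1:-$STAGE_DIR}"
    mkdir -p "$stage/shorewall" "$stage/dnsmasq.d" "$stage/default"

    # zones: IoT gets its own zone instead of being an exception inside loc
    cat > "$stage/shorewall/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
iot     ipv4
EOF

    # interfaces: one sub-NIC per VLAN, each mapped to a zone; "dhcp" lets
    # the dnsmasq server on the firewall answer DHCP on the IoT VLAN
    cat > "$stage/shorewall/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs
loc     eth1        tcpflags
iot     eth1.112    dhcp,tcpflags
EOF

    # policy: everything from iot is dropped by default, and the dropped
    # packets go to netfilter log group 4 (the "4" in NFLOG(4)), where
    # ulogd or "tcpdump -ni nflog:4" can read them
    cat > "$stage/shorewall/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
iot     all     DROP    NFLOG(4)
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: only what the devices legitimately need, all served by the
    # firewall itself; only the firewall talks to the upstream time server
    cat > "$stage/shorewall/rules" <<'EOF'
#ACTION         SOURCE  DEST
NTP(ACCEPT)     fw      net:ntp.example.net
NTP(ACCEPT)     iot     fw
DNS(ACCEPT)     iot     fw
NTP(ACCEPT)     loc     fw
DNS(ACCEPT)     loc     fw
EOF

    # bbntpd (/etc/default/ntpd): listen locally, peer only with the trusted server
    cat > "$stage/default/ntpd" <<'EOF'
NTPDRUN=yes
NTPDOPTS='-l -p ntp.example.net'
EOF

    # dnsmasq: a fixed lease per device, plus the address override that makes
    # a hard-coded vendor NTP name resolve to the firewall's own NTP daemon
    # (interface= lines add to whatever the main dnsmasq.conf already lists)
    cat > "$stage/dnsmasq.d/iot.conf" <<'EOF'
interface=eth1.112
dhcp-range=192.168.112.50,192.168.112.99,12h
dhcp-host=11:22:33:44:55:66,dvr,192.168.112.10
address=/time.euro.apple.com/192.168.112.1
EOF
    echo "$stage"
}

# Review check: exit 0 only if some policy or rule lets iot reach net directly.
# On a correctly staged directory this returns non-zero.
iot_reaches_net() {
    stage="${1:-$STAGE_DIR}"
    grep -v '^#' "$stage/shorewall/policy" \
        | awk '$1 == "iot" && ($2 == "net" || $2 == "all") && $3 == "ACCEPT"' \
        | grep -q . && return 0
    grep -v '^#' "$stage/shorewall/rules" \
        | awk '$1 ~ /ACCEPT/ && $2 == "iot" && $3 ~ /^net/' \
        | grep -q .
}

# Stage the files and report where they went.
write_iot_config "$STAGE_DIR"
```

Run it, diff the staged files against the live ones under /etc, copy them over, and run `shorewall check` before `shorewall restart`. Dave's test, a PC plugged in at one of the blocked addresses, then shows up as entries on NFLOG group 4 rather than vanishing silently.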