The World of OpenWrt: Raspberry Pi 3B [Router], Shifting the Stars and Turning the Dipper (Part Three, Prelude)

Lüshi Chunqiu · Yi Shang (On Rewards and Righteousness)

Long ago, when Duke Wen of Jin was about to fight the men of Chu at Chengpu, he summoned Jiu Fan and asked: 'Chu is many and we are few; what can be done?' Jiu Fan replied: 'I have heard that a ruler lavish with rites never has enough, and a ruler lavish with war never has enough. My lord need only deceive them.' Duke Wen told Yong Ji what Jiu Fan had said. Yong Ji said: 'If you drain the pond to fish, will you not get fish? But next year there will be no fish. If you burn the marsh [sǒu: a grassy wetland] to hunt [tián: to hunt], will you not get game? But next year there will be no beasts. The way of deceit and falsehood may steal a success today [by luck], but afterwards it will not work again [never more]; it is no lasting method.' Duke Wen used Jiu Fan's advice and defeated the men of Chu at Chengpu. On returning [fǎn: to return] he gave out rewards, and Yong Ji was placed first. His attendants remonstrated: 'The success at Chengpu was Jiu Fan's plan. You used his advice yet put him behind in the rewards; surely that cannot be right!' Duke Wen said: 'Yong Ji's words are a benefit for a hundred generations. Jiu Fan's words were the business of a single moment. How could one put the business of a moment before the benefit of a hundred generations?' Confucius heard of this and said: 'Using deceit in the face of danger is enough to repel an enemy. Returning to honour the worthy is enough to repay virtue. Though Duke Wen was not consistent from beginning to end, it was enough to make him hegemon.' When rewards are weighty the people are moved by them, and when the people are moved, things are accomplished. What is accomplished through deceit: its success is ruin and its victory defeat. Many under Heaven have won victories, yet the hegemons number only five, and Duke Wen is one of them, because he knew what victory is made of. To win without knowing what victory is made of is the same as not winning at all. Qin defeated the Rong yet was beaten at Yao; Chu defeated the central states yet was beaten at Boju. King Wu grasped this, and so with a single victory became king of all under Heaven. When a state is full of deceit it cannot be made secure; the danger is not only from without.


Shaking hands to make peace


A tooth for a tooth
Tit for Tat

Analects · Xian Wen (Book 14)
Someone asked: 'What about repaying injury with kindness?' The Master said: 'Then with what will you repay kindness? Repay injury with uprightness, and repay kindness with kindness.'

In 1984 the American political scientist Robert Marshall Axelrod wrote a book, The Evolution of Cooperation, examining the prisoner's dilemma when it has 'memory' and 'repetition', which he called the 'iterated prisoner's dilemma' (IPD). In this game the participants must repeatedly choose between competing and cooperating with each other, remembering the earlier outcomes. Axelrod invited academic colleagues from all over the world to design computer strategy programs and pit them against one another in an iterated prisoner's dilemma tournament. The entries differed in the complexity of their algorithms, in their opening move, in their capacity to forgive, and so on.

Reportedly the best strategy was 'Tit for Tat', designed by the Russian-American mathematical psychologist Anatol Rapoport. The program was only four lines of BASIC statements, and it won the tournament. The strategy cooperates on the first move and then plays whatever the opponent played in the previous round. Some say an even better strategy is 'Tit for Tat with forgiveness': when your opponent defects, in the next round you should 'cast the divination blocks' and occasionally [with a 1%-5% chance] cooperate anyway. This is to avoid a 'deadlock': what happens if the two sides have simply misread each other's intentions?

Axelrod found that when this 'contest' was repeated for a long time among participants using all sorts of strategies, then, judged from the 'self-interested' standpoint, the 'greedy strategies' tended in the end to die out while the more 'altruistic strategies' were adopted more and more. He used this 'game' to show that, through 'natural selection', a mechanism for 'altruistic behaviour' can evolve from one that was initially 'purely selfish'! Once there is 'memory', so that 'defection' is likely to meet 'punishment', so-called 'self-interest' must surely take the effect of 'cause and consequence' into account!
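The tournament dynamics described above, as an added example that is not from the original post: a small iterated prisoner's dilemma in which plain tit-for-tat meets one constructed 'misread' move and locks into alternating defection, while the forgiving variant with the 5% cooperation the text mentions recovers from that deadlock. The function names, the payoff values 5/3/1/0 and the misread mechanism are my assumptions, not the post's.

```python
import random

C, D = "C", "D"
# Assumed payoffs for the row player, Axelrod-style: T=5, R=3, P=1, S=0.
PAYOFF = {(C, C): 3, (C, D): 0, (D, C): 5, (D, D): 1}

def tit_for_tat(my_hist, their_hist, rng):
    """Cooperate first, then copy the opponent's previous move."""
    return C if not their_hist else their_hist[-1]

def generous_tit_for_tat(forgive=0.05):
    """Tit-for-tat that answers a defection with cooperation `forgive` of the time."""
    def play(my_hist, their_hist, rng):
        if not their_hist or their_hist[-1] == C:
            return C
        return C if rng.random() < forgive else D
    return play

def play_match(strat_a, strat_b, rounds, noise_round=None, seed=1):
    """Play `rounds` rounds. At `noise_round` player A's move is flipped to D
    (a constructed misread / transmission error). Returns (score_a, score_b, history)."""
    rng = random.Random(seed)
    hist_a, hist_b = [], []
    score_a = score_b = 0
    for r in range(rounds):
        a = strat_a(hist_a, hist_b, rng)
        b = strat_b(hist_b, hist_a, rng)
        if r == noise_round:
            a = D
        hist_a.append(a)
        hist_b.append(b)
        score_a += PAYOFF[(a, b)]
        score_b += PAYOFF[(b, a)]
    return score_a, score_b, list(zip(hist_a, hist_b))

def deadlocked(history, tail=10):
    """True if every one of the last `tail` rounds still contains a defection."""
    return all(D in pair for pair in history[-tail:])

if __name__ == "__main__":
    sa, sb, h = play_match(tit_for_tat, tit_for_tat, 1000, noise_round=5)
    print("TFT vs TFT after one misread:", sa, sb, "deadlocked:", deadlocked(h))
    ga, gb, gh = play_match(generous_tit_for_tat(0.05), tit_for_tat, 1000, noise_round=5)
    print("generous TFT vs TFT:", ga, gb, "deadlocked:", deadlocked(gh))
```

Mutual cooperation scores 3 per round; the two plain tit-for-tat players average only 2.5 per round after the misread, which is the cost of the deadlock the text warns about.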

─── from 《物理哲學·下上》


On the surface the meaning of 'demilitarized zone' seems simple enough:

DMZ (computing)

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they would further penetrate into the internal networks.

The name is derived from the term “demilitarized zone“, an area between nation states in which military operation is not permitted.

……

Architecture

There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three legged model, and with dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements.

Single firewall

Diagram of a typical three-legged network model employing a DMZ using a single firewall.

A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors, for example purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones).

Dual firewall

Diagram of a typical network employing DMZ using dual firewalls.

The most secure approach, according to Colton Fralick,[1] is to use two firewalls to create a DMZ. The first firewall (also called the “front-end” or “perimeter”[2] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called “back-end” or “internal” firewall) only allows traffic from the DMZ to the internal network.

This setup is considered[1] more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, accidental misconfiguration is less likely to occur the same way across the configuration interfaces of two different vendors, and a security hole found to exist in one vendor’s system is less likely to occur in the other one. One of the drawbacks of this architecture is that it’s more costly, both to purchase, and to manage.[3] The practice of using different firewalls from different vendors is sometimes described as a component of a “defense in depth”[4] security strategy.

DMZ host

Some home routers refer to a DMZ host, which, in many cases is actually a misnomer. A home router DMZ host is a single address (e.g., IP address) on the internal network that has all traffic sent to it which is not otherwise forwarded to other LAN hosts. By definition, this is not a true DMZ (demilitarized zone), since the router alone does not separate the host from the internal network. That is, the DMZ host is able to connect to other hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them unless the firewall permits the connection.

A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device. This tactic (establishing a DMZ host) is also used with systems which do not interact properly with normal firewalling rules or NAT. This can be because no forwarding rule can be formulated ahead of time (varying TCP or UDP port numbers for example, as opposed to a fixed number or fixed range). This is also used for network protocols for which the router has no programming to handle (6in4 or GRE tunnels are prototypical examples).

………


Yet once you get into the 'practice' of configuring one, it turns out to be hard, does it not?

Fortunately OpenWrt already has

Configure a guest WLAN

People looking for a way to configure a guest WLAN through the web interface should read the LuCI guest WLAN recipe.

Guest WLAN provides internet access to your network members. It also provides firewall security rules to isolate your guest network from the rest. This recipe contains information provided by our forums members and one blogger as shown below:

Manual configuration

The changes below assume an OpenWrt default configuration, the relevant files are:

Note: A guest WLAN (or plain guest network) across multiple network devices requires a separate VLAN.

………


A whole collection of 'tips' like this saves who knows how many words of explanation!

So let us break eth1 out of br-lan and rebuild the 'network' on it:

root@LEDE:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd42:80c5:b618::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '5.168.166.88'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lanToo'
         option ifname 'eth1'
         option type'bridge'
         option proto 'static'
         option ipaddr '5.168.128.66'
         option netmask '255.255.255.0'
        

config interface 'wan'
	option type 'bridge'
	option proto 'dhcp'
	option ifname 'eth0'
	option peerdns '0'
	option dns '8.8.8.8'

config interface 'wwan'
	option proto 'dhcp'


root@LEDE:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'LEDE-RPI-3B'
	option encryption 'psk2+ccmp'
	option key '12345678'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.4/1-1.4:1.0'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface
	option network 'wwan'
	option ssid 'WiFi-2.4'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'sta'
	option bssid '4C:E6:76:C4:E3:EA'
	option key 'XXXXXXXXX'


root@LEDE:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'
...

config zone
	option name 'lanToo'
	option network 'lanToo'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lanToo'

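An added checker for the two UCI files above (my code, neither the post's nor OpenWrt's): it tokenizes lines the way I understand UCI's parser to (assumption: a quote may begin mid-word and only delimits a quoted run, so the `option type'bridge'` line in the lanToo section is read as an option named `typebridge` with no value, which fits the ifconfig output further down where eth1 itself, not a br-lanToo bridge, holds 5.168.128.66), and it reads the firewall file to answer which zone pairs are explicitly forwarded; with the defaults section's forward 'REJECT', lanToo can reach wan but not lan, which is the isolation the guest-network recipe is after.

```python
def uci_tokens(line):
    """Split one UCI line into words; a quote may begin mid-word and only delimits a quoted run."""
    words, cur, quote, in_word = [], "", None, False
    for ch in line:
        if quote:                                  # inside a quoted run
            if ch == quote: quote = None
            else: cur += ch
        elif ch in "'\"":
            quote, in_word = ch, True
        elif ch == "#": break                      # comment to end of line
        elif ch.isspace():
            if in_word: words.append(cur); cur, in_word = "", False
        else:
            cur += ch; in_word = True
    if in_word: words.append(cur)
    return words

def parse_uci(text):
    """Return sections as {"type", "name", "options"} dicts."""
    sections = []
    for line in text.splitlines():
        w = uci_tokens(line)
        if not w: continue
        if w[0] == "config":
            sections.append({"type": w[1], "name": w[2] if len(w) > 2 else None, "options": {}})
        elif w[0] in ("option", "list") and sections:
            sections[-1]["options"][w[1]] = w[2] if len(w) > 2 else ""
    return sections

def forwarding_pairs(firewall_text):
    """(src, dest) zone pairs that a 'config forwarding' section permits."""
    return {(s["options"]["src"], s["options"]["dest"])
            for s in parse_uci(firewall_text) if s["type"] == "forwarding"}

def can_forward(firewall_text, src, dest):
    """True only for an explicit forwarding; the defaults section rejects everything else."""
    return (src, dest) in forwarding_pairs(firewall_text)

# Constructed excerpt of the page's /etc/config/firewall (zone sections omitted).
FIREWALL = """config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option dest 'wan'
    option src 'lanToo'
"""

if __name__ == "__main__":
    print(uci_tokens("        option type'bridge'"))      # ['option', 'typebridge']
    print("lanToo -> lan allowed?", can_forward(FIREWALL, "lanToo", "lan"))
```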

root@LEDE:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp lanToo
	option	interface	lanToo
	option	start		200
	option	limit		250
	option	leasetime	24h


First, confirm that everything is working normally ☺

root@LEDE:~# ifconfig 
br-lan    Link encap:Ethernet  HWaddr B8:27:EB:8C:82:7A  
          inet addr:5.168.166.88  Bcast:5.168.166.255  Mask:255.255.255.0
          inet6 addr: fd42:80c5:b618::1/60 Scope:Global
          inet6 addr: fe80::ba27:ebff:fe8c:827a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:2108 (2.0 KiB)

br-wan    Link encap:Ethernet  HWaddr B8:27:EB:D9:D7:2F  
          inet addr:5.168.168.20  Bcast:5.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:fed9:d72f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2760 errors:0 dropped:390 overruns:0 frame:0
          TX packets:2269 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:250093 (244.2 KiB)  TX bytes:690436 (674.2 KiB)

eth0      Link encap:Ethernet  HWaddr B8:27:EB:D9:D7:2F  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2760 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2269 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:250093 (244.2 KiB)  TX bytes:717588 (700.7 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0E:C6:81:79:01  
          inet addr:5.168.128.66  Bcast:5.168.128.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:c6ff:fe81:7901/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:42606 (41.6 KiB)  TX bytes:50288 (49.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1400 (1.3 KiB)  TX bytes:1400 (1.3 KiB)

wlan0     Link encap:Ethernet  HWaddr B8:27:EB:8C:82:7A  
          inet6 addr: fe80::ba27:ebff:fe8c:827a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:3526 (3.4 KiB)

wlan1     Link encap:Ethernet  HWaddr E8:4E:06:4F:C5:5C  
          inet addr:192.168.11.6  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::ea4e:6ff:fe4f:c55c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:683 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:69118 (67.4 KiB)  TX bytes:76980 (75.1 KiB)


root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.11.1    0.0.0.0         UG    0      0        0 wlan1
5.168.128.0     *               255.255.255.0   U     0      0        0 eth1
5.168.166.0     *               255.255.255.0   U     0      0        0 br-lan
5.168.168.0     *               255.255.255.0   U     0      0        0 br-wan
5.168.168.1     *               255.255.255.255 UH    0      0        0 br-wan
192.168.11.0    *               255.255.255.0   U     0      0        0 wlan1
192.168.11.1    *               255.255.255.255 UH    0      0        0 wlan1