Network Management Policy

Last Update: August 11th, 2024
Update Reason: [FurrIX Launch]
Rundown: [NMP was updated due to the sharing of resources with FurrIX (furrix.zone)]

PREFACE

Our Network Management Policy states and explains how we operate our routing stack and the data that transits our infrastructure. This policy covers router deployment, network rules and flags as well as how we approach the maintenance and patching of our gear, physical and virtual.

As with all of our policies that govern the operation of both ‘Marbled Fennec Networks’ and ‘FurrIX’, this is a living document and will be updated from time to time as our sponsoring board of project members advances, alters and makes changes to both projects. As such, project members, project guests and end users should refer back to this policy often and make note of any changes that have occurred. Failure of a project member, project guest or end user to be aware of changes does not excuse them from following the policies set for both projects by the sponsoring board of Marbled Fennec Networks. Failure to be aware of and follow all policies can lead to service and/or account termination.

In addition, project members who choose to sponsor a project guest are to understand that their sponsorship, if approved, will be undertaken within their own service account. The actions of any project guest that a project member registers with Marbled Fennec Networks will be treated as if they were the actions of the sponsoring project member. Project members are to ensure that their guests follow all policies at all times that services hosted or offered by Marbled Fennec Networks are being used.

SCOPE

All communications that take place via Marbled Fennec Networks traverse our network routing and switching gear, whether physical or virtual. Our routing and switching gear is owned by the FurrIX subproject, which is sponsored directly by Marbled Fennec Networks. Project members, project guests and end users are to understand that the infrastructure provided by Marbled Fennec Networks and FurrIX consists of physical servers and virtual routers, bridges and switches that are maintained by Volunteer Techs (otherwise known as VTs) who are elected by the sponsoring board for the purpose of maintaining said gear. Volunteer Techs are able to drop into the network at the packet level, make configuration changes and alter the firmware running on our gear. All actions that our elected VTs perform are logged via various Network Management Systems (NMS) and Discord logging systems.

Marbled Fennec Networks is the parent project, sponsoring board of project members and host for the main physical servers, support desk, email systems and backup systems which are provided to the team at FurrIX. The FurrIX subproject is the operational and configuring agent for our routing and switching gear. Through the FurrIX subproject, Marbled Fennec Networks provides a wide array of network connectivity solutions to our project members, project guests and end users. These solutions consist of virtualized routers and switches, VPN technologies for IPv4 and IPv6 transit and internet access (where applicable), partner network tunneling and routing, as well as virtual private server hosting.

Our Network Management Policy applies to any communications that traverse any of the gear maintained, operated or provided by Marbled Fennec Networks and/or FurrIX. This includes, but is not limited to, any ingress or egress from and to our partnered networks, our own core network and any traffic that occurs as part of or under our network ranges. This policy covers all network protocols, internet protocols, applications and services provided by, operated through, or maintained by Marbled Fennec Networks and/or FurrIX.

THE HUMAN ELEMENT

The Sponsoring Board of Marbled Fennec Networks elects and assigns Volunteer Techs to the subproject known as FurrIX. These volunteers are responsible for the maintenance and day to day operation of our networking services. Maintaining our network requires skill, attention to detail and a fair amount of time dedication from our Volunteer Techs. The Sponsoring Board of Marbled Fennec Networks selects Volunteer Techs for various operational tasks and positions within both of our projects. Our Volunteer Techs are equipped with the tools, network mappings, access tokens, documentation and internal support required to perform their duties. Most, if not all, of our techs are volunteers who are Information Technology and Computer Networking amateurs that take on their respective roles within Marbled Fennec Networks and/or FurrIX for the fun of doing so and for the expansion and refinement of their skills. No Volunteer Tech of either the parent or sub project may place their respective duties above any other function of their daily lives. Participation in the maintenance and upkeep of both projects is done on a purely amateur basis, for the love of the hobby, and without pecuniary interest. Therefore, maintenance of the projects and network, responses to support tickets and documentation refinement are done as Volunteer Techs are able and are not held to any time standard or service level agreement.

Marbled Fennec Networks does not apply, condone or otherwise imply the existence of or adherence to any service level agreement. The project, and sub projects, are placed into operation on a purely amateur basis by those members who strive to keep packets moving. Project members, project guests or end users who are expecting complete uptime or a perfectly usable network are encouraged to look for a commercial provider to meet their needs, as such is outside the scope of both Marbled Fennec Networks and FurrIX. Our Volunteer Techs will not be pushed into placing Marbled Fennec Networks or FurrIX above any other aspect of their daily and personal lives, whatsoever. Any project member, project guest or end user that is found to be placing undue pressure on our Volunteer Techs will have their service(s) and account(s) terminated and will receive an email stating that their behavior was unacceptable and they should go look into a commercial provider. Our Volunteer Techs are humans with lives, emotions and personal experiences; they will not service abusive or abrasive support tickets. Marbled Fennec Networks and FurrIX value the happiness and mental health of our Volunteer Techs above all else.

PATCH SCHEDULE

Both Marbled Fennec Networks and FurrIX aim to inspect and apply OS patches, firmware updates and support software updates to our systems each week on Wednesday and Saturday. The patching window is from midnight to three AM EST. Project members, project guests and end users should expect to see little to no interruption during this process, not including any patches that require equipment reboots. In the event that a patch or update fails, our network and servers are set up with nightly offsite backups and we hold a rolling window of the last sixteen images. Our Volunteer Techs will work as quickly as their schedules allow to restore systems that experience a failed patch or update.

All updates and configuration changes are logged to an internal Discord channel that all of our Volunteer Techs have access to. This allows for the coordination of updates and for our Volunteer Techs to work together to keep updates as smooth as possible. When major updates, or updates that have a possibility of breakage, are to happen, Marbled Fennec Networks will make a post on our website detailing what service(s) are affected and a rough guess of how long things will be offline. We will also make posts on our website(s) detailing outages, changes to the network core or changes to our offered services.

BACKUP INFORMATION

Marbled Fennec Networks provides an internal service to itself and FurrIX that automatically handles the nightly backup imaging of all services and routers. These backups happen every night of the week at midnight and take roughly an hour to complete. We are set up to keep sixteen images of all project related routers, VMs and services on hand at all times. When updating a router, VM or in house service, the last backup image is locked to prevent data loss and to provide our Volunteer Techs with a known, working image to restore to if things go wrong.

Marbled Fennec Networks and FurrIX do not provide our project members, project guests or end users with any form of backup service nor access to our backup service. Project members, project guests and end users are expected to take reasonable measures themselves to protect their data. Neither Marbled Fennec Networks nor FurrIX is responsible for data loss.

All backup images are stored on a separate physical server in a different part of the data center. The machine that handles the backup images (backup.fenfox.run) exists as a virtual machine on the secondary physical host (mech02.furrix.zone) and has firewall rules in place that only allow access from our internal /64 subnet. Only the lead network engineer and tier two support have access to this server.

Network Addressing

Due to the nature of the services offered by FurrIX, and thus by Marbled Fennec Networks, and the very real possibility for abuse, we statically assign all routes and internet protocol addresses to our project members, project guests and end users. The address range you are given access to is attached to your account and is noted on your service(s), and a PTR record is attached to the virtual interface that operates your service(s). This is done to make troubleshooting and the identification of bad actors and improper network use easier for our Volunteer Techs to handle. Project members, project guests and end users are not allowed to request a custom IPv4 address as these addresses are NAT’d internally and the corresponding private range addresses are assigned in order. Custom IPv6 ranges from our pools may be requested; however, they may take a few days to process and the requested ‘vanity’ range must fall within one of the /58s routed to our member facing routers.

PTR RECORD ASSIGNMENT

FurrIX requires that the network interface's address in any assigned subnet must have its PTR record set upon activation for the identification of the project member, project guest or end user responsible for the network traffic on that interface and its subnet range. Typically, when a member’s service(s) are activated, the Volunteer Techs who operate FurrIX will place our routing interface on the first usable address in the assigned subnet. For most services, this will be something such as 2604:4300:f03:XX::1/64, and the usable pool of addresses for project members, project guests and end users begins at 2604:4300:f03:XX::2/64. The XX::1/64 address must have a PTR record assigned or service will not be activated. Currently, PTR records for routing interfaces will be placed into either the “.marbledfennec.net” or “.furrix.zone” namespaces. This properly identifies network traffic to our Volunteer Techs, members and external network admins.

Project members, project guests and end users who do not consent to having a PTR record set will not be connected to our network. This is not optional and is a rule made for traffic accounting and member accountability reasons.

Project members and end users may request additional PTR records be set for endpoints or devices in their subnet range as long as their subnet comes from our “2604:4300:f03::/48” pool. For technical reasons, we are not able to set PTR records for subnet ranges from the “2602:f992:f3::/48” pool. PTR requests have to be forwarded to our upstream provider and may take time to process. Marbled Fennec Networks will continue to offer this service for as long as our upstream provides it to us.

If you choose to submit a PTR record request, please make sure you are using a namespace that makes sense at a glance. Silly, obscure, encoded or otherwise unwarranted record requests will be rejected during the manual review that the lead engineer at FurrIX performs. Currently the expected naming conventions are “<dev>.<member>.marbledfennec.net” or “<dev>.<member>.furrix.zone”.
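The checks a reviewer applies to a PTR request, as an added example that is not part of this policy or of FurrIX's tooling: the address has to come from the pool for which the upstream can set records, the name has to follow the “<dev>.<member>.<zone>” convention in one of the two namespaces, and the member label has to match the requesting account. The `LABEL_RE` pattern, the assumption that member subnets are /64s, and the sample request values are constructed for this example.

```python
import ipaddress
import re

# Pools and namespaces are the ones named in the policy above.
PTR_ELIGIBLE_POOL = ipaddress.IPv6Network("2604:4300:f03::/48")    # PTRs can be set here
PTR_INELIGIBLE_POOL = ipaddress.IPv6Network("2602:f992:f3::/48")   # upstream cannot set PTRs
ALLOWED_ZONES = ("marbledfennec.net", "furrix.zone")
# Constructed assumption: labels are plain lowercase hostname labels (no "encoded" names).
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def routing_interface(member_subnet: str) -> ipaddress.IPv6Address:
    """The routing interface sits on the first usable address of the member's /64 (XX::1)."""
    net = ipaddress.IPv6Network(member_subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError("member subnets are expected to be /64s")
    return net.network_address + 1


def validate_ptr_request(address: str, name: str, member: str):
    """Return (ok, detail): detail is the rejection reason, or the ip6.arpa owner name on success."""
    addr = ipaddress.IPv6Address(address)
    if addr in PTR_INELIGIBLE_POOL:
        return False, "no PTR records possible for the 2602:f992:f3::/48 pool"
    if addr not in PTR_ELIGIBLE_POOL:
        return False, "address is not from a FurrIX pool"

    labels = name.lower().rstrip(".").split(".")
    zone = ".".join(labels[-2:])
    if zone not in ALLOWED_ZONES:
        return False, "zone must be marbledfennec.net or furrix.zone"
    if len(labels) != 4:  # <dev> . <member> . <zone with two labels>
        return False, "expected <dev>.<member>.<zone>"
    dev, owner = labels[0], labels[1]
    if owner != member.lower():
        return False, "member label does not match the requesting account"
    for label in (dev, owner):
        if not LABEL_RE.match(label):
            return False, f"label {label!r} is not a plain hostname label"

    # The record the upstream would publish: nibble-reversed address under ip6.arpa.
    return True, addr.reverse_pointer


if __name__ == "__main__":
    gw = routing_interface("2604:4300:f03:1::/64")  # constructed sample subnet
    print(gw, validate_ptr_request(str(gw), "gw.fennec.marbledfennec.net", "fennec"))
```

The `reverse_pointer` value is what actually gets sent upstream; printing it next to the request makes it easy to spot a request for an address outside the subnet the member was actually assigned.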

Partner Network Routing

Where such benefits our members, FurrIX may opt to set up a tunnel that routes traffic between our network and another project’s network. Announcements will be placed on our website(s) when this happens. Usually this is done to give both projects an additional point of presence on the internet or to provide better routes to specific internet resources. Interconnecting tunnels like these are always limited to 100Mbps of traffic in both directions and do not have monthly transfer limits. When FurrIX enters a peering agreement with another project, the full details will be posted on our website(s) for our project members or end users to review. As long as the tunnel benefits both projects and their members, it will remain in operation.

Furthermore, when peering with partner networks, test router “jigs” must be set up to test routes to different internet resources. When one peering partner has a better route to a specific internet resource, they then become the preferred route for the other partner. This creates a mutually beneficial peering for both projects and their members.

NETWORK SECURITY AND INTRUSION DETECTION SYSTEM

By default, Marbled Fennec Networks provides FurrIX with a set of default firewall rules and some basic IDS rules for all of our routers. The standard setup is that none of our routers allow any IPv4 traffic inside without additional rules being set up for NAT to project member or end user subnets. For our project members and end users, FurrIX provides port forwarding on a first come, first served basis. No project member or end user is allowed to obtain a public IPv4 address for themselves through FurrIX or Marbled Fennec Networks. IPv4 addresses are shared through NAT on each router and are simply too expensive to provide.

For IPv6 access, which is the main goal of FurrIX, packets are routed straight through our network to project member or end user endpoints. Project members and end users are highly encouraged to deploy some form of a firewall on their end of the tunnel that connects them to our routers. Unless specifically requested upon service activation, FurrIX does not firewall IPv6 by default.

Project members, project guests and end users should be aware that all traffic that traverses the network operated by Marbled Fennec Networks and FurrIX passes through various firewalls, routers and intrusion detection systems that automatically inspect and may automatically block traffic on a temporary basis. These blocking actions alert our Volunteer Techs to potential problems. Our Volunteer Techs can drop into the network at the packet level to inspect what is causing the alerts and make adjustments to the network as needed. None of our Volunteer Techs are allowed to disclose any of the traffic they may see to anyone outside of our other Volunteer Techs, our upstream provider’s Network Operations Center (NOC) or law enforcement who may be doing an investigation for network abuse. FurrIX tries its best to remain a neutral network carrier and, for the most part, our Volunteer Techs have no interest in what project members or end users are doing on our network as long as it is legal within the USA and they are not putting our projects or Volunteer Techs at risk.

Marbled Fennec Networks, the sponsor for this project, forbids FurrIX from excluding any project member, project guest, end user or Volunteer Tech from passing through the intrusion detection system on any of our routers. The IDS is in place as a security measure to assist with protecting the network and our projects from abuse, both internal and external.

Name Server Management

In partnership with FurrIX, Marbled Fennec Networks operates two public name servers that anyone may make use of for general DNS queries. Both servers are set up to resolve both OpenNIC and ICANN domains. Both servers provide IPv4 and IPv6 service with options for DoH and DoT features. Logs are kept for forty-eight hours before being truncated to zero. FurrIX has applied rate limits and bandwidth limits to each server to help prevent abuse.

While we strive to remain an unbiased and neutral network operator, there will be times in which our Volunteer Techs must moderate the name servers to prevent abuse. To date, there are roughly 150 domains which are dropped using iptables. Packets arriving at our servers containing the hex for these domains are dropped before they make it to the name service. We will not unblock known command and control domains.
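How a domain turns into the “hex” that an iptables string match drops before the resolver sees the query, as an added example that is not part of this policy or of FurrIX's actual rule set. A query carries the name in the question section as length-prefixed labels, so matching on the wire-format bytes (`\x07example\x03com\x00`) rather than on the ASCII text avoids false positives such as “example.community” and still catches subdomains of the blocked name. The domain list and the listener ports below are constructed for this example; `-m string --algo bm --hex-string --icase` are real iptables options.

```python
def dns_wire_labels(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>...<len><label><0x00>."""
    out = bytearray()
    for label in domain.strip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def hex_string(pattern: bytes) -> str:
    """Render bytes in the |..| form that iptables --hex-string expects."""
    return "|" + pattern.hex() + "|"


def block_rules(domains, table_cmd="iptables", port=53):
    """One DROP rule per domain and transport. --icase because QNAMEs are case-insensitive
    and a resolver may mix case (0x20 encoding), which a case-sensitive match would miss."""
    rules = []
    for domain in domains:
        pattern = hex_string(dns_wire_labels(domain))
        for proto in ("udp", "tcp"):
            rules.append(
                f'{table_cmd} -A INPUT -p {proto} --dport {port} '
                f'-m string --algo bm --icase --hex-string "{pattern}" -j DROP'
            )
    return rules


if __name__ == "__main__":
    # Constructed sample list; the real list is maintained by the Volunteer Techs.
    for rule in block_rules(["example.com"]):
        print(rule)
    # Use table_cmd="ip6tables" for the IPv6 listener.
```

The trailing `0x00` in the pattern means a blocked `example.com` does not match `example.com.evil`, while `sub.example.com` still matches because its encoding contains the full `\x07example\x03com\x00` suffix, which is usually the intended behaviour for a C2 block. The string match only sees the name uncompressed as it appears in queries; it does not inspect DoH or DoT traffic, which is encrypted before it reaches port 53 style filtering.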

Aside from the above and as part of the agreement with FurrIX, Marbled Fennec Networks will not restrict access to domain lookups that are not abusive. The internet is a weird place and not everyone will agree with the information that others seek out and that is something we all have to deal with as system admins. It is a fact of life.

Volunteer Tech Management

Marbled Fennec Networks and FurrIX both take the operation and security of their network seriously. When on-boarded, Volunteer Techs are provided with a WireGuard profile that attaches them to our internal management network (IMN) and grants them only the level of access they need for their roles. Being VPN’d into our IMN is a requirement in order to perform their duties. No management interface of any service operated by Marbled Fennec Networks or FurrIX is allowed to be exposed to the internet. All management interfaces must be placed behind our IMN and must have appropriate firewall rules in place at all times.

Volunteer Techs who are found to be misconfiguring administrative endpoints, and thus exposing them to the internet, will be removed from their position and possibly banned from the projects altogether. Network and server management integrity is the top priority for our services and routing gear.

Volunteer Techs are forbidden from sharing their access tokens, network profiles or any other project data. They are not allowed to stream, record video of or share pictures or screenshots of themselves working on the network or any project services. If found to be doing so, they will be banned from the projects and network right away with no possible recourse. While pretty much all of our documentation may be requested by our Volunteer Techs and project members, certain data sets are not to be shared under any circumstance as they are critical to the security and operational status of our network and routing gear.

PROJECT MEMBER, PROJECT GUEST AND END USER ACCOUNTS AND SERVICES

Project members, project guests and end users are not allowed to share their account(s) details with anyone not listed on their request for service(s) and the email of approval for their request. Your account(s) and service(s) are intended for your own personal use only and shall not be shared outside of your homelab or personal devices. You are fully responsible for all communications and data that traverse our network in relation to your account(s), service(s) and network access profile(s).

In the event that Marbled Fennec Networks receives any complaints about project member, project guest or end user activities, our Volunteer Techs at FurrIX will begin an investigation that may involve the temporary monitoring of said network traffic and data. If said project member, project guest or end user is found to be in violation of our policies, their access to service(s) and account(s) will be restricted while we try to contact them for a resolution. Failing contact, said project member, project guest or end user’s service(s) and account(s) will be terminated.

OUTRIGHT BANNED COMMUNICATIONS

Marbled Fennec Networks, in adherence to our agreement with FurrIX, does not allow project members, project guests or end users to operate Tor nodes of any type, mail servers or relays, public proxies or torrent services. If a project member, project guest or end user is found to be operating such, their access to the network and service(s) will be terminated without notice and said individual will be banned from requesting future account(s) or service(s).

FurrIX does not permit the operation of SMTP (email) servers by project members, project guests or end users. Due to the effort that we have spent to keep our network ranges clean and off of blocklists, we will not respond to support requests to unblock ports 25, 465, and 587. Traffic on these ports is blocked both at the edge and internally in our routing stack. Furthermore, the attempted operation of services on these ports will trigger alerts in our NMS, causing our Volunteer Techs to act on the alerts to ensure these ports remain unusable.

NETWORK MANAGEMENT SYSTEM

As part of our agreement with FurrIX, Marbled Fennec Networks operates an NMS (Network Monitoring System) that handles various tasks such as, but not limited to: traffic accounting per subnet, interface throughput monitoring, error alerting, uptime and outage tracking as well as all related stats. All routers, bridges and VMs operated by FurrIX are enrolled in the NMS. All services, physical servers and VMs operated by Marbled Fennec Networks are enrolled in the NMS. This is not optional and, under the current agreement, both projects are required to enroll all of their project related gear into the NMS for monitoring and alerting. Additionally, to augment the NMS, all of FurrIX’s routers are running ntopng.

NETWORK STATUS MONITORING

Marbled Fennec Networks operates a public service for tracking uptime and outages for various services hosted by both Marbled Fennec Networks and FurrIX. This page is viewable at https://status.marbledfennec.net/

For uptime and outage tracking of routed subnets and other endpoints, FurrIX operates a status page at https://status.marbledfennec.net/project/subnets

These status pages monitor all in house gear for both Marbled Fennec Networks and FurrIX. The general public can view this page for information on our services for the last fourteen hours, as well as view information about any outages or planned maintenance.

FIREWALL RULES AND QUALITY OF SERVICE

As needed in order to maintain network quality and to protect our network, Marbled Fennec Networks has empowered FurrIX to set and adjust firewall and quality of service rules on our routers and servers. Rules may be set or adjusted to allow or deny certain network ranges as well as to set the priority for various network protocols. Our project members, project guests and end users may check our website(s) for updates that detail any changes to our network and why those changes have occurred.

In an attempt to keep network availability and usability fair for all project members, FurrIX deploys and occasionally adjusts the quality of service (QoS) system on each router. The QoS system is intended to evenly divide the bandwidth of each router amongst its active users at any given time. Some types of traffic may temporarily see slower service on our network when compared to other types of traffic, if both types are flowing through the network at the same time. Certain types, such as known VoIP applications and web browsing, will get greater priority than types of traffic such as Steam downloads or OS updates. This is done purely for the purpose of ensuring network stability during peak usage hours and will have little to no impact during periods of light usage. As of July 5th, 2024 the current QoS rates are 350Mbps download and 175Mbps upload shared per router. These rates were chosen based on the average usage over the past four months.

In addition to the limits put in place by FurrIX, Marbled Fennec Networks reserves the right to place additional bandwidth restrictions on project members, project guests or end users who are deemed to be abusing the network by consuming extreme amounts of network bandwidth for extended periods of time. Project members, project guests and end users need to be mindful that the bandwidth on a router is shared between all active users connected to that router. Users who continue to burn through extreme amounts of bandwidth will eventually be disconnected and may face termination of their account(s) and service(s). Currently, as of Aug 9th, 2024, the alert threshold for network bandwidth abuse is set at 750GB within a single month period. The accounting period starts on the first day of the current month and ends on the last day of the current month. Usage accounting is performed on a per subnet basis, not per device, meaning a user’s usage is accounted for across all of their devices. Users exceeding 750GB within a one month period will be placed into a lower QoS bucket that limits their max bandwidth to 30Mbps for the remainder of the current month. Users exceeding 900GB within a one month period will be dropped into our lowest QoS bucket of 5Mbps for the remainder of the current month and will receive an email about fair usage and a warning of the possibility of their account(s) and service(s) being terminated. Users who receive two abuse and warning emails within a three month period will have their account(s) and service(s) terminated for network abuse and will be banned from applying for service(s) for forty-five days afterwards.
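The per-subnet accounting and bucket escalation described above, as an added example that is not part of this policy or of the projects' NMS. The point it shows is that usage is summed over every address inside a member's subnet before the 750GB and 900GB thresholds are compared, so two devices in one /64 share a single allowance. The flow records, the decimal-gigabyte unit and the 90-day reading of “three month period” are constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GB = 10**9  # constructed assumption: thresholds are in decimal gigabytes


@dataclass(frozen=True)
class Bucket:
    name: str
    max_mbps: Optional[int]  # None means the router's normal shared QoS applies


DEFAULT = Bucket("default", None)
FAIR_USE = Bucket("fair-use", 30)   # > 750GB in the month
LOWEST = Bucket("lowest", 5)        # > 900GB in the month, plus a warning email

# Thresholds as stated in the policy (as of Aug 9th, 2024).
FAIR_USE_THRESHOLD = 750 * GB
LOWEST_THRESHOLD = 900 * GB


def usage_per_subnet(assigned_subnets, flows):
    """Sum bytes per assigned subnet. `flows` are (source_address, bytes) records from
    any device; each address is attributed to the subnet that contains it."""
    nets = [ipaddress.IPv6Network(s) for s in assigned_subnets]
    totals = {net: 0 for net in nets}
    for address, nbytes in flows:
        addr = ipaddress.IPv6Address(address)
        for net in nets:
            if addr in net:
                totals[net] += nbytes
                break  # addresses outside every assigned subnet are ignored
    return totals


def qos_bucket(month_bytes: int) -> Bucket:
    """Bucket for the remainder of the month, from usage so far this month."""
    if month_bytes > LOWEST_THRESHOLD:
        return LOWEST
    if month_bytes > FAIR_USE_THRESHOLD:
        return FAIR_USE
    return DEFAULT


def should_terminate(warning_dates, today: date, window_days: int = 90) -> bool:
    """Two warning emails within the window (assumed 90 days) means termination."""
    window = timedelta(days=window_days)
    recent = [d for d in warning_dates if timedelta(0) <= today - d <= window]
    return len(recent) >= 2


if __name__ == "__main__":
    # Constructed sample: two devices in one /64 and one device in another.
    subnets = ["2604:4300:f03:10::/64", "2604:4300:f03:11::/64"]
    flows = [
        ("2604:4300:f03:10::2", 500 * GB),
        ("2604:4300:f03:10:abcd::1", 300 * GB),
        ("2604:4300:f03:11::2", 100 * GB),
    ]
    for net, total in usage_per_subnet(subnets, flows).items():
        print(net, total // GB, "GB ->", qos_bucket(total).name)
```

Because the second device in the first subnet pushes the combined total to 800GB, that whole /64 lands in the 30Mbps bucket even though neither device alone crossed 750GB, which is exactly what “per subnet, not per device” means in practice.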

SHARED NETWORK RESOURCES

While FurrIX does not, and cannot, guarantee complete network isolation from other users on any of our routers, the Volunteer Techs do their best to implement firewall rules that prevent users from reaching other users' subnets directly. This is applied even across different routers within our network. If you need access to another user's subnet, you both need to submit a ticket to the support desk and both verify that you want and are granting access.

INTENDED NETWORK USAGE

The network operated by Marbled Fennec Networks and FurrIX is not meant to be a replacement for a commercial transit provider. The services on our network are provided by hobbyists who maintain the network out of their own pockets and ask that our project members, project guests and end users be mindful of the network and its resources. Abuse of the projects or our network will not be tolerated. We have hard limits on our transit and network speeds for the connections to the outside world that we have to be mindful of and work to ensure fair use of.

Our projects provide and maintain an IPv6 enabled network for our project members and end users to use in a homelab or personal setting. The service(s) and account(s) that you may be granted access to are for your own personal use only. You may not operate a hosting, telecommunications or similar company or business system on our network and doing so will get your account(s) and service(s) terminated. Exceptions for certain types of hosting, such as personal websites, may be granted on a known and documented basis. You must speak with support on that process, and such grants are subject to all network and project policies.

You may not use our network to invade another person’s privacy; access or attempt to access any internet host for which you do not have permission; hack, crack or otherwise gain access to any other internet host; share data or software that you do not have the rights to; use or access packet sniffers or similar tools; send unsolicited mail; restrict or inhibit any other member from using or enjoying our network; harass any other persons or groups; impersonate other persons or groups; or use any internet host in a way that is not authorized by its operators.

You may not perform actions that would cause undue burden to our network resources or other users connected to our network. For hosted services, this includes but is not limited to: exploits to bypass service limitations; exceeding allocated network speeds or traffic limitations; gaining access to virtual machines not hosted under your account; exploits to make unauthorized changes to our network and systems.

Doing any of the above will result in termination of your account(s) and service(s), as well as you being banned from using our network in the future.

PUBLIC DISPLAY OF STATISTICS

Marbled Fennec Networks will collect, parse and occasionally display on our website(s) information about how the network is used. We are making this known via this policy as the information collected and displayed will be in the form of traffic type, traffic amount, protocol, IPv6 subnet, the parties those subnets are provided to and which router the traffic flowed across. This is solely for allowing users a look into how our network is being utilized and the amounts of traffic we route through our equipment, as well as a tool to help plan changes and modifications to our network in response to changes in usage patterns. Neither Marbled Fennec Networks nor FurrIX will disclose individual IPv6 addresses in the presented information on our website, only entire subnets. If you do not agree with this process, you should contact support immediately to cancel your service(s) and account(s).

As part of our Network Management Policy, the projects both report banned IP addresses to AbuseIPDB on a regular basis. This reporting is handled automatically via various services within our network.

INTERNAL COLLECTION AND PARSING OF NETWORK STATISTICS

Volunteer Techs helping maintain the network and projects will have the ability and tools needed to collect, parse and display network statistics internally that help our projects see: how the network is utilized; traffic flows in real time; where traffic is coming from and going to; which IP addresses are involved; which parties those IP addresses are in use by; endpoint connection IP addresses and estimated geolocation; resolved DNS queries and other related network statistics. This information is used internally to assist our Volunteer Techs in making decisions related to setting up our routers, providing our users with support, planning maintenance and performing network upgrades.

Volunteer Techs are not allowed to disclose this level of detailed information to the public. The highly detailed internal view is only to be used for day to day upkeep, to respond to queries from our upstream’s NOC or to provide law enforcement with requested information as required by law.

COOPERATION WITH LAW ENFORCEMENT

Both Marbled Fennec Networks and FurrIX aim to keep good relations with our upstream provider(s) and law enforcement agencies. In the event that we are instructed to, and such compliance is legally required, FurrIX will provide our upstream provider and/or law enforcement with a virtual network drop via a virtual machine that will grant their investigators network-level access on our core bridge. Due to the types of situations that may arise requiring the above provisions, we may be ordered not to disclose any information about the investigation; however, once such is over and done with, FurrIX will provide Marbled Fennec Networks with as much knowledge as legally allowed in order for both projects to be transparent with our members and users.

THE BOTTOM LINE

FurrIX is an extension of the concepts that Marbled Fennec Networks has built over time. The two projects, their services and their network are built to provide a learning space to homelabbers and to roll out IPv6 to end users whose ISPs haven’t figured out how to do so yet. We don’t charge for our services, we strive to help one another out and we all play in a shared sandbox. All in all, just behave and do not abuse the network. We think that is a pretty fair ask of our members, guests, end users and vendors.