freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Update firewall docs #1072

Closed conorsch closed 9 years ago

conorsch commented 9 years ago

The firewall appliance recommended in docs/hardware.md is no longer available. From the Netgate APU2 page:

The APU2 system is no longer available. The APU1D board and kit are available by special order only. Please email for availability.

It's ambiguous whether the APU4 unit will become available again:

OUT OF STOCK. The APU4 equivalent is the VK-T40E directly available from the pfSense microsite.

Then, on the VK-T40E page:

The VK-T40E has been replaced. Please select one of these fanless replacement options: SG-2220: Replacement for the VK-T40E with dual core Intel C2338 CPU, 2 GB RAM, 2 Intel GbE Ports. SG-2440: Upgrade with dual core Intel C2358 CPU, 4 GB RAM, 4 Intel GbE Ports.

The SG-2220 only has two ports, WAN and LAN, so that's out. The SG-2440, however, has four ports (WAN, LAN, OPT1, and OPT2) which could accommodate the Admin Workstation and remove the need for a switch. It's $500, rather than ~$300 for the APUs.

We should select a new recommended unit and update the docs.

Thanks to @Taipo for pointing this out (in the comments in #732).

garrettr commented 9 years ago

We got an SG-2440 delivered today and will be testing it (and updating the docs) this week.

conorsch commented 9 years ago

Waiting for release candidate for 0.3.5, will run through test install with new hardware then.

conorsch commented 9 years ago

The pfSense Guide URL in the docs is broken: http://data.sfb.bg.ac.rs/sftp/bojan.radic/Knjige/Guide_pfsense.pdf

Consider linking to the pfSense project wiki instead: https://doc.pfsense.org/index.php/Main_Page

garrettr commented 9 years ago

@conorsch That's unfortunate, the linked guide was really excellent. I'm pretty sure it was a copy of "pfSense: The Definitive Guide", which, according to the pfSense project wiki, is meant to be only available to Gold Subscribers. Which is unfortunate, as I found it to be much better than any of the online resources, especially for pfSense newbies.

Some options for resolving that particular issue are:

  1. Encourage SecureDrop users to become pfSense Gold subscribers if they want to get access to that doc.
  2. Find another copy online and link to that one instead.
  3. Make sure our docs describe everything in enough detail that the pfSense guide is not needed.

harlo commented 9 years ago

I still needed a switch for my SG-2440: could not figure out how to configure OPT2 via the pfSense web interface, and didn't want to do it manually in iptables (although that should be a perfectly viable option...)

The web interface for the SG-2440 looks exactly like what's shown in our docs; there is no tab for OPT2.

garrettr commented 9 years ago

Added to 0.3.5 since the docs on master should describe how to install the release on master, and we need to update these docs since the hardware they reference is no longer available.

harlo commented 9 years ago

@garrettr and I figured this out. Writing docs now...

conorsch commented 9 years ago

Regarding the broken link for the pfSense guide, we should go with @garrettr's third suggestion:

Make sure our docs describe everything in enough detail that the pfSense guide is not needed.

We can't host the PDF elsewhere, and recommending everyone who uses SecureDrop pay a subscription fee for slightly better docs is also unreasonable. Adding the necessary information explicitly to the SecureDrop docs is the right way to go.

conorsch commented 9 years ago

Resolved by #1113.