Openbsd apu » Historique » Version 5
sacha, 11/11/2020 21:41
1 | 1 | sacha | > > {{\>toc}} |
---|---|---|---|
2 | |||
3 | 3 | sacha | # Firewall OpenBSD on PCEngines APU |
4 | 1 | sacha | |
5 | 4 | sacha | **DISCLAIMER: This is not a step by step guide.** |
6 | 1 | sacha | |
7 | 3 | sacha | This is a toolbox on various config files, scripts (like prometheus startup scripts, sounds on boot...) and various tips (adding hardware power button). |
8 | 1 | sacha | |
9 | 3 | sacha | |
10 | 1 | sacha | ## Install an OpenBSD image |
11 | |||
12 | |||
13 | ### Getting the OpenBSD image |
||
14 | |||
15 | The list of the mirrors is here: https://www.openbsd.org/ftp.html |
||
16 | Get the last version, here 6.5 |
||
17 | |||
18 | ~~~ |
||
19 | wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs |
||
20 | ~~~ |
||
21 | |||
22 | ### Write the image to an USB Key |
||
23 | |||
24 | My usb key is on /dev/sde |
||
25 | |||
26 | ~~~ |
||
27 | dd if=install65.fs of=/dev/sde bs=1M |
||
28 | ~~~ |
||
29 | |||
30 | ### Boot USB & install |
||
31 | |||
32 | Select the tty output in 115200 on com0 |
||
33 | |||
34 | ~~~ |
||
35 | SeaBIOS (version rel-1.12.0.1-0-g393dc9c) |
||
36 | |||
37 | Press F10 key now for boot menu |
||
38 | |||
39 | Booting from Hard Disk... |
||
40 | Using drive 0, partition 3. |
||
41 | Loading...... |
||
42 | probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on] |
||
43 | disk: hd0+ hd1+* |
||
44 | >> OpenBSD/amd64 BOOT 3.43 |
||
45 | boot> stty com0 115200 |
||
46 | boot> set tty com0 |
||
47 | switching console to com>> OpenBSD/amd64 BOOT 3.43 |
||
48 | boot> |
||
49 | ~~~ |
||
50 | |||
51 | Replying to answears |
||
52 | ~~~ |
||
53 | Welcome to the OpenBSD/amd64 6.5 installation program. |
||
54 | (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I |
||
55 | |||
56 | Terminal type? [vt220] |
||
57 | System hostname? (short form, e.g. 'foo') cerbere |
||
58 | Password for root account? (will not echo) |
||
59 | Password for root account? (again) |
||
60 | Start sshd(8) by default? [yes] |
||
61 | Change the default console to com0? [yes] |
||
62 | Available speeds are: 9600 19200 38400 57600 115200. |
||
63 | Which speed should com0 use? (or 'done') [115200] |
||
64 | Setup a user? (enter a lower-case loginname, or 'no') [no] |
||
65 | Since no user was setup, root logins via sshd(8) might be useful. |
||
66 | WARNING: root is targeted by password guessing attacks, pubkeys are safer. |
||
67 | Allow root ssh login? (yes, no, prohibit-password) [no] yes |
||
68 | |||
69 | Available disks are: sd0 sd1. |
||
70 | Which disk is the root disk? ('?' for details) [sd0] |
||
71 | No valid MBR or GPT. |
||
72 | Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] |
||
73 | ~~~ |
||
74 | |||
75 | 80% / |
||
76 | 10% swap |
||
77 | 10% /var/log |
||
78 | |||
79 | ### Configuration |
||
80 | |||
81 | |||
82 | #### /etc/sysctl.conf |
||
83 | |||
84 | ~~~ |
||
85 | net.inet.ip.forwarding=1 |
||
86 | net.inet.gre.allow=1 |
||
87 | |||
88 | ~~~ |
||
89 | |||
90 | #### /root/.profile |
||
91 | |||
92 | ~~~ |
||
93 | export PS1="\H|\t|:\w\\$" |
||
94 | |||
95 | umask 022 |
||
96 | |||
97 | #export LS_OPTIONS='--color=auto' |
||
98 | alias ls='/usr/local/bin/colorls -G' |
||
99 | alias ll='ls -l' |
||
100 | alias l='ls -lA' |
||
101 | alias d="du --max-depth=1 -h" |
||
102 | #alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp' |
||
103 | |||
104 | # Some more alias to avoid making mistakes: |
||
105 | alias rm='rm -i' |
||
106 | alias cp='cp -i' |
||
107 | alias mv='mv -i' |
||
108 | alias df='df -h' |
||
109 | alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 ' |
||
110 | echo |
||
111 | echo "________________________________________________________________________" |
||
112 | echo |
||
113 | who |
||
114 | echo "________________________________________________________________________" |
||
115 | echo |
||
116 | last -n 20 |
||
117 | echo "________________________________________________________________________" |
||
118 | echo |
||
119 | uptime |
||
120 | echo "________________________________________________________________________" |
||
121 | ~~~ |
||
122 | |||
123 | #### /home/sacha/.profile |
||
124 | |||
125 | ~~~ |
||
126 | # $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $ |
||
127 | # |
||
128 | # sh/ksh initialization |
||
129 | |||
130 | PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games |
||
131 | export PATH HOME TERM |
||
132 | |||
133 | export PS1="\H|\t|:\w\\$" |
||
134 | |||
135 | alias ls='colorls -G' |
||
136 | alias ll='ls -l' |
||
137 | alias l='ls -lA' |
||
138 | alias d="du --max-depth=1 -h" |
||
139 | |||
140 | # Some more alias to avoid making mistakes: |
||
141 | alias rm='rm -i' |
||
142 | alias cp='cp -i' |
||
143 | alias mv='mv -i' |
||
144 | alias df='df -h' |
||
145 | |||
146 | echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" |
||
147 | echo |
||
148 | echo -n " " && uname -a |
||
149 | echo |
||
150 | echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" |
||
151 | echo |
||
152 | w |
||
153 | echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _" |
||
154 | echo && echo |
||
155 | |||
156 | |||
157 | ~~~ |
||
158 | |||
159 | #### /etc/ssh/sshd_config |
||
160 | |||
161 | ~~~ |
||
162 | Port 55555 |
||
163 | PasswordAuthentication no |
||
164 | ChallengeResponseAuthentication no |
||
165 | ~~~ |
||
166 | |||
167 | + Ajouter le réseau local sur em2 sour la forme 10.10.département/24 |
||
168 | |||
169 | #### /etc/dhcpd.conf |
||
170 | |||
171 | En fonction du réseau local, exemple: |
||
172 | |||
173 | ~~~ |
||
174 | subnet 10.10.79.0 netmask 255.255.255.0 { |
||
175 | range 10.10.79.100 10.10.79.199; |
||
176 | default-lease-time 600; |
||
177 | max-lease-time 7200; |
||
178 | option subnet-mask 255.255.255.0; |
||
179 | option broadcast-address 10.10.79.255; |
||
180 | option routers 10.10.79.254; |
||
181 | option domain-name-servers 10.10.79.254, 185.233.100.100; |
||
182 | option domain-name "niort.rosedor.fr"; |
||
183 | } |
||
184 | ~~~ |
||
185 | |||
186 | ~~~ |
||
187 | echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local |
||
188 | ~~~ |
||
189 | |||
190 | |||
191 | #### /etc/resolv.conf |
||
192 | |||
193 | ~~~ |
||
194 | search brest.openlux.fr |
||
195 | nameserver 10.10.79.254 |
||
196 | lookup file bind |
||
197 | ~~~ |
||
198 | |||
199 | |||
200 | #### /etc/ntpd.conf |
||
201 | |||
202 | ~~~ |
||
203 | # $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $ |
||
204 | # |
||
205 | # See ntpd.conf(5) and /etc/examples/ntpd.conf |
||
206 | |||
207 | #listen on 172.16.1.254 |
||
208 | servers fr.pool.ntp.org |
||
209 | |||
210 | ~~~ |
||
211 | |||
212 | 5 | sacha | #### Some music with the buzzer |
213 | 1 | sacha | |
214 | * Exemples: |
||
215 | |||
216 | ~~~ |
||
217 | echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker |
||
218 | echo -e "<cd<a#~<a#>f" > /dev/speaker |
||
219 | echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A" > /dev/speaker |
||
220 | echo -e "ec" > /dev/speaker |
||
221 | echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker |
||
222 | echo -e "<cd<a#~<a#>f" > /dev/speaker |
||
223 | echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker |
||
224 | echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker |
||
225 | echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker |
||
226 | echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker |
||
227 | echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker |
||
228 | |||
229 | Beatles |
||
230 | "T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E" |
||
231 | |||
232 | sw |
||
233 | "t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2 a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16 g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2" |
||
234 | |||
235 | Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.. |
||
236 | Close Encounters: <cd<a#~<a#>f |
||
237 | Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf. |
||
238 | Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8 |
||
239 | standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d# |
||
240 | a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2 |
||
241 | opening bars of Bach's Toccata and Fugue in D Minor": msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4 |
||
242 | opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2 |
||
243 | |||
244 | |||
245 | ~~~ |
||
246 | |||
247 | 5 | sacha | My musics: |
248 | 1 | sacha | ~~~ |
249 | echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local |
||
250 | echo '"O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local |
||
251 | ~~~ |
||
252 | |||
253 | #### Unbound |
||
254 | |||
255 | 5 | sacha | Duno why the config file is in var ? Creating a symling to found it |
256 | |||
257 | 1 | sacha | ~~~ |
258 | ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf |
||
259 | ~~~ |
||
260 | |||
261 | ~~~ |
||
262 | # $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $ |
||
263 | |||
264 | server: |
||
265 | interface: 127.0.0.1 |
||
266 | interface: 172.16.1.254 |
||
267 | #interface: 127.0.0.1@5353 # listen on alternative port |
||
268 | # interface: ::1 |
||
269 | do-ip6: no |
||
270 | |||
271 | # override the default "any" address to send queries; if multiple |
||
272 | # addresses are available, they are used randomly to counter spoofing |
||
273 | #outgoing-interface: 192.0.2.1 |
||
274 | #outgoing-interface: 2001:db8::53 |
||
275 | |||
276 | access-control: 0.0.0.0/0 refuse |
||
277 | access-control: 127.0.0.0/8 allow |
||
278 | access-control: 172.16.1.254/16 allow |
||
279 | access-control: ::0/0 refuse |
||
280 | access-control: ::1 allow |
||
281 | |||
282 | hide-identity: yes |
||
283 | hide-version: yes |
||
284 | |||
285 | # Uncomment to enable DNSSEC validation. |
||
286 | # |
||
287 | #auto-trust-anchor-file: "/var/unbound/db/root.key" |
||
288 | #val-log-level: 2 |
||
289 | |||
290 | # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains |
||
291 | # https://tools.ietf.org/html/rfc8198 |
||
292 | # |
||
293 | #aggressive-nsec: yes |
||
294 | |||
295 | # Serve zones authoritatively from Unbound to resolver clients. |
||
296 | # Not for external service. |
||
297 | # |
||
298 | #local-zone: "local." static |
||
299 | #local-data: "mycomputer.local. IN A 192.0.2.51" |
||
300 | #local-zone: "2.0.192.in-addr.arpa." static |
||
301 | #local-data-ptr: "192.0.2.51 mycomputer.local" |
||
302 | |||
303 | # UDP EDNS reassembly buffer advertised to peers. Default 4096. |
||
304 | # May need lowering on broken networks with fragmentation/MTU issues, |
||
305 | # particularly if validating DNSSEC. |
||
306 | # |
||
307 | #edns-buffer-size: 1480 |
||
308 | |||
309 | # Use TCP for "forward-zone" requests. Useful if you are making |
||
310 | # DNS requests over an SSH port forwarding. |
||
311 | # |
||
312 | #tcp-upstream: yes |
||
313 | |||
314 | remote-control: |
||
315 | control-enable: yes |
||
316 | control-interface: /var/run/unbound.sock |
||
317 | |||
318 | # Use an upstream forwarder (recursive resolver) for some or all zones. |
||
319 | # |
||
320 | #forward-zone: |
||
321 | # name: "." # use for ALL queries |
||
322 | # forward-addr: 192.0.2.53 # example address only |
||
323 | # forward-first: yes # try direct if forwarder fails |
||
324 | ~~~ |
||
325 | |||
326 | ~~~ |
||
327 | rcctl enable unbound |
||
328 | rcctl start unbound |
||
329 | ~~~ |
||
330 | |||
331 | #### Install Prometheus node exporter |
||
332 | |||
333 | ~~~ |
||
334 | pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash |
||
335 | ln -s /usr/local/bin/python3 /usr/local/bin/python |
||
336 | cd /home/sacha |
||
337 | go get github.com/prometheus/node_exporter |
||
338 | cd /home/sacha/go/src/github.com/prometheus/node_exporter |
||
339 | gmake |
||
340 | mv node_exporter /usr/local/bin/ |
||
341 | ~~~ |
||
342 | |||
343 | ##### script de démarage: /etc/rc.d/node_exporter |
||
344 | |||
345 | ~~~ |
||
346 | vim /etc/login.conf |
||
347 | (...) |
||
348 | node_exporter:\ |
||
349 | :tc=daemon: |
||
350 | ~~~ |
||
351 | |||
352 | ~~~ |
||
353 | cap_mkdb /etc/login.conf |
||
354 | groupadd -g 2222 _node_exporter |
||
355 | useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter |
||
356 | ~~~ |
||
357 | |||
358 | * /etc/rc.d/node_exporter |
||
359 | |||
360 | ~~~ |
||
361 | #!/bin/sh |
||
362 | # |
||
363 | |||
364 | daemon="/usr/local/bin/node_exporter" |
||
365 | node_exporter_textfile_dir="/var/node_exporter" |
||
366 | daemon_flags="--collector.textfile.directory==${node_exporter_textfile_dir}" |
||
367 | daemon_user="_node_exporter" |
||
368 | daemon_group="_node_exporter" |
||
369 | |||
370 | . /etc/rc.d/rc.subr |
||
371 | |||
372 | pexp="${daemon}.*" |
||
373 | rc_bg=YES |
||
374 | rc_reload=NO |
||
375 | |||
376 | rc_pre() { |
||
377 | if ! id ${daemon_user}; then |
||
378 | groupadd _node_exporter |
||
379 | useradd -g _node_exporter -c "Prometheus Node Exporter agent"\ |
||
380 | -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter |
||
381 | fi |
||
382 | if [ ! -d ${node_exporter_textfile_dir} ]; then |
||
383 | install \ |
||
384 | -d \ |
||
385 | -o ${daemon_user} \ |
||
386 | -g ${daemon_group} \ |
||
387 | -m 1755 \ |
||
388 | ${node_exporter_textfile_dir} |
||
389 | fi |
||
390 | } |
||
391 | |||
392 | rc_start() { |
||
393 | ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1" |
||
394 | } |
||
395 | |||
396 | rc_cmd $1 |
||
397 | ~~~ |
||
398 | |||
399 | |||
400 | ~~~ |
||
401 | chmod 0755 /etc/rc.d/node_exporter |
||
402 | chown root:wheel /etc/rc.d/node_exporter |
||
403 | |||
404 | rcctl enable node_exporter |
||
405 | rcctl start node_exporter |
||
406 | ~~~ |
||
407 | |||
408 | --- |
||
409 | |||
410 | ## Firewall |
||
411 | |||
412 | |||
413 | ~~~ |
||
414 | touch /etc/BLACKLIST |
||
415 | vi /etc/WHITELIST |
||
416 | ~~~ |
||
417 | |||
418 | |||
419 | ### Standard: 1 ADSL |
||
420 | |||
421 | ~~~ |
||
422 | ####################################################### |
||
423 | 2 | sacha | # Firewall PF - OpenBSD - # |
424 | 1 | sacha | # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- # |
425 | # V1.0 - 20190612 # |
||
426 | ####################################################### |
||
427 | |||
428 | |||
429 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
430 | # MACROS # |
||
431 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
432 | |||
433 | #-----------------------------------------# |
||
434 | # Interfaces # |
||
435 | #-----------------------------------------# |
||
436 | #=====----> ADSL |
||
437 | 2 | sacha | ADSL = "pppoe0" |
438 | 1 | sacha | |
439 | 2 | sacha | |
440 | 1 | sacha | #=====----> LAN |
441 | LAN = "em2" |
||
442 | LAN_VoIP = "em3" |
||
443 | |||
444 | #-----------------------------------------# |
||
445 | # Hosts # |
||
446 | #-----------------------------------------# |
||
447 | |||
448 | |||
449 | #-----------------------------------------# |
||
450 | # W H I T E L I S T # |
||
451 | #-----------------------------------------# |
||
452 | table <WHITELIST> persist file "/etc/WHITELIST" |
||
453 | |||
454 | #-----------------------------------------# |
||
455 | # B L A C K L I S T # |
||
456 | #-----------------------------------------# |
||
457 | table <BLACKLIST> counters persist file "/etc/BLACKLIST" |
||
458 | |||
459 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
460 | # OPTIONS # |
||
461 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
462 | 2 | sacha | set loginterface $ADSL |
463 | 1 | sacha | |
464 | #set optimization aggressive |
||
465 | set block-policy drop |
||
466 | |||
467 | set skip on lo0 |
||
468 | |||
469 | |||
470 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
471 | # LOG # |
||
472 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
473 | match log all |
||
474 | |||
475 | |||
476 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
477 | # NORMALISATION # |
||
478 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
479 | |||
480 | # Nettoyer les paquets entrant |
||
481 | match in scrub (reassemble tcp random-id) |
||
482 | |||
483 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
484 | # NAT # |
||
485 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
486 | 2 | sacha | match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL) |
487 | 1 | sacha | |
488 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
489 | # FILTRAGE # |
||
490 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
491 | block log all |
||
492 | |||
493 | #-----------------------------------------# |
||
494 | # Anti-Flood # |
||
495 | #-----------------------------------------# |
||
496 | #NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)" |
||
497 | NOFLOOD ="keep state (source-track rule, max-src-states 100)" |
||
498 | |||
499 | block in log quick on $ADSL from no-route to any |
||
500 | block out log quick on $ADSL from no-route to any |
||
501 | block in log quick on $ADSL from any to 255.255.255.255 |
||
502 | |||
503 | #-----------------------------------------# |
||
504 | # Blacklists # |
||
505 | #-----------------------------------------# |
||
506 | block in quick from <BLACKLIST> |
||
507 | |||
508 | block in log quick on $ADSL inet proto icmp from any to any icmp-type redir |
||
509 | block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir |
||
510 | |||
511 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
512 | # Anti-spoof # |
||
513 | #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# |
||
514 | antispoof log quick for $ADSL label "antispoof" |
||
515 | |||
516 | #---------------------------------------# |
||
517 | # ICMP # |
||
518 | #---------------------------------------# |
||
519 | pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach } |
||
520 | |||
521 | #---------------------------------------# |
||
522 | # Trace Route # |
||
523 | #---------------------------------------# |
||
524 | pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state |
||
525 | |||
526 | #---------------------------------------# |
||
527 | # WHITELIST # |
||
528 | #---------------------------------------# |
||
529 | pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555 |
||
530 | |||
531 | #---------------------------------------# |
||
532 | # LAN # |
||
533 | #---------------------------------------# |
||
534 | |||
535 | #=====----> Firewall to Lan |
||
536 | pass out on $LAN inet to $LAN:network |
||
537 | |||
538 | |||
539 | #=====----> ssh LAN |
||
540 | pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555 |
||
541 | #pass in quick proto tcp from any to port 55555 |
||
542 | |||
543 | #=====----> dns |
||
544 | pass in quick on $LAN proto udp from $LAN:network to $LAN port 53 |
||
545 | |||
546 | #=====----> dhcp |
||
547 | pass in quick on $LAN inet from $LAN:network to 255.255.255.255 |
||
548 | |||
549 | #=====----> Permit Lan to output |
||
550 | pass in on $LAN inet from $LAN:network to any |
||
551 | |||
552 | pass out on $LAN inet from $LAN:network to any |
||
553 | |||
554 | |||
555 | #---------------------------------------# |
||
556 | # ACCEPT OUTGOING # |
||
557 | #---------------------------------------# |
||
558 | pass out on $ADSL |
||
559 | ~~~ |
||
560 | 5 | sacha | |
561 | |||
562 | ## Power button |
||
563 | |||
564 | https://www.conrad.ch/de/p/sci-r13-81a-05bk-drucktaster-125-v-ac-0-5-a-1-x-aus-ein-tastend-1-st-701074.html |
||
565 | https://www.conrad.ch/de/p/konfektionierte-litze-polzahl-gesamt-2-rastermass-2-54-mm-741213-1-st-741213.html |