doc release 0.5.3

author: Silvino <silvino@bk.ru> 2019-06-16 05:04:09 +0100
committer: Silvino <silvino@bk.ru> 2019-06-16 05:04:44 +0100
commit: 296be79a3b724db67a37244a67cfb3e4ef6b652f (patch)
tree: 6136b7fbe2082b018a6a06f897b7012177cce630 /core/conf
parent: fdc231661647d4ca15ddf312e85b210eabd23e50 (diff)
parent: 951a8a84411da6b71cee11d8c9feb993b984acf5 (diff)
download: doc-296be79a3b724db67a37244a67cfb3e4ef6b652f.tar.gz
16 files changed, 714 insertions, 644 deletions
diff --git a/core/conf/default/grub b/core/conf/default/grub
new file mode 100644
index 0000000..e1a4636
--- /dev/null
+++ b/core/conf/default/grub
@@ -0,0 +1,4 @@
+GRUB_DISABLE_LINUX_UUID=false
+GRUB_ENABLE_LINUX_LABEL=false
+GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-15f15024-e994-43e3-9de4-694ba94aaf7f rd.lvm.lv=vg_system/lv_root apparmor=1 security=apparmor"
+GRUB_ENABLE_CRYPTODISK=y
diff --git a/core/conf/distcc.conf b/core/conf/distcc.conf
new file mode 100644
index 0000000..723338b
--- /dev/null
+++ b/core/conf/distcc.conf
@@ -0,0 +1,3 @@
+DISTCC_ALLOW="10.0.0.0/8"
+DISTCC_USER="pkgmk"
+DISTCC_LOG_LEVEL="info"
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index fa987a5..cd93687 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-
-echo "setting bridge ${BR_IF} network..."
-echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "setting bridge network..."
+source ipt-conf.sh
+source ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
@@ -9,174 +11,126 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-####### NAT Prerouting Chain  ######
+######## NAT Prerouting Chain  ######
 #$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
-#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
-####### Forward Chain  ######
-$IPT -A FORWARD -j blocker
-$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-# Allow access from bridge to gateway wifi interface
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-
-# allow output from BR_NET to external
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
-
-# allow input from public bridged interface facing Internet 
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
-
-######## Forward TAP2 ssh, http and https  ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+######## Forward Chain  ######
+#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 #
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+## Allow all for BR_NET
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 
+## DHCP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp
 
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+## Allow access from bridge to gateway wifi interface
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
 
+##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
 
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#
-# Tap1
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
-#
-#
-## Tap3
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
-#
-#
-# Tap1, Tap2 and Tap3 can access external https
-
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-
+## allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
 
-#
-#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
-#
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+##Less noise
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
 
-#
-####### Input Chain ######
+######## Input Chain ######
 $IPT -A INPUT -j blocker
-#Less noise
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp
+##Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j ACCEPT
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
-  
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
 
-$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
 
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
-# hyperbola servers
-$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT
+## PXE server
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### Output Chain ######
-$IPT -A OUTPUT -j blocker
+######## Output Chain ######
 
-#Less noise
+##Less noise
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
-$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out
+$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp
+#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
 
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
 
-# Hyperbola servers
-$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4  -j srv_http_out
+## PXE Server
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### PostRouting Chain ######
-#Less noise
-#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+######## PostRouting Chain ######
+##Less noise
+##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
 
-$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+## log everything else and drop
+ipt_log
 
-#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+iptables-save > bridge.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 52669dc..c3dac16 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-TYPE=bridge
-#TYPE=server
+
+IPT="/usr/sbin/iptables"
 
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
@@ -19,4 +19,5 @@ PUB_IF="enp8s0"
 
 # private interface for virtual/internal
 WIFI_IF="wlp7s0"
-WIFI_NET="192.168.1.0/24"
+#WIFI_NET="192.168.1.0/24"
+WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 6ea613a..12c3834 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-IPT="/usr/sbin/iptables"
-
 ipt_clear () {
     echo "clear all iptables tables"
 
diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh
new file mode 100644
index 0000000..3ef1254
--- /dev/null
+++ b/core/conf/iptables/ipt-open.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+echo "setting client network..."
+source ipt-conf.sh
+source ipt-firewall.sh
+ipt_clear
+ipt_tables
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_http_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_git_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -j srv_icmp
+$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in
+$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in
+
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out
+$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > open.v4
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 225fd31..370db60 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,10 +1,14 @@
-echo "setting server network..."
+echo "setting server iptables ..."
+source ipt-conf.sh
+source ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+#$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+#$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
@@ -35,3 +39,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
 
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > server.v4
diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/open.v4
new file mode 100644
index 0000000..30e476d
--- /dev/null
+++ b/core/conf/iptables/open.v4
@@ -0,0 +1,210 @@
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -i wlp9s0 -j cli_dns_in
+-A INPUT -i wlp9s0 -j cli_http_in
+-A INPUT -i wlp9s0 -j cli_https_in
+-A INPUT -i wlp9s0 -j cli_git_in
+-A INPUT -i wlp9s0 -j cli_ssh_in
+-A INPUT -i wlp9s0 -j srv_icmp
+-A INPUT -i wlp9s0 -j cli_pops_in
+-A INPUT -i wlp9s0 -j cli_smtps_in
+-A INPUT -i wlp9s0 -j cli_irc_in
+-A INPUT -i wlp9s0 -j cli_ftp_in
+-A INPUT -i wlp9s0 -j cli_gpg_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -o wlp9s0 -j cli_dns_out
+-A OUTPUT -o wlp9s0 -j cli_https_out
+-A OUTPUT -o wlp9s0 -j cli_ssh_out
+-A OUTPUT -o wlp9s0 -j cli_git_out
+-A OUTPUT -o wlp9s0 -j cli_git_out
+-A OUTPUT -o wlp9s0 -j srv_icmp
+-A OUTPUT -o wlp9s0 -j cli_pops_out
+-A OUTPUT -o wlp9s0 -j cli_smtps_out
+-A OUTPUT -o wlp9s0 -j cli_irc_out
+-A OUTPUT -o wlp9s0 -j cli_ftp_out
+-A OUTPUT -o wlp9s0 -j cli_gpg_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Sat Jun  8 23:05:15 2019
diff --git a/core/conf/iptables/server.v4 b/core/conf/iptables/server.v4
new file mode 100644
index 0000000..ed202ee
--- /dev/null
+++ b/core/conf/iptables/server.v4
@@ -0,0 +1,204 @@
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
+# Generated by iptables-save v1.8.2 on Sat Jun  8 19:50:25 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i enp8s0 -j cli_dns_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_https_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_git_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_https_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j cli_https_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in
+-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_git_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o enp8s0 -j cli_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_https_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_git_out
+-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j cli_https_out
+-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j srv_https_out
+-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out
+-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_git_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Sat Jun  8 19:50:25 2019
diff --git a/core/conf/pkg-get.conf b/core/conf/pkg-get.conf
new file mode 100644
index 0000000..4825657
--- /dev/null
+++ b/core/conf/pkg-get.conf
@@ -0,0 +1,15 @@
+##
+# /etc/pkg-get.conf
+# pkg-get configuration file
+
+# package repositories (remote)
+# The first two are remote repoistories, the last is a local one
+pkgdir          /usr/ports/server|https://hive.gnu.systems/mirror-3.4/packages
+#pkgdir          /usr/packages/java|http://www.foobar.com/java
+#pkgdir          /usr/packages/games
+
+# runscripts: if "yes" pre-post install scripts are
+# automatically executed. Handle with care.
+runscripts     yes
+
+preferhigher yes      # (yes|no)
diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 4085a38..4d689ec 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,10 +2,32 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
 
-export CFLAGS="-O2 -g -march=x86-64 -pipe"
+export CFLAGS="-O2 -march=x86-64"
 export CXXFLAGS="${CFLAGS}"
 
-# export MAKEFLAGS="-j2"
+## ccache settings
+#export PATH="/usr/lib/ccache/:$PATH"
+#export CCACHE_DIR="/usr/ports/ccache"
+#export CCACHE_PREFIX="distcc"
+#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
+#
+## compile using ccache and distcc
+#export DISTCC_HOSTS="localhost/4 xborg/4"
+#
+### compile using distcc without ccache
+##export PATH="/usr/lib/distcc/:$PATH"
+##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp"
+##export PUMP_BUILD=yes
+#
+## distcc settings
+#export JOBS=$(/usr/bin/distcc -j 2> /dev/null)
+#export DISTCC_DIR="/usr/ports/distcc"
+#export MAKEFLAGS="-j ${JOBS}"
+#export SCONSFLAGS="$MAKEFLAGS"
+
+# local compile only
+export JOBS=$(nproc)
+export MAKEFLAGS="-j $JOBS"
 
 case ${PKGMK_ARCH} in
 	"64"|"")
@@ -22,7 +44,7 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-#PKGMK_SOURCE_MIRRORS=(http://machine.example.org/ports/distfiles/)
+PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror-3.4/distfiles/)
 # PKGMK_SOURCE_DIR="$PWD"
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
 # PKGMK_PACKAGE_DIR="$PWD"
@@ -37,5 +59,6 @@ PKGMK_WORK_DIR="/usr/ports/work/$name"
 # PKGMK_WGET_OPTS=""
 # PKGMK_CURL_OPTS=""
 # PKGMK_COMPRESSION_MODE="gz"
+# PKGMK_UP_TO_DATE=yes
 
 # End of file
diff --git a/core/conf/ports/kde5.git b/core/conf/ports/kde5.git
new file mode 100644
index 0000000..37b5764
--- /dev/null
+++ b/core/conf/ports/kde5.git
@@ -0,0 +1,7 @@
+# Collection core
+#
+NAME=kde5
+URL=git://hive.gnu.systems/kde5.git
+BRANCH=stable-3.4
+destination=/usr/ports/kde5
+PORTS_DIR="/usr/ports"
diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
index 1f7a39e..8e88333 100644
--- a/core/conf/prt-get.conf
+++ b/core/conf/prt-get.conf
@@ -5,19 +5,16 @@
 # note: the order matters: the package found first is used
 prtdir /usr/ports/core
 prtdir /usr/ports/opt
-prtdir /usr/ports/contrib
-prtdir /usr/ports/machine-ports
 prtdir /usr/ports/xorg
 
-# 6c37 team provides a collection with freetype-iu, fontconfig-iu
-# and cairo-iu ports.
-
 # the following line enables the multilib compat-32 collection
 #prtdir /usr/ports/compat-32
 
 # the following line enables the user maintained contrib collection
-# prtdir /usr/ports/6c37-dropin
-# prtdir /usr/ports/6c37
+prtdir /usr/ports/contrib
+prtdir /usr/ports/ports
+prtdir /usr/ports/mate
+prtdir /usr/ports/kde5
 
 ### use mypackage form local directory
 # prtdir /home/packages/build:mypackage
@@ -26,7 +23,7 @@ prtdir /usr/ports/xorg
 writelog enabled         # (enabled|disabled)
 logmode  overwrite       # (append|overwrite)
 rmlog_on_success yes     # (no|yes)
-logfile  /usr/ports/pkgbuild/%n-%v-%r.log
+logfile  /usr/ports/pkgbuild/%n.log
                            # path, %p=path to port dir, %n=port name
                            #       %v=version, %r=release
 
@@ -37,7 +34,7 @@ logfile  /usr/ports/pkgbuild/%n-%v-%r.log
 readme verbose           # (verbose|compact|disabled)
 
 ### prefer higher versions in sysup / diff
-preferhigher no     # (yes|no)
+preferhigher yes      # (yes|no)
 
 ### use regexp search
 # useregex no        # (yes|no)
@@ -46,7 +43,6 @@ preferhigher no     # (yes|no)
 ### --install-scripts option
 runscripts yes            # (no|yes)
 
-
 ### EXPERT SECTION ###
 
 ### alternative commands
diff --git a/core/conf/rc.d/distccd b/core/conf/rc.d/distccd
new file mode 100755
index 0000000..65a166d
--- /dev/null
+++ b/core/conf/rc.d/distccd
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# /etc/rc.d/distccd: start/stop distcc daemon
+#
+
+. /etc/distcc.conf
+if [ -z "$DISTCC_ALLOW" ]; then 
+    echo "Please define a range of IPs allowed to connect to this distccd"
+    echo "host in DISTCC_ALLOW in /etc/rc.conf. More detailed information"
+    echo "can be found in the distcc's README package."
+    exit 1
+fi
+
+DISTCC_USER="${DISTCC_USER:=nobody}"
+DISTCC_LOG_LEVEL="${DISTCC_LOG_LEVEL:=notice}"
+
+case $1 in
+start)
+	/usr/sbin/distccd --daemon --user "$DISTCC_USER" --allow "$DISTCC_ALLOW" --log-level "$DISTCC_LOG_LEVEL"
+	;;
+stop)
+	killall -q /usr/sbin/distccd
+	;;
+restart)
+	$0 stop
+	$0 start
+	;;
+*)
+	echo "usage: $0 [start|stop|restart]"
+	;;
+esac
+
+# End of file
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 9471f99..cc7c765 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,39 +1,62 @@
 
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
+IPT="/usr/sbin/iptables"
+TYPE=bridge
+#TYPE=server
+#TYPE=open
+
+echo "clear all iptables tables"
+
+${IPT} -F
+${IPT} -X
+${IPT} -t nat -F
+${IPT} -t nat -X
+${IPT} -t mangle -F
+${IPT} -t mangle -X
+${IPT} -t raw -F
+${IPT} -t raw -X
+${IPT} -t security -F
+${IPT} -t security -X
+
+# Set Default Rules
+${IPT} -P INPUT DROP
+${IPT} -P FORWARD DROP
+${IPT} -P OUTPUT DROP
+
+${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 
 case $1 in
 	start)
-		ipt_clear
-		ipt_tables
-		case $TYPE in
-		    bridge)
-			source /etc/iptables/ipt-bridge.sh
-
-			## log everything else and drop
-			ipt_log
-
-			iptables-save > /etc/iptables/bridge.v4
-			;;
-		    server)
-			source /etc/iptables/iptables-conf.sh
-
-			## log everything else and drop
-			ipt_log
-
-			iptables-save > /etc/iptables/net.v4
-			;;
-		esac
-		;;
-	stop)
+            case $TYPE in
+                bridge)
+
+                    echo "setting bridge network..."
+                    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+                    ## load bridge configuration
+                    iptables-restore /etc/iptables/bridge.v4
+
+   		;;
+		server)
+
+                    echo "setting server network..."
+                    ## load server configuration
+                    iptables-restore /etc/iptables/server.v4
 
-		ipt_clear
 		;;
-	restart)
-		$0 stop
-		$0 start
+		open)
+
+                    echo "setting client network..."
+                    ## load client configuration
+                    iptables-restore /etc/iptables/open.v4
+
 		;;
+	    esac
+	;;
+        stop)
+
+	;;
 	*)
-		echo "Usage: $0 [start|stop|restart]"
-		;;
+	    echo "Usage: $0 [start|stop]"
+	;;
 esac
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index 4606791..771112a 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,51 +3,19 @@
 #
 
 kernel.printk = 7 1 1 4
+
 kernel.randomize_va_space = 2
+
 # Shared Memory
 #kernel.shmmax = 500000000
 # Total allocated file handlers that can be allocated
 # fs.file-nr=
 vm.mmap_min_addr=65536
+
 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
 kernel.pid_max = 65536
 
 #
-# Memory Protections
-#
-
-#  If you say Y here, all ioperm and iopl calls will return an error.
-#  Ioperm and iopl can be used to modify the running kernel.
-#  Unfortunately, some programs need this access to operate properly,
-#  the most notable of which are XFree86 and hwclock.  hwclock can be
-#  remedied by having RTC support in the kernel, so real-time 
-#  clock support is enabled if this option is enabled, to ensure 
-#  that hwclock operates correctly.
-#  
-#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-#  you may not be able to boot into a graphical environment with this
-#  option enabled.  In this case, you should use the RBAC system instead.
-kernel.grsecurity.disable_priv_io = 1
-
-#  If you say Y here, attempts to bruteforce exploits against forking
-#  daemons such as apache or sshd, as well as against suid/sgid binaries
-#  will be deterred.  When a child of a forking daemon is killed by PaX
-#  or crashes due to an illegal instruction or other suspicious signal,
-#  the parent process will be delayed 30 seconds upon every subsequent
-#  fork until the administrator is able to assess the situation and
-#  restart the daemon.
-#  In the suid/sgid case, the attempt is logged, the user has all their
-#  existing instances of the suid/sgid binary terminated and will
-#  be unable to execute any suid/sgid binaries for 15 minutes.
-#  
-#  It is recommended that you also enable signal logging in the auditing
-#  section so that logs are generated when a process triggers a suspicious
-#  signal.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "deter_bruteforce" is created.
-kernel.grsecurity.deter_bruteforce = 1
-
-#
 # Filesystem Protections
 #
 
@@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1
 # Increase system file descriptor limit
 fs.file-max = 65535
 
-#  If you say Y here, /tmp race exploits will be prevented, since users
-#  will no longer be able to follow symlinks owned by other users in
-#  world-writable +t directories (e.g. /tmp), unless the owner of the
-#  symlink is the owner of the directory. users will also not be
-#  able to hardlink to files they do not own.  If the sysctl option is
-#  enabled, a sysctl option with name "linking_restrictions" is created.
-kernel.grsecurity.linking_restrictions = 1
-
-
-#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-#  that prevents it from being used as a security feature.  As Apache
-#  verifies the symlink by performing a stat() against the target of
-#  the symlink before it is followed, an attacker can setup a symlink
-#  to point to a same-owned file, then replace the symlink with one
-#  that targets another user's file just after Apache "validates" the
-#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-#  will be in place for the group you specify. If the sysctl option
-#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-#  created.
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 15
-
-#  if you say Y here, users will not be able to write to FIFOs they don't
-#  own in world-writable +t directories (e.g. /tmp), unless the owner of
-#  the FIFO is the same owner of the directory it's held in.  If the sysctl
-#  option is enabled, a sysctl option with name "fifo_restrictions" is
-#  created.
-kernel.grsecurity.fifo_restrictions = 1
-
-#  If you say Y here, a sysctl option with name "romount_protect" will
-#  be created.  By setting this option to 1 at runtime, filesystems
-#  will be protected in the following ways:
-#  * No new writable mounts will be allowed
-#  * Existing read-only mounts won't be able to be remounted read/write
-#  * Write operations will be denied on all block devices
-#  This option acts independently of grsec_lock: once it is set to 1,
-#  it cannot be turned off.  Therefore, please be mindful of the resulting
-#  behavior if this option is enabled in an init script on a read-only
-#  filesystem.
-#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-#  and GRKERNSEC_IO should be enabled and module loading disabled via
-#  config or at runtime.
-#  This feature is mainly intended for secure embedded systems.
-#kernel.grsecurity.romount_protect = 1
-
-#  if you say Y here, the capabilities on all processes within a
-#  chroot jail will be lowered to stop module insertion, raw i/o,
-#  system and net admin tasks, rebooting the system, modifying immutable
-#  files, modifying IPC owned by another, and changing the system time.
-#  This is left an option because it can break some apps.  Disable this
-#  if your chrooted apps are having problems performing those kinds of
-#  tasks.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_caps" is created.
-kernel.grsecurity.chroot_caps = 1
-
-#kernel.grsecurity.chroot_deny_bad_rename = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chmod
-#  or fchmod files to make them have suid or sgid bits.  This protects
-#  against another published method of breaking a chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-#  created.
-kernel.grsecurity.chroot_deny_chmod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chroot
-#  again outside the chroot.  This is a widely used method of breaking
-#  out of a chroot jail and should not be allowed.  If the sysctl 
-#  option is enabled, a sysctl option with name 
-#  "chroot_deny_chroot" is created.
-kernel.grsecurity.chroot_deny_chroot = 1
-
-#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-#  to a file descriptor of the chrooting process that points to a directory
-#  outside the filesystem will be stopped.  If the sysctl option
-#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-kernel.grsecurity.chroot_deny_fchdir = 1
-
-#  If you say Y here, processes inside a chroot will not be allowed to
-#  mknod.  The problem with using mknod inside a chroot is that it
-#  would allow an attacker to create a device entry that is the same
-#  as one on the physical root of your system, which could range from
-#  anything from the console device to a device for your harddrive (which
-#  they could then use to wipe the drive or steal data).  It is recommended
-#  that you say Y here, unless you run into software incompatibilities.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_mknod" is created.
-kernel.grsecurity.chroot_deny_mknod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  mount or remount filesystems.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_deny_mount" is created.
-kernel.grsecurity.chroot_deny_mount = 1
-
-#  If you say Y here, processes inside a chroot will not be able to use
-#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-#  works similar to chroot in that it changes the root filesystem.  This
-#  function could be misused in a chrooted process to attempt to break out
-#  of the chroot, and therefore should not be allowed.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-#  created.
-kernel.grsecurity.chroot_deny_pivot     = 1
-
-#  If you say Y here, processes inside a chroot will not be able to attach
-#  to shared memory segments that were created outside of the chroot jail.
-#  It is recommended that you say Y here.  If the sysctl option is enabled,
-#  a sysctl option with name "chroot_deny_shmat" is created.
-kernel.grsecurity.chroot_deny_shmat = 1
-
-#  If you say Y here, an attacker in a chroot will not be able to
-#  write to sysctl entries, either by sysctl(2) or through a /proc
-#  interface.  It is strongly recommended that you say Y here. If the
-#  sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_sysctl" is created.
-kernel.grsecurity.chroot_deny_sysctl = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  connect to abstract (meaning not belonging to a filesystem) Unix
-#  domain sockets that were bound outside of a chroot.  It is recommended
-#  that you say Y here.  If the sysctl option is enabled, a sysctl option
-#  with name "chroot_deny_unix" is created.
-kernel.grsecurity.chroot_deny_unix = 1
-
-#  If you say Y here, the current working directory of all newly-chrooted
-#  applications will be set to the the root directory of the chroot.
-#  The man page on chroot(2) states:
-#  Note that usually chhroot does not change  the  current  working
-#  directory,  so  that `.' can be outside the tree rooted at
-#  `/'.  In particular, the  super-user  can  escape  from  a
-#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#  
-#  It is recommended that you say Y here, since it's not known to break
-#  any software.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_enforce_chdir" is created.
-kernel.grsecurity.chroot_enforce_chdir  = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
-#  getsid, or view any process outside of the chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_findtask" is
-#  created.
-kernel.grsecurity.chroot_findtask = 1
-
-#  If you say Y here, processes inside a chroot will not be able to raise
-#  the priority of processes in the chroot, or alter the priority of
-#  processes outside the chroot.  This provides more security than simply
-#  removing CAP_SYS_NICE from the process' capability set.  If the
-#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-#  is created.
-kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel Auditing
-#
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_group = 1
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_gid = 99
-
-#  If you say Y here, all execve() calls will be logged (since the
-#  other exec*() calls are frontends to execve(), all execution
-#  will be logged).  Useful for shell-servers that like to keep track
-#  of their users.  If the sysctl option is enabled, a sysctl option with
-#  name "exec_logging" is created.
-#  WARNING: This option when enabled will produce a LOT of logs, especially
-#  on an active system.
-kernel.grsecurity.exec_logging = 0				
-
-#  If you say Y here, all attempts to overstep resource limits will
-#  be logged with the resource name, the requested size, and the current
-#  limit.  It is highly recommended that you say Y here.  If the sysctl
-#  option is enabled, a sysctl option with name "resource_logging" is
-#  created.  If the RBAC system is enabled, the sysctl value is ignored.
-kernel.grsecurity.resource_logging = 1
-
-#  If you say Y here, all executions inside a chroot jail will be logged
-#  to syslog.  This can cause a large amount of logs if certain
-#  applications (eg. djb's daemontools) are installed on the system, and
-#  is therefore left as an option.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0	
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-#kernel.grsecurity.audit_ptrace = 1
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-kernel.grsecurity.audit_chdir = 0
-
-#  If you say Y here, all mounts and unmounts will be logged.  If the
-#  sysctl option is enabled, a sysctl option with name "audit_mount" is
-#  created.
-kernel.grsecurity.audit_mount = 1
-
-#  If you say Y here, certain important signals will be logged, such as
-#  SIGSEGV, which will as a result inform you of when a error in a program
-#  occurred, which in some cases could mean a possible exploit attempt.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "signal_logging" is created.
-kernel.grsecurity.signal_logging = 1
-
-#  If you say Y here, all failed fork() attempts will be logged.
-#  This could suggest a fork bomb, or someone attempting to overstep
-#  their process limit.  If the sysctl option is enabled, a sysctl option
-#  with name "forkfail_logging" is created.
-kernel.grsecurity.forkfail_logging = 1
-
-#  If you say Y here, any changes of the system clock will be logged.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "timechange_logging" is created.
-kernel.grsecurity.timechange_logging = 1
-
-#  if you say Y here, calls to mmap() and mprotect() with explicit
-#  usage of PROT_WRITE and PROT_EXEC together will be logged when
-#  denied by the PAX_MPROTECT feature.  This feature will also
-#  log other problematic scenarios that can occur when PAX_MPROTECT
-#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
-#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-#  is created.
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable Protections
-#
-
-
-#  if you say Y here, non-root users will not be able to use dmesg(8)
-#  to view the contents of the kernel's circular log buffer.
-#  The kernel's log buffer often contains kernel addresses and other
-#  identifying information useful to an attacker in fingerprinting a
-#  system for a targeted exploit.
-#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-#  created.
-kernel.grsecurity.dmesg = 1
-
 # Hide symbol addresses in /proc/kallsyms
 kernel.kptr_restrict = 2
 
-#  If you say Y here, TTY sniffers and other malicious monitoring
-#  programs implemented through ptrace will be defeated.  If you
-#  have been using the RBAC system, this option has already been
-#  enabled for several years for all users, with the ability to make
-#  fine-grained exceptions.
-#  
-#  This option only affects the ability of non-root users to ptrace
-#  processes that are not a descendent of the ptracing process.
-#  This means that strace ./binary and gdb ./binary will still work,
-#  but attaching to arbitrary processes will not.  If the sysctl
-#  option is enabled, a sysctl option with name "harden_ptrace" is
-#  created.
-kernel.grsecurity.harden_ptrace = 1
-
-#  If you say Y here, unprivileged users will not be able to ptrace unreadable
-#  binaries.  This option is useful in environments that
-#  remove the read bits (e.g. file mode 4711) from suid binaries to
-#  prevent infoleaking of their contents.  This option adds
-#  consistency to the use of that file mode, as the binary could normally
-#  be read out when run without privileges while ptracing.
-#  
-#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-#  is created.
-kernel.grsecurity.ptrace_readexec = 1
-
-#  If you say Y here, a change from a root uid to a non-root uid
-#  in a multithreaded application will cause the resulting uids,
-#  gids, supplementary groups, and capabilities in that thread
-#  to be propagated to the other threads of the process.  In most
-#  cases this is unnecessary, as glibc will emulate this behavior
-#  on behalf of the application.  Other libcs do not act in the
-#  same way, allowing the other threads of the process to continue
-#  running with root privileges.  If the sysctl option is enabled,
-#  a sysctl option with name "consistent_setxid" is created.
-kernel.grsecurity.consistent_setxid = 1
-
-#  If you say Y here, access to overly-permissive IPC objects (shared
-#  memory, message queues, and semaphores) will be denied for processes
-#  given the following criteria beyond normal permission checks:
-#  1) If the IPC object is world-accessible and the euid doesn't match
-#     that of the creator or current uid for the IPC object
-#  2) If the IPC object is group-accessible and the egid doesn't
-#     match that of the creator or current gid for the IPC object
-#  It's a common error to grant too much permission to these objects,
-#  with impact ranging from denial of service and information leaking to
-#  privilege escalation.  This feature was developed in response to
-#  research by Tim Brown:
-#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-#  who found hundreds of such insecure usages.  Processes with
-#  CAP_IPC_OWNER are still permitted to access these IPC objects.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 1
-
-#  If you say Y here, you will be able to choose a gid to add to the
-#  supplementary groups of users you want to mark as "untrusted."
-#  These users will not be able to execute any files that are not in
-#  root-owned directories writable only by root.  If the sysctl option
-#  is enabled, a sysctl option with name "tpe" is created.
-kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 100
-
-#  If you say Y here, the group you specify in the TPE configuration will
-#  decide what group TPE restrictions will be *disabled* for.  This
-#  option is useful if you want TPE restrictions to be applied to most
-#  users on the system.  If the sysctl option is enabled, a sysctl option
-#  with name "tpe_invert" is created.  Unlike other sysctl options, this
-#  entry will default to on for backward-compatibility.
-kernel.grsecurity.tpe_invert = 0
-
-#  If you say Y here, all non-root users will be covered under
-#  a weaker TPE restriction.  This is separate from, and in addition to,
-#  the main TPE options that you have selected elsewhere.  Thus, if a
-#  "trusted" GID is chosen, this restriction applies to even that GID.
-#  Under this restriction, all non-root users will only be allowed to
-#  execute files in directories they own that are not group or
-#  world-writable, or in directories owned by root and writable only by
-#  root.  If the sysctl option is enabled, a sysctl option with name
-#  "tpe_restrict_all" is created.
-kernel.grsecurity.tpe_restrict_all = 1
-
-
-kernel.grsecurity.harden_tty = 1
-
 #
 # Network Protections
 #
@@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1
 #net.ipv6.conf.default.rp_filter = 1
 #net.ipv6.conf.all.rp_filter = 1
 
-
 # Make sure no one can alter the routing tables
 # Act as a router, necessary for Access Point
 net.ipv4.conf.all.accept_redirects = 0
@@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800
 # Sen SynAck retries to 3
 net.ipv4.tcp_synack_retries = 3
 
-#  If you say Y here, neither TCP resets nor ICMP
-#  destination-unreachable packets will be sent in response to packets
-#  sent to ports for which no associated listening process exists.
-#  This feature supports both IPV4 and IPV6 and exempts the 
-#  loopback interface from blackholing.  Enabling this feature 
-#  makes a host more resilient to DoS attacks and reduces network
-#  visibility against scanners.
-#  
-#  The blackhole feature as-implemented is equivalent to the FreeBSD
-#  blackhole feature, as it prevents RST responses to all packets, not
-#  just SYNs.  Under most application behavior this causes no
-#  problems, but applications (like haproxy) may not close certain
-#  connections in a way that cleanly terminates them on the remote
-#  end, leaving the remote host in LAST_ACK state.  Because of this
-#  side-effect and to prevent intentional LAST_ACK DoSes, this
-#  feature also adds automatic mitigation against such attacks.
-#  The mitigation drastically reduces the amount of time a socket
-#  can spend in LAST_ACK state.  If you're using haproxy and not
-#  all servers it connects to have this option enabled, consider
-#  disabling this feature on the haproxy host.
-#  
-#  If the sysctl option is enabled, two sysctl options with names
-#  "ip_blackhole" and "lastack_retries" will be created.
-#  While "ip_blackhole" takes the standard zero/non-zero on/off
-#  toggle, "lastack_retries" uses the same kinds of values as
-#  "tcp_retries1" and "tcp_retries2".  The default value of 4
-#  prevents a socket from lasting more than 45 seconds in LAST_ACK
-#  state.
-kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine or run server
-#  applications from your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_all" is created.
-kernel.grsecurity.socket_all = 1
-
-#  Here you can choose the GID to disable socket access for. Remember to
-#  add the users you want socket access disabled for to the GID
-#  specified here.  If the sysctl option is enabled, a sysctl option
-#  with name "socket_all_gid" is created.
-kernel.grsecurity.socket_all_gid = 200
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_client = 1
-
-#  Here you can choose the GID to disable client socket access for.
-#  Remember to add the users you want client socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_client_gid" is created.
-kernel.grsecurity.socket_client_gid = 201
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_server = 1
-
-#  Here you can choose the GID to disable server socket access for.
-#  Remember to add the users you want server socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_server_gid" is created.
-kernel.grsecurity.socket_server_gid = 99
-
-#
-# Physical Protections
-#
-
-#  If you say Y here, a new sysctl option with name "deny_new_usb"
-#  will be created.  Setting its value to 1 will prevent any new
-#  USB devices from being recognized by the OS.  Any attempted USB
-#  device insertion will be logged.  This option is intended to be
-#  used against custom USB devices designed to exploit vulnerabilities
-#  in various USB device drivers.
-#  
-#  For greatest effectiveness, this sysctl should be set after any
-#  relevant init scripts.  This option is safe to enable in distros
-#  as each user can choose whether or not to toggle the sysctl.
-kernel.grsecurity.deny_new_usb = 0
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-kernel.grsecurity.grsec_lock = 0
-
 # End of file
author	Silvino <silvino@bk.ru>	2019-06-16 05:04:09 +0100
committer	Silvino <silvino@bk.ru>	2019-06-16 05:04:44 +0100
commit	296be79a3b724db67a37244a67cfb3e4ef6b652f (patch)
tree	6136b7fbe2082b018a6a06f897b7012177cce630 /core/conf
parent	fdc231661647d4ca15ddf312e85b210eabd23e50 (diff)
parent	951a8a84411da6b71cee11d8c9feb993b984acf5 (diff)
download	doc-296be79a3b724db67a37244a67cfb3e4ef6b652f.tar.gz