author | Silvino Silva <silvino@bk.ru> | 2017-08-02 01:18:23 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2017-08-02 01:18:23 +0100 |
commit | c0148601ebe2196375f26572624590cad2751845 (patch) | |
tree | 0f40548a2b5c8eaf9bd99423e21b8baf63b83d65 /core/conf | |
parent | 5ff68b8c191272fe9c80765fa6ac11c18aee3224 (diff) | |
parent | 65167272a3ba52dc4d032a1c60a9ff030408047d (diff) | |
download | doc-c0148601ebe2196375f26572624590cad2751845.tar.gz |
Merge branch 'r-0.3.1' into develop
Diffstat (limited to 'core/conf')
-rw-r--r-- | core/conf/exim/exim.conf | 4 | ||||
-rw-r--r-- | core/conf/fstab | 58 | ||||
-rw-r--r-- | core/conf/hosts | 18 | ||||
-rw-r--r-- | core/conf/iptables/iptables-lan.sh | 336 | ||||
-rw-r--r-- | core/conf/iptables/rules.v4 | 215 | ||||
-rw-r--r-- | core/conf/pkgmk.conf | 9 | ||||
-rw-r--r-- | core/conf/ports/6c37-dropin.httpup | 5 | ||||
-rw-r--r-- | core/conf/prt-get.conf | 19 | ||||
-rw-r--r-- | core/conf/rc.conf | 2 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 23 | ||||
-rwxr-xr-x | core/conf/rc.d/wlan | 19 | ||||
-rw-r--r-- | core/conf/resolv.conf | 9 | ||||
-rw-r--r-- | core/conf/sysctl.conf | 566 |
13 files changed, 1027 insertions, 256 deletions
diff --git a/core/conf/exim/exim.conf b/core/conf/exim/exim.conf index 47a6094..074c8af 100644 --- a/core/conf/exim/exim.conf +++ b/core/conf/exim/exim.conf @@ -539,7 +539,9 @@ acl_check_data: # Deny if the message contains an overlong line. Per the standards # we should never receive one such via SMTP. # - deny condition = ${if > {$max_received_linelength}{998}} + deny message = maximum allowed line length is 998 octets, \ + got $max_received_linelength + condition = ${if > {$max_received_linelength}{998}} # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. diff --git a/core/conf/fstab b/core/conf/fstab index 67bc4e4..d3fc878 100644 --- a/core/conf/fstab +++ b/core/conf/fstab 
@@ -13,52 +13,20 @@ #/dev/cdrom /cdrom iso9660 ro,user,noauto,unhide 0 0 #/dev/dvd /dvd udf ro,user,noauto,unhide 0 0 #/dev/floppy/0 /floppy vfat user,noauto,unhide 0 0 -#devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 #tmp /tmp tmpfs defaults 0 0 -shm /dev/shm tmpfs defaults 0 0 +#shm /dev/shm tmpfs defaults 0 0 #usb /proc/bus/usb usbfs defaults 0 0 -devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 - -#/ -#/dev/sda3: -UUID=c8776551-2a98-4335-9fcd-e337331216dd / ext4 defaults 0 0 - -#/boot -#/dev/sda2: -UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,nodev,noexec,nosuid 0 0 - -#/boot/efi -#/dev/sda1: -UUID=962D-0DE1 /boot/efi vfat umask=0077 0 0 - -#/var -#/dev/sda4: -UUID=f0b112e2-6761-472f-b41e-e9c8ccd27702 /var ext4 defaults,nodev,noexec,nosuid 0 0 - -#/usr -#/dev/sda6: -UUID=35755a81-89b2-4f84-a945-5185d1d3b10b /usr ext4 defaults,nodev 0 0 - -#/tmp -#/dev/sda5: -UUID=1325ee41-27c9-4621-ab69-125bb6e1c63b /tmp ext4 defaults,nodev,nosuid,noexec 0 0 - -#/home -#/dev/sda7 -UUID=0ccd903c-b9e2-425f-bd30-78682ffce361 /home ext4 defaults,nodev,nosuid 0 0 - - -#/usr/ports -#/dev/sda8 -#UUID=d1df6743-d3cb-4d5a-badb-96cef3181095 /usr/ports ext4 defaults,nodev,nosuid,noexec 0 0 - -#/usr/ports/work -pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=101,defaults 0 0 - - -#swap -#/dev/sda9: -UUID=2925bf9d-6111-43cb-ab3f-2d95c55e40ca none swap sw 0 0 - # End of file +#/dev/sda3 on / type ext4 (rw,relatime,data=ordered) +#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / ext4 ro,relatime,data=ordered 0 1 +/dev/sda3 / ext4 defaults,noatime,ro 0 1 +devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 +UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,ro,noatime 0 0 +UUID=962D-0DE1 /boot/efi vfat ro,noauto,umask=0077 0 0 +UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237 /var ext4 defaults,nodev,noexec,nosuid,errors=remount-ro 0 0 +UUID=20bd3948-0877-4192-af52-ad87d6f96db0 /usr ext4 defaults,ro,nodev,errors=remount-ro 0 0 
+UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089 /usr/ports ext4 defaults,ro,nodev,errors=remount-ro 0 0 +pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 +UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 +UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 diff --git a/core/conf/hosts b/core/conf/hosts index 449949b..4069af5 100644 --- a/core/conf/hosts +++ b/core/conf/hosts @@ -3,25 +3,11 @@ # # IPv4 LocalHosts 127.0.0.1 localhost.localdomain localhost -127.0.0.1 c9.core c9 - -127.0.0.1 wiki.localhost -127.0.0.1 git.localhost -127.0.0.1 doc.localhost -127.0.0.1 ports.localhost - -# IPv4 Intranet -#<ip-address> <hostname.domain.org> <aliases> - -10.0.0.254 c9.core -10.0.0.254 wiki.c9.core -10.0.0.254 git.c9.core -10.0.0.254 doc.c9.core -10.0.0.254 ports.c9.core +127.0.0.1 c9.core c9 # IPv4 Internet #<ip-address> <hostname.domain.org> <aliases> -10.0.0.254 core.privat-network.net +10.0.0.1 c9.core.cx # IPv6 #::1 ip6-localhost ip6-loopback diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh new file mode 100644 index 0000000..491bc3b --- /dev/null +++ b/core/conf/iptables/iptables-lan.sh 
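Review bot: The new root entry `/dev/sda3 / ext4 defaults,noatime,ro 0 1` is the only mount that names a kernel device node; every other filesystem in the hunk is mounted by UUID, and the commented-out line directly above it shows the UUID form was available. Device enumeration can change when a disk or controller is added, so the root line should use the same `UUID=…` form as the rest (value from that commented line or from `blkid`). The `/usr/ports/work` tmpfs line changes `uid=101` to `uid=100` while keeping `gid=101`; if that was not intentional it will surface as a confusing permission failure in the build user, so it is worth confirming against the pkgmk account. The `shm /dev/shm tmpfs` line is also now commented out, so nothing in this file mounts /dev/shm — fine only if the init scripts do it elsewhere.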
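Review bot: Under the `# IPv4 Internet` heading the new line `10.0.0.1 c9.core.cx` pins a public-looking name to an RFC 1918 address, so every process on this host resolves c9.core.cx to the LAN address regardless of what DNS says, and the heading now misdescribes the entry. If that split-horizon mapping is intended, a comment such as `# c9.core.cx: LAN-side address of this host, overrides public DNS` next to the line would stop the next reader from "fixing" it.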
@@ -0,0 +1,336 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. 
+# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +PRIV_IF="br0" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Unlimited on local +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 
--log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +##### Add your AP rules below ###### + +echo 1 > /proc/sys/net/ipv4/ip_forward + +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +# +##### Server rules below ###### + +#echo "Allow ICMP" +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT + +#echo "Allow DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT + +echo "Allow HTTP and HTTPS server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + +#echo "Allow ssh server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW 
-m limit --limit 3/min --limit-burst 3 -j ACCEPT + +##### Add your rules below ###### + +echo "Allow DNS Client" + +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow Whois Client" + +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow HTTP Client" + +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow Rsync Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow POP3S Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow SMTPS Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow NTP Client" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp 
--sport 123 -m state --state ESTABLISHED -j ACCEPT + +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow IRC Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT + +echo "Allow Active FTP Client" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow Git" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT + +echo "Allow ssh client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT + +#echo "Allow Passive Connections" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + +# echo "Allow FairCoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow Dashcoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow warzone2100" +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT +# +# echo "Allow wesnoth" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp 
--dport 14998 -m state --state NEW -j ACCEPT + +##### END your rules ############ +# Less log of known traffic + +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP + +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT + +# log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + +exit 0 diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 848603c..568455a 100644 --- a/core/conf/iptables/rules.v4 +++ b/core/conf/iptables/rules.v4 
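Review bot: In the "AP rules" block, `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT` carries no state match, so once `ip_forward` is enabled any host that can route to the bridge subnet through this box reaches the LAN unsolicited; the SNAT rule only hides outbound flows, it does not filter inbound ones. `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT` keeps the reply path and closes the unsolicited one. The script also flushes every table (`iptables -F` through `iptables -t security -X`) before the three `iptables -P … DROP` lines, so if the chains were at policy ACCEPT there is a fully open window on each run — set the policies first, then flush. The `modprobe ip_conntrack` / `ip_conntrack_ftp` names are the legacy module names (current kernels use `nf_conntrack` / `nf_conntrack_ftp`), so these lines may silently fail and the FTP helper the passive-connection rules rely on may never load; and `SPAMLIST`/`SPAMDROPMSG` are assigned but never used while the flush/policy lines bypass `$IPT` that the rest of the file uses.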
@@ -1,140 +1,111 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [4559:2307887] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [4459:962215] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [18446:3412851] +:OUTPUT ACCEPT [4467:962535] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 +*nat +:PREROUTING ACCEPT [13936:1107904] +:INPUT ACCEPT [49:2940] +:OUTPUT ACCEPT [504:40037] +:POSTROUTING ACCEPT [504:40037] +COMMIT +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK 
FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -i wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# INPUT accept passive --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT -# Allow established from http server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from https server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -i wlp7s0 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ftp server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A 
INPUT -i wlp7s0 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# INPUT accept from wlp7s0 to dns server --A INPUT -i wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# INPUT accept from wlp7s0 to https server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -i wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD +-A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG +-A INPUT -j DROPLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow dns -#-A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# Allow to rsync server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server --A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A OUTPUT -o wlp7s0 -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - -# Allow from ssh server --A OUTPUT -o wlp7s0 -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -o wlp7s0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - --A OUTPUT -j LOG --log-prefix 
"iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state 
--state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 3533ba7..6949fa7 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,9 +2,10 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CPPFLAGS="-D_FORTIFY_SOURCE=2" +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check" export CXXFLAGS="${CFLAGS}" - +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" export MAKEFLAGS="-j4" case ${PKGMK_ARCH} in 
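Review bot: In the new INPUT chain the unconditional `-A INPUT -p icmp -j DROP` (fourth rule) sits before every later `-p icmp` rule (fragment, ESTABLISHED, RELATED → RELATED_ICMP, echo-request) and before the generic `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, so those rules are unreachable and only the 1/sec-limited first rule ever admits ICMP — errors belonging to existing connections (the type 3/11/12 messages RELATED_ICMP exists to accept) are dropped, which breaks path-MTU discovery. Remove that DROP or move it below the ESTABLISHED/RELATED rules. The OUTPUT chain has the same shape: `-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` precedes the per-port rules for 2222, 53, 6667, 5222, 873, 995, 465, 123, 21, 20, 443 and 80, so none of them ever match and every outbound connection is accepted, which presumably defeats the allowlist that follows. Changing it to `-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` restores the allowlist; the earlier `-A OUTPUT -p icmp -j ACCEPT` likewise shadows the ICMP rules after it. This save also diverges from iptables-lan.sh in the same commit (which accepts FORWARD traffic and 443 inbound), so it is worth a header comment stating which of the two is the one rc.conf's `iptables` service actually loads.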
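Review bot: `-march=native -mtune=native` in a site-wide pkgmk.conf builds every package for the CPU of the build host, so packages from this machine installed elsewhere can fail with illegal-instruction errors; the removed `-march=x86-64` was the portable choice, and if host-specific packages are intended a comment saying so would save the next reader a bad afternoon. `-fstack-check` is a stack-probing option, not the stack-clash mitigation (`-fstack-clash-protection` on recent GCC), and with `-fstack-protector-strong` already set `--param=ssp-buffer-size=4` has no effect — both read as if a different option was meant. `-fPIE` in CFLAGS together with `-pie` in LDFLAGS can break ports that link shared objects with LDFLAGS, so a port that builds a shared library should be test-built before this lands. `-D_FORTIFY_SOURCE=2` does need an optimisation level to do anything, which `-O2` provides, so that part is fine.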
@@ -22,7 +23,9 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/) +#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/) +#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) PKGMK_SOURCE_DIR="/usr/ports/distfiles" PKGMK_PACKAGE_DIR="/usr/ports/packages" PKGMK_WORK_DIR="/usr/ports/work/$name" diff --git a/core/conf/ports/6c37-dropin.httpup b/core/conf/ports/6c37-dropin.httpup new file mode 100644 index 0000000..6dfb3e2 --- /dev/null +++ b/core/conf/ports/6c37-dropin.httpup @@ -0,0 +1,5 @@ +# Collection 6c37-dropin, by camille at airmail dot cc +# File generated by the CRUX portdb http://crux.nu/portdb/ + +ROOT_DIR=/usr/ports/6c37-dropin +URL=https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/ diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 1a5d841..e210ca8 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -5,20 +5,19 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt +prtdir /usr/ports/contrib +prtdir /usr/ports/c9-ports prtdir /usr/ports/xorg +# 6c37 team provides a collection with freetype-iu, fontconfig-iu +# and cairo-iu ports. + # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection -prtdir /usr/ports/contrib - -# ports described on this documentation -#prtdir /usr/ports/c9-ports - -# 6c37 team provides a collection with freetype-iu, fontconfig-iu -# and cairo-iu ports. -#prtdir /usr/ports/6c37 +prtdir /usr/ports/6c37-dropin +prtdir /usr/ports/6c37 ### use mypackage form local directory # prtdir /home/packages/build:mypackage 
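Review bot: The new collection is fetched from a third-party GitHub branch (`.../crux-ports-dropin/3.3/`) via httpup, which checks nothing beyond the TLS connection — no signature on the tree, and a branch rather than a tag or commit, so its contents can change underneath the installed system. Given prt-get.conf in this commit places it in the search path and it is described as a drop-in replacement for core libraries, a comment recording who maintains it and how updates are reviewed belongs in this file; CRUX 3.3 ports can ship per-port `.signature` files that pkgmk verifies, so noting whether this collection provides them would also help.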
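Review bot: The comment `# the following line enables the user maintained contrib collection` now sits directly above `prtdir /usr/ports/6c37-dropin`, while the contrib prtdir it describes has moved to the top of the list; the 6c37 comment has likewise drifted away from the two lines it explains. Because prt-get uses the first collection that has a port, the order is the security-relevant part of this file: both 6c37 collections now come after core/opt/contrib/c9-ports, so their "drop-in" ports are only used for names absent from the earlier collections — state whether that is intended, e.g. `# 6c37-dropin/6c37: consulted only for ports not found in the collections above`, and move or fix the stale contrib comment.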
@@ -38,7 +37,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log
 readme verbose # (verbose|compact|disabled)
 ### prefer higher versions in sysup / diff
-preferhigher yes # (yes|no)
+preferhigher no # (yes|no)
 ### use regexp search
 # useregex no # (yes|no)
@@ -51,7 +50,7 @@ runscripts yes # (no|yes)
 ### EXPERT SECTION ###
 ### alternative commands
-makecommand sudo -H -u pkgmk fakeroot pkgmk
+makecommand sudo -H -u pkgmk -g users fakeroot pkgmk
 addcommand sudo pkgadd
 removecommand sudo pkgrm
 runscriptcommand sudo sh
diff --git a/core/conf/rc.conf b/core/conf/rc.conf
index a9fffb8..ef31a33 100644
--- a/core/conf/rc.conf
+++ b/core/conf/rc.conf
@@ -7,6 +7,6 @@ KEYMAP=dvorak
 TIMEZONE="Europe/Lisbon"
 HOSTNAME=c9
 SYSLOG=sysklogd
-SERVICES=(lo net crond)
+SERVICES=(lo iptables net crond)
 # End of file
diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net
index 53224af..07c46a5 100755
--- a/core/conf/rc.d/net
+++ b/core/conf/rc.d/net
@@ -4,17 +4,18 @@
 #
 # Connection type: "DHCP" or "static"
-TYPE="static"
+TYPE="DHCP"
 # For "static" connections, specify your settings here:
 # To see your available devices run "ip link".
-DEV=enp8s0
-ADDR=192.168.1.9
+DEV=enp11s0
+ADDR=192.168.1.100
 MASK=24
-GW=192.168.1.254
+GW=192.168.1.1
 # Optional settings:
-DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV"
+#DHCPOPTS="-h $(/bin/hostname) -C resolv.conf $DEV"
+DHCPOPTS="-t 10"
 case $1 in
 start)
@@ -28,13 +29,17 @@ case $1 in
 ;;
 stop)
 if [ "${TYPE}" = "DHCP" ]; then
- /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid
-
+ /sbin/dhcpcd -x
 else
+ #/sbin/ip route del default
+ #/sbin/ip link set ${DEV} down
+ #/sbin/ip addr del ${ADDR}/${MASK} dev ${DEV}
+ /sbin/ip route del default dev ${DEV}
 /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
+ /sbin/ip link set ${DEV} down
+ /sbin/ip addr flush dev ${DEV}
+
 fi
 ;;
 restart)
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 894a69c..86910bc 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
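Review bot: `makecommand sudo -H -u pkgmk -g users fakeroot pkgmk` runs every build with primary group `users` instead of pkgmk's own group, so anything a build creates with a group-writable umask under the work and package directories becomes writable by every interactive user in `users`, who could alter a package between the build and `addcommand sudo pkgadd`. If gid 100 is `users` on this host, the same change also places builds under the grsecurity TPE restriction enabled in sysctl.conf (`tpe_gid = 100`, `tpe_invert = 0`), which can refuse to execute binaries produced in a non-root-owned work directory; worth confirming before relying on it. Prefer a dedicated build group, `makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk`, and keep the sudoers entry limited to that user/group pair.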
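Review bot: `DHCPOPTS="-t 10"` no longer names an interface, so if the start branch (outside the hunk) still runs `dhcpcd $DHCPOPTS` as the old option string implies, dhcpcd now starts in master mode over every interface, including the wireless one that rc.d/wlan drives with its own dhcpcd and wpa_supplicant; keep the device in the options: `DHCPOPTS="-t 10 $DEV"`. The same change drops `-C resolv.conf`, so the DHCP server's nameservers will overwrite the static `nameserver 213.73.91.35` this commit writes to resolv.conf; add `-C resolv.conf` back if the pinned resolver is intended. `-t 10` also shortens the lease wait from dhcpcd's default, which deserves a comment such as `# -t 10: stop waiting for a lease after 10 s`.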
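Review bot: `/sbin/dhcpcd -x` with no interface argument asks the dhcpcd master process to release and exit for every interface it manages, so `net stop` also drops the lease on the wireless interface handled by rc.d/wlan (which this commit points at the same master pidfile, /var/run/dhcpcd.pid); scope it with `/sbin/dhcpcd -x ${DEV}`. In the static branch, `ip route del default dev ${DEV}` immediately followed by `ip route flush dev ${DEV}` is redundant and the first prints an error whenever no default route exists, so one of the two suffices. The `case` statement this belongs to starts and ends outside the hunk.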
@@ -2,15 +2,17 @@
 #
 # /etc/rc.d/wlan: start/stop wireless interface
 #
+
 DEV=wlp7s0
+
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
 PROG_WIFI=/usr/sbin/wpa_supplicant
-PID_DHCP=/var/run/dhcpcd-${DEV}.pid
+PID_DHCP=/var/run/dhcpcd.pid
 PID_WIFI=/var/run/wpa_supplicant.pid
-OPTS_DHCP="-h $(/bin/hostname) -C resolv.conf $DEV"
+OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 print_status() {
@@ -30,13 +32,15 @@ case $1 in
 RETVAL=$?
 ;;
 stop)
- ( $SSD --stop --retry 10 --pidfile $PID_DHCP
+ ( $SSD --stop --retry 10 --pidfile $PID_DHCP
 $SSD --stop --retry 10 --pidfile $PID_WIFI )
+
 RETVAL=$?
- /sbin/ip route del default dev ${DEV}
- /sbin/ip route flush dev ${DEV}
- /sbin/ip link set ${DEV} down
- /sbin/ip addr flush dev ${DEV}
+ /sbin/ip route del default dev ${DEV}
+ /sbin/ip route flush dev ${DEV}
+ /sbin/ip link set ${DEV} down
+ /sbin/ip addr flush dev ${DEV}
+
 ;;
 restart)
 $0 stop
@@ -54,4 +58,3 @@ esac
 exit $RETVAL
 # End of file
-
diff --git a/core/conf/resolv.conf b/core/conf/resolv.conf
index 8a85b42..4c22142 100644
--- a/core/conf/resolv.conf
+++ b/core/conf/resolv.conf
@@ -1,3 +1,8 @@
-# /etc/resolv.conf.head can replace this line
+#
+# /etc/resolv.conf: resolver configuration file
+#
+
+#search <domain.org>
+#nameserver <ip-address>
 nameserver 213.73.91.35
-# /etc/resolv.conf.tail can replace this line
+# End of file
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index b74243b..4606791 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
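Review bot: `PID_DHCP=/var/run/dhcpcd.pid` now names the dhcpcd master pidfile rather than the per-interface one, so `$SSD --stop --pidfile $PID_DHCP` in the stop branch kills the daemon serving every interface, including the wired one started by rc.d/net; if this dhcpcd version still writes `/var/run/dhcpcd-${DEV}.pid` keep that, otherwise release only this interface with `dhcpcd -x ${DEV}`. The new OPTS_DHCP also drops `-C resolv.conf`, so DHCP-supplied nameservers will overwrite /etc/resolv.conf, where this commit pins 213.73.91.35; add `-C resolv.conf` back if the static resolver is intended. A short comment on the new flags, e.g. `# --waitip: block until an address is assigned; -z DEV: only manage this interface`, would make the change self-explanatory.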
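Review bot: `RETVAL=$?` after the `( ... )` subshell captures only the exit status of the last command inside it, the wpa_supplicant stop, so a failed dhcpcd stop is reported as success; either check each `$SSD --stop` separately or chain them: `( $SSD --stop --retry 10 --pidfile $PID_DHCP && $SSD --stop --retry 10 --pidfile $PID_WIFI )`. The four `ip` commands that follow run unconditionally and never update RETVAL, so a failing `ip link set ${DEV} down` is invisible to the caller as well. The `case` statement this belongs to starts and ends outside the hunk.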
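Review bot: A single unauthenticated upstream, `nameserver 213.73.91.35`, is now the only resolver, with no second entry for failover and no `options` line, so every lookup waits out the full timeout when it is unreachable. The removed `.head`/`.tail` comments were the markers used by dhcpcd's resolv.conf hook, and this commit simultaneously drops `-C resolv.conf` from both rc.d/net and rc.d/wlan, so dhcpcd will overwrite this file on the first lease unless a `nohook resolv.conf` exists in dhcpcd.conf (not visible here); state which behaviour is intended, e.g. `# static resolver: start dhcpcd with -C resolv.conf to keep it`.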
@@ -2,23 +2,423 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 1 4 1 7 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 +# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 +kernel.pid_max = 65536 + +# +# Memory Protections +# + +# If you say Y here, all ioperm and iopl calls will return an error. +# Ioperm and iopl can be used to modify the running kernel. +# Unfortunately, some programs need this access to operate properly, +# the most notable of which are XFree86 and hwclock. hwclock can be +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure +# that hwclock operates correctly. +# +# If you're using XFree86 or a version of Xorg from 2012 or earlier, +# you may not be able to boot into a graphical environment with this +# option enabled. In this case, you should use the RBAC system instead. +kernel.grsecurity.disable_priv_io = 1 + +# If you say Y here, attempts to bruteforce exploits against forking +# daemons such as apache or sshd, as well as against suid/sgid binaries +# will be deterred. When a child of a forking daemon is killed by PaX +# or crashes due to an illegal instruction or other suspicious signal, +# the parent process will be delayed 30 seconds upon every subsequent +# fork until the administrator is able to assess the situation and +# restart the daemon. +# In the suid/sgid case, the attempt is logged, the user has all their +# existing instances of the suid/sgid binary terminated and will +# be unable to execute any suid/sgid binaries for 15 minutes. +# +# It is recommended that you also enable signal logging in the auditing +# section so that logs are generated when a process triggers a suspicious +# signal. 
+# If the sysctl option is enabled, a sysctl option with name +# "deter_bruteforce" is created. +kernel.grsecurity.deter_bruteforce = 1 + +# +# Filesystem Protections +# + +# Optimization for port usefor LBs +# Increase system file descriptor limit +fs.file-max = 65535 + +# If you say Y here, /tmp race exploits will be prevented, since users +# will no longer be able to follow symlinks owned by other users in +# world-writable +t directories (e.g. /tmp), unless the owner of the +# symlink is the owner of the directory. users will also not be +# able to hardlink to files they do not own. If the sysctl option is +# enabled, a sysctl option with name "linking_restrictions" is created. +kernel.grsecurity.linking_restrictions = 1 + + +# Apache's SymlinksIfOwnerMatch option has an inherent race condition +# that prevents it from being used as a security feature. As Apache +# verifies the symlink by performing a stat() against the target of +# the symlink before it is followed, an attacker can setup a symlink +# to point to a same-owned file, then replace the symlink with one +# that targets another user's file just after Apache "validates" the +# symlink -- a classic TOCTOU race. If you say Y here, a complete, +# race-free replacement for Apache's "SymlinksIfOwnerMatch" option +# will be in place for the group you specify. If the sysctl option +# is enabled, a sysctl option with name "enforce_symlinksifowner" is +# created. +kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.symlinkown_gid = 15 + +# if you say Y here, users will not be able to write to FIFOs they don't +# own in world-writable +t directories (e.g. /tmp), unless the owner of +# the FIFO is the same owner of the directory it's held in. If the sysctl +# option is enabled, a sysctl option with name "fifo_restrictions" is +# created. +kernel.grsecurity.fifo_restrictions = 1 + +# If you say Y here, a sysctl option with name "romount_protect" will +# be created. 
By setting this option to 1 at runtime, filesystems +# will be protected in the following ways: +# * No new writable mounts will be allowed +# * Existing read-only mounts won't be able to be remounted read/write +# * Write operations will be denied on all block devices +# This option acts independently of grsec_lock: once it is set to 1, +# it cannot be turned off. Therefore, please be mindful of the resulting +# behavior if this option is enabled in an init script on a read-only +# filesystem. +# Also be aware that as with other root-focused features, GRKERNSEC_KMEM +# and GRKERNSEC_IO should be enabled and module loading disabled via +# config or at runtime. +# This feature is mainly intended for secure embedded systems. +#kernel.grsecurity.romount_protect = 1 + +# if you say Y here, the capabilities on all processes within a +# chroot jail will be lowered to stop module insertion, raw i/o, +# system and net admin tasks, rebooting the system, modifying immutable +# files, modifying IPC owned by another, and changing the system time. +# This is left an option because it can break some apps. Disable this +# if your chrooted apps are having problems performing those kinds of +# tasks. If the sysctl option is enabled, a sysctl option with +# name "chroot_caps" is created. +kernel.grsecurity.chroot_caps = 1 + +#kernel.grsecurity.chroot_deny_bad_rename = 1 + +# If you say Y here, processes inside a chroot will not be able to chmod +# or fchmod files to make them have suid or sgid bits. This protects +# against another published method of breaking a chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_chmod" is +# created. +kernel.grsecurity.chroot_deny_chmod = 1 + +# If you say Y here, processes inside a chroot will not be able to chroot +# again outside the chroot. This is a widely used method of breaking +# out of a chroot jail and should not be allowed. 
If the sysctl +# option is enabled, a sysctl option with name +# "chroot_deny_chroot" is created. +kernel.grsecurity.chroot_deny_chroot = 1 + +# If you say Y here, a well-known method of breaking chroots by fchdir'ing +# to a file descriptor of the chrooting process that points to a directory +# outside the filesystem will be stopped. If the sysctl option +# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. +kernel.grsecurity.chroot_deny_fchdir = 1 + +# If you say Y here, processes inside a chroot will not be allowed to +# mknod. The problem with using mknod inside a chroot is that it +# would allow an attacker to create a device entry that is the same +# as one on the physical root of your system, which could range from +# anything from the console device to a device for your harddrive (which +# they could then use to wipe the drive or steal data). It is recommended +# that you say Y here, unless you run into software incompatibilities. +# If the sysctl option is enabled, a sysctl option with name +# "chroot_deny_mknod" is created. +kernel.grsecurity.chroot_deny_mknod = 1 + +# If you say Y here, processes inside a chroot will not be able to +# mount or remount filesystems. If the sysctl option is enabled, a +# sysctl option with name "chroot_deny_mount" is created. +kernel.grsecurity.chroot_deny_mount = 1 + +# If you say Y here, processes inside a chroot will not be able to use +# a function called pivot_root() that was introduced in Linux 2.3.41. It +# works similar to chroot in that it changes the root filesystem. This +# function could be misused in a chrooted process to attempt to break out +# of the chroot, and therefore should not be allowed. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_pivot" is +# created. +kernel.grsecurity.chroot_deny_pivot = 1 + +# If you say Y here, processes inside a chroot will not be able to attach +# to shared memory segments that were created outside of the chroot jail. 
+# It is recommended that you say Y here. If the sysctl option is enabled, +# a sysctl option with name "chroot_deny_shmat" is created. +kernel.grsecurity.chroot_deny_shmat = 1 + +# If you say Y here, an attacker in a chroot will not be able to +# write to sysctl entries, either by sysctl(2) or through a /proc +# interface. It is strongly recommended that you say Y here. If the +# sysctl option is enabled, a sysctl option with name +# "chroot_deny_sysctl" is created. +kernel.grsecurity.chroot_deny_sysctl = 1 + +# If you say Y here, processes inside a chroot will not be able to +# connect to abstract (meaning not belonging to a filesystem) Unix +# domain sockets that were bound outside of a chroot. It is recommended +# that you say Y here. If the sysctl option is enabled, a sysctl option +# with name "chroot_deny_unix" is created. +kernel.grsecurity.chroot_deny_unix = 1 + +# If you say Y here, the current working directory of all newly-chrooted +# applications will be set to the the root directory of the chroot. +# The man page on chroot(2) states: +# Note that usually chhroot does not change the current working +# directory, so that `.' can be outside the tree rooted at +# `/'. In particular, the super-user can escape from a +# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. +# +# It is recommended that you say Y here, since it's not known to break +# any software. If the sysctl option is enabled, a sysctl option with +# name "chroot_enforce_chdir" is created. +kernel.grsecurity.chroot_enforce_chdir = 1 + +# If you say Y here, processes inside a chroot will not be able to +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# getsid, or view any process outside of the chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_findtask" is +# created. 
+kernel.grsecurity.chroot_findtask = 1 + +# If you say Y here, processes inside a chroot will not be able to raise +# the priority of processes in the chroot, or alter the priority of +# processes outside the chroot. This provides more security than simply +# removing CAP_SYS_NICE from the process' capability set. If the +# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" +# is created. +kernel.grsecurity.chroot_restrict_nice = 1 + +# +# Kernel Auditing +# + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +kernel.grsecurity.audit_group = 1 + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +kernel.grsecurity.audit_gid = 99 + +# If you say Y here, all execve() calls will be logged (since the +# other exec*() calls are frontends to execve(), all execution +# will be logged). Useful for shell-servers that like to keep track +# of their users. If the sysctl option is enabled, a sysctl option with +# name "exec_logging" is created. +# WARNING: This option when enabled will produce a LOT of logs, especially +# on an active system. +kernel.grsecurity.exec_logging = 0 + +# If you say Y here, all attempts to overstep resource limits will +# be logged with the resource name, the requested size, and the current +# limit. It is highly recommended that you say Y here. If the sysctl +# option is enabled, a sysctl option with name "resource_logging" is +# created. 
If the RBAC system is enabled, the sysctl value is ignored. +kernel.grsecurity.resource_logging = 1 + +# If you say Y here, all executions inside a chroot jail will be logged +# to syslog. This can cause a large amount of logs if certain +# applications (eg. djb's daemontools) are installed on the system, and +# is therefore left as an option. If the sysctl option is enabled, a +# sysctl option with name "chroot_execlog" is created. +kernel.grsecurity.chroot_execlog = 0 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +#kernel.grsecurity.audit_ptrace = 1 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +kernel.grsecurity.audit_chdir = 0 + +# If you say Y here, all mounts and unmounts will be logged. If the +# sysctl option is enabled, a sysctl option with name "audit_mount" is +# created. +kernel.grsecurity.audit_mount = 1 + +# If you say Y here, certain important signals will be logged, such as +# SIGSEGV, which will as a result inform you of when a error in a program +# occurred, which in some cases could mean a possible exploit attempt. +# If the sysctl option is enabled, a sysctl option with name +# "signal_logging" is created. +kernel.grsecurity.signal_logging = 1 + +# If you say Y here, all failed fork() attempts will be logged. +# This could suggest a fork bomb, or someone attempting to overstep +# their process limit. If the sysctl option is enabled, a sysctl option +# with name "forkfail_logging" is created. +kernel.grsecurity.forkfail_logging = 1 + +# If you say Y here, any changes of the system clock will be logged. +# If the sysctl option is enabled, a sysctl option with name +# "timechange_logging" is created. 
+kernel.grsecurity.timechange_logging = 1 + +# if you say Y here, calls to mmap() and mprotect() with explicit +# usage of PROT_WRITE and PROT_EXEC together will be logged when +# denied by the PAX_MPROTECT feature. This feature will also +# log other problematic scenarios that can occur when PAX_MPROTECT +# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# sysctl option is enabled, a sysctl option with name "rwxmap_logging" +# is created. +kernel.grsecurity.rwxmap_logging = 1 + +# +# Executable Protections +# + + +# if you say Y here, non-root users will not be able to use dmesg(8) +# to view the contents of the kernel's circular log buffer. +# The kernel's log buffer often contains kernel addresses and other +# identifying information useful to an attacker in fingerprinting a +# system for a targeted exploit. +# If the sysctl option is enabled, a sysctl option with name "dmesg" is +# created. +kernel.grsecurity.dmesg = 1 + +# Hide symbol addresses in /proc/kallsyms +kernel.kptr_restrict = 2 + +# If you say Y here, TTY sniffers and other malicious monitoring +# programs implemented through ptrace will be defeated. If you +# have been using the RBAC system, this option has already been +# enabled for several years for all users, with the ability to make +# fine-grained exceptions. +# +# This option only affects the ability of non-root users to ptrace +# processes that are not a descendent of the ptracing process. +# This means that strace ./binary and gdb ./binary will still work, +# but attaching to arbitrary processes will not. If the sysctl +# option is enabled, a sysctl option with name "harden_ptrace" is +# created. +kernel.grsecurity.harden_ptrace = 1 + +# If you say Y here, unprivileged users will not be able to ptrace unreadable +# binaries. This option is useful in environments that +# remove the read bits (e.g. file mode 4711) from suid binaries to +# prevent infoleaking of their contents. 
This option adds +# consistency to the use of that file mode, as the binary could normally +# be read out when run without privileges while ptracing. +# +# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" +# is created. +kernel.grsecurity.ptrace_readexec = 1 + +# If you say Y here, a change from a root uid to a non-root uid +# in a multithreaded application will cause the resulting uids, +# gids, supplementary groups, and capabilities in that thread +# to be propagated to the other threads of the process. In most +# cases this is unnecessary, as glibc will emulate this behavior +# on behalf of the application. Other libcs do not act in the +# same way, allowing the other threads of the process to continue +# running with root privileges. If the sysctl option is enabled, +# a sysctl option with name "consistent_setxid" is created. +kernel.grsecurity.consistent_setxid = 1 + +# If you say Y here, access to overly-permissive IPC objects (shared +# memory, message queues, and semaphores) will be denied for processes +# given the following criteria beyond normal permission checks: +# 1) If the IPC object is world-accessible and the euid doesn't match +# that of the creator or current uid for the IPC object +# 2) If the IPC object is group-accessible and the egid doesn't +# match that of the creator or current gid for the IPC object +# It's a common error to grant too much permission to these objects, +# with impact ranging from denial of service and information leaking to +# privilege escalation. This feature was developed in response to +# research by Tim Brown: +# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ +# who found hundreds of such insecure usages. Processes with +# CAP_IPC_OWNER are still permitted to access these IPC objects. +# If the sysctl option is enabled, a sysctl option with name +# "harden_ipc" is created. 
+kernel.grsecurity.harden_ipc = 1 + +# If you say Y here, you will be able to choose a gid to add to the +# supplementary groups of users you want to mark as "untrusted." +# These users will not be able to execute any files that are not in +# root-owned directories writable only by root. If the sysctl option +# is enabled, a sysctl option with name "tpe" is created. +kernel.grsecurity.tpe = 1 +kernel.grsecurity.tpe_gid = 100 +# If you say Y here, the group you specify in the TPE configuration will +# decide what group TPE restrictions will be *disabled* for. This +# option is useful if you want TPE restrictions to be applied to most +# users on the system. If the sysctl option is enabled, a sysctl option +# with name "tpe_invert" is created. Unlike other sysctl options, this +# entry will default to on for backward-compatibility. +kernel.grsecurity.tpe_invert = 0 + +# If you say Y here, all non-root users will be covered under +# a weaker TPE restriction. This is separate from, and in addition to, +# the main TPE options that you have selected elsewhere. Thus, if a +# "trusted" GID is chosen, this restriction applies to even that GID. +# Under this restriction, all non-root users will only be allowed to +# execute files in directories they own that are not group or +# world-writable, or in directories owned by root and writable only by +# root. If the sysctl option is enabled, a sysctl option with name +# "tpe_restrict_all" is created. 
+kernel.grsecurity.tpe_restrict_all = 1 + + +kernel.grsecurity.harden_tty = 1 + +# +# Network Protections +# + +# Increase Linux auto tuning TCP buffer limits +# min, default, and max number of bytes to use +# set max to at least 4MB, or higher if you use very high BDP paths +# Tcp Windows etc +net.core.rmem_max = 8388608 +net.core.wmem_max = 8388608 +net.core.netdev_max_backlog = 5000 +net.ipv4.tcp_window_scaling = 1 + +# Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -# net.ipv6.conf.default.router_solicitations = 0 -# net.ipv6.conf.default.accept_ra_rtr_pref = 0 -# net.ipv6.conf.default.accept_ra_pinfo = 0 -# net.ipv6.conf.default.accept_ra_defrtr = 0 -# net.ipv6.conf.default.autoconf = 0 -# net.ipv6.conf.default.dad_transmits = 0 -# net.ipv6.conf.default.max_addresses = 0 - -# Avoid a smurf attack +#net.ipv6.conf.default.router_solicitations = 0 +#net.ipv6.conf.default.accept_ra_rtr_pref = 0 +#net.ipv6.conf.default.accept_ra_pinfo = 0 +#net.ipv6.conf.default.accept_ra_defrtr = 0 +#net.ipv6.conf.default.autoconf = 0 +#net.ipv6.conf.default.dad_transmits = 0 +#net.ipv6.conf.default.max_addresses = 0 + +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages 
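Review bot: `kernel.printk = 7 1 1 4` raises the console log level to 7, so every kernel message, including the ones `kernel.grsecurity.dmesg = 1` and `kernel.kptr_restrict = 2` are meant to keep from unprivileged users, is echoed to the physical console for anyone at the terminal to read; the previous `1 4 1 7` was the quieter setting, so revert it or document the debugging intent. `kernel.grsecurity.audit_gid = 99` reuses the gid that the last hunk assigns to `socket_server_gid`, so any account added to gid 99 for exec/chdir auditing also loses the ability to listen on sockets; use distinct groups. The comment blocks above `audit_gid` and `audit_chdir` are copied from `audit_group` and `audit_ptrace` and describe the wrong option. These `kernel.grsecurity.*` keys only exist on a grsecurity kernel, so on a stock kernel `sysctl -p` reports an error for each; a one-line header stating the kernel requirement would save the next reader some confusion.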
@@ -47,40 +447,31 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 -net.ipv6.conf.default.rp_filter = 1 -net.ipv6.conf.all.rp_filter = 1 +#net.ipv6.conf.default.rp_filter = 1 +#net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 - -kernel.shmmax = 500000000 -# Turn on execshild -kernel.exec-shield = 1 -kernel.randomize_va_space = 1 -# Optimization for port usefor LBs -# Increase system file descriptor limit -fs.file-max = 65535 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 -# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 -kernel.pid_max = 65536 +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 
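Review bot: The comment `# Act as a router, necessary for Access Point` now sits above `accept_redirects = 0`, while the hunk sets `net.ipv4.ip_forward = 0` and `send_redirects = 0`, i.e. the host is explicitly no longer a router, so the comment is stale and contradicts the settings under it; drop it and put `net.ipv4.ip_forward = 0` under a fresh `# Not a router: do not forward packets or emit redirects`. Leaving the IPv6 `rp_filter` keys commented out is correct, since they do not exist, but a note saying so would stop someone re-enabling them. Removing `kernel.exec-shield` is also right; it was never a mainline sysctl.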
@@ -89,14 +480,111 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 -# Increase Linux auto tuning TCP buffer limits -# min, default, and max number of bytes to use -# set max to at least 4MB, or higher if you use very high BDP paths -# Tcp Windows etc -net.core.rmem_max = 8388608 -net.core.wmem_max = 8388608 -net.core.netdev_max_backlog = 5000 -net.ipv4.tcp_window_scaling = 1 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 -# End of file +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 + +# If you say Y here, neither TCP resets nor ICMP +# destination-unreachable packets will be sent in response to packets +# sent to ports for which no associated listening process exists. +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature +# makes a host more resilient to DoS attacks and reduces network +# visibility against scanners. +# +# The blackhole feature as-implemented is equivalent to the FreeBSD +# blackhole feature, as it prevents RST responses to all packets, not +# just SYNs. Under most application behavior this causes no +# problems, but applications (like haproxy) may not close certain +# connections in a way that cleanly terminates them on the remote +# end, leaving the remote host in LAST_ACK state. Because of this +# side-effect and to prevent intentional LAST_ACK DoSes, this +# feature also adds automatic mitigation against such attacks. +# The mitigation drastically reduces the amount of time a socket +# can spend in LAST_ACK state. 
If you're using haproxy and not +# all servers it connects to have this option enabled, consider +# disabling this feature on the haproxy host. +# +# If the sysctl option is enabled, two sysctl options with names +# "ip_blackhole" and "lastack_retries" will be created. +# While "ip_blackhole" takes the standard zero/non-zero on/off +# toggle, "lastack_retries" uses the same kinds of values as +# "tcp_retries1" and "tcp_retries2". The default value of 4 +# prevents a socket from lasting more than 45 seconds in LAST_ACK +# state. +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine or run server +# applications from your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_all" is created. +kernel.grsecurity.socket_all = 1 + +# Here you can choose the GID to disable socket access for. Remember to +# add the users you want socket access disabled for to the GID +# specified here. If the sysctl option is enabled, a sysctl option +# with name "socket_all_gid" is created. +kernel.grsecurity.socket_all_gid = 200 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. +kernel.grsecurity.socket_client = 1 + +# Here you can choose the GID to disable client socket access for. +# Remember to add the users you want client socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_client_gid" is created. 
+kernel.grsecurity.socket_client_gid = 201 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. +kernel.grsecurity.socket_server = 1 + +# Here you can choose the GID to disable server socket access for. +# Remember to add the users you want server socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_server_gid" is created. +kernel.grsecurity.socket_server_gid = 99 + +# +# Physical Protections +# + +# If you say Y here, a new sysctl option with name "deny_new_usb" +# will be created. Setting its value to 1 will prevent any new +# USB devices from being recognized by the OS. Any attempted USB +# device insertion will be logged. This option is intended to be +# used against custom USB devices designed to exploit vulnerabilities +# in various USB device drivers. +# +# For greatest effectiveness, this sysctl should be set after any +# relevant init scripts. This option is safe to enable in distros +# as each user can choose whether or not to toggle the sysctl. +kernel.grsecurity.deny_new_usb = 0 + +# +# Restrict grsec sysctl changes after this was set +# +kernel.grsecurity.grsec_lock = 0 + +# End of file |
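Review bot: `kernel.grsecurity.grsec_lock = 0` as the final key leaves every `kernel.grsecurity.*` toggle in this file changeable by any root process after boot, so the hardening is advisory rather than enforced; if the comment's intent is to lock it, set `kernel.grsecurity.grsec_lock = 1` and keep it as the last line, since sysctl applies the file in order and nothing can be changed after it. `kernel.grsecurity.socket_server_gid = 99` is the same gid the earlier hunk uses for `audit_gid`, and `socket_all_gid`/`socket_client_gid` 200/201 are not standard groups, so confirm they exist in /etc/group or the restrictions bind to nobody. The comment above `socket_server` is a copy of the `socket_client` one and should describe server-socket denial, and `# Sen SynAck retries to 3` should read `# Set SYN-ACK retries to 3`.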