about summary refs log tree commit diff stats
path: root/core/conf
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf')
-rw-r--r--core/conf/iptables/br-lan.v4136
-rw-r--r--core/conf/iptables/ipt-bridge.sh172
-rw-r--r--core/conf/iptables/ipt-conf.sh21
-rw-r--r--core/conf/iptables/ipt-firewall.sh258
-rw-r--r--core/conf/iptables/ipt-server.sh37
-rw-r--r--core/conf/iptables/net.v4111
-rw-r--r--core/conf/ports/mate.git7
-rw-r--r--core/conf/ports/mate.httpup.inactive (renamed from core/conf/ports/mate.httpup)0
-rw-r--r--core/conf/rc.d/iptables117
-rwxr-xr-xcore/conf/rc.d/wlan47
-rw-r--r--core/conf/skel/.profile33
11 files changed, 597 insertions, 342 deletions
diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4
deleted file mode 100644
index 61da499..0000000
--- a/core/conf/iptables/br-lan.v4
+++ /dev/null
@@ -1,136 +0,0 @@
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*security
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*raw
-:PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:blocker - [0:0]
-:client_in - [0:0]
-:client_out - [0:0]
-:netconf_in - [0:0]
-:netconf_out - [0:0]
-:server_in - [0:0]
-:server_out - [0:0]
--A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
--A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
--A INPUT -j blocker
--A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
--A INPUT -d 10.0.0.0/8 -i br0 -j client_in
--A INPUT -i br0 -j netconf_in
--A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
--A FORWARD -j blocker
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
--A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
--A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
--A OUTPUT -j blocker
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
--A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
--A OUTPUT -o br0 -j netconf_out
--A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
--A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
--A blocker -s 8.8.0.0/24 -j DROP
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
--A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
--A blocker -f -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
--A blocker -j RETURN
--A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -j RETURN
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -j RETURN
--A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
--A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
--A netconf_in -p icmp -j ACCEPT
--A netconf_in -j RETURN
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
--A netconf_out -p icmp -j ACCEPT
--A netconf_out -j RETURN
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -j RETURN
--A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -j RETURN
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
new file mode 100644
index 0000000..6ad26fa
--- /dev/null
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+echo "setting bridge ${BR_IF} network..."
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### NAT Prerouting Chain  ######
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+####### Forward Chain  ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+# Allow access from bridge to gateway wifi interface
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+
+# allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
+
+# allow input from public bridged interface facing Internet 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
+
+######## Forward TAP2 ssh, http and https  ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#
+# Tap1
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
+#
+#
+## Tap3
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
+#
+#
+# Tap1, Tap2 and Tap3 can access external https
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+
+
+
+#
+#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+#
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+#
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+#Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+  
+$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
+
+$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+#Less noise
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+
+
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+
+####### PostRouting Chain ######
+#Less noise
+#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+
+#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
new file mode 100644
index 0000000..eef0b52
--- /dev/null
+++ b/core/conf/iptables/ipt-conf.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+TYPE=bridge
+#TYPE=server
+
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+
+# public interface to network/internet
+BR_IF="br0"
+BR_NET="10.0.0.0/8"
+GW="10.0.0.1"
+#GW="10.0.0.2"
+#DNS="10.0.0.254"
+DNS="212.55.154.174"
+
+PUB_IP="10.0.0.254"
+PUB_IF="enp8s0"
+
+# private interface for virtual/internal
+WIFI_IF="wlp7s0"
+WIFI_NET="192.168.1.0/24"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
new file mode 100644
index 0000000..4697de0
--- /dev/null
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -0,0 +1,258 @@
+#!/bin/bash
+
+IPT="/usr/sbin/iptables"
+
+ipt_clear () {
+    echo "clear all iptables tables"
+
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+    iptables -t raw -F
+    iptables -t raw -X
+    iptables -t security -F
+    iptables -t security -X
+    iptables -N blocker
+
+    iptables -N srv_dhcp
+    iptables -N srv_rip
+    iptables -N srv_icmp
+    iptables -N srv_dns_in
+    iptables -N srv_dns_out
+    iptables -N srv_http_in
+    iptables -N srv_http_out
+    iptables -N srv_https_in
+    iptables -N srv_https_out
+    iptables -N srv_ssh_in
+    iptables -N srv_ssh_out
+    iptables -N srv_git_in
+    iptables -N srv_git_out
+    iptables -N srv_db_in
+    iptables -N srv_db_out
+
+
+    iptables -N cli_dns_in
+    iptables -N cli_dns_out
+    iptables -N cli_http_in
+    iptables -N cli_http_out
+    iptables -N cli_https_in
+    iptables -N cli_https_out
+    iptables -N cli_ssh_in
+    iptables -N cli_ssh_out
+    iptables -N cli_pops_in
+    iptables -N cli_pops_out
+    iptables -N cli_smtps_in
+    iptables -N cli_smtps_out
+    iptables -N cli_irc_in
+    iptables -N cli_irc_out
+    iptables -N cli_ftp_in
+    iptables -N cli_ftp_out
+    iptables -N cli_git_in
+    iptables -N cli_git_out
+    iptables -N cli_gpg_in
+    iptables -N cli_gpg_out
+
+    # Set Default Rules
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+}
+
+ipt_log () {
+    ## log everything else and drop
+    $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+    $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+    $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+}
+
+
+ipt_tables () {
+    echo "start adding tables..."
+
+    ####### blocker Chain  ######
+    ## Block google dns
+    #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+    #$IPT -A blocker -s 8.8.0.0/24 -j DROP
+    ## Block sync
+    $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+    $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
+    ## Block Fragments
+    $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+    $IPT -A blocker -f -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+    $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+    $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+    ## Return to caller
+    $IPT -A blocker -j RETURN
+
+    ######## DNS Server
+    #echo "server_in chain: Allow input to DNS Server"
+    $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_in -j RETURN
+    #echo "srv_dns_out chain: Allow output from DNS server"
+    $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_out -j RETURN
+
+    ####### Database Server
+    $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_db_in -j RETURN
+    $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_db_out -j RETURN
+
+    ####### SSH Server
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
+        --update --seconds 60 --hitcount 4 --rttl \
+        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
+        --hitcount 4 --rttl --name SSH -j DROP
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+        --update --seconds 60 --hitcount 4 --rttl \
+        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+        --hitcount 4 --rttl --name SSH -j DROP
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_in -j RETURN
+
+    $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_out -j RETURN
+
+    ####### HTTP Server
+    $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_http_in -j RETURN
+    $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_http_out -j RETURN
+
+    ####### HTTPS Server
+    $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_https_in -j RETURN
+    $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_https_out -j RETURN
+
+    ###### GIT server
+    $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_git_in -j RETURN
+    $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_git_out -j RETURN
+
+    ######## DNS Client
+    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+    $IPT -A cli_dns_out -j RETURN
+    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT
+    $IPT -A cli_dns_in -j RETURN
+
+    ######## HTTP Client
+    #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
+    $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_in -j RETURN
+    $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_out -j RETURN
+
+    ######## IRC client
+    $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_irc_in -j RETURN
+    $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_irc_out -j RETURN
+
+    ######## FTP client
+    $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_in -j RETURN
+    $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+    $IPT -A cli_ftp_out -j RETURN
+
+    ######## GIT client
+    $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_git_in -j RETURN
+    $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_git_out -j RETURN
+
+    ######## POP3S client
+    $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_pops_in -j RETURN
+    $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_pops_out -j RETURN
+
+    ######## SMTPS client
+    $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_smtps_in -j RETURN
+    $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_smtps_out -j RETURN
+
+    ######## HTTPS client
+    $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_in -j RETURN
+    $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_out -j RETURN
+
+    ######## SSH client
+    $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_in -j RETURN
+    $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_out -j RETURN
+
+    ######## GPG key client
+    $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_gpg_in -j RETURN
+    $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_gpg_out -j RETURN
+
+    ######## DHCP Server
+    $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
+    $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
+    $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
+    $IPT -A srv_dhcp -j RETURN
+
+    ####### RIP Server
+    $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
+    $IPT -A srv_rip -j RETURN
+
+    ####### ICMP Server
+    $IPT -A srv_icmp -p icmp -j ACCEPT
+    $IPT -A srv_icmp -j RETURN
+}
+
+
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
new file mode 100644
index 0000000..225fd31
--- /dev/null
+++ b/core/conf/iptables/ipt-server.sh
@@ -0,0 +1,37 @@
+echo "setting server network..."
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4
deleted file mode 100644
index 568455a..0000000
--- a/core/conf/iptables/net.v4
+++ /dev/null
@@ -1,111 +0,0 @@
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*security
-:INPUT ACCEPT [4559:2307887]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [4459:962215]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*raw
-:PREROUTING ACCEPT [18446:3412851]
-:OUTPUT ACCEPT [4467:962535]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*nat
-:PREROUTING ACCEPT [13936:1107904]
-:INPUT ACCEPT [49:2940]
-:OUTPUT ACCEPT [504:40037]
-:POSTROUTING ACCEPT [504:40037]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:ACCEPTLOG - [0:0]
-:DROPLOG - [0:0]
-:REJECTLOG - [0:0]
-:RELATED_ICMP - [0:0]
-:SYN_FLOOD - [0:0]
--A INPUT -i lo -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
--A INPUT -p icmp -j DROP
--A INPUT -p icmp -f -j DROPLOG
--A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -j DROPLOG
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -m state --state INVALID -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
--A INPUT -f -j DROPLOG
--A INPUT -j DROPLOG
--A FORWARD -p icmp -f -j DROPLOG
--A FORWARD -p icmp -j DROPLOG
--A FORWARD -m state --state INVALID -j DROP
--A FORWARD -j REJECTLOG
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -p icmp -j ACCEPT
--A OUTPUT -p icmp -f -j DROPLOG
--A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -j DROPLOG
--A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state INVALID -j DROP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -j DROPLOG
--A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A ACCEPTLOG -j ACCEPT
--A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A DROPLOG -j DROP
--A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
--A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
--A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
--A RELATED_ICMP -j DROPLOG
--A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
--A SYN_FLOOD -j DROP
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
diff --git a/core/conf/ports/mate.git b/core/conf/ports/mate.git
new file mode 100644
index 0000000..0c4e057
--- /dev/null
+++ b/core/conf/ports/mate.git
@@ -0,0 +1,7 @@
+# Collection mate
+#
+NAME=mate
+URL=git://c2.ank/mate.git
+BRANCH=develop-c34
+destination=/usr/ports/mate
+PORTS_DIR="/usr/ports"
diff --git a/core/conf/ports/mate.httpup b/core/conf/ports/mate.httpup.inactive
index 93ad84f..93ad84f 100644
--- a/core/conf/ports/mate.httpup
+++ b/core/conf/ports/mate.httpup.inactive
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index dd17b97..26a48b4 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,86 +1,39 @@
-#!/bin/sh
-#
-# /etc/rc.d/iptables: load/unload iptable rules
-#
 
-rules=/etc/iptables/net.v4
-
-iptables_clear () {
-    echo "clear all iptables tables"
-    iptables -F
-    iptables -X
-    iptables -t nat -F
-    iptables -t nat -X
-    iptables -t mangle -F
-    iptables -t mangle -X
-    iptables -t raw -F
-    iptables -t raw -X
-    iptables -t security -F
-    iptables -t security -X
-}
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
 
 case $1 in
-    start)
-        echo "starting IPv4 firewall filter table..."
-        /usr/sbin/iptables-restore ${rules}
-        ;;
-    stop)
-        iptables_clear
-        echo "stopping firewall and deny everyone..."
-        /usr/sbin/iptables -P INPUT DROP
-        /usr/sbin/iptables -P FORWARD DROP
-        /usr/sbin/iptables -P OUTPUT DROP
-
-        # Unlimited on local
-        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
-        /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
-        # log everything else and drop
-        /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
-        /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
-        /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
-        ;;
-    open)
-        iptables_clear
-        echo "outgoing Open firewall and deny everyone..."
-
-        /usr/sbin/iptables -P INPUT DROP
-        /usr/sbin/iptables -P FORWARD DROP
-        /usr/sbin/iptables -P OUTPUT ACCEPT
-
-	/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
-	/usr/sbin/iptables -t mangle -P INPUT ACCEPT
-	/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
-	/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
-	/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-
-        /usr/sbin/iptables -A OUTPUT -j ACCEPT
-
-        # Unlimited on local
-        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
-        /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
-        # Accept passive
-        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-        /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-
-        # log everything else and drop
-        /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
-        /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
-        /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
-        ;;
-
-    restart)
-        $0 stop
-        $0 start
-        ;;
-    *)
-
-        echo "usage: $0 [start|stop|restart]"
-        ;;
+	start)
+		ipt_clear
+		ipt_tables
+		case $TYPE in
+		    bridge)
+			source /etc/iptables/ipt-bridge.sh
+
+			## log everything else and drop
+			ipt_log
+
+			iptables-save > /etc/iptables/net.v4
+			;;
+		    server)
+			source /etc/iptables/iptables-conf.sh
+
+			## log everything else and drop
+			iptables_log
+
+			iptables-save > /etc/iptables/net.v4
+			;;
+		esac
+		;;
+	stop)
+
+		ipt_clear
+		;;
+	restart)
+		$0 stop
+		$0 start
+		;;
+	*)
+		echo "Usage: $0 [start|stop|restart]"
+		;;
 esac
-
-# End of file
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 86910bc..c9c60ec 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -3,8 +3,11 @@
 # /etc/rc.d/wlan: start/stop wireless interface
 #
 
-DEV=wlp7s0
+# Connection type: "DHCP" or "static"
+#TYPE="DHCP"
+TYPE="static"
 
+DEV=wlp7s0
 
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
@@ -15,6 +18,11 @@ PID_WIFI=/var/run/wpa_supplicant.pid
 OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 
+ADDR=192.168.1.67
+MASK=24
+GW=192.168.1.254
+
+
 print_status() {
 	$SSD --status --pidfile $2
 	case $? in
@@ -27,20 +35,37 @@ print_status() {
 
 case $1 in
 	start)
-		$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
-		$SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
-		RETVAL=$?
+
+		if [ "${TYPE}" = "DHCP" ]; then
+			$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+			$SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+			RETVAL=$?
+		else
+
+			/sbin/ip link set ${DEV} up
+
+			$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI 
+
+			RETVAL=$?
+
+			/sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+			/sbin/ip route add default via ${GW}
+		fi
 		;;
 	stop)
-		( $SSD --stop --retry 10 --pidfile $PID_DHCP 
-		  $SSD --stop --retry 10 --pidfile $PID_WIFI )
 
-		RETVAL=$?
-		  /sbin/ip route del default dev ${DEV}
-                  /sbin/ip route flush dev ${DEV}
-                  /sbin/ip link set ${DEV} down
-                  /sbin/ip addr flush dev ${DEV}
+		if [ "${TYPE}" = "DHCP" ]; then
+			( $SSD --stop --retry 10 --pidfile $PID_DHCP 
+			  $SSD --stop --retry 10 --pidfile $PID_WIFI )
+			RETVAL=$?
+		else
+			$SSD --stop --retry 10 --pidfile $PID_WIFI 
+			RETVAL=$?
 
+			/sbin/ip link set ${DEV} down
+			/sbin/ip route del default
+			/sbin/ip addr del ${ADDR}/${MASK} dev ${DEV}
+		fi
 		;;
 	restart)
 		$0 stop
diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile
index 71dd6f8..1c8aa8b 100644
--- a/core/conf/skel/.profile
+++ b/core/conf/skel/.profile
@@ -1,6 +1,35 @@
 export GPG_AGENT_INFO  # the env file does not contain the export statement
 export SSH_AUTH_SOCK   # enable gpg-agent for ssh
 
-export GPGKEY=8BF422F7
+export GPGKEY=XXXXXXXX
 
-#alias prodtmux="ssh srv-remote -t tmux a"
+# ssh-agent to ask only ounce for password
+SSH_ENV="$HOME/.ssh/environment"
+function start_agent {
+    echo "Initialising new SSH agent..."
+    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+    echo succeeded
+    chmod 600 "${SSH_ENV}"
+    . "${SSH_ENV}" > /dev/null
+    /usr/bin/ssh-add;
+}
+
+# Source SSH settings, if applicable
+if [ -f "${SSH_ENV}" ]; then
+    . "${SSH_ENV}" > /dev/null
+    #ps ${SSH_AGENT_PID} doesn't work under cywgin
+    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+        start_agent;
+    }
+else
+    start_agent;
+fi
+
+# Weston
+if test -z "${XDG_RUNTIME_DIR}"; then
+    export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+    if ! test -d "${XDG_RUNTIME_DIR}"; then
+        mkdir "${XDG_RUNTIME_DIR}"
+        chmod 0700 "${XDG_RUNTIME_DIR}"
+    fi
+fi