Diffstat (limited to 'core/conf')
-rw-r--r--core/conf/fstab21
-rw-r--r--core/conf/iptables/iptables-lan.sh377
-rw-r--r--core/conf/pkgmk.conf14
-rw-r--r--core/conf/pkgmk.conf.harden94
-rw-r--r--core/conf/ports.conf1
-rw-r--r--core/conf/ports/c9-ports.git7
-rw-r--r--core/conf/ports/compat-32.pub2
-rw-r--r--core/conf/ports/contrib.git7
-rw-r--r--core/conf/ports/contrib.pub2
-rw-r--r--core/conf/ports/core.git7
-rw-r--r--core/conf/ports/core.pub2
-rwxr-xr-xcore/conf/ports/drivers/git47
-rwxr-xr-xcore/conf/ports/drivers/httpup27
-rwxr-xr-xcore/conf/ports/drivers/rsync143
-rw-r--r--core/conf/ports/opt.git6
-rw-r--r--core/conf/ports/opt.pub2
-rw-r--r--core/conf/ports/xorg.git6
-rw-r--r--core/conf/ports/xorg.pub2
-rw-r--r--core/conf/prt-get.conf6
-rw-r--r--core/conf/skel/.tmux.conf6
20 files changed, 603 insertions, 176 deletions
diff --git a/core/conf/fstab b/core/conf/fstab
index d3fc878..99fead9 100644
--- a/core/conf/fstab
+++ b/core/conf/fstab
@@ -19,14 +19,17 @@
 
 # End of file
 #/dev/sda3 on / type ext4 (rw,relatime,data=ordered)
-#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / 		ext4	ro,relatime,data=ordered			0	1
 /dev/sda3  				   / 		ext4	defaults,noatime,ro				0	1
 devpts                 		           /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
-UUID=3b408790-65e1-4638-9591-7ba61f266913  /boot	ext4	defaults,ro,noatime		  		0	0
-UUID=962D-0DE1				   /boot/efi	vfat	ro,noauto,umask=0077      			0	0  
-UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237  /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
-UUID=20bd3948-0877-4192-af52-ad87d6f96db0  /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
-UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	defaults,ro,nodev,errors=remount-ro		0	0
-pkgmk                                      /usr/ports/work tmpfs   size=30G,gid=101,uid=100,defaults 		0 	0
-UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	defaults,nodev,errors=remount-ro		0	0
-UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4    defaults,nodev,nosuid,errors=remount-ro		0	0
+none                                       /sys/kernel/security securityfs defaults                             0       0
+devpts                 		           /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+shm                   			   /dev/shm	tmpfs	defaults                                        0       0
+tmp                                        /tmp         tmpfs   defaults,noatime,nosuid,nodev,noexec,size=128M  0       0
+UUID=3b408790-65e1-4638-9591-7ba61f266913  /boot	ext4	defaults,ro,noatime		  		0	2
+UUID=962D-0DE1				   /boot/efi	vfat	ro,noauto,umask=0077      			0	2
+UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237  /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	2
+UUID=20bd3948-0877-4192-af52-ad87d6f96db0  /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	2
+UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	defaults,ro,nodev,errors=remount-ro		0	2
+pkgmk                                      /usr/ports/work tmpfs   size=30G,gid=101,uid=100,defaults 		0       2
+UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	defaults,nodev,errors=remount-ro		0	2
+UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4    defaults,nodev,nosuid,errors=remount-ro		0	2
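Review bot: The new `/dev/shm` entry on the `shm` line mounts with bare `defaults`, so this world-writable tmpfs stays suid-, device- and exec-capable while `/tmp` one line below is hardened with `nosuid,nodev,noexec`; give it the same treatment, `defaults,nosuid,nodev,noexec`, optionally with a `size=` cap. The added `devpts` line is a verbatim duplicate of the unchanged `devpts` context line just above it, so `mount -a` will try to mount devpts twice; drop one of them. The `pkgmk` tmpfs line is the only pseudo-filesystem entry that keeps fsck pass `2` in the last field, and there is no `fsck.tmpfs`, so a boot-time `fsck -A` will error on it; set it to `0` as the `tmp`, `shm` and `securityfs` lines already do.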
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
index 491bc3b..32a6ef5 100644
--- a/core/conf/iptables/iptables-lan.sh
+++ b/core/conf/iptables/iptables-lan.sh
@@ -146,13 +146,16 @@
 IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
-PUB_IF="wlp7s0"
-DHCP_SERV="192.168.1.1"
-PUB_IP="192.168.1.33"
-PRIV_IF="br0"
+# public interface to network/internet
+BR_IF="br0"
+BR_IP="10.0.0.254"
+BR_NET="10.0.0.0/8"
+GW="10.0.0.1"
 
-modprobe ip_conntrack
-modprobe ip_conntrack_ftp
+# private interface for virtual/internal
+WIFI_IF="wlp7s0"
+WIFI_NET="192.168.1.0/24"
+#PRI_IP="192.168.1.33"
 
 echo "Stopping ipv4 firewall and deny everyone..."
 
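Review bot: The comments above `BR_IF` ("public interface to network/internet") and `WIFI_IF` ("private interface for virtual/internal") look swapped relative to what the rest of the script does: the only NAT rule later in the file masquerades on `-o ${WIFI_IF}`, which is the uplink role, while `br0` carries the `10.0.0.0/8` bridge the hosts live on. If wlp7s0 really is the route to the internet, swap the two comments so the next reader does not audit the rule set against the wrong mental model. `GW` is defined here but not referenced anywhere in the shown diff, and `WIFI_NET` is only used in commented-out rules; either mark them `# unused, kept for the wifi rules below` or remove them.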
@@ -166,171 +169,237 @@ iptables -t raw -F
 iptables -t raw -X
 iptables -t security -F
 iptables -t security -X
-
-
-echo "Starting ipv4 firewall filter table..."
+iptables -N blocker
+
+iptables -N netconf_in
+iptables -N netconf_out
+iptables -N server_in
+iptables -N server_out
+iptables -N client_in
+iptables -N client_out
+
+iptables -N srv_dns_in
+iptables -N srv_dns_out
+iptables -N cli_dns_in
+iptables -N cli_dns_out
+iptables -N cli_http_in
+iptables -N cli_http_out
 
 # Set Default Rules
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-# Unlimited on local
-$IPT -A INPUT -i lo -j ACCEPT
-$IPT -A OUTPUT -o lo -j ACCEPT
-
-# Block sync
-$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
-$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-
-# Block Fragments
-$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
-$IPT -A INPUT -f -j DROP
-
-# Block bad stuff
-$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-
-$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
-$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
-
-$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
-$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-
-$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
-$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
-
-$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
-$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+####### blocker Chain  ######
+## Block google dns
+$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+$IPT -A blocker -s 8.8.0.0/24 -j DROP
+## Block sync
+$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
+## Block Fragments
+$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A blocker -f -j DROP
+$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+## Return to caller
+$IPT -A blocker -j RETURN
+
+######## DNS Server
+#echo "server_in chain: Allow input to DNS Server"
+$IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A srv_dns_in -j RETURN
+#echo "srv_dns_out chain: Allow output from DNS server"
+$IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPT -A srv_dns_out -j RETURN
+
+######## DNS Client
+echo "cli_dns_out chain: Allow output to DNS server"
+$IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A cli_dns_out -j RETURN
+echo "cli_dns_in chain: Allow input from DNS Server"
+$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A cli_dns_in -j RETURN
+
+######## HTTP Client
+$IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A cli_http_in -j RETURN
+#echo "Allow to HTTP server"
+$IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A cli_http_out -j RETURN
+
+####### server input Chain  ######
+#echo "server_in chain: Allow to VNC Server"
+#$IPT -A server_in -p tcp --dport 5900:5910 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow to DataBase Server"
+$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow to SSH server"
+$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow input to HTTPS Server"
+$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow input to HTTP Server"
+$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow output from GIT server"
+$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+## Return to caller
+$IPT -A server_in -j RETURN
+
+####### server output Chain  ######
+echo "server_out chain: Allow output from GIT server"
+$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+echo "server_out chain: Allow output from https server"
+$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+echo "server_out chain: Allow output from http server"
+$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+echo "server_out chain: Allow output from SSH server"
+$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "server_out chain: Allow output from Data Base server"
+$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from VNC server"
+#$IPT -A server_out -p tcp --sport 5900:5910 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+## Return to caller
+$IPT -A server_out -j RETURN
+
+####### client input Chain  ######
+echo "client_in chain: Allow input from IRC server"
+$IPT -A client_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from FTP server"
+$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from GIT server"
+$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from POP3S server"
+$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from SMTPS server"
+$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from HTTPS server"
+$IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from SSH Server"
+$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from GPG key Server"
+$IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A client_in -j RETURN
+
+####### client output Chain  ######
+echo "client_out chain: Allow output to IRC  server"
+$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to FTP server"
+$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to GIT server"
+$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to POP3S server"
+$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to SMTPS server"
+$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to HTTPS server"
+$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to SSH server"
+$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to GPG key Server"
+$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A client_out -j RETURN
+
+####### netconf input Chain  ######
+echo "netconf_in chain: Allow DHCP protocol"
+$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT
+echo "netconf_in chain: Allow RIP protocol for ${BR_NET}"
+$IPT -A netconf_in -p udp --sport 520 --dport 520 -j ACCEPT
+#echo "netconf chain: Allow ICMP from ${BR_NET}"
+#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT
+echo "netconf_in chain: Allow ICMP from all"
+$IPT -A netconf_in -p icmp -j ACCEPT
+
+## Return to caller
+$IPT -A netconf_in -j RETURN
+
+
+####### netconf output Chain  ######
+echo "netconf_out chain: Allow output from DHCP server"
+$IPT -A netconf_out -p udp --sport 67 --dport 68 -j ACCEPT
+echo "netconf_out chain: Allow RIP protocol for ${BR_NET}"
+$IPT -A netconf_out -p udp --sport 520 --dport 520 -j ACCEPT
+#echo "netconf chain: Allow ICMP output to ${BR_NET}"
+#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT
+echo "netconf chain: Allow ICMP output to all"
+$IPT -A netconf_out -p icmp -j ACCEPT
+
+## Return to caller
+$IPT -A netconf_out -j RETURN
+
+############################################################
+#
+# Start adding rules tables
+#
 
-$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+echo "Starting ipv4 firewall tables..."
 
-##### Add your AP rules below ######
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT
 
+#modprobe ip_conntrack
+#modprobe ip_conntrack_ftp
 echo 1 > /proc/sys/net/ipv4/ip_forward
 
-$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
-$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
-
-$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
-$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
-$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+####### Forward Chain  ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+$IPT -A FORWARD -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+$IPT -A INPUT -i ${BR_IF} -j netconf_in
+$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d ${BR_IP} -j server_in
+#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j client_in
+#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j cli_dns_in
+#$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j client_in
 #
-##### Server rules below ######
-
-#echo "Allow ICMP"
-$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT
-
-#echo "Allow DNS Server"
-#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53  -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT
-
-echo "Allow HTTP and HTTPS server"
-#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-
-#echo "Allow ssh server"
-#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-
-##### Add your rules below ######
-
-echo "Allow DNS Client"
-
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+##$IPT -A INPUT -i ${WIFI_IF} -j server_in
+#$IPT -A INPUT -i ${WIFI_IF} -j netconf_in
 
-$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+$IPT -A OUTPUT -o ${BR_IF}  -j netconf_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j server_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j client_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j client_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j cli_dns_out
 
-echo "Allow Whois Client"
+#$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -j client_out
 
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -A OUTPUT -o ${WIFI_IF} -j server_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j netconf_out
 
-echo "Allow HTTP Client"
+####### PostRouting Chain ######
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j MASQUERADE
 
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-echo "Allow Rsync Client"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
-
-echo "Allow POP3S Client"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
-
-echo "Allow SMTPS Client"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
-
-echo "Allow NTP Client"
-$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-echo "Allow IRC Client"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT
-
-echo "Allow Active FTP Client"
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-echo "Allow Git"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT
-
-echo "Allow ssh client"
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A INPUT  -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-
-#echo "Allow Passive Connections"
-$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-
-# echo "Allow FairCoin"
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
-# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
-# 
-# echo "Allow Dashcoin"
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
-# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
-# 
-# echo "Allow warzone2100"
-# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
-# 
-# echo "Allow wesnoth"
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
-# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
-
-##### END your rules ############
-# Less log of known traffic
-
-# RIP protocol
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
-
-# DHCP
-$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT
-
-# log everything else and drop
-$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+## log everything else and drop
 $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
 $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
+$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 exit 0
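Review bot: The "Block google dns" rules in the `blocker` chain match `-s 8.8.0.0/24`, which covers 8.8.0.0–8.8.0.255 and therefore never matches 8.8.8.8 or 8.8.4.4, and because they test only `-s` they would at best drop replies, never the outgoing query on OUTPUT/FORWARD; use `8.8.8.0/24` and `8.8.4.0/24` with both `-s` and `-d` variants if the intent is to stop hosts from using Google DNS. On the INPUT side no rule jumps to `client_in` (both `-j client_in` lines are commented out) while OUTPUT still jumps to `client_out`, so every connection this host opens to the LAN (443, 22/2222, 995, 9418 …) has its replies dropped by policy and logged by the final `INPUT` LOG rule. The simplest repair is one `$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` right after the `-j blocker` jump, which also makes most per-port `ESTABLISHED` rules in the `*_in` chains redundant. The FTP client rules (`--dport 21`) will additionally stall on the data channel now that `modprobe ip_conntrack_ftp` is commented out and the old "Allow Passive Connections" rules are gone; either load `nf_conntrack_ftp` again or drop FTP from `client_out`.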
diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 6949fa7..94bc9df 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,11 +2,10 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
 
-export CPPFLAGS="-D_FORTIFY_SOURCE=2"
-export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
+export CFLAGS="-O2 -g -march=x86-64 -pipe"
 export CXXFLAGS="${CFLAGS}"
-export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
-export MAKEFLAGS="-j4"
+
+# export MAKEFLAGS="-j2"
 
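Review bot: The new `export CFLAGS="-O2 -g -march=x86-64 -pipe"` line drops every hardening flag the old file carried — `-D_FORTIFY_SOURCE=2`, `-fstack-protector-strong`, `-fPIE`/`-pie`, `-fno-plt` and `-z,relro,-z,now` — so packages built with this default configuration come out without fortify, stack protector, PIE or full RELRO. If that is intentional because the hardened set now lives in `pkgmk.conf.harden`, state it in the header so nobody mistakes this for the hardened profile: `# No hardening flags here; build with pkgmk.conf.harden for FORTIFY/SSP/PIE/RELRO`. Otherwise the flag removal should be reverted rather than silently shipped in the default config. `-g` also adds debug info to every build, which is presumably stripped again unless `PKGMK_NO_STRIP` is set, so it is worth a comment if debug packages are the goal.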
 case ${PKGMK_ARCH} in
 	"64"|"")
@@ -23,11 +22,12 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
-#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
-#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(http://c9.root.sx/ports/distfiles/)
+# PKGMK_SOURCE_DIR="$PWD"
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
+# PKGMK_PACKAGE_DIR="$PWD"
 PKGMK_PACKAGE_DIR="/usr/ports/packages"
+# PKGMK_WORK_DIR="$PWD/work"
 PKGMK_WORK_DIR="/usr/ports/work/$name"
 # PKGMK_DOWNLOAD="no"
 # PKGMK_IGNORE_FOOTPRINT="no"
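Review bot: The commented mirror on the `#PKGMK_SOURCE_MIRRORS=` line switches the scheme to plain `http://` for `c9.root.sx`, while the removed entries and the new `pkgmk.conf.harden` use `https://` for the same host. Whoever uncomments it will fetch distfiles in the clear, leaving the per-port checksum/signature check as the only defence against a substituted tarball; keep it as `#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)` so the line is safe to enable as-is. With every mirror commented out pkgmk presumably falls back to the upstream URLs in each Pkgfile, which deserves a one-line comment if that is the intended default.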
diff --git a/core/conf/pkgmk.conf.harden b/core/conf/pkgmk.conf.harden
new file mode 100644
index 0000000..ad95d65
--- /dev/null
+++ b/core/conf/pkgmk.conf.harden
@@ -0,0 +1,94 @@
+#
+# /etc/pkgmk.conf: pkgmk(8) configuration
+#
+# ONLY FOR x86 64 PROCESSORS
+CUSTOMVERSION=8
+
+W_CFLAGS="-Wall -Wextra -Wno-inline -Wundef -Wformat=2 -Wformat-security -Wformat-nonliteral -Wlogical-op -Wsign-compare -Wmissing-include-dirs -Wold-style-definition -Wpointer-arith -Winit-self -Wdeclaration-after-statement -Wfloat-equal -Wsuggest-attribute=noreturn -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wmissing-declarations -Wmissing-noreturn -Wshadow -Wendif-labels -Wstrict-aliasing=2 -Wwrite-strings -Wno-long-long -Wno-overlength-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Werror=overflow -Wdate-time -Wnested-externs"
+
+#-ffast-math -fno-common -fdiagnostics-show-option -fno-strict-aliasing -fvisibility=hidden -ffunction-sections -fdata-sections -ffat-lto-objects
+H_CFLAGS="-g -O1 -march=x86-64 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
+
+CFLAGS="${W_CFLAGS} ${H_CFLAGS} -fPIC -fPIE -pie"
+CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CPPFLAGS="-O1 -Wp,-D_FORTIFY_SOURCE=2"
+#--as-needed -Wl,--no-undefined -Wl,--gc-sections -Wl
+LDFLAGS="-fPIC -fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+
+
+PIC_CFLAGS="${W_FLAGS} ${H_CFLAGS} -fPIC"
+PIC_CXXFLAGS="${PIC_CFLAGS} -D_FORTIFY_SOURCE=2"
+PIC_LDFLAGS="-fPIC -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+
+export MAKEFLAGS="-j$(nproc)"
+
+case ${name} in
+
+	"keyutils")
+                export CFLAGS=" ${H_CFLAGS} -fPIC -fPIE -pie -g -O1 -march=x86-64 -pipe"
+                export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+        ;;
+	"grub2")
+                export CFLAGS="${W_CFLAGS} -g -O1 -march=x86-64 -pipe"
+                export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+                export LDFLAGS=""
+                ;;
+        "grub2-efi")
+                export CFLAGS="${W_CFLAGS} -g -O1 -march=x86-64 -pipe"
+                export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+                export LDFLAGS=""
+                ;;
+	"gcc")
+    		export CFLAGS="-g -O2 -march=x86-64 -pipe -fPIC -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
+    		export CXXFLAGS="${CFLAGS}"
+    		export CPPFLAGS="${H_CPPFLAGS}"
+    		export LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+		;;
+	"glibc")
+       		export CFLAGS="${CFLAGS} -fno-plt -fstack-check"
+		export CXXFLAGS="${CFLAGS}"
+		export CPPFLAGS="-O1"
+		export LDFLAGS=""
+		;;
+        "libcap")
+                export CFLAGS="${PIC_CFLAGS}"
+		export CXXFLAGS="${PIC_CXXFLAGS}"
+		export LDFLAGS="${PIC_LDFLAGS}"
+                ;;
+        "mdadm")
+                export CFLAGS="${PIC_CFLAGS}"
+		export CXXFLAGS="${PIC_CXXFLAGS}"
+		export LDFLAGS="${PIC_LDFLAGS}"
+                ;;
+	"openssl")
+         	export CFLAGS="${PIC_CFLAGS}"
+		export CXXFLAGS="${PIC_CXXFLAGS}"
+		export LDFLAGS="${PIC_LDFLAGS}"
+		;;
+esac
+
+case ${PKGMK_ARCH} in
+	"64"|"")
+		;;
+	*)
+		echo "Unknown architecture selected! Exiting."
+		exit 1
+		;;
+esac
+
+#PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
+PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
+PKGMK_SOURCE_DIR="/srv/ports/distfiles"
+PKGMK_PACKAGE_DIR="/srv/ports/packages"
+PKGMK_WORK_DIR="/srv/ports/work/$name"
+# PKGMK_DOWNLOAD="no"
+# PKGMK_IGNORE_FOOTPRINT="no"
+# PKGMK_IGNORE_NEW="no"
+# PKGMK_NO_STRIP="no"
+# PKGMK_DOWNLOAD_PROG="wget"
+# PKGMK_WGET_OPTS=""
+# PKGMK_CURL_OPTS=""
+# PKGMK_COMPRESSION_MODE="gz"
+
+# End of file
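Review bot: `PIC_CFLAGS` on the `PIC_CFLAGS="${W_FLAGS} ${H_CFLAGS} -fPIC"` line references `W_FLAGS`, but the warning set above is named `W_CFLAGS`, so the expansion is empty and `libcap`, `mdadm` and `openssl` build without any of the `-Wformat-security`/`-Werror=overflow` diagnostics this file exists to enforce; the `gcc` arm has the same problem with `${H_CPPFLAGS}`, which is never defined, leaving gcc with an empty `CPPFLAGS` and no `_FORTIFY_SOURCE`. Fix both with `PIC_CFLAGS="${W_CFLAGS} ${H_CFLAGS} -fPIC"` and a definition such as `H_CPPFLAGS="-Wp,-D_FORTIFY_SOURCE=2"` next to `H_CFLAGS`. The `glibc` arm inherits `-fPIE -pie`, `-Werror=overflow` and the full warning set from the top-level `CFLAGS`, which is unusual for a libc build and worth a comment if it has been verified. Running `shellcheck` on this file would have flagged both undefined references (SC2154).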
diff --git a/core/conf/ports.conf b/core/conf/ports.conf
new file mode 100644
index 0000000..4420813
--- /dev/null
+++ b/core/conf/ports.conf
@@ -0,0 +1 @@
+PORTS_DIR=/usr/ports
diff --git a/core/conf/ports/c9-ports.git b/core/conf/ports/c9-ports.git
new file mode 100644
index 0000000..392f77f
--- /dev/null
+++ b/core/conf/ports/c9-ports.git
@@ -0,0 +1,7 @@
+# Collection core
+#
+NAME=c9-ports
+URL=git://c9.root.sx/c9-ports.git
+BRANCH=develop
+destination=/usr/ports/c9-ports
+PORTS_DIR="/usr/ports"
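Review bot: `URL=git://c9.root.sx/c9-ports.git` uses the unauthenticated git protocol, and the git driver added in this commit updates with `git reset --hard origin/<branch>` without any commit or tag verification, so an on-path attacker can hand over a modified tree whose Pkgfiles pkgmk later executes as root; unless the signify keys shipped alongside (`*.pub`) are checked against every port before build — which this diff does not show — switch the remote to `https://` or SSH. The header comment `# Collection core` does not match `NAME=c9-ports` and looks copied from `core.git`; make it `# Collection c9-ports`. `BRANCH=develop` tracks a development branch for a system-wide collection, which deserves a comment if intentional.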
diff --git a/core/conf/ports/compat-32.pub b/core/conf/ports/compat-32.pub
new file mode 100644
index 0000000..4ef53cc
--- /dev/null
+++ b/core/conf/ports/compat-32.pub
@@ -0,0 +1,2 @@
+untrusted comment: compat-32 public key
+RWSwxGo/zH7eXV9L7s9BhT4ZBQ6YLE+iWPkJ190GTTiP6IBBTC0XJOrM
diff --git a/core/conf/ports/contrib.git b/core/conf/ports/contrib.git
new file mode 100644
index 0000000..d9c0a7d
--- /dev/null
+++ b/core/conf/ports/contrib.git
@@ -0,0 +1,7 @@
+# Collection core
+#
+NAME=contrib
+URL=git://c9.root.sx/c9-contrib.git
+BRANCH=develop
+destination=/usr/ports/contrib
+PORTS_DIR="/usr/ports"
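Review bot: The header comment `# Collection core` on the first line does not match `NAME=contrib`; it looks copied from `core.git` and should read `# Collection contrib`. The `git://` remote has the same exposure as the other collection files in this commit: the transport is unauthenticated and the driver resets hard to whatever `origin/develop` serves, so prefer `https://c9.root.sx/c9-contrib.git` if the server offers it.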
diff --git a/core/conf/ports/contrib.pub b/core/conf/ports/contrib.pub
new file mode 100644
index 0000000..81d31e5
--- /dev/null
+++ b/core/conf/ports/contrib.pub
@@ -0,0 +1,2 @@
+untrusted comment: contrib public key
+RWSagIOpLGJF3/J2edPyOdE4VWoyvvVvt3gdvOArUkvBrgSHjsBEdmrS
diff --git a/core/conf/ports/core.git b/core/conf/ports/core.git
new file mode 100644
index 0000000..3e23528
--- /dev/null
+++ b/core/conf/ports/core.git
@@ -0,0 +1,7 @@
+# Collection core
+#
+NAME=core
+URL=git://c9.root.sx/c9-core.git
+BRANCH=develop
+destination=/usr/ports/core
+PORTS_DIR="/usr/ports"
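Review bot: `URL=git://c9.root.sx/c9-core.git` fetches the core collection — the ports that build the base system — over the unauthenticated git protocol, and the driver in this commit resets hard to `origin/develop` with no verification, so this file is the one where an `https://` or SSH remote matters most. `BRANCH=develop` on a core collection also means every `ports -u` follows unreleased work; if that is deliberate, add `# tracks the development branch on purpose` so it is not "fixed" to a release branch by accident.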
diff --git a/core/conf/ports/core.pub b/core/conf/ports/core.pub
new file mode 100644
index 0000000..a09d3ac
--- /dev/null
+++ b/core/conf/ports/core.pub
@@ -0,0 +1,2 @@
+untrusted comment: core public key
+RWRJc1FUaeVeqsGlEPc66dguintWWomCSORUNseged62IATuMVCK0zu6
diff --git a/core/conf/ports/drivers/git b/core/conf/ports/drivers/git
new file mode 100755
index 0000000..654a8c7
--- /dev/null
+++ b/core/conf/ports/drivers/git
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# /etc/ports/drivers/git: git driver script for ports(8)
+#
+
+if [ $# -ne 1 ]; then
+	echo "usage: $0 <file>" >&2
+	exit 1
+fi
+
+. $1
+
+if [ -z "$URL" ]; then
+	echo "URL not set in '$1'" >&2
+	exit 2
+fi
+if [ -z "$NAME" ]; then
+	echo "NAME not set in '$1'" >&2
+	exit 2
+fi
+if [ -z "$BRANCH" ]; then
+	echo "BRANCH not set in '$1'" >&2
+	exit 2
+fi
+
+REPOSITORY="$PORTS_DIR/$NAME"
+if [ -n "$LOCAL_REPOSITORY" ]; then
+	REPOSITORY="$LOCAL_REPOSITORY"
+fi
+
+echo "Fetching updates from $URL"
+echo "Updating collection $NAME"
+
+cd "$REPOSITORY" 2> "/dev/null"
+
+if [ $? -lt 1 ]; then
+	git checkout -q "$BRANCH"
+	git fetch -q
+	git diff --pretty=format: --name-status "$BRANCH" origin/"$BRANCH" | sed "s/M\t/ Edit /g; s/A\t/ Checkout /g; s/D\t/ Delete /g" | sort
+	git clean -q -f
+	git reset -q --hard origin/"$BRANCH"
+else
+	git clone -q -b "$BRANCH" "$URL" "$REPOSITORY"
+	ls -1 $REPOSITORY | sed "s/^/ Checkout /"
+fi
+
+echo "Finished successfully"
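Review bot: `REPOSITORY="$PORTS_DIR/$NAME"` is built from `PORTS_DIR` without the emptiness check that `URL`, `NAME` and `BRANCH` receive just above it, and the script never reads `/etc/ports.conf` itself, so a collection file that omits `PORTS_DIR` (and sets no `LOCAL_REPOSITORY`) makes the clone land in `/<NAME>` at the filesystem root; add `if [ -z "$PORTS_DIR" ] && [ -z "$LOCAL_REPOSITORY" ]; then echo "PORTS_DIR not set in '$1'" >&2; exit 2; fi` before it. `cd "$REPOSITORY" 2> "/dev/null"` followed by `if [ $? -lt 1 ]` reads more clearly as `if cd "$REPOSITORY" 2>/dev/null; then`, and `. $1` and `ls -1 $REPOSITORY` should be quoted. Note also that the update path runs `git fetch` plus `git reset -q --hard origin/"$BRANCH"` with no signature or commit verification, so the integrity of the ports tree rests entirely on the transport chosen in the collection file.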
diff --git a/core/conf/ports/drivers/httpup b/core/conf/ports/drivers/httpup
new file mode 100755
index 0000000..5c8db84
--- /dev/null
+++ b/core/conf/ports/drivers/httpup
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# /etc/ports/drivers/httpup: httpup driver script for ports(8)
+# 
+
+if [ $# -ne 1 ]; then
+        echo "usage: $0 <file>" >&2
+        exit 1
+fi
+
+. $1
+
+if [ -z "$ROOT_DIR" ]; then
+	echo "ROOT_DIR not set in '$1'" >&2
+	exit 2
+fi
+if [ -z "$URL" ]; then
+	echo "URL not set in '$1'" >&2
+	exit 2
+fi
+
+for REPO in $URL; do
+    PORT=`echo $REPO | sed -n '/#.*$/s|^.*#||p'`
+    httpup sync $REPO $ROOT_DIR/$PORT
+done
+
+# End of file.
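Review bot: in the `for REPO in $URL` loop, `PORT` is empty whenever an entry carries no `#name` suffix, so `httpup sync` is pointed at `$ROOT_DIR/` itself rather than a subdirectory; such entries should be rejected instead of synced into the root. Parameter expansion does the extraction without the backtick/sed pipeline and makes the check explicit: `PORT=${REPO##*#}` followed by `[ "$PORT" != "$REPO" ] || { echo "no '#name' suffix in '$REPO'" >&2; exit 2; }`. The `httpup` call should also quote its arguments (`httpup sync "$REPO" "$ROOT_DIR/$PORT"`) and the sourced file likewise (`. "$1"`); the unquoted `$URL` in the `for` header is the one place word-splitting is intended and deserves a comment saying so.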
diff --git a/core/conf/ports/drivers/rsync b/core/conf/ports/drivers/rsync
new file mode 100755
index 0000000..14dd3e5
--- /dev/null
+++ b/core/conf/ports/drivers/rsync
@@ -0,0 +1,143 @@
+#!/usr/bin/perl
+#
+# /etc/ports/drivers/rsync: rsync(1) driver script for ports(8)
+#
+
+use warnings;
+use strict;
+use File::Basename;
+
+my $host = '';
+my $collection = '';
+my $destination = '';
+my %new_checkouts;
+my %old_checkouts;
+
+sub error
+{
+	my $message = shift;
+	print "Error: $message ($!)\nUpdating failed\n";
+	exit 1;
+}
+
+sub warning
+{
+	my $message = shift;
+	print "Warning: $message ($!)\n";
+}
+
+if ($#ARGV < 0)
+{
+	print "Usage: $0 <file>\n";
+	exit 1;
+}
+
+open(FILE, $ARGV[0]) or error("Couldn't open $ARGV[0]");
+while (<FILE>)
+{
+	chomp;
+	if    (/^host=(.*)/)        { $host = $1; }
+	elsif (/^collection=(.*)/)  { $collection = $1; }
+	elsif (/^destination=(.*)/) { $destination = $1; }
+}
+close(FILE);
+
+if ($host eq '')        { error("Host field not set in $ARGV[0]");        }
+if ($collection eq '')  { error("Collection field not set in $ARGV[0]");  }
+if ($destination eq '') { error("Destination field not set in $ARGV[0]"); }
+
+if (-e "$destination/.checkouts")
+{
+	# read the old .checkouts file into memory
+	open(FILE, "$destination/.checkouts") or error("Couldn't read checkouts from $destination/.checkouts");
+	while (<FILE>)
+	{
+		chomp;
+		$old_checkouts{$_} = 1;
+	}
+	close(FILE);
+}
+
+print "Updating file list from " . $host . "::$collection\n";
+
+# get the remote file list (new .checkouts)
+open(PIPE, 'rsync -crz --no-human-readable ' . $host . '::' . $collection . '|') or error("Couldn't open pipe to rsync");
+while (<PIPE>)
+{
+	chomp;
+
+	next if /^MOTD:/;	# ignore MOTD lines
+	s/^(.{43})//;		# ignore the first 43 characters (mode, date etc...)
+	next if /^.$/;		# ignore the . directory
+
+	$new_checkouts{$_} = 1;
+}
+close(PIPE);
+error("Running rsync failed") unless $? == 0;
+
+print "Updating collection " . basename($destination) . "\n";
+
+# now really run rsync
+open(PIPE, 'rsync -crz --no-human-readable --log-format "%o %n" ' . $host . "::$collection $destination|") or error("Couldn't open pipe to rsync");
+while (<PIPE>)
+{
+	chomp;
+
+	if (/^recv (.*)/)
+	{
+		if ($old_checkouts{$1})
+		{
+			s/^recv/ Edit/;
+		}
+		else
+		{
+			s/^recv/ Checkout/;
+		}
+	}
+
+	print $_ . "\n";
+}
+close(PIPE);
+error("Running rsync failed") unless $? == 0;
+
+# save new checkouts into .checkouts
+open(FILE, ">$destination/.checkouts") or error("Couldn't save checkouts to $destination/.checkouts");
+foreach my $checkout (sort keys %new_checkouts)
+{
+	print FILE "$checkout\n";
+}
+close(FILE);
+
+# use chroot as an additional safety measure when removing files
+chroot($destination) or error("Couldn't chroot into $destination");
+chdir('/');
+
+# iterate through old checkouts, remove obsolete files
+foreach my $checkout (sort keys %old_checkouts)
+{
+	if (!$new_checkouts{$checkout})
+	{
+		if (-f $checkout)
+		{
+			print " Delete $checkout\n";
+			unlink($checkout) or warning("Couldn't delete $checkout");
+		}
+	}
+}
+
+# iterate through old checkouts, remove obsolete directories
+foreach my $checkout (sort keys %old_checkouts)
+{
+	if (!$new_checkouts{$checkout})
+	{
+		if (-d $checkout)
+		{
+			print " Delete $checkout\n";
+			rmdir($checkout) or warning("Couldn't delete $checkout");
+		}
+	}
+}
+
+print "Finished successfully\n";
+
+# End of file
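Review bot: both `open(PIPE, 'rsync ... ' . $host ... '|')` calls (the file-list fetch and the real sync) use the two-argument pipe form, so `$host`, `$collection` and `$destination` — read from the config file through unrestricted `(.*)` captures — are handed to the shell, and any whitespace or shell metacharacter in them is reinterpreted. The list-form pipe open avoids the shell entirely: `open(my $pipe, '-|', 'rsync', '-crz', '--no-human-readable', "${host}::${collection}") or error("Couldn't open pipe to rsync");`, and the second call takes the same form with `'--out-format=%o %n'` (the current name of `--log-format`) and `$destination` appended as the final argument; the `$? == 0` check after `close` keeps working. `chdir('/')` after the `chroot` is unchecked, so if it fails the deletion loops resolve relative paths against the pre-chroot working directory — `chdir('/') or error("Couldn't chdir to /");`. The `s/^(.{43})//` column strip ties the list parser to rsync's listing layout and is worth a comment naming the rsync version it was written against.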
diff --git a/core/conf/ports/opt.git b/core/conf/ports/opt.git
new file mode 100644
index 0000000..bedc00c
--- /dev/null
+++ b/core/conf/ports/opt.git
@@ -0,0 +1,6 @@
+# Collection core
+#
+NAME=opt
+URL=git://c9.root.sx/c9-opt.git
+BRANCH=develop
+destination=/usr/ports/opt
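Review bot: the header comment `# Collection core` does not match `NAME=opt` in this file (xorg.git carries the same copied header next to `NAME=xorg`); it should read `# Collection opt` and `# Collection xorg` respectively.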
diff --git a/core/conf/ports/opt.pub b/core/conf/ports/opt.pub
new file mode 100644
index 0000000..346b688
--- /dev/null
+++ b/core/conf/ports/opt.pub
@@ -0,0 +1,2 @@
+untrusted comment: opt public key
+RWSE3ohX2g5d/Zmwm/W4S8ZzNNTjXE7bI8XmnpawKOnQ+MiVa7TD0YC9
diff --git a/core/conf/ports/xorg.git b/core/conf/ports/xorg.git
new file mode 100644
index 0000000..5123db5
--- /dev/null
+++ b/core/conf/ports/xorg.git
@@ -0,0 +1,6 @@
+# Collection core
+#
+NAME=xorg
+URL=git://c9.root.sx/c9-xorg.git
+BRANCH=develop
+destination=/usr/ports/xorg
diff --git a/core/conf/ports/xorg.pub b/core/conf/ports/xorg.pub
new file mode 100644
index 0000000..983eb51
--- /dev/null
+++ b/core/conf/ports/xorg.pub
@@ -0,0 +1,2 @@
+untrusted comment: xorg public key
+RWTSGWF5Q7TndIlWcgmz/x/4xBWLbyPRmI3LyI8rsN/iahlpFpgNIwSR
diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
index e210ca8..9683cfe 100644
--- a/core/conf/prt-get.conf
+++ b/core/conf/prt-get.conf
@@ -16,8 +16,8 @@ prtdir /usr/ports/xorg
 #prtdir /usr/ports/compat-32
 
 # the following line enables the user maintained contrib collection
-prtdir /usr/ports/6c37-dropin
-prtdir /usr/ports/6c37
+# prtdir /usr/ports/6c37-dropin
+# prtdir /usr/ports/6c37
 
 ### use mypackage form local directory
 # prtdir /home/packages/build:mypackage
@@ -50,7 +50,7 @@ runscripts yes            # (no|yes)
 ### EXPERT SECTION ###
 
 ### alternative commands
-makecommand      sudo -H -u pkgmk -g users fakeroot pkgmk
+makecommand      sudo -H -u pkgmk fakeroot pkgmk
 addcommand       sudo pkgadd
 removecommand    sudo pkgrm
 runscriptcommand sudo sh
diff --git a/core/conf/skel/.tmux.conf b/core/conf/skel/.tmux.conf
index a68ccb2..4feb9a4 100644
--- a/core/conf/skel/.tmux.conf
+++ b/core/conf/skel/.tmux.conf
@@ -1,6 +1,9 @@
 set -g default-terminal "screen-256color"
 
 set-window-option -g mode-keys vi
+bind-key -T copy-mode-vi 'v' send-keys -X begin-selection
+bind-key -T copy-mode-vi 'y' send-keys -X copy-selection-and-cancel
+
 
 # Vim style
 # copy tmux's selection buffer into the primary X selection with PREFIX+CTRL+Y
@@ -8,9 +11,6 @@ bind-key u run "tmux save-buffer - | xsel -ib"
 # copy primary X selection into tmux's selection buffer with PREFIX+CTRL+P
 bind-key e run "xsel -o | tmux load-buffer -"
 
-bind-key -t vi-copy 'v' begin-selection
-bind-key -t vi-copy 'y' copy-selection
-
 set-option -g set-titles on
 set-option -g set-titles-string '#S> #I.#P #W'