Diffstat (limited to 'core')
-rw-r--r--core/apparmor.html2
-rw-r--r--core/bash.html42
-rw-r--r--core/conf/iptables/br-lan.v4136
-rw-r--r--core/conf/iptables/ipt-bridge.sh172
-rw-r--r--core/conf/iptables/ipt-conf.sh (renamed from core/scripts/iptables-conf.sh)6
-rw-r--r--core/conf/iptables/ipt-firewall.sh (renamed from core/scripts/iptables.sh)212
-rw-r--r--core/conf/iptables/ipt-server.sh37
-rw-r--r--core/conf/iptables/net.v4111
-rw-r--r--core/conf/ports/mate.git7
-rw-r--r--core/conf/ports/mate.httpup.inactive (renamed from core/conf/ports/mate.httpup)0
-rw-r--r--core/conf/rc.d/iptables117
-rwxr-xr-xcore/conf/rc.d/wlan47
-rw-r--r--core/conf/skel/.profile33
-rw-r--r--core/configure.html2
-rw-r--r--core/dash.html2
-rw-r--r--core/exim.html2
-rw-r--r--core/hardening.html2
-rw-r--r--core/index.html8
-rw-r--r--core/install.html112
-rw-r--r--core/linux.html2
-rw-r--r--core/network.html2
-rw-r--r--core/package.html2
-rw-r--r--core/ports.html2
-rw-r--r--core/reboot.html2
-rw-r--r--core/samhain.html2
-rw-r--r--core/scripts/backup-system.sh337
-rw-r--r--core/scripts/install-core.sh7
-rw-r--r--core/scripts/setup-iso.sh4
-rw-r--r--core/scripts/setup-virtual.sh56
-rw-r--r--core/sysctl.html2
-rw-r--r--core/tmux.html2
-rw-r--r--core/toolchain.html2
-rw-r--r--core/tty-terminal.html2
33 files changed, 645 insertions, 829 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index 709f2a4..9954593 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -98,7 +98,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/bash.html b/core/bash.html
index 8e0c95e..72e746d 100644
--- a/core/bash.html
+++ b/core/bash.html
@@ -37,11 +37,41 @@
         <p>Example of ~/.profile;</p>
 
         <pre>
-        PATH=~/.composer/vendor/bin:${PATH}
-
-        export GPG_AGENT_INFO  # the env file does not contain the export statement
-        export SSH_AUTH_SOCK   # enable gpg-agent for ssh
-        </pre>
+	export GPG_AGENT_INFO  # the env file does not contain the export statement
+	export SSH_AUTH_SOCK   # enable gpg-agent for ssh
+
+	export GPGKEY=XXXXXXXX
+
+	# ssh-agent to ask only ounce for password
+	SSH_ENV="$HOME/.ssh/environment"
+	function start_agent {
+	    echo "Initialising new SSH agent..."
+	    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+	    echo succeeded
+	    chmod 600 "${SSH_ENV}"
+	    . "${SSH_ENV}" > /dev/null
+	    /usr/bin/ssh-add;
+	}
+
+	# Source SSH settings, if applicable
+	if [ -f "${SSH_ENV}" ]; then
+	    . "${SSH_ENV}" > /dev/null
+	    #ps ${SSH_AGENT_PID} doesn't work under cywgin
+	    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+		start_agent;
+	    }
+	else
+	    start_agent;
+	fi
+
+	# Weston
+	if test -z "${XDG_RUNTIME_DIR}"; then
+	    export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+	    if ! test -d "${XDG_RUNTIME_DIR}"; then
+		mkdir "${XDG_RUNTIME_DIR}"
+		chmod 0700 "${XDG_RUNTIME_DIR}"
+	    fi
+fi        </pre>
 
         <h2 id="bashrc">2.5.2.2. Bash RC</h2>
 
@@ -126,7 +156,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4
deleted file mode 100644
index 61da499..0000000
--- a/core/conf/iptables/br-lan.v4
+++ /dev/null
@@ -1,136 +0,0 @@
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*security
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*raw
-:PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
-# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:blocker - [0:0]
-:client_in - [0:0]
-:client_out - [0:0]
-:netconf_in - [0:0]
-:netconf_out - [0:0]
-:server_in - [0:0]
-:server_out - [0:0]
--A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
--A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
--A INPUT -j blocker
--A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
--A INPUT -d 10.0.0.0/8 -i br0 -j client_in
--A INPUT -i br0 -j netconf_in
--A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
--A FORWARD -j blocker
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
--A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
--A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
--A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
--A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
--A OUTPUT -j blocker
--A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
--A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
--A OUTPUT -o br0 -j netconf_out
--A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
--A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
--A blocker -s 8.8.0.0/24 -j DROP
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
--A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
--A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
--A blocker -f -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
--A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
--A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
--A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
--A blocker -j RETURN
--A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A client_in -j RETURN
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
--A client_out -j RETURN
--A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
--A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
--A netconf_in -p icmp -j ACCEPT
--A netconf_in -j RETURN
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
--A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
--A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
--A netconf_out -p icmp -j ACCEPT
--A netconf_out -j RETURN
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
--A server_in -j RETURN
--A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
--A server_out -j RETURN
-COMMIT
-# Completed on Tue Apr  3 02:25:27 2018
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
new file mode 100644
index 0000000..6ad26fa
--- /dev/null
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+echo "setting bridge ${BR_IF} network..."
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### NAT Prerouting Chain  ######
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+####### Forward Chain  ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+# Allow access from bridge to gateway wifi interface
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+
+# allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
+
+# allow input from public bridged interface facing Internet 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
+
+######## Forward TAP2 ssh, http and https  ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#
+# Tap1
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
+#
+#
+## Tap3
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
+#
+#
+# Tap1, Tap2 and Tap3 can access external https
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+
+
+
+#
+#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+#
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+#
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+#Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+  
+$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
+
+$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+#Less noise
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+
+
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+
+####### PostRouting Chain ######
+#Less noise
+#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+
+#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
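Review bot: The broad bridge accepts `-i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT` and, further down, `-i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT` match before the physdev rules that follow them, so anything sourced from ${BR_NET} is forwarded on any port and in any state and never reaches the tap2 `srv_http_out`/`srv_https_out` chains. The second rule is commented "allow output from BR_NET to external" but carries no destination, port or `--physdev-out` restriction. If per-service filtering of bridge members is intended, replace it with per-chain jumps such as `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-out ${PUB_IF} -s ${BR_NET} -j cli_https_out`, plus the matching `cli_http_out`, `cli_git_out` and `cli_ftp_out` lines. The file also expands `$IPT` and the interface variables unquoted without defining them, so a header comment such as `# Sourced after ipt-conf.sh and ipt-firewall.sh; expects IPT, BR_IF, BR_NET, WIFI_IF, WIFI_NET, PUB_IF, PUB_IP, GW and DNS` would make that dependency explicit.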
diff --git a/core/scripts/iptables-conf.sh b/core/conf/iptables/ipt-conf.sh
index 478ce08..eef0b52 100644
--- a/core/scripts/iptables-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -2,7 +2,6 @@
 TYPE=bridge
 #TYPE=server
 
-IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
 
@@ -10,6 +9,7 @@ SPAMDROPMSG="BLOCKED IP DROP"
 BR_IF="br0"
 BR_NET="10.0.0.0/8"
 GW="10.0.0.1"
+#GW="10.0.0.2"
 #DNS="10.0.0.254"
 DNS="212.55.154.174"
 
@@ -17,5 +17,5 @@ PUB_IP="10.0.0.254"
 PUB_IF="enp8s0"
 
 # private interface for virtual/internal
-#PRIV_IF="wlp7s0"
-#PRIV_NET="192.168.1.0/24"
+WIFI_IF="wlp7s0"
+WIFI_NET="192.168.1.0/24"
diff --git a/core/scripts/iptables.sh b/core/conf/iptables/ipt-firewall.sh
index 0516d94..4697de0 100644
--- a/core/scripts/iptables.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 
-source /etc/iptables/iptables-conf.sh
+IPT="/usr/sbin/iptables"
 
-iptables_clear () {
+ipt_clear () {
     echo "clear all iptables tables"
 
     iptables -F
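Review bot: With the `source /etc/iptables/iptables-conf.sh` line removed, this file no longer loads the settings its rules use, such as `${SPAMDROPMSG}` in the srv_ssh_in LOG rules further down. If a caller sources it without the config, those expansions are empty and the rules are still installed. The caller is not visible in this hunk, so I would document the contract at the top: `# Function library: source ipt-conf.sh before this file; defines ipt_clear, ipt_log and ipt_tables`. Separately, ipt_clear (which continues outside the hunk) calls bare `iptables` while the other functions use `$IPT`; using `$IPT` throughout would make the new assignment authoritative.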
@@ -61,7 +61,7 @@ iptables_clear () {
     iptables -P OUTPUT DROP
 }
 
-iptables_log () {
+ipt_log () {
     ## log everything else and drop
     $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
     $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
@@ -69,13 +69,13 @@ iptables_log () {
 }
 
 
-iptables_tables () {
+ipt_tables () {
     echo "start adding tables..."
 
     ####### blocker Chain  ######
     ## Block google dns
-    $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
-    $IPT -A blocker -s 8.8.0.0/24 -j DROP
+    #$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+    #$IPT -A blocker -s 8.8.0.0/24 -j DROP
     ## Block sync
     $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
     $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
@@ -124,7 +124,6 @@ iptables_tables () {
     $IPT -A srv_db_out -j RETURN
 
     ####### SSH Server
-
     $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
 
     $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
@@ -136,8 +135,20 @@ iptables_tables () {
 
     $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+        --update --seconds 60 --hitcount 4 --rttl \
+        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+        --hitcount 4 --rttl --name SSH -j DROP
+
+    $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A srv_ssh_in -j RETURN
+
     $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A srv_ssh_out -j RETURN
 
     ####### HTTP Server
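Review bot: The new port 22 rules do not rate-limit new connections, because the first rule both records the source and ends traversal with `-m state --state NEW -m recent --set --name SSH -j ACCEPT`, so a NEW packet never reaches the `--update --seconds 60 --hitcount 4 ... -j DROP` rule. The port 2222 rules above follow the same order and have the same problem. I would make the `--set` rule non-terminating, `$IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH`, and add `$IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -j ACCEPT` after the DROP rule. Both ports also share the list name `SSH`, so hits on one count against the other; a comment should say whether that is intended. ipt_tables starts and ends outside this hunk.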
@@ -159,14 +170,13 @@ iptables_tables () {
     $IPT -A srv_git_out -j RETURN
 
     ######## DNS Client
-    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -j ACCEPT
     $IPT -A cli_dns_out -j RETURN
-    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -j ACCEPT
     $IPT -A cli_dns_in -j RETURN
 
     ######## HTTP Client
     #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
-
     $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_http_in -j RETURN
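Review bot: Removing the state match from `cli_dns_in` makes that chain accept any UDP datagram with source port 53 to a high port, whether or not the host sent a query. The `-s ${DNS}` on the callers does not compensate, because a UDP source address can be forged. Unless conntrack was dropped for a specific reason, I would keep the inbound rule stateful: `$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT`. If the stateless form is deliberate, a comment above it should say why, for example `# stateless on purpose: <reason>`. ipt_tables starts and ends outside this hunk.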
@@ -181,11 +191,15 @@ iptables_tables () {
     $IPT -A cli_irc_out -j RETURN
 
     ######## FTP client
-
     $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_in -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+    $IPT -A cli_ftp_in -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_ftp_in -j RETURN
     $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
     $IPT -A cli_ftp_out -j RETURN
+
     ######## GIT client
     $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_git_in -j RETURN
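Review bot: The added `cli_ftp_out` rule `--sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT` allows any new outbound TCP connection between unprivileged ports, not only FTP data channels. Since `cli_ftp_out` is also jumped to from FORWARD in ipt-bridge.sh, this applies to bridged hosts as well. Passive-mode data connections are classified as RELATED when the FTP conntrack helper (nf_conntrack_ftp) is loaded, so NEW can be dropped: `$IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT`. The matching `cli_ftp_in` high-port rule could carry a comment that it exists for passive-mode data. ipt_tables starts and ends outside this hunk.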
@@ -241,180 +255,4 @@ iptables_tables () {
     $IPT -A srv_icmp -j RETURN
 }
 
-case $TYPE in
-    bridge)
-        iptables_clear
-        iptables_tables
-
-        echo "setting bridge network..."
-        echo 1 > /proc/sys/net/ipv4/ip_forward
-
-        # Unlimited on loopback
-        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
-        ####### NAT Prerouting Chain  ######
-
-        ####### Forward Chain  ######
-        $IPT -A FORWARD -j blocker
-        $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-        # Tap1 and Tap3 can access external http
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
-
-        ####### Forward TAP2 ssh, http and https  ######
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
-        #
-        #        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
-        #
-        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
-
-        # Tap1, Tap2 and Tap3 can access external https
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
-
-        #Less noise
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP
-
-        ####### Input Chain ######
-        $IPT -A INPUT -j blocker
-        #Less noise
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
-
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap3 -j srv_dns_in
-
-        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
-        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
-        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -j srv_dhcp
-
-        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
-
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-
-        ####### Output Chain ######
-        $IPT -A OUTPUT -j blocker
-
-        #Less noise
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
-
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
-
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
-
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
-        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
-        #$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
-
-        ####### PostRouting Chain ######
-        #Less noise
-        #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
-
-        #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE
-
-        ## log everything else and drop
-        iptables_log
-
-        #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-        # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
-        iptables-save > /etc/iptables/net.v4
-        exit 0
-        ;;
-
-    server)
-        iptables_clear
-        iptables_tables
-
-        echo "setting server network..."
-
-        # Unlimited on loopback
-        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
-        ####### Input Chain ######
-        $IPT -A INPUT -j blocker
-
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
-        #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
-
-
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
-	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
-
-        ####### Output Chain ######
-        $IPT -A OUTPUT -j blocker
-
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
-	#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
-
-	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
-	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
-
-        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
-	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
-
-        ## log everything else and drop
-        iptables_log
-
-        iptables-save > /etc/iptables/net.v4
-        exit 0
-
-        ;;
-    *)
-
-        echo "usage: $0 [start|stop|restart]"
-        ;;
-esac
 
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
new file mode 100644
index 0000000..225fd31
--- /dev/null
+++ b/core/conf/iptables/ipt-server.sh
@@ -0,0 +1,37 @@
+echo "setting server network..."
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+#$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+#$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
+
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
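Review bot: The second INPUT group jumps to `srv_ssh_in` and `srv_git_in` with only `-i ${PUB_IF} -d ${PUB_IP}`, right after rules that send the same traffic to the same chains only for `-s ${BR_NET}`. Unless those chains filter by source themselves (they are defined outside this hunk), the `-s ${BR_NET}` restriction has no effect and SSH and git are accepted from any source on the public interface. If administration is meant to be bridge-network only, drop the two unrestricted lines; otherwise add a comment such as `# ssh/git intentionally open to all sources` so the duplication is not read as a mistake. The file also depends on `$IPT`, `PUB_IF`, `PUB_IP`, `DNS` and `BR_NET` already being set, so a header comment like `# sourced fragment: expects ipt-conf.sh to be loaded first` would document that.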
diff --git a/core/conf/iptables/net.v4 b/core/conf/iptables/net.v4
deleted file mode 100644
index 568455a..0000000
--- a/core/conf/iptables/net.v4
+++ /dev/null
@@ -1,111 +0,0 @@
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*security
-:INPUT ACCEPT [4559:2307887]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [4459:962215]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*raw
-:PREROUTING ACCEPT [18446:3412851]
-:OUTPUT ACCEPT [4467:962535]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*nat
-:PREROUTING ACCEPT [13936:1107904]
-:INPUT ACCEPT [49:2940]
-:OUTPUT ACCEPT [504:40037]
-:POSTROUTING ACCEPT [504:40037]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
-# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-:ACCEPTLOG - [0:0]
-:DROPLOG - [0:0]
-:REJECTLOG - [0:0]
-:RELATED_ICMP - [0:0]
-:SYN_FLOOD - [0:0]
--A INPUT -i lo -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
--A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
--A INPUT -p icmp -j DROP
--A INPUT -p icmp -f -j DROPLOG
--A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A INPUT -p icmp -j DROPLOG
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
--A INPUT -m state --state INVALID -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
--A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
--A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
--A INPUT -f -j DROPLOG
--A INPUT -j DROPLOG
--A FORWARD -p icmp -f -j DROPLOG
--A FORWARD -p icmp -j DROPLOG
--A FORWARD -m state --state INVALID -j DROP
--A FORWARD -j REJECTLOG
--A OUTPUT -o lo -j ACCEPT
--A OUTPUT -p icmp -j ACCEPT
--A OUTPUT -p icmp -f -j DROPLOG
--A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT
--A OUTPUT -p icmp -j DROPLOG
--A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state INVALID -j DROP
--A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -j DROPLOG
--A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A ACCEPTLOG -j ACCEPT
--A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A DROPLOG -j DROP
--A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options
--A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
--A REJECTLOG -j REJECT --reject-with icmp-port-unreachable
--A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
--A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
--A RELATED_ICMP -j DROPLOG
--A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
--A SYN_FLOOD -j DROP
-COMMIT
-# Completed on Sat Feb 25 18:34:17 2017
diff --git a/core/conf/ports/mate.git b/core/conf/ports/mate.git
new file mode 100644
index 0000000..0c4e057
--- /dev/null
+++ b/core/conf/ports/mate.git
@@ -0,0 +1,7 @@
+# Collection mate
+#
+NAME=mate
+URL=git://c2.ank/mate.git
+BRANCH=develop-c34
+destination=/usr/ports/mate
+PORTS_DIR="/usr/ports"
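Review bot: `URL=git://c2.ank/mate.git` uses the plain git protocol, which provides neither transport encryption nor server authentication, so nothing on this path verifies that the port tree received is the one that was published. Ports from this collection are later built and installed, so it is worth switching the scheme to `https://` or an ssh remote if the host offers one (whether it does is not visible here). Failing that, pin and verify a signed tag or commit after fetching. `destination` is also lower-case while the other keys are upper-case; a comment naming the driver that reads this file would show whether that spelling is required.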
diff --git a/core/conf/ports/mate.httpup b/core/conf/ports/mate.httpup.inactive
index 93ad84f..93ad84f 100644
--- a/core/conf/ports/mate.httpup
+++ b/core/conf/ports/mate.httpup.inactive
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index dd17b97..26a48b4 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,86 +1,39 @@
-#!/bin/sh
-#
-# /etc/rc.d/iptables: load/unload iptable rules
-#
 
-rules=/etc/iptables/net.v4
-
-iptables_clear () {
-    echo "clear all iptables tables"
-    iptables -F
-    iptables -X
-    iptables -t nat -F
-    iptables -t nat -X
-    iptables -t mangle -F
-    iptables -t mangle -X
-    iptables -t raw -F
-    iptables -t raw -X
-    iptables -t security -F
-    iptables -t security -X
-}
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
 
 case $1 in
-    start)
-        echo "starting IPv4 firewall filter table..."
-        /usr/sbin/iptables-restore ${rules}
-        ;;
-    stop)
-        iptables_clear
-        echo "stopping firewall and deny everyone..."
-        /usr/sbin/iptables -P INPUT DROP
-        /usr/sbin/iptables -P FORWARD DROP
-        /usr/sbin/iptables -P OUTPUT DROP
-
-        # Unlimited on local
-        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
-        /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
-        # log everything else and drop
-        /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
-        /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
-        /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
-        ;;
-    open)
-        iptables_clear
-        echo "outgoing Open firewall and deny everyone..."
-
-        /usr/sbin/iptables -P INPUT DROP
-        /usr/sbin/iptables -P FORWARD DROP
-        /usr/sbin/iptables -P OUTPUT ACCEPT
-
-	/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
-	/usr/sbin/iptables -t mangle -P INPUT ACCEPT
-	/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
-	/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
-	/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-
-        /usr/sbin/iptables -A OUTPUT -j ACCEPT
-
-        # Unlimited on local
-        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
-        /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
-
-        # Accept passive
-        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-        /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
-
-        # log everything else and drop
-        /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
-        /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
-        /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-
-        ;;
-
-    restart)
-        $0 stop
-        $0 start
-        ;;
-    *)
-
-        echo "usage: $0 [start|stop|restart]"
-        ;;
+	start)
+		ipt_clear
+		ipt_tables
+		case $TYPE in
+		    bridge)
+			source /etc/iptables/ipt-bridge.sh
+
+			## log everything else and drop
+			ipt_log
+
+			iptables-save > /etc/iptables/net.v4
+			;;
+		    server)
+			source /etc/iptables/iptables-conf.sh
+
+			## log everything else and drop
+			iptables_log
+
+			iptables-save > /etc/iptables/net.v4
+			;;
+		esac
+		;;
+	stop)
+
+		ipt_clear
+		;;
+	restart)
+		$0 stop
+		$0 start
+		;;
+	*)
+		echo "Usage: $0 [start|stop|restart]"
+		;;
 esac
-
-# End of file
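Review bot: The `server)` branch sources `/etc/iptables/iptables-conf.sh` and calls `iptables_log`, but this commit renames `iptables-conf.sh` to `ipt-conf.sh` and adds `ipt-server.sh`, and the `bridge)` branch calls `ipt_log`. If the old names are gone (ipt-firewall.sh is outside this hunk), `start` with TYPE=server loads neither the server rules nor the log-and-drop tail, and `iptables-save` then writes that incomplete ruleset to `/etc/iptables/net.v4`. The lines were probably meant to be `source /etc/iptables/ipt-server.sh` and `ipt_log`. The hunk also removes `#!/bin/sh` while adding `source`, which is not a POSIX sh builtin, so a first line of `#!/bin/bash` would pin the interpreter. A `*)` arm in `case $TYPE` that prints an error would keep an unset or misspelled TYPE from silently leaving only what `ipt_clear` and `ipt_tables` set up.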
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 86910bc..c9c60ec 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -3,8 +3,11 @@
 # /etc/rc.d/wlan: start/stop wireless interface
 #
 
-DEV=wlp7s0
+# Connection type: "DHCP" or "static"
+#TYPE="DHCP"
+TYPE="static"
 
+DEV=wlp7s0
 
 SSD=/sbin/start-stop-daemon
 PROG_DHCP=/sbin/dhcpcd
@@ -15,6 +18,11 @@ PID_WIFI=/var/run/wpa_supplicant.pid
 OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 
+ADDR=192.168.1.67
+MASK=24
+GW=192.168.1.254
+
+
 print_status() {
 	$SSD --status --pidfile $2
 	case $? in
@@ -27,20 +35,37 @@ print_status() {
 
 case $1 in
 	start)
-		$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
-		$SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
-		RETVAL=$?
+
+		if [ "${TYPE}" = "DHCP" ]; then
+			$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI && \
+			$SSD --start --pidfile $PID_DHCP --exec $PROG_DHCP -- $OPTS_DHCP
+			RETVAL=$?
+		else
+
+			/sbin/ip link set ${DEV} up
+
+			$SSD --start --pidfile $PID_WIFI --exec $PROG_WIFI -- $OPTS_WIFI 
+
+			RETVAL=$?
+
+			/sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast +
+			/sbin/ip route add default via ${GW}
+		fi
 		;;
 	stop)
-		( $SSD --stop --retry 10 --pidfile $PID_DHCP 
-		  $SSD --stop --retry 10 --pidfile $PID_WIFI )
 
-		RETVAL=$?
-		  /sbin/ip route del default dev ${DEV}
-                  /sbin/ip route flush dev ${DEV}
-                  /sbin/ip link set ${DEV} down
-                  /sbin/ip addr flush dev ${DEV}
+		if [ "${TYPE}" = "DHCP" ]; then
+			( $SSD --stop --retry 10 --pidfile $PID_DHCP 
+			  $SSD --stop --retry 10 --pidfile $PID_WIFI )
+			RETVAL=$?
+		else
+			$SSD --stop --retry 10 --pidfile $PID_WIFI 
+			RETVAL=$?
 
+			/sbin/ip link set ${DEV} down
+			/sbin/ip route del default
+			/sbin/ip addr del ${ADDR}/${MASK} dev ${DEV}
+		fi
 		;;
 	restart)
 		$0 stop
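Review bot: In the static `stop` branch, `/sbin/ip route del default` has no `dev` or `via` qualifier and runs after `/sbin/ip link set ${DEV} down`. By then routes through the interface have normally been dropped already, so the command can fail or remove a default route that belongs to another interface. The removed code scoped the deletion with `dev ${DEV}`; keeping that scope and running it before the link goes down, as `/sbin/ip route del default via ${GW} dev ${DEV}`, leaves other routes alone. In the static `start` branch `RETVAL` reflects only the wpa_supplicant start, so a failed `ip addr add` or `ip route add` is still reported as success. The `case` block continues outside this hunk.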
diff --git a/core/conf/skel/.profile b/core/conf/skel/.profile
index 71dd6f8..1c8aa8b 100644
--- a/core/conf/skel/.profile
+++ b/core/conf/skel/.profile
@@ -1,6 +1,35 @@
 export GPG_AGENT_INFO  # the env file does not contain the export statement
 export SSH_AUTH_SOCK   # enable gpg-agent for ssh
 
-export GPGKEY=8BF422F7
+export GPGKEY=XXXXXXXX
 
-#alias prodtmux="ssh srv-remote -t tmux a"
+# ssh-agent to ask only ounce for password
+SSH_ENV="$HOME/.ssh/environment"
+function start_agent {
+    echo "Initialising new SSH agent..."
+    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
+    echo succeeded
+    chmod 600 "${SSH_ENV}"
+    . "${SSH_ENV}" > /dev/null
+    /usr/bin/ssh-add;
+}
+
+# Source SSH settings, if applicable
+if [ -f "${SSH_ENV}" ]; then
+    . "${SSH_ENV}" > /dev/null
+    #ps ${SSH_AGENT_PID} doesn't work under cywgin
+    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
+        start_agent;
+    }
+else
+    start_agent;
+fi
+
+# Weston
+if test -z "${XDG_RUNTIME_DIR}"; then
+    export XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
+    if ! test -d "${XDG_RUNTIME_DIR}"; then
+        mkdir "${XDG_RUNTIME_DIR}"
+        chmod 0700 "${XDG_RUNTIME_DIR}"
+    fi
+fi
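Review bot: The Weston block uses `/tmp/${UID}-runtime-dir` as-is whenever it already exists, so on a multi-user host another local user can create that predictable path first and own the directory this session then uses as `XDG_RUNTIME_DIR`. `mkdir` followed by `chmod 0700` also leaves a short window with umask-derived permissions. Creating the directory with its final mode, and accepting an existing one only when it is a real directory owned by the current user, closes both gaps. Separately, `grep ${SSH_AGENT_PID}` is unquoted and matches the PID as a substring of any `ps -ef` line, so a stale environment file can be taken for a live agent. `function start_agent` is a bashism in a file that other login shells also read.

```shell
if test -z "${XDG_RUNTIME_DIR}"; then
    XDG_RUNTIME_DIR=/tmp/${UID}-runtime-dir
    if mkdir -m 0700 "${XDG_RUNTIME_DIR}" 2>/dev/null; then
        : # created here, already with its final mode
    elif test -d "${XDG_RUNTIME_DIR}" && ! test -L "${XDG_RUNTIME_DIR}" \
        && test -O "${XDG_RUNTIME_DIR}"; then
        # pre-existing, but a real directory owned by this user
        chmod 0700 "${XDG_RUNTIME_DIR}"
    else
        # path is taken by someone else: fall back to an unpredictable name
        XDG_RUNTIME_DIR=$(mktemp -d "/tmp/${UID}-runtime-XXXXXX")
    fi
    export XDG_RUNTIME_DIR
fi
```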
diff --git a/core/configure.html b/core/configure.html
index 2fadfcf..7d34bf7 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -272,7 +272,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>
diff --git a/core/dash.html b/core/dash.html
index 134616d..a273107 100644
--- a/core/dash.html
+++ b/core/dash.html
@@ -21,7 +21,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>
diff --git a/core/exim.html b/core/exim.html
index 2f93af8..23708d2 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -226,7 +226,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>
diff --git a/core/hardening.html b/core/hardening.html
index 60fea58..1455398 100644
--- a/core/hardening.html
+++ b/core/hardening.html
@@ -45,7 +45,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/index.html b/core/index.html
index 9145f3e..87330b1 100644
--- a/core/index.html
+++ b/core/index.html
@@ -2,15 +2,15 @@
 <html dir="ltr" lang="en">
     <head>
 	<meta charset='utf-8'>
-	<title>c9 Core OS</title>
+	<title>Core OS</title>
     </head>
     <body>
 
 	<a href="../index.html">Documentation Index</a>
 
-	<h1>c9 Core OS</h1>
+	<h1>Core OS</h1>
 
-	<p>c9 Core OS covers installation and configuration of
+	<p>Core OS covers installation and configuration of
 	basic functionality of Crux 3.4 Gnu\Linux operating system.
 	This documentation try's to follow Crux HandBook installation
 	method diverges, for example, by only installing and
@@ -155,7 +155,7 @@
 	<p>
 	This is part of the Hive System Documentation.
 	Copyright (C) 2018
-	c9 team.
+	Hive Team.
 	See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
 	for copying conditions.</p>
 
diff --git a/core/install.html b/core/install.html
index dfde50a..fb1a546 100644
--- a/core/install.html
+++ b/core/install.html
@@ -75,7 +75,7 @@
         installations. Partition size 128M;</p>
 
         <pre>
-        (parted) mkpart ESP fat32 4 125
+        (parted) mkpart ESP fat32 4 132
         (parted) name 2 efi
         (parted) set 2 boot on
         </pre>
@@ -83,70 +83,74 @@
         <h3>/boot</h3>
 
         <p>Boot partition. Partition with 1G provide room for kernels
-        and crux iso that can be directly boot from grub (without root
+        and bootable iso's that can be directly boot from grub (without root
         partition). Partition size 1G;</p>
 
         <pre>
-        (parted) mkpart primary ext4 125 1128
+        (parted) mkpart primary ext4 132 1132
         (parted) name 3 boot
         </pre>
 
         <h3>/</h3>
 
-        <p>Normal core crux installation root partition uses
-        approximately 2G, without /usr 200MB-500M. Minimum 2G
-        is recommended to give room to root home directory with
-        dedicated (separated) usr and var partition.
-        Partition size 4G;</p>
+        <p>Core collection installation on root partition uses
+        approximately 2G. Partition with 8G-20G is recommended
+        for a server or desktop with dedicated ports partition
+        or using only compiled packages. Partition size 20G;</p>
 
         <pre>
-        (parted) mkpart primary ext4 1128 5128
+        (parted) mkpart primary ext4 1132 21132
         (parted) name 4 root
         </pre>
 
         <h3>/var</h3>
 
         <p>Var partition is recommended 1G-5G depending on how
-        system is configured. Partition size 1G;</p>
+        system is configured. Partition size 2G;</p>
 
         <pre>
-        (parted) mkpart primary ext4 5128 6128
+        (parted) mkpart primary ext4 21132 23132
         (parted) name 5 var
         </pre>
 
-        <h3>/usr</h3>
-
-        <p>User partition with 4G-8G is recommended for a desktop
-        setup, with dedicated partition for ports. Partition size
-        8G;</p>
-
-        <pre>
-        (parted) mkpart primary ext4 6128 14128
-        (parted) name 6 usr
-        </pre>
-
         <h3>Swap (ram)</h3>
 
         <p>Swap partition general advice is to have the same size as
         memory ram, ports system will be configured to build on ram.
-        To build firefox is necessary at least 34G, swap partitions
-        will be added to lvm and this partition removed.
-        Partition size 4G;</p>
+        To build firefox is necessary at least 34G. Partition size 4G;</p>
+
+        <p>Is better to create swap partition later using
+        <a href="../tools/lvm.html">lvm</a>.</p>
 
         <pre>
-        (parted) mkpart primary linux-swap 14128 18128
-        (parted) name 3 swap
+        (parted) mkpart primary linux-swap 23132 27132
+        (parted) name 6 swap
         </pre>
 
+
         <h3>/home</h3>
 
-        <p>Home partition general advice is to fill the rest of disk
-        space. Home partition will be added later to lvm and this
-        partition removed. Fill the rest of disk space;</p>
+        <p>Home partition on desktop fill the rest of disk
+        space while on server this partition can be unnecessary.
+        Fill the rest of disk space;</p>
+
+        <p>Is better to create home partition later using
+        <a href="../tools/lvm.html">lvm</a>.</p>
+
+        <pre>
+        (parted) mkpart primary ext4 27132 100%
+        (parted) name 7 home
+        </pre>
+
+        <h3>Create filesystems</h3>
 
         <pre>
-        (parted) mkpart primary ext4 18128 100%
-        (parted) name 8 home
+        $ sudo mkfs.fat -F 32 /dev/sda2
+        $ sudo mkfs.ext4      /dev/sda3
+        $ sudo mkfs.ext4      /dev/sda4
+        $ sudo mkfs.ext4      /dev/sda5
+        $ sudo mkswap	      /dev/sda6
+        $ sudo mkfs.ext4      /dev/sda7
         </pre>
 
         <h2 id="step3">1.1.3. Prepare Install</h2>
@@ -156,41 +160,25 @@
         create file systems, install packages, configure host
         metadata and setup ports;</p>
 
-        <pre>
-        $ export CHROOT=/mnt
-        </pre>
+	<p>Export target root partition;</p>
 
-        <h3>Create filesystems</h3>
-
-        <pre>
-        $ export DEV=/dev/sda
-        </pre>
+	<pre>
+	$ export BLK_ROOT=/dev/sda
+	</pre>
 
-        <pre>
-        $ export BLK_EFI="${DEV}2"
-        $ export BLK_BOOT="${DEV}3"
-        $ export BLK_ROOT="${DEV}4"
-        $ export BLK_VAR="${DEV}5"
-        $ export BLK_USR="${DEV}6"
-        $ export BLK_SWP="${DEV}7"
-        $ export BLK_HOME="${DEV}8"
-       </pre>
+	<p>Export target root directory you want to install;</p>
 
         <pre>
-        $ sudo mkfs.fat -F 32  $BLK_EFI
-        $ sudo mkfs.ext4 $BLK_BOOT
-        $ sudo mkfs.ext4 $BLK_ROOT
-        $ sudo mkfs.ext4 $BKL_VAR
-        $ sudo mkfs.ext4 $BKL_USR
-        $ sudo mkswap $BLK_SWAP
-        $ sudo mkfs.ext4 $BKL_HOME
+        $ export CHROOT=/mnt
         </pre>
 
+	<p>If you are installing to a directory and not partitions you don't need to mount;</p>
+
         <pre>
         $ sudo mount $BLK_ROOT $CHROOT
         </pre>
 
-        <p>Create directories and mount target partitions;</p>
+        <p>Create follow directories;</p>
 
         <pre>
         $ sudo mkdir -p $CHROOT/boot
@@ -203,7 +191,11 @@
         $ sudo mkdir -p $CHROOT/tmp
         $ sudo mkdir -p $CHROOT/proc
         $ sudo mkdir -p $CHROOT/sys
+	</pre>
+
+	<p>If partition layout is different or target is a directory is not necessary to mount, create only the directories;</p>
 
+	<pre>
         $ sudo mount $BLK_BOOT $CHROOT/boot
         $ sudo mkdir -p $CHROOT/boot/efi
         $ sudo mount $BLK_EFI $CHROOT/boot/efi
@@ -211,8 +203,6 @@
         $ sudo mount $BLK_VAR $CHROOT/var
         $ sudo mkdir -p $CHROOT/var/lib/pkg
 
-        $ sudo mount $BLK_USR $CHROOT/usr
-
         $ sudo mount $BLK_HOME $CHROOT/home
         </pre>
 
@@ -226,7 +216,7 @@
         $ sudo mount -vt sysfs sysfs $CHROOT/sys
         </pre>
 
-        <p>Mount iso on target partition;</p>
+        <p>Mount iso or copy packages to target /mnt directory;</p>
 
         <pre>
         # modprobe isofs
@@ -354,7 +344,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/linux.html b/core/linux.html
index f4dd14f..670d0e7 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -858,7 +858,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/network.html b/core/network.html
index feb9765..2b94e50 100644
--- a/core/network.html
+++ b/core/network.html
@@ -445,7 +445,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/package.html b/core/package.html
index 4aa649d..bedb132 100644
--- a/core/package.html
+++ b/core/package.html
@@ -184,7 +184,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/ports.html b/core/ports.html
index 7f1cd54..32e5095 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -191,7 +191,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>
diff --git a/core/reboot.html b/core/reboot.html
index 1fae99b..505a889 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -225,7 +225,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>
diff --git a/core/samhain.html b/core/samhain.html
index f161a16..d28a6d2 100644
--- a/core/samhain.html
+++ b/core/samhain.html
@@ -257,7 +257,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh
index 9e1ed2f..7faf676 100644
--- a/core/scripts/backup-system.sh
+++ b/core/scripts/backup-system.sh
@@ -2,8 +2,9 @@
 
 ROOT_DIR=
 DEST_DIR=/root/backup
-PORT_PKG="${DEST_DIR}/crux"
-PORT_PRT="${DEST_DIR}/ports"
+DEST_SYS="${DEST_DIR}/system"
+PORT_PKG="${DEST_SYS}/packages"
+PORT_PRT="${DEST_SYS}/ports"
 DATA_CNF="${DEST_DIR}/conf"
 DATA_USR="${DEST_DIR}/user"
 DATA_SRV="${DEST_DIR}/srv"
@@ -20,164 +21,16 @@ ConfirmOrExit ()
                 echo "Aborting - you entered $CONFIRM"
                 exit
                 ;;
-            *) echo "Please enter only y or n"
-        esac
-    done
-    echo "You entered $CONFIRM. Continuing ..."
-}
-
-mkbk_coll_pkg() {
-    # backup binary packages per collection
-    col=$1
-    # make backup collection directory
-    mkdir ${PORT_PKG}/${col}
-    # for each package listed in col_name.pkg
-    while read line; do
-        # if binary package don't exist try to build
-        if [ ! -f /usr/ports/packages/${line} ]; then
-            echo "Building package: ${line};\n"
-            name=$(echo ${line} | cut -d "#" -f 1)
-            $sudo prt-get update -fr ${name}
-        fi
-
-        # if binary package exist copy to destination
-        if [ -f /usr/ports/packages/${line} ]; then
-            echo "Backing up package: ${line}"
-            echo ${line} >> ${DEST_DIR}/backup.pkg
-            cp /usr/ports/packages/${line} ${PORT_PKG}/${col}/
-        else
-            echo "Package not found: ${line}"
-            echo ${line} >> ${DEST_DIR}/${col}-notfound.pkg
-        fi
-    done < $DEST_DIR/${col}.pkg
-}
-
-mkbk_coll_ports() {
-    # backup collection ports
-    col=$1
-
-    tar --xattrs -zcpf $PORT_PRT/${col}.tar.gz \
-        --directory=$ROOT_DIR/usr/ports/${col} \
-        --exclude=.git/ \
-}
-
-mkbk_metadata() {
-
-    # archive pkgutils data
-    tar --xattrs -zcpf $DATA_CNF/pkg-db.tar.gz \
-        /var/lib/pkg/db
-
-    # must be using gwak instead of sed, xargs and echo
-    prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${DEST_DIR}/installed.pkg
-
-    # make list and copy installed core packages
-    prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${DEST_DIR}/core.pkg
-
-    prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $DEST_DIR/opt.pkg
-
-    prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $DEST_DIR/contrib.pkg
-
-    prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $DEST_DIR/xorg.pkg
-
-    prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $DEST_DIR/other.pkg
-
-}
-
-mkbk_etc_conf() {
-
-    tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \
-        --directory=$ROOT_DIR/etc \
-        .
-
-    tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \
-        --directory=$ROOT_DIR/usr/etc \
-        .
-}
-
-mkbk_srv_www() {
-
-    # backup web data first stop php and nginx
-
-    for pkg_www in ${ROOT_DIR}/srv/www/*; do
-        if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then
-            pkg_back="${DATA_SRV}/www"
-            if [ ! -d ${pkg_back} ]; then
-                mkdir -p ${pkg_back}
-            fi
-            bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz"
-            exc="${pkg_www}/backup_deploy"
-            tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www}
-        fi
-    done
-}
-
-mkbk_srv_pgsql() {
-
-    # backup database data first dump all databases
-
-    pkg_back="${DATA_SRV}/pgsql"
-    if [ ! -d ${pkg_back} ]; then
-        mkdir -p ${pkg_back}
-    fi
-    pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz
-
-    tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \
-        ${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \
-        ${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \
-        ${ROOT_DIR}/srv/pgsql/data/postgresql.conf
-}
-
-mkbk_srv_gitolite() {
-
-    # backup gitolite repositories
-
-    pkg_back="${DATA_SRV}/gitolite"
-    if [ ! -d ${pkg_back} ]; then
-        mkdir -p ${pkg_back}
-    fi
-
-    tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \
-        --directory=${ROOT_DIR}/srv/gitolite \
-        .
-}
-
-mkbk_user_metadata() {
-
-    for dir in /home/*; do
-        if [ "${dir}" != "/home/lost+found" ]; then
-            user=$(basename $dir)
-            tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \
-                $dir/.bash_profile \
-                $dir/.bashrc \
-                $dir/.config \
-                $dir/.gitconfig \
-                $dir/.gnupg \
-                $dir/.irssi \
-                $dir/.lynxrc \
-                $dir/.mutt \
-                $dir/.netrc \
-                $dir/.profile \
-                $dir/.spectrwm.conf \
-                $dir/.ssh \
-                $dir/.tmux.conf \
-                $dir/.vim \
-                $dir/.vimrc \
-                $dir/.xinitrc
-
-            # encript data
-            #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \
-                #    --encrypt --recipient user@host \
-                #    "${DATA_USR}/meta-${user}.tar.gz"
-
-            tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \
-                $dir/gitolite-admin
-        fi
-    done
+	*) echo "Please enter only y or n"
+esac
+done
+echo "You entered $CONFIRM. Continuing ..."
 }
 
 print_data () {
     echo "ROOT_DIR=${ROOT_DIR}"
     echo "DEST_DIR=${DEST_DIR}"
+    echo "DEST_SYS=${DEST_SYS}"
     echo "PORT_PKG=${PORT_PKG}"
     echo "PORT_PRT=${PORT_PRT}"
     echo "DATA_CNF=${DATA_CNF}"
@@ -205,11 +58,13 @@ while [ "$1" ]; do
             DEST_DIR=$2
 
             # Destination directory
-            PORT_PKG="${DEST_DIR}/crux"
-            PORT_PRT="${DEST_DIR}/ports"
-            DATA_CNF="${DEST_DIR}/conf"
-            DATA_USR="${DEST_DIR}/user"
-            DATA_SRV="${DEST_DIR}/srv"
+	    DEST_SYS="${DEST_DIR}/system"
+	    PORT_PKG="${DEST_SYS}/packages"
+	    PORT_PRT="${DEST_SYS}/ports"
+	    DATA_CNF="${DEST_DIR}/conf"
+	    DATA_USR="${DEST_DIR}/user"
+	    DATA_SRV="${DEST_DIR}/srv"
+
             shift ;;
         -h|--help)
             print_help
@@ -231,62 +86,184 @@ mkdir -p ${DATA_CNF}
 mkdir -p ${DATA_USR}
 mkdir -p ${DATA_SRV}
 
-# Light backup data
-mkbk_metadata
-mkbk_etc_conf
+# Backup system settings
+tar --xattrs -zcpf $DATA_CNF/etc.tar.gz \
+    --directory=$ROOT_DIR/etc \
+    .
+
+tar --xattrs -zcpf $DATA_CNF/usr_etc.tar.gz \
+    --directory=$ROOT_DIR/usr/etc \
+    .
 
+# User Meta Data
 while true
 do
-    echo -n "Backup user metadata ? Please confirm (y or n) :"
+    echo "Backup User Metadata ?"
+    echo "Please confirm (y or n): "
     read CONFIRM
     case $CONFIRM in
         n|N|no|NO|No) break ;;
         y|Y|YES|yes|Yes)
             echo "Accept - you entered $CONFIRM"
-            mkbk_user_metadata
+	    for dir in /home/*; do
+		if [ "${dir}" != "/home/lost+found" ]; then
+		    user=$(basename $dir)
+		    tar --xattrs -zcpf "${DATA_USR}/meta-${user}.tar.gz" \
+			$dir/.bash_profile \
+			$dir/.bashrc \
+			$dir/.config \
+			$dir/.gitconfig \
+			$dir/.gnupg \
+			$dir/.irssi \
+			$dir/.lynxrc \
+			$dir/.mutt \
+			$dir/.netrc \
+			$dir/.profile \
+			$dir/.spectrwm.conf \
+			$dir/.ssh \
+			$dir/.tmux.conf \
+			$dir/.vim \
+			$dir/.vimrc \
+			$dir/.xinitrc
+
+		    # encript data
+		    #gpg --output "${DATA_USR}/meta-${user}.tar.gz.gpg" \
+			#    --encrypt --recipient user@host \
+			#    "${DATA_USR}/meta-${user}.tar.gz"
+
+		    tar --xattrs -zcpf "${DATA_USR}/gitolite-${user}.tar.gz" \
+			$dir/gitolite-admin
+		fi
+	    done
             break
             ;;
         *) echo "Please enter only y or n"
     esac
 done
 
+# Server Data
 while true
 do
-    echo -n "Backup web services data (/srv) ? Please confirm (y or n) :"
+    echo "Backup Server Data ?"
+    echo "Please confirm (y or n): "
     read CONFIRM
     case $CONFIRM in
         n|N|no|NO|No) break ;;
         y|Y|YES|yes|Yes)
             echo "Accept - you entered $CONFIRM"
-            mkbk_srv_www
-            mkbk_srv_pgsql
-            mkbk_srv_gitolite
+
+	    # backup web data first stop php and nginx
+	    for pkg_www in ${ROOT_DIR}/srv/www/*; do
+		if [[ ! $(ls ${pkg_www} | grep -v "backup_deploy") = "" ]]; then
+		    pkg_back="${DATA_SRV}/www"
+		    if [ ! -d ${pkg_back} ]; then
+			mkdir -p ${pkg_back}
+		    fi
+		    bck_file="${pkg_back}/$(basename ${pkg_www}).tar.gz"
+		    exc="${pkg_www}/backup_deploy"
+		    tar --exclude ${exc} --xattrs -zcpf ${bck_file} ${pkg_www}
+		fi
+	    done
+
+	    # backup database data first dump all databases
+	    pkg_back="${DATA_SRV}/pgsql"
+	    if [ ! -d ${pkg_back} ]; then
+		mkdir -p ${pkg_back}
+	    fi
+	    pg_dumpall -U postgres | gzip > ${pkg_back}/cluster_dump.gz
+
+	    tar --xattrs -zcpf "${pkg_back}/pgsql-conf.tar.gz" \
+		${ROOT_DIR}/srv/pgsql/data/pg_hba.conf \
+		${ROOT_DIR}/srv/pgsql/data/pg_ident.conf \
+		${ROOT_DIR}/srv/pgsql/data/postgresql.conf
+
+
+	    # backup gitolite repositories
+	    pkg_back="${DATA_SRV}/gitolite"
+	    if [ ! -d ${pkg_back} ]; then
+		mkdir -p ${pkg_back}
+	    fi
+
+	    tar --xattrs -zcpf "${pkg_back}/gitolite.tar.gz" \
+		--directory=${ROOT_DIR}/srv/gitolite \
+		.
+
             break
             ;;
         *) echo "Please enter only y or n"
     esac
 done
 
-
+# Port System
 while true
 do
-    echo -n "Backup port system ? Please confirm (y or n) :"
+    echo "Backup Port System ?" 
+    echo "Please confirm (y or n) :"
     read CONFIRM
     case $CONFIRM in
         n|N|no|NO|No) break ;;
         y|Y|YES|yes|Yes)
             echo "Accept - you entered $CONFIRM"
-            mkbk_coll_ports "core"
-            mkbk_coll_pkg "core"
-            mkbk_coll_ports "opt"
-            mkbk_coll_pkg "opt"
-            mkbk_coll_ports "contrib"
-            mkbk_coll_pkg "contrib"
-            mkbk_coll_ports "xorg"
-            mkbk_coll_pkg "xorg"
-            mkbk_coll_pkg "other"
+
+	    # archive pkgutils data
+	    tar --xattrs -zcpf $DEST_SYS/pkg-db.tar.gz \
+		/var/lib/pkg/db
+
+	    # archive ports data
+	    tar --xattrs -zcpf $DEST_SYS/etc_ports.tar.gz \
+		    --directory=/etc/ports \
+		    .	
+
+	    METADATA=${DEST_SYS}/meta-data
+	    mkdir -p $METADATA
+
+	    # must be using gwak instead of sed
+ 	    prt-get listinst -v | sed 's/ /#/g' | sed 's/$/.pkg.tar.gz/g' > ${METADATA}/all-installed.pkg 
+
+	    for filename in /etc/ports/*.git; do
+	    	source $filename
+
+		# backup ports collection
+		echo "Backing up collection: $NAME"
+		tar --xattrs -zcpf $PORT_PRT/${NAME}-ports.tar.gz \
+		--directory=$ROOT_DIR/usr/ports/${NAME} \
+		--exclude=.git/ \
+		.
+
+
+		# create list of installed packages 
+		prt-get printf "%i %p %n\n" | grep "yes /usr/ports/${NAME}" | cut -d " " -f 3 > ${METADATA}/${NAME}-installed.pkg
+
+		# backup collection packages
+		while read line; do
+			echo "Backing up package: ${NAME}/${line}"
+			# get installed version not version on ports
+			PACKAGE="$(cat ${METADATA}/all-installed.pkg | grep "^${line}#")"
+			if [ ! -f /usr/ports/packages/${PACKAGE} ]; then
+				echo "Building package: ${PACKAGE};\n"
+				sudo prt-get update -fr -if -is ${line}
+				(cd /usr/ports/${NAME}/${line} \
+				       	&& sudo pkgmk -uf)
+			fi
+
+			if [ -f /usr/ports/packages/${PACKAGE} ]; then
+				echo ${PACKAGE} >> ${METADATA}/${NAME}-backup.pkg
+				#cp /usr/ports/packages/${PACKAGE} ${PORT_PKG}/${NAME}/
+				tar rvf ${PORT_PKG}/${NAME}.tar \
+					--directory=/usr/ports/packages \
+					${PACKAGE}
+			else
+				echo "Package $PORT_NAME not found: ${line}"
+				echo ${PACKAGE} >> ${METADATA}/${NAME}-notfound.pkg
+			fi
+		done < ${METADATA}/${NAME}-installed.pkg
+	    done
             break
             ;;
         *) echo "Please enter only y or n"
     esac
 done
+
+RELEASE_NAME=$(basename ${DEST_DIR})
+cd $(dirname ${DEST_DIR}) && tar -zcpf  ${RELEASE_NAME}.tar.gz ${RELEASE_NAME}/
+rm -rf ${DEST_DIR}
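Review bot: The last three lines delete the staging tree unconditionally: `rm -rf ${DEST_DIR}` runs even when the `cd` or the final `tar` failed, so a full disk leaves neither the directory nor a usable archive, and the unquoted, unchecked value comes straight from `$2`. Chain and guard it, for example `cd "$(dirname "${DEST_DIR}")" && tar -zcpf "${RELEASE_NAME}.tar.gz" "${RELEASE_NAME}/" && rm -rf -- "${DEST_DIR:?}"`. The resulting tarball also carries each user's `.gnupg`, `.ssh` and `.netrc` plus the `pg_dumpall` output while the gpg step stays commented out, so setting `umask 077` before the archives are written, or re-enabling the encryption, would be worth doing. Separately, the rebuild path runs `sudo prt-get update -fr -if -is ${line}`, which appears to skip footprint and signature checks; a backup run should not do that silently.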
diff --git a/core/scripts/install-core.sh b/core/scripts/install-core.sh
index d4d6983..9edd966 100644
--- a/core/scripts/install-core.sh
+++ b/core/scripts/install-core.sh
@@ -41,7 +41,7 @@ install_core() {
         done
     fi
 
-    tar xf "${PORT_PKG}/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd
+    tar xf "${PORT_PKG}/core/pkgutils#5.40-7.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}/pkgadd
 
     chmod +x ${CHROOT}/pkgadd
 
@@ -55,7 +55,8 @@ install_core() {
     while read line; do
         pkg=${PORT_PKG}/core/${line}
         echo "Installing ${pkg};\n"
-        ${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg}
+        #${CHROOT}/pkgadd -f -r ${CHROOT} ${pkg}
+        pkgadd -f -r ${CHROOT} ${pkg}
     done < ${CORE_LS}
 
     rm ${CHROOT}/pkgadd
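Review bot: Switching the loop to the host's `pkgadd` leaves the copy extracted to `${CHROOT}/pkgadd` unused, while the neighbouring lines still extract it from the pinned pkgutils package, `chmod +x` it and `rm` it. Either drop that extraction or keep using the pinned binary; as written the install depends on whichever `pkgadd` is first in `PATH`, presumably while running as root, and the commented-out line gives no reason for the change. If the host tool is intended, replace the dead line with a comment such as `# use host pkgadd: <reason>` and quote the arguments: `pkgadd -f -r "${CHROOT}" "${pkg}"`. `install_core` begins and ends outside this hunk.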
@@ -67,7 +68,7 @@ install_core() {
 
 install_packages() {
     echo "Installing $CHROOT/media/crux/opt/fakeroot"
-    $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/fakeroot#*
+    $CHROOT/usr/bin/pkgadd -f -r $CHROOT ${CHROOT}/media/crux/opt/fakeroot#*
     echo "Installing $CHROOT/media/crux/opt/dbus"
     $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/media/crux/opt/dbus#*
     echo "Installing $CHROOT/media/crux/opt/expat"
diff --git a/core/scripts/setup-iso.sh b/core/scripts/setup-iso.sh
index ddad787..ebcd043 100644
--- a/core/scripts/setup-iso.sh
+++ b/core/scripts/setup-iso.sh
@@ -2,6 +2,7 @@
 
 # location of iso and md5 file
 ISO_DIR="/usr/ports/iso"
+MOUNT_POINT="/mnt/media"
 
 ISO_FILE="${ISO_DIR}/crux-3.4.iso"
 MD5_FILE="${ISO_DIR}/crux-3.4.md5"
@@ -70,7 +71,7 @@ mount_iso() {
 
     modprobe isofs
     modprobe loop
-    mount -o loop $ISO_FILE /media
+    mount -o loop $ISO_FILE $MOUNT_POINT
 }
 
 print_data() {
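Review bot: The new `mount -o loop $ISO_FILE $MOUNT_POINT` line expands both variables unquoted, and nothing in the visible lines creates `/mnt/media`, which unlike `/media` may not exist on a fresh host. The image is a download that, judging by `MD5_FILE`, is checked only against an MD5 sum, so mounting it with restrictive options is cheap hardening: `mkdir -p "$MOUNT_POINT"` followed by `mount -o loop,ro,nosuid,nodev "$ISO_FILE" "$MOUNT_POINT"`. `mount_iso` starts above the hunk, so the directory may already be created there.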
@@ -80,6 +81,7 @@ print_data() {
     echo "md5 file: ${MD5_FILE}"
     echo "iso url: ${ISO_URL}"
     echo "md5 url: ${MD5_URL}"
+    echo "mount point: ${MOUNT_POINT}"
 }
 
 print_help() {
diff --git a/core/scripts/setup-virtual.sh b/core/scripts/setup-virtual.sh
index 2b27a9f..3583bb6 100644
--- a/core/scripts/setup-virtual.sh
+++ b/core/scripts/setup-virtual.sh
@@ -20,45 +20,51 @@ ConfirmOrExit ()
 }
 
 DEV_NAME=${1}
+IMG=${2}.qcow2
+SIZE=${3}
 CHROOT="/mnt"
 DEV="/dev/${DEV_NAME}"
 
+echo "/srv/qemu/img/${IMG}"
+echo "${SIZE}"
 echo "DEV_NAME=${DEV_NAME}"
 echo "DEV=${DEV}"
 echo "CHROOT=${CHROOT}"
 
 ConfirmOrExit
 
+#qemu-img create -f qcow2 example.qcow2 20G
+qemu-img create -f qcow2 /srv/qemu/img/${IMG} ${SIZE}
+qemu-nbd -c ${DEV} /srv/qemu/img/${IMG}
+
 parted --script ${DEV} \
-        mklabel gpt \
-        unit mib \
-        mkpart primary 1 3 \
-        set 1 bios_grub on \
-        name 1 grub \
-        mkpart ESP fat32 3 59 \
-        set 2 boot on \
-        name 2 efi \
-        mkpart primary ext4 103 200 \
-        name 3 boot \
-        mkpart primary linux-swap 200 456 \
-        name 4 swap \
-        mkpart primary ext4 456 3700 \
-        name 5 root \
-        mkpart primary ext4 3700 4000 \
-        name 6 var \
-        mkpart primary ext4 4000 100% \
-        name 7 home
+    mklabel gpt \
+    unit mib \
+    mkpart primary 2 4 \
+    name 1 grub \
+    mkpart ESP fat32 4 128 \
+    name 2 efi \
+    mkpart primary ext4 128 1128 \
+    name 3 boot \
+    mkpart primary ext4 1128 12128 \
+    name 4 root \
+    mkpart primary ext4 12128 14128 \
+    name 5 var \
+    mkpart primary ext4 14128 100% \
+    name 6 lvm \
+    set 1 bios_grub on \
+    set 2 boot on \
+    set 6 lvm on
 
 kpartx -a -s -l -u ${DEV}
 
 mkfs.fat -F 32  /dev/mapper/${DEV_NAME}p2
 mkfs.ext4       /dev/mapper/${DEV_NAME}p3
-mkswap          /dev/mapper/${DEV_NAME}p4
+mkfs.ext4       /dev/mapper/${DEV_NAME}p4
 mkfs.ext4       /dev/mapper/${DEV_NAME}p5
-mkfs.ext4       /dev/mapper/${DEV_NAME}p6
-mkfs.ext4       /dev/mapper/${DEV_NAME}p7
+pvcreate	/dev/mapper/${DEV_NAME}p6
 
-mount /dev/mapper/${DEV_NAME}p5 $CHROOT
+mount /dev/mapper/${DEV_NAME}p4 $CHROOT
 mkdir -p $CHROOT/proc
 mkdir -p $CHROOT/sys
 mkdir -p $CHROOT/dev
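Review bot: None of the new steps is checked, so when `qemu-nbd -c ${DEV}` fails (module not loaded, device already attached) the `parted --script`, `mkfs` and `pvcreate` calls still run against whatever `/dev/${DEV_NAME}` happens to be. `$1`, `$2` and `$3` are also used unvalidated and unquoted: an empty `$2` yields `/srv/qemu/img/.qcow2`, and `qemu-img create` is pointed at that path with no check for an existing image. Validating the arguments and stopping on the first failure, as sketched below, closes both gaps; the `nbd` pattern assumes only nbd devices are intended now that the script attaches the image itself.

```shell
DEV_NAME=${1}
# … unchanged: IMG, SIZE, CHROOT and DEV assignments …

case "${DEV_NAME}" in
    nbd[0-9]*) ;;
    *) echo "DEV_NAME must be an nbd device, got '${DEV_NAME}'" >&2; exit 1 ;;
esac
if [ -z "${2}" ] || [ -z "${SIZE}" ]; then
    echo "usage: $0 DEV_NAME IMAGE_NAME SIZE" >&2
    exit 1
fi
if [ -e "/srv/qemu/img/${IMG}" ]; then
    echo "image already exists: /srv/qemu/img/${IMG}" >&2
    exit 1
fi

# … unchanged: echo summary and ConfirmOrExit …

qemu-img create -f qcow2 "/srv/qemu/img/${IMG}" "${SIZE}" || exit 1
qemu-nbd -c "${DEV}" "/srv/qemu/img/${IMG}" || exit 1
```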
@@ -69,8 +75,4 @@ mount /dev/mapper/${DEV_NAME}p3 $CHROOT/boot
 mkdir -p $CHROOT/boot/efi
 mount /dev/mapper/${DEV_NAME}p2 $CHROOT/boot/efi
 mkdir -p $CHROOT/var
-mount /dev/mapper/${DEV_NAME}p6 $CHROOT/var
-mkdir -p $CHROOT/home
-mount /dev/mapper/${DEV_NAME}p7 $CHROOT/home
-
-
+mount /dev/mapper/${DEV_NAME}p5 $CHROOT/var
diff --git a/core/sysctl.html b/core/sysctl.html
index b871158..525a6cf 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -618,7 +618,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/tmux.html b/core/tmux.html
index d6bc2c5..b94253d 100644
--- a/core/tmux.html
+++ b/core/tmux.html
@@ -110,7 +110,7 @@
         <p>
         This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/toolchain.html b/core/toolchain.html
index 0ed64bc..57113fd 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -176,7 +176,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
 
diff --git a/core/tty-terminal.html b/core/tty-terminal.html
index 2696119..6eb08d3 100644
--- a/core/tty-terminal.html
+++ b/core/tty-terminal.html
@@ -74,7 +74,7 @@
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
         Copyright (C) 2018
-        c9 team.
+        Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
     </body>