Diffstat (limited to 'tools/conf/etc')
-rw-r--r-- | tools/conf/etc/fonts/local.conf | 1542 | ||||
-rw-r--r-- | tools/conf/etc/iptables/iptables-br.sh | 318 | ||||
-rw-r--r-- | tools/conf/etc/iptables/vlan.v4 | 228 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/default.conf | 86 | ||||
-rw-r--r-- | tools/conf/etc/ssh/sshd_config | 30 |
5 files changed, 2019 insertions, 185 deletions
diff --git a/tools/conf/etc/fonts/local.conf b/tools/conf/etc/fonts/local.conf
new file mode 100644
index 0000000..64dc276
--- /dev/null
+++ b/tools/conf/etc/fonts/local.conf
@@ -0,0 +1,1542 @@
+<?xml version="1.0"?>
+<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+<fontconfig>
+
+ <!--
+ Documented at
+ http://linux.die.net/man/5/fonts-conf
+
+ To check font mapping run the command at terminal
+ $ fc-match 'helvetica Neue'
+
+ WARNING :: Droid Sans font with autohinter becomes bad, without autohinter looks great, but becomes smallish, cant help
+ even the smallish is so good, that i am using it on desktop
+
+ but cannot be used as a substitution for arial, since 12px (which is very common on websites) becomes small as if tahoma 10px
+
+ Noto sans does better in this case, can be used as arial substitution without loss of size
+ noto sans is slightly fatter than droid sans
+
+ Open sans is much fat, and open sans bold looks bad, hence we choose noto sans as the replacement for arial
+
+
+ Download the following fonts
+ Droid fonts whole sets
+
+
+ Download from google web fonts
+ open sans all styles
+ noto sans all styles
+ noto serif all styles
+ -->
+
+ <!--
+ .fonts.conf
+ release 6.3.23
+ Licensed under GNU GPL
+ ================================
+ LCD optimized 96 dpi
+ "Sharp'N'Clear" font settings
+ with emphasis on 'msttcorefonts'
+
+ tested on Ubuntu GNU/Linux 5.10
+ ================================
+ by Obi Bok
+ Gmail: obibok
+ http://linuxtuneup.blogspot.com
+ ================================
+ Why was this conceived?
+
+ - some font families look better hinted by Byte Code Interpreter (BCI)
+ while other fonts look better hinted by Auto-Hinter
+ - hinting type affects italic and bold fonts differently
+ - antialiasing needs to be adjusted according to font families and sizes
+
+ Essentially, there is no one single rule that works for all fonts.
+
+ NOTE:
+ - Verdana @ 8pt doesn't render '2' and '6' right
+ - Arial shows 'Z' distorted in Firefox 1.5
+ -->
+
+ <!--
+ Make font sizes match the dpi set in Xorg.
+
+ Increase or decrease this value if fonts are too small or too large
+ for your screen resolution.
+
+ FIXME: this only affects QT-based apps?
+ -->
+ <match target="pattern">
+ <edit name="dpi" mode="assign">
+ <double>96</double>
+ </edit>
+ </match>
+
+ <!--
+ Enable anti-aliasing.
+
+ This only works for outline and scalable fonts.
+ Bitmap and PostScript fonts do not get anti-aliased.
+
+ FIXME: is this correct?
+ -->
+ <match target="font">
+ <edit name="antialias" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ Set sub-pixel order if not detected.
+
+ "X knows the sub pixel order already, and if this is enabled as well,
+ Freetype produces some very strange results. However, if you do still
+ have problems, consider (...) 'rgb' (the standard for LCD monitors),
+ 'bgr' (unusual), 'vrgb' (vertical rgb, if you have a monitor that
+ has been rotated by 90 degrees[1]), 'vgbr' (as vrgb, but very rare)."
+ <http://www.linuxquestions.org/linux/answers/Hardware/\
+ LCD_TFT_Monitor_Configuration_in_X_Org>
+
+ Find out your LCD's sub-pixel order:
+ <http://grc.com/image/cleartype2c.gif>
+ -->
+ <match target="font">
+ <test qual="all" name="rgba" compare="eq">
+ <const>unknown</const>
+ </test>
+ <edit name="rgba" mode="assign">
+ <const>rgb</const>
+ </edit>
+ </match>
+
+ <!--
+ Sub-pixel hinting via BCI enabled by default if compiled in.
+
+ "Whole-pixel anti-aliasing does not represent a useful solution for
+ improving small point-size type. (...) By 'borrowing' sub-pixels from
+ adjacent whole pixels, we can fine-tune the placement and width of typeface
+ features with three times more horizontal accuracy then ever before!"
+ <http://grc.com/ctwhat.htm>
+ -->
+
+ <!--
+ Disable anti-aliasing for select fonts based on size and style.
+
+ | font | WinXP | Linux |
+ =========================================
+ Andale Mono IPA 14 13
+ Arial 12 13
+ Arial Black 12 -
+ Arial Narrow 14 13
+ Berling Antiqua 12 13
+ Book Antiqua 12 13
+ Bookdings 0 ?
+ Bookman Old Style 22 13
+ Century Gothic 16 16
+ Comic Sans MS 11 9/11
+ Courier New 26 22
+ Franklin Gothic Medium 12 10/12
+ Frutiger Linotype 12 10/12
+ Garamond 18 13/19
+ Georgia 12 12/13
+ Impact 16 0
+ Kartika 12 16
+ Lucida Console 12 13
+ Lucida Sans Typewriter 12 12
+ Lucida Sans Unicode 12 10/13
+ Marlett ? ?
+ Microsoft Sans Serif 12 12/13
+ Palatino Linotype 12 13
+ SylfaenARM - 13
+ Symbol 12 ?
+ Tahoma 12 12/13
+ Times New Roman 12 13
+ Trebuchet MS 12 12
+ Verdana 12 12
+ Vrinda 12 17
+ Webdings 20 ?
+ Wingdings 20 ?
+ =========================================
+
+ "The relationship of pixels to points depends on the number of pixels
+ per inch, which is typically some 'standard' value corresponding to
+ default screen fonts. For example, MS Windows has two standard sets of
+ screen fonts initially designed for IBM display systems: 'small' (VGA)
+ and 'large' (8514/A). 'Small' fonts are 96 pixels per inch, 'large' are
+ 120. Macintosh systems render type at a nominal 72 pixels per inch, i.e.
+ one pixel = one point. Some display systems using scalable screen fonts
+ allow fine tuning of pixels per inch to suit user preferences."
+ <http://www.hpaa.com/css1/pxnpts.asp>
+
+ X pt * 96 dpi / 72 dpi = Y px
+ -->
+
+ <!--
+ font group #1: normal roman anti-aliased above 10pt/13.4px
+ -->
+ <match target="font">
+
+ <test qual="any" name="family" compare="eq">
+ <string>Franklin Gothic Medium</string>
+ <string>Frutiger Linotype</string>
+ <!-- Lucida Sans Unicode has no italic and uses artificial oblique -->
+ <string>Lucida Sans Unicode</string>
+ </test>
+
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>13.4</double>
+ </test>
+
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+
+ </match>
+
+ <!--
+ font group #2: normal roman anti-aliased above 11pt/14.7px
+
+ Must use 15px instead of 14.7px for this to work in QT-based apps
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <!-- Comic Sans MS has no italic and uses artificial oblique -->
+ <string>Comic Sans MS</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>15</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #3: normal roman anti-aliased above 12pt/16px
+
+ Must use at least 16.1px instead of 16px for this to work in Firefox
+ Does not work in Chrome properly
+ In chrome 13px evalutes to 17.4px pixelsize test, funny!
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Georgia</string>
+ <string>Lucida Sans</string>
+ <string>Lucida Sans Typewriter</string>
+ <!-- Microsoft Sans Serif has no italic and uses artificial oblique -->
+ <string>Microsoft Sans Serif</string>
+ <!-- Tahoma has no italic and uses artificial oblique -->
+ <string>Tahoma</string>
+ <string>Trebuchet MS</string>
+ <string>Verdana</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>16.1</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #4: normal roman anti-aliased above 13pt/17.4px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ <string>Arial Narrow</string>
+ <string>Berling Antiqua</string>
+ <string>Book Antiqua</string>
+ <string>Bookman Old Style</string>
+ <string>Garamond</string>
+ <!-- Lucida Console has no italic and uses artificial oblique -->
+ <string>Lucida Console</string>
+ <string>Palatino Linotype</string>
+ <string>SylfaenARM</string>
+ <string>Times New Roman</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>17.4</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #5: normal roman anti-aliased above 16pt/21.4px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Century Gothic</string>
+ <string>Kartika</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>21.4</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #6: normal roman anti-aliased above 17pt/23px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Vrinda</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>23</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #7: normal roman anti-aliased above 22pt/29.4px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Courier New</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>29.4</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #8: bold roman anti-aliased above 9pt/12px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Georgia</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>12</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #9: bold roman anti-aliased above 10pt/13.4px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Tahoma</string>
+ <string>Verdana</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>13.4</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #10: bold roman anti-aliased above 12pt/16px
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Courier New</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>16</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="eq">
+ <const>roman</const>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>false</bool>
+ </edit>
+ </match>
+
+ <!--
+ Enable FreeType Auto-Hinter for select fonts.
+
+ Auto-Hinter is disabled by default if Bytecode Interpreter was compiled in.
+ Some Linux "native" fonts look better hinted by Auto-Hinter,
+ usually in sizes 11pt-13pt; others look better hinted by BCI.
+ -->
+
+ <!--
+ Set Auto-Hinter to full hinting style.
+
+ 'slight' and 'medium' hinting often produce pixel discoloration.
+
+ hintfull for all fonts by default
+ -->
+ <match target="font">
+ <edit name="hintstyle" mode="assign">
+ <const>hintfull</const>
+ </edit>
+ </match>
+
+ <!--
+ font group #11: hinted via Auto-Hinter
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Bitstream Charter</string>
+ <string>Courier 10 Pitch</string>
+ <string>DejaVu Sans Condensed</string>
+ <string>DejaVu Serif Condensed</string>
+ <string>FreeMono</string>
+ <string>FreeSans</string>
+ <string>FreeSerif</string>
+ <string>Luxi Mono</string>
+ <string>Luxi Sans</string>
+ <string>Luxi Serif</string>
+ <string>MgOpen Canonica</string>
+ <string>MgOpen Cosmetica</string>
+ <string>MgOpen Modata</string>
+ <string>MgOpen Moderna</string>
+ <string>URW Bookman L</string>
+ <string>URW Chancery L</string>
+ <string>URW Gothic L</string>
+ <string>URW Palladio L</string>
+ </test>
+
+ <edit name="autohint" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #12: normal italic hinted via Auto-Hinter at 9-10pt
+
+ Arial hinted via BCI at 9pt has distorted 'y', at 10pt - '2'
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="more_eq">
+ <double>12</double>
+ </test>
+ <test qual="any" name="pixelsize" compare="less_eq">
+ <double>13.4</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="not_eq">
+ <const>roman</const>
+ </test>
+ <edit name="autohint" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #13: normal italic hinted via Auto-Hinter at 12pt
+
+ This fixes distorted 'K'
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Book Antiqua</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="eq">
+ <double>16</double>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="not_eq">
+ <const>roman</const>
+ </test>
+ <edit name="autohint" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ font group #14: normal italic hinted via Auto-Hinter at all sizes
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <!-- 10, 11, 12 -->
+ <string>Frutiger Linotype</string>
+ <!-- 8-9: 'z', '2'; 10-15, 17, 19: 'z' -->
+ <string>Times New Roman</string>
+ <!-- 9-10: 'N' 'Q'; 12: 'w', 'C', 'D', 'O', 'Q', 'R', '2', '9', '0' -->
+ <string>Verdana</string>
+ </test>
+ <test qual="any" name="weight" compare="less_eq">
+ <const>medium</const>
+ </test>
+ <test qual="any" name="slant" compare="not_eq">
+ <const>roman</const>
+ </test>
+ <edit name="autohint" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ Set minimum allowed size to avoid illegible fonts.
+ -->
+ <!-- 7pt in QT-based apps -->
+ <match target="pattern">
+ <test qual="any" name="size" compare="less">
+ <double>7</double>
+ </test>
+ <edit name="size" mode="assign">
+ <double>7</double>
+ </edit>
+ </match>
+
+ <!-- 9.4px (7pt) in GTK-based apps -->
+ <match target="pattern">
+ <test qual="any" name="pixelsize" compare="less">
+ <double>9.4</double>
+ </test>
+ <edit name="pixelsize" mode="assign">
+ <double>9.4</double>
+ </edit>
+ </match>
+
+ <!--
+ TODO: Create rules limiting minimum sizes for these *bold* fonts:
+
+ Andale Mono | Andale Mono IPA
+ Arial
+ Arial Narrow
+ Berling Antiqua
+ Book Antiqua
+ Bookman Old Style
+ Century Gothic
+ Comic Sans MS
+ Courier New
+ Franklin Gothic Medium
+ Frutiger Linotype
+ Garamond
+ Georgia
+ Kartika
+ Lucida Console
+ Lucida Sans Typewriter
+ Lucida Sans Unicode
+ Microsoft Sans Serif
+ Palatino | Palatino Linotype
+ SylfaenARM
+ Tahoma
+ Times New Roman
+ Trebuchet MS
+ Verdana
+ Vrinda
+ -->
+
+ <!--
+ font group #15: bold fonts no smaller than 10.7px (8pt)
+
+ FIXME: for Firefox and other GTK-based apps?
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less">
+ <double>10.7</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <edit name="pixelsize" mode="assign">
+ <double>10.7</double>
+ </edit>
+ </match>
+
+ <!--
+ Anti-alias fonts with "fake" styles.
+
+ FIXME: QT only? GTK? Firefox?
+ -->
+ <!-- FIXME: dirty_hack(tm) - fontconfig reports syntax errors -->
+ <match target="font">
+ <test qual="any" name="matrix" compare="not_eq">
+ <double>0</double>
+ </test>
+ <!-- another approach - no errors but freezes Firefox 1.5 -->
+ <!--
+ <match target="font">
+ <test qual="any" name="matrix" compare="eq">
+ <name>matrix</name>
+ </test>
+ -->
+ <edit name="antialias" mode="assign">
+ <bool>true</bool>
+ </edit>
+ </match>
+
+ <!--
+ Substitute unavailable and/or unwanted fonts.
+
+ Aliases will not work if the actual fonts are installed.
+ Replacing font family works in Firefox (FIXME: and other GTK-based apps?)
+ QT-based apps also need font foundry replaced.
+ Grouping fonts for substitution doesn't work in Firefox, so we need each
+ font family replaced individually.
+ -->
+
+ <!--
+ sans-serif
+
+ "If the font still has no generic name, add sans-serif"
+ /etc/fonts.conf
+
+ Therefore, we only substitute what we need.
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Bitstream Charter</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>serif</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Bitstream Vera Sans</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>sans</string>
+ </edit>
+ </match>
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>DejaVu Sans</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>sans</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>DejaVu Sans Condensed</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <!--
+ Dont do this, overriding freesans will cause utf fonts to be come rubbish in chrome
+ -->
+ <!--
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>FreeSans</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+ -->
+ <!--
+ ON web pages if font family is like this
+
+ font-family: 'Helvetica Neue', arial, sans-serif;
+
+ google chrome will immediately move to next font, if it does not find the first, even if there are append entries
+ But firefox will take the append entry if the font does not exist :)
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Helvetica</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>Sans</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Helvetica Neue</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>Sans</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <!-- FIXME: may need to use "Lucida Bright" instead -->
+ <string>LucidaBright</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida Bright</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Luxi Sans</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>MgOpen Cosmetica</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>MgOpen Modata</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>MgOpen Moderna</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>System</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>URW Gothic L</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Arial</string>
+ </edit>
+ </match>
+
+ <!--
+ FIXME: Verdana renders characters '2' and '6' slightly distorted
+ so it will be substituted with Arial.
+
+ EDIT Silver Moon : not replacing verdana with arial.
+ hey verdana is slightly fatty, how about replacing it with open sans or noto sans
+ open sans is fattier compared to droid sans
+
+ BAH, it looks good
+
+ Open Sans is cramped at 11px with autohint = true
+ 'sa' the s and a will stick badly
+ '50' the 5 and 0 will stick badly
+
+ But 12px onwards Open Sans is better than Noto Sans
+
+ But the vote goes to noto sans for verdana replaced to maintain beauty at 11px
+
+ Another note
+ noto sans has single stroke small g , open sans has the 2 round style g
+ noto sans p is thin, open sans p is better looking
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Verdana</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Noto Sans</string>
+ </edit>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Open Sans</string>
+ </edit>
+ </match>
+
+ <!--
+ serif
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Bitstream Vera Serif</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>DejaVu Serif</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>DejaVu Serif Condensed</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Luxi Serif</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>MgOpen Canonica</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>New Century Schoolbook</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>New York</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Palatino</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Times</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>URW Bookman L</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>URW Palladio L</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Georgia</string>
+ </edit>
+ </match>
+
+ <!--
+ monospace
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Andale Mono</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>monospace</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Bitstream Vera Sans Mono</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Courier</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>monospace</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>DejaVu Sans Mono</string>
+ </test>
+ <edit name="family" mode="append" binding="same">
+ <string>monospace</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Fixedsys</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <!-- FIXME: Ubuntu Wiki uses "Lucida Typewriter" instead -->
+ <string>LucidaTypewriter</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida Typewriter</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Luxi Mono</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Monaco</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Terminal</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Courier New</string>
+ </edit>
+ </match>
+
+ <!--
+ cursive
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Apple Chancery</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Comic Sans MS</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida Handwriting</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Comic Sans MS</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>URW Chancery L</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Comic Sans MS</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Zapf Chancery</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Comic Sans MS</string>
+ </edit>
+ </match>
+
+ <!--
+ fantasy
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Copperplate</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Impact</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Desdemona</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Impact</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Kino</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Impact</string>
+ </edit>
+ </match>
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Techno</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Impact</string>
+ </edit>
+ </match>
+
+ <!--
+ Provide required aliases for standard names.
+ -->
+ <!--
+ <alias>
+ <family>sans-serif</family>
+ <prefer>
+ <family>Arial</family>
+ </prefer>
+ </alias>
+
+ <alias>
+ <family>serif</family>
+ <prefer>
+ <family>Georgia</family>
+ </prefer>
+ </alias>
+ -->
+ <!--
+ <alias>
+ <family>monospace</family>
+ <prefer>
+ <family>Courier New</family>
+ </prefer>
+ </alias>
+ -->
+ <alias>
+ <family>cursive</family>
+ <prefer>
+ <family>Comic Sans MS</family>
+ </prefer>
+ </alias>
+
+ <alias>
+ <family>fantasy</family>
+ <prefer>
+ <family>Impact</family>
+ </prefer>
+ </alias>
+
+ <!--
+ Added by Silver Moon (m00n.silv3r@gmail.com)
+ Changes focussing on Droid Sans, replacing windows old fonts like arial, courier
+ and fixing some fonts like lucida grande bold, and hindi fonts
+ -->
+
+ <!--
+ Replace arial fonts larger than 12px by droid sans
+ Works only in firefox, not in chrome
+ -->
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="more">
+ <double>12.0</double>
+ </test>
+ <edit name="family" mode="assign" binding="strong">
+ <string>droid sans</string>
+ </edit>
+ </match>
+
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less">
+ <double>13.0</double>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>noto sans</string>
+ </edit>
+ </match>
+
+
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Arial</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>noto sans</string>
+ </edit>
+ </match>
+
+ <!--
+ Replace Georgia by Noto Serif
+ -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Georgia</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Noto Serif</string>
+ </edit>
+ </match>
+
+
+ <!--
+
+ Behavioug is similar to droid sans,
+
+ WITHOUT AUTOHINTER
+
+ 1. becomes smallish, like droid sans, very small on desktop ,
+ 2. DESKTOP - HIGHLY PROPORTIONATE, HIGHLY CLEAR
+ 2. WEBPAGES - less clearer - vertical stands become hazy
+ 3. slightly less STRETCHED
+
+ WITH AUTOHINTER :
+
+ 1. very slightly STRETCHED
+ 2. CRYSTAL CLARITY on webpages,
+ 3. lesser proportionate on desktop, CLARITY KIND OF OK OK
+ 3. bold font ugly with hintfull, good with hintslight
+
+
+ Since we are using noto sans as arial replacement, hint it fully with autohinter.
+
+ hintslight will compromise clarity
+
+ thought of doing this, above 12px autohint = false
+ below 13px authint = true
+ but autohint false leads to loss of clarity, but makes width correct
+ moreover chrome does not obey pixelsize correctly
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>noto sans</string>
+ </test>
+ <edit mode="assign" name="autohint">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle">
+ <const>hintfull</const>
+ </edit>
+ </match>
+
+
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>ubuntu</string>
+ </test>
+ <edit mode="assign" name="autohint">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle">
+ <const>hintfull</const>
+ </edit>
+ </match>
+
+ <!--
+ DROID SANS
+
+ WITHOUT AUTOHINTER
+ 1.CLEARER 13px onwards
+ 2. 12px on webpages very small
+ 3. super clear at 12px
+ 4. 9pt desktop super clear, super PROPORTIONATE
+
+
+ AUTOHINT = TRUE
+ 1. LESS CLEARER
+ 2. 'n' is cramped
+ 3. 9pt desktop, slightly distorted
+ 4. 12px webpage is normal sized, but not great as noto sans with autohint = true. but better than arial
+
+
+
+ droid sans with autohinter, becomes more disproportionate on gnome, this is lesser with noto sans
+
+ in browser there is not much difference between autohint true/false
+ true leads to clarity loss
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Droid Sans</string>
+ <string>Droid Sans Mono</string>
+ </test>
+ <edit mode="assign" name="autohint">
+ <bool>false</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle">
+ <const>hintfull</const>
+ </edit>
+ </match>
+
+
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>liberation mono</string>
+ </test>
+ <edit mode="assign" name="autohint">
+ <bool>false</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle">
+ <const>hintmedium</const>
+ </edit>
+ </match>
+
+
+
+
+
+
+ <!-- time for stupid tricks for 2 stupid browsers, namely firefox and chrome -->
+ <!-- stupid trick for firefox
+ firefox obeys pixelsize but not size
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>noto sans</string>
+ </test>
+ <test qual="any" name="pixelsize" compare="less">
+ <double>16</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <edit mode="assign" name="autohint">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle" binding="weak">
+ <const>hintslight</const>
+ </edit>
+ </match>
+
+ <!--
+ stupid trick for chrome
+ chrome obeys size, but not pixelsize below 17.4 pixel
+ -->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>noto sans</string>
+ </test>
+ <test qual="any" name="size" compare="less">
+ <double>16</double>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <edit mode="assign" name="antialias">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign" name="autohint">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign" name="hintstyle" binding="weak">
+ <const>hintslight</const>
+ </edit>
+ </match>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <!-- use droid sans mono for monospace -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>monospace</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Droid Sans Mono</string>
+ </edit>
+ </match>
+
+ <!-- use droid sans mono for sans-serif -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>sans-serif</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Noto Sans</string>
+ </edit>
+ </match>
+
+ <!-- use droid sans mono for Courier New -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Courier New</string>
+ </test>
+ <edit name="family" mode="prepend" binding="same">
+ <string>Droid Sans Mono</string>
+ </edit>
+ </match>
+
+
+
+
+
+ <!-- replace times new roman with droid serif -->
+ <match target="pattern">
+ <test qual="any" name="family" compare="eq">
+ <string>Times New Roman</string>
+ <string>serif</string>
+ </test>
+
+ <edit name="family" mode="prepend" binding="same">
+ <string>Noto Serif</string>
+ </edit>
+ </match>
+
+
+ <!-- lucida grande bold, with hintfull, becomes stiff looking, with 1 part of a letter more fat than the other, therefor hintslight-->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida Grande</string>
+ </test>
+ <test qual="any" name="weight" compare="more">
+ <const>medium</const>
+ </test>
+ <edit mode="assign" name="hintstyle">
+ <const>hintslight</const>
+ </edit>
+ </match>
+
+
+ <!-- lucida grande bold, with hintfull, becomes stiff looking, with 1 part of a letter more fat than the other, therefor hintslight-->
+ <match target="font">
+ <test qual="any" name="family" compare="eq">
+ <string>Lucida Console</string>
+ </test>
+ <edit name="antialias" mode="assign">
+ <bool>true</bool>
+ </edit>
+ <edit mode="assign"
name="autohint"> + <bool>false</bool> + </edit> + <edit mode="assign" name="hintstyle"> + <const>hintfull</const> + </edit> + </match> + + <!-- + Open sans WITHOUT autohint, becomes fattish in chrome/firefox + WITH autohint, becomes crytalline, very good + but like noto sans, the bold version is not beautiful + need to fix : TODO + --> + <match target="font"> + <test compare="eq" name="family" qual="any"> + <string>Open Sans</string> + </test> + <edit mode="assign" name="autohint"> + <bool>true</bool> + </edit> + <edit mode="assign" name="hintstyle"> + <const>hintfull</const> + </edit> + </match> + + + + + <!-- + Styling for hindi fonts + Hindi (hi) + --> + <!-- force Lohit Hindi for hindi font --> + <match target="pattern"> + <test compare="eq" name="lang"> + <string>hi</string> + </test> + <edit binding="strong" mode="prepend" name="family"> + <string>Lohit Hindi</string> + </edit> + </match> + + <!-- do some antialiasing tweak for gargi and lohit hindi font --> + <match target="font"> + <test compare="eq" name="family" qual="any"> + <string>gargi</string> + <string>Lohit Hindi</string> + </test> + <edit mode="assign" name="antialias"> + <bool>true</bool> + </edit> + <edit mode="assign" name="autohint"> + <bool>true</bool> + </edit> + <edit mode="assign" name="hintstyle"> + <const>hintslight</const> + </edit> + </match> + + <!-- Replace mangal with lohit hindi, mangal is a stupid font --> + <match target="pattern"> + <test compare="eq" name="family" qual="any"> + <string>mangal</string> + </test> + <edit binding="strong" mode="assign" name="family"> + <string>Lohit Hindi</string> + </edit> + </match> + <!-- Hindi (hi) ends --> + +</fontconfig> + diff --git a/tools/conf/etc/iptables/iptables-br.sh b/tools/conf/etc/iptables/iptables-br.sh new file mode 100644 index 0000000..104e574 --- /dev/null +++ b/tools/conf/etc/iptables/iptables-br.sh 
@@ -0,0 +1,318 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+#
+# if packet reach the end of the chain or
+# a target RETURN, default policy for that
+# chain is applayed.
+#
+# Target Extensions
+#
+# AUDIT
+# CHECKSUM
+# CLASSIFY
+# DNAT
+# DSCP
+# LOG
+# Torn on kernel logging, will print some
+# some information on all matching packets.
+# Log data can be read with dmesg or syslogd.
+# This is a non-terminating target and a rule
+# should be created with matching criteria.
+#
+# --log-level level
+# Level of logging (numeric or see sys-
+# log.conf(5)
+#
+# --log-prefix prefix
+# Prefix log messages with specified prefix
+# up to 29 chars log
+#
+# --log-uid
+# Log the userid of the process with gener-
+# ated the packet
+# NFLOG
+# This target pass the packet to loaded logging
+# backend to log the packet. One or more userspace
+# processes may subscribe to the group to receive
+# the packets.
+#
+# ULOG
+# This target provides userspace logging of maching
+# packets. One or more userspace processes may then
+# then subscribe to various multicast groups and
+# then receive the packets.
+#
+#
+# Commands
+#
+# -A, --append chain rule-specification
+# -C, --check chain rule-specification
+# -D, --delete chain rule-specification
+# -D, --delete chain rulenum
+# -I, --insert chain [rulenum] rule-specification
+# -R, --replace chain rulenum rule-specification
+# -L, --list [chain]
+# -P, --policy chain target
+#
+# Parameters
+#
+# -p, --protocol protocol
+# tcp, udp, udplite, icmp, esp, ah, sctp, all
+# -s, --source address[/mask][,...]
+# -d, --destination address[/mask][,...]
+# -j, --jump target
+# -g, --goto chain
+# -i, --in-interface name
+# -o, --out-interface name
+# -f, --fragment
+# -m, --match options module-name
+# iptables can use extended packet matching
+# modules.
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+# public interface to network/internet
+PUB_IF="wlp7s0"
+DHCP_SERV="192.168.1.1"
+PUB_IP="192.168.1.33"
+NET_ADDR="192.168.1.0/24"
+# private interface for virtual/internal
+PRIV_IF="br0"
+PRIV_IP="10.0.0.1"
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+###### AP rules ######
+echo 1 > /proc/sys/net/ipv4/ip_forward
+$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+
+###### Input Chain ######
+
+# Unlimited on local
+$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+#$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT
+
+echo "Allow input from DNS Server"
+$IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from Https server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input to HTTPS Server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+#echo "Allow input from HTTP Server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from IRC server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from FTP server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from git server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from POP3S server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input from SMTPS server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+echo "Allow input to HTTP Server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+#echo "Allow input to DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+
+echo "Allow input to SSH server"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+###### Output Chain ######
+
+# Unlimited on loopback
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT
+#$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT
+
+# Unlimited on local
+$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
+
+echo "Allow output to DNS server"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+echo "Allow output to https server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -j ACCEPT
+
+echo "Allow output from https server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#echo "Allow output from http server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#echo "Allow to HTTP server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to SSH server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to ftp server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to git server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to IRC server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to SMTPS server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+echo "Allow output to POP3S server"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+## less logs
+
+echo "Drop RIP protocol"
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP
+
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
+
+## log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+#
+exit 0
diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4
index 9248630..7954521 100644
--- a/tools/conf/etc/iptables/vlan.v4
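Review bot: The two FORWARD rules under "AP rules" accept traffic in both directions unconditionally, so once ip_forward is on, any host on 192.168.1.0/24 that adds a route to 10.0.0.0/24 via 192.168.1.33 can open connections straight to the bridged guests; the public-to-private direction should be limited to replies, `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT`. The script only flushes and sets policies with `iptables`, so IPv6 is never touched; if ip6tables is left at its default ACCEPT policy on this host, the whole allowlist is bypassed over v6, and a matching `ip6tables -P INPUT DROP` (or an explicit drop of all v6) would close that. Minor: `SPAMLIST` and `SPAMDROPMSG` are assigned but never used, the two loopback rules hard-code `192.168.1.33` instead of `${PUB_IP}`, and the flush/policy block uses bare `iptables` while everything else uses `$IPT`.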
+++ b/tools/conf/etc/iptables/vlan.v4 
@@ -1,170 +1,112 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [85:6694] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [97:7863] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 +*nat +:PREROUTING ACCEPT [6:683] +:INPUT ACCEPT [2:138] +:OUTPUT ACCEPT [2:131] +:POSTROUTING ACCEPT [2:131] +COMMIT +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [8:624] +:INPUT ACCEPT [8:624] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *filter :INPUT DROP [0:0] -:FORWARD ACCEPT [0:0] +:FORWARD DROP [0:0] :OUTPUT DROP [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK 
FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# INPUT accept passive --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT - - -# Allow irc --A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow xmmp --A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT -# Allow established from https server --A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow established from http server --A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow 
established from ftp server --A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# allow ping --A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT - -# INPUT accept to dns server --A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# INPUT accept from wlp7s0 to https server +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD +-A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - --A FORWARD -i br0 -j ACCEPT - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -j DROPLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow ping --A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow 
irc +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow xmmp --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - - -# Allow to rsync server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - - --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 
1024:65535 -m state --state NEW -j ACCEPT - - --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] - --A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT --A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -#-A POSTROUTING -o wlp7s0 -j MASQUERADE - +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 4e01b88..f7c3484 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf 
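Review bot: `-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` accepts every outbound packet before the per-port OUTPUT rules, so those rules, the `-A OUTPUT -j DROPLOG` fallback and the `:OUTPUT DROP` policy only ever see INVALID packets — the egress allowlist the previous version of this file enforced is effectively gone while the ruleset still reads as if it exists. Either remove that blanket rule and keep the port-specific ones, or delete the now-dead port rules so the policy is honest. The INPUT ICMP block has the same ordering problem: `-A INPUT -p icmp -j DROP` (third rule) makes the later ESTABLISHED/RELATED/echo rules and the whole RELATED_ICMP chain unreachable, and what survives is a single `1/sec` burst-2 budget shared by every ICMP type, including redirects and the RELATED errors that path-MTU discovery depends on, which may cause stalls under load; `-A OUTPUT -p icmp -j ACCEPT` likewise makes the following OUTPUT icmp rules dead. The SYN_FLOOD chain applies one global `--limit 2/sec --limit-burst 6` to all new SYNs, so a remote sending a trickle of SYNs can keep the bucket empty and starve every other client of new connections; a per-source `hashlimit` would be the usual fix.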
@@ -1,49 +1,103 @@ - server { + +#listen 443 ssl http2; listen 443 ssl; - # listen [::]:443 ssl; +# listen 80; server_name c9.core; - root /srv/www/default; +# listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/c9.core/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/c9.core/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/c9.core/chain.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + + root /srv/www; + + location /ports/distfiles { + alias /usr/ports/distfiles; + } + + location /ports/packages { + alias /usr/ports/distfiles; + } + + location /doc { + alias /srv/www/c9-doc; + index index.html; + } - location /distfiles { - alias /usr/ports/distfiles; + location /git/static { +# static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + expires 30d; } + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - location /bug { + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } + + location /task { index index.php; - alias /srv/www/default/flyspray; + alias /srv/www/c9-flyspray; try_files $uri $uri/ index.php$is_args$args; } - location ~ ^/bug(.+\.php)$ { ### This location block was the solution - alias 
/srv/www/default/flyspray; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/c9-flyspray; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; try_files $uri /index.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } location / { - alias /srv/www/default/pmwiki/; - index pmwiki.php + alias /srv/www/c9-pmwiki/; + index pmwiki.php; try_files $uri $uri/ /pmwiki.php$is_args$args; } +# ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/c9-pmwiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location ~ \.php$ { - alias /srv/www/default/pmwiki; + alias /srv/www/c9-pmwiki; + index pmwiki.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index pmwiki.php; try_files $uri /pmwiki.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } } diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index f0619fe..cba9be5 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
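Review bot: `ssl_stapling on` / `ssl_stapling_verify on` need a `resolver` so nginx can look up the OCSP responder host; none is set in this server block, so unless `http {}` defines one, stapling is silently disabled (nginx warns at startup) and `ssl_trusted_certificate` goes unused, e.g. `resolver 127.0.0.1 valid=300s;`. The new `location /ports/packages` aliases `/usr/ports/distfiles`, identical to the `/ports/distfiles` block above it, which looks like a copy/paste slip for `/usr/ports/packages`. The ACME `location ^~ /.well-known` is only reachable on 443 because `listen 80` is commented out; the HTTP-01 challenge starts on port 80, so renewals will fail unless something else answers there or a different challenge type is used. Minor: `add_header Strict-Transport-Security` would be stronger with `includeSubDomains`, and the `/git/static` comment names `/usr/share/gitweb/static` while the alias points at `/srv/www/gitweb/static`.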
@@ -16,45 +16,28 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none -Ciphers aes256-ctr,aes192-ctr,aes128-ctr # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO LogLevel VERBOSE # Authentication: -LoginGraceTime 1m +#LoginGraceTime 2m #PermitRootLogin prohibit-password -PermitRootLogin no #StrictModes yes #MaxAuthTries 6 -MaxAuthTries 3 #MaxSessions 10 -#RSAAuthentication yes -PubkeyAuthentication yes - -AllowGroups admin users gitolite +#PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys @@ -66,23 +49,19 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes -PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no 
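Review bot: The hardening directives removed in `@@ -16,45 +16,28 @@` — `PermitRootLogin no`, `MaxAuthTries 3`, `LoginGraceTime 1m`, `PubkeyAuthentication yes` and `AllowGroups admin users gitolite` — are not replaced by anything on the new side, so the file falls back to the stock defaults shown in the commented lines, under which root may log in with a key (`prohibit-password`) and every local account is allowed to authenticate. The same happens in the next hunk (`@@ -66,23 +49,19 @@`), which drops `PasswordAuthentication no` and `ChallengeResponseAuthentication no` and thereby re-enables password and keyboard-interactive logins. Refreshing the file to the 7.5 template (dropping the protocol-1 options and the explicit `Ciphers` line) is reasonable, but the local policy lines should be carried over; at minimum re-add `PermitRootLogin no`, `AllowGroups admin users gitolite` and `PasswordAuthentication no`. If these settings are meant to live in a separate include now, that is not visible in this diff.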
@@ -116,7 +95,6 @@ ChallengeResponseAuthentication no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 |
