updated for FreeBSD 12.2

2021-02-13 11:38:38 -08:00
parent bd3cffc61a
commit 5cee123a3c
121 changed files with 7315 additions and 624 deletions
--- a/jails/config/hub/ipfw.rules
+++ b/jails/config/hub/ipfw.rules
@ -0,0 +1,23 @@
+#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+pif="epair0b"     # interface name of NIC attached to Internet
+
+$cmd 00100 allow ip from any to any via lo0
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+$cmd 05000 reset ip from table(22) to me
+$cmd 65000 allow ip from any to any
+$cmd 65535 deny ip from any to any
+
+# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }

-pkgp121: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/hub/sshguard.conf
+++ b/jails/config/hub/sshguard.conf
@ -0,0 +1,54 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+
+# Options that are uncommented in this example are set to their default
+# values. Options without defaults are commented out.
+
+#### REQUIRED CONFIGURATION ####
+# Full path to backend executable (required, no default)
+#BACKEND="/usr/local/libexec/sshg-fw-hosts"
+BACKEND="/usr/local/libexec/sshg-fw-ipfw"
+#BACKEND="/usr/local/libexec/sshg-fw-pf"
+
+# Space-separated list of log files to monitor. (optional, no default)
+#FILES="/var/log/auth.log /var/log/maillog"
+FILES="/var/log/auth.log"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=30
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=120
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=1800
+
+# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+
+#### EXTRAS ####
+# !! Warning: These features may not work correctly with sandboxing. !!
+
+# Full path to PID file (optional, no default)
+#PID_FILE=/var/run/sshguard.pid
+
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
--- a/jails/config/hub/vncmods/passwd
+++ b/jails/config/hub/vncmods/passwd
@ -0,0 +1 @@
+͕it<EFBFBD>ͭ<EFBFBD>
--- a/jails/config/hub/vncmods/vncserver
+++ b/jails/config/hub/vncmods/vncserver
@ -0,0 +1,44 @@
+#!/bin/sh
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: vncserver
+# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
+
+. /etc/rc.subr
+
+: ${vncserver_enable="NO"}
+: ${vncserver_user="p"}
+: ${vncserver_geometry="1600x900"}
+: ${vncserver_display="1"}
+: ${vncserver_securitytypes="vncauth"}
+# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
+# encryption incompatible with clients - vncconnect-realvnc and guacd
+ 
+name=vncserver
+rcvar=vncserver_enable
+ 
+VNCSERVER="/usr/local/bin/vncserver"
+ 
+start_cmd="vncserver_start"
+stop_cmd="vncserver_stop"
+restart_cmd="vncserver_restart"
+ 
+vncserver_start()
+{
+        CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
+        su -l ${vncserver_user} -c "${CMD}"
+}
+ 
+vncserver_stop()
+{
+        CMD="$VNCSERVER -kill :${vncserver_display}"
+        su -l ${vncserver_user} -c "${CMD}"
+}
+vncserver_restart()
+{
+	vncserver_stop
+	vncserver_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"