next set of updates

2020-05-26 21:15:31 -07:00
parent 2327d9d6c0
commit 7707eb5865
61 changed files with 43942 additions and 122 deletions
--- a/jails/config/ibm/create_tuns.sh
+++ b/jails/config/ibm/create_tuns.sh
@ -0,0 +1,15 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+#
+
+ifconfig tun181 create
+#ifconfig bridge1 addm tap181 up
+#ifconfig tap181 up
+#ifconfig tap181 inet6 auto_linklocal
--- a/jails/config/ibm/ibm.sh
+++ b/jails/config/ibm/ibm.sh
@ -0,0 +1,17 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/usr/local/bin/bash
+# ./ibm.sh under tmux
+
+ifconfig tun186 create
+ifconfig tun186 inet 172.16.0.186 172.16.0.100
+chmod 666 /dev/tun186
+
+cd /data/Z110/CONF
+# hercules
--- a/jails/config/ibm/ipfw.rules
+++ b/jails/config/ibm/ipfw.rules
@ -0,0 +1,140 @@
+#!/bin/sh
+
+# https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
+# ipfw -vated list
+
+# IPFW configuration
+#sysrc firewall_enable="YES"
+#sysrc firewall_logif="YES"
+#sysrc firewall_script="/mnt/config/ipfw.rules"
+
+# NATd configuration
+#sysrc gateway_enable="YES"
+#sysrc natd_enable="YES"
+#sysrc natd_interface="epair0b"
+#sysrc natd_flags="-f /mnt/config/natd.conf"
+#natd.conf:
+#redirect_port tcp 172.16.0.100:21-23 21-23
+
+# Set rules command prefix
+cmd="ipfw -q add"
+lif="tun186" # interface name of tunnel attached to Local network
+rif="epair0b" # interface name of vnet attached to Remote/external network
+skip="skipto 12000"
+
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# gateway_enable already set in rc.conf
+# sysctl net.inet.ip.forwarding=1
+
+# Packets passing the stateful NAT may be re-injected into the firewall
+# sysctl net.inet.ip.fw.one_pass=0
+ipfw disable one_pass
+
+# functionality is included in the divert action
+#ipfw -q nat 1 config if $rif same_ports unreg_only reset
+
+$cmd 00050 allow ip from any to any via $lif
+
+$cmd 00100 allow ip from any to any via lo0
+
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+
+# The reassemble rule is not needed with userland natd(8)
+# because the internal workings of the IPFW divert action
+# takes care of reassembling packets before delivery to the socket
+#$cmd 01100 reass all from any to any in
+
+$cmd 01200 divert natd ip from any to any in via $rif     # NAT any inbound packets
+
+# Allow the packet through if it has an existing entry in the dynamic rules table
+$cmd 01300 check-state
+
+# Allow access to DNS
+$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
+$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
+$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
+$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+
+# Allow access to ISP's DHCP server for cable/DSL configurations.
+# Use the first rule and check log for IP address.
+# Then, uncomment the second rule, input the IP address, and delete the first rule
+#$cmd 02120 $skip log udp from any to any 67 out via $rif keep-state
+#$cmd 02120 $skip udp from any to x.x.x.x 67 out via $rif keep-state
+
+# Allow outbound ping
+$cmd 02210 $skip icmp from any to any out via $rif keep-state
+
+# Allow outbound NTP
+$cmd 02220 $skip udp from any to any 123 out via $rif keep-state
+
+# Allow outbound TCP traffic
+$cmd 02500 $skip tcp from any to any 20,22,25,80,443 out via $rif setup keep-state
+# 03720 pasv ftp
+
+# deny and log all other outbound connections
+$cmd 02999 deny log all from any to any out via $rif
+
+#### Lockdown incoming traffic
+# Deny all inbound traffic from non-routable reserved address spaces
+#$cmd 03110 deny all from 192.168.0.0/16 to any in via $rif     #RFC 1918 private IP
+#$cmd 03111 deny all from 172.16.0.0/12 to any in via $rif      #RFC 1918 private IP
+#$cmd 03112 deny all from 10.0.0.0/8 to any in via $rif         #RFC 1918 private IP
+$cmd 03113 deny all from 127.0.0.0/8 to any in via $rif        #loopback
+$cmd 03114 deny all from 0.0.0.0/8 to any in via $rif          #loopback 
+$cmd 03115 deny all from 169.254.0.0/16 to any in via $rif     #DHCP auto-config
+$cmd 03116 deny all from 192.0.2.0/24 to any in via $rif       #reserved for docs
+$cmd 03117 deny all from 204.152.64.0/23 to any in via $rif    #Sun cluster interconnect
+$cmd 03118 deny all from 224.0.0.0/3 to any in via $rif        #Class D & E multicast
+
+# Allow traffic from ISP's DHCP server.
+# Replace x.x.x.x with the same IP address used in rule 02120.
+#$cmd 03120 allow udp from any to x.x.x.x 67 in via $rif keep-state
+
+# Allow public pings
+$cmd 03210 allow icmp from any to any in via $rif
+
+# Deny ident
+$cmd 03230 deny tcp from any to any 113 in via $rif
+
+# Deny all Netbios services.
+$cmd 03240 deny { tcp or udp } from any to any 81,137-139,445,1026,1027,1433,1434 in via $rif
+
+# Deny fragments
+$cmd 03250 deny all from any to any frag in via $rif
+
+# Deny ACK packets that did not match the dynamic rule table
+$cmd 03500 deny tcp from any to any established in via $rif
+
+# Allow inbound SSH host connections
+$cmd 03610 allow tcp from any to me 22 in via $rif setup limit src-addr 2
+
+# Allow HTTP host connections to host web server
+$cmd 03620 allow tcp from any to me 80 in via $rif setup limit src-addr 2
+
+# Allow inbound Telnet connections to NAT
+$cmd 03710 allow tcp from any to me 23,3270 in via $rif setup limit src-addr 2
+
+# Allow inbound FTP connections to NAT
+$cmd 03720 allow tcp from any to me 20,21 in via $rif setup limit src-addr 2
+# 02500 pasv ftp
+
+# Reject and log all other incoming connections
+$cmd 03999 deny log all from any to any in via $rif
+#### lockdown in
+
+$cmd 12000 divert natd ip from any to any out via $rif # skipto location for outbound stateful rules
+
+$cmd 65000 allow ip from any to any
+
+#$cmd 65535 deny ip from any to any
--- a/jails/config/ibm/natd.conf
+++ b/jails/config/ibm/natd.conf
@ -0,0 +1,2 @@
+redirect_port tcp 172.16.0.100:20-21 20-21
+redirect_port tcp 172.16.0.100:23 23
--- a/jails/config/ibm/setup_jail.sh
+++ b/jails/config/ibm/setup_jail.sh
@ -0,0 +1,4 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc
+# launch tmux with emu
+#/mnt/config/startemu.sh
--- a/jails/config/ibm/startemu.sh
+++ b/jails/config/ibm/startemu.sh
@ -0,0 +1,31 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+#
+session="emu_tmux"
+
+# set up tmux
+tmux start-server
+
+# create a new tmux session, naming the window hercules
+tmux new-session -d -s $session -n hercules
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./ibm.sh" C-m
+
+# create a new window empty
+tmux new-window -t $session:1 -n empty
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;clear" C-m
+
+# return to main window
+tmux select-window -t $session:0
+tmux selectp -t 1
+
+# Finished setup, attach to the tmux session!
+#tmux attach-session -t $session