diff --git a/FreeBSD/other/ipfw.rules b/FreeBSD/other/ipfw.rules
new file mode 100644
index 0000000..626bd46
--- /dev/null
+++ b/FreeBSD/other/ipfw.rules
@@ -0,0 +1,274 @@
+#!/bin/sh
+#################################################
+# ipfw Firewall Commands
+#################################################
+/sbin/ipfw -q -f flush
+cmd="/sbin/ipfw -q add"
+cmd_table="/sbin/ipfw -q table"
+
+#################################################
+# Create tables
+#################################################
+# siempie_net
+$cmd_table 1 add 10.0.0.0/28
+$cmd_table 1 add 10.110.0.0/20
+$cmd_table 1 add 172.16.0.0/28
+$cmd_table 1 add 192.168.10.0/24
+$cmd_table 1 add 192.168.20.0/24
+
+# router ips
+$cmd_table 2 add 10.0.0.1
+$cmd_table 2 add 172.16.0.1
+$cmd_table 2 add 192.168.10.254
+$cmd_table 2 add 192.168.15.254
+$cmd_table 2 add 192.168.20.254
+$cmd_table 2 add 192.168.25.254
+
+# reverse proxies
+$cmd_table 3 add rp01.siempie.local
+$cmd_table 3 add rp02.siempie.local
+
+
+#################################################
+# Table 22 for ssh abuse (check sshguard)
+#################################################
+$cmd 00901 drop log ip from 'table(22)' to any
+
+
+#################################################
+# Allow Loopback and Deny Loopback Spoofing
+#################################################
+$cmd pass all from any to any via lo0
+$cmd drop all from any to 127.0.0.0/8
+$cmd drop all from 127.0.0.0/8 to any
+$cmd drop tcp from any to any frag
+
+
+#################################################
+# Stateful rules
+#################################################
+$cmd check-state
+$cmd pass tcp from any to any established
+$cmd pass all from any to any out keep-state
+
+
+#################################################
+# Allow ICMP
+#################################################
+$cmd pass icmp from any to any icmptypes 8
+
+
+#################################################
+# Allow NTP
+# ###############################################
+$cmd pass udp from any to any ntp
+
+
+#################################################
+# Allow DHCP
+#################################################
+$cmd pass udp from any 68 to 255.255.255.255 67
+$cmd pass udp from any 67 to any 68
+$cmd pass udp from any 67 to 255.255.255.255 68
+
+
+#################################################
+# Allow LLDP
+#################################################
+$cmd pass udp from any to 255.255.255.255 5678
+
+
+#################################################
+# Allow any connection out, keeping state
+#################################################
+$cmd pass tcp from any to any via lagg0 setup keep-state
+$cmd pass udp from any to any via lagg0 setup keep-state
+$cmd pass icmp from any to any keep-state
+
+
+#################################################
+# Deny Port scanning (Nmap)
+#################################################
+$cmd 00600 drop log logamount 50 ip from any to any ipoptions rr
+$cmd 00610 drop log logamount 50 ip from any to any ipoptions ts
+$cmd 00620 drop log logamount 50 ip from any to any ipoptions lsrr
+$cmd 00630 drop log logamount 50 ip from any to any ipoptions ssrr
+$cmd 00640 drop log logamount 50 tcp from any to any tcpflags syn,fin
+$cmd 00650 drop log logamount 50 tcp from any to any tcpflags syn,rst
+
+
+#################################################
+# Global
+#################################################
+# SSH
+$cmd 59000 pass tcp from any to bastion.siempie.local ssh keep-state # world -> bastion | ssh
+$cmd 59001 pass tcp from bastion.siempie.local to any ssh keep-state # bastion -> world | ssh
+$cmd 59002 pass tcp from 'table(1)' to nas.siempie.local ssh keep-state # siempie-lans -> nas | ssh
+$cmd 59003 pass tcp from nas.siempie.local to 'table(1)' ssh keep-state # nas -> siempie-lans | ssh
+
+# DNS
+$cmd 59005 pass udp from any to 'table(2)' 53 keep-state # allow dns to router
+
+# Web
+$cmd 59010 pass tcp from any to not 'table(1)' 80 # allow outbound 80
+$cmd 59011 pass tcp from any to not 'table(1)' 443 # allow outbound 443
+
+
+#################################################
+# Services
+#################################################
+# Wireguard
+$cmd 61000 pass udp from wireguard.siempie.local to any 51820 keep-state # wireguard -> world | wireguard
+$cmd 61001 pass udp from any to wireguard.siempie.local 51820 keep-state # world -> wireguard | wireguard
+
+# Ansible
+$cmd 61005 pass tcp from ansible.siempie.local to any ssh keep-state # ansible -> world | sshd
+
+# Arr
+$cmd 61010 pass tcp from arr.siempie.local to nas.siempie.local 2049 keep-state # arr -> nas | nfs
+$cmd 61011 pass tcp from 'table(3)' to arr.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61012 pass tcp from 'table(3)' to arr.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61013 pass tcp from 'table(3)' to arr.siempie.local 8989 keep-state # rp -> radarr | http
+
+# Blackbeard
+$cmd 61014 pass tcp from blackbeard.siempie.local to nas.siempie.local 2049 keep-state # blackbeard -> nas | nfs
+$cmd 61015 pass tcp from 'table(3)' to blackbeard.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61016 pass tcp from 'table(3)' to blackbeard.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61017 pass tcp from 'table(3)' to blackbeard.siempie.local 8989 keep-state # rp -> radarr | http
+$cmd 61018 pass tcp from blackbeard.siempie.local to arr.siempie.local 22 keep-state
+
+
+# Emby
+$cmd 61020 pass tcp from emby.siempie.local to nas.siempie.local 2049 keep-state # emby -> nas | nfs
+$cmd 61021 pass tcp from 'table(3)' to emby.siempie.local 8096 keep-state # rp -> emby | http
+$cmd 61022 pass tcp from arr.siempie.local to emby.siempie.local 8096 keep-state # arr -> emby | http
+$cmd 61023 pass tcp from blackbeard.siempie.local to emby.siempie.local 8096 keep-state # blackbeard -> emby | http
+$cmd 61024 pass tcp from 192.168.20.0/24 to emby.siempie.local 8096 keep-state # client-network -> emby | http
+
+# Gitea
+$cmd 61030 pass tcp from 'table(3)' to gitea.siempie.local 3000 keep-state # rp -> gitea-siempie | http
+$cmd 61031 pass tcp from 'table(3)' to gitea.siempie.local 3001 keep-state # rp -> gitea-hackerboys | http
+$cmd 61032 pass tcp from 'table(3)' to gitea.siempie.local 3002 keep-state # rp -> gitea-simoncornet | http
+
+# Grafana
+$cmd 61040 pass tcp from 'table(3)' to grafana.siempie.local 3000 keep-state # rp -> grafana | http
+$cmd 61042 pass udp from 'table(1)' to grafana.siempie.local 25826 keep-state # influxdb/collectd
+
+# Hackerboys
+$cmd 61050 pass tcp from hackerboys.siempie.local to nas.siempie.local 2049 keep-state # hackerboys -> nas | nfs
+$cmd 61051 pass tcp from 'table(3)' to hackerboys.siempie.local 3000 keep-state # rp -> rocketchat | http
+
+# Jitsi
+$cmd 61055 pass tcp from 'table(3)' to jitsi.siempie.local 443 keep-state # rp -> jitsi | https
+$cmd 61056 pass udp from any to jitsi.siempie.local 10000-20000 keep-state # voice
+
+# Mattermost
+$cmd 61060 pass tcp from mattermost.siempie.local to nas.siempie.local 2049 keep-state # mattermost -> nas | nfs
+$cmd 61061 pass tcp from 'table(3)' to mattermost.siempie.local 8065 keep-state # rp -> mattermost | http
+
+# Nextcloud
+$cmd 61070 pass tcp from nextcloud.siempie.local to nas.siempie.local 2049 keep-state # nextcloud -> nas | nfs
+$cmd 61071 pass tcp from 'table(3)' to nextcloud.siempie.local 443 keep-state # rp -> nextcloud | https
+$cmd 61072 pass tcp from nextcloud.siempie.local to smtp.transip.email 465 keep-state # nextcloud -> transip | smtp
+
+# phpIPAM
+$cmd 61075 pass tcp from 'table(3)' to phpipam.siempie.local 80 keep-state # rp -> phpipam | http
+
+# Rainloop
+$cmd 61090 pass tcp from rainloop.siempie.local to any 993 keep-state # imap
+$cmd 61091 pass tcp from rainloop.siempie.local to any 465 keep-state # smtp
+$cmd 61092 pass tcp from 'table(3)' to rainloop.siempie.local 80 keep-state # rp -> rainloop | http
+
+# Reverse Proxies
+$cmd 61100 pass tcp from 'table(3)' to nas.siempie.local 2049 keep-state # nfs
+$cmd 61101 pass tcp from 'table(3)' to 'table(2)' 80 keep-state # rp -> router | http
+$cmd 61102 pass { tcp or udp } from 'table(3)' to any 53 keep-state # dns
+$cmd 61103 pass tcp from lb.siempie.local to 'table(3)' 80 keep-state # lb -> rp | http
+$cmd 61104 pass tcp from lb.siempie.local to 'table(3)' 443 keep-state # lb -> rp | https
+
+# Rundeck
+$cmd 61115 pass tcp from rundeck.siempie.local to nas.siempie.local 2049 keep-state # nfs
+$cmd 61116 pass tcp from rundeck.siempie.local to any ssh keep-state # ssh
+$cmd 61117 pass tcp from 'table(3)' to rundeck.siempie.local 4440 keep-state # rp -> rundeck | http
+
+# Smokeping
+$cmd 61120 pass tcp from 'table(3)' to smokeping.siempie.local 80 keep-state # rp -> smokeping | http
+
+# Stack
+$cmd 61135 pass tcp from stack.siempie.local to nas.siempie.local 2049 keep-state # stack -> nas | nfs
+
+# Vault
+$cmd 61140 pass tcp from vault.siempie.local to nas.siempie.local 2049 keep-state # vault -> nas | nfs
+$cmd 61141 pass tcp from 'table(3)' to vault.siempie.local 443 keep-state # rp -> bitwarden | https
+
+# Unifi
+$cmd 61150 pass tcp from 'table(3)' to unifi.siempie.local 8443 keep-state # rp -> unifi | http
+$cmd 61151 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 3478 keep-state # ap-livingroom
+$cmd 61152 pass tcp from ap-livingroom.siempie.local to unifi.siempie.local 8080 keep-state # ap-livingroom
+$cmd 61153 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 10001 keep-state # ap-livingroom
+$cmd 61154 pass udp from ap-attic.siempie.local to unifi.siempie.local 3478 keep-state # ap-attic
+$cmd 61155 pass tcp from ap-attic.siempie.local to unifi.siempie.local 8080 keep-state # ap-attic
+$cmd 61156 pass udp from ap-attic.siempie.local to unifi.siempie.local 10001 keep-state # ap-attic
+
+# Loadbalancer
+$cmd 61160 pass tcp from any to lb.siempie.local 80 keep-state # world -> lb | http
+$cmd 61161 pass tcp from any to lb.siempie.local 443 keep-state # world -> lb | https
+$cmd 61162 pass tcp from grafana.siempie.local to lb.siempie.local 81 keep-state # stats
+
+# SABnzbd
+$cmd 61170 pass tcp from 'table(3)' to sabnzbd.siempie.local 8080 keep-state # rp -> sabnzbd | http
+$cmd 61172 pass tcp from arr.siempie.local to sabnzbd.siempie.local 8080 keep-state # arr -> sabnzbd | http
+$cmd 61173 pass tcp from blackbeard.siempie.local to sabnzbd.siempie.local 8080 keep-state # blackbeard -> sabnzbd | http
+
+# Do-Chat
+$cmd 61175 pass tcp from do-chat.siempie.local to nas.siempie.local 2049 keep-state # do-chat -> nas | nfs
+$cmd 61176 pass tcp from 'table(3)' to do-chat.siempie.local 3000 keep-state # rocketchat | http
+
+# AdGuard-Home
+$cmd 61179 pass tcp from 'table(3)' to adguard.siempie.local 443 keep-state # rp -> adguard | https
+$cmd 61180 pass { tcp or udp } from adguard.siempie.local to any 53 keep-state # adguard -> world | dns
+$cmd 61181 pass tcp from adguard.siempie.local to any 853 keep-state # adguard -> world | dot
+# $cmd 61182 pass udp from nas.siempie.local to adguard.siempie.local 53 keep-state # router -> adguard | dns
+$cmd 61183 pass tcp from 'table(2)' to adguard.siempie.local 443 keep-state # router -> adguard | doh
+$cmd 61184 pass udp from 159.180.12.237 to adguard.siempie.local 53 keep-state # florian -> adguard | dns
+$cmd 61185 pass udp from 83.128.133.1 to adguard.siempie.local 53 keep-state # fresia -> adguard | dns
+
+# Do-Splunk
+$cmd 61190 pass udp from any to splunk.do.local 514 keep-state # allow syslog
+$cmd 61191 pass tcp from 'table(3)' to splunk.do.local 8000 keep-state # rp -> splunk | http
+
+# VMware
+$cmd 61195 pass tcp from esx01.siempie.local to nas.siempie.local 2049 keep-state # esx01 -> nas | nfs
+$cmd 61196 pass tcp from esx02.siempie.local to nas.siempie.local 2049 keep-state # esx02 -> nas | nfs
+$cmd 61197 pass tcp from esx03.siempie.local to nas.siempie.local 2049 keep-state # esx03 -> nas | nfs
+
+
+#################################################
+# Drop rules
+#################################################
+# Drop specific traffic
+$cmd 61200 drop ip from any to any 137 # block netbios
+$cmd 61201 drop ip from any to 224.0.22 any # block IGMPv3
+$cmd 61202 drop ip from any to 224.0.0.251 5353 # block mDNS
+$cmd 61203 drop ip from any to 224.0.0.252 5355 # block LLMNR
+$cmd 61204 drop ip from any to 239.254.127.63 48000 # block unifi stats
+$cmd 61205 drop ip from any to 239.255.255.250 1900 # block SSDP
+$cmd 61206 drop ip from any to 255.255.255.255 10001 # block unifi discovery spam
+
+# Default deny bridge0
+$cmd 61299 drop all from any to any via bridge0
+
+# Default deny bridge1
+$cmd 61399 drop all from any to any via bridge1
+
+# Default deny bridge2
+$cmd 61499 drop all from any to any via bridge2
+
+# Default deny bridge3
+$cmd 61599 drop all from any to any via bridge3
+
+# Default deny bridge4
+$cmd 61699 drop all from any to any via bridge4
+
+# Default deny + log
+$cmd drop log all from any to any
diff --git a/FreeBSD/vm/readme.md b/FreeBSD/vm/readme.md
new file mode 100644
index 0000000..208725d
--- /dev/null
+++ b/FreeBSD/vm/readme.md
@@ -0,0 +1,14 @@
+# vm-backup.bash
+Restore single line:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in < backup file > | \
+pigz -c -d -p 4 | \
+zfs receive -F < restore destination >
+```
+
+Example:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in /tank/backup/vms/stack-2021-02-10.pigz.enc | \
+pigz -c -d -p 4 | \
+zfs receive -F zroot/vms/stack
+```
diff --git a/FreeBSD/vm/vm-backup-single.csh b/FreeBSD/vm/unused_vm-backup-single.csh
similarity index 100%
rename from FreeBSD/vm/vm-backup-single.csh
rename to FreeBSD/vm/unused_vm-backup-single.csh
diff --git a/FreeBSD/vm/vm-backup.csh b/FreeBSD/vm/unused_vm-backup.csh
similarity index 100%
rename from FreeBSD/vm/vm-backup.csh
rename to FreeBSD/vm/unused_vm-backup.csh
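Review bot: `$cmd pass tcp from any to any established` under "Stateful rules" matches every TCP segment with ACK or RST set, so any inbound non-SYN segment is accepted before the per-service rules at 59000+/61000+ and independently of the tracking that `check-state`/`keep-state` already provide; drop that line so only tracked flows and explicit `setup` matches pass. The hostname-based entries (`$cmd_table 3 add rp01.siempie.local`, `bastion.siempie.local`, `nas.siempie.local`, and the rest) are resolved once at load time, and because `-q` is used and nothing checks the result after `flush`, a failed lookup silently leaves that allow or table entry out of the ruleset while a tampered answer quietly rewrites the policy; using addresses, or loading the tables from a file on the host, removes the DNS dependency. `$cmd pass udp from any to any via lagg0 setup keep-state` applies the TCP-only `setup` option to UDP, so it is presumably either rejected at load or never matches — confirm against `ipfw list` on the running host. The IGMPv3 drop names `224.0.22` where `224.0.0.22` is presumably meant; spelling the address out avoids depending on short-form address parsing.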
diff --git a/FreeBSD/vm/vm-backup-single.bash b/FreeBSD/vm/vm-backup.bash similarity index 69% rename from FreeBSD/vm/vm-backup-single.bash rename to FreeBSD/vm/vm-backup.bash index 76f242e..afae4e5 100644 --- a/FreeBSD/vm/vm-backup-single.bash +++ b/FreeBSD/vm/vm-backup.bash @@ -6,7 +6,9 @@ vm_dataset="zroot/vms" vm_pid=`/usr/bin/pgrep -f "bhyve: $vm"` backup_location="/tank/backup/vms/" backup_date=`date "+%Y-%m-%d"` -enc_password="nDNmPPBPk7jQnwke" +enc_password="supersecretstuff" +default_state="started" +state="${2:-$default_state}" # snapshot vm echo "" @@ -33,11 +35,14 @@ for vm in $vm; do sleep 1 ## create snapshot - zfs snapshot $vm_dataset/$vm@$backup_date + zfs snapshot -r $vm_dataset/$vm@$backup_date - ## start VM - echo "Starting $vm" - (vm start $vm > /dev/null) >& /dev/null + ## start VM if required + if [ $state = "started" ] + then + echo "Starting $vm" + (vm start $vm > /dev/null) >& /dev/null + fi done @@ -50,14 +55,20 @@ for vm in $vm; do sleep 1 ## send snapshot to backup destination - zfs send $vm_dataset/$vm@$backup_date | \ + zfs send -Rc $vm_dataset/$vm@$backup_date | \ pigz -c -p 4 | \ - openssl enc -aes-256-ctr -a -pbkdf2 -iter 1000 -salt -k $enc_password \ + openssl enc \ + -aes-256-ctr \ + -a \ + -pbkdf2 \ + -iter 1000 \ + -salt \ + -k $enc_password \ > $backup_location/$vm-$backup_date.pigz.enc ## delete snapshot sleep 1 - zfs destroy $vm_dataset/$vm@$backup_date + zfs destroy -r $vm_dataset/$vm@$backup_date done
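Review bot: `+enc_password="supersecretstuff"` swaps one committed plaintext key for another, and the removed `nDNmPPBPk7jQnwke` stays recoverable from history, so backups encrypted under either value should be treated as exposed and re-encrypted after the key is rotated out of the repository. The same literal is repeated in FreeBSD/vm/readme.md in this commit, and the send hunk further down hands it to openssl as `-k $enc_password`, which shows it in the process list to every local user for the duration of the pipeline. Read the key from a root-only file kept outside version control instead, e.g. `enc_password_file="/path/to/key-file"` (placeholder path) here and `-pass file:"$enc_password_file"` in the openssl call, and drop the literal from the readme.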
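Review bot: `if [ $state = "started" ]` leaves `$state` unquoted and accepts any second argument, so a value other than `started` (including a typo) silently leaves the VM stopped after the snapshot, and a value containing whitespace breaks the test itself. Validate where it is set, e.g. `state="${2:-$default_state}"` followed by `case "$state" in started|stopped) ;; *) echo "unknown state: $state" >&2; exit 1 ;; esac`, and quote the expansion here as `if [ "$state" = "started" ]`. The enclosing `for vm in $vm; do` loop starts outside this hunk.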