[SCRIPTS] Fast forward
parent
9e10ba0820
commit
3312517bc1
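--- a/FreeBSD/other/ipfw.rules
+++ b/FreeBSD/other/ipfw.rules
@@ -0,0 +1,274 @@
+#!/bin/sh
+#################################################
+# ipfw Firewall Commands
+#################################################
+/sbin/ipfw -q -f flush
+cmd="/sbin/ipfw -q add"
+cmd_table="/sbin/ipfw -q table"
+
+#################################################
+# Create tables
+#################################################
+# siempie_net
+$cmd_table 1 add 10.0.0.0/28
+$cmd_table 1 add 10.110.0.0/20
+$cmd_table 1 add 172.16.0.0/28
+$cmd_table 1 add 192.168.10.0/24
+$cmd_table 1 add 192.168.20.0/24
+
+# router ips
+$cmd_table 2 add 10.0.0.1
+$cmd_table 2 add 172.16.0.1
+$cmd_table 2 add 192.168.10.254
+$cmd_table 2 add 192.168.15.254
+$cmd_table 2 add 192.168.20.254
+$cmd_table 2 add 192.168.25.254
+
+# reverse proxies
+$cmd_table 3 add rp01.siempie.local
+$cmd_table 3 add rp02.siempie.local
+
+
+#################################################
+# Table 22 for ssh abuse (check sshguard)
+#################################################
+$cmd 00901 drop log ip from 'table(22)' to any
+
+
+#################################################
+# Allow Loopback and Deny Loopback Spoofing
+#################################################
+$cmd pass all from any to any via lo0
+$cmd drop all from any to 127.0.0.0/8
+$cmd drop all from 127.0.0.0/8 to any
+$cmd drop tcp from any to any frag
+
+
+#################################################
+# Stateful rules
+#################################################
+$cmd check-state
+$cmd pass tcp from any to any established
+$cmd pass all from any to any out keep-state
+
+
+#################################################
+# Allow ICMP
+#################################################
+$cmd pass icmp from any to any icmptypes 8
+
+
+#################################################
+# Allow NTP
+# ###############################################
+$cmd pass udp from any to any ntp
+
+
+#################################################
+# Allow DHCP
+#################################################
+$cmd pass udp from any 68 to 255.255.255.255 67
+$cmd pass udp from any 67 to any 68
+$cmd pass udp from any 67 to 255.255.255.255 68
+
+
+#################################################
+# Allow LLDP
+#################################################
+$cmd pass udp from any to 255.255.255.255 5678
+
+
+#################################################
+# Allow any connection out, keeping state
+#################################################
+$cmd pass tcp from any to any via lagg0 setup keep-state
+$cmd pass udp from any to any via lagg0 setup keep-state
+$cmd pass icmp from any to any keep-state
+
+
+#################################################
+# Deny Port scanning (Nmap)
+#################################################
+$cmd 00600 drop log logamount 50 ip from any to any ipoptions rr
+$cmd 00610 drop log logamount 50 ip from any to any ipoptions ts
+$cmd 00620 drop log logamount 50 ip from any to any ipoptions lsrr
+$cmd 00630 drop log logamount 50 ip from any to any ipoptions ssrr
+$cmd 00640 drop log logamount 50 tcp from any to any tcpflags syn,fin
+$cmd 00650 drop log logamount 50 tcp from any to any tcpflags syn,rst
+
+
+#################################################
+# Global
+#################################################
+# SSH
+$cmd 59000 pass tcp from any to bastion.siempie.local ssh keep-state # world -> bastion | ssh
+$cmd 59001 pass tcp from bastion.siempie.local to any ssh keep-state # bastion -> world | ssh
+$cmd 59002 pass tcp from 'table(1)' to nas.siempie.local ssh keep-state # siempie-lans -> nas | ssh
+$cmd 59003 pass tcp from nas.siempie.local to 'table(1)' ssh keep-state # nas -> siempie-lans | ssh
+
+# DNS
+$cmd 59005 pass udp from any to 'table(2)' 53 keep-state # allow dns to router
+
+# Web
+$cmd 59010 pass tcp from any to not 'table(1)' 80 # allow outbound 80
+$cmd 59011 pass tcp from any to not 'table(1)' 443 # allow outbound 443
+
+
+#################################################
+# Services
+#################################################
+# Wireguard
+$cmd 61000 pass udp from wireguard.siempie.local to any 51820 keep-state # wireguard -> world | wireguard
+$cmd 61001 pass udp from any to wireguard.siempie.local 51820 keep-state # world -> wireguard | wireguard
+
+# Ansible
+$cmd 61005 pass tcp from ansible.siempie.local to any ssh keep-state # ansible -> world | sshd
+
+# Arr
+$cmd 61010 pass tcp from arr.siempie.local to nas.siempie.local 2049 keep-state # arr -> nas | nfs
+$cmd 61011 pass tcp from 'table(3)' to arr.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61012 pass tcp from 'table(3)' to arr.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61013 pass tcp from 'table(3)' to arr.siempie.local 8989 keep-state # rp -> radarr | http
+
+# Blackbeard
+$cmd 61014 pass tcp from blackbeard.siempie.local to nas.siempie.local 2049 keep-state # blackbeard -> nas | nfs
+$cmd 61015 pass tcp from 'table(3)' to blackbeard.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61016 pass tcp from 'table(3)' to blackbeard.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61017 pass tcp from 'table(3)' to blackbeard.siempie.local 8989 keep-state # rp -> radarr | http
+$cmd 61018 pass tcp from blackbeard.siempie.local to arr.siempie.local 22 keep-state
+
+
+# Emby
+$cmd 61020 pass tcp from emby.siempie.local to nas.siempie.local 2049 keep-state # emby -> nas | nfs
+$cmd 61021 pass tcp from 'table(3)' to emby.siempie.local 8096 keep-state # rp -> emby | http
+$cmd 61022 pass tcp from arr.siempie.local to emby.siempie.local 8096 keep-state # arr -> emby | http
+$cmd 61023 pass tcp from blackbeard.siempie.local to emby.siempie.local 8096 keep-state # blackbeard -> emby | http
+$cmd 61024 pass tcp from 192.168.20.0/24 to emby.siempie.local 8096 keep-state # client-network -> emby | http
+
+# Gitea
+$cmd 61030 pass tcp from 'table(3)' to gitea.siempie.local 3000 keep-state # rp -> gitea-siempie | http
+$cmd 61031 pass tcp from 'table(3)' to gitea.siempie.local 3001 keep-state # rp -> gitea-hackerboys | http
+$cmd 61032 pass tcp from 'table(3)' to gitea.siempie.local 3002 keep-state # rp -> gitea-simoncornet | http
+
+# Grafana
+$cmd 61040 pass tcp from 'table(3)' to grafana.siempie.local 3000 keep-state # rp -> grafana | http
+$cmd 61042 pass udp from 'table(1)' to grafana.siempie.local 25826 keep-state # influxdb/collectd
+
+# Hackerboys
+$cmd 61050 pass tcp from hackerboys.siempie.local to nas.siempie.local 2049 keep-state # hackerboys -> nas | nfs
+$cmd 61051 pass tcp from 'table(3)' to hackerboys.siempie.local 3000 keep-state # rp -> rocketchat | http
+
+# Jitsi
+$cmd 61055 pass tcp from 'table(3)' to jitsi.siempie.local 443 keep-state # rp -> jitsi | https
+$cmd 61056 pass udp from any to jitsi.siempie.local 10000-20000 keep-state # voice
+
+# Mattermost
+$cmd 61060 pass tcp from mattermost.siempie.local to nas.siempie.local 2049 keep-state # mattermost -> nas | nfs
+$cmd 61061 pass tcp from 'table(3)' to mattermost.siempie.local 8065 keep-state # rp -> mattermost | http
+
+# Nextcloud
+$cmd 61070 pass tcp from nextcloud.siempie.local to nas.siempie.local 2049 keep-state # nextcloud -> nas | nfs
+$cmd 61071 pass tcp from 'table(3)' to nextcloud.siempie.local 443 keep-state # rp -> nextcloud | https
+$cmd 61072 pass tcp from nextcloud.siempie.local to smtp.transip.email 465 keep-state # nextcloud -> transip | smtp
+
+# phpIPAM
+$cmd 61075 pass tcp from 'table(3)' to phpipam.siempie.local 80 keep-state # rp -> phpipam | http
+
+# Rainloop
+$cmd 61090 pass tcp from rainloop.siempie.local to any 993 keep-state # imap
+$cmd 61091 pass tcp from rainloop.siempie.local to any 465 keep-state # smtp
+$cmd 61092 pass tcp from 'table(3)' to rainloop.siempie.local 80 keep-state # rp -> rainloop | http
+
+# Reverse Proxies
+$cmd 61100 pass tcp from 'table(3)' to nas.siempie.local 2049 keep-state # nfs
+$cmd 61101 pass tcp from 'table(3)' to 'table(2)' 80 keep-state # rp -> router | http
+$cmd 61102 pass { tcp or udp } from 'table(3)' to any 53 keep-state # dns
+$cmd 61103 pass tcp from lb.siempie.local to 'table(3)' 80 keep-state # lb -> rp | http
+$cmd 61104 pass tcp from lb.siempie.local to 'table(3)' 443 keep-state # lb -> rp | https
+
+# Rundeck
+$cmd 61115 pass tcp from rundeck.siempie.local to nas.siempie.local 2049 keep-state # nfs
+$cmd 61116 pass tcp from rundeck.siempie.local to any ssh keep-state # ssh
+$cmd 61117 pass tcp from 'table(3)' to rundeck.siempie.local 4440 keep-state # rp -> rundeck | http
+
+# Smokeping
+$cmd 61120 pass tcp from 'table(3)' to smokeping.siempie.local 80 keep-state # rp -> smokeping | http
+
+# Stack
+$cmd 61135 pass tcp from stack.siempie.local to nas.siempie.local 2049 keep-state # stack -> nas | nfs
+
+# Vault
+$cmd 61140 pass tcp from vault.siempie.local to nas.siempie.local 2049 keep-state # vault -> nas | nfs
+$cmd 61141 pass tcp from 'table(3)' to vault.siempie.local 443 keep-state # rp -> bitwarden | https
+
+# Unifi
+$cmd 61150 pass tcp from 'table(3)' to unifi.siempie.local 8443 keep-state # rp -> unifi | http
+$cmd 61151 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 3478 keep-state # ap-livingroom
+$cmd 61152 pass tcp from ap-livingroom.siempie.local to unifi.siempie.local 8080 keep-state # ap-livingroom
+$cmd 61153 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 10001 keep-state # ap-livingroom
+$cmd 61154 pass udp from ap-attic.siempie.local to unifi.siempie.local 3478 keep-state # ap-attic
+$cmd 61155 pass tcp from ap-attic.siempie.local to unifi.siempie.local 8080 keep-state # ap-attic
+$cmd 61156 pass udp from ap-attic.siempie.local to unifi.siempie.local 10001 keep-state # ap-attic
+
+# Loadbalancer
+$cmd 61160 pass tcp from any to lb.siempie.local 80 keep-state # world -> lb | http
+$cmd 61161 pass tcp from any to lb.siempie.local 443 keep-state # world -> lb | https
+$cmd 61162 pass tcp from grafana.siempie.local to lb.siempie.local 81 keep-state # stats
+
+# SABnzbd
+$cmd 61170 pass tcp from 'table(3)' to sabnzbd.siempie.local 8080 keep-state # rp -> sabnzbd | http
+$cmd 61172 pass tcp from arr.siempie.local to sabnzbd.siempie.local 8080 keep-state # arr -> sabnzbd | http
+$cmd 61173 pass tcp from blackbeard.siempie.local to sabnzbd.siempie.local 8080 keep-state # blackbeard -> sabnzbd | http
+
+# Do-Chat
+$cmd 61175 pass tcp from do-chat.siempie.local to nas.siempie.local 2049 keep-state # do-chat -> nas | nfs
+$cmd 61176 pass tcp from 'table(3)' to do-chat.siempie.local 3000 keep-state # rocketchat | http
+
+# AdGuard-Home
+$cmd 61179 pass tcp from 'table(3)' to adguard.siempie.local 443 keep-state # rp -> adguard | https
+$cmd 61180 pass { tcp or udp } from adguard.siempie.local to any 53 keep-state # adguard -> world | dns
+$cmd 61181 pass tcp from adguard.siempie.local to any 853 keep-state # adguard -> world | dot
+# $cmd 61182 pass udp from nas.siempie.local to adguard.siempie.local 53 keep-state # router -> adguard | dns
+$cmd 61183 pass tcp from 'table(2)' to adguard.siempie.local 443 keep-state # router -> adguard | doh
+$cmd 61184 pass udp from 159.180.12.237 to adguard.siempie.local 53 keep-state # florian -> adguard | dns
+$cmd 61185 pass udp from 83.128.133.1 to adguard.siempie.local 53 keep-state # fresia -> adguard | dns
+
+# Do-Splunk
+$cmd 61190 pass udp from any to splunk.do.local 514 keep-state # allow syslog
+$cmd 61191 pass tcp from 'table(3)' to splunk.do.local 8000 keep-state # rp -> splunk | http
+
+# VMware
+$cmd 61195 pass tcp from esx01.siempie.local to nas.siempie.local 2049 keep-state # esx01 -> nas | nfs
+$cmd 61196 pass tcp from esx02.siempie.local to nas.siempie.local 2049 keep-state # esx02 -> nas | nfs
+$cmd 61197 pass tcp from esx03.siempie.local to nas.siempie.local 2049 keep-state # esx03 -> nas | nfs
+
+
+#################################################
+# Drop rules
+#################################################
+# Drop specific traffic
+$cmd 61200 drop ip from any to any 137 # block netbios
+$cmd 61201 drop ip from any to 224.0.22 any # block IGMPv3
+$cmd 61202 drop ip from any to 224.0.0.251 5353 # block mDNS
+$cmd 61203 drop ip from any to 224.0.0.252 5355 # block LLMNR
+$cmd 61204 drop ip from any to 239.254.127.63 48000 # block unifi stats
+$cmd 61205 drop ip from any to 239.255.255.250 1900 # block SSDP
+$cmd 61206 drop ip from any to 255.255.255.255 10001 # block unifi discovery spam
+
+# Default deny bridge0
+$cmd 61299 drop all from any to any via bridge0
+
+# Default deny bridge1
+$cmd 61399 drop all from any to any via bridge1
+
+# Default deny bridge2
+$cmd 61499 drop all from any to any via bridge2
+
+# Default deny bridge3
+$cmd 61599 drop all from any to any via bridge3
+
+# Default deny bridge4
+$cmd 61699 drop all from any to any via bridge4
+
+# Default deny + log
+$cmd drop log all from any to any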
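Review bot: `$cmd pass tcp from any to any established` (second rule under "Stateful rules") matches every TCP segment with ACK or RST set regardless of the dynamic state table, so the per-service rules from 59000 onward only ever gate the SYN and any non-SYN segment that is not part of a tracked flow is admitted before the default deny is reached. With `check-state` already in place and `keep-state` on the accept rules the line is redundant; the only rules that appear to depend on it are 59010/59011, which lack `keep-state`, so I would drop the `established` line and change them to `$cmd 59010 pass tcp from any to not 'table(1)' 80 keep-state # allow outbound 80` and the same for 59011 on 443. Table 3 and most service rules are written with hostnames (`rp01.siempie.local`, `*.siempie.local`), which ipfw resolves once when the script loads, so the resulting policy depends on the resolver being reachable and honest at that moment; a comment recording that, or literal addresses as in tables 1 and 2, would make the dependency explicit. `$cmd pass udp from any to any ntp` also admits inbound NTP from any source, which is wider than the outbound time sync the section heading suggests.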
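--- a/FreeBSD/vm/readme.md
+++ b/FreeBSD/vm/readme.md
@@ -0,0 +1,14 @@
+# vm-backup.bash
+Restore single line:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in < backup file > | \
+pigz -c -d -p 4 | \
+zfs receive -F < restore destination >
+```
+
+Example:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in /tank/backup/vms/stack-2021-02-10.pigz.enc | \
+pigz -c -d -p 4 | \
+zfs receive -F zroot/vms/stack
+```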
@ -6,7 +6,9 @@ vm_dataset="zroot/vms"
|
|||||||
vm_pid=`/usr/bin/pgrep -f "bhyve: $vm"`
|
vm_pid=`/usr/bin/pgrep -f "bhyve: $vm"`
|
||||||
backup_location="/tank/backup/vms/"
|
backup_location="/tank/backup/vms/"
|
||||||
backup_date=`date "+%Y-%m-%d"`
|
backup_date=`date "+%Y-%m-%d"`
|
||||||
enc_password="nDNmPPBPk7jQnwke"
|
enc_password="supersecretstuff"
|
||||||
|
default_state="started"
|
||||||
|
state="${2:-$default_state}"
|
||||||
|
|
||||||
# snapshot vm
|
# snapshot vm
|
||||||
echo ""
|
echo ""
|
||||||
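Review bot: `enc_password="supersecretstuff"` keeps the backup encryption key as a literal in the script, and because this hunk rewrites the previous value in place both keys now live in git history, so the old one should be treated as exposed and the archives it protects re-encrypted. The same value is handed to openssl on its command line in the third hunk (`-k $enc_password \`), where it is visible to every local user through `ps` for as long as the send runs, and the readme added in this commit repeats it in plain text. I would read it from a root-only file outside the repository instead, e.g. `enc_password_file="<path to key file>"` here and `-pass file:"$enc_password_file" \` in place of the `-k` line. In that third hunk nothing checks the `zfs send | pigz | openssl` pipeline before `zfs destroy -r` removes the snapshot, so a failed send can leave a truncated `.pigz.enc` with the snapshot already gone; guarding the destroy on the pipeline's outcome (at minimum the status of the last stage and a non-empty output file, since `pipefail` is not available in every /bin/sh) would close that gap. The `for vm in $vm` loop these hunks sit in starts outside them.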
@ -33,11 +35,14 @@ for vm in $vm; do
|
|||||||
sleep 1
|
sleep 1
|
||||||
|
|
||||||
## create snapshot
|
## create snapshot
|
||||||
zfs snapshot $vm_dataset/$vm@$backup_date
|
zfs snapshot -r $vm_dataset/$vm@$backup_date
|
||||||
|
|
||||||
## start VM
|
## start VM if required
|
||||||
|
if [ $state = "started" ]
|
||||||
|
then
|
||||||
echo "Starting $vm"
|
echo "Starting $vm"
|
||||||
(vm start $vm > /dev/null) >& /dev/null
|
(vm start $vm > /dev/null) >& /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -50,14 +55,20 @@ for vm in $vm; do
|
|||||||
sleep 1
|
sleep 1
|
||||||
|
|
||||||
## send snapshot to backup destination
|
## send snapshot to backup destination
|
||||||
zfs send $vm_dataset/$vm@$backup_date | \
|
zfs send -Rc $vm_dataset/$vm@$backup_date | \
|
||||||
pigz -c -p 4 | \
|
pigz -c -p 4 | \
|
||||||
openssl enc -aes-256-ctr -a -pbkdf2 -iter 1000 -salt -k $enc_password \
|
openssl enc \
|
||||||
|
-aes-256-ctr \
|
||||||
|
-a \
|
||||||
|
-pbkdf2 \
|
||||||
|
-iter 1000 \
|
||||||
|
-salt \
|
||||||
|
-k $enc_password \
|
||||||
> $backup_location/$vm-$backup_date.pigz.enc
|
> $backup_location/$vm-$backup_date.pigz.enc
|
||||||
|
|
||||||
## delete snapshot
|
## delete snapshot
|
||||||
sleep 1
|
sleep 1
|
||||||
zfs destroy $vm_dataset/$vm@$backup_date
|
zfs destroy -r $vm_dataset/$vm@$backup_date
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|