[SCRIPTS] Fast forward

This commit is contained in:
Simon Cornet 2021-02-10 18:35:24 +01:00
parent 9e10ba0820
commit 3312517bc1
5 changed files with 307 additions and 8 deletions

274
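--- a/FreeBSD/other/ipfw.rules
+++ b/FreeBSD/other/ipfw.rules
@@ -0,0 +1,274 @@
+#!/bin/sh
+#################################################
+# ipfw Firewall Commands
+#################################################
+/sbin/ipfw -q -f flush
+cmd="/sbin/ipfw -q add"
+cmd_table="/sbin/ipfw -q table"
+#################################################
+# Create tables
+#################################################
+# siempie_net
+$cmd_table 1 add 10.0.0.0/28
+$cmd_table 1 add 10.110.0.0/20
+$cmd_table 1 add 172.16.0.0/28
+$cmd_table 1 add 192.168.10.0/24
+$cmd_table 1 add 192.168.20.0/24
+# router ips
+$cmd_table 2 add 10.0.0.1
+$cmd_table 2 add 172.16.0.1
+$cmd_table 2 add 192.168.10.254
+$cmd_table 2 add 192.168.15.254
+$cmd_table 2 add 192.168.20.254
+$cmd_table 2 add 192.168.25.254
+# reverse proxies
+$cmd_table 3 add rp01.siempie.local
+$cmd_table 3 add rp02.siempie.local
+#################################################
+# Table 22 for ssh abuse (check sshguard)
+#################################################
+$cmd 00901 drop log ip from 'table(22)' to any
+#################################################
+# Allow Loopback and Deny Loopback Spoofing
+#################################################
+$cmd pass all from any to any via lo0
+$cmd drop all from any to 127.0.0.0/8
+$cmd drop all from 127.0.0.0/8 to any
+$cmd drop tcp from any to any frag
+#################################################
+# Stateful rules
+#################################################
+$cmd check-state
+$cmd pass tcp from any to any established
+$cmd pass all from any to any out keep-state
+#################################################
+# Allow ICMP
+#################################################
+$cmd pass icmp from any to any icmptypes 8
+#################################################
+# Allow NTP
+# ###############################################
+$cmd pass udp from any to any ntp
+#################################################
+# Allow DHCP
+#################################################
+$cmd pass udp from any 68 to 255.255.255.255 67
+$cmd pass udp from any 67 to any 68
+$cmd pass udp from any 67 to 255.255.255.255 68
+#################################################
+# Allow LLDP
+#################################################
+$cmd pass udp from any to 255.255.255.255 5678
+#################################################
+# Allow any connection out, keeping state
+#################################################
+$cmd pass tcp from any to any via lagg0 setup keep-state
+$cmd pass udp from any to any via lagg0 setup keep-state
+$cmd pass icmp from any to any keep-state
+#################################################
+# Deny Port scanning (Nmap)
+#################################################
+$cmd 00600 drop log logamount 50 ip from any to any ipoptions rr
+$cmd 00610 drop log logamount 50 ip from any to any ipoptions ts
+$cmd 00620 drop log logamount 50 ip from any to any ipoptions lsrr
+$cmd 00630 drop log logamount 50 ip from any to any ipoptions ssrr
+$cmd 00640 drop log logamount 50 tcp from any to any tcpflags syn,fin
+$cmd 00650 drop log logamount 50 tcp from any to any tcpflags syn,rst
+#################################################
+# Global
+#################################################
+# SSH
+$cmd 59000 pass tcp from any to bastion.siempie.local ssh keep-state # world -> bastion | ssh
+$cmd 59001 pass tcp from bastion.siempie.local to any ssh keep-state # bastion -> world | ssh
+$cmd 59002 pass tcp from 'table(1)' to nas.siempie.local ssh keep-state # siempie-lans -> nas | ssh
+$cmd 59003 pass tcp from nas.siempie.local to 'table(1)' ssh keep-state # nas -> siempie-lans | ssh
+# DNS
+$cmd 59005 pass udp from any to 'table(2)' 53 keep-state # allow dns to router
+# Web
+$cmd 59010 pass tcp from any to not 'table(1)' 80 # allow outbound 80
+$cmd 59011 pass tcp from any to not 'table(1)' 443 # allow outbound 443
+#################################################
+# Services
+#################################################
+# Wireguard
+$cmd 61000 pass udp from wireguard.siempie.local to any 51820 keep-state # wireguard -> world | wireguard
+$cmd 61001 pass udp from any to wireguard.siempie.local 51820 keep-state # world -> wireguard | wireguard
+# Ansible
+$cmd 61005 pass tcp from ansible.siempie.local to any ssh keep-state # ansible -> world | sshd
+# Arr
+$cmd 61010 pass tcp from arr.siempie.local to nas.siempie.local 2049 keep-state # arr -> nas | nfs
+$cmd 61011 pass tcp from 'table(3)' to arr.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61012 pass tcp from 'table(3)' to arr.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61013 pass tcp from 'table(3)' to arr.siempie.local 8989 keep-state # rp -> radarr | http
+# Blackbeard
+$cmd 61014 pass tcp from blackbeard.siempie.local to nas.siempie.local 2049 keep-state # blackbeard -> nas | nfs
+$cmd 61015 pass tcp from 'table(3)' to blackbeard.siempie.local 8686 keep-state # rp -> lidarr | http
+$cmd 61016 pass tcp from 'table(3)' to blackbeard.siempie.local 7878 keep-state # rp -> sonarr | http
+$cmd 61017 pass tcp from 'table(3)' to blackbeard.siempie.local 8989 keep-state # rp -> radarr | http
+$cmd 61018 pass tcp from blackbeard.siempie.local to arr.siempie.local 22 keep-state
+# Emby
+$cmd 61020 pass tcp from emby.siempie.local to nas.siempie.local 2049 keep-state # emby -> nas | nfs
+$cmd 61021 pass tcp from 'table(3)' to emby.siempie.local 8096 keep-state # rp -> emby | http
+$cmd 61022 pass tcp from arr.siempie.local to emby.siempie.local 8096 keep-state # arr -> emby | http
+$cmd 61023 pass tcp from blackbeard.siempie.local to emby.siempie.local 8096 keep-state # blackbeard -> emby | http
+$cmd 61024 pass tcp from 192.168.20.0/24 to emby.siempie.local 8096 keep-state # client-network -> emby | http
+# Gitea
+$cmd 61030 pass tcp from 'table(3)' to gitea.siempie.local 3000 keep-state # rp -> gitea-siempie | http
+$cmd 61031 pass tcp from 'table(3)' to gitea.siempie.local 3001 keep-state # rp -> gitea-hackerboys | http
+$cmd 61032 pass tcp from 'table(3)' to gitea.siempie.local 3002 keep-state # rp -> gitea-simoncornet | http
+# Grafana
+$cmd 61040 pass tcp from 'table(3)' to grafana.siempie.local 3000 keep-state # rp -> grafana | http
+$cmd 61042 pass udp from 'table(1)' to grafana.siempie.local 25826 keep-state # influxdb/collectd
+# Hackerboys
+$cmd 61050 pass tcp from hackerboys.siempie.local to nas.siempie.local 2049 keep-state # hackerboys -> nas | nfs
+$cmd 61051 pass tcp from 'table(3)' to hackerboys.siempie.local 3000 keep-state # rp -> rocketchat | http
+# Jitsi
+$cmd 61055 pass tcp from 'table(3)' to jitsi.siempie.local 443 keep-state # rp -> jitsi | https
+$cmd 61056 pass udp from any to jitsi.siempie.local 10000-20000 keep-state # voice
+# Mattermost
+$cmd 61060 pass tcp from mattermost.siempie.local to nas.siempie.local 2049 keep-state # mattermost -> nas | nfs
+$cmd 61061 pass tcp from 'table(3)' to mattermost.siempie.local 8065 keep-state # rp -> mattermost | http
+# Nextcloud
+$cmd 61070 pass tcp from nextcloud.siempie.local to nas.siempie.local 2049 keep-state # nextcloud -> nas | nfs
+$cmd 61071 pass tcp from 'table(3)' to nextcloud.siempie.local 443 keep-state # rp -> nextcloud | https
+$cmd 61072 pass tcp from nextcloud.siempie.local to smtp.transip.email 465 keep-state # nextcloud -> transip | smtp
+# phpIPAM
+$cmd 61075 pass tcp from 'table(3)' to phpipam.siempie.local 80 keep-state # rp -> phpipam | http
+# Rainloop
+$cmd 61090 pass tcp from rainloop.siempie.local to any 993 keep-state # imap
+$cmd 61091 pass tcp from rainloop.siempie.local to any 465 keep-state # smtp
+$cmd 61092 pass tcp from 'table(3)' to rainloop.siempie.local 80 keep-state # rp -> rainloop | http
+# Reverse Proxies
+$cmd 61100 pass tcp from 'table(3)' to nas.siempie.local 2049 keep-state # nfs
+$cmd 61101 pass tcp from 'table(3)' to 'table(2)' 80 keep-state # rp -> router | http
+$cmd 61102 pass { tcp or udp } from 'table(3)' to any 53 keep-state # dns
+$cmd 61103 pass tcp from lb.siempie.local to 'table(3)' 80 keep-state # lb -> rp | http
+$cmd 61104 pass tcp from lb.siempie.local to 'table(3)' 443 keep-state # lb -> rp | https
+# Rundeck
+$cmd 61115 pass tcp from rundeck.siempie.local to nas.siempie.local 2049 keep-state # nfs
+$cmd 61116 pass tcp from rundeck.siempie.local to any ssh keep-state # ssh
+$cmd 61117 pass tcp from 'table(3)' to rundeck.siempie.local 4440 keep-state # rp -> rundeck | http
+# Smokeping
+$cmd 61120 pass tcp from 'table(3)' to smokeping.siempie.local 80 keep-state # rp -> smokeping | http
+# Stack
+$cmd 61135 pass tcp from stack.siempie.local to nas.siempie.local 2049 keep-state # stack -> nas | nfs
+# Vault
+$cmd 61140 pass tcp from vault.siempie.local to nas.siempie.local 2049 keep-state # vault -> nas | nfs
+$cmd 61141 pass tcp from 'table(3)' to vault.siempie.local 443 keep-state # rp -> bitwarden | https
+# Unifi
+$cmd 61150 pass tcp from 'table(3)' to unifi.siempie.local 8443 keep-state # rp -> unifi | http
+$cmd 61151 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 3478 keep-state # ap-livingroom
+$cmd 61152 pass tcp from ap-livingroom.siempie.local to unifi.siempie.local 8080 keep-state # ap-livingroom
+$cmd 61153 pass udp from ap-livingroom.siempie.local to unifi.siempie.local 10001 keep-state # ap-livingroom
+$cmd 61154 pass udp from ap-attic.siempie.local to unifi.siempie.local 3478 keep-state # ap-attic
+$cmd 61155 pass tcp from ap-attic.siempie.local to unifi.siempie.local 8080 keep-state # ap-attic
+$cmd 61156 pass udp from ap-attic.siempie.local to unifi.siempie.local 10001 keep-state # ap-attic
+# Loadbalancer
+$cmd 61160 pass tcp from any to lb.siempie.local 80 keep-state # world -> lb | http
+$cmd 61161 pass tcp from any to lb.siempie.local 443 keep-state # world -> lb | https
+$cmd 61162 pass tcp from grafana.siempie.local to lb.siempie.local 81 keep-state # stats
+# SABnzbd
+$cmd 61170 pass tcp from 'table(3)' to sabnzbd.siempie.local 8080 keep-state # rp -> sabnzbd | http
+$cmd 61172 pass tcp from arr.siempie.local to sabnzbd.siempie.local 8080 keep-state # arr -> sabnzbd | http
+$cmd 61173 pass tcp from blackbeard.siempie.local to sabnzbd.siempie.local 8080 keep-state # blackbeard -> sabnzbd | http
+# Do-Chat
+$cmd 61175 pass tcp from do-chat.siempie.local to nas.siempie.local 2049 keep-state # do-chat -> nas | nfs
+$cmd 61176 pass tcp from 'table(3)' to do-chat.siempie.local 3000 keep-state # rocketchat | http
+# AdGuard-Home
+$cmd 61179 pass tcp from 'table(3)' to adguard.siempie.local 443 keep-state # rp -> adguard | https
+$cmd 61180 pass { tcp or udp } from adguard.siempie.local to any 53 keep-state # adguard -> world | dns
+$cmd 61181 pass tcp from adguard.siempie.local to any 853 keep-state # adguard -> world | dot
+# $cmd 61182 pass udp from nas.siempie.local to adguard.siempie.local 53 keep-state # router -> adguard | dns
+$cmd 61183 pass tcp from 'table(2)' to adguard.siempie.local 443 keep-state # router -> adguard | doh
+$cmd 61184 pass udp from 159.180.12.237 to adguard.siempie.local 53 keep-state # florian -> adguard | dns
+$cmd 61185 pass udp from 83.128.133.1 to adguard.siempie.local 53 keep-state # fresia -> adguard | dns
+# Do-Splunk
+$cmd 61190 pass udp from any to splunk.do.local 514 keep-state # allow syslog
+$cmd 61191 pass tcp from 'table(3)' to splunk.do.local 8000 keep-state # rp -> splunk | http
+# VMware
+$cmd 61195 pass tcp from esx01.siempie.local to nas.siempie.local 2049 keep-state # esx01 -> nas | nfs
+$cmd 61196 pass tcp from esx02.siempie.local to nas.siempie.local 2049 keep-state # esx02 -> nas | nfs
+$cmd 61197 pass tcp from esx03.siempie.local to nas.siempie.local 2049 keep-state # esx03 -> nas | nfs
+#################################################
+# Drop rules
+#################################################
+# Drop specific traffic
+$cmd 61200 drop ip from any to any 137 # block netbios
+$cmd 61201 drop ip from any to 224.0.22 any # block IGMPv3
+$cmd 61202 drop ip from any to 224.0.0.251 5353 # block mDNS
+$cmd 61203 drop ip from any to 224.0.0.252 5355 # block LLMNR
+$cmd 61204 drop ip from any to 239.254.127.63 48000 # block unifi stats
+$cmd 61205 drop ip from any to 239.255.255.250 1900 # block SSDP
+$cmd 61206 drop ip from any to 255.255.255.255 10001 # block unifi discovery spam
+# Default deny bridge0
+$cmd 61299 drop all from any to any via bridge0
+# Default deny bridge1
+$cmd 61399 drop all from any to any via bridge1
+# Default deny bridge2
+$cmd 61499 drop all from any to any via bridge2
+# Default deny bridge3
+$cmd 61599 drop all from any to any via bridge3
+# Default deny bridge4
+$cmd 61699 drop all from any to any via bridge4
+# Default deny + log
+$cmd drop log all from any to any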
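Review bot: The IGMPv3 drop at rule 61201 uses `224.0.22`, which is not a fully dotted address; the IGMPv3 membership-report group is 224.0.0.22, so the line should read `$cmd 61201 drop ip from any to 224.0.0.22 any # block IGMPv3` (a three-part address may happen to be parsed as 224.0.0.22 by the resolver, but that is not something a firewall policy should rely on). Separately, `$cmd pass tcp from any to any established` passes every TCP segment that is not a bare SYN regardless of the state table, so it is broader than the check-state/keep-state pairs that follow appear to intend; once every pass rule carries keep-state, that line can go. Most endpoints are DNS names (`*.siempie.local`) that ipfw resolves once when the script runs; a name that does not resolve at load time leaves its rule uninstalled, and since this is plain `/bin/sh` with no exit-status checks the script keeps going, so the loaded policy can silently differ from the file. Pinning those hosts as table entries, or checking each `$cmd` result, would make the two agree.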

14
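--- a/FreeBSD/vm/readme.md
+++ b/FreeBSD/vm/readme.md
@@ -0,0 +1,14 @@
+# vm-backup.bash
+Restore single line:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in < backup file > | \
+pigz -c -d -p 4 | \
+zfs receive -F < restore destination >
+```
+Example:
+```
+openssl enc -d -aes-256-ctr -a -pbkdf2 -iter 1000 -k supersecretstuff -in /tank/backup/vms/stack-2021-02-10.pigz.enc | \
+pigz -c -d -p 4 | \
+zfs receive -F zroot/vms/stack
+```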


@ -6,7 +6,9 @@ vm_dataset="zroot/vms"
vm_pid=`/usr/bin/pgrep -f "bhyve: $vm"`
backup_location="/tank/backup/vms/"
backup_date=`date "+%Y-%m-%d"`
enc_password="nDNmPPBPk7jQnwke"
enc_password="supersecretstuff"
default_state="started"
state="${2:-$default_state}"
# snapshot vm
echo ""
@ -33,11 +35,14 @@ for vm in $vm; do
sleep 1
## create snapshot
zfs snapshot $vm_dataset/$vm@$backup_date
zfs snapshot -r $vm_dataset/$vm@$backup_date
## start VM
## start VM if required
if [ $state = "started" ]
then
echo "Starting $vm"
(vm start $vm > /dev/null) >& /dev/null
fi
done
@ -50,14 +55,20 @@ for vm in $vm; do
sleep 1
## send snapshot to backup destination
zfs send $vm_dataset/$vm@$backup_date | \
zfs send -Rc $vm_dataset/$vm@$backup_date | \
pigz -c -p 4 | \
openssl enc -aes-256-ctr -a -pbkdf2 -iter 1000 -salt -k $enc_password \
openssl enc \
-aes-256-ctr \
-a \
-pbkdf2 \
-iter 1000 \
-salt \
-k $enc_password \
> $backup_location/$vm-$backup_date.pigz.enc
## delete snapshot
sleep 1
zfs destroy $vm_dataset/$vm@$backup_date
zfs destroy -r $vm_dataset/$vm@$backup_date
done