author | Andreas Fankhauser hiddenalpha.ch | 2024-09-21 00:05:18 +0200 |
committer | Andreas Fankhauser hiddenalpha.ch | 2024-09-21 00:05:18 +0200 |
commit | 018b4b5128048d76c732e70f30e8eab8286c2712 (patch) | |
tree | 1806ccd1b466ebcf539ba2972e791a8fbcb0cd6c | |
parent | 58b1aa187932b98488a7ab7316c77935613767d2 (diff) | |
Add some doc
- Add iptables rules examples.
- Doc how to mount nofail and bind-mount.
- Doc some cifs/SMB client and server configs.
- Add some old sqlite doc from worktree.
-rw-r--r-- | doc/note/iptables/rules.txt | 196 | ||||
-rw-r--r-- | doc/note/mount/fstab.txt | 10 | ||||
-rw-r--r-- | doc/note/qemu/qemu.txt | 9 | ||||
-rw-r--r-- | doc/note/samba/samba.txt | 65 | ||||
-rw-r--r-- | doc/note/sqlite/sqlite.txt | 23 |
5 files changed, 295 insertions, 8 deletions
diff --git a/doc/note/iptables/rules.txt b/doc/note/iptables/rules.txt
new file mode 100644
index 0000000..052647d
--- /dev/null
+++ b/doc/note/iptables/rules.txt
@@ -0,0 +1,196 @@
+
+*filter
+
+# Loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Drop corrupt (evil) null packets.
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+# Drop corrupt (evil) syn packets.
+-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Drop XMAS (corrupt/evil) packets
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+# Anti DoS attack
+#-A INPUT -p tcp --dport 1:1024 -m limit --limit 1/seconds --limit-burst 100 -j ACCEPT
+
+# DNS client
+#-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
+#-A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# mDNS (zeroconf, bonjour)
+#-A INPUT -p udp --sport 5353 --dport 5353 -j ACCEPT
+#-A OUTPUT -p udp --dport 5353 --sport 5353 -j ACCEPT
+
+# DHCP client
+#-A OUTPUT -p udp --dport 67:68 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
+
+# Ping client
+#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# Ping server
+#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# Traceroute client
+#-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+#-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --dports 33434:33523 -j ACCEPT
+#-A INPUT -p udp -m udp --match multiport --sports 33434:33523 -j ACCEPT
+
+# Traceroute server
+#-A INPUT -p icmp --icmp-type 8 -j ACCEPT
+#-A INPUT -p udp --dport 33434:33523 -j REJECT
+
+# NTP client
+# May the part "-m state --state ESTABLISHED,RELATED" has to be dropped (not tested yet).
+#-A OUTPUT -p udp --dport 123 -j ACCEPT
+#-A INPUT -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# NTP Server
+#-A INPUT -p udp --dport 123 -j ACCEPT
+#-A OUTPUT -p udp --sport 123 -j ACCEPT
+
+# SSH client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
+
+# SSH client (for hiddn)
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 10022 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 10022 -j ACCEPT
+
+# SSH client (for brgmt)
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 5566 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 5566 -j ACCEPT
+
+# SSH server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
+
+# OpenVPN client
+#-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
+
+# OpenVPN server
+#-A INPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
+#-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
+
+# Web client
+#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT
+
+# Web server (HTTPS)
+#-A INPUT -p tcp --dport 443 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Web server (HTTP)
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# FTP client (control)
+#-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+#-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+# (Passive mode)
+#-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
+#-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+# (Active mode)
+#-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+#-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+
+# FTP server (control)
+#-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# (Active mode)
+#-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# (Passive mode)
+#-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# CUPS client (to connect to printers)
+#-A OUTPUT -p udp --dport 161 -j ACCEPT
+#-A INPUT -p udp --sport 161 -j ACCEPT
+#-A OUTPUT -p tcp --dport 631 -j ACCEPT
+#-A INPUT -p tcp --sport 631 -j ACCEPT
+
+# Socket printing client
+#-A OUTPUT -p tcp -m tcp --dport 9100 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 9100 -j ACCEPT
+
+# CUPS server (only required for remote access)
+#-A INPUT -p udp --dport 631 -j ACCEPT
+#-A INPUT -p tcp --dport 631 -j ACCEPT
+#-A OUTPUT -p tcp --sport 631 -j ACCEPT
+#-A OUTPUT -p tcp --sport 631 -j ACCEPT
+
+# POP3 client
+#-A OUTPUT -p tcp --dport 995 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT
+
+# SMTP client
+#-A OUTPUT -p tcp --dport 465 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT
+
+# IMAP client
+#-A OUTPUT -p tcp --dport 993 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT
+
+# Whois client
+#-A OUTPUT -p tcp --dport 43 -j ACCEPT
+#-A INPUT -p tcp --sport 43 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Git client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 9418 -j ACCEPT
+
+# Git server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 9418 -j ACCEPT
+
+# Samba (SMB) Client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 139 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 445 -j ACCEPT
+#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 139 -j ACCEPT
+#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 445 -j ACCEPT
+
+# Samba (SMB) Server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 139 -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 445 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 139 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 445 -j ACCEPT
+
+# MsTeams/MsSkype clients (in addition to TCP 80 & 443)
+#-A OUTPUT -p udp --match multiport --dports 3478:3481 -j ACCEPT
+#-A INPUT -p udp --match multiport --sports 3478:3481 -j ACCEPT
+
+# Some client ports for debugging.
+#-A OUTPUT -p tcp -m tcp --match multiport --dports 1230:1239 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --match multiport --sports 1230:1239 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --dports 1230:1239 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED,RELATED --match multiport --sports 1230:1239 -j ACCEPT
+
+# Some server ports for debugging.
+#-A INPUT -p tcp --match multiport --dports 1230:1239 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --match multiport --sports 1230:1239 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A INPUT -p udp --match multiport --dports 1230:1239 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --sports 1230:1239 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Log blocked connection attemps
+#-A INPUT -j LOG --log-prefix "FwBadInn: " --log-level 6
+-A FORWARD -j LOG --log-prefix "FwBadFwd: " --log-level 6
+-A OUTPUT -j LOG --log-prefix "FwBadOut: " --log-level 6
+
+# Disallow any non-whitelisted packets (Use either DROP or REJECT. Your choice)
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+-A OUTPUT -j REJECT
+
+COMMIT
+
diff --git a/doc/note/mount/fstab.txt b/doc/note/mount/fstab.txt
index de642ce..d309148 100644
--- a/doc/note/mount/fstab.txt
+++ b/doc/note/mount/fstab.txt
@@ -2,6 +2,16 @@ fstab
 =====
+## Prevent boot hang on mount errors
+
+/src /dst theType nofail 0 0
+
+
+## Make a bind mount from fstab
+
+/src /dst none bind 0 0
+
+
 ## Moving firefox cache to RAM
 Effect: Faster at runtime, slower at startup.
diff --git a/doc/note/qemu/qemu.txt b/doc/note/qemu/qemu.txt
index 728e97e..944d4cb 100644
--- a/doc/note/qemu/qemu.txt
+++ b/doc/note/qemu/qemu.txt
@@ -167,14 +167,7 @@ true `# SMB client debian` \
 guest ok = yes
 force user = usernameFromHost
-
-### Add those in "/etc/fstab" to setup mount automatically at boot:
-### HINT: mkdir /home/user/build
- //10.0.2.2/sharename /mnt/sharename cifs password=,uid=1000,gid=1000,user,vers=3.0 0 0
- /home/user/build /mnt/sharename/build none bind 0 0
-
-List smb shares (eg debugging)
- smbclient -NL //10.0.2.2
+See also "../samba/samba.txt".
 ## Shared host dir via NFS (handy for broken windoof hosts)
diff --git a/doc/note/samba/samba.txt b/doc/note/samba/samba.txt
new file mode 100644
index 0000000..92c89fd
--- /dev/null
+++ b/doc/note/samba/samba.txt
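Review bot: Several INPUT examples in rules.txt accept on source port alone with no conntrack state match — the CUPS client lines `#-A INPUT -p udp --sport 161 -j ACCEPT` and `#-A INPUT -p tcp --sport 631 -j ACCEPT`, the mDNS `--sport 5353` line, the traceroute-client `--sports 33434:33523` line and the MsTeams `--sports 3478:3481` line. The source port is chosen by the sender, so once uncommented each of these is a stateless allow from any host to every local port (a scanner only has to set `-g 631`); they should carry `-m state --state ESTABLISHED,RELATED` like the other client rules, or the file should open with one `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` (plus `-m conntrack --ctstate INVALID -j DROP`) and keep only OUTPUT rules per client service. The "Anti DoS" line is also worth a caveat in its comment: it is an unconditional ACCEPT to ports 1:1024 placed above the whitelist, `--limit` counts packets rather than connections so 1/s would throttle even a single SSH session, and the unit spelling `1/seconds` looks like it would be rejected by iptables, which expects `/second`, `/sec` or `/s` — please confirm against the iptables version in use. The three LOG rules should be rate-limited (`-m limit --limit 5/min --limit-burst 10`) so a flood of rejected packets cannot saturate syslog.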
@@ -0,0 +1,65 @@
+
+Samba (aka SMB, ServerMessageBlock)
+===================================
+
+
+ && $SUDO apt install --no-install-recommends samba
+
+
+## List smb shares on a remote
+
+ $SUDO apt install --no-install-recommends smbclient
+ smbclient -NL //10.0.2.2
+
+
+## Mount a share
+
+Variant for "/etc/fstab" (make sure mount dir exists):
+
+//10.0.2.2/sharename /mnt/sharename cifs password=,uid=1000,gid=1000,user,vers=3.0 0 0
+
+
+## Fix silly resolve issues (smb.conf)
+
+[global]
+ name resolve order = host lmhosts wins bcast
+
+
+## Base config for "/etc/samba/smb.conf"
+
+[global]
+ workgroup = WORKGROUP
+ interfaces = 127.0.0.0/8
+ bind interfaces only = yes
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ logging = file
+ panic action = /usr/share/samba/panic-action %d
+ server role = standalone server
+ obey pam restrictions = yes
+ unix password sync = yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ pam password change = yes
+ map to guest = bad user
+ usershare allow guests = yes
+
+
+## Example shares (for "/etc/samba/smb.conf")
+
+[net-visible-share-name]
+ path = /server/path/to/be/shared
+ public = no # <- TODO explain
+ writeable = yes # TODO explain
+ guest ok = yes
+ force user = allClientsWillLookLikeThisUsername
+ #create mask = 0640
+ #directory mask = 0770
+
+
+
+## Refs
+
+[smb hostname resolve bug](https://serverfault.com/a/609377/673216)
+
+
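Review bot: In the example share, `public = no` and `guest ok = yes` contradict each other — `public` is only a synonym for `guest ok` in smb.conf, and the later line in the section wins, so the share is guest-accessible and, combined with `writeable = yes` and `force user = ...`, every anonymous client that can reach the daemon writes as that user. That is tolerable here only because the `[global]` block binds to `127.0.0.0/8` with `bind interfaces only = yes`; the two TODO comments should say exactly that, e.g. `public = no      # synonym of "guest ok"; overridden by the "guest ok = yes" below` and `writeable = yes  # with guest ok + force user: any anonymous client writes as that user — keep "interfaces" on loopback`. The fstab line passes an empty `password=` inline and the `user` option lets any local user mount it; the note should mention `credentials=/root/.smbcred` (mode 0600) as the form to use once a real password is involved. Consider also recording `server min protocol = SMB2` in the base config so the note does not depend on the distro default while the client side already pins `vers=3.0`.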
@@ -0,0 +1,23 @@
+
+
+## How to merge two DBs with same schema
+
+BEGIN TRANSACTION;
+ATTACH 'gugus.db' AS other;
+INSERT INTO "Foo" SELECT * FROM "other"."Foo";
+INSERT INTO "Bar" SELECT * FROM "other"."Bar";
+COMMIT;
+DETACH other;
+
+
+ATTACH 'bekb-2023.db' AS other;
+INSERT INTO "Account" SELECT * FROM "other"."Account";
+INSERT INTO "Currency" SELECT * FROM "other"."Currency";
+INSERT INTO "AccountType" SELECT * FROM "other"."AccountType";
+INSERT INTO "Transaction" SELECT * FROM "other"."Transaction";
+
+
+## import CSV
+
+ sqlite3 foo.db -bail -cmd '.mode csv' -cmd '.separator ;' -cmd '.import foo.csv FooTable'
+