authorAndreas Fankhauser hiddenalpha.ch2024-09-21 00:05:18 +0200
committerAndreas Fankhauser hiddenalpha.ch2024-09-21 00:05:18 +0200
commit018b4b5128048d76c732e70f30e8eab8286c2712 (patch)
tree1806ccd1b466ebcf539ba2972e791a8fbcb0cd6c
parent58b1aa187932b98488a7ab7316c77935613767d2 (diff)
Add some doc
- Add iptables rule examples. - Document how to mount with nofail and how to bind-mount from fstab. - Document some cifs/SMB client and server configs. - Add some old sqlite notes from the worktree.
-rw-r--r--doc/note/iptables/rules.txt196
-rw-r--r--doc/note/mount/fstab.txt10
-rw-r--r--doc/note/qemu/qemu.txt9
-rw-r--r--doc/note/samba/samba.txt65
-rw-r--r--doc/note/sqlite/sqlite.txt23
5 files changed, 295 insertions, 8 deletions
diff --git a/doc/note/iptables/rules.txt b/doc/note/iptables/rules.txt
new file mode 100644
index 0000000..052647d
--- /dev/null
+++ b/doc/note/iptables/rules.txt
@@ -0,0 +1,196 @@
+
+*filter
+
+# Loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Drop corrupt (evil) null packets.
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+# Drop corrupt (evil) syn packets.
+-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Drop XMAS (corrupt/evil) packets
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+# Anti DoS attack
+#-A INPUT -p tcp --dport 1:1024 -m limit --limit 1/seconds --limit-burst 100 -j ACCEPT
+
+# DNS client
+#-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
+#-A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# mDNS (zeroconf, bonjour)
+#-A INPUT -p udp --sport 5353 --dport 5353 -j ACCEPT
+#-A OUTPUT -p udp --dport 5353 --sport 5353 -j ACCEPT
+
+# DHCP client
+#-A OUTPUT -p udp --dport 67:68 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
+
+# Ping client
+#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# Ping server
+#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# Traceroute client
+#-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+#-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --dports 33434:33523 -j ACCEPT
+#-A INPUT -p udp -m udp --match multiport --sports 33434:33523 -j ACCEPT
+
+# Traceroute server
+#-A INPUT -p icmp --icmp-type 8 -j ACCEPT
+#-A INPUT -p udp --dport 33434:33523 -j REJECT
+
+# NTP client
+# May the part "-m state --state ESTABLISHED,RELATED" has to be dropped (not tested yet).
+#-A OUTPUT -p udp --dport 123 -j ACCEPT
+#-A INPUT -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# NTP Server
+#-A INPUT -p udp --dport 123 -j ACCEPT
+#-A OUTPUT -p udp --sport 123 -j ACCEPT
+
+# SSH client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
+
+# SSH client (for hiddn)
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 10022 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 10022 -j ACCEPT
+
+# SSH client (for brgmt)
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 5566 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 5566 -j ACCEPT
+
+# SSH server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
+
+# OpenVPN client
+#-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
+
+# OpenVPN server
+#-A INPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
+#-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
+
+# Web client
+#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT
+
+# Web server (HTTPS)
+#-A INPUT -p tcp --dport 443 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Web server (HTTP)
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# FTP client (control)
+#-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+#-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+# (Passive mode)
+#-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
+#-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+# (Active mode)
+#-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+#-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+
+# FTP server (control)
+#-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# (Active mode)
+#-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# (Passive mode)
+#-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# CUPS client (to connect to printers)
+#-A OUTPUT -p udp --dport 161 -j ACCEPT
+#-A INPUT -p udp --sport 161 -j ACCEPT
+#-A OUTPUT -p tcp --dport 631 -j ACCEPT
+#-A INPUT -p tcp --sport 631 -j ACCEPT
+
+# Socket printing client
+#-A OUTPUT -p tcp -m tcp --dport 9100 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 9100 -j ACCEPT
+
+# CUPS server (only required for remote access)
+#-A INPUT -p udp --dport 631 -j ACCEPT
+#-A INPUT -p tcp --dport 631 -j ACCEPT
+#-A OUTPUT -p tcp --sport 631 -j ACCEPT
+#-A OUTPUT -p tcp --sport 631 -j ACCEPT
+
+# POP3 client
+#-A OUTPUT -p tcp --dport 995 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT
+
+# SMTP client
+#-A OUTPUT -p tcp --dport 465 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT
+
+# IMAP client
+#-A OUTPUT -p tcp --dport 993 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT
+
+# Whois client
+#-A OUTPUT -p tcp --dport 43 -j ACCEPT
+#-A INPUT -p tcp --sport 43 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Git client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED --sport 9418 -j ACCEPT
+
+# Git server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 9418 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 9418 -j ACCEPT
+
+# Samba (SMB) Client
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 139 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 445 -j ACCEPT
+#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 139 -j ACCEPT
+#-A INPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 445 -j ACCEPT
+
+# Samba (SMB) Server
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 139 -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 445 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 139 -j ACCEPT
+#-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED --sport 445 -j ACCEPT
+
+# MsTeams/MsSkype clients (in addition to TCP 80 & 443)
+#-A OUTPUT -p udp --match multiport --dports 3478:3481 -j ACCEPT
+#-A INPUT -p udp --match multiport --sports 3478:3481 -j ACCEPT
+
+# Some client ports for debugging.
+#-A OUTPUT -p tcp -m tcp --match multiport --dports 1230:1239 -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --match multiport --sports 1230:1239 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --dports 1230:1239 -j ACCEPT
+#-A INPUT -p udp -m state --state ESTABLISHED,RELATED --match multiport --sports 1230:1239 -j ACCEPT
+
+# Some server ports for debugging.
+#-A INPUT -p tcp --match multiport --dports 1230:1239 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --match multiport --sports 1230:1239 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A INPUT -p udp --match multiport --dports 1230:1239 -j ACCEPT
+#-A OUTPUT -p udp -m udp --match multiport --sports 1230:1239 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Log blocked connection attemps
+#-A INPUT -j LOG --log-prefix "FwBadInn: " --log-level 6
+-A FORWARD -j LOG --log-prefix "FwBadFwd: " --log-level 6
+-A OUTPUT -j LOG --log-prefix "FwBadOut: " --log-level 6
+
+# Disallow any non-whitelisted packets (Use either DROP or REJECT. Your choice)
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+-A OUTPUT -j REJECT
+
+COMMIT
+
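Review bot: Several of the commented-out INPUT rules accept inbound packets on source port alone with no connection-state match, so once uncommented any remote host can reach every local port simply by sending from that source port: the CUPS client pair `-A INPUT -p udp --sport 161 -j ACCEPT` / `-A INPUT -p tcp --sport 631 -j ACCEPT`, and likewise the traceroute `--sports 33434:33523`, the ping `echo-reply` and the Teams `--sports 3478:3481` lines. The DNS, NTP and socket-printing client entries already show the safe shape; the CUPS lines should read `-A INPUT -p udp --sport 161 -m state --state ESTABLISHED,RELATED -j ACCEPT` and `-A INPUT -p tcp --sport 631 -m state --state ESTABLISHED,RELATED -j ACCEPT`. A comment near the top such as `# Every INPUT "reply" rule must carry -m state --state ESTABLISHED,RELATED; a bare --sport match is trivially spoofable` would keep future entries honest. Minor: the Anti-DoS line only ACCEPTs the rate-limited share and lets the excess fall through to the later rules, so it needs a DROP rule directly after it to have any effect, and the INPUT LOG rule is the one chain log that is commented out, so rejected inbound attempts are the ones that go unlogged.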
diff --git a/doc/note/mount/fstab.txt b/doc/note/mount/fstab.txt
index de642ce..d309148 100644
--- a/doc/note/mount/fstab.txt
+++ b/doc/note/mount/fstab.txt
@@ -2,6 +2,16 @@
fstab
=====
+## Prevent boot hang on mount errors
+
+/src /dst theType nofail 0 0
+
+
+## Make a bind mount from fstab
+
+/src /dst none bind 0 0
+
+
## Moving firefox cache to RAM
Effect: Faster at runtime, slower at startup.
diff --git a/doc/note/qemu/qemu.txt b/doc/note/qemu/qemu.txt
index 728e97e..944d4cb 100644
--- a/doc/note/qemu/qemu.txt
+++ b/doc/note/qemu/qemu.txt
@@ -167,14 +167,7 @@ true `# SMB client debian` \
guest ok = yes
force user = usernameFromHost
-
-### Add those in "/etc/fstab" to setup mount automatically at boot:
-### HINT: mkdir /home/user/build
- //10.0.2.2/sharename /mnt/sharename cifs password=,uid=1000,gid=1000,user,vers=3.0 0 0
- /home/user/build /mnt/sharename/build none bind 0 0
-
-List smb shares (eg debugging)
- smbclient -NL //10.0.2.2
+See also "../samba/samba.txt".
## Shared host dir via NFS (handy for broken windoof hosts)
diff --git a/doc/note/samba/samba.txt b/doc/note/samba/samba.txt
new file mode 100644
index 0000000..92c89fd
--- /dev/null
+++ b/doc/note/samba/samba.txt
@@ -0,0 +1,65 @@
+
+Samba (aka SMB, ServerMessageBlock)
+===================================
+
+
+ && $SUDO apt install --no-install-recommends samba
+
+
+## List smb shares on a remote
+
+ $SUDO apt install --no-install-recommends smbclient
+ smbclient -NL //10.0.2.2
+
+
+## Mount a share
+
+Variant for "/etc/fstab" (make sure mount dir exists):
+
+//10.0.2.2/sharename /mnt/sharename cifs password=,uid=1000,gid=1000,user,vers=3.0 0 0
+
+
+## Fix silly resolve issues (smb.conf)
+
+[global]
+ name resolve order = host lmhosts wins bcast
+
+
+## Base config for "/etc/samba/smb.conf"
+
+[global]
+ workgroup = WORKGROUP
+ interfaces = 127.0.0.0/8
+ bind interfaces only = yes
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ logging = file
+ panic action = /usr/share/samba/panic-action %d
+ server role = standalone server
+ obey pam restrictions = yes
+ unix password sync = yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ pam password change = yes
+ map to guest = bad user
+ usershare allow guests = yes
+
+
+## Example shares (for "/etc/samba/smb.conf")
+
+[net-visible-share-name]
+ path = /server/path/to/be/shared
+ public = no # <- TODO explain
+ writeable = yes # TODO explain
+ guest ok = yes
+ force user = allClientsWillLookLikeThisUsername
+ #create mask = 0640
+ #directory mask = 0770
+
+
+
+## Refs
+
+[smb hostname resolve bug](https://serverfault.com/a/609377/673216)
+
+
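Review bot: smb.conf only treats lines that begin with `#` or `;` as comments, so the trailing `# <- TODO explain` and `# TODO explain` on the share's `public` and `writeable` lines become part of the value (`no # <- TODO explain`) and are likely to be reported as bad boolean values by testparm rather than act as documentation; put the explanations on their own lines above the parameters. Note also that `public` is a synonym for `guest ok`, so with `public = no` followed by `guest ok = yes` the later setting should win and the share is guest-accessible, and combined with `writeable = yes` and `force user` every unauthenticated client writes as that user — the global `interfaces = 127.0.0.0/8` / `bind interfaces only = yes` is what keeps that off the network, which is worth stating next to the share, e.g. `; guest writes run as "force user"; safe only because [global] binds to loopback`. The leading `&&` on the `apt install --no-install-recommends samba` line looks like a leftover from a longer command chain.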
diff --git a/doc/note/sqlite/sqlite.txt b/doc/note/sqlite/sqlite.txt
new file mode 100644
index 0000000..eeb5aac
--- /dev/null
+++ b/doc/note/sqlite/sqlite.txt
@@ -0,0 +1,23 @@
+
+
+## How to merge two DBs with same schema
+
+BEGIN TRANSACTION;
+ATTACH 'gugus.db' AS other;
+INSERT INTO "Foo" SELECT * FROM "other"."Foo";
+INSERT INTO "Bar" SELECT * FROM "other"."Bar";
+COMMIT;
+DETACH other;
+
+
+ATTACH 'bekb-2023.db' AS other;
+INSERT INTO "Account" SELECT * FROM "other"."Account";
+INSERT INTO "Currency" SELECT * FROM "other"."Currency";
+INSERT INTO "AccountType" SELECT * FROM "other"."AccountType";
+INSERT INTO "Transaction" SELECT * FROM "other"."Transaction";
+
+
+## import CSV
+
+ sqlite3 foo.db -bail -cmd '.mode csv' -cmd '.separator ;' -cmd '.import foo.csv FooTable'
+
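Review bot: The second merge block (`ATTACH 'bekb-2023.db' AS other;` …) runs its four INSERTs outside a transaction, so a failure part way through (for example a PRIMARY KEY or UNIQUE collision between the two files) leaves the target half merged, and it never DETACHes; wrap it in `BEGIN TRANSACTION;` / `COMMIT;` like the first block and finish with `DETACH other;`. Both blocks rely on `INSERT INTO t SELECT *`, which matches columns by position, so a note such as `-- both DBs must have identical column order; use explicit column lists otherwise` would prevent a silent mis-merge. For the CSV import, the sqlite3 shell appears to use the first row as column names only when the target table does not exist yet; if `FooTable` already exists the header row is imported as data, so the note should say that the table must not pre-exist or, on newer shells, add `--skip 1` to the `.import` command.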