Diffstat (limited to 'etc')
| -rw-r--r-- | etc/dnsmasq.conf | 2 | ||||
| -rw-r--r-- | etc/dovecot/dovecot.conf | 38 | ||||
| -rw-r--r-- | etc/gai.conf | 65 | ||||
| -rw-r--r-- | etc/myconf/cfgl_meta | 6 | ||||
| -rw-r--r-- | etc/netns/ns0/nftables.conf | 6 | ||||
| -rw-r--r-- | etc/nftables.conf | 6 | ||||
| -rw-r--r-- | etc/postfix/main.cf | 2 | ||||
| -rw-r--r-- | etc/services | 26 | ||||
| -rw-r--r-- | etc/ssh/ssh_config.d/my_ssh_config.conf | 2 | ||||
| -rw-r--r-- | etc/sudoers | 2 | ||||
| -rw-r--r-- | etc/systemd/system/sshd-ns0.service | 19 | ||||
| -rw-r--r-- | etc/systemd/system/swgp-go.service.d/override.conf | 5 |
12 files changed, 138 insertions, 41 deletions
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
index 9ab206b1..743f55aa 100644
--- a/etc/dnsmasq.conf
+++ b/etc/dnsmasq.conf
@@ -118,7 +118,7 @@ no-resolv
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-listen-address=::1,127.0.0.1
+#listen-address=
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf
index e7d11a07..b4001ada 100644
--- a/etc/dovecot/dovecot.conf
+++ b/etc/dovecot/dovecot.conf
@@ -1,8 +1,23 @@
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings
+# needed for 2.4
+dovecot_config_version = 2.4.2
+dovecot_storage_version = 2.4.2
+
 # Edited from `doveconf -nP`, see https://doc.dovecot.org/2.3/configuration_manual/quick_configuration/#split-configuration-files
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+# > mail_location setting & mail userdb field Split into multiple mail_* settings.
+mail_driver = maildir
+mail_path = ~/Mail
+# https://doc.dovecot.org/2.4.1/core/config/mail_location.html#mail_inbox_path
+mail_inbox_path = ~/Mail/Inbox
+# https://doc.dovecot.org/2.4.1/core/config/mailbox_formats/maildir.html#directory-layout
+# > use hierarchical directories, such as Maildir/folder/ Maildir/folder/subfolder/
+mailbox_list_layout = fs
 namespace inbox {
 inbox = yes
- location =
+ # https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+ # namespace { location } setting is changed in 2.4, it is kinda no need to
+ # so I just removed, not remove will error
 mailbox Archive {
 auto = subscribe
 special_use = \Archive
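Review bot: Commenting out `listen-address=::1,127.0.0.1` removes the only visible restriction on where dnsmasq listens, and with neither `interface=` nor `bind-interfaces` present in this hunk dnsmasq's default is to accept queries on every interface, so port 53 becomes reachable on each address the host has unless the firewall drops it (the etc/nftables.conf hunk below shows no accept for `domain`, but only part of that chain is visible). If the resolver is meant for local use, keep an explicit bind such as `listen-address=::1,127.0.0.1` with `bind-interfaces`, or name the trusted interface with `interface=`; at minimum `local-service` limits answers to directly attached subnets and keeps the host out of amplification traffic. If the intent is to also serve the WireGuard peers, naming that interface explicitly would document it and still keep the public interface out.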
@@ -29,7 +44,9 @@ namespace inbox {
 }
 prefix =
 }
-passdb {
+# https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html#passdb-userdb-section-naming
+# > passdb and userdb sections now require a name
+passdb some_name {
 driver = pam
 }
 service auth {
@@ -40,9 +57,16 @@ service auth {
 }
 }
 ssl = required
-ssl_cert = </etc/postfix/flylightning.pem
-ssl_dh = </etc/dovecot/dh.pem
-ssl_key = </etc/postfix/flylightning.key
-userdb {
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+# ssl_cert, ssl_dh, ssl_key name changed
+ssl_server_cert_file = /etc/postfix/flylightning.pem
+ssl_server_dh_file = /etc/dovecot/dh.pem
+ssl_server_key_file = /etc/postfix/flylightning.key
+userdb some_name {
 driver = passwd
 }
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings
+# > No protocols are enabled by default.
+# In the past, imap pop3 lmtp are enabled by default. Now none I only need
+# imaps, so I put imap here
+protocols = imap
diff --git a/etc/gai.conf b/etc/gai.conf
new file mode 100644
index 00000000..ac96e422
--- /dev/null
+++ b/etc/gai.conf
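Review bot: `protocols = imap` by default brings up both the `imap` (143) and `imaps` (993) listeners of `imap-login`, so the "I only need imaps" goal stated in the comment currently rests on the etc/nftables.conf change that comments out `tcp dport imap`, not on Dovecot itself. If plaintext-port IMAP is not wanted, close it in the daemon as well so it stays shut even when the ruleset is reloaded without that rule: `service imap-login { inet_listener imap { port = 0 } }`. `ssl_server_key_file` now points at the same private key Postfix uses; presumably Dovecot still reads it before dropping privileges as it did with `ssl_key = <`, so the file can stay root-only — confirm against the 2.4 docs rather than widening its mode. The placeholder names `passdb some_name` / `userdb some_name` are harmless but would read better as `passdb pam` and `userdb passwd`.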
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload <yes|no>
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label <mask> <value>
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence <mask> <value>
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+#precedence ::1/128 50
+#precedence ::/0 40
+#precedence 2002::/16 30
+#precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4 <mask> <value>
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 69812ef9..6c9f2ab2 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -8,6 +8,7 @@
 755 root root //etc/dovecot
 644 root root //etc/dovecot/dovecot.conf
 644 root root //etc/fstab
+644 root root //etc/gai.conf
 644 root root //etc/hostname
 644 root root //etc/locale.conf
 644 root root //etc/locale.gen
@@ -34,8 +35,6 @@
 644 root root //etc/resolv.conf
 644 root root //etc/services
 755 root root //etc/ssh
-755 root root //etc/ssh/ssh_config.d
-644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf
 644 root root //etc/ssh/sshd_config
 440 root root //etc/sudoers
 755 root root //etc/systemd
@@ -54,8 +53,7 @@
 644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf
 755 root root //etc/systemd/system/qbittorrent-nox@.service.d
 644 root root //etc/systemd/system/qbittorrent-nox@.service.d/override.conf
-755 root root //etc/systemd/system/swgp-go.service.d
-644 root root //etc/systemd/system/swgp-go.service.d/override.conf
+644 root root //etc/systemd/system/sshd-ns0.service
 755 root root //etc/systemd/system/wg-quick@.service.d
 644 root root //etc/systemd/system/wg-quick@.service.d/override.conf
 755 root root //etc/tmpfiles.d
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
index b0c1237c..d0643505 100644
--- a/etc/netns/ns0/nftables.conf
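Review bot: The only active directive in this new file is `precedence ::ffff:0:0/96 100`; everything else is the stock glibc template, so the reason this host prefers IPv4 for outbound connections is recorded nowhere. A short comment directly above that line, e.g. `# prefer IPv4 destinations on this host: <reason>`, would keep the intent next to the setting, and it should be kept consistent with `inet_protocols = ipv4`, which appears as context in the etc/postfix/main.cf hunk. Note that this only changes how getaddrinfo(3) orders results for outgoing connections; it does not affect which addresses services listen on.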
+++ b/etc/netns/ns0/nftables.conf
@@ -22,17 +22,17 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
+ iifname $wg_iface ip saddr 10.0.0.1 accept comment "allow from wireguard insp ip"
+ iifname $wg_iface ip6 saddr fdc9:281f:04d7:9ee9::1 accept comment "allow from wireguard insp ip"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
- #tcp dport ssh accept
+ tcp dport ssh accept
 #tcp dport qbt-nox accept
 tcp dport qbt accept
 udp dport qbt accept
 #tcp dport iperf3 accept
 udp dport wireguard accept
- udp dport swgp accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
diff --git a/etc/nftables.conf b/etc/nftables.conf
index ebf4a082..6aed40f0 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -32,12 +32,12 @@ table inet my_table {
 tcp dport http accept
 # email related ports
 tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
+ #tcp dport pop3 accept
+ #tcp dport imap accept
 tcp dport submissions accept
 tcp dport submission accept
 tcp dport imaps accept
- tcp dport pop3s accept
+ #tcp dport pop3s accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index a919bc84..f7b2a56b 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -743,5 +743,5 @@ sample_directory = /etc/postfix # readme_directory = /usr/share/doc/postfix inet_protocols = ipv4 -meta_directory = /etc/postfix shlib_directory = /usr/lib/postfix +meta_directory = /etc/postfix
diff --git a/etc/services b/etc/services
index b7d2fd1c..e42132f7 100644
--- a/etc/services
+++ b/etc/services
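Review bot: `tcp dport ssh accept` is uncommented without an input-interface match, so inside ns0 port 22 is now open on every interface in the namespace, including the one that must be reachable from outside for `udp dport wireguard accept` to be useful; the narrowing done by the two new `iifname $wg_iface ... saddr` rules above it therefore does not apply to SSH, since those per-peer rules already accept all traffic from that peer and this broader rule adds everyone else. If SSH is only meant to arrive over the tunnel, scope it the same way, `iifname $wg_iface tcp dport ssh accept`, or drop the rule and rely on the per-peer accepts. The `ip saddr` / `ip6 saddr` matches are only trustworthy because WireGuard itself discards packets whose inner source lies outside the peer's AllowedIPs, which is worth saying in the rule comment (and "insp ip" reads like a typo). The chain's opening lines, and so its hook and default policy, are outside the hunk.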
@@ -455,6 +455,7 @@ fxp 286/tcp
 fxp 286/udp
 k-block 287/tcp
 k-block 287/udp
+tacacss 300/tcp
 novastorbakcup 308/tcp
 novastorbakcup 308/udp
 entrusttime 309/tcp
@@ -1315,12 +1316,6 @@ pkix-3-ca-ra 829/tcp
 pkix-3-ca-ra 829/udp
 netconf-ssh 830/tcp
 netconf-ssh 830/udp
-netconf-beep 831/tcp
-netconf-beep 831/udp
-netconfsoaphttp 832/tcp
-netconfsoaphttp 832/udp
-netconfsoapbeep 833/tcp
-netconfsoapbeep 833/udp
 dhcp-failover2 847/tcp
 dhcp-failover2 847/udp
 gdoi 848/tcp
@@ -7675,8 +7670,8 @@ perrla 4313/tcp
 choiceview-agt 4314/tcp
 choiceview-clt 4316/tcp
 opentelemetry 4317/tcp
-fox-skytale 4319/tcp
-fox-skytale 4319/udp
+skytale 4319/tcp
+skytale 4319/udp
 fdt-rcatp 4320/tcp
 fdt-rcatp 4320/udp
 rwhois 4321/tcp
@@ -7799,8 +7794,8 @@ netcabinet-com 4409/tcp
 itwo-server 4410/tcp
 found 4411/tcp
 smallchat 4412/udp
-avi-nms 4413/tcp
-avi-nms-disc 4413/udp
+vision-mon 4413/tcp
+vision-mon-disc 4413/udp
 updog 4414/tcp
 brcd-vr-req 4415/tcp
 pjj-player 4416/tcp
@@ -7875,6 +7870,7 @@ awacs-ice 4488/udp
 ipsec-nat-t 4500/tcp
 ipsec-nat-t 4500/udp
 a25-fap-fgw 4502/sctp
+m-bus-oms 4503/udp
 armagetronad 4534/udp
 ehs 4535/tcp
 ehs 4535/udp
@@ -8094,6 +8090,7 @@ vxlan-gpe 4790/udp
 roce 4791/udp
 unified-bus 4792/tcp
 unified-bus 4792/udp
+uet 4793/udp
 iims 4800/tcp
 iims 4800/udp
 iwec 4801/tcp
@@ -10479,6 +10476,7 @@ odnsp 9966/udp
 xybrid-rt 9978/tcp
 visweather 9979/tcp
 pumpkindb 9981/tcp
+kaostransport 9986/tcp
 dsm-scm-target 9987/tcp
 dsm-scm-target 9987/udp
 nsesrvr 9988/tcp
@@ -11014,6 +11012,7 @@ notezilla-lan 21010/tcp
 trinket-agent 21212/tcp
 cohesity-agent 21213/tcp
 aigairserver 21221/tcp
+xahaud 21337/tcp
 rdm-tfs 21553/tcp
 dfserver 21554/tcp
 dfserver 21554/udp
@@ -11128,6 +11127,7 @@ binkp 24554/tcp
 binkp 24554/udp
 bilobit 24577/tcp
 bilobit-update 24577/udp
+udpstp 24601/udp
 sdtvwcam 24666/tcp
 canditv 24676/tcp
 canditv 24676/udp
@@ -11443,8 +11443,8 @@ ciscocsdb 43441/udp
 z-wave-tunnel 44123/tcp
 pmcd 44321/tcp
 pmcd 44321/udp
-pmcdproxy 44322/tcp
-pmcdproxy 44322/udp
+pmproxy 44322/tcp
+pmproxy 44322/udp
 pmwebapi 44323/tcp
 cognex-dataman 44444/tcp
 acronis-backup 44445/tcp
@@ -11522,9 +11522,7 @@ inspider 49150/tcp
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
 wireguard 49432/udp
-ssh-isp 49812/tcp
 iperf3 53497/tcp
-swgp 54635/udp
 # qbittorrent-nox web ui port for remote access browser gui
 qbt-nox 57151/tcp
 # qbittorrent/ options/ connection/ listening port
diff --git a/etc/ssh/ssh_config.d/my_ssh_config.conf b/etc/ssh/ssh_config.d/my_ssh_config.conf
deleted file mode 100644
index a5f1fca3..00000000
--- a/etc/ssh/ssh_config.d/my_ssh_config.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-Host flylightning.xyz
- Port ssh-isp
diff --git a/etc/sudoers b/etc/sudoers
index 94678ba5..faf0e3f7 100644
--- a/etc/sudoers
+++ b/etc/sudoers
@@ -128,7 +128,7 @@ root ALL=(ALL:ALL) ALL
 # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 ## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL:ALL) ALL
+# %sudo ALL=(ALL:ALL) ALL
 ## Uncomment to allow any user to run sudo if they know the password
 ## of the user they are running the command as (root by default).
diff --git a/etc/systemd/system/sshd-ns0.service b/etc/systemd/system/sshd-ns0.service
new file mode 100644
index 00000000..d66b8932
--- /dev/null
+++ b/etc/systemd/system/sshd-ns0.service
@@ -0,0 +1,19 @@
+# modified from /usr/lib/systemd/system/sshd.service
+
+[Unit]
+After=network.target sshdgenkeys.service
+Before=ssh-access.target
+Description=OpenSSH Daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshdgenkeys.service ssh-access.target
+After=ns0.service
+
+[Service]
+Type=notify-reload
+ExecStart=/usr/bin/sshd -D
+KillMode=process
+Restart=always
+NetworkNamespacePath=/run/netns/ns0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/swgp-go.service.d/override.conf b/etc/systemd/system/swgp-go.service.d/override.conf
deleted file mode 100644
index bb775d08..00000000
--- a/etc/systemd/system/swgp-go.service.d/override.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Unit]
-After=ns0.service
-
-[Service]
-NetworkNamespacePath=/run/netns/ns0 |
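Review bot: `ExecStart=/usr/bin/sshd -D` carries no `-f` and no `ListenAddress` override, so this second instance reads the same /etc/ssh/sshd_config as the host's sshd.service and listens on every address inside ns0; combined with the unconditional `tcp dport ssh accept` added in etc/netns/ns0/nftables.conf that exposes port 22 on whatever interface ns0 holds. If this instance exists only to be reached over the tunnel, pin it to that address, `ExecStart=/usr/bin/sshd -D -o ListenAddress=<ns0 WireGuard address>` (placeholder), or give it its own config with `-f`. Two instances sharing one config will presumably both write the default `PidFile` (systemd tracks the main PID itself, so reloads are unaffected), which `-o PidFile=none` avoids — confirm. `After=` is given twice in [Unit]; systemd merges them, but a single `After=network.target sshdgenkeys.service ns0.service` reads clearer, and a comment stating why the daemon is namespaced (the ISP blocking port 22 noted in etc/services) would explain the unit to the next reader.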
