know-how:firewall
Differences
This page shows the differences between two versions.
know-how:firewall [2022/02/21 13:20] – [Blocks - Multi - IPSET] cc | know-how:firewall [2024/02/12 11:38] – [unbound] cc | ||
---|---|---|---|
Zeile 1139: | Zeile 1139: | ||
exit 0 | exit 0 | ||
+ | </ | ||
+ | |||
+ | ====== unbound ====== | ||
+ | * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt | ||
+ | |||
+ | ===== dns over tls ===== | ||
+ | * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw. | ||
+ | < | ||
+ | server: | ||
+ | .. | ||
+ | .. | ||
+ | #2024-02-11 cc: The debian place where the bundle can be found | ||
+ | tls-cert-bundle: | ||
+ | .. | ||
+ | .. | ||
+ | forward-zone: | ||
+ | name: " | ||
+ | forward-addr: | ||
+ | forward-addr: | ||
+ | forward-tls-upstream: | ||
+ | .. | ||
+ | .. | ||
</ | </ | ||
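Review bot: In the forward-zone block, the two forward-addr entries decide whether the upstream's certificate name is actually verified against tls-cert-bundle, so each should carry the port and authentication name in the form address@853#hostname; unbound accepts any certificate name when the #name part is left out. The values are cut off in this view, so please confirm that both entries include it and that tls-cert-bundle points at a readable CA file. The FIXME in the "dns over tls" bullet should also be resolved or tracked separately, since the performance statement refers to prefetch settings that the config shown here does not contain.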
Zeile 1365: | Zeile 1387: | ||
| | ||
</ | </ | ||
+ | ====== GeoIP - map-geoip.sh ====== | ||
+ | * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen | ||
+ | * **map-geoip.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | # cmd: foo=$(mmdblookup -f / | ||
+ | |||
+ | # https:// | ||
+ | |||
+ | PATH_LOGS="/ | ||
+ | PATH_GEODB="/ | ||
+ | |||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_geo | ||
+ | { | ||
+ | mmdblookup -f $PATH_GEODB | ||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_ip | ||
+ | { | ||
+ | echo $1 | grep -o -P " | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | [[ -r $PATH_GEODB ]] || bailout " | ||
+ | |||
+ | |||
+ | [[ -r " | ||
+ | |||
+ | [[ $1 == " | ||
+ | |||
+ | |||
+ | [[ -r $PATH_LOGS || $PATH_LOGS == " | ||
+ | |||
+ | |||
+ | which mmdblookup >/ | ||
+ | |||
+ | IFS=$' | ||
+ | |||
+ | while read foo ; | ||
+ | do | ||
+ | LOG_SUFFIX="" | ||
+ | SRC_IP="" | ||
+ | DST_IP="" | ||
+ | |||
+ | SRC_IP=$(lookup_ip $foo " | ||
+ | DST_IP=$(lookup_ip $foo " | ||
+ | |||
+ | #echo "SRC: $SRC_IP" | ||
+ | #echo "DST: $DST_IP" | ||
+ | |||
+ | if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ] | ||
+ | then | ||
+ | SRC_GEO=$(lookup_geo $SRC_IP) | ||
+ | DST_GEO=$(lookup_geo $DST_IP) | ||
+ | |||
+ | [[ -z $SRC_GEO | ||
+ | [[ -z $DST_GEO ]] && DST_GEO=" | ||
+ | |||
+ | LOG_SUFFIX=" | ||
+ | |||
+ | |||
+ | echo " | ||
+ | fi | ||
+ | |||
+ | |||
+ | done < <(zcat -f $PATH_LOGS ) | ||
+ | </ | ||
====== WEB Module ====== | ====== WEB Module ====== | ||
===== Blocks - Multi - IPSET ===== | ===== Blocks - Multi - IPSET ===== |
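Review bot: In lookup_ip, lookup_geo and the read loop, log content and paths are expanded unquoted (echo $1, lookup_ip $foo, lookup_geo $SRC_IP, zcat -f $PATH_LOGS), so a log line containing glob characters goes through pathname expansion before grep sees it, regardless of what IFS is set to. Quote every expansion ("$1", "$foo", "$SRC_IP", "$PATH_GEODB", "$PATH_LOGS"), replace echo $1 with printf '%s\n' "$1" so a line starting with -n or -e is not taken as an option, and use read -r so backslashes in log lines are not consumed. The dependency check would be more portable as command -v mmdblookup than which, and the commented-out echo "SRC: ..." and "DST: ..." debug lines can be dropped.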
know-how/firewall.txt · Last modified: 2024/02/26 10:31 by cc