know-how:firewall

Differences

This shows the differences between two versions of the page.

know-how:firewall [2021/10/18 11:06] – [roadworker mfa - multiple factor auth] cc | know-how:firewall [2024/02/26 10:31] (current) cc
Line 1: Line 1:
 +~~ODT~~
 FIXME FIXME
 ====== Features ====== ====== Features ======
Line 993: Line 994:
 auth-user-pass-verify /etc/openvpn/roadworker-cert/totp_auth.sh via-env auth-user-pass-verify /etc/openvpn/roadworker-cert/totp_auth.sh via-env
 auth-user-pass-optional auth-user-pass-optional
 +script-security 3
 .... ....
 </code> </code>
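Review bot: `script-security 3` is the level that `auth-user-pass-verify ... via-env` on the line above requires, but it passes the user's password to totp_auth.sh through the process environment, which OpenVPN itself documents as potentially unsafe because any child process the script spawns inherits it. If the TOTP check does not need the environment form, `via-file` with `script-security 2` keeps the credentials in a temporary file that only the script reads; if `via-env` stays, the script should avoid forking helpers that inherit `password`.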
Line 1139: Line 1141:
  
 </code> </code>
 +
 +====== unbound ======
 +  * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
 +
 +===== internal dns zone =====
 +  * zB: wenn intern ein AD Server benutzt wird für interne Domäne
 +
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
 +    private-domain: pannoniait.intern
 +    domain-insecure: pannoniait.intern
 +..
 +..
 +
 +#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
 +forward-zone:
 +   name: pannoniait.intern
 +   forward-addr: IP_DNS_SERVER
 +
 +</code>
 +
 +===== dns over tls =====
 +  * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: The debian place where the bundle can be found
 +    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 +..
 +..
 +forward-zone:
 +    name: "."
 +    forward-addr: 9.9.9.9@853#dns.quad9.net
 +    forward-addr: 149.112.112.112@853#dns.quad9.net
 +    forward-tls-upstream: yes
 +..
 +..
 +</code>
 +
 +====== Traffic Shaping - tc ======
 +  * FIXME - Großteil "man" Seiten https://wiki.archlinux.org/title/Advanced_traffic_control / https://tldp.org/en/Traffic-Control-HOWTO/ar01s06.html 
 +  * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches
 +<code>
 +#!/bin/sh -x
 +
 +# Maximum allowed downlink. Set to 90% of the achievable downlink in mbit
 +DOWNLINK=60
 +
 +# Interface facing the Internet
 +EXTDEV=wlp2s0
 +
 +# Load IFB, all other modules all loaded automatically
 +modprobe ifb
 +ip link set dev ifb0 down
 +
 +# Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table
 +tc qdisc del dev $EXTDEV root    2> /dev/null > /dev/null
 +tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 root       2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 ingress    2> /dev/null > /dev/null
 +iptables -t mangle -F
 +
 +# appending "stop" (without quotes) after the name of the script stops here.
 +if [ "$1" = "stop" ]
 +then
 +        echo "Shaping removed on $EXTDEV."
 +        exit
 +fi
 +
 +ip link set dev ifb0 up
 +
 +# HTB classes on IFB with rate limiting - default class 3:30 
 +tc qdisc add dev ifb0 root handle 3: htb default 30
 +
 +tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit
 +tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit
 +
 +# Packets marked with "2" on IFB flow through class 3:33
 +tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33
 +
 +# Martin Devera, author of HTB, then recommends SFQ for beneath these classes:
 +tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10
 +tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10
 +
 +#https://speed.hetzner.de/1GB.bin
 +iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2
 +iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
 +
 +
 +
 +# Forward all ingress traffic on internet interface to the IFB device
 +tc qdisc add dev $EXTDEV ingress handle ffff:
 +tc filter add dev $EXTDEV parent ffff: protocol ip \
 +        u32 match u32 0 0 \
 +        action connmark \
 +        action mirred egress redirect dev ifb0 \
 +        flowid ffff:1
 +
 +
 +# Kein markieren mehr der Pakete / iptables fällt weg über ipset 
 +# root@mrWhiteGhost:/home/urnilxfgbez/Desktop# ipset create slowdown hash:ip
 +#root@mrWhiteGhost:/home/urnilxfgbez/Desktop# tc filter add dev ifb0 parent 3:0 protocol ip basic match 'ipset(slowdown src,dst)' flowid 3:33
 +#
 +#
 +#
 +#
 +
 +
 +
 +#root@mrWhiteGhost:/tmp# tc -s class show dev ifb0
 +#class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b 
 +# Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 20582 borrowed: 0 giants: 0
 +# tokens: -16889 ctokens: -16889
 +#
 +#class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b 
 +# Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 3364 borrowed: 0 giants: 0
 +# tokens: 3125 ctokens: 3125
 +
 +
 +
 +
 +exit 0
 +</code>
 +
 +
  
 ====== GeoIP - iptables matches ====== ====== GeoIP - iptables matches ======
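Review bot: the two HTB classes added with `tc class add dev ifb0 parent 3:3 classid 3:30 ...` and `... classid 3:33 ...` reference a parent class 3:3 that the script never creates (the root qdisc is `handle 3:`), and the pasted `tc -s class show dev ifb0` output lower in the hunk confirms both end up as `root` classes, so they do not share one 60mbit parent and 3:33 cannot borrow from 3:30; either write `parent 3:` deliberately or add `tc class add dev ifb0 parent 3: classid 3:3 htb rate ${DOWNLINK}mbit` first, which would also give the otherwise unused `DOWNLINK=60` a purpose instead of the hard-coded `60mbit`. `iptables -t mangle -F` flushes the entire mangle table rather than only the MARK/CONNMARK rules this script owns, so every run silently removes unrelated mangle rules; a dedicated chain that the script creates and flushes is safer. In the unbound part, `domain-insecure: pannoniait.intern` is what stops the unsigned AD zone from being rejected as bogus by the validator, and `forward-addr: IP_DNS_SERVER` is still a placeholder that needs the real internal resolver address.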
Line 1273: Line 1408:
    19   976 LOG        all  --  *      *       0.0.0.0/           0.0.0.0/           -m geoip --source-country CN,RS  LOG flags 0 level 4    19   976 LOG        all  --  *      *       0.0.0.0/           0.0.0.0/           -m geoip --source-country CN,RS  LOG flags 0 level 4
 </code> </code>
 +====== GeoIP - map-geoip.sh ======
 +  * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
  
 +  * **map-geoip.sh**
 +
 +<code>
 +#!/bin/bash
 +
 +# cmd: foo=$(mmdblookup -f /usr/local/share/ip-db/dbip-country-lite.mmdb  -i 192.168.0.1 country iso_code 2>/dev/null)
 +
 +# https://download.db-ip.com/free/dbip-country-lite-2022-03.mmdb.gz 
 +
 +PATH_LOGS="/var/log/fw.log.1"
 +PATH_GEODB="/usr/local/share/ip-db/dbip-country-lite.mmdb"
 +
 +function bailout
 +{
 +        echo -e "$1" >&2
 + echo -e "\nUsage: $0 [LOGFILE_FIREWALLS]"
 + exit 2
 +
 +
 +}
 +
 +function lookup_geo
 +{
 + mmdblookup -f $PATH_GEODB  -i $1 country iso_code 2>/dev/null | grep -o -P "\"[a-zA-Z]{2}\"" | tr -d "\""
 +
 +}
 +
 +function lookup_ip
 +{
 +    echo $1 | grep -o -P "$2(([0-9]{1,3}\.)){3}[0-9]{1,3}" 
 +
 +
 +}
 +
 +[[ -r $PATH_GEODB ]] || bailout "Cannot read geodb database: $PATH_GEODB"
 +
 +
 +[[ -r "$1" ]] && PATH_LOGS="$1"
 +
 +[[ $1 == "-" ]] && PATH_LOGS="-"
 +
 +
 +[[ -r $PATH_LOGS || $PATH_LOGS == "-"  ]] || bailout "Cannot read path logs: $PATH_LOGS"
 +
 +
 +which mmdblookup >/dev/null || bailout "Cannot find mmdblookup please install\n"
 +
 +IFS=$'\n'
 +
 +while read foo ; 
 +do  
 +        LOG_SUFFIX=""
 + SRC_IP=""
 + DST_IP=""
 +
 + SRC_IP=$(lookup_ip $foo "SRC=" |tr -d "SRC=")
 + DST_IP=$(lookup_ip $foo "DST=" | tr -d "DST=" )
 +       
 + #echo "SRC: $SRC_IP"
 + #echo "DST: $DST_IP"
 +
 + if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]  
 + then
 + SRC_GEO=$(lookup_geo $SRC_IP)
 + DST_GEO=$(lookup_geo $DST_IP)
 +
 +                [[ -z $SRC_GEO  ]] && SRC_GEO="00"
 + [[ -z $DST_GEO ]] && DST_GEO="00"
 +
 + LOG_SUFFIX="SRC_GEO=$SRC_GEO DST_GEO=$DST_GEO"
 +
 +
 + echo "$foo$LOG_SUFFIX"
 + fi
 +
 +
 +done < <(zcat -f $PATH_LOGS )
 +</code>
 ====== WEB Module ====== ====== WEB Module ======
 +===== Blocks - Multi - IPSET =====
 +  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
 +  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
 +  * **Achtung:** Wenn es eine Vielzahl an Sets gibt die mit dnsmasq befüllt werden sollen muss auf die dnsmasq Syntax geachtet werden **ipset=/hostname/set1/set2/set3** und nicht jeweils eine extra Datei für set1, set2, set3 
 +  * **merge-ipsets.sh**
 +
 +<code>
 +#!/bin/bash
 +function bailout
 +{
 +        echo -e "$1" >&2
 +        exit 2
 +
 +}
 +
 +which dnsmasq >/dev/null || bailout "Cannot find dnsmasq binary"
 +
 +
 +LOCATION_DNSMASQS="/etc/dnsmasq.conf /etc/dnsmasq.d/*"
 +TMP_LOCATION=$(mktemp)
 +FINAL_LOCATION="/etc/dnsmasq.d/ipset-master.conf"
 +
 +if [ ! -w $FINAL_LOCATION ] 
 +then
 + rm $TMP_LOCATION
 +
 + bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
 +
 +fi
 +
 +
 +grep -h  "^ipset=" $LOCATION_DNSMASQS  | cut -d"/" -f"2" | sort | uniq -c  | while read hosts ; 
 +do 
 + nr_matches=$(echo $hosts | awk '{print $1}')
 + host_entry=$(echo $hosts | awk '{print $2}')
 +
 +        if (($nr_matches > 1 ))  &&  [ -n $host_entry ] ; 
 + then
 +                 build_entry="ipset=/$host_entry"
 +
 + while read found_sets
 + do
 + build_entry+="/$found_sets"
 +
 + done <<< $(grep -h "^ipset=/$host_entry/" $LOCATION_DNSMASQS | cut -d"/" -f 3- | tr "/" "\n" | sort | uniq )
 +
 +
 + echo $build_entry >> $TMP_LOCATION
 +                echo $build_entry
 +
 + fi
 +  
 +
 +
 +done
 +
 +filesize_tmp=$(stat -c %s $TMP_LOCATION)
 +
 +if [ $filesize_tmp == "0" ]
 +then
 +
 +rm $TMP_LOCATION
 +
 +echo "No double ipsets found in $LOCATION_DNSMASQS"
 +
 +exit 0
 +
 +fi
 +
 +
 +
 +
 +
 +cmp -s $TMP_LOCATION $FINAL_LOCATION
 +
 +compare_ret="$?"
 +
 +if [ $compare_ret == "0" ]
 +then
 + rm $TMP_LOCATION
 +        echo "Current ipsets have already been merged"
 + exit 0
 +fi
 +
 +
 +dnsmasq --test --conf-file=$TMP_LOCATION 
 +
 +ipset_tests="$?"
 +if [ $ipset_tests != "0" ]
 +then
 + rm $TMP_LOCATION
 + bailout "FAIL: Malformed config file: $TMP_LOCATION"
 +fi
 +
 +#2022-02-21 cc: Keep Ownership intact
 +cat $TMP_LOCATION > $FINAL_LOCATION
 +
 +rm $TMP_LOCATION
 +
 +systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq"
 +
 +
 +exit 0
 +</code>
 +  * {{ :know-how:ipset-master.zip |}}
 +
 ===== Blocks - IPSET ===== ===== Blocks - IPSET =====
   * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können   * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
-  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart+  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
   * {{ :know-how:blocked-ipset.zip |}}   * {{ :know-how:blocked-ipset.zip |}}
  
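Review bot: in merge-ipsets.sh the test `[ -n $host_entry ]` is unquoted, so with an empty `host_entry` it collapses to `[ -n ]`, which is true, and the check never rejects an empty host; write `[ -n "$host_entry" ]`. The final `systemctl reload dnsmasq` sends SIGHUP, which makes dnsmasq clear its cache and re-read hosts files but not its configuration, so new `ipset=` lines in ipset-master.conf only take effect after a restart (which matches the sudo rule for `service dnsmasq restart` in the bullet above); the original per-file `ipset=` lines are also left in place next to the merged entry, so which entry dnsmasq honours for that host should be documented. In map-geoip.sh, `tr -d "SRC="` deletes every S, R, C and = character from the match instead of stripping the prefix, which works only because an IPv4 address contains none of them; `${SRC_IP#SRC=}` and `${DST_IP#DST=}` say what is meant, and `read -r foo` keeps backslashes in log lines intact.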
know-how/firewall.1634547963.txt.gz · Last modified: 2021/10/18 11:06 by cc