Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- know-how:firewall [2022/02/21 13:14] – [Blocks - Multi - IPSET] cc
+++ know-how:firewall [2024/02/26 10:31] (aktuell) – cc
@@ Zeile 1: / Zeile 1: @@
+~~ODT~~
 FIXME
 ====== Features ======
@@ Zeile 1139: / Zeile 1140: @@
 exit 0
+</code>
+====== unbound ======
+  * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
+===== internal dns zone =====
+  * zB: wenn intern ein AD Server benutzt wird für interne Domäne
+<code>
+server:
+..
+..
+    #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
+    private-domain: pannoniait.intern
+    domain-insecure: pannoniait.intern
+..
+..
+#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
+forward-zone:
+   name: pannoniait.intern
+   forward-addr: IP_DNS_SERVER
+</code>
+===== dns over tls =====
+  * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
+<code>
+server:
+..
+..
+    #2024-02-11 cc: The debian place where the bundle can be found
+    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+..
+..
+forward-zone:
+    name: "."
+    forward-addr: 9.9.9.9@853#dns.quad9.net
+    forward-addr: 149.112.112.112@853#dns.quad9.net
+    forward-tls-upstream: yes
+..
+..
 </code>
@@ Zeile 1365: / Zeile 1408: @@
    976 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN,RS  LOG flags 0 level 4
 </code>
+====== GeoIP - map-geoip.sh ======
+  * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
+  * **map-geoip.sh**
+<code>
+#!/bin/bash
+# cmd: foo=$(mmdblookup -f /usr/local/share/ip-db/dbip-country-lite.mmdb  -i 192.168.0.1 country iso_code 2>/dev/null)
+# https://download.db-ip.com/free/dbip-country-lite-2022-03.mmdb.gz
+PATH_LOGS="/var/log/fw.log.1"
+PATH_GEODB="/usr/local/share/ip-db/dbip-country-lite.mmdb"
+function bailout
+{
+        echo -e "$1" >&2
+	echo -e "\nUsage: $0 [LOGFILE_FIREWALLS]"
+	exit 2
+}
+function lookup_geo
+{
+	mmdblookup -f $PATH_GEODB  -i $1 country iso_code 2>/dev/null | grep -o -P "\"[a-zA-Z]{2}\"" | tr -d "\""
+}
+function lookup_ip
+{
+    echo $1 | grep -o -P "$2(([0-9]{1,3}\.)){3}[0-9]{1,3}"
+}
+[[ -r $PATH_GEODB ]] || bailout "Cannot read geodb database: $PATH_GEODB"
+[[ -r "$1" ]] && PATH_LOGS="$1"
+[[ $1 == "-" ]] && PATH_LOGS="-"
+[[ -r $PATH_LOGS || $PATH_LOGS == "-"  ]] || bailout "Cannot read path logs: $PATH_LOGS"
+which mmdblookup >/dev/null || bailout "Cannot find mmdblookup please install\n"
+IFS=$'\n'
+while read foo ;
+do
+        LOG_SUFFIX=""
+	SRC_IP=""
+	DST_IP=""
+	SRC_IP=$(lookup_ip $foo "SRC=" |tr -d "SRC=")
+	DST_IP=$(lookup_ip $foo "DST=" | tr -d "DST=" )
+	#echo "SRC: $SRC_IP"
+	#echo "DST: $DST_IP"
+	if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]
+	then
+		SRC_GEO=$(lookup_geo $SRC_IP)
+		DST_GEO=$(lookup_geo $DST_IP)
+                [[ -z $SRC_GEO  ]] && SRC_GEO="00"
+		[[ -z $DST_GEO ]] && DST_GEO="00"
+		LOG_SUFFIX="SRC_GEO=$SRC_GEO DST_GEO=$DST_GEO"
+		echo "$foo$LOG_SUFFIX"
+	fi
+done < <(zcat -f $PATH_LOGS )
+</code>
 ====== WEB Module ======
 ===== Blocks - Multi - IPSET =====
@@ Zeile 1393: / Zeile 1516: @@
 	rm $TMP_LOCATION
-	bailout "FAIL: Final config file: $FINAL_LOACTION cannot be written to "
+	bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
 fi
@@ Zeile 1471: / Zeile 1594: @@
 exit 0
 </code>
+  * {{ :know-how:ipset-master.zip |}}
 ===== Blocks - IPSET =====