diff --git a/firewalld.org b/firewalld.org index 3c44100..aa829c5 100644 --- a/firewalld.org +++ b/firewalld.org @@ -1,32 +1,29 @@ #+title: Firewalld #+setupfile: ../org-templates/page.org -** Allow connections only from certain IP addresses +** Allow connections only from tailnet -Source: [[https://serverfault.com/a/798120][FirewallD: Allow connections only from certain IP addresses]] +Create a new zone for the ~tailscale0~ interface. -- Do not use rich rules for this. -- A firewalld zone corresponds to a set of services that you want to allow, and the sources of the traffic to those services. -- Traffic sources can be designated in two ways: by interface, or by source IP address. Traffic that matches /any/ source passes this check. - -Create a new zone for Kali Linux IP addresses: -#+begin_src shell -sudo firewall-cmd --permanent --new-zone=kali +#+BEGIN_SRC shell +sudo firewall-cmd --permanent --new-zone=tailnet +sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0 sudo firewall-cmd --reload -#+end_src +#+END_SRC -Enable the services allow for kali zone: -#+begin_src shell -sudo firewall-cmd --zone=kali --permanent --add-service=ssh -sudo firewall-cmd --zone=kali --permanent --add-service=rsyncd -sudo firewall-cmd --reload -#+end_src +Add services and ports to the ~tailnet~ zone. -Add the IP addresses allowed to reach the above services. Ensure there are no interfaces designated to this zone. -#+begin_src shell -sudo firewall-cmd --zone=kali --permanent --add-source= -sudo firewall-cmd --zone=kali --permanent --add-source= -sudo firewall-cmd --zone=kali --permanent --add-source= -sudo firewall-cmd --zone=kali --permanent --add-source= +#+BEGIN_SRC shell +sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh} +sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp sudo firewall-cmd --reload -#+end_src +#+END_SRC + +Ensure the ~public~ zone does not have any interfaces or sources. + +#+BEGIN_SRC shell +sudo firewall-cmd --permanent --zone=public --remove-interface=eth0 +sudo firewall-cmd --reload +#+END_SRC + +The firewall should now only allow traffic coming from the tailnet interface, ~tailscale0~. diff --git a/freebsd.org b/freebsd.org index 984fee0..e4dbbe2 100644 --- a/freebsd.org +++ b/freebsd.org @@ -1,5 +1,9 @@ #+title: FreeBSD +** USB 3.1 Type-C to RJ45 Gigabit Ethernet adapter + +The [[https://www.amazon.com/dp/B08989MYQ2][Amazon Basics Aluminum USB 3.1 Type-C to RJ45 Gigabit Ethernet Adapter]] works well with FreeBSD 14.1-RELEASE. It uses the *AX88179* chipset from ASIX Electronics Corp. + ** Install the ports tree Source: [[https://docs.freebsd.org/en/books/handbook/ports/#ports-using-installation-methods][Chapter 4. Installing Applications: Packages and Ports | FreeBSD Documentation Portal]] @@ -61,3 +65,16 @@ zfs mount -a #+END_SRC You should now be able to edit files, add/remove packages, etc. + +** Mount encrypted zroot in LiveCD + +Boot into the LiveCD environment. + +#+BEGIN_SRC shell +mkdir /tmp/mnt +geli attach /dev/nda0p4 +zpool import -f -R /tmp/mnt zroot +zfs mount zroot/ROOT/default +#+END_SRC + +The root directory of the zroot, ~zroot/ROOT/default~, is labeled to not be automounted when imported, hence the need for the last command.