Edit firewall.org, freebsd.org

This commit is contained in:
Jeffrey Serio 2024-09-23 21:23:08 -05:00
parent 3d37bb0b8c
commit 459b71e0a3
2 changed files with 37 additions and 23 deletions

View File

@ -1,32 +1,29 @@
#+title: Firewalld #+title: Firewalld
#+setupfile: ../org-templates/page.org #+setupfile: ../org-templates/page.org
** Allow connections only from certain IP addresses ** Allow connections only from tailnet
Source: [[https://serverfault.com/a/798120][FirewallD: Allow connections only from certain IP addresses]] Create a new zone for the ~tailscale0~ interface.
- Do not use rich rules for this. #+BEGIN_SRC shell
- A firewalld zone corresponds to a set of services that you want to allow, and the sources of the traffic to those services. sudo firewall-cmd --permanent --new-zone=tailnet
- Traffic sources can be designated in two ways: by interface, or by source IP address. Traffic that matches /any/ source passes this check. sudo firewall-cmd --permanent --zone=tailnet --add-interface=tailscale0
Create a new zone for Kali Linux IP addresses:
#+begin_src shell
sudo firewall-cmd --permanent --new-zone=kali
sudo firewall-cmd --reload sudo firewall-cmd --reload
#+end_src #+END_SRC
Enable the services allow for kali zone: Add services and ports to the ~tailnet~ zone.
#+begin_src shell
sudo firewall-cmd --zone=kali --permanent --add-service=ssh
sudo firewall-cmd --zone=kali --permanent --add-service=rsyncd
sudo firewall-cmd --reload
#+end_src
Add the IP addresses allowed to reach the above services. Ensure there are no interfaces designated to this zone. #+BEGIN_SRC shell
#+begin_src shell sudo firewall-cmd --permanent --zone=tailnet --add-service={http,https,ssh}
sudo firewall-cmd --zone=kali --permanent --add-source=<IPv4 addr 1> sudo firewall-cmd --permanent --zone=tailnet --add-port=9100/tcp
sudo firewall-cmd --zone=kali --permanent --add-source=<IPv6 addr>
sudo firewall-cmd --zone=kali --permanent --add-source=<IPv4 addr 2>
sudo firewall-cmd --zone=kali --permanent --add-source=<IPv4 addr 3>
sudo firewall-cmd --reload sudo firewall-cmd --reload
#+end_src #+END_SRC
Ensure the ~public~ zone does not have any interfaces or sources.
#+BEGIN_SRC shell
sudo firewall-cmd --permanent --zone=public --remove-interface=eth0
sudo firewall-cmd --reload
#+END_SRC
The firewall should now only allow traffic coming from the tailnet interface, ~tailscale0~.

View File

@ -1,5 +1,9 @@
#+title: FreeBSD #+title: FreeBSD
** USB 3.1 Type-C to RJ45 Gigabit Ethernet adapter
The [[https://www.amazon.com/dp/B08989MYQ2][Amazon Basics Aluminum USB 3.1 Type-C to RJ45 Gigabit Ethernet Adapter]] works well with FreeBSD 14.1-RELEASE. It uses the *AX88179* chipset from ASIX Electronics Corp.
** Install the ports tree ** Install the ports tree
Source: [[https://docs.freebsd.org/en/books/handbook/ports/#ports-using-installation-methods][Chapter 4. Installing Applications: Packages and Ports | FreeBSD Documentation Portal]] Source: [[https://docs.freebsd.org/en/books/handbook/ports/#ports-using-installation-methods][Chapter 4. Installing Applications: Packages and Ports | FreeBSD Documentation Portal]]
@ -61,3 +65,16 @@ zfs mount -a
#+END_SRC #+END_SRC
You should now be able to edit files, add/remove packages, etc. You should now be able to edit files, add/remove packages, etc.
** Mount encrypted zroot in LiveCD
Boot into the LiveCD environment.
#+BEGIN_SRC shell
mkdir /tmp/mnt
geli attach /dev/nda0p4
zpool import -f -R /tmp/mnt zroot
zfs mount zroot/ROOT/default
#+END_SRC
The root directory of the zroot, ~zroot/ROOT/default~, is labeled to not be automounted when imported, hence the need for the last command.