Index: TipAndDoc/.bash_profile
===================================================================
--- TipAndDoc/.bash_profile	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bash_profile	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,6 @@
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/.bin" ] ; then
+    PATH="$HOME/.bin:$PATH"
+fi
+
+/usr/bin/screen -d -RR -U
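Review bot: `/usr/bin/screen -d -RR -U` on the last line runs for every login shell, including non-interactive ones such as `su - user -c cmd` or `bash -lc cmd`, where attaching a screen fails or stalls the command; guard it so it runs only in an interactive shell that is not already inside screen, e.g. `case $- in *i*) [ -z "$STY" ] && /usr/bin/screen -d -RR -U ;; esac`. Because this file now exists, bash no longer reads `TipAndDoc/.profile` (its own header says so), so the `.bashrc` sourcing and the `$HOME/bin` PATH entry from `.profile` never apply to login shells; add `[ -f "$HOME/.bashrc" ] && . "$HOME/.bashrc"` before the screen line, or source `.profile` here.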
Index: TipAndDoc/.bashrc
===================================================================
--- TipAndDoc/.bashrc	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bashrc	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,123 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+[ -z "$PS1" ] && return
+
+# don't put duplicate lines in the history. See bash(1) for more options
+export HISTCONTROL=ignoredups
+# ... and ignore same sucessive entries.
+export HISTCONTROL=ignoreboth
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
+    ;;
+*)
+    ;;
+esac
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+#if [ -f ~/.bash_aliases ]; then
+#    . ~/.bash_aliases
+#fi
+
+# enable color support of ls and also add handy aliases
+if [ "$TERM" != "dumb" ] && [ -x /usr/bin/dircolors ]; then
+    eval "`dircolors -b`"
+    alias ls='ls --color=auto'
+    #alias dir='ls --color=auto --format=vertical'
+    #alias vdir='ls --color=auto --format=long'
+
+    #alias grep='grep --color=auto'
+    #alias fgrep='fgrep --color=auto'
+    #alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+#alias ll='ls -l'
+#alias la='ls -A'
+#alias l='ls -CF'
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+fi
+
+umask 022   # create new file with '644'
+ulimit -c 0 # no dump core
+export PAGER=less
+export LESS='-X -i -P ?f%f:(stdin).  ?lb%lb?L/%L..  [?eEOF:?pb%pb\%..]'
+
+HISTSIZE=50000
+HISTFILESIZE=50000
+
+set -o notify   # notify end of background job immediately
+
+shopt -s histappend     # append command history instead of overwrite
+shopt -s checkhash      # check always PATH hash table
+shopt -s cmdhist        # save multi lines command to one line
+shopt -s no_empty_cmd_completion    # no complementation with no input
+shopt -s histverify     # check command history before execute
+
+
+# view last 30 history or search from last 1000 history
+function i {
+    if [ "$1" ]; then history 1000 | grep "$@"; else history 30; fi
+}
+
+# view last 30 history or search from all history
+function I {
+    if [ "$1" ]; then history | grep "$@"; else history 30; fi
+}
+
+alias vi='vim'
+alias sudo='sudo -H '
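Review bot: `export HISTCONTROL=ignoredups` at the top of the history section is dead, because the statement two lines later overwrites it with `ignoreboth` (which already includes `ignoredups`); keep only the second assignment and merge the two comments into one. The comment on that second assignment also misspells `successive`. In the `i` and `I` helpers, `history 1000 | grep "$@"` treats a second word as a file name rather than part of the search, so either state in the comment that extra words are grep options or use `grep -e "$1"`.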
Index: TipAndDoc/.bin/get_ip_from_ifconfig.pl
===================================================================
--- TipAndDoc/.bin/get_ip_from_ifconfig.pl	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bin/get_ip_from_ifconfig.pl	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+use strict;
+use Data::Dumper;
+
+my $interface;
+my %IPs;
+
+foreach ( qx{ (LC_ALL=C /sbin/ifconfig -a 2>&1) } ) {
+	$interface = $1 if /^(\S+?):?\s/;
+        next unless defined $interface;
+        $IPs{$interface}->{STATE}=uc($1) if /\b(up|down)\b/i;
+        $IPs{$interface}->{IP}=$1 if /inet\D+(\d+\.\d+\.\d+\.\d+)/i;
+}
+print Dumper(\%IPs);
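Review bot: The script enables `use strict` but not `use warnings`, so the diagnostics warnings would provide for the parsing loop (uninitialized values, unrecognized escapes) are never emitted; add `use warnings;` after `use strict;`. The loop body mixes a tab on the `$interface = $1` line with eight-space indentation on the following lines, which reads as a nesting change; reindent consistently. The `\b(up|down)\b` match sets STATE from any word `up`/`down` on a line, not only from the flags field, so a short comment that this relies on `LC_ALL=C` net-tools output would help a reader.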
Index: TipAndDoc/.bin/get_ip_from_ioctl.pl
===================================================================
--- TipAndDoc/.bin/get_ip_from_ioctl.pl	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bin/get_ip_from_ioctl.pl	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,36 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+require 'sys/ioctl.ph';
+use Socket;
+
+my %interfaces;
+my $max_addrs = 30;
+socket(my $socket, AF_INET, SOCK_DGRAM, 0) or die "socket: $!";
+
+{
+    my $ifreqpack = 'a16a16';
+    my $buf = pack($ifreqpack, '', '') x $max_addrs;
+    my $ifconf = pack('iP', length($buf), $buf);
+
+    # This does the actual work
+    ioctl($socket, SIOCGIFCONF(), $ifconf) or die "ioctl: $!";
+
+    my $len = unpack('iP', $ifconf);
+    substr($buf, $len) = '';
+
+    %interfaces = unpack("($ifreqpack)*", $buf);
+
+    unless (keys(%interfaces) < $max_addrs) {
+        # Buffer was too small
+        $max_addrs += 10;
+        redo;
+    }
+}
+
+for my $addr (values %interfaces) {
+    $addr = inet_ntoa((sockaddr_in($addr))[1]);
+}
+
+use Data::Dumper;
+print Dumper \%interfaces;
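Review bot: The `a16a16` ifreq template and the `iP` ifconf template hard-code a 32-bit layout: on 64-bit Linux `struct ifreq` is 40 bytes (the `ifr_map` union member pads it) and `struct ifconf` has padding between `ifc_len` and the pointer, so on such hosts the unpack presumably yields garbage names and addresses — verify on the target and choose the templates from `$Config{ptrsize}` (`use Config;`) rather than assuming. `use Data::Dumper;` on the penultimate line works because `use` is compile-time, but it belongs with the other `use` statements at the top. The `redo` inside the bare block re-runs it with a larger buffer, which is correct, but deserves a comment such as `# a bare block is a loop that runs once, so redo retries with a bigger buffer`.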
Index: TipAndDoc/.bin/smartgrep
===================================================================
--- TipAndDoc/.bin/smartgrep	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bin/smartgrep	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,5 @@
+for DEVICE in `ls /dev/[hs]d?`
+do
+    echo -n "$DEVICE: "
+    sudo smartctl -a $DEVICE | grep $1
+done
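Review bot: `grep $1` on the fourth line is unquoted, so a pattern with spaces or glob characters is split or expanded by the shell, and with no argument at all grep prints a usage error once per device; write `grep -- "$1"` and fail early with `PATTERN="${1:?usage: $0 <pattern>}"`. The device list is built from `` `ls /dev/[hs]d?` ``; the plain glob `for DEVICE in /dev/[hs]d?` yields the same names without parsing ls output. The file has no shebang, so its interpreter depends on how it is invoked; add `#!/bin/sh` as the first line.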
Index: TipAndDoc/.bin/svnst
===================================================================
--- TipAndDoc/.bin/svnst	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bin/svnst	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+svn st $@ | grep "^[^?]"
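Review bot: `svn st $@` passes the arguments unquoted, so a path containing spaces is split into several arguments before svn sees it; use `svn st "$@"`. A one-line comment such as `# svn status without the unversioned ('?') entries` would make the purpose of the grep clear.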
Index: TipAndDoc/.bin/wake
===================================================================
--- TipAndDoc/.bin/wake	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.bin/wake	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+
+use Cwd qw( realpath );
+use File::Basename qw( fileparse );
+
+@cfg = ('.wake', ( (fileparse( realpath($0) ))[1] ) . '.wake');
+$mac = {};
+
+$x = '[0-9a-fA-F]';
+$macre = "$x$x:$x$x:$x$x:$x$x:$x$x:$x$x";
+$ipre = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}";
+
+foreach my $cfg (@cfg) {
+	open(CFG, $cfg);
+	while (<CFG>) {
+		next if /^\s*#/;
+		next if /^\s*$/;
+		
+		chomp;
+		my($host, $hw, $ip) = split;
+		push @{$mac->{lc($host)}}, { MAC => $hw, IP => $ip };
+	}
+}
+
+if (@ARGV) {
+	foreach $host (@ARGV) {
+		if ($host =~ /$macre/) {
+			print qx(wakeonlan $host);
+		}
+		elsif (@physical = @{$mac->{lc($host)}}) {
+		    foreach my $mac (@physical) {
+		        if ($mac->{IP}) {
+		            print qx(wakeonlan -i $mac->{IP} $mac->{MAC});
+		        }
+		        else {
+		            print qx(wakeonlan $mac->{MAC});
+		        }
+		    }
+		}
+		else {
+			print lc($host) . ": no such host in the list.\n";
+		}
+	}
+}
+else {
+	foreach $host (sort keys %$mac) {
+	    $physical = $mac->{lc($host)};
+	    foreach my $mac (@$physical) {
+	        print "$host -> $mac->{MAC} -> $mac->{IP}\n";
+	    }
+	}
+}
+
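Review bot: `print qx(wakeonlan $host)` and the two `qx(wakeonlan ... $mac->{MAC})` calls interpolate command-line arguments and `.wake` file fields into a shell command line, and the guard `$host =~ /$macre/` is unanchored, so an argument that merely contains a MAC address but also carries shell metacharacters reaches the shell unchanged; anchor the match (`/\A$macre\z/`) and run `wakeonlan` with the list form of `system`, which bypasses the shell and still writes the tool's output to stdout as `print qx(...)` did. `open(CFG, $cfg)` is the two-argument form with a bareword handle and no error check, so a missing `.wake` is silently read as empty; use `open(my $cfg_fh, '<', $cfg) or next;`. The file also lacks `use strict; use warnings;`, which would have flagged `$ipre` — a double-quoted string in which `\d` is not a valid escape, and which is never used.
```perl
if ($host =~ /\A$macre\z/) {
    system('wakeonlan', $host) == 0
        or warn "wakeonlan $host failed: $?\n";
}
elsif (@physical = @{$mac->{lc($host)}}) {
    foreach my $mac (@physical) {
        my @cmd = ('wakeonlan',
                   ($mac->{IP} ? ('-i', $mac->{IP}) : ()),
                   $mac->{MAC});
        system(@cmd) == 0 or warn "@cmd failed: $?\n";
    }
}
# … unchanged: "no such host" branch and the listing mode …
```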
Index: TipAndDoc/.profile
===================================================================
--- TipAndDoc/.profile	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.profile	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,21 @@
+# ~/.profile: executed by the command interpreter for login shells.
+# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
+# exists.
+# see /usr/share/doc/bash/examples/startup-files for examples.
+# the files are located in the bash-doc package.
+
+# the default umask is set in /etc/profile
+#umask 022
+
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+	. "$HOME/.bashrc"
+    fi
+fi
+
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/bin" ] ; then
+    PATH="$HOME/bin:$PATH"
+fi
Index: TipAndDoc/.screenrc
===================================================================
--- TipAndDoc/.screenrc	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/.screenrc	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,12 @@
+escape ^x^x
+autodetach on
+defbce on
+vbell off
+defscrollback 10000
+startup_message off
+hardstatus on
+hardstatus alwayslastline
+hardstatus string "%{.bW}%{.rW}%n: %t %{-} %=%{..G}%H %{..Y}LoadAvg: %l %0c "
+caption always "%{= wk} %-w%{=bu dr}%n %t%{-}%+w"
+logfile /home/mitty/.screen/%y-%m-%d_%0c:%s.%n.log
+deflog on
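Review bot: `deflog on` together with the `logfile` line records the full output of every window to disk, which routinely includes sensitive material shown on screen, so the log directory must exist with mode 0700 before screen starts and its retention should be a deliberate choice; add a comment stating that, e.g. `# every window is logged; ~/.screen must exist and be chmod 0700`. The path also hard-codes one account's home directory, so the file breaks when copied to another user; whether screen expands `$HOME` in `logfile` should be checked before relying on it, and otherwise the assumption noted in a comment.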
Index: TipAndDoc/cron.daily/apt-cron
===================================================================
--- TipAndDoc/cron.daily/apt-cron	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/cron.daily/apt-cron	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+/usr/bin/aptitude update > /dev/null 2>&1
+
+if [ `/usr/bin/aptitude -s -y safe-upgrade | /bin/grep -c ^0` -eq 0 ]; then
+    /usr/bin/aptitude -s -y safe-upgrade | /bin/grep '^[ T0-9]'
+fi
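Review bot: The simulated `safe-upgrade` is executed twice, once inside the backticks for the `grep -c ^0` test and again to print the package list, and nothing guarantees the two runs agree; capture it once, `OUT=$(/usr/bin/aptitude -s -y safe-upgrade)`, then test and print `$OUT`. The `^0` match depends on the English summary line, so under a non-English cron locale the test silently never matches; set `LC_ALL=C` near the top of the script. Under `set -e` a failing `aptitude update` aborts the script with its output discarded to /dev/null, which is presumably intended but deserves a one-line comment.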
Index: TipAndDoc/iproute/setroute-rhel.sh
===================================================================
--- TipAndDoc/iproute/setroute-rhel.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iproute/setroute-rhel.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -x
+
+IFACE="${1:?"usage: $0 <ether_device> [gateway] "}"
+GATEWAY=$2
+
+TID=`/sbin/ip addr show dev ${IFACE} | grep -w ${IFACE}: | tr -s ' ' | cut -d : -f 1`
+
+if [ "${GATEWAY}" = "down" ]; then
+    # delete routing table and policy and exit
+    ## routing table is automatically flushed, so 'route flush' can be removed
+    /sbin/ip route flush table ${TID}
+    ## device has no longer any IP addr, so do not use IPADDR
+    /sbin/ip rule del table ${TID} priority ${TID}
+    /sbin/ip route flush cache
+    echo "remove routing table and policy for ${IFACE}"
+    exit
+fi
+
+
+# get IP address, network mask, default gateway info
+IPADDR=`/sbin/ip addr show dev ${IFACE} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1`
+NETWORK=`/sbin/ip route show dev ${IFACE} | grep -w ${IPADDR} | tr -s ' ' | cut -d ' ' -f 1`
+
+if [ -z "${GATEWAY}" ]; then
+    GATEWAY=`/sbin/ip route show dev ${IFACE} | grep -w default | tr -s ' ' | cut -d ' ' -f 3`
+fi
+if [ -z "${GATEWAY}" ]; then
+    GATEWAY=`/sbin/ip route | grep -w default | tr -s ' ' | cut -d ' ' -f 3`
+    # this may add wrong default route especially on RHEL
+fi
+
+
+# set routing table
+/sbin/ip route add ${NETWORK} dev ${IFACE} table ${TID}
+/sbin/ip route add default via ${GATEWAY} dev ${IFACE} table ${TID}
+
+# set routing policy
+/sbin/ip rule add from ${IPADDR} table ${TID} priority ${TID}
+
+/sbin/ip route flush cache
+echo "add routing table and policy for ${IFACE} on table ${TID}"
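Review bot: `TID` from the `/sbin/ip addr show ... | cut -d : -f 1` line is used unchecked as both the table id and the rule priority, so if `${IFACE}` does not exist the pipeline yields an empty string and every later `ip route add ... table` and `ip rule` call runs with a missing argument; add `[ -n "${TID}" ] || { echo "${IFACE}: no such device" >&2; exit 1; }` right after it (the same gap exists in `TipAndDoc/iproute/setroute.sh`). Unlike setroute.sh this variant never checks `IPADDR`, so `ip rule add from ${IPADDR}` can run with an empty source; copy the `if [ -z "${IPADDR}" ]` guard from that file. The bare `exit` in the `down` branch returns the status of the preceding `echo`; `exit 0` states the intent.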
Index: TipAndDoc/iproute/setroute.sh
===================================================================
--- TipAndDoc/iproute/setroute.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iproute/setroute.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# set individualized routing table and policy for each network device
+
+
+set -x
+
+## INTERFACES(5)
+# IFACE  physical name of the interface being processed
+# METHOD method of the interface (e.g., static)
+# MODE   start if run from ifup, stop if run from ifdown
+# PHASE  as per MODE, but with finer granularity, distinguishing the pre-
+#        up, post-up, pre-down and post-down phases.
+
+# optional arugument to set default gateway manually
+GATEWAY=$1
+
+TID=`/sbin/ip addr show dev ${IFACE} | grep -w ${IFACE}: | tr -s ' ' | cut -d : -f 1`
+
+if [ "${PHASE}" = "post-down" ]; then
+    # delete routing table and policy and exit
+    ## routing table is automatically flushed, so 'route flush' can be removed
+    /sbin/ip route flush table ${TID}
+    ## device has no longer any IP addr, so do not use IPADDR
+    /sbin/ip rule del table ${TID} priority ${TID}
+    /sbin/ip route flush cache
+    echo "remove routing table and policy for ${IFACE}"
+    exit
+fi
+
+
+# get IP address, network mask, default gateway info
+IPADDR=`/sbin/ip addr show dev ${IFACE} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1`
+if [ -z "${IPADDR}" ]; then
+    # fail to bind IP address to device
+    echo "${IFACE} has no IP address."
+    exit
+fi
+NETWORK=`/sbin/ip route show dev ${IFACE} | grep -w ${IPADDR} | tr -s ' ' | cut -d ' ' -f 1`
+
+if [ -z "${GATEWAY}" ]; then
+    GATEWAY=`/sbin/ip route show dev ${IFACE} | grep -w default | tr -s ' ' | cut -d ' ' -f 3`
+fi
+if [ -z "${GATEWAY}" ]; then
+    GATEWAY=`/sbin/ip route | grep -w default | tr -s ' ' | cut -d ' ' -f 3`
+    # this may add wrong default route especially on RHEL
+fi
+
+
+# set routing table
+/sbin/ip route add ${NETWORK} dev ${IFACE} table ${TID}
+/sbin/ip route add default via ${GATEWAY} dev ${IFACE} table ${TID}
+
+# set routing policy
+/sbin/ip rule add from ${IPADDR} table ${TID} priority ${TID}
+
+/sbin/ip route flush cache
+echo "add routing table and policy for ${IFACE} on table ${TID}"
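Review bot: When neither `ip route show dev ${IFACE}` nor the main table yields a default gateway, `GATEWAY` stays empty and `/sbin/ip route add default via ${GATEWAY} dev ${IFACE} table ${TID}` is still executed with a missing argument; because there is no `set -e`, the script then prints the success message on its last line regardless. Guard that line, `if [ -n "${GATEWAY}" ]; then ... fi`, or exit with a message, and consider making the main-table fallback (which the comment already says may pick a wrong route) opt-in.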
Index: TipAndDoc/iptables/setfilter
===================================================================
--- TipAndDoc/iptables/setfilter	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/setfilter	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,105 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides:          setfilter
+# Required-Start:    ufw
+# Required-Stop:     
+# Default-Start:     S
+# Default-Stop:      
+# Short-Description: set network filters with iptables
+### END INIT INFO
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+
+. /lib/lsb/init-functions
+
+if [ -s /etc/ufw/ufw.conf ]; then
+    . /etc/ufw/ufw.conf
+else
+    log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
+    exit 1
+fi
+
+RULES_PATH="/etc/ufw"
+
+case "$1" in
+start)
+    if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
+        # if firewall loaded, tell to reload instead
+        log_action_msg "Network filter already started, use 'force-reload'"
+        exit 0
+    fi
+    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+        log_action_begin_msg "Setting network filter"
+        error=""
+        
+        tables="raw mangle nat"
+        for table in $tables
+        do
+            RULES="$RULES_PATH/$table.rules"
+            
+            #flush the chains
+            iptables -F -t $table || error="yes"
+            iptables -X -t $table || error="yes"
+            
+            if [ -s "$RULES" ]; then
+                if ! iptables-restore -n < $RULES ; then
+                    log_action_cont_msg "Problem running '$RULES'"
+                    error="yes"
+                fi
+            else
+                log_action_cont_msg "Couldn't find '$RULES'"
+            fi
+        done
+    
+        if [ "$error" = "yes" ]; then
+            log_action_end_msg 1
+            exit 1
+        else
+            log_action_end_msg 0
+        fi
+    else
+        log_action_begin_msg "Skipping network filter (not enabled)"
+        log_action_end_msg 0
+    fi
+    ;;
+stop)
+    if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then
+        log_action_begin_msg "Skipping network filter (not enabled)"
+        log_action_end_msg 0
+        exit 0
+    fi
+    
+    log_action_begin_msg "Stopping network filter"
+    error=""
+    
+    tables="raw mangle nat"
+    for table in $tables
+    do
+        iptables -F -t $table || error="yes"
+        iptables -X -t $table || error="yes"
+    done
+    
+    if [ "$error" = "yes" ]; then
+        log_action_end_msg 1
+        exit 1
+    else
+        log_action_end_msg 0
+    fi
+    ;;
+restart|force-reload)
+    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+        $0 stop
+        $0 start
+    else
+        log_warning_msg "Skipping $1 (not enabled)"
+    fi
+    ;;
+*)
+    echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}"
+    exit 1
+    ;;
+esac
+
+exit 0
+
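Review bot: In the `start` branch each table is flushed (`iptables -F`/`-X`) before `iptables-restore -n < $RULES` is attempted, so a syntax error in a rules file leaves that table empty rather than in its previous state; validate first with `iptables-restore -t -n < "$RULES"` (`--test` only parses) and skip the flush when it fails, and quote `"$RULES"` on the existing redirection. The already-started check only probes the raw table's `LOG_ICMP` chain, so a partial load where raw succeeded but nat or mangle failed is reported as already started on the next `start`; a comment on the `iptables -L LOG_ICMP -t raw` line should state that `force-reload` is the recovery path in that case.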
Index: TipAndDoc/iptables/setlan2wan.sh
===================================================================
--- TipAndDoc/iptables/setlan2wan.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/setlan2wan.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# enable access to WAN device on router node from LAN clients
+#
+
+set -x
+
+## INTERFACES(5)
+# IFACE  physical name of the interface being processed
+# METHOD method of the interface (e.g., static)
+# MODE   start if run from ifup, stop if run from ifdown
+# PHASE  as per MODE, but with finer granularity, distinguishing the pre-
+#        up, post-up, pre-down and post-down phases.
+
+LANIF="${1:?"usage: $0 <LAN_device> <IPADDR> "}"
+LANIP="${2:?"usage: $0 <LAN_device> <IPADDR> "}"
+
+WANIP=`/sbin/ip addr show dev ${IFACE} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1`
+
+if [ "${PHASE}" = "pre-down" ]; then
+    # delete rule and exit
+    /sbin/iptables -t nat -D PREROUTING -i ${LANIF} -d ${WANIP} -j DNAT --to-destination ${LANIP}
+    echo "remove rule for access to WAN device on router node from LAN clients"
+    exit
+fi
+
+
+# set rule
+(
+sleep 60
+
+/sbin/iptables -t nat -A PREROUTING -i ${LANIF} -d ${WANIP} -j DNAT --to-destination ${LANIP}
+echo "set rule for access to WAN device on router node from LAN clients"
+
+) &
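Review bot: The DNAT add inside the `( sleep 60 ... ) &` subshell is neither idempotent nor ordered with the `pre-down` delete: every ifup appends another identical PREROUTING rule, and an ifdown within 60 s of ifup deletes nothing and then gets the rule added afterwards, leaving a stale DNAT for a down interface. Guard the add with a check (iptables 1.4.11+), `/sbin/iptables -t nat -C PREROUTING -i ${LANIF} -d ${WANIP} -j DNAT --to-destination ${LANIP} 2>/dev/null || /sbin/iptables -t nat -A PREROUTING ...`, and abort when `WANIP` is empty or spans more than one line (a device with several IPv4 addresses makes the `cut` output multi-line and the iptables call malformed): `[ -n "${WANIP}" ] || exit 1`.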
Index: TipAndDoc/iptables/setmasq.sh
===================================================================
--- TipAndDoc/iptables/setmasq.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/setmasq.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# set IP MASQUERADE with post-up command in INTERFACES(5)
+
+
+set -x
+
+## INTERFACES(5)
+# IFACE  physical name of the interface being processed
+# METHOD method of the interface (e.g., static)
+# MODE   start if run from ifup, stop if run from ifdown
+# PHASE  as per MODE, but with finer granularity, distinguishing the pre-
+#        up, post-up, pre-down and post-down phases.
+
+# optional argument to set default gateway devices connected to WAN manually
+# (try each of them in order)
+
+if [ "${PHASE}" = "post-down" ]; then
+    # remove MASQUERADE rule and exit
+    /sbin/iptables -t nat -D POSTROUTING -o ${IFACE} -j MASQUERADE
+    exit
+fi
+
+
+# set MASQUERADE rule
+/sbin/iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE
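Review bot: The comment `# optional argument to set default gateway devices connected to WAN manually` above the `post-down` test describes an argument this script never reads (it appears to be carried over from setnapt.sh); replace it with `# no arguments: IFACE and PHASE come from ifup(8)`. The MASQUERADE add on the last line appends a duplicate rule on every ifup; guard it with `/sbin/iptables -t nat -C POSTROUTING -o ${IFACE} -j MASQUERADE 2>/dev/null || /sbin/iptables -t nat -A POSTROUTING -o ${IFACE} -j MASQUERADE`. `IFACE` is used unchecked, so `: "${IFACE:?IFACE not set}"` at the top makes a run outside ifup fail clearly instead of emitting a rule with an empty `-o`.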
Index: TipAndDoc/iptables/setnapt.sh
===================================================================
--- TipAndDoc/iptables/setnapt.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/setnapt.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# set IP MASQUERADE for listed devices
+# this script must be set on the LAN gateway device
+
+
+set -x
+
+## INTERFACES(5)
+# IFACE  physical name of the interface being processed
+# METHOD method of the interface (e.g., static)
+# MODE   start if run from ifup, stop if run from ifdown
+# PHASE  as per MODE, but with finer granularity, distinguishing the pre-
+#        up, post-up, pre-down and post-down phases.
+
+# optional argument to set default gateway devices connected to WAN manually
+# (try each of them in order)
+GATEWAYS="$@"
+
+if [ "${PHASE}" = "post-down" ]; then
+    # flush POSTROUTING chain and exit
+    /sbin/iptables -t nat -F POSTROUTING
+    exit
+fi
+
+
+(
+
+# wait for initialization of WAN device with DHCPd 
+sleep 60
+
+if [ -z "${GATEWAYS}" ]; then
+    GATEWAYS=`/sbin/ip route show table main | grep -w default | tr -s ' ' | cut -d ' ' -f 5`
+fi
+
+for GW in ${GATEWAYS}; do
+    if [ ${GW} = ${IFACE} ]; then
+        # skip if device is the LAN gateway
+        continue
+    fi
+    
+    IPADDR=`/sbin/ip addr show dev ${GW} | grep -w inet | tr -s ' ' | cut -d ' ' -f 3 | cut -d / -f 1`
+    if [ -z "${IPADDR}" ]; then
+        # device doesn't seem to have an IP address
+        continue
+    fi
+    
+    ## set masquerade rule to all devices
+    #  because there is no way to know which one is default gateway
+    #  without manual specification
+    /sbin/iptables -t nat -A POSTROUTING -o ${GW} -j MASQUERADE
+done
+
+) &
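Review bot: The `post-down` branch runs `/sbin/iptables -t nat -F POSTROUTING`, which removes every POSTROUTING rule on the host — including the MASQUERADE rules `setmasq.sh` in this same commit installs for other interfaces — not just the ones this script added; delete its own rules instead (`/sbin/iptables -t nat -D POSTROUTING -o ${GW} -j MASQUERADE` per gateway, repeated until `-D` fails) or keep them in a dedicated chain. `[ ${GW} = ${IFACE} ]` is unquoted, so an empty `IFACE` (a run outside ifup) turns the test into a syntax error; write `[ "${GW}" = "${IFACE}" ]`. The `-A` in the loop also appends duplicates on each ifup, since the rules are added in the background after `sleep 60`; a `-C` check before it avoids that.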
Index: TipAndDoc/iptables/ufw/after.rules
===================================================================
--- TipAndDoc/iptables/ufw/after.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/after.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,37 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-after-input
+#   ufw-after-output
+#   ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+## allow connections to the local services from WAN
+# ssh 22/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
+# https 443/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j RETURN
+-A ufw-after-input -p udp --dport 138 -j RETURN
+-A ufw-after-input -p tcp --dport 139 -j RETURN
+-A ufw-after-input -p tcp --dport 445 -j RETURN
+-A ufw-after-input -p udp --dport 67 -j RETURN
+-A ufw-after-input -p udp --dport 68 -j RETURN
+
+# catchall for logging
+-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err
+-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
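Review bot: The comment `## allow connections to the local services from WAN` above the 22/443 ACCEPTs does not match the rules, which carry no `-i` and therefore accept NEW connections from every interface; either add `-i eth1` (the WAN name before.rules uses) or reword the comment. ssh on 22 is accepted with no rate limit, so password guessing is slowed only by sshd itself; the usual defensive addition here is ufw's limit pattern placed before the ACCEPT, `-A ufw-after-input -p tcp --syn --dport 22 -m recent --set --name SSH` followed by `-A ufw-after-input -p tcp --syn --dport 22 -m recent --update --seconds 30 --hitcount 6 --name SSH -j DROP`.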
Index: TipAndDoc/iptables/ufw/before.rules
===================================================================
--- TipAndDoc/iptables/ufw/before.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/before.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,90 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-before-input
+#   ufw-before-output
+#   ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -i lo -j ACCEPT
+
+# connection tracking rules
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets
+# uncomment to log INVALID packets
+-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input   -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input   -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output  -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output  -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+
+# connection tracking for outbound
+-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# ok icmp codes
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
+
+# all other non-local packets are dropped
+-A ufw-not-local -j DROP
+
+# allow MULTICAST, be sure the MULTICAST line above is uncommented
+-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
+-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
+
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
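Review bot: `-A ufw-before-output -i lo -j ACCEPT` can never match: packets traversing OUTPUT have no input interface, so loopback egress is not explicitly accepted by this rule; upstream ufw writes `-A ufw-before-output -o lo -j ACCEPT`. The ingress-filter rules use the old intrapositioned negation `-s ! 192.168.100.0/24`, which current iptables accepts only with a deprecation warning; write `! -s 192.168.100.0/24` on both lines.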
Index: TipAndDoc/iptables/ufw/mangle.rules
===================================================================
--- TipAndDoc/iptables/ufw/mangle.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/mangle.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,12 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in mangle table.
+
+
+*mangle
+# to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets
+# see iptables(8)
+-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+COMMIT
Index: TipAndDoc/iptables/ufw/nat.rules
===================================================================
--- TipAndDoc/iptables/ufw/nat.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/nat.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,18 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in nat table.
+# These are mainly used to IP MASQUERADE and REDIRECT.
+
+
+*nat
+
+## port REDIRECT to local services
+# 8443/tcp -> 443/tcp
+-A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443
+# WAN 8000/tcp -> 443/tcp
+-A PREROUTING -p tcp -i eth1 --dport 8000 -j REDIRECT --to-port 443
+# LAN 8000/tcp -> 22/tcp
+-A PREROUTING -p tcp -i eth0 --dport 8000 -j REDIRECT --to-port 22
+
+COMMIT
Index: TipAndDoc/iptables/ufw/raw.rules
===================================================================
--- TipAndDoc/iptables/ufw/raw.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/iptables/ufw/raw.rules	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,33 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in raw table.
+# These are mainly used to filter evil or wrong packets.
+
+
+*raw
+:LOG_ICMP - [0:0]
+:LOG_SPOOF - [0:0]
+
+## LOG and DROP fragmented packets (not head fragments)
+-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A PREROUTING --fragment -j DROP
+
+## LOG and DROP strange icmp packets
+-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_ICMP -j DROP
+# Too large icmp requests
+-A PREROUTING -p icmp --icmp-type echo-request -m length --length 128: -j LOG_ICMP
+# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
+-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
+-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
+
+## LOG and DROP IP spoofing (eth1:WAN)
+-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_SPOOF -j DROP
+-A PREROUTING -i eth1 -s    127.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s     10.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s  172.16.0.0/12 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
+
+COMMIT
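Review bot: The `--fragment` LOG/DROP pair at the top of PREROUTING presumably never fires on this host: with connection tracking loaded (before.rules uses `-m conntrack`), IPv4 defragmentation runs in PREROUTING ahead of the raw table, so raw rules only see reassembled datagrams — verify with the rule counters, and if they stay at zero either remove the two rules or record the intent in a comment. The spoofing list for eth1 covers loopback and the RFC 1918 ranges but not 0.0.0.0/8 or 169.254.0.0/16, which are equally invalid as WAN source addresses; `-A PREROUTING -i eth1 -s 169.254.0.0/16 -j LOG_SPOOF` (and the same for 0.0.0.0/8) keeps the block complete.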
Index: TipAndDoc/openssl/CA.sh
===================================================================
--- TipAndDoc/openssl/CA.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/openssl/CA.sh	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,140 @@
+#!/bin/sh
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
+DAYS="-days 3650"	# 10 years
+CADAYS="-days 3650"	# 10 years
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
+
+CATOP=./demoCA
+CAKEY=./cakey.pem
+CAREQ=./careq.pem
+CACERT=./cacert.pem
+
+for i
+do
+case $i in
+-\?|-h|-help)
+    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
+    exit 0
+    ;;
+-newcert) 
+    # create a certificate
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
+    RET=$?
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
+    ;;
+-newreq) 
+    # create a certificate request
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request is in newreq.pem, private key is in newkey.pem"
+    ;;
+-newca)     
+    # if explicitly asked for or it doesn't exist then setup the directory
+    # structure that Eric likes to manage things 
+    NEW="1"
+    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
+	# create the directory hierarchy
+	mkdir ${CATOP} 
+	mkdir ${CATOP}/certs 
+	mkdir ${CATOP}/crl 
+	mkdir ${CATOP}/newcerts
+	mkdir ${CATOP}/private
+	echo "00" > ${CATOP}/serial
+	touch ${CATOP}/index.txt
+    fi
+    if [ ! -f ${CATOP}/private/$CAKEY ]; then
+	echo "CA certificate filename (or enter to create)"
+	read FILE
+
+	# ask user for existing CA certificate
+	if [ "$FILE" ]; then
+	    cp $FILE ${CATOP}/private/$CAKEY
+	    RET=$?
+	else
+	    echo "Making CA certificate ..."
+	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
+			   -out ${CATOP}/$CAREQ
+	    $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
+			   -extensions v3_ca \
+			   -infiles ${CATOP}/$CAREQ 
+	    RET=$?
+	fi
+    fi
+    ;;
+-xsign)
+    $CA -policy policy_anything -infiles newreq.pem 
+    RET=$?
+    ;;
+-sign|-signreq) 
+    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+    RET=$?
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-signcert) 
+    echo "Cert passphrase will be requested twice - bug?"
+    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    cat newcert.pem
+    echo "Signed certificate is in newcert.pem"
+    ;;
+-verify) 
+    shift
+    if [ -z "$1" ]; then
+	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
+	    RET=$?
+    else
+	for j
+	do
+	    $VERIFY -CAfile $CATOP/$CACERT $j
+	    if [ $? != 0 ]; then
+		    RET=$?
+	    fi
+	done
+    fi
+    exit 0
+    ;;
+*)
+    echo "Unknown arg $i";
+    exit 1
+    ;;
+esac
+done
+exit $RET
+
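Review bot: In the `-verify` branch the `RET=$?` inside the `for j` loop captures the exit status of the preceding `[ $? != 0 ]` test, not of `$VERIFY`, and the branch then runs `exit 0` unconditionally, so a failed chain verification is never reported to a calling script. Initialise `RET=0` before `for j`, replace the inner test with `$VERIFY -CAfile $CATOP/$CACERT $j || RET=$?`, and change the branch's `exit 0` to `exit $RET`. The same status-dropping occurs in `-signcert`, which never sets RET after `$CA`, and in `-newca`, where the `mkdir` calls are unchecked and `cp $FILE` should be quoted as `cp "$FILE"` because the path comes straight from `read`.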
Index: TipAndDoc/openssl/openssl.cnf
===================================================================
--- TipAndDoc/openssl/openssl.cnf	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/openssl/openssl.cnf	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,313 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha1			# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
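Review bot: `default_bits = 1024` in `[ req ]` and `default_md = sha1` in `[ CA_default ]` produce keys and signatures that current OpenSSL security levels and browsers reject (1024-bit RSA, SHA-1 certificate signatures); change them to `default_bits = 2048` and `default_md = sha256`. `default_days = 3650` issues ten-year end-entity certificates, and the companion CA.sh reinforces that with `DAYS="-days 3650"`; a shorter lifetime together with the CRL machinery already present (`crlnumber`, `crl_extensions`) is the usual choice. `string_mask = nombstr` is a legacy Netscape workaround; `utf8only` is what current OpenSSL configurations ship with.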
Index: TipAndDoc/pxelinux.cfg/default
===================================================================
--- TipAndDoc/pxelinux.cfg/default	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/pxelinux.cfg/default	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,24 @@
+TIMEOUT 300
+
+menu title Installer multi boot menu
+
+LABEL localHDD
+localboot 0
+
+menu begin lucid-amd64
+	label backmain
+		menu label ^Back..
+		menu exit
+	menu title Install Ubuntu 10.04 on AMD64
+	include ubuntu-installer/amd64/boot-screens/menu.cfg
+	default ubuntu-installer/amd64/boot-screens/vesamenu.c32
+menu end
+
+menu begin lucid-i386
+	label backmain
+		menu label ^Back..
+		menu exit
+	menu title Install Ubuntu 10.04 on Intel x86
+	include ubuntu-installer/i386/boot-screens/menu.cfg
+	default ubuntu-installer/i386/boot-screens/vesamenu.c32
+menu end
Index: TipAndDoc/swat/lang/ja/help/welcome.html
===================================================================
--- TipAndDoc/swat/lang/ja/help/welcome.html	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/swat/lang/ja/help/welcome.html	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,71 @@
+<h3>SWAT へようこそ!</h3>
+
+上のボタンをクリックして設定を行ってください。
+
+<h3><a href="/swat/help/manpages/samba.7.html" target="docs">Samba</a> ドキュメント</h3>
+
+<ul>
+ <li><b>デーモン</b>
+   <ul>
+    <li><a href="/swat/help/manpages/smbd.8.html" target="docs">smbd</a> - SMB デーモン
+    <li><a href="/swat/help/manpages/nmbd.8.html" target="docs">nmbd</a> - NetBIOS ネームサーバ
+    <li><a href="/swat/help/manpages/winbindd.8.html" target="docs">winbindd</a> - winbind デーモン
+   </ul>
+ <li><b>設定ファイル</b>
+   <ul>
+    <li><a href="/swat/help/manpages/smb.conf.5.html" target="docs">smb.conf</a> - Samba 設定ファイル
+    <li><a href="/swat/help/manpages/lmhosts.5.html" target="docs">lmhosts</a> - NetBIOS の hosts ファイル
+    <li><a href="/swat/help/manpages/smbpasswd.5.html" target="docs">smbpasswd</a> - SMB パスワードファイル
+   </ul>
+ <li><b>管理ユーティリティ</b>
+   <ul>
+    <li><a href="/swat/help/manpages/smbcontrol.1.html" target="docs">smbcontrol</a> - Samba デーモンへのコントロールメッセージの送出
+    <li><a href="/swat/help/manpages/smbpasswd.8.html" target="docs">smbpasswd</a> - SMB パスワードの管理
+    <li><a href="/swat/help/manpages/swat.8.html" target="docs">SWAT</a> - Web 設定ツール
+    <li><a href="/swat/help/manpages/net.8.html" target="docs">net</a> - Samba およびリモートの CIFS サーバの管理ツール
+    <li><a href="/swat/help/manpages/pdbedit.8.html" target="docs">pdbedit</a> - Samba のユーザアカウント管理ツール
+    <li><a href="/swat/help/manpages/tdbbackup.8.html" target="docs">tdbbackup</a> - TDB データベースのバックアップツール
+   </ul>
+ <li><b>クライアントツール</b>
+   <ul>
+    <li><a href="/swat/help/manpages/rpcclient.1.html" target="docs">rpcclient</a> - コマンドラインの MS-RPC クライアント
+    <li><a href="/swat/help/manpages/smbtar.1.html" target="docs">smbtar</a> - SMB バックアップツール
+    <li><a href="/swat/help/manpages/smbclient.1.html" target="docs">smbclient</a> - コマンドラインの SMB クライアント
+    <li><a href="/swat/help/manpages/smbmnt.8.html"  target="docs">smbmnt</a> - Linux 上の SMB ファイルシステムをマウントする際の補助ツール
+    <li><a href="/swat/help/manpages/smbmount.8.html"  target="docs">smbmount</a> - Linux における SMB ファイルシステムのマウントを実現するユーザ空間のツール
+    <li><a href="/swat/help/manpages/smbspool.8.html"  target="docs">smbspool</a> - コマンドラインの SMB 印刷クライアント
+    <li><a href="/swat/help/manpages/smbumount.8.html"  target="docs">smbumount</a> - Linux における SMB ファイルシステムのアンマウントを実現するユーザ空間のツール
+    <li><a href="/swat/help/manpages/ntlm_auth.1.html" target="docs">ntlm_auth</a> - 別プログラムからの NTLM 認証の使用を実現
+    <li><a href="/swat/help/manpages/smbcquotas.1.html" target="docs">smbcquotas</a> - NTFS 5 共有のクォータ情報の設定と取得
+    <li><a href="/swat/help/manpages/smbsh.1.html" target="docs">smbsh</a> - UNIX シェルを用いたリモート SMB 共有へのアクセスを実現
+    <li><a href="/swat/help/manpages/smbtree.1.html" target="docs">smbtree</a> - テキストベースの SMB ネットワークブラウジング
+    <li><a href="/swat/help/manpages/smbspool.8.html" target="docs">smbspool</a> - 印刷ジョブを SMB プリンタに送信
+   </ul>
+ <li><b>診断ユーティリティ</b>
+   <ul>
+    <li><a href="/swat/help/manpages/smbstatus.1.html" target="docs">smbstatus</a> - Samba の監視
+    <li><a href="/swat/help/manpages/testparm.1.html" target="docs">testparm</a> - 設定ファイルの整合性の検査
+    <li><a href="/swat/help/manpages/testprns.1.html" target="docs">testprns</a> - プリンタ設定の検査
+    <li><a href="/swat/help/manpages/nmblookup.1.html" target="docs">nmblookup</a> - NetBIOS 名の検索ツール
+    <li><a href="/swat/help/manpages/wbinfo.1.html" target="docs">wbinfo</a> - winbind 情報の取得ツール
+   </ul>
+ <li><b>その他のユーティリティ</b>
+   <ul>
+    <li><a href="/swat/help/manpages/profiles.1.html" target="docs">profiles</a> - 別ドメインへのプロファイルの移行
+    <li><a href="/swat/help/manpages/editreg.1.html" target="docs">editreg</a> - Windows レジストリファイルの編集
+    <li><a href="/swat/help/manpages/log2pcap.1.html" target="docs">log2pcap</a> - Samba のログファイルから pcap ファイルの生成
+   </ul>
+ <li><b>書籍</b>
+   <ul>
+    <li><a href="/swat/help/using_samba/toc.html" target="docs">Using Samba 第二版</a> - 著者: Jay Ts, Robert Eckstein, David Collier-Brown
+    <li><a href="/swat/help/Samba3-HOWTO/" target="docs">The Official Samba HOWTO and Reference Guide</a>
+    <li><a href="/swat/help/Samba3-ByExample/" target="docs">Samba 3 by Example</a>
+    <li><a href="/swat/help/Samba3-Developers-Guide/" target="docs">The Samba Developer Guide</a>
+   </ul>
+</ul>
+ 
+ <h3>フィードバック</h3>
+
+ このバージョンの SWAT に関する問題についての議論を行ないたい方は、
+ <A HREF="http://lists.samba.org/">samba</A> メーリングリストへの参加をお願いします。
+<small>(もしくは <A HREF="http://www.samba.gr.jp/ml/">sugj-tech</A> メーリングリストに日本語でお願いします)</small>
Index: TipAndDoc/swat/xinetd.d/swat
===================================================================
--- TipAndDoc/swat/xinetd.d/swat	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/swat/xinetd.d/swat	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,12 @@
+service swat
+{
+	port		= 901
+	socket_type	= stream
+	wait		= no
+	only_from	= 127.0.0.1
+	only_from	+= 192.168.0.0/24
+	user		= root
+	server		= /usr/sbin/swat
+	log_on_failure	+= USERID
+	disable		= no
+}
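Review bot: This exposes SWAT as `user = root` over plain HTTP on port 901 on every interface, with `only_from` as the only access control; SWAT authenticates with HTTP basic auth, so the 192.168.0.0/24 allowance means the root password crosses the LAN unencrypted. If LAN access is genuinely needed, pin the listener to that interface with `bind = <LAN address>` so the service is not reachable from other networks; otherwise keep only the 127.0.0.1 entry and reach it through an SSH tunnel. Either way the intent deserves a comment in the block such as `# SWAT uses cleartext basic auth; only_from/bind are the sole access controls`.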
Index: TipAndDoc/trac/custom.css
===================================================================
--- TipAndDoc/trac/custom.css	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/trac/custom.css	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,56 @@
+.wikipage h1 {;
+    background-color: #ffffcc;
+    border-color: yellow;
+    border-style: solid;
+    border-width: 0 0 0.3em 0.3em;
+    padding: 0.2em 0.4em;
+    /* cancel browser.css */
+    margin-right: 0;
+}
+
+.wikipage h2 {
+    background-color: #ffffcc;
+    border-color: yellow;
+    border-style: solid;
+    border-width: 0 0 0.2em 0.6em;
+    padding: 0.2em 0.6em;
+}
+
+.wikipage h3 {
+    background-color: #ffffcc;
+    border-color: yellow;
+    border-style: double;
+    border-width: 0 0 0.2em 1em;
+    padding: 0.2em 0.7em;
+}
+
+.wikipage h4 {
+    background-color: #ffffcc;
+    padding: 0.2em 0.6em;
+}
+
+.wikipage h5 {
+    background-color: #ffffcc;
+    border-color: yellow;
+    border-style: solid;
+    border-width: 0 0 0 1em;
+    padding: 0.2em 0.4em;
+}
+
+.wikipage h6 {
+    background-color: #ffffcc;
+    border-color: yellow;
+    border-style: double;
+    border-width: 0 0 0 2em;
+    padding: 0.2em 0.4em;
+}
+
+/* expand edit text area */
+#edit #text {
+    min-height: 20em;
+}
+
+/* Quick search */
+#proj-search {
+    width: 20em;
+}
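Review bot: The first rule opens with `.wikipage h1 {;` — the stray semicolon after the brace is an empty declaration that browsers skip but validators and some minifiers flag; change it to `.wikipage h1 {`. The remaining heading rules follow the correct form.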
Index: TipAndDoc/trac/site.html
===================================================================
--- TipAndDoc/trac/site.html	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/trac/site.html	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,11 @@
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:xi="http://www.w3.org/2001/XInclude"
+      xmlns:py="http://genshi.edgewall.org/"
+      py:strip="">
+  <!--! Add site-specific style sheet -->
+  <head py:match="head" py:attrs="select('@*')">
+    ${select('*|comment()|text()')}
+    <link rel="stylesheet" type="text/css"
+          href="/static/htdocs/custom.css" />
+  </head>
+</html>
Index: TipAndDoc/vmware/hotaddbridge
===================================================================
--- TipAndDoc/vmware/hotaddbridge	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
+++ TipAndDoc/vmware/hotaddbridge	(revision 8333ea00a9fe608c90c20af12ea0c51548f66f4e)
@@ -0,0 +1,69 @@
+#!/bin/bash
+##############################################
+# Add VMWare Network Bridged devices hot
+#
+# Revisions
+# J.Gargano - 2009-07-08 - 1.1
+#
+#############################################
+
+echo "Locating Existing Devices"
+for dev in $(ls /dev/vmnet*);
+do
+    echo " Found $dev"
+done
+echo
+printf "Please enter a device number that does not exist in this list: "
+read num
+# Check if it exists
+if [ -e /dev/vmnet$num ];then
+    echo "/dev/vmnet$num exists! Exiting."
+    exit 1
+fi
+
+
+# Select an interface
+echo
+echo "Locating interfaces to bridge"
+for int in $(ifconfig |grep "^[a-z,A-Z]" |cut -d' ' -f1);
+do
+    echo $int
+done
+printf "Please enter a interface: "
+read interface
+
+# Check if it exists
+ifconfig $interface >/dev/null 2>&1
+ret=$?
+if [ $ret != 0 ];then
+    if [ "$1" != "-d" ]; then
+        echo "Can't find interface. Exiting!"
+        exit 1
+    else
+        echo "Use dummy device: $interface"
+        dummy="Dummy "
+    fi
+fi
+
+
+# Create device
+echo "Creating device /dev/vmnet$num"
+mknod --mode=600 /dev/vmnet$num c 119 $num
+
+# Add to vmware netmap configuration
+# open netmap.conf and get next number in list
+let nextnetnum=$(cat /etc/vmware/netmap.conf | tail -1 | cut -d'.' -f1 | sed -e s/network//)+1
+
+echo "Adding network$nextnetnum to /etc/vmware/netmap.conf"
+
+echo "network$nextnetnum.name = \"${dummy}Bridged to $interface\"">> /etc/vmware/netmap.conf
+echo "network$nextnetnum.device = \"vmnet$num\"">> /etc/vmware/netmap.conf
+
+# Add to vmware locations configuration
+echo "answer VNET_${num}_NAME ${dummy}Bridged to $interface" >> /etc/vmware/locations
+echo "answer VNET_${num}_INTERFACE $interface" >> /etc/vmware/locations
+echo "remove_file /dev/vmnet$num" >> /etc/vmware/locations
+echo "file /dev/vmnet$num" >> /etc/vmware/locations
+
+# Start Service
+`which vmnet-bridge` -d /var/run/vmnet-bridge-$num.pid -n $num -i $interface
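Review bot: `$num` from `read num` is never validated before it reaches `mknod --mode=600 /dev/vmnet$num c 119 $num` and is appended to /etc/vmware/netmap.conf and /etc/vmware/locations; an empty or non-numeric answer makes mknod fail while the configuration lines are still written, since nothing checks its status. Add `case $num in ''|*[!0-9]*) echo "Device number must be numeric"; exit 1;; esac` right after the `read`, and guard the node creation with `mknod --mode=600 /dev/vmnet$num c 119 $num || exit 1`. `$interface` should be quoted where it is used, and the `nextnetnum` derivation from the last line of netmap.conf assumes that line is a `network<N>` entry, which an empty or differently ordered file breaks.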
