Overordnede bemærkninger
Denne side er begrænset til læsning for almindelige brugere.
Der tages ikke backup af hosten. Ved ændringer i konfigurationsfiler (typisk /etc/pf.conf) opdateres denne side (dog indsættes adgangskoden til SIXXS ikke for konfigurationen for AICCU :).
Mht. logning ifølge logningsbekendtgørelsen har ITST svaret at vi ikke er omfattet.
Konfigurationsfiler
/etc/rc.local (add):
# Start the SixXS tunnel client (aiccu) at the end of boot, but only when both
# the binary and its configuration exist. /etc/rc.local runs as root, and
# /etc/aiccu.conf carries the tunnel-broker password, so that file should stay
# readable by root only.
if [ -x /usr/local/sbin/aiccu ] && [ -f /etc/aiccu.conf ]; then
	echo -n ' aiccu'
	/usr/local/sbin/aiccu start
fi
install aiccu (pkg_add aiccu)
net-snmpd
pkg_add net-snmp
Enable in rc.conf
Conf in /etc/snmp/snmpd.conf
/etc/sysctl.conf
# Make the host route between its interfaces for both address families.
# Which traffic is actually allowed across is decided in /etc/pf.conf.
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of IPv6 packets
/etc/hostname.em0
# em0: external interface ($ext_if in pf.conf), IPv4 address obtained with dhclient
description 'outside'
dhcp
/etc/hostname.em1
# em1: wireless LAN, this host is the gateway for 10.42.2.0/24 and 2001:16d8:dd56:2::/64
description 'Wireless network'
inet 10.42.2.1 255.255.255.0
inet6 2001:16d8:dd56:2::1 64
/etc/hostname.em2
# em2: cabled LAN, this host is the gateway for 10.42.3.0/24 and 2001:16d8:dd56:3::/64
description 'Cabled network'
inet 10.42.3.1 255.255.255.0
inet6 2001:16d8:dd56:3::1 64
/etc/hostname.em3
# em3: server LAN, this host is the gateway for 10.42.4.0/24 and 2001:16d8:dd56:4::/64
# (no DHCP and no router advertisements are configured for this interface)
description 'Server network'
inet 10.42.4.1 255.255.255.0
inet6 2001:16d8:dd56:4::1 64
/etc/hostname.em4
# em4: BMX LAN, this host is the gateway for 10.42.5.0/24 and 2001:16d8:dd56:5::/64
description 'BMX network'
inet 10.42.5.1 255.255.255.0
inet6 2001:16d8:dd56:5::1 64
For /etc/ssh/sshd_config ret:
# Root may log in with a key only, never with a password. Newer OpenSSH
# spells this value "prohibit-password"; "without-password" is the older alias.
PermitRootLogin without-password
/etc/rtadvd.conf
# Router advertisements for the three client LANs. em3 (server net) is not
# advertised here, which matches rtadvd_flags in /etc/rc.conf.local.
# vltime=300 keeps the advertised prefix lifetime short; the 10-20 s
# advertisement interval is well below that, so hosts keep the prefix alive.
em1:\
	:addr="2001:16d8:dd56:2::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
em2:\
	:addr="2001:16d8:dd56:3::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
em4:\
	:addr="2001:16d8:dd56:5::":prefixlen#64:vltime=300:maxinterval=20:mininterval=10:
/etc/rc.conf.local
# Sourced as shell by rc: a value of NO disables a daemon, anything else
# (including an empty string) enables it with those flags.
ntpd_flags=			# enabled during install
dhcpd_flags="em1 em2 em4"	# serve the wireless, cabled and BMX LANs only
rtadvd_flags="em1 em2 em4"	# same interfaces as /etc/rtadvd.conf
ftpproxy_flags=""		# ftp-proxy with default flags; paired with the ftp-proxy anchor in pf.conf
/etc/aiccu.conf
# SixXS tunnel client configuration. The password shown here is a placeholder;
# the real one is deliberately not copied to the wiki. Keep this file root-only
# (mode 600), since rc.local starts aiccu as root from it.
username GSW2-SIXXS
password s3cret
# NOTE(review): pf.conf uses ext6_if = "tun0" while this names gif0 - confirm
# which device the tunnel really comes up on, as the pf rules depend on it.
ipv6_interface gif0
tunnel_id T28389
verbose false
daemonize true
automatic true
# NOTE(review): with requiretls false the broker login may go over a
# non-TLS connection; setting it true is the safer default if the broker supports it.
requiretls false
/etc/dhcpd.conf
# dhcpd.conf
#
# option definitions common to all supported networks...
option domain-name "hal9k.dk";
option domain-name-servers 89.233.43.71, 89.104.194.142;
option ntp-servers 130.225.51.74, 130.225.51.85, 130.225.51.73;
# NOTE(review): time-offset is given in seconds in dhcp-options(5); 1 is
# almost certainly meant to be 3600 (CET) - confirm before changing.
option time-offset 1;

default-lease-time 3600;
max-lease-time 7200;

# filename "pxelinux.0";
# next-server 10.42.4.42;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

##ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
##log-facility local7;

#Wireless network
subnet 10.42.2.0 netmask 255.255.255.0 {
	range 10.42.2.100 10.42.2.254;
	option routers 10.42.2.1;
}

#host example.hal9k.dk {
#	hardware ethernet 00:00:f3:00:00:33;
#	fixed-address 10.42.2.10;
#}

#Cabled network
subnet 10.42.3.0 netmask 255.255.255.0 {
	range 10.42.3.100 10.42.3.254;
	option routers 10.42.3.1;
	#next-server 10.42.4.9;
	# get-lease-hostnames true;
	option subnet-mask 255.255.255.0;
	# NOTE(review): root-path looks like a leftover from the commented-out
	# LTSP/PXE setup below; harmless, but worth removing if LTSP is gone.
	option root-path "/opt/ltsp/i386";
	#if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
	#	filename "/ltsp/i386/pxelinux.0";
	#} else {
	#	filename "/ltsp/i386/nbi.img";
	#}

	# Fixed addresses (outside the dynamic range) keyed on MAC address.
	host printer1.hal9k.dk {
		hardware ethernet 00:00:f0:a9:c7:0f;
		fixed-address 10.42.3.12;
	}
	host halcam1.hal9k.dk {
		hardware ethernet 80:1f:02:8b:ef:c5;
		fixed-address 10.42.3.20;
	}
	host halcam2.hal9k.dk {
		hardware ethernet 80:1f:02:8b:ef:be;
		fixed-address 10.42.3.21;
	}
	host halcam3.hal9k.dk {
		hardware ethernet 80:1f:02:8b:e6:60;
		fixed-address 10.42.3.22;
	}
	host halcam4.hal9k.dk {
		hardware ethernet 80:1f:02:8b:e6:3c;
		fixed-address 10.42.3.23;
	}
	host halcam5.hal9k.dk {
		hardware ethernet 80:1f:02:8b:ef:cc;
		fixed-address 10.42.3.24;
	}
	host halcam6.hal9k.dk {
		hardware ethernet 80:1f:02:8b:ef:bd;
		fixed-address 10.42.3.25;
	}
}

#host example2.hal9k.dk {
#	hardware ethernet 00:00:f3:00:00:33;
#	fixed-address 10.42.3.10;
#}

#BMX network
subnet 10.42.5.0 netmask 255.255.255.0 {
	range 10.42.5.100 10.42.5.254;
	option routers 10.42.5.1;
}
/etc/pf.conf
# Rules for HAL9k. Last edited by sman 2013-08-15
#
# Interfaces (see /etc/hostname.em*): em0 outside, em1 wireless, em2 cabled,
# em3 server, em4 BMX. IPv6 arrives over the SixXS tunnel device.

### Macros ###
ext_if = "em0"
# NOTE(review): /etc/aiccu.conf sets ipv6_interface gif0, not tun0 - confirm
# which device carries the tunnel; if it is gif0, no $ext6_if rule below matches.
ext6_if = "tun0"
wlan_if = "em1"
clan_if = "em2"
srv_if = "em3"
bmx_if = "em4"
extv4 = "95.166.117.167"

# SRV hosts
3dprint01 = "10.42.4.11"
3dprint016 = "2001:16d8:dd56:4::11"
# NOTE(review): $halvm16 is used in the last rule of this file but never
# defined; pfctl refuses to load a ruleset that references an undefined
# macro, so it must be defined here (next to the other SRV hosts).

### Tables ###
table <wlan_network> const { 10.42.2.0/24, 2001:16d8:dd56:2::/64 }
table <clan_network> const { 10.42.3.0/24, 2001:16d8:dd56:3::/64 }
table <srv_network> const { 10.42.4.0/24, 2001:16d8:dd56:4::/64 }
table <bmx_network> const { 10.42.5.0/24, 2001:16d8:dd56:5::/64 }
# NOTE(review): 2001:16d8:dd6e::/48 does not cover the 2001:16d8:dd56:*::/64
# prefixes of the LAN tables above, so the "to ! <int_network>" rules for
# $srv_if do not keep the server net away from the other LANs over IPv6.
# Looks like a typo for dd56::/48 - confirm.
table <int_network> const { 10.0.0.0/8, 2001:16d8:dd6e::/48 }
table <ip6_multic> const { fe80::/10, ff00::/8 }
table <ext_addr> const { 95.166.117.167, 2001:16d8:dd00:a1::2 }
table <switches> const { 2001:16d8:dd56:4::2, 2001:16d8:dd56:4::3 }
# Management hosts allowed to talk SNMP to the switches
table <gip> const { 130.225.254.108, 90.185.56.186, 77.243.53.201, 77.243.53.195, 2a03:dc80:0:f156::1003, 2a03:dc80:0:f101::5 2001:16d8:dd6a:231::5 }

### Options ###
set skip on lo
set limit states 100000
# Make AFS happy (call-backs)
set timeout udp.first 600
set timeout udp.single 600
set timeout udp.multiple 600

### Traffic Normalization ###
match in all scrub (no-df)

### Queueing ###

### Translation ###
anchor "ftp-proxy/*"

### Packet filtering ###
# Default deny. pf is last-match: the pass rules further down override this
# unless a rule is marked quick.
block in log all
pass out

#TEMP pass in proto udp from <srv_network> to <clan_network>

# Drop spoofed sources before any pass rule can match them
block in log quick from urpf-failed

# NOTE(review): this rdr is bound to $ext_if, so any connection from the
# outside to port ftp is handed to ftp-proxy (enabled by ftpproxy_flags in
# rc.conf.local). If the proxy is meant for LAN clients' outgoing FTP, the
# rule belongs on the internal interfaces; confirm the intent before leaving
# the proxy reachable from the Internet.
pass in quick on $ext_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# Allow ssh, www and dhcp to self
# NOTE(review): DHCP is UDP only, so "proto udp" is sufficient here. The
# rule is presumably left without an interface so dhclient replies on
# $ext_if are accepted too - confirm that is the reason for "any".
pass in proto {tcp,udp} from any to any port 67:68 # update this line..
pass in on $ext_if proto tcp from any to $extv4 port { ssh, 8573 }
pass in on $ext6_if proto tcp from any to <ext_addr> port { ssh, 8573 }
pass in proto tcp from any to <ext_addr> port 80

# Traffic from internal networks
# Wireless and BMX clients may not send mail directly (port 25); cabled may.
pass in on $wlan_if from <wlan_network> to any
pass in on $wlan_if from <ip6_multic> to any
block in log on $wlan_if proto tcp from <wlan_network> to any port 25
pass in on $clan_if from <clan_network> to any
pass in on $clan_if from <ip6_multic> to any
pass in on $bmx_if from <bmx_network> to any
pass in on $bmx_if from <ip6_multic> to any
block in log on $bmx_if proto tcp from <bmx_network> to any port 25
# Server net may reach the Internet and this host, but not the other LANs
# (subject to the <int_network> note above for IPv6)
pass in on $srv_if from <srv_network> to ! <int_network>
pass in on $srv_if from <srv_network> to self
pass in on $srv_if from <ip6_multic> to ! <int_network>

# NAT
match out on $ext_if inet from <int_network> to any nat-to $ext_if

# Traffic from external networks
# Allow ping to any
pass in inet proto icmp from any to any icmp-type echoreq
pass in inet6 proto icmp6 from any to any icmp6-type echoreq

# SRV net
#pass in on $ext_if inet proto tcp from any to $extv4 port { 80, 443 } rdr-to $rationell
#pass in on $ext6_if inet6 proto tcp from any to $rationell6 port { 80, 1443}

# 3dprint01 (mchro)
# NOTE(review): VNC (5900) is reachable from any source, over IPv4 via
# port 2059 and over IPv6 directly. VNC's own authentication is weak and
# the session is unencrypted; consider restricting the source (as <gip>
# does for SNMP below) or reaching it through the ssh port only.
pass in on $ext_if inet proto tcp from any to $extv4 port 2022 rdr-to $3dprint01 port 22
pass in on $ext_if inet proto tcp from any to $extv4 port 2059 rdr-to $3dprint01 port 5900
pass in on $ext6_if inet6 proto tcp from any to $3dprint016 port {22, 5900}

# sw1 sw2 (Georg)
pass in on $ext6_if proto { tcp, udp } from <gip> to <switches> port 161
pass in on $ext6_if proto { tcp, udp } from <gip> to $halvm16 port 161