author | Andrew Cady <d@jerkface.net> | 2021-10-09 05:17:46 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2021-10-09 05:19:13 -0400 |
commit | bdec7d13e5514489693f29111783592ba613988a (patch) | |
tree | 1a8569dc198faf28a1d905af402f13b723180eb4 /notes | |
parent | 001803289d137b61b84778a518744be47bf3e70b (diff) |
move scrap notes into notes/
Diffstat (limited to 'notes')
-rw-r--r-- | notes/andy.brief.conf | 28 | ||||
-rw-r--r-- | notes/andy.conf | 580 | ||||
-rw-r--r-- | notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh | 26 | ||||
-rw-r--r-- | notes/gai.conf | 65 | ||||
-rw-r--r-- | notes/ipsec.conf | 41 | ||||
-rw-r--r-- | notes/ipsec.conf.empty | 5 |
6 files changed, 745 insertions, 0 deletions
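--- /dev/null
+++ b/notes/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+andy {
+remote_addrs = 68.48.18.140
+vips = ::
+local1 {
+pubkeys = ssh_host_rsa_key.pub
+auth = pubkey
+id = dd6c:fbfd:eeb8:4709
+}
+remote1 {
+id = "68.48.18.140"
+pubkeys = andy.pub
+auth = pubkey
+}
+children {
+child1 {
+remote_ts = 0::0/0
+mode = tunnel
+dpd_action = restart
+}
+}
+}
+}
+secrets {
+private1 {
+file = ssh_host_rsa_key
+}
+}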
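Review bot: `dpd_action = restart` in `child1` never has a trigger, because the `andy` section leaves `dpd_delay` at its default; the annotated copy in notes/andy.conf documents that default as `# dpd_delay = 0s`, i.e. no liveness checks are sent, so a dead peer is never detected and the restart action never runs. If the intent is automatic tunnel recovery, add an explicit interval to the `andy` section, e.g. `dpd_delay = 30s` (value illustrative), in this file and in notes/andy.conf. The `child1` block in notes/andy.conf has the same dangling `dpd_action = restart`.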
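--- /dev/null
+++ b/notes/andy.conf
@@ -0,0 +1,580 @@
+# conn andy
+# type=tunnel
+# auto=add
+#
+# left=%any
+# leftsourceip=%config
+# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+# leftid=dd6c:fbfd:eeb8:4709
+# right=%any
+# right=68.48.18.140
+# #rightsubnet=2601:401:8200:2d4c::1/64
+# rightsubnet=0::0/0
+# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Section defining IKE connection configurations.
+connections {
+
+# Section for an IKE connection named andy.
+andy {
+
+# IKE major version to use for connection.
+# version = 0
+
+# Local address(es) to use for IKE communication, comma separated.
+# local_addrs = %any
+
+# Remote address(es) to use for IKE communication, comma separated.
+remote_addrs = 68.48.18.140
+
+# Local UDP port for IKE communication.
+# local_port = 500
+
+# Remote UDP port for IKE communication.
+# remote_port = 500
+
+# Comma separated proposals to accept for IKE.
+# proposals = default
+
+# Virtual IPs to request in configuration payload / Mode Config.
+vips = ::
+
+# Use Aggressive Mode in IKEv1.
+# aggressive = no
+
+# Set the Mode Config mode to use.
+# pull = yes
+
+# Differentiated Services Field Codepoint to set on outgoing IKE packets
+# (six binary digits).
+# dscp = 000000
+
+# Enforce UDP encapsulation by faking NAT-D payloads.
+# encap = no
+
+# Enables MOBIKE on IKEv2 connections.
+# mobike = yes
+
+# Interval of liveness checks (DPD).
+# dpd_delay = 0s
+
+# Timeout for DPD checks (IKEV1 only).
+# dpd_timeout = 0s
+
+# Use IKE UDP datagram fragmentation (yes, accept, no or force).
+# fragmentation = yes
+
+# Use childless IKE_SA initiation (allow, force or never).
+# childless = allow
+
+# Send certificate requests payloads (yes or no).
+# send_certreq = yes
+
+# Send certificate payloads (always, never or ifasked).
+# send_cert = ifasked
+
+# String identifying the Postquantum Preshared Key (PPK) to be used.
+# ppk_id =
+
+# Whether a Postquantum Preshared Key (PPK) is required for this
+# connection.
+# ppk_required = no
+
+# Number of retransmission sequences to perform during initial connect.
+# keyingtries = 1
+
+# Connection uniqueness policy (never, no, keep or replace).
+# unique = no
+
+# Time to schedule IKE reauthentication.
+# reauth_time = 0s
+
+# Time to schedule IKE rekeying.
+# rekey_time = 4h
+
+# Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+# over_time = 10% of rekey_time/reauth_time
+
+# Range of random time to subtract from rekey/reauth times.
+# rand_time = over_time
+
+# Comma separated list of named IP pools.
+# pools =
+
+# Default inbound XFRM interface ID for children.
+# if_id_in = 0
+
+# Default outbound XFRM interface ID for children.
+# if_id_out = 0
+
+# Whether this connection is a mediation connection.
+# mediation = no
+
+# The name of the connection to mediate this connection through.
+# mediated_by =
+
+# Identity under which the peer is registered at the mediation server.
+# mediation_peer =
+
+# Section for a local authentication round.
+local1 {
+
+# Optional numeric identifier by which authentication rounds are
+# sorted. If not specified rounds are ordered by their position in
+# the config file/VICI message.
+# round = 0
+
+# Comma separated list of certificate candidates to use for
+# authentication.
+# certs =
+
+# Section for a certificate candidate to use for authentication.
+# cert<suffix> =
+
+# Comma separated list of raw public key candidates to use for
+# authentication.
+pubkeys = ssh_host_rsa_key.pub
+
+# Authentication to perform locally (pubkey, psk, xauth[-backend] or
+# eap[-method]).
+auth = pubkey
+
+# IKE identity to use for authentication round.
+id = dd6c:fbfd:eeb8:4709
+
+# Client EAP-Identity to use in EAP-Identity exchange and the EAP
+# method.
+# eap_id = id
+
+# Server side EAP-Identity to expect in the EAP method.
+# aaa_id = remote-id
+
+# Client XAuth username used in the XAuth exchange.
+# xauth_id = id
+
+# cert<suffix> {
+
+# Absolute path to the certificate to load.
+# file =
+
+# Hex-encoded CKA_ID of the certificate on a token.
+# handle =
+
+# Optional slot number of the token that stores the certificate.
+# slot =
+
+# Optional PKCS#11 module name.
+# module =
+
+# }
+
+}
+
+# Section for a remote authentication round.
+remote1 {
+
+# Optional numeric identifier by which authentication rounds are
+# sorted. If not specified rounds are ordered by their position in
+# the config file/VICI message.
+# round = 0
+
+# IKE identity to expect for authentication round.
+#id = %any
+id = "68.48.18.140"
+
+# Identity to use as peer identity during EAP authentication.
+# eap_id = id
+
+# Authorization group memberships to require.
+# groups =
+
+# Certificate policy OIDs the peer's certificate must have.
+# cert_policy =
+
+# Comma separated list of certificate to accept for authentication.
+# certs =
+
+# Section for a certificate to accept for authentication.
+# cert<suffix> =
+
+# Comma separated list of CA certificates to accept for
+# authentication.
+# cacerts =
+
+# Section for a CA certificate to accept for authentication.
+# cacert<suffix> =
+
+# Identity in CA certificate to accept for authentication.
+# ca_id =
+
+# Comma separated list of raw public keys to accept for
+# authentication.
+pubkeys = andy.pub
+
+# Certificate revocation policy, (strict, ifuri or relaxed).
+# revocation = relaxed
+
+# Authentication to expect from remote (pubkey, psk, xauth[-backend]
+# or eap[-method]).
+auth = pubkey
+
+# cert<suffix> {
+
+# Absolute path to the certificate to load.
+# file =
+
+# Hex-encoded CKA_ID of the certificate on a token.
+# handle =
+
+# Optional slot number of the token that stores the certificate.
+# slot =
+
+# Optional PKCS#11 module name.
+# module =
+
+# }
+
+# cacert<suffix> {
+
+# Absolute path to the certificate to load.
+# file =
+
+# Hex-encoded CKA_ID of the CA certificate on a token.
+# handle =
+
+# Optional slot number of the token that stores the CA
+# certificate.
+# slot =
+
+# Optional PKCS#11 module name.
+# module =
+
+# }
+
+}
+
+children {
+
+# CHILD_SA configuration sub-section.
+child1 {
+
+# AH proposals to offer for the CHILD_SA.
+# ah_proposals =
+
+# ESP proposals to offer for the CHILD_SA.
+# esp_proposals = default
+
+# Use incorrect 96-bit truncation for HMAC-SHA-256.
+# sha256_96 = no
+
+# Local traffic selectors to include in CHILD_SA.
+# local_ts = dynamic
+
+# Remote selectors to include in CHILD_SA.
+remote_ts = 0::0/0
+
+# Time to schedule CHILD_SA rekeying.
+# rekey_time = 1h
+
+# Maximum lifetime before CHILD_SA gets closed, as time.
+# life_time = rekey_time + 10%
+
+# Range of random time to subtract from rekey_time.
+# rand_time = life_time - rekey_time
+
+# Number of bytes processed before initiating CHILD_SA rekeying.
+# rekey_bytes = 0
+
+# Maximum bytes processed before CHILD_SA gets closed.
+# life_bytes = rekey_bytes + 10%
+
+# Range of random bytes to subtract from rekey_bytes.
+# rand_bytes = life_bytes - rekey_bytes
+
+# Number of packets processed before initiating CHILD_SA
+# rekeying.
+# rekey_packets = 0
+
+# Maximum number of packets processed before CHILD_SA gets
+# closed.
+# life_packets = rekey_packets + 10%
+
+# Range of random packets to subtract from packets_bytes.
+# rand_packets = life_packets - rekey_packets
+
+# Updown script to invoke on CHILD_SA up and down events.
+# updown =
+
+# Hostaccess variable to pass to updown script.
+# hostaccess = no
+
+# IPsec Mode to establish (tunnel, transport, transport_proxy,
+# beet, pass or drop).
+mode = tunnel
+
+# Whether to install IPsec policies or not.
+# policies = yes
+
+# Whether to install outbound FWD IPsec policies or not.
+# policies_fwd_out = no
+
+# Action to perform on DPD timeout (clear, trap or restart).
+dpd_action = restart
+
+# Enable IPComp compression before encryption.
+# ipcomp = no
+
+# Timeout before closing CHILD_SA after inactivity.
+# inactivity = 0s
+
+# Fixed reqid to use for this CHILD_SA.
+# reqid = 0
+
+# Optional fixed priority for IPsec policies.
+# priority = 0
+
+# Optional interface name to restrict IPsec policies.
+# interface =
+
+# Netfilter mark and mask for input traffic.
+# mark_in = 0/0x00000000
+
+# Whether to set *mark_in* on the inbound SA.
+# mark_in_sa = no
+
+# Netfilter mark and mask for output traffic.
+# mark_out = 0/0x00000000
+
+# Netfilter mark applied to packets after the inbound IPsec SA
+# processed them.
+# set_mark_in = 0/0x00000000
+
+# Netfilter mark applied to packets after the outbound IPsec SA
+# processed them.
+# set_mark_out = 0/0x00000000
+
+# Inbound XFRM interface ID.
+# if_id_in = 0
+
+# Outbound XFRM interface ID.
+# if_id_out = 0
+
+# Traffic Flow Confidentiality padding.
+# tfc_padding = 0
+
+# IPsec replay window to configure for this CHILD_SA.
+# replay_window = 32
+
+# Enable hardware offload for this CHILD_SA, if supported by the
+# IPsec implementation.
+# hw_offload = no
+
+# Whether to copy the DF bit to the outer IPv4 header in tunnel
+# mode.
+# copy_df = yes
+
+# Whether to copy the ECN header field to/from the outer IP
+# header in tunnel mode.
+# copy_ecn = yes
+
+# Whether to copy the DSCP header field to/from the outer IP
+# header in tunnel mode.
+# copy_dscp = out
+
+# Action to perform after loading the configuration (none, trap,
+# start).
+# start_action = none
+
+# Action to perform after a CHILD_SA gets closed (none, trap,
+# start).
+# close_action = none
+
+}
+
+}
+
+}
+
+}
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+secrets {
+
+# EAP secret section for a specific secret.
+# eap<suffix> {
+
+# Value of the EAP/XAuth secret.
+# secret =
+
+# Identity the EAP/XAuth secret belongs to.
+# id<suffix> =
+
+# }
+
+# XAuth secret section for a specific secret.
+# xauth<suffix> {
+
+# }
+
+# NTLM secret section for a specific secret.
+# ntlm<suffix> {
+
+# Value of the NTLM secret.
+# secret =
+
+# Identity the NTLM secret belongs to.
+# id<suffix> =
+
+# }
+
+# IKE preshared secret section for a specific secret.
+# ike<suffix> {
+
+# Value of the IKE preshared secret.
+# secret =
+
+# IKE identity the IKE preshared secret belongs to.
+# id<suffix> =
+
+# }
+
+# Postquantum Preshared Key (PPK) section for a specific secret.
+# ppk<suffix> {
+
+# Value of the PPK.
+# secret =
+
+# PPK identity the PPK belongs to.
+# id<suffix> =
+
+# }
+
+# Private key decryption passphrase for a key in the private folder.
+private1 {
+
+# File name in the private folder for which this passphrase should be
+# used.
+file = ssh_host_rsa_key
+
+# Value of decryption passphrase for private key.
+# secret =
+
+}
+
+# Private key decryption passphrase for a key in the rsa folder.
+# rsa<suffix> {
+
+# File name in the rsa folder for which this passphrase should be used.
+# file =
+
+# Value of decryption passphrase for RSA key.
+# secret =
+
+# }
+
+# Private key decryption passphrase for a key in the ecdsa folder.
+# ecdsa<suffix> {
+
+# File name in the ecdsa folder for which this passphrase should be
+# used.
+# file =
+
+# Value of decryption passphrase for ECDSA key.
+# secret =
+
+# }
+
+# Private key decryption passphrase for a key in the pkcs8 folder.
+# pkcs8<suffix> {
+
+# File name in the pkcs8 folder for which this passphrase should be
+# used.
+# file =
+
+# Value of decryption passphrase for PKCS#8 key.
+# secret =
+
+# }
+
+# PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+# pkcs12<suffix> {
+
+# File name in the pkcs12 folder for which this passphrase should be
+# used.
+# file =
+
+# Value of decryption passphrase for PKCS#12 container.
+# secret =
+
+# }
+
+# Definition for a private key that's stored on a token/smartcard.
+# token<suffix> {
+
+# Hex-encoded CKA_ID of the private key on the token.
+# handle =
+
+# Optional slot number to access the token.
+# slot =
+
+# Optional PKCS#11 module name to access the token.
+# module =
+
+# Optional PIN required to access the key on the token. If none is
+# provided the user is prompted during an interactive --load-creds call.
+# pin =
+
+# }
+
+}
+
+# Section defining named pools.
+# pools {
+
+# Section defining a single pool with a unique name.
+# <name> {
+
+# Addresses allocated in pool.
+# addrs =
+
+# Comma separated list of additional attributes from type <attr>.
+# <attr> =
+
+# }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+# Section defining a certification authority with a unique name.
+# <name> {
+
+# CA certificate belonging to the certification authority.
+# cacert =
+
+# Absolute path to the certificate to load.
+# file =
+
+# Hex-encoded CKA_ID of the CA certificate on a token.
+# handle =
+
+# Optional slot number of the token that stores the CA certificate.
+# slot =
+
+# Optional PKCS#11 module name.
+# module =
+
+# Comma-separated list of CRL distribution points.
+# crl_uris =
+
+# Comma-separated list of OCSP URIs.
+# ocsp_uris =
+
+# Defines the base URI for the Hash and URL feature supported by IKEv2.
+# cert_uri_base =
+
+# }
+
+# }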
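Review bot: The IKE identity key is the SSH host key pair (`pubkeys = ssh_host_rsa_key.pub` in `local1`, `file = ssh_host_rsa_key` in `private1`), so a single RSA private key now authenticates two unrelated protocols; compromise or rotation of either service forces the other to re-key as well. The `private1` comment says the name is resolved in the private folder, which suggests a second copy of the host private key has to live outside its usual location — one more file to protect and keep in sync. A dedicated key pair for IKE keeps the two trust domains separate and costs nothing beyond a one-time key generation; if the reuse is deliberate, say so in a comment above `private1`. The same reuse is present in notes/andy.brief.conf.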
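--- /dev/null
+++ b/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -xe
+[ "$UID" = 0 ] || exec sudo -- "$0" "$@" || exit
+
+if [ "$1" = delete ]
+then
+ONLY_DELETE_RULES=y
+fi
+
+ip6tables_add()
+{
+ip6tables -D "$@" 2>/dev/null || : not deleted
+${ONLY_DELETE_RULES:+: not added -- } ip6tables -A "$@"
+}
+ip6rule_add()
+{
+ip -6 rule delete "$@" 2>/dev/null || : not deleted
+${ONLY_DELETE_RULES:+: not added -- } ip -6 rule add "$@"
+}
+
+mark=22
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j MARK --set-mark $mark
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j CONNMARK --save-mark
+ip6tables_add OUTPUT -t mangle -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ip6rule_add fwmark $mark prohibit
+ip6rule_add fwmark $mark table main
+exit $?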
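Review bot: The two `ip -6 rule add` calls (`fwmark $mark prohibit` and `fwmark $mark table main`) carry no `priority`, so their order relative to each other and to any rules other tools install is left to the kernel's default preference assignment rather than fixed by the script; which of the two is consulted first decides whether a marked SYN is routed via `main` or rejected. Give both rules an explicit `priority` (e.g. `pref=<constructed value>` chosen to sit where the tunnel's own rules are expected) so the policy is deterministic and the `delete` path matches exactly the rules that were added. The `exit $?` on the last line is redundant — the script already exits with the status of the preceding command — and `-xe` in the shebang is lost when the file is run as `bash <file>` rather than executed directly, so a `set -xe` line after the sudo re-exec would be more robust.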
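--- /dev/null
+++ b/notes/gai.conf
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload <yes|no>
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label <mask> <value>
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence <mask> <value>
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+precedence ::1/128 50
+precedence ::/0 40
+precedence 2002::/16 30
+precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4 <mask> <value>
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14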
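Review bot: The five live `precedence` lines are the file's only active content, yet nothing says the IPv4-first override is deliberate; the stock comment above them still reads as if they were the commented-out defaults, so a later reader may "tidy up" by re-commenting the four default lines, which — as the file's own header explains, any precedence entry replaces the whole default table — would silently drop them. A header such as `# LOCAL CHANGE: prefer IPv4 destinations (::ffff:0:0/96 raised to 100); the four default precedence lines are uncommented on purpose because any precedence entry replaces the entire built-in table` would record both the intent and the reason.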
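--- /dev/null
+++ b/notes/ipsec.conf
@@ -0,0 +1,41 @@
+
+# basic configuration
+
+config setup
+# strictcrlpolicy=yes
+# uniqueids = no
+
+conn andy
+type=tunnel
+auto=add
+left=%any
+leftsourceip=%config
+leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+leftid=dd6c:fbfd:eeb8:4709
+right=%any
+right=68.48.18.140
+#rightsubnet=2601:401:8200:2d4c::1/64
+rightsubnet=0::0/0
+rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
+#include /var/cache/kiki/config/ipsec.conf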
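Review bot: `conn andy` assigns `right` twice (`right=%any` immediately followed by `right=68.48.18.140`), so only one value can take effect and which one does is left to the parser's handling of duplicate keys — presumably the later line overrides the earlier, but the file does not make that explicit. The swanctl translation in notes/andy.conf settled on the fixed peer (`remote_addrs = 68.48.18.140`), and a pinned `rightsigkey` together with `rightsubnet=0::0/0` only makes sense against a fixed peer, so drop the `right=%any` line (or comment it the way `#rightsubnet=...` already is) to make the intended peer unambiguous. The same duplicated pair survives as comment lines at the top of notes/andy.conf and could be cleaned up there too.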
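--- /dev/null
+++ b/notes/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+# strictcrlpolicy=yes
+# uniqueids = no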