This commit is contained in:
emdee 2024-01-06 01:57:28 +00:00
commit 757ca483f0
115 changed files with 13170 additions and 0 deletions

41
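--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,41 @@
+# -*-mode: makefile; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+ROLE=proxy
+VAGRANT_DOCTEST=python3.sh ../../../src/ansible/bin/vagrant_doctest-ssh.py
+PYTHON_DOCTEST=python3.sh -m doctest
+SSH_DOCTEST=python3.sh ../../../src/ansible/bin/vagrant_doctest-ssh.py -p 2222 --box="vagrant@127.0.0.1"
+LOCAL_DOCTEST=/var/local/bin/testforge_run_doctest2.bash
+DOCTEST=$(LOCAL_DOCTEST)
+USER=`grep PRIV_SKEL_USERS_LIST /usr/local/etc/testforge/testforge.bash|sed -e 's/.*=//' -e 's/"//g'`
+default:: local
+test:: local
+check::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+test::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+lint::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+local::
+[ -f $(LOCAL_DOCTEST) ] || exit 0
+$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy2.txt
+$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy3.txt
+refresh::
+find . -maxdepth 1 -type l -delete
+ln -s overlay/Linux/var/local/share/doc/txt/*txt .
+veryclean:: clean
+find * -name \*.py | xargs grep -l '[ ]*$$' | \
+xargs sed -i -e 's/[ ]*$$//'
+clean::
+find * -name \*~ -delete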
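Review bot: In `local::` the guard `[ -f $(LOCAL_DOCTEST) ] || exit 0` runs in its own shell, so `exit 0` ends only that line and the two `$(DOCTEST)` lines still run when the runner is absent; join the three into one shell command: `[ -f $(LOCAL_DOCTEST) ] || exit 0 ; \`, `$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy2.txt && \`, `$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy3.txt`. `USER=\`grep ...\`` is a recursive assignment whose backticks are passed through to the shell, so the grep re-runs inside every `sudo -u ${USER}` recipe, and if it matches nothing or the list holds several users the next word (the script path, or a second user name) is taken as the `-u` argument; `USER := $(shell grep ... | sed ...)` followed by `$(if $(strip $(USER)),,$(error PRIV_SKEL_USERS_LIST not found))` fails early, and note that this also overrides the `USER` environment variable for the recipes. `grep -l '[ ]*$$'` in `veryclean::` matches every line (zero or more blanks), so every `.py` file is rewritten in place; `'[ ][ ]*$$'` limits it to files that really have trailing blanks, and `xargs -r` avoids running `sed -i` with no files. None of `default test check lint local refresh veryclean clean` is declared in `.PHONY`, and the rendered page has dropped the recipe tabs, so tab placement should be checked in the file itself.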

97
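--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,97 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+# these can be overridden using --extra-vars on the playbook command line
+# bind to all interfaces for docker
+# this is base - before /var/local is used
+PROXY_VAR_LOCAL: "{{ VAR_LOCAL }}"
+PROXY_USR_LOCAL: "{{ USR_LOCAL }}"
+PROXY_POLIPO_HTTPPORT: 3128
+PROXY_POLIPO_PROXYPORT: 3128
+PROXY_PRIVOXY_HTTPPORT: 3128
+PROXY_TOR_DNS_FORWARD: socat # polipo privoxy socat
+PLAY_CA_CERT: "/usr/local/etc/ssl/cacert-curl.haxx.se.pem" # proxy?
+PROXY_POLIPO_LOG: '{{ "/var/log/polipo.log" if ansible_distribution == "Gentoo" else "/var/log/polipo/polipo.log" }}'
+PROXY_POLIPO_OWNER: '{{ "polipo" if ansible_distribution == "Gentoo" else "proxy" }}'
+PROXY_POLIPO_GROUP: '{{ "root" if ansible_distribution == "Gentoo" else "adm" }}'
+PROXY_PRIVOXY_LOG: '{{ "/var/log/privoxy.log" if ansible_distribution == "Gentoo" else "/var/log/privoxy/privoxy.log" }}'
+PROXY_PRIVOXY_OWNER: '{{ "privoxy" if ansible_distribution == "Gentoo" else "proxy" }}'
+PROXY_PRIVOXY_GROUP: '{{ "root" if ansible_distribution == "Gentoo" else "adm" }}'
+PROXY_DNS_PORT: 53
+HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
+PROXY_SERVICE_DNSPORT: 53
+PROXY_SERVICE_NTPPORT: 123
+PROXY_NTP_OWNER: "ntp"
+# could derive from SOCKS
+PROXY_WHONIX_HTTPS_PORT: "{{BOX_WHONIX_HTTPS_PORT|default(9128)}}"
+PROXY_WHONIX_SOCKS_HOST: "{{BOX_WHONIX_HTTPS_PORT|default('10.0.2.15')}}"
+PROXY_WHONIX_SOCKS_NET: "{{BOX_WHONIX_HTTPS_PORT|default('10.0.2.2')}}"
+PROXY_WHONIX_SOCKS_PORT: "{{BOX_WHONIX_SOCKS_PORT|default(9050)}}"
+PROXY_WHONIX_SOCKS_USER: ""
+PROXY_WHONIX_SOCKS_PASS: ""
+PROXY_WHONIX_DNS_PORT: "{{BOX_WHONIX_DNS_PORT|default(9053)}}"
+PROXY_WHONIX_TRANS_PORT: "{{BOX_WHONIX_TRANS_PORT|default(9040)}}"
+PROXY_WHONIX_BUKU_PORT: "{{BOX_WHONIX_BUKU_PORT|default(7001)}}"
+PROXY_DNSCRYPT_TGZ_URL: github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.19/dnscrypt-proxy-linux_x86_64-2.0.19.tar.gz
+PROXY_GATEWAY_QEMU_DIR: /c/data/Vms/Lati/Qemu/var/lib/kvm/2020-10-30
+PRIV_WHONIX_VERSION: 15.0.1.4.9
+# was dnscrypt was "pdnsd"
+# new default - figure out tor/gateway/socks-neither
+PROXY_DNS_PROXY: "dnsmasq"
+HARDEN_DNS_PROXY: "{{PROXY_DNS_PROXY}}"
+PROXY_DNS_PROXY_ALL:
+- "dnsmasq"
+- "dnscrypt"
+- socat
+# - "pdnsd"
+PROXY_DNS_NETMAN: "{{BOX_NET_MANAGER}}"
+PROXY_DNS_NETMAN_ALL:
+- "networkmanager"
+- "wicd"
+PROXY_NTP_GROUP: "{{BOX_NTP_GROUP}}"
+PROXY_NTP_SERVERS:
+- 132.163.97.4
+- time.nist.gov
+- 159.203.158.197
+- pool.ntp.org
+PROXY_GNUPG_SERVERS:
+#dead keyserver hkp://keys.gnupg.net
+#dead keyserver hkp://hkps.pool.sks-keyservers.net
+# 18.9.60.141
+- hkp://pgp.mit.edu
+# 162.213.33.8
+- hkp://keyserver.ubuntu.com
+PROXY_GNUPG_CERTS:
+- "{{PLAY_CA_CERT}}"
+# these are ignored
+- /usr/local/etc/ssl/cacert-testforge.pem
+- /usr/share/gnupg/sks-keyservers.netCA.pem
+#? - /usr/share/gnupg/sks-keyservers.netCA.pem
+#hkp-cacert /usr/local/etc/ssl/cacert-curl.se.pem
+#hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem
+#hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
+PROXY_FEATURES: "{{BOX_PROXY_FEATURES}}"
+proxy_also_users: "{{BOX_ALSO_USERS}}"
+#- stat: path=/etc/java-config-2/current-system-vm/jre/lib/net.properties
+# register: net_properties_file
+proxy_net_properties_file: "{{BOX_PROXY_JAVA_NET_PROPERTIES}}"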
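Review bot: `PROXY_WHONIX_SOCKS_HOST` and `PROXY_WHONIX_SOCKS_NET` both read `BOX_WHONIX_HTTPS_PORT` while defaulting to addresses, so whenever that port variable is set the SOCKS host becomes a port number (e.g. `9128`) and everything built from these values points at a non-existent proxy; this looks like a copy-paste from the `PROXY_WHONIX_HTTPS_PORT` line above, and presumably the corresponding host/net box variables were intended (to be confirmed against the inventory). `PROXY_DNSCRYPT_TGZ_URL` has no scheme and no companion checksum or signature variable in this file, so the task that consumes it should verify the archive before unpacking a network-facing binary, or a `PROXY_DNSCRYPT_TGZ_SHA256`-style value should live next to it. The key servers are `hkp://`, i.e. unauthenticated plaintext, while the `PROXY_GNUPG_CERTS` list is annotated as ignored; `hkps://` where the servers support it would make the CA list meaningful and close the downgrade.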

10
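--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+#- name: update env
+# command: env-update
+- name: update locales
+command: locale-gen --update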

21
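--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,21 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+galaxy_info:
+# author:
+# company:
+# description:
+# license: MIT
+min_ansible_version: 2.3 # maybe - curently tested under 2.7
+platforms:
+- name: "Gentoo"
+- name: "Ubuntu"
+categories:
+- system
+# The proxy role is a base role that is required before all other roles
+# proxy role is a dependency even if you dont use a proxy
+# dependencies seem to get pulled in again even if they have already been run!
+dependencies: []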


@ -0,0 +1,31 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# filter or .uris
ROLE=base
[ -z "$CACHE" ] && CACHE=/mnt/o/Cache/Apt/Debian/10.6
[ -d "$CACHE" ] || mkdir $CACHE # || exit 1$?
# debian --print-uris
if [ $? -eq 0 ] ; then
# filter
grep 'https*://' | \
sed -e 's@ftp://[^ ]*@@g' -e 's@.*https*://@https://@g' -e "s@'.*@@g" | \
while read line ; do
for url in $line ; do
base=`basename "$url"`
pre=`sed -e "s@https*://@${CACHE}@" <<< $url`
[ -e $pre ] && break
echo $line
break
done
done
fi
for elt in "$@" ; do
base=$( basename $elt .elts )
[ -s $base.urls ] && continue
sh $0 < $elt > $base.urls
[ -s $base.urls ] || rm $base.urls
done
exit 0
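Review bot: `pre=\`sed -e "s@https*://@${CACHE}@" <<< $url\`` is a bash here-string under a `#!/bin/sh` shebang, and the script re-invokes itself with `sh $0 < $elt`, so wherever `sh` is dash (the Debian target this cache path names) the filter aborts with a syntax error; `pre=\`echo "$url" | sed -e "s@https*://@${CACHE}@"\`` is portable. `[ -d "$CACHE" ] || mkdir $CACHE` leaves `$CACHE` unquoted in the `mkdir`, and the following `if [ $? -eq 0 ]` tests that line, so when `mkdir` fails the whole filter is skipped and every `$base.urls` is silently removed at the end; the `|| exit 1` hinted at in the trailing comment would surface the failure instead. The inner `for url in $line` loop ends with an unconditional `break`, so only the first URL of each line is ever examined; either drop the `break` or add a comment stating that alternate mirrors are deliberately ignored.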


@ -0,0 +1,34 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=privacy
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
systemctl stop vanguards
systemctl stop onion-grater
sh /etc/rc.local
#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1
tor --verify-config | grep -v 'notice\|DisableNetwork'
rm -f /etc/torrc.d/*~
netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }
cp /dev/null /run/tor/log.err
cp /dev/null /run/tor/log.log
rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
systemctl start tor || exit 4$?
sleep 10
sed -e '/configured a non-loopback address/d' /run/tor/log.*
[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5
grep % /run/tor/log.*
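Review bot: `cp /dev/null /run/tor/log.err` creates the file, so the later `[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5` always succeeds and the script always ends with status 5 once tor has started; `-s` (non-empty) is the test that matches the intent: `[ -s /run/tor/log.err ] && cat /run/tor/log.err && exit 5`. The listener check `netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }` reads as inverted — a matching listener means tor is running, yet it is the absence of a match that exits with "already running" — and `-t` takes no argument, so `inet` is probably not doing what was intended (also "alrady"). `exit 4$?` appends the status to `4`, producing codes like 40/41 that can exceed 255; `exit 4` after echoing the reason is unambiguous. `sleep 10` is a fixed wait rather than polling `systemctl is-active tor` or the log, so a slow bootstrap yields a false failure.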

1
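--- a/overlay/Devuan
+++ b/overlay/Devuan
@@ -0,0 +1 @@
+Debian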


@ -0,0 +1,30 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# filter - arguments are to wget - quoted?
ROOTDIR=/mnt/i
ROLE=base
LARGS="-X -P $ROOTDIR/net/Http "
RARGS="--retry 1"
grep ^http | \
sed -e 's@http://@https://@g' \
-e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
-e 's@^\(https://distfiles.gentoo.org/distfiles/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
-e 's@^\(https://dev.gentoo.org/~sam/distfiles/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
| \
sed -e 's@ftp://[^ ]*@@' \
-e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' \
-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
-e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
while read urls ; do
url=`echo $urls|sed -e 's@ .*@@'`
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
for url in $urls ; do
/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || continue
break
done
done
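Review bot: The header comment says the arguments go to wget, but the fetch is `/usr/local/bin/scurl.bash $LARGS -- $RARGS $url` and `-X -P $ROOTDIR/net/Http` is built for that wrapper; the comment should name scurl.bash so a reader does not assume wget semantics for `-X`/`-P`. The rewrite chain redirects every distfiles.gentoo.org URL to `mirror.leaseweb.com/gentoo` and the script fetches outside Portage, so nothing here checks the file against a Manifest; a comment such as `# fetched files are unverified until emerge checks them against Manifest` records that the mirror is trusted only for availability. `$url`, `$base` and `$LARGS` are expanded unquoted throughout; `"$url"` and `/usr/portage/distfiles/"$base"` avoid splitting on unusual filenames, while the `for url in $urls` split is clearly intentional and could say so.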


@ -0,0 +1,90 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# filter - arguments are to wget - quoted?
prog=$( basename $0 .bash )
prog=ScurlU
ROOTDIR=/mnt/i/net/Http
ROLE=base
CACHE=/usr/portage/distfiles
[ -z "$SCURL_BG" ] && SCURL_BG=0
SSL_VER=2
. /usr/local/bin/proxy_curl_lib.bash
. /usr/local/bin/usr_local_tput.bash
route | grep -q ^def || { ERROR not connected ; exit -1 ; }
FETCHCOMMAND='/usr/local/bin/scurl.bash --force-directories --directory-prefix "\${DISTDIR}" -- "\${URI}"'
# RARGS="--retry 1 --connect-timeout 10"
RARGS=" -S $SSL_VER"
if [ "$#" -eq 0 ] ; then
LARGS="--force-directories --directory-prefix $ROOTDIR"
else
LARGS="$@"
fi
cp /dev/null /tmp/$prog$$.urls
# //www.simplesystems.org/users/bfriesen/public-key.txt no https:
# https://opencoder.net/WayneDavison.key cloudflare 403
# https://www.simplesystems.org/users/bfriesen/public-key.txt 503
# https://tiswww.case.edu/php/chet/gpgkey.asc 500 timeout
# https://botan.randombit.net/pgpkey.txt no tls1.3
# https://sourceware.org/elfutils/ftp/gpgkey-1AA44BE649DE760A.gpg no tls1.3
# https://gnutls.org/gnutls-release-keyring.gpg no tls1.3
declare -A IPS
retval=0
# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
grep ^http | \
sed -e 's@ftp://[^ ]*@@' \
-e 's/http:/https:/' \
-e 's@^https://distfiles.gentoo.org/distfiles/openpgp-keys-[^ ]*.asc @@' \
-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
-e 's@https://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
| \
while read urls ; do
url=`echo $urls|sed -e 's@ .*@@'`
base=`basename "$url"`
[ -e $CACHE/$base ] && echo $CACHE/$base && continue
base=`echo $url | sed -e 's@ .*@@' -e 's@https*://@@'`
[ -e $ROOTDIR/"$base" ] && echo $ROOTDIR/"$base" && continue
for url in $urls ; do
url=`sed -e 's@http://@https://@g' <<< $url`
domain=`sed -e 's@^https*://@@' -e 's@/.*@@' <<< $url`
a=`proxy_ami_nottlsv3 $domain`
ar=$?
[ $ar -eq 0 -a "$a" = True ] && \
WARN $prog proxy_ami_nottlsv3 $domain $url && continue
if [ -z "${IPS[$domain]}" ] ; then
ip=`tor-resolve $domain`
ir=$?
[ $ir -eq 0 ] && IPS[$domain]=$ip
else
ip="${IPS[$domain]}"
ir=0
fi
if [ $ir -eq 0 -a -n "$ip" ] ; then
a=`proxy_ami_cloudflared $ip`
[ $? -eq 0 -a "$a" = True ] && \
WARN $prog $url Cloudflared $ip && \
continue
fi
if [ "$SCURL_BG" = 1 ] ; then
/usr/local/bin/scurl.bash $LARGS -- $RARGS $url &
INFO $prog /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
else
/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || {
retval=$?
WARN $prog retval=$retval /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
continue
}
fi
break
done
done
exit $retval
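Review bot: `retval=$?` in the failure branch is assigned inside the `grep ... | sed ... | while read urls` pipeline, which bash runs in a subshell, so the outer `retval=0` is never updated and `exit $retval` reports success whenever a fetch failed; `shopt -s lastpipe` before the pipeline (the script is bash) or feeding the loop with `done < <(grep ^http | sed ...)` keeps the assignment in the main shell. `cp /dev/null /tmp/$prog$$.urls` truncates a predictable `/tmp` name — `$prog` is forced to `ScurlU` right after `basename` computed it — and the file is never used in the visible script; drop it, or use `mktemp` and remove the dead `prog=` assignment. `exit -1` is not a valid status (bash yields 255); `exit 1` after `ERROR not connected` is clearer. `LARGS="$@"` joins the arguments into one string that is re-split at `scurl.bash $LARGS`, so a directory prefix with a space breaks; keeping them as positional parameters (`set -- --force-directories --directory-prefix "$ROOTDIR"` in the zero-argument case, then `"$@"`) preserves them.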


@ -0,0 +1,26 @@
#!/bin/sh
# filter - arguments are to wget - quoted?
ROOTDIR=/mnt/i
ROLE=base
if [ "$#" -eq 0 ] ; then
WARGS="-xc -P $ROOTDIR/net/Http --tries=1"
else
WARGS="$@"
fi
# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
grep ^http | \
sed -e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' | \
sed -e 's@ftp://[^ ]*@@' -e 's/http:/https:/' \
-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
-e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
while read urls ; do
url=`echo $urls|sed -e 's@ .*@@'`
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
for url in $urls ; do
wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
break
done
done
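Review bot: `WARGS="$@"` flattens the caller's arguments into one string that is re-split at `wget ... $WARGS $url`, so a `-P` path containing a space breaks; `set -- -xc -P "$ROOTDIR/net/Http" --tries=1` in the zero-argument branch and `wget --restrict-file-names=windows --no-verbose "$@" $url` keeps them intact (the scurl wrapper above has the same pattern). `[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base` tests an absolute path but prints a relative one; printing the path that was tested keeps the output usable by callers. As in the sibling script, downloads are redirected to a third-party mirror with no integrity check at this point, which holds only while Portage still verifies the Manifest before use; a one-line comment saying so prevents the output directory from being treated as trusted.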


@ -0,0 +1,52 @@
#!/usr/bin/perl -w
use strict;
use warnings;
my $numarg = $#ARGV + 1;
if ($numarg < 2) {
print "Usage: str_replace Search Replace File\nOr: STDIN str_replace Search Replace\n";
exit 1;
}
my $find=$ARGV[0];
my $replace=$ARGV[1];
my $file;
my $contents;
my $found=0;
my $fh;
if(defined $ARGV[2]){
$file=$ARGV[2];
open($fh, '<', $file) or die "Cannot open the file '$file'";
{
local $/;
$contents = <$fh>;
}
close($fh);
}
else{
{
local $/;
$contents = <STDIN>;
}
}
my $pos = index($contents, $find);
while ( $pos > -1 ) {
if(substr( $contents, $pos, length( $find ), $replace )){$found =$found+1;}
$pos = index( $contents, $find, $pos + length( $replace ));
}
if(!defined $ARGV[2]){
print $contents;
exit;
}
if($found==0) {print "Nothing replaced\n";}
else{ print "$found occurrences of '$find' have been replaced with '$replace'\n";}
open($fh, '>', $file);
print $fh $contents;
close $fh;
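Review bot: `open($fh, '>', $file);` on the write-back has no error check, so a read-only or vanished file makes the script report "N occurrences ... replaced" and exit 0 while nothing was written; `open($fh, '>', $file) or die "Cannot write '$file': $!";`, and adding `$!` to the read-side `die` gives the reason there too. The usage text and the "Nothing replaced" message go to STDOUT, which in filter mode is the data stream; `print STDERR` keeps it clean. `if(substr(...))` counts a replacement only when the replaced text is truthy, so a `$find` of `"0"` is replaced but not counted, and an empty `$find` makes `index` return the clamped position repeatedly, which as far as I can see never terminates; an early `die "empty search string"` closes both cases.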


@ -0,0 +1,168 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
ROLE=base
. /usr/local/bin/usr_local_tput.bash
PYVER=3
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -d /etc/portage ] || exit 0
usage () { echo "USAGE: $prog [command args] -" $* ; exit 1 ; }
error () { retval=$1 ; shift; ERROR "$prog" $* ; exit $retval ; }
warn () { : ; }
info () { : ; }
debug () { : ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
[ -f /etc/portage/package.use/2021-00_verify-sig.txt ] || \
touch /etc/portage/package.use/2021-00_verify-sig.txt || exit 2
equery h -F '$cp:$slot' verify-sig | \
sed -e 's/:0.*//' | while read b ; do \
grep -q "^$b " /etc/portage/package.use/2021-00_verify-sig.txt && continue
eix -r "^$b$" | grep -q Installed && \
echo '#' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt || \
echo '##' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt
done
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff ] || \
cat > /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff << EOF
*** eclass_cache.py.dst 2021-06-13 21:26:05.000000000 +0000
--- eclass_cache.py 2021-06-24 10:45:12.422857990 +0000
***************
*** 166,175 ****
--- 166,176 ----
return d
def get_eclass_data(self, inherits):
ec_dict = {}
for x in inherits:
+ if x not in self.eclasses: continue
ec_dict[x] = self.eclasses[x]
return ec_dict
@property
EOF
[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.dst ] || \
patch -b -z .dst /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py \
< /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff
[ -f /usr/portage/eclass/verify-sig.eclass.diff ] || \
cat > /usr/portage/eclass/verify-sig.eclass.diff << EOF
*** /usr/portage/eclass/verify-sig.eclass.dst 2021-07-29 06:09:55.000000000 +0000
--- /usr/portage/eclass/verify-sig.eclass 2021-08-18 19:13:29.502980940 +0000
***************
*** 86,95 ****
--- 86,99 ----
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ # gemato -R, --no-refresh-keys
+ # Disable refreshing OpenPGP key (prevents network
+ # access, applicable when using -K only)
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
)
# GPG upstream knows better than to follow the spec, so we can't
***************
*** 98,110 ****
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying $(unknown) ..."
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify "${sig}" "${file}" ||
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_message
# @USAGE: <file> <output-file> [<key-file>]
# @DESCRIPTION:
--- 102,121 ----
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying $(unknown) ..."
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr \
! "${sig}" "${file}"
! # --keyserver-options http-proxy=http://localhost:3128
! einfo `env |sort`
! # env - is necessary andx sufficient
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr \
! "${sig}" "${file}" || \
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_message
# @USAGE: <file> <output-file> [<key-file>]
# @DESCRIPTION:
***************
*** 122,131 ****
--- 133,143 ----
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
)
# GPG upstream knows better than to follow the spec, so we can't
***************
*** 134,146 ****
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying $(unknown) ..."
! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --output="${output_file}" "${file}" ||
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_signed_checksums
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
--- 146,165 ----
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying $(unknown) ..."
! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr --output="${output_file}" \
! "${file}"
! # --keyserver-options http-proxy=http://localhost:3128
! einfo `env |sort`
! # env - is necessary and sufficient
! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
! gpg --verify --disable-dirmngr --output="${output_file}" \
! "${file}" || \
! die "PGP signature verification failed"
}
# @FUNCTION: verify-sig_verify_signed_checksums
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
EOF
[ -f /usr/portage/eclass/verify-sig.eclass.dst ] || \
patch -b -z .dst /usr/portage/eclass/verify-sig.eclass \
< /usr/portage/eclass/verify-sig.eclass.diff || exit 3
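Review bot: Both patch files are written with unquoted heredocs (`<< EOF`), so the shell expands `${key}`, `${extra_args[@]}`, `${file##*/}` and `$http_proxy` at write time — under dash `${extra_args[@]}` is itself a "Bad substitution" error — and the `.diff` that lands on disk no longer matches the eclass context, so `patch` fails, and because the `.diff` now exists the guard never rewrites it; quote the delimiter, `cat > /usr/portage/eclass/verify-sig.eclass.diff << 'EOF'`, and likewise for `eclass_cache.py.diff`. The patched eclass adds `einfo \`env |sort\``, which dumps the complete build environment — including `http_proxy`, which the same patch forwards and which may carry credentials — into emerge logs; that line should be removed or reduced to the few variables being debugged before the patch is applied on shared machines. The first `patch` invocation (`eclass_cache.py`) has no `|| exit`, unlike the second, so a failed site-packages patch is silent; `|| exit 3` there with a distinct code for the eclass patch keeps the two failures distinguishable. `usage`, `warn`, `info` and `debug` are defined but unused in the visible script.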


@ -0,0 +1,39 @@
# This is recent - Pentoo not Funtoo
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
BASE_PORTDIR=/usr/portage
keyf=/usr/share/openpgp-keys/gentoo-release.asc
[ -f $keyf ] || exit 1
gpg2 --disable-dirmngr --list-keys --with-sig-check --keyring $keyf >/tmp/G$$.log # 2>&1 || exit 1
# gpg: 1 bad signature on Clipos
# gpg: 1 bad signature on Pentoo19
if grep 'bad signature' /tmp/G$$.log ; then
echo ERROR: bad signature /tmp/G$$.log # exit 2
# sig-3 BB572E0E2D182910 2009-08-25 Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
gpg2 --disable-dirmngr --batch --delete-key BB572E0E2D182910
fi
# numbers 1-3 for certificate check level (see --ask-cert-level)
grep '^sig-[0-9]' /tmp/G$$.log && { echo WARN: bad signature ; exit 3 ;}
# gpg: 104 signatures not checked due to missing keys
[ -f $BASE_PORTDIR/Manifest ] || exit 0
# on stderr!
gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest >/tmp/K$$.log 2>&1 || exit 3
# DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
# grep 'This key has expired' /tmp/K$$.log && exit 3
grep 'using RSA key' /tmp/K$$.log || exit 4
grep 'Primary key fingerprint:' /tmp/K$$.log | sed -e 's/.*: //' -e 's/ //g' > /tmp/K$$.key || exit 5
if route | grep -q ^default ; then
. /root/bin/tor.sh
wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0
grep "`cat /tmp/K$$.key`" /tmp/K$$.html || {
echo ERROR: failed 'Primary key fingerprint:' "`cat /tmp/K$$.key`"
exit 5
}
fi
exit 0
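Review bot: `wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0` turns a failed download into success, so the fingerprint cross-check is skipped with status 0 precisely when the network path (routed through `tor.sh` here) is unavailable or interfered with; fail closed with its own code, `|| exit 6`, or at least echo that the check was skipped. On `bad signature` the script runs `gpg2 --disable-dirmngr --batch --delete-key BB572E0E2D182910` and carries on, silently removing a release key from the default keyring as a side effect of a check script; the commented-out `exit 2` suggests the exit was meant to stay, and the deletion belongs in a separate, logged step. All scratch files are fixed `/tmp/G$$.log`, `/tmp/K$$.log`, `/tmp/K$$.key` and `/tmp/K$$.html` names with no cleanup; `mktemp` plus `trap 'rm -f "$tmp"' EXIT` avoids symlink games in a shared /tmp and leaves nothing behind. `exit 3` is used for both an unchecked `sig-[0-9]` line and a failed Manifest verify, so the caller cannot tell them apart.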


@ -0,0 +1,120 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=testforge
# export PATH=$PATH:/usr/local/bin
MOUNTS="mnt/i mnt/j mnt/o"
. /usr/local/bin/usr_local_tput.bash
error () { retval=$1 ; shift; ERROR "$0" $* ; exit $retval ; }
info () { INFO " $0 " $* ; }
# must be run as root
[ "`id -u`" -ne "0" ] && error 1 "must be run as root"
if [ "$#" -eq "0" ] ; then
error 2 "give an absolute directory name as argument"
fi
LARGS=""
CMD=""
while true; do
case "$1" in
'-'*)
LARGS="$LARGS $1"
shift
;;
*)
break
;;
esac
done
root=$1
shift
if [ ! -d "$root" ] ; then
error 3 "absolute directory name for chroot not found - $root"
fi
# unix partition
[ -d $root/lost+found ] || exit 4
# linux partition
[ -e $root/usr/src/ ] || exit 5
cd $root || exit 6
if [ ! -d boot ] ; then
error 7 "missing boot/"
fi
for file in tmp usr/tmp var/tmp ; do
[ -d $file ] && continue
mkdir $file || error 8 " missing directory $file"
chmod 1777 $file
done
# df /var/tmp | grep -q sd.12 || mount /var/tmp
for file in proc sys dev dev/pts dev/shm usr ; do
[ -d $file ] && continue
mkdir $file || exit 9
chmod 755 $file
done
# Think -R is causing problems
[ -e proc/self ] || mount -t proc none proc || error 10
# this was rbind
[ -e sys/kernel ] || mount -o bind /sys sys || error 12
[ -e dev/null ] || mount -o bind /dev dev || error 11
[ -e /dev/pts/0 ] || \
mount -t devpts -o rw,relatime,mode=600 devpts dev/pts \
|| error 12
#? try mount| while read a on what type [ tmpfs cgroup binfmt_misc? ] without rbind
mount| while read what foo on bar type rest ; do
# cgroup devpts devtmpfs ecryptfs ext2 fuseblk proc rpc_pipefs sysfs tmpfs vfat
# leave real disks for $MOUNTS
[ $type = 'fuse' -o $type = 'ext2' -o $type = 'ext4' -o $type = 'vfat' -o ] && continue
# have done these
[ $type = 'proc' -o $type = 'sys' -o $type = 'dev' -o $type = 'devpts' -o ] && continue
DBUG "Dunno $what $on $type"
done
# check for /dev/loop devices - up to 255 on android
[ -e /dev/loop1 ] || \
( cd /dev && \
for i in 0 1 2 3 4 5 6 7 ; do
[ -e loop$i ] && continue
mknod loop$i b 7 $i
chmod 660 loop$i
chgrp disk loop$i
done )
for elt in $MOUNTS ; do
[ -d $elt ] || { mkdir $elt ; chmod 755 $elt ; }
grep -q /$elt /proc/mounts || continue
[ -d $elt/tmp ] && continue
grep -q $root/$elt /proc/mounts && continue
mount --bind /$elt $root/$elt
done
# You'll also want to copy over resolv.conf in order to have proper DNS name
# resolution from inside the chroot:
# but in chroot, you'll need to change this to your connected IP address.
cp -L /etc/resolv.conf etc || exit 16
for file in .bashrc .profile .jedrc ; do
[ -f root/$file ] || \
cp -p /root/$file root/$file
done
EARGS="CHROOT=1 LANG=en_US.UTF-8 LC_COLLATE=C"
EELTS="$EELTS TERM DISPLAY HOME USER LOGNAME USERNAME PATH"
EELTS="$EELTS http_proxy https_proxy socks_proxy no_proxy"
for elt in $EELTS ; do
EARGS="$EARGS `env|grep ^${elt}=`"
done
# was /bin/bash -l
[ "$#" -eq 0 ] && set -- /bin/sh -i
# Now you can chroot into your new system. Use env before chroot to ensure that no
# environment variables from the installation media are used by your new system:
#? PATH=$PATH
echo chroot $LARGS $root /usr/bin/env -i $EARGS "$@"
chroot $LARGS $root /usr/bin/env -i $EARGS "$@"
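Review bot: Both filters in the `mount | while read ...` loop end their test with `-o ]`, so `[ $type = 'fuse' -o ... -o ]` is a `test` syntax error on every iteration and the loop only ever prints that error, never `DBUG`; drop the trailing `-o`, and note that `mount` reports `sysfs`/`devtmpfs`, not `sys`/`dev`, so the second filter would not match those anyway. The devpts guard tests the host's `/dev/pts/0` while every neighbouring check (`proc/self`, `sys/kernel`, `dev/null`) is relative to `$root` after the `cd`; `[ -e dev/pts/0 ] || mount -t devpts -o rw,relatime,mode=600 devpts dev/pts || error 12` is presumably what was meant, otherwise the chroot's pts is never mounted on any host that has one. `error 10` is called with no message, `error 12` covers both the sysfs and devpts failures and 10/11 are out of order, so the codes no longer identify the failing mount. The `echo chroot $LARGS $root /usr/bin/env -i $EARGS "$@"` line prints the forwarded `http_proxy`/`https_proxy` values, so proxy URLs with embedded credentials land in the terminal log; printing only the variable names avoids that.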


@ -0,0 +1,45 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
# shopt -s nullglob
[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
if [ $# -eq 1 ] ; then
TO=$1
elif [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
else
exit 3
fi
[ -n "$TO" ] || { echo ERROR: empty TO ; exit 4 ; }
[ -d $TO ] || { echo ERROR: mkdir -p $TO ; exit 5 ; }
pushd $TO
# -o -name \*.xpak
find *-* virtual pentoo -type f -name \*tbz2 | grep -v '_sources\|_download_' | while read file ; do
dir=`dirname $file`
base=`basename $file`
subdir=`sed -e 's/-[0-9].*//' <<< $base`
xdir=$dir/$subdir
[ -d $xdir ] || continue
xpak=`sed -e 's/.tbz2/-?.xpak/' <<< $base`
ls $file $xdir/$xpak 2>/dev/null && rm -f $xdir/$xpak
done
popd
cd $OUT
rm -rf sys-firmware/intel-microcode* \
sys-kernel/linux-firmware/* qpkg.*
find -L *-*/ -type l -delete 2>&1| \
grep 'Too many levels'| \
sed -e 's/find: .//' -e 's/xpak.:.*/xpak/'| \
xargs rm -f
exit 0
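Review bot: `cd $OUT` near the end uses `$OUT`, which is never assigned in this script, so `cd` lands in `$HOME` (or wherever the invoker's environment says) and the following `rm -rf sys-firmware/intel-microcode* sys-kernel/linux-firmware/* qpkg.*` and `find -L *-*/ -type l -delete ... | xargs rm -f` run in an unintended directory; guard it with `cd "${OUT:?OUT is not set}" || exit 6`, or set `OUT=$TO` if the `pushd $TO`/`popd` pair above means the same directory. `[ -d $TO ] || { echo ERROR: mkdir -p $TO ; exit 5 ; }` prints a command rather than running it, which reads like a missed `mkdir`; either the actual `mkdir -p "$TO"` or a comment saying the directory must pre-exist settles it. `$TO`, `$file`, `$xdir` and `$xpak` are unquoted in `[ -d ]`, `ls` and `rm -f`; quoting matters most on the `rm`.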


@ -0,0 +1,16 @@
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=gpgkey
DST=/boot/intel-uc_pentoo19.cpio
a=$( find /lib/firmware/intel-ucode/ -type f -newer $DST |wc -l )
[ $? -ne 0 -o $a -eq 0 ] && exit 0
iucode_tool -S --write-earlyfw=$DST /lib/firmware/intel-ucode/*
base=$( basename $DST )
dir=/l/syslinux
[ -d $dir ] || exit 0
[ -f $dir/$base ] && diff -q $DST /l/syslinux/$base && exit 0
cp -p $DST /l/syslinux/$base
exit 0
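Review bot: `find ... -newer $DST` fails when `$DST` does not exist yet, but `$?` after `a=$( ... | wc -l )` is the status of `wc`, so `a` is 0 and the script exits 0 without ever creating the initial early-firmware cpio; test for the file first: `[ -f "$DST" ] && a=$( find /lib/firmware/intel-ucode/ -type f -newer "$DST" | wc -l ) || a=1` followed by `[ "$a" -eq 0 ] && exit 0`. The file has no shebang although its siblings declare `#!/bin/sh`, and `ROLE=gpgkey` looks copied from another script given that this one handles microcode. The syslinux copy uses the literal `/l/syslinux` twice where `$dir` already holds it; using the variable keeps the two in sync.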


@ -0,0 +1,8 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://forums.gentoo.org/viewtopic-t-1044220-start-0.html
ROLE=base
eix-test-obsolete -H brief | grep -v -e "^No " -e "^Skipping " -e "^$"
exit 0


@ -0,0 +1,11 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://www.commandlinefu.com/commands/view/5988/re-emerge-all-ebuilds-with-missing-files-gentoo-linux
# Re-emerge all ebuilds with missing files (Gentoo Linux)
qlist --installed --nocolor | uniq | while read cp; do
qlist --exact $cp | while read file; do
test -e $file || { echo $cp; echo "$cp: missing $file (and maybe more)" 1>&2; break; };
done;
done
exit 0


@ -0,0 +1,109 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/var/local
ROLE=base
. /usr/local/etc/testforge/testforge.bash || exit 1
. /usr/local/bin/usr_local_base.bash || exit 2
USAGE="$0 role-directory"
#echo 1
[ $# -ge 1 ] || { ERROR $USAGE ; exit 3 ; }
[ -n "$TESTFORGE_ANSIBLE_SRC" ] || TESTFORGE_ANSIBLE_SRC=/g/TestForge/src/ansible
base=`cat /etc/hostname`
json="$TESTFORGE_ANSIBLE_SRC"/tmp/Hosts/$base.json
if [ -d "$TESTFORGE_ANSIBLE_SRC" ] ; then
if [ ! -s $json ] || [ "$TESTFORGE_ANSIBLE_SRC"/hosts.yml -nt $json ] ; then
/usr/local/sbin/gentoo_hosts_json.bash || exit 4$?
fi
fi
BOX_OS_FLAVOR=`/usr/local/sbin/gentoo_hosts_json.bash` || exit 4$?
# "BOX_PYTHON3_MINOR": "3.10"
PYTHON3_VER=`grep BOX_PYTHON3_MINOR <$json|sed -e 's/.*\.//' -e 's/,//' -e 's/"//'`
TASKS="Gentoo/$BOX_OS_FLAVOR"
YAML_HEAD="# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
"""
TEXT_HEAD="# -*- mode: text; tab-width: 8; coding: utf-8-unix -*-
"""
for dir in $* ; do
[ -d $dir ] || { ERROR $dir ; exit 5 ; }
[ -d $dir/vars ] || { WARN not a roles directory $dir/vars ; }
YAML_BODY="- name: \"\\1\"\n blockinfile:\n dest: \\1\n create: true\n marker: \"# {mark} Ansible Managed Block $dir \\2\"\n block: |"
for port in use mask unmask license accept_keywords ; do
# DBUG $dir $port
cp /dev/null $dir/vars/$port.txt
grep '^ *- .*/' $dir/vars/Gentoo2.yml \
| sed -e 's@^ *- @@' -e 's@ .*@@' \
| uniq \
| while read elt ; do
base=`basename $elt`
# override with $dir/tasks/$TASKS/portage.yml
file=$dir/tasks/$TASKS/portage.yml
[ -f $file ] && \
grep -Hq "^ *[=>]*$elt" $file && \
DBUG $port - "^ *[=>]*$elt" is already in $file && \
continue
file=$dir/vars/$port.txt
[ -f $file ] && \
grep -Hq "^ *[=>]*$elt" $file && \
DBUG "^ *[=>]*$elt" is already in $file
# && continue
grep "^[=<>]*$elt" /etc/portage/package.$port/2*txt \
| sed -e 's@^@# @' -e 's@.txt:@.txt '$base'\n@' \
| sed -e 's@^\([^#][^ ]*\)@ \1%@' -e 's@^#@\n#@' \
>> $dir/vars/$port.txt || exit 6
#? grep "^#.*required by $elt" /etc/portage/package.$port/2*txt
done
#echo 2
if [ ! -s $dir/vars/$port.txt ] ; then
rm -f $dir/vars/$port.txt $dir/tasks/$TASKS/$port.yml
continue
fi
INFO $port lines `wc -l $dir/vars/$port.txt`
[ -d $dir/tasks/$TASKS ] || { ERROR no dir $dir/tasks/$TASKS ; continue ; }
#echo 3
to_yaml=$dir/tasks/$TASKS/$port.yml.new
# overwrite if its there as .new
echo "$YAML_HEAD" > $to_yaml
# sed -e "s/\"\n block: |/ $base\0/"
sed -e 's@^# \([^ ]*\) \([^ /]*\)$@'"$YAML_BODY"'@' $dir/vars/$port.txt \
>> $to_yaml || exit 7
# | sed -e "s/BLOCK $dir/BLOCK $dir $base/"
if [ "$port" = "use" -o "$port" = "license" ] ; then
sed -e 's@^ [=<>][=<>]*\([^:<>=]*\)-[0-9][-0-9.]*%@ \1@' -i $to_yaml || exit 8
sed -e 's@^ [>=][>=]*\([^%]*\)%@ \1@' -i $to_yaml || exit 9
elif [ "$port" = "mask" -o "$port" = "unmask" -o "$port" = "accept_keywords" ] ; then
sed -e 's@^ \([^:]*\)/\([^%]*\)%@ \1/\2@' -i $to_yaml || exit 10
fi
sed -e 's@^ \([^:\n]*\)/\([^%\n]*\)%@ \1/\2@' -i $to_yaml || exit 11
echo >> $to_yaml
#echo 5
grep % $to_yaml && ERROR "% in $to_yaml" && exit 12
grep -q "^- [importinclude]*_tasks:.*$port.yml" $dir/tasks/$TASKS/main.yml || { \
echo "- include_tasks: $TASKS/$port.yml" >> $dir/tasks/$TASKS/main.yml
WARN "ADDED $port.yml to $dir/tasks/$TASKS/main.yml"
}
if [ ! -f $dir/tasks/$TASKS/$port.yml ] ; then
mv $to_yaml $dir/tasks/$TASKS/$port.yml
INFO created $dir/tasks/$TASKS/$port.yml
elif diff -qw $to_yaml $dir/tasks/$TASKS/$port.yml ; then
rm -f $to_yaml
# DBUG unchanged $to_yaml
else
: diff is verbose
fi
done | sed -e 's/ and / /' -e 's/ differ$//' -e 's/^Files/mv/'
done
exit 0
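Review bot: The whole `for port ...` loop is piped into `sed` at `done | sed -e 's/ and / /' -e 's/ differ$//' -e 's/^Files/mv/'`, so under `/bin/sh` it runs in a subshell and every `exit 6` … `exit 12` inside it only ends that subshell; the pipeline's status is `sed`'s and the final `exit 0` guarantees success even when a vars file could not be written or a `%` marker survived. The `sed` appears to reformat only the `diff -qw` line into an `mv` command, so applying it to that output alone (`diff -qw ... | sed ...`) keeps the exits in the main shell; otherwise write a failure flag to a file inside the loop and test it afterwards. `gentoo_hosts_json.bash` is invoked twice — once for its side effect, once to capture `BOX_OS_FLAVOR` — both with `exit 4$?`, and `PYTHON3_VER` is computed but never used in the visible lines; if the helper both regenerates and prints, one call suffices. `YAML_HEAD` and `TEXT_HEAD` end in `"""`, i.e. the closing quote plus an empty string, and `TEXT_HEAD` is unused; a single trailing `"` avoids readers guessing at the intent.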


@ -0,0 +1,119 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
if [ "$#" -ne 0 ] ; then
ARGS=$*
LARGS=""
else
ARGS="@world"
# --changed-deps --deep
LARGS="-vb --update"
fi
LARGS="$LARGS --changed-use --with-bdeps=y --changed-deps-report -k"
LARGS="$LARGS --backtrack=30 --ignore-built-slot-operator-deps=y --keep-going"
# Skips the packages specified on the command-line that have already been installed.
LARGS="$LARGS --noreplace"
# dangerous
LARGS="$LARGS --exclude baselayout"
# gone
LARGS="$LARGS --exclude sci-chemistry/PyMca"
LARGS="$LARGS --exclude dev-python/PyQt4"
LARGS="$LARGS --exclude dev-python/pyqwt"
# I wont do this routinely
#?LARGS="$LARGS --exclude app-office/libreoffice"
#?LARGS="$LARGS --exclude app-office/libreoffice-bin"
# /usr/local
LARGS="$LARGS --exclude seamonkey"
LARGS="$LARGS --exclude firefox"
LARGS="$LARGS --exclude thunderbird"
LARGS="$LARGS --exclude gentoo-sources"
#? LARGS="$LARGS --exclude net-analyzer/openvas*"
#LARGS="$LARGS --exclude "
#LARGS="$LARGS --exclude sys-libs/zlib"
LARGS="$LARGS --exclude dev-util/android-sdk-update-manager"
LARGS="$LARGS --exclude dev-util/android-ndk"
LARGS="$LARGS --exclude sys-kernel/clipos-kernel"
# always problems with icu
LARGS="$LARGS --exclude dev-libs/icu"
#emerge: there are no ebuilds to satisfy ">=dev-libs/nsgenbind-0.7".
LARGS="$LARGS --exclude www-client/netsurf"
# emerge: there are no ebuilds to satisfy ">=dev-python/attrs-19.1.0[python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_6(-),-python_single_target_python3_7(-)]".
#LARGS="$LARGS --exclude www-client/qutebrowser"
LARGS="$LARGS --exclude dev-ruby/builder:3.1"
# required by dev-python/pyqtgraph-0.10.0-r1::python-modules-kit
# required by @selected
# required by @world (argument)
# >=dev-python/PyQt5-5.10.1-r1 -opengl
LARGS="$LARGS --exclude dev-python/pyqtgraph"
LARGS="$LARGS --exclude net-print/hplip"
LARGS="$LARGS --exclude pentoo/pentoo-scanner"
#LARGS="$LARGS --exclude net-analyzer/wpscan"
#LARGS="$LARGS --exclude dev-ruby/cms_scanner"
LARGS="$LARGS --exclude net-wireless/gnuradio" # [python_single_target_python2_7,qt5]
LARGS="$LARGS --exclude net-wireless/gr-iio"
LARGS="$LARGS --exclude net-wireless/gr-iqbal"
LARGS="$LARGS --exclude net-wireless/gr-osmosdr" # [iqbalance]
LARGS="$LARGS --exclude pentoo/pentoo-radio"
LARGS="$LARGS --exclude gnuradio"
# LARGS="$LARGS --exclude "
# morons
#(dependency required by "dev-ruby/activesupport-4.2.11.1-r1::pentoo[ruby_targets_ruby26,-test]" [ebuild])
#(dependency required by "dev-ruby/activemodel-4.2.11.1::pentoo[ruby_targets_ruby26]" [ebuild])
#(dependency required by "dev-ruby/metasploit-model-2.0.4::pentoo[ruby_targets_ruby26]" [ebuild])
#(dependency required by "net-analyzer/metasploit-4.17.21-r8::pentoo[ruby_targets_ruby25]" [ebuild])
#
#(dependency required by "dev-ruby/metasploit-concern-2.0.5::pentoo[ruby_targets_ruby26]" [ebuild])
#(dependency required by "dev-ruby/metasploit-credential-2.0.14::pentoo[ruby_targets_ruby25]" [ebuild])
#(dependency required by "net-analyzer/metasploit-4.17.21-r8::pentoo[ruby_targets_ruby25]" [ebuild])
LARGS="$LARGS --exclude net-analyzer/metasploit"
# pentoo-rce
#?LARGS="$LARGS --exclude dev-util/redasm --exclude pentoo-rce"
#(dependency required by "dev-ml/ocaml-gettext-0.3.7::gentoo" [ebuild])
#(dependency required by "app-emulation/libguestfs-1.38.6::gentoo" [ebuild])
LARGS="$LARGS --exclude dev-ml/ocaml-gettext --exclude app-emulation/libguestfs"
# broken
#LARGS="$LARGS --exclude net-libs/libtorrent-rasterbar"
#LARGS="$LARGS --exclude net-p2p/qbittorrent"
# 9.0.1 even though it did work before
LARGS="$LARGS --exclude sys-devel/llvm"
# 6.1.6 even though app-emulation/virtualbox worked
# cc1: error: incompatible gcc/plugin versions
# cc1: error: fail to initialize plugin ./scripts/gcc-plugins/randomize_layout_plugin.so
LARGS="$LARGS --exclude app-emulation/virtualbox-modules"
# Unpacking NVIDIA-Linux-x86_64-440.82.run to /mnt/linuxBack52/mnt/tmp/Pentoo19/portage/x11-drivers/nvidia-drivers-440.82-r3/work
#tar: Archive is compressed. Use -J option
LARGS="$LARGS --exclude x11-drivers/nvidia-drivers"
#(dependency required by "dev-qt/qtx11extras-5.14.2::gentoo" [ebuild])
#(dependency required by "app-emulation/virtualbox-6.1.6::gentoo[-headless,qt5]" [installed])
#(dependency required by "app-emulation/libvirt-6.1.0-r1::gentoo[virtualbox]" [ebuild])
#(dependency required by "app-emulation/qt-virt-manager-9999::testforge" [ebuild])
LARGS="$LARGS --exclude dev-qt/qtx11extras --exclude app-emulation/virtualbox --exclude app-emulation/libvirt --exclude app-emulation/qt-virt-manager"
echo INFO: nice python3 emerge $LARGS $ARGS |tee -a world.log
nice python3 `which emerge` $LARGS $ARGS >> world.log 2>&1
# grep ' U ' world.log |grep -v =|sed -e 's@^.* \] @@' -e 's@-[0-9].*@@'
# cat /var/lib/portage/world>world.elts;grep '^L.*exclude' world.sh|sed -e 's/.*exclude//' -e 's/"$//' -e 's/[*:].*$//' -e 's@/@\\\\/@' |sort -u |while read elt;do [ -z "$elt" ] && continue ; sed -e "/$elt/d" -i world.elts ;done


@ -0,0 +1,32 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Gentoo only
ROLE=base
PY_MINOR=3.8
if [ $# -gt 0 -a $1 = --help ] ; then
/usr/lib/python-exec/python${PY_MINOR}/gemato "$@"
exit $?
fi
. /usr/local/bin/proxy_export.bash >/dev/null
declare -a G
if [ $1 = gpg-wrap ] ; then
G=(${*:1:1} -W ${*:2})
# need --
[[ $G =~ '--' ]] && G+=('--')
[ -f /etc/gnupg/gpgconf.conf ] && G+=(--options /etc/gnupg/gpgconf.conf)
else
G=(${*:1:1} ${*:2})
fi
# The --proxy code is for requests and is wrong: $http_proxy or $https_proxy
#? [ -z "$https_proxy" ] || G=(${G:1:1} --proxy $https_proxy ${G:2})
echo INFO: /usr/lib/python-exec/python${PY_MINOR}/gemato ${G[@]} >> /tmp/G$$.log 2>&1
/usr/lib/python-exec/python${PY_MINOR}/gemato "${G[@]}" >> /tmp/G$$.log 2>&1
ret=$?
DBUG "$ret" >> /tmp/G$$.log 2>&1
cat /tmp/G$$.log
exit 0
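Review bot: The last line exits 0 unconditionally although gemato's status was saved in `ret` two lines earlier, so a caller (portage, if this wrapper stands in for gemato during Manifest verification) sees a failed verification as success; change it to `exit $ret`. The per-invocation log `/tmp/G$$.log` is a predictable name in a shared directory and is never removed; `mktemp` plus a `trap` to delete it avoids both problems. `$1` is unquoted in `if [ $1 = gpg-wrap ]`, which is a test syntax error when the script is run with no arguments. `DBUG` is called but only proxy_export.bash is sourced here, so it presumably comes from there — worth confirming.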


@ -0,0 +1,43 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
ROLE=testforge
shopt -s nullglob || exit 1
. /usr/local/bin/usr_local_tput.bash
[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
if [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
else
exit 3
fi
[ -n "$TO" ] || { echo ERROR: empty TO ; exit 4 ; }
[ -d $TO ] || { echo ERROR: mkdir -p $TO ; exit 5 ; }
[ "$#" -eq 0 ] && set -- /usr/portage/packages
for root in $* ; do
cd $root || exit 2$?
INFO $root
find -L $root -type l -delete &
pushd $TO
# -o -name \*.xpak
find *-* virtual pentoo -type f -name \*tbz2 | grep -v '_sources\|_download_' | while read file ; do
[ -h $root/$file ] && [ -f $file ] && continue
dir=`dirname $root/$file`
[ -d $dir ] || mkdir $dir
ln -s $TO/$file $root/$file
done
popd
done
exit 0
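Review bot: `mkdir $dir` inside the read loop has no `-p`, so when the category directory under `$root` does not exist yet the mkdir fails and the following `ln -s` fails too, both silently; use `mkdir -p $dir`. `usr_local_tput.bash` is sourced twice (before and after `ROLE=`). The background `find -L $root -type l -delete &` is never waited for, so it can still be scanning `$root` while the loop creates symlinks there; drop the `&` or add `wait` before `pushd $TO`. `prog` is computed but never used.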


@ -0,0 +1,45 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=testforge
TXT=/usr/local/sbin/gentoo_link_to_cache.txt
# replace /usr/net/Http/Makefile
[ "$#" -gt 0 ] && cd $1 || cd /usr/net/Http
[ -z "$DISTFILES" ] && DISTFILES=../../portage/distfiles
find -L $DISTFILES/ -type l -delete
find */ prdownloads.sourceforge.net/*/ github.com/*/ -type f -o -type l -name \*.\* | \
grep -v ' \|\.[a-z]\|/archive/\|/tarball/' \
| grep -v 'htm$\|html$\|txt$\|Makefile$\|\.py$\|~$' \
| while read file ; do
base=`basename $file`
[ -h ${DISTFILES}/"$base" ] && continue
from=$(readlink ../../net/Http/"$file")
[ -z "$from" ] && from=../../net/Http/"$file"
ln -s $from ${DISTFILES}/"$base"
done
# golang/net/archive/8d16fa6dc9a8.tar.gz
# burpsuite_community_v2020.9.1.jar portswigger.net/burp/releases/download@product=community&version=2020.9.1
# burpsuite_community_v2020.4.jar mirror.leaseweb.com/gentoo/distfiles/0f/burpsuite_community_v2020.4.jar
# burpsuite_community_v2020.4.jar portswigger.net/burp/releases/download@product=community&version=2020.4
# burpsuite_community_v2020.4.1.jar portswigger.net/burp/releases/download@product=community&version=2020.4.1
grep -v '^#' $TXT | while read base file ; do
if [ -z "$base" ] ; then
continue
fi
if [ -z "$file" ] ; then
echo ERROR: empty target for $base && continue
fi
rm -f "${DISTFILES}/$base"
ln -s ../../net/Http/"$file" ${DISTFILES}/"$base"
[ -e /i/net/Http/distfiles.gentoo.org/distfiles/"$base" ] || \
ln -s /i/net/Http/"$file" /i/net/Http/distfiles.gentoo.org/distfiles/"$base"
base=""
done
exit 0
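Review bot: `[ "$#" -gt 0 ] && cd $1 || cd /usr/net/Http` falls through to the default directory when `cd $1` fails, and does not stop when that second cd fails either, after which `find -L $DISTFILES/ -type l -delete` deletes symlinks relative to whatever directory the script happens to be in; make the failures fatal, e.g. `cd "${1:-/usr/net/Http}" || exit 1`. In the main `find`, `-type f -o -type l -name \*.\*` parses as `-type f` OR (`-type l` AND `-name`), so the name filter does not apply to regular files; group it as `\( -type f -o -type l \) -name \*.\*` if that was the intent. The `base=""` at the end of the second loop body has no effect since `read` reassigns it.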
# RfCatDonsCCBootloader-1.9.2.hex atlas0fd00m/rfcat/releases/download/v1.9.2/RfCatDonsCCBootloader.hex


@ -0,0 +1,18 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# filter
CACHE=/mnt/i/net/Http
grep ^http:// | \
sed -e 's@ftp://[^ ]*@@g' | \
while read line ; do
for url in $line ; do
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && break
pre=`sed -e "s@http://@${CACHE}@" <<< $url`
[ -e $pre ] && break
echo $line
break
done
done
exit 0
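Review bot: The here-string in `` pre=`sed -e "s@http://@${CACHE}@" <<< $url` `` is a bash feature, but the shebang is `#!/bin/sh`; under dash this is a syntax error, so the filter fails before reading any input. Either use `#!/bin/bash` or pipe the value, `pre=$(printf '%s\n' "$url" | sed -e "s@http://@${CACHE}@")`. The same construct appears in the wget fetcher further down in this commit, also under `#!/bin/sh`. `$base` and `$pre` are unquoted in the `[ -e … ]` tests.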


@ -0,0 +1,17 @@
#!/bin/sh
# filter
grep ^http:// | \
sed -e 's@ftp://[^ ]*@@g' | \
while read line ; do
for url in $line ; do
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && break
pre=`echo $url|sed -e 's@http://@/k/net/Http@'`
[ -e $pre ] && break
pre=`echo $url|sed -e 's@http://@/o/net/Http@'`
[ -e $pre ] && break
echo $line
break
done
done
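Review bot: This filter duplicates the one above it with the cache root hard-coded twice (`/k/net/Http`, `/o/net/Http`) instead of the `CACHE` variable the other copy has; folding the two into one script with a configurable list of roots would leave one place to fix. `$base` and `$pre` are unquoted in the `[ -e … ]` tests, so a distfile name with spaces breaks the test.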


@ -0,0 +1,60 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=testforge
. /usr/local/bin/usr_local_tput.bash
BASE_ROLES="base proxy"
VAR_ROLES="testforge text"
DEV_ROLES="${VAR_ROLES} testing pydev logging"
WWORK_ROLES="${DEV_ROLES}"
# LXD_ROLES="${DEV_ROLES} ansible-lxd"
# text must come before harden
HARD_ROLES="${DEV_ROLES} gpgkey harden privacy hostvms"
PEN_ROLES="${HARD_ROLES} pentest ${juju4}"
GUEST_ROLES="${HARD_ROLES} trading update"
UPD_ROLES="${PEN_ROLES} update trading winrm "
ALL_ROLES="${BASE_ROLES} ${UPD_ROLES}"
cd /o/data/TestForge/src/ansible/ || exit 1
for dir in src ; do
grep -L 'ROLE=$' /usr/local/*$dir/*bash 2>/dev/null | \
xargs grep -L 'ROLE=[a-z"]' 2>/dev/null | \
xargs echo ERROR: missing in $dir
INFO /usr/local/$dir
for role in ${BASE_ROLES} ; do
grep -L 'ROLE=$' /usr/local/*$dir/${role}*bash 2>/dev/null | \
xargs grep -L ROLE=$role 2>/dev/null | while read f; do
! grep -q ROLE= "$f" && echo ROLE=$role >> "$f" && continue
sed -e "s/^ROLE=.*/ROLE=$role/" -i "$f"
done
grep -L 'ROLE=$' /usr/local/*$dir/${role}*bash 2>/dev/null | \
xargs grep -l ROLE=$role | while read f ; do
num=`ls roles/*/overlay/Linux/"$f" 2>/dev/null|wc -l|sed -e 's/ .*//'`
[ $num -gt 1 ] && WARN DUP $f && echo `ls roles/*/overlay/Linux/"$f" 2>/dev/null` && continue
[ ! -e roles/$role/overlay/Linux/"$f" ] && \
echo cp -ip "$f" roles/$role/overlay/Linux/"$f"
done
done
INFO /var/local/$dir
grep -L 'ROLE=$' /var/local/*$dir/*bash 2>/dev/null | \
xargs grep -L 'ROLE=[a-z"]' 2>/dev/null | \
xargs echo ERROR: missing in $dir
for role in ${UPD_ROLES} ; do
grep -L 'ROLE=$' /var/local/*$dir/${role}*bash 2>/dev/null | \
xargs grep -L ROLE=$role 2>/dev/null | while read f; do
! grep -q ROLE= "$f" && echo ROLE=$role >> "$f" && continue
sed -e "s/^ROLE=.*/ROLE=$role/" -i "$f"
done
grep -L 'ROLE=$' /var/local/*$dir/${role}*bash 2>/dev/null | \
xargs grep -l ROLE=$role 2>/dev/null | while read f ; do
num=`ls roles/*/overlay/Linux/"$f" 2>/dev/null | wc -l|sed -e 's/ .*//'`
[ $num -gt 1 ] && WARN DUP $f && echo `ls roles/*/overlay/Linux/"$f" 2>/dev/null` && continue
[ ! -e roles/$role/overlay/Linux/"$f" ] && \
echo cp -ip "$f" roles/$role/overlay/Linux/"$f"
done
done
done
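Review bot: The `xargs echo ERROR: missing in $dir` lines (after `grep -L … | xargs grep -L`) run `echo` even when nothing is missing, because GNU xargs executes its command once on empty input, so the script prints a spurious `ERROR: missing in src`; use `xargs -r` there and in the other `xargs grep` calls, which otherwise run `grep` on stdin when the list is empty. `${juju4}` in `PEN_ROLES` is never set in this file, so it presumably comes from the environment — worth a comment or an explicit default. The loops that `echo ROLE=$role >> "$f"` and `sed -i` edit installed scripts under /usr/local and /var/local in place, which nothing announces; a `DBUG` line per modified file would make a run auditable. The shebang is `#!/bin/sh` but the script sources usr_local_tput.bash, which the other scripts in this commit treat as a bash library.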


@ -0,0 +1,68 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=base
DEBUG=1
shopt -s nullglob || exit 1
. /usr/local/bin/usr_local_tput.bash || exit 2
[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
if [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
elif [ -d /mnt/o/Cache/linuxPen19/var/cache/portage/packages ] ; then
TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
else
exit 3
fi
[ -n "$TO" ] || { ERROR empty TO ; exit 4 ; }
[ -d $TO ] || { ERROR mkdir -p $TO ; exit 5 ; }
find $TO -type f -exec chmod 644 {} \; &
[ "$#" -eq 0 ] && set -- /usr/portage/packages
grep -v : /var/lib/portage/world | while read f; do \
ls /var/db/repos/*/$f 2>/dev/null >/dev/null && continue;
ls /var/local/portage/*/$f 2>/dev/null >/dev/null && continue;
echo $f
done |tee /var/lib/portage/world.dead
for root in $* ; do
cd $root || exit 2$?
INFO $root
find -L . -type l -delete 2>&1 | grep Too | \
sed -e 's/.: Too.*//' -e 's/find: .//'|xargs rm -f
find . -type f -exec chmod 644 {} \; &
find *-* virtual pentoo -type f -name \*tbz2 -o -name \*qpkg.tar -o -name \*.xpak | grep -v '_sources\|_download_' | while read file ; do
dir=$( dirname $file )
[[ $dir =~ dev-python/nltk-data ]] && continue
[[ $dir =~ sys-kernel/pentoo-sources ]] && continue
[[ $dir =~ app-emulation/virtio-win ]] && continue
[ -d $TO/$dir ] || { DBUG mkdir -p $TO/$dir ; mkdir -p $TO/$dir ; }
[ -h $TO/$file ] && [ -f $file ] && DBUG rm $TO/$file && rm $TO/$file
if [ -f $TO/$file -a -f $file ] ; then
diff -q $TO/$file $file && rm -f $file && ln -s $TO/$file $file && continue
echo WARN: exists $TO/$file $file && mv $file $TO/$file && ln -s $TO/$file $file && continue
fi
[ ! -h $file ] && mv $root/$file $TO/$file && ln -s $TO/$file $root/$file && DBUG ln -s $TO/$file $root/$file && continue || exit 1
DBUG dunno $file `ls -lF $TO/$file $file`
done
pushd $TO
# -o -name \*.xpak
find *-* virtual pentoo -type f -name \*tbz2 -o -name \*.tar | grep -v '_sources\|_download_' | while read file ; do
[ -h $root/$file ] && [ -f $file ] && continue
dir=`dirname $root/$file`
[ -d $dir ] || mkdir $dir
ln -s $TO/$file $root/$file
done
popd
done
exit 0
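Review bot: In `find *-* virtual pentoo -type f -name \*tbz2 -o -name \*qpkg.tar -o -name \*.xpak` the `-type f` binds only to the first `-name`, so the `.xpak` and `qpkg.tar` alternatives also match directories and symlinks; group them as `-type f \( -name \*tbz2 -o -name \*qpkg.tar -o -name \*.xpak \)`, and likewise for the `-o -name \*.tar` find after `pushd $TO`. The `|| exit 1` at the end of the `[ ! -h $file ] && mv … && continue` line only leaves the `while` subshell of the pipeline, so a symlinked match stops that loop silently and the script goes on to `pushd` and `exit 0`. The two backgrounded `find … -exec chmod 644` runs are never waited for.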


@ -0,0 +1,9 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://forums.gentoo.org/viewtopic-t-1044220-start-0.html
qcheck -C \
| grep -v -e '.*\.pyo$' -e '.*\.pyc$' \
-e '.*/examples/.*' -e '^.*/doc/.*/[^/.]*$' \
-e '^/usr/lib/debug/.*' -e '.*\.debug' \
-e '^/usr/.*compiled' -e '^/usr/.*\.cache' \
| grep -B 1 -e '^ MD5-DIGEST:' -e '^ AFK:' -e '^ MTIME:'
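Review bot: The script's exit status is that of the final `grep -B 1`, which is 1 both when no mismatches were found and when `qcheck -C` itself failed, so a caller cannot tell a clean system from a broken run; with `#!/bin/sh` there is no `pipefail`, so either switch to bash with `set -o pipefail` or write the `qcheck -C` output to a temporary file and test its status first. The `.*` prefixes in `-e '.*\.pyo$'` and `-e '.*\.pyc$'` are redundant, and `'.*\.debug'` is unanchored, so it also drops paths that merely contain `.debug`.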


@ -0,0 +1,70 @@
#!/bin/bash
# filter - arguments are to wget - quoted?
prog=$( basename $0 .bash )
prog=ScurlU
ROOTDIR=/mnt/i/net/Http
ROLE=base
CACHE=/usr/portage/distfiles
. /usr/local/bin/proxy_curl_lib.bash
route | grep -q ^def || { echo ERROR: not connected ; exit 1 ; }
. /usr/local/bin/usr_local_tput.bash
FETCHCOMMAND='/usr/local/bin/scurl.bash --force-directories --directory-prefix "\${DISTDIR}" -- "\${URI}"'
# RARGS="--retry 1 --connect-timeout 10"
if [ "$#" -eq 0 ] ; then
LARGS="--force-directories --directory-prefix $ROOTDIR"
else
LARGS="$@"
fi
cp /dev/null /tmp/$prog$$.urls
# //www.simplesystems.org/users/bfriesen/public-key.txt no https:
# https://opencoder.net/WayneDavison.key cloudflare 403
# https://www.simplesystems.org/users/bfriesen/public-key.txt 503
# https://tiswww.case.edu/php/chet/gpgkey.asc 500 timeout
# https://botan.randombit.net/pgpkey.txt no tls1.3
# https://sourceware.org/elfutils/ftp/gpgkey-1AA44BE649DE760A.gpg no tls1.3
# https://gnutls.org/gnutls-release-keyring.gpg no tls1.3
retval=0
# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
grep ^http | \
sed -e 's@ftp://[^ ]*@@' \
-e 's/http:/https:/' \
-e 's@^https://distfiles.gentoo.org/distfiles/openpgp-keys-[^ ]*.asc @@' \
-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
-e 's@https://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
while read urls ; do
url=`echo $urls|sed -e 's@ .*@@'`
base=`basename "$url"`
[ -e $CACHE/$base ] && echo $CACHE/$base && continue
base=`echo $url | sed -e 's@ .*@@' -e 's@https*://@@'`
[ -e $ROOTDIR/"$base" ] && echo $ROOTDIR/"$base" && continue
for url in $urls ; do
for no in "${NOTLSV3[@]}" ; do
[[ $url =~ $no ]] && continue
done
domain=`sed -e 's@/.*@@' <<< $base`
ip=`tor-resolve $domain`
if [ $? -eq 0 -a -n "$ip" ] ; then
a=`proxy_ami_cloudflared $ip`
[ $? -eq 0 -a "$a" = True ] && \
WARN $url Cloudflared $ip $no && \
continue
fi
DBUG $prog /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || {
retval=$?
continue
}
break
done
done
exit $retval
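Review bot: `retval` is assigned inside the `while read urls` body, which runs in the pipeline's subshell, so the `exit $retval` on the last line always exits 0 and a failed fetch is never reported; wrap the loop as `| { while …; done; exit $retval; }` and follow it with `exit $?`. The NOTLSV3 exclusion has no effect: the `continue` inside `for no in "${NOTLSV3[@]}"` only advances that inner loop, and `$no` on the WARN line is the last array element regardless — `continue 2` is what was meant. `cp /dev/null /tmp/$prog$$.urls` creates a predictable file in /tmp that nothing else in the script reads; drop it or use `mktemp`. `prog=$( basename $0 .bash )` is overwritten on the next line, and `FETCHCOMMAND` is assigned but never used or exported.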


@ -0,0 +1,62 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
shopt -s nullglob || exit 1
prog=`basename $0 .bash`
ROLE=base
export PATH=/sbin:$PATH
PREFIX=/usr/local
. /usr/local/bin/usr_local_tput.bash || exit 2
DEST=$PREFIX/portage/testforge/sec-keys
FROM=/usr/portage/sec-keys
cd /
grep /~sam/ /usr/portage/sec-keys/*/*d| \
sed -e 's@.*/@@' -e 's/"//' -e 's/.*-//'|grep -v P | \
while read f;do
b=`ls /usr/portage/distfiles/*"$f"`|| continue;
a=`readlink "$b"`;
echo $a;[ -h "$a" ] && continue;
echo $b;
done | \
sed -e 's@\.\./\.\.@/i@'|zip -m9 --symlinks sam.zip -@
cd $FROM
#
tar cf - *-* | tar xf - --keep-newer-files -C $DEST 2>/dev/null >/dev/null
[ -d $DEST ] || mkdir -p $DEST
cd $FROM
i=0
for dir in *-*; do
[ -d $dir ] || continue
[ -d $DEST/$dir ] || mkdir $DEST/$dir
ls $dir/*ebuild >/dev/null 2>/dev/null || { WARN no *ebuild in $dir ; continue ; }
for file in $dir/*ebuild ; do
[ -f $DEST/$file ] && [ $DEST/$file -nt $FROM/$file ] && continue
sed -e 's/^LICENSE=/RESTRICT="mirror"\nLICENSE=/' > $DEST/$file < $FROM/$file
if grep -q 'Mirrored from ' $FROM/$file ; then
url="`grep 'Mirrored from ' $FROM/$file|sed -e 's/.*Mirrored from //' -e 's/ .*//'`"
if [ -n "$url" ] ; then
i=`expr $i + 1`
rep=`sed -e 's/[$]/\\\\$/g' -e 's/[&]/\\\\&/g' <<< $url`
# could change some keyservers here
rep=`sed -e 's/http:/https:/' <<< $rep`
DBUG rep="$rep"
sed -e "s@https://dev.gentoo.org/.sam/[^ \"]*@$rep@" \
-i $DEST/$file
fi
fi
cd $DEST/$dir
for dfile in $dir/*ebuild ; do
ddir=`dirname $dfile`
cd $ddir
ebuild manifest *ebuild
done
cd $DEST
done
done
INFO $i $DEST
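Review bot: `tar cf - *-* | tar xf - --keep-newer-files -C $DEST` runs one line before `[ -d $DEST ] || mkdir -p $DEST`, so on a fresh tree the extraction fails (silenced by the redirects) and only the per-file `sed` copy below populates `$DEST`; move the mkdir first. The `for dfile in $dir/*ebuild` loop after `cd $DEST/$dir` expands relative to that directory, i.e. `$DEST/$dir/$dir/*ebuild`, which with `nullglob` is empty, so `ebuild manifest` looks like it never runs — `for dfile in *ebuild` without the extra `cd $ddir` seems to be the intent. `zip -m9 … sam.zip` after `cd /` writes `/sam.zip` and deletes the listed originals from distfiles; if that is wanted, a comment saying so would help, otherwise drop `-m`. Escaping `$` and `&` in `rep` protects the sed replacement, but an `@` in the URL would still break the `s@…@$rep@` delimiter.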


@ -0,0 +1,24 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# filter - arguments are to wget - quoted?
ROOTDIR=/mnt/i
if [ "$#" -eq 0 ] ; then
WARGS="-xc -P $ROOTDIR/net/Http --tries=1"
else
WARGS="$@"
fi
grep ^http | \
sed -e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https://[^ ]*\) @\2 \1@' | \
sed -e 's@ftp://[^ ]*@@' -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' -e 's/http:/https:/' \
-e 's@https*://mirror.leaseweb.com/gentoo/@https://gentoo.osuosl.org@g' \
-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' | \
while read urls ; do
url=`sed -e 's@ .*@@' <<< $urls`
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
for url in $urls ; do
wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
break
done
done
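Review bot: `` url=`sed -e 's@ .*@@' <<< $urls` `` uses a bash here-string under `#!/bin/sh`, which is a syntax error in dash; either change the shebang to bash or use `url=${urls%% *}`, which is POSIX and avoids the sed. `WARGS="$@"` flattens the arguments into one string that is later word-split, so an argument containing a space cannot be passed through. `$base` is unquoted in `[ -e /usr/portage/distfiles/$base ]`.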



@ -0,0 +1,13 @@
# Add your spoofed IP range/IPs here
0.0.0.0/8
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/3
#
51.79.22.224/32
37.191.192.147/32
5.1.56.52/32
5.39.72.2/32
71.143.196.76/32
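Review bot: The five `/32` entries after the `#` line carry no note of why or when they were added, while the bogon ranges above them are self-explanatory; a short comment per host (or a date) would make it possible to retire them later. If this list is consumed as an anti-spoofing ingress filter, link-local `169.254.0.0/16` and the shared address space `100.64.0.0/10` are usually included alongside the ranges given. `224.0.0.0/3` covers everything from multicast through the broadcast address, which is presumably intended but deserves a word.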


@ -0,0 +1,143 @@
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31931
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;23.136.211.95.in-addr.arpa. IN PTR
;; Query time: 1282 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:40:43 UTC 2020
;; MSG SIZE rcvd: 44
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.79.22.224
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;224.22.79.51.in-addr.arpa. IN PTR
;; ANSWER SECTION:
REVERSE[224.22.79.51.in-addr.arpa]. 60 IN PTR ip224.ip-51-79-22.net.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 112
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 37.191.192.147
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;147.192.191.37.in-addr.arpa. IN PTR
;; ANSWER SECTION:
147.192.191.37.in-addr.arpa. 3261 IN PTR host-37-191-192-147.lynet.no.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 98
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.1.56.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13766
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;52.56.1.5.in-addr.arpa. IN PTR
;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 40
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.39.72.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.72.39.5.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.72.39.5.in-addr.arpa. 3335 IN PTR ns3065363.ip-5-39-72.eu.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 88
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.38.81.39
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24210
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;39.81.38.51.in-addr.arpa. IN PTR
;; ANSWER SECTION:
39.81.38.51.in-addr.arpa. 3336 IN PTR vps-87b023ab.vps.ovh.net.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 91
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 136.243.4.139
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25018
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;139.4.243.136.in-addr.arpa. IN PTR
;; ANSWER SECTION:
139.4.243.136.in-addr.arpa. 3336 IN PTR static.139.4.243.136.clients.your-server.de.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 112
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23102
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;23.136.211.95.in-addr.arpa. IN PTR
;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
;; MSG SIZE rcvd: 44


@ -0,0 +1,134 @@
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:39 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9053 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9051 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i eth1 -p tcp -m multiport --dports 9152:9189 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
# Completed on Sat Dec 12 13:40:40 2020
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9051 -j REDIRECT --to-ports 9051
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9152:9189 -j REDIRECT
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -m owner --uid-owner 108 -j RETURN
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -m owner --uid-owner 105 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j RETURN
COMMIT
# Completed on Sat Dec 12 13:40:40 2020
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Dec 12 13:40:40 2020
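Review bot: Every `--dst-range` in both tables ends at `.24` (`127.0.0.0-127.0.0.24`, `192.168.0.0-192.168.0.24`, `10.152.152.0-10.152.152.24`, …), which covers only the first 25 addresses of each network; if a `/24` was intended these should be plain `-d 192.168.0.0/24` matches and the `iprange` module is not needed — only `10.0.2.2-10.0.2.24` starts at `.2` and may be deliberate. The `--dport 22` ACCEPT on eth0 appears twice in the filter INPUT chain. The final `-A INPUT -j DROP` duplicates the chain's DROP policy, which is harmless but hides the policy counters.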


@ -0,0 +1,183 @@
# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
# firewall.bash.libvirt.9
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo - -o wlan4
# let resolve.conf redirect to lo - this rule cannot be removed
#-A OUTPUT -o wlan4 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
#-A OUTPUT -o wlan4 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
#D-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
# blocks
-A INPUT -i wlan6 -s 5.1.56.52 -p tcp -j DROP
-A INPUT -i wlan6 -s 5.39.72.2 -p tcp -j DROP
-A INPUT -i wlan4 -s 37.191.192.147 -p tcp -j DROP
-A INPUT -i wlan4 -s 51.79.22.224 -p tcp -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan4 -p icmp -j ACCEPT
# these are NOT needed
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j ACCEPT
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j ACCEPT
# these are NOT needed
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 1 -j ACCEPT
# these are NOT needed
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 216 -j ACCEPT
#?# let dhcp through?
#?-A INPUT -p udp --sport 68 -j ACCEPT
#?-A INPUT -p udp --sport 67 -j ACCEPT
-A INPUT -i wlan4 -p udp --sport 137 -j DROP
-A INPUT -i wlan4 -p udp --sport 138 -j DROP
-A INPUT -i wlan4 -p udp --sport 139 -j DROP
### this is required for outgoing pings
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i virbr1 -p icmp -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 7001 -j ACCEPT
#D#-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
#D#-A INPUT -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#D#-A OUTPUT -o wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan4 -p icmp -j ACCEPT
#?-A OUTPUT -d 10.16.238.81/24 -j ACCEPT
#?-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
#?-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#D#-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
#D#-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
# ssh - specifically forbid ssh out the wlan
-A OUTPUT -o wlan4 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o wlan4 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wlan4 -m owner --gid-owner 1 -j ACCEPT
# necessary and sufficient
-A OUTPUT -o wlan4 -m owner --gid-owner 216 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed or wanted
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
#no
#no # FixMe:sic this is what libvirt did -i --dport
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
#D#-A OUTPUT -j DROP
COMMIT
# Generated Mon 23 Nov 2020 10:02:17 PM UTC
# Whonix firewall for wlan=wlan4 IP=10.16.238.81 NET=10.16.238.81/24 LIBVIRT_FW=1


@ -0,0 +1,53 @@
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7001 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Nov 23 20:47:58 2020
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 23 20:47:58 2020
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 23 20:47:58 2020
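Review bot: The final `-A OUTPUT -j REJECT --reject-with icmp-port-unreachable` is unreachable, because the `-A OUTPUT -j ACCEPT` immediately before it already matches every packet that gets that far; the same pair appears at the end of the OUTPUT chain in the later 52-line xtables-save section. That unconditional ACCEPT also means all remaining TCP egress is allowed, so the `:OUTPUT DROP` policy never takes effect — if that is the intent, a comment such as `# all remaining TCP out is accepted; only non-TCP is rejected above` would make it explicit rather than looking like a leftover. The two `-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT` rules are identical and one can be dropped (likewise in the later section). The INPUT accepts for `--dport 22` and `--dport 7001` carry no `-s` restriction; if those services are only meant to be reachable from the gateway side, narrowing them with a source network would reduce exposure.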


@ -0,0 +1,232 @@
# firewall.conf.new.9
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo - -o wlan6
# let resolve.conf redirect to lo - this rule cannot be removed
#-A OUTPUT -o wlan6 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
#-A OUTPUT -o wlan6 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
# blocks wlan
-A INPUT -s 217.182.196.70 -p tcp -j DROP
-A INPUT -s 185.213.20.105 -p tcp -j DROP
-A INPUT -s 185.32.222.237 -p tcp -j DROP
-A INPUT -s 92.223.105.174 -p tcp -j DROP
-A INPUT -s 195.201.168.111 -p tcp -j DROP
-A INPUT -s 51.15.115.217 -p tcp -j DROP
-A INPUT -s 89.163.224.33 -p tcp -j DROP
-A INPUT -s 130.193.15.49 -p tcp -j DROP
-A INPUT -s 95.216.19.207 -p tcp -j DROP
-A INPUT -s 176.158.122.84 -p tcp -j DROP
-A INPUT -s 80.66.135.13 -p tcp -j DROP
-A INPUT -s 176.9.118.73 -p tcp -j DROP
-A INPUT -s 109.236.90.209 -p tcp -j DROP
-A INPUT -s 51.79.22.224 -m tcp -p tcp -j DROP
-A INPUT -s 37.191.192.147 -m tcp -p tcp -j DROP
-A INPUT -s 5.1.56.52 -m tcp -p tcp -j DROP
-A INPUT -s 5.39.72.2 -m tcp -p tcp -j DROP
-A INPUT -s 51.38.81.39 -m tcp -p tcp -j DROP
-A INPUT -s 136.243.4.139 -m tcp -p tcp -j DROP
-A INPUT -s 95.211.136.23 -m tcp -p tcp -j DROP
## DROP INVALID
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
#!-A INPUT -i wlan6 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -m udp -p udp --sport 123 -m owner --gid-owner 226 -j ACCEPT
#!-A INPUT -i wlan6 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 216 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 1 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 115 -j ACCEPT
### let dhcp through?
#?-A INPUT -p udp --sport 68 -j ACCEPT
#?-A INPUT -p udp --sport 67 -j ACCEPT
-A INPUT -i wlan6 -p udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp --sport 139 -j DROP
### this is required for outgoing pings
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i virbr1 -p icmp -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9040 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 7001 -j ACCEPT
#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
#D#-A INPUT -j DROP
##-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
##-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
#? WHY?!
##-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
##-A OUTPUT -d 10.16.238.0/24 -j ACCEPT
##-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
##-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o wlan6 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wlan6 -m owner --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 115 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
# blocks virbr1
-A LIBVIRT_FWI -s 217.182.196.70 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.213.20.105 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.32.222.237 -p tcp -j DROP
-A LIBVIRT_FWI -s 92.223.105.174 -p tcp -j DROP
-A LIBVIRT_FWI -s 195.201.168.111 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.15.115.217 -p tcp -j DROP
-A LIBVIRT_FWI -s 89.163.224.33 -p tcp -j DROP
-A LIBVIRT_FWI -s 130.193.15.49 -p tcp -j DROP
-A LIBVIRT_FWI -s 95.216.19.207 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.158.122.84 -p tcp -j DROP
-A LIBVIRT_FWI -s 80.66.135.13 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.9.118.73 -p tcp -j DROP
-A LIBVIRT_FWI -s 109.236.90.209 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.79.22.224 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 37.191.192.147 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.1.56.52 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.39.72.2 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 51.38.81.39 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 136.243.4.139 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 95.211.136.23 -m tcp -p tcp -j DROP
# Drop any TCP Acknowlegements they are not needed an they trigger the logs
# https://serverfault.com/questions/578735/for-what-is-a-general-allow-ack-rule-in-iptables-good-for
# This creates a hole in the firewall big enough to portscan through;
# nmap even has a flag to do an ACK scan which this rule will permit. Michael Hampton
# -A LIBVIRT_FWI -i wlan6 -m tcp -p tcp --tcp-flags ACK ACK -j DROP
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
-A OUTPUT -j DROP
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Whonix firewall for wlan6 10.16.238.64 10.16.238.64/24 LIBVIRT_FW=1
# WORKS with Gateway tor - ssh
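Review bot: `-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "` at the top of the LIBVIRT_FWI chain fires before the RELATED,ESTABLISHED ACCEPT two lines below it, so every forwarded packet into virbr1 — including the accepted ones — is logged under a REJECT prefix, and the genuinely rejected ones are then logged a second time by the identical LOG rule just before the final REJECT. Deleting the first of the two LOG lines removes both the mislabelled entries and the duplicate; the same rule order appears in the LIBVIRT_FWI chain of the preceding file section. None of the LOG rules in this file carry `-m limit`, so a traffic burst on virbr1 or wlan6 can flood the log; adding e.g. `-m limit --limit 5/min --limit-burst 20` ahead of `-j LOG` bounds that. `--log-uid` only has meaning for locally generated packets, so it adds nothing on the FORWARD-chain LOG rules and can be dropped there.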


@ -0,0 +1,52 @@
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Nov 23 20:47:58 2020
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 23 20:47:58 2020
# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Nov 23 20:47:58 2020


@ -0,0 +1,89 @@
# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
#
# This is an implementation of the Riseup OpenPGP Best Practices
# https://help.riseup.net/en/security/message-security/openpgp/best-practices
#
#-----------------------------
# default key
#-----------------------------
# The default key to sign with. If this option is not used, the default key is
# the first key found in the secret keyring
#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
#-----------------------------
# behavior
#-----------------------------
# Disable inclusion of the version string in ASCII armored output
no-emit-version
# Disable comment string in clear text signatures and ASCII armored messages
no-comments
# Display long key IDs
keyid-format 0xlong
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint
# Display the calculated validity of user IDs during key listings
list-options show-uid-validity
verify-options show-uid-validity
# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
# the agent before it asks for a passphrase.
use-agent
#-----------------------------
# keyserver
#-----------------------------
# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on
keyserver hkps://keys.openpgp.org/
# Set the proxy to use for HTTP and HKP keyservers - default to the standard
# local Tor socks proxy
# It is encouraged to use Tor for improved anonymity. Preferrably use either a
# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
# IsolateDestAddr
keyserver-options http-proxy=http://localhost:3128
# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
#keyserver-options no-try-dns-srv
# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from
keyserver-options no-honor-keyserver-url
# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked
#-----------------------------
# algorithm and ciphers
#-----------------------------
# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one
personal-cipher-preferences AES256 AES192 AES CAST5
# list of personal digest preferences. When multiple ciphers are supported by
# all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# message digest algorithm used when signing a key
cert-digest-algo SHA512
# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
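Review bot: The comment above `personal-cipher-preferences AES256 AES192 AES CAST5` describes a digest list, and the comment above `personal-digest-preferences` talks about ciphers — the two descriptions are swapped; the first should read `# list of personal cipher preferences. When multiple ciphers are supported by all recipients, choose the strongest one` and the second the digest equivalent (the same swapped pair is in the next gpg.conf section). The keyserver comment calls the proxy the "local Tor socks proxy", but `keyserver-options http-proxy=http://localhost:3128` configures an HTTP proxy on port 3128; whether that listener is Tor-backed is not visible here, so the comment should say HTTP proxy and name what is expected to listen on 3128. CAST5 at the tail of both the cipher preferences and `default-preference-list` is a 64-bit-block cipher; unless a correspondent still needs it, dropping it is the usual hardening step. `use-agent` is a dummy option on GnuPG 2.1 and later and can go if only modern gpg is targeted.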


@ -0,0 +1,89 @@
# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
#
# This is an implementation of the Riseup OpenPGP Best Practices
# https://help.riseup.net/en/security/message-security/openpgp/best-practices
#
#-----------------------------
# default key
#-----------------------------
# The default key to sign with. If this option is not used, the default key is
# the first key found in the secret keyring
#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
#-----------------------------
# behavior
#-----------------------------
# Disable inclusion of the version string in ASCII armored output
no-emit-version
# Disable comment string in clear text signatures and ASCII armored messages
no-comments
# Display long key IDs
keyid-format 0xlong
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint
# Display the calculated validity of user IDs during key listings
list-options show-uid-validity
verify-options show-uid-validity
# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
# the agent before it asks for a passphrase.
use-agent
#-----------------------------
# keyserver
#-----------------------------
# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on
keyserver hkps://keys.openpgp.org/
# Set the proxy to use for HTTP and HKP keyservers - default to the standard
# local Tor socks proxy
# It is encouraged to use Tor for improved anonymity. Preferrably use either a
# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
# IsolateDestAddr
keyserver-options http-proxy=http://localhost:3128
# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
keyserver-options no-try-dns-srv
# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from
keyserver-options no-honor-keyserver-url
# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked
#-----------------------------
# algorithm and ciphers
#-----------------------------
# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one
personal-cipher-preferences AES256 AES192 AES CAST5
# list of personal digest preferences. When multiple ciphers are supported by
# all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# message digest algorithm used when signing a key
cert-digest-algo SHA512
# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
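Review bot: This file is a copy of the preceding gpg.conf section differing only in that `keyserver-options no-try-dns-srv` is enabled here and commented out there, so the swapped cipher/digest comments, the "Tor socks proxy" comment over an HTTP proxy on 3128, and CAST5 in the preference lists all need the same fixes in both copies. Since the comment directly above that option already records that Debian's gpg rejects it, a single templated copy with that one line made conditional would keep the two variants from drifting apart.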


@ -0,0 +1,138 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
. /usr/local/etc/local.d/local.bash
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
fi
# Host and Vda
[ -d /etc/apt ] && \
local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
sdwdate tb-updater-first-boot lvm2-monitor
# BEGIN ANSIBLE MANAGED BLOCK base initctl
if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
ln -s /run/initctl /dev/initctl
elif [ ! -e /dev/initctl ] ; then
mknod -m=0600 /dev/initctl p
fi
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK base
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
# END ANSIBLE MANAGED BLOCK base
# sh "/var/local/etc/local.d/testforge.start"
# redis
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
if false;then
# failsafe but independent of whether wlan exists
[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
fi
fi
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for eltin h i j o q v q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
# local_manual_stop_services
SYSTEMD_STOP_AND_MASK="
debug-shell.service
systemd-backlight@.service
phpsessionclean.service
phpsessionclean.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
dbus-org.freedesktop.nm-dispatcher.service
tb-updater-first-boot.service
openvpn.service
systemd-backlight@.service
systemd-backlight@backlight.service
vboxadd-service.service
vboxautostart-service.service
vboxballoonctrl-service.service
vboxdrv.service
vboxweb-service.service
"
# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
for file in /usr/local/etc/systemd/*.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
/var/local/bin/harden_dbus_neuter.bash
which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
# BEGIN ANSIBLE MANAGED BLOCK update
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update
# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update local_disable_lid
# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
ROLE=base
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
ROLE=gpgkey
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
ROLE=hostvms
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
ROLE=privacy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
ROLE=proxy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
ROLE=testforge
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
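Review bot: `chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh` near the top makes every script in those directories group-writable, and this file then runs one of them as root at boot (`/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config`); unless the owning group is root-only, any member of that group can edit what root executes, so `chmod 755` is the safer mode. Everything after the `exit 0` that follows the `if false` block is unreachable, and it hides a syntax error: `for eltin h i j o q v q w l ; do` is missing the `in` (the loop body uses `$elt`), which would abort the script at boot if that `exit 0` were ever removed — either delete the dead block or fix it to `for elt in h i j o q v q w l ; do`. The shebang is `#!/bin/sh` but the first command sources `local.bash`; if that file relies on bash-only syntax this fails under dash, so `#!/bin/bash` or a `[ -f /usr/local/etc/local.d/local.bash ] &&` guard seems worth confirming.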


@ -0,0 +1,45 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=proxy
ip route | grep -q ^def || {
WARN we are not connected
}
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
declare -a CURL_OPTS
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
CURL_OPTS+=( --proxy $socks_proxy )
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$https_proxy" ] ; then
CURL_OPTS+=( --proxy $https_proxy )
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$http_proxy" ] ; then
CURL_OPTS+=( --proxy $http_proxy )
fi
export CURL_OPTS+=( -L --remote-time )
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
export CURLOPT_ALTSVC_CTRL=16
fi
[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
export CURL_OPTS+=( --config $HOME/.curlrc )
[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
if [[ ! "$*" =~ --capath ]] && \
[[ ! "$*" =~ --cacert ]] && \
[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
# --capath /usr/local/etc/:/etc/ssl/certs
export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
fi
echo INFO: curl $CURL_OPTS "$@"
exec curl $CURL_OPTS "$@"
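Review bot: `$CURL_OPTS` on the INFO and `exec curl` lines expands to only the first element of the array (bash treats a bare array name as `${CURL_OPTS[0]}`), so after all the accumulation curl is started with at most `--proxy` and the caller's first argument is consumed as the proxy URL; it must be `exec curl "${CURL_OPTS[@]}" "$@"` (same on the echo line). The INFO echo also prints the caller's full argument list to stdout, so a `-u user:pass` or a header with a token given on the command line ends up in whatever captures the output; send it to stderr or drop it. The `export CURL_OPTS+=( … )` forms can be plain `CURL_OPTS+=( … )`, since an array is never exported into a child's environment anyway. `WARN` in the not-connected branch is neither defined nor sourced in this script, so that path prints a command-not-found and carries on; source the tput helper the other scripts use or `echo WARN: …`. The `socks5://` to `socks5h://` rewrite is the right move for keeping name resolution inside the SOCKS tunnel and deserves a one-line comment saying so.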


@ -0,0 +1,63 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
exec /usr/bin/dirmngr.bin --version
return 0
fi
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"


@ -0,0 +1,10 @@
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
# BEGIN ANSIBLE MANAGED BLOCK proxy
exec corkscrew $1 $2
# $1 %h $2 %p
#? exec connect -4 -S : $(tor-resolve $1 :) $2
# END ANSIBLE MANAGED BLOCK proxy
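Review bot: `exec corkscrew $1 $2` gives corkscrew two arguments, but corkscrew expects the HTTP proxy host and port first and the destination host and port after them (`corkscrew PROXYHOST PROXYPORT DESTHOST DESTPORT [authfile]`); with only `%h %p` the SSH destination is taken as the proxy and the connection cannot be set up. The proxy endpoint should come from the role's configuration — the dirmngr wrapper in this commit documents `http://127.0.0.1:3128` — e.g. `exec corkscrew 127.0.0.1 3128 "$1" "$2"`, with both positional parameters quoted. If the Ansible template substitutes different content than shown here, the managed-block comment should state what `$1`/`$2` are beyond the terse `%h %p` note.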


@ -0,0 +1,89 @@
#!/usr/local/bin/python2.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Gerardo Richarte <gera@coresecurity.com>
# Javier Kohen <jkohen@coresecurity.com>
#
# Reference for:
# ImpactPacket: IP, ICMP, DATA.
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, ImpactPacket
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
# Create a new ICMP packet of type ECHO.
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)
# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data("A"*156))
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
seq_id = 0
i = 0
while i < 10:
i += 1
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp.set_icmp_id(seq_id)
# Calculate its checksum.
icmp.set_icmp_cksum(0)
icmp.auto_checksum = 1
# Send it to the target host.
s.sendto(ip.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.IPDecoder().decode(reply)
# Extract the ICMP packet from its container (the IP packet).
ricmp = rip.child()
# If the packet matches, report it to the user.
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
time.sleep(1)


@ -0,0 +1,89 @@
#!/usr/local/bin/python3.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Gerardo Richarte <gera@coresecurity.com>
# Javier Kohen <jkohen@coresecurity.com>
#
# Reference for:
# ImpactPacket: IP, ICMP, DATA.
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, ImpactPacket
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
# Create a new ICMP packet of type ECHO.
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)
# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data(b"A"*156))
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
seq_id = 0
i = 0
while i < 10:
i += 1
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp.set_icmp_id(seq_id)
# Calculate its checksum.
icmp.set_icmp_cksum(0)
icmp.auto_checksum = 1
# Send it to the target host.
s.sendto(ip.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.IPDecoder().decode(reply)
# Extract the ICMP packet from its container (the IP packet).
ricmp = rip.child()
# If the packet matches, report it to the user.
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
time.sleep(1)


@ -0,0 +1,82 @@
#!/usr/local/bin/python2.sh
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Simple ICMP6 ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Alberto Solino (@agsolino)
#
# Reference for:
# ImpactPacket: ICMP6
# ImpactDecoder.
import select
import socket
import time
import sys
from impacket import ImpactDecoder, IP6, ICMP6, version
print(version.BANNER)
if len(sys.argv) < 3:
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
sys.exit(1)
src = sys.argv[1]
dst = sys.argv[2]
# Create a new IP packet and set its source and destination addresses.
ip = IP6.IP6()
ip.set_ip_src(src)
ip.set_ip_dst(dst)
ip.set_traffic_class(0)
ip.set_flow_label(0)
ip.set_hop_limit(64)
# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
payload = "A"*156
print("PING %s %d data bytes" % (dst, len(payload)))
seq_id = 0
while 1:
# Give the ICMP packet the next ID in the sequence.
seq_id += 1
icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)
# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)
ip.set_next_header(ip.child().get_ip_protocol_number())
ip.set_payload_length(ip.child().get_size())
icmp.calculate_checksum()
# Send it to the target host.
s.sendto(icmp.get_packet(), (dst, 0))
# Wait for incoming replies.
if s in select.select([s],[],[],1)[0]:
reply = s.recvfrom(2000)[0]
# Use ImpactDecoder to reconstruct the packet hierarchy.
rip = ImpactDecoder.ICMP6Decoder().decode(reply)
# If the packet matches, report it to the user.
if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():
print("%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number()))
time.sleep(1)

344
overlay/Linux/usr/local/bin/pr$ Executable file

@ -0,0 +1,344 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDF[@]}" ; do
nopat=`sed -e 's/\.0.*//' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
for no in "${CLOUDF[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
)
#for no in "${CLOUDF[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
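Review bot: `proxy_ami_cloudflared` and `proxy_ami_cloudflared_py` iterate `"${CLOUDF[@]}"`, but the array defined at the bottom of the file is `CLOUDFN`, so both loops run over nothing and every address is reported `False`; rename the references to `CLOUDFN` (the commented-out loop after the array already uses the right name). Separately, the Python fallback splices `$ip` and `$no` into the `-c` program text, so an address obtained from anything other than a trusted literal (parsed tool output, a resolver answer) can inject Python; pass them as arguments instead: `python3 -c "import ipaddress,sys; print(ipaddress.ip_address(sys.argv[1]) in ipaddress.ip_network(sys.argv[2]))" "$ip" "$no"`. The string-prefix shortcut is also unsound: `sed -e 's/\.0.*//'` turns `131.0.72.0/22` into `131`, and the unanchored `=~` then flags every address starting with `131`, while a /13 or /15 prefix cannot be expressed as a dotted prefix at all; treat it as a hint at most or drop it in favour of the ipaddress check.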

23
overlay/Linux/usr/local/bin/pro Executable file

@ -0,0 +1,23 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
. /usr/local/bin/usr_local_tput.bash || exit 2
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode )
if [ "$MODE" = tor -o "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053
elif [ "$MODE" = whonix -o "$MODE" = ws -o "$MODE" = tor -o "$MODE" = selektor ] ; then
socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053
fi
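Review bot: The `if`/`elif` conditions overlap — `tor` and `selektor` appear in both, so the second branch is unreachable for them and the first tests `tor` twice — and any other mode (including an empty string if `proxy_whonix_mode` fails) falls off the end with exit status 0 and no forwarder started. If the rest of the role relies on 127.0.0.1:53 being served here, that silent no-op means the resolver falls back to whatever `/etc/resolv.conf` names, i.e. lookups outside Tor; add `else ERROR unknown mode "$MODE" ; exit 2` and remove the duplicated alternatives. The script is `#!/bin/sh` yet sources `usr_local_tput.bash`; if that helper uses bash features this only works where `sh` is bash, so use `#!/bin/bash` or confirm the helper is POSIX. The `netstat -nlpe4` probe is unguarded (the dirmngr wrapper checks for `/usr/bin/netstat` first), so on a host without net-tools the "already bound" check is skipped rather than failing; `ss -lnu` is the portable modern equivalent.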


@ -0,0 +1,12 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/etc/testforge/testforge.bash
PREFIX=$PROXY_VAR_LOCAL
[ "$#" -eq 0 ] && set -- proxy
exec bash $PREFIX/bin/testforge_ansible.bash "$@"
ROLE=proxy
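Review bot: `ROLE=proxy` on the last line sits after `exec`, so it is never reached; move it above the exec or drop it. The `.` of `testforge.bash` is unchecked, so if that file is missing `PREFIX` is empty and the script runs `bash /bin/testforge_ansible.bash`; guard it as the other scripts in this commit do, `. /usr/local/etc/testforge/testforge.bash || exit 2`, and quote the path: `exec bash "$PREFIX/bin/testforge_ansible.bash" "$@"`.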


@ -0,0 +1,401 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
for no in "${CLOUDFN[@]}" ; do
nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDFN[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
## proxy_ami_nottlsv3
proxy_ami_nottlsv3() {
[ $# -gt 0 ] || return 1
local site=$1
for no in "${NOTLSV3[@]}" ; do
[[ $site =~ $no ]] && echo True && return 0
done
echo False
return 0
}
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
# forbidden
download.nvidia.com
# 500
www.x.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
)
#for no in "${CLOUDFN[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
declare -a SSL_ALERT_CODES
# B.2. Alert Messages
SSL_ALERT_CODES=(
[0]="close_notify"
[10]="unexpected_message"
[20]="bad_record_mac"
[21]="decryption_failed_RESERVED"
[22]="record_overflow"
[30]="decompression_failure_RESERVED"
[40]="handshake_failure"
[41]="no_certificate_RESERVED"
[42]="bad_certificate"
[43]="unsupported_certificate"
[44]="certificate_revoked"
[45]="certificate_expired"
[46]="certificate_unknown"
[47]="illegal_parameter"
[48]="unknown_ca"
[49]="access_denied"
[50]="decode_error"
[51]="decrypt_error"
[60]="export_restriction_RESERVED"
[70]="protocol_version"
[71]="insufficient_security"
[80]="internal_error"
[86]="inappropriate_fallback"
[90]="user_canceled"
[100]="no_renegotiation_RESERVED"
[109]="missing_extension"
[110]="unsupported_extension"
[111]="certificate_unobtainable_RESERVED"
[112]="unrecognized_name"
[113]="bad_certificate_status_response"
[114]="bad_certificate_hash_value_RESERVED"
[115]="unknown_psk_identity"
[116]="certificate_required"
[120]="no_application_protocol"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi


@ -0,0 +1,55 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
ly=daily
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
/var/local/bin/testforge_python_doctest3.bash \
/var/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi
[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$prog $warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $errs -ne 0 ] && \
ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
[ $errs -eq 0 ] && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors" && \
rm -f $WLOG $ELOG $OUT
exit $errs
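Review bot: The doctest block guarded by `if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ]` is unreachable, because the script has already left at `[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }` whenever the caller is not root, so `testforge_python_doctest3.bash` never runs. If the doctest is meant to run on the root path the test should read `if [ $MYID -eq 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then`; if it was deliberately kept away from root, the dead block should be removed rather than left looking active. The redirect target `"$LOG_DIR"/$ly/$elt$$.log` also needs `mkdir -p "$LOG_DIR/$ly"` first, which nothing in the file does. Finally `rm -f $LOG_DIR/*${prog}_${ly}*.log` deletes the logs of any other instance still running, not just this process's `$$`-suffixed files.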


@ -0,0 +1,64 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
# NO allow-version-check CALLS ANYWAY versions.gnupg.org
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
[ -x /usr/bin/dirmngr.bin ] || exit 4
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"


@ -0,0 +1,63 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
# Dual Linux or msys64
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
sed -e 's@keyserver hkp://@@' | \
while read elt;do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys abcdefghij || exit 3$?
echo INFO: $proxy $elt
done
done
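Review bot: `ps ax | grep -q polipo` in the `elif` matches the grep process itself, whose command line contains `polipo`, so that branch is effectively always true and the `ERROR: unknown proxy` fallback is unreachable; use `pgrep -x polipo >/dev/null` or the `grep '[p]olipo'` idiom. The later `ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill` strips at the first space, and `ps ax` right-aligns the PID column with leading spaces, so for any PID narrower than the column the result is an empty string and `kill` is invoked without a PID; `pkill -f /usr/bin/dirmngr.bin` does the job reliably. When neither gnupg directory exists `HOMEDIR` is never set and `gpg --verbose --home $HOMEDIR` expands to `--home --refresh-keys`, so an early `[ -n "$HOMEDIR" ] || { echo ERROR: no gnupg homedir ; exit 1 ; }` would fail cleanly instead.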


@ -0,0 +1,42 @@
#!/usr/bin/expect --
# -*- mode: tcl; tab-width: 8; encoding: utf-8-unix -*-
set timeout 60
set elt $env(keyserver)
spawn gpg --verbose \
--homedir $env(HOMEDIR) \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys $env(KEY_ID)
# keyserver search failed: Not found
# 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0
expect "1-1*"
send_user "Sending 1\r"
send "1\r"
expect -re .+ {
exp_continue
} 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0 {
send_user "Quitting 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0\r"
exit 0
} AbCdEfGhIj {
send_user "Quitting AbCdEfGhIj\r"
exit 0
} BYE {
send_user "Quitting BYE\r"
exit 0
} "6923 CE79 91AB F733 8DB1 C9AA 5F01 42A0 80E4 A9A0" {
send_user "Quitting FP\r"
exit 0
} timeout {
exit 1
} eof {
exit 0
}
# expect -r .+ {send "\r"}
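Review bot: The catch-all `expect -re .+ { exp_continue }` is the first arm, and expect takes the first pattern that matches the buffer, so it claims every chunk of output and the `0x6923CE79…`, `AbCdEfGhIj`, `BYE` and fingerprint arms are never reached; the script can only finish on `timeout` (exit 1) or `eof` (exit 0). Move the `-re .+ { exp_continue }` arm to the end of the block, after the literal patterns and just before `timeout`/`eof`. `$env(keyserver)`, `$env(HOMEDIR)` and `$env(KEY_ID)` also abort with a Tcl "no such variable" error when unset; a guard such as `if {![info exists env(KEY_ID)]} { exit 2 }` for each gives a deterministic exit status the caller can test.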


@ -0,0 +1,22 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
elif a[ "$MODE" = whonix ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
fi
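Review bot: `elif a[ "$MODE" = whonix ] ; then` has a stray `a` glued to the test, so the shell looks for a command named `a[`, prints "not found" and the whonix branch never runs; it should read `elif [ "$MODE" = whonix ] ; then`. The guard `netstat -nlpe4 | grep -q 127.0.0.1:53` is unanchored as well — it matches `127.0.0.1:5353` or any longer port starting with 53, and the unescaped dots match any character — so anchor it as `grep -q '127\.0\.0\.1:53 '`. Any other mode falls off the end silently with status 0; an `else ERROR unknown mode "$MODE" ; exit 2` arm would make that visible to callers.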


@ -0,0 +1,166 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
#NO prog=proxy_export
. /usr/local/bin/usr_local_tput.bash || exit 2
[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
# [ "$USER" != root ] && export PATH=/sbin:$PATH
## proxy_to_virbr1_15
proxy_to_virbr1_15 () {
if ifconfig | grep -q virbr1 ; then
PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
[ -n "$PROXY_VIREXT_HOST" ] && \
export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
export TOR_SOCKS_PORT=9050
fi
return 0
}
## proxy_http_host_httpproxy
proxy_http_host_httpproxy () {
if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export RSYNC_PROXY=127.0.0.1:3128
fi
return 0
}
proxy_https_host_selektor () { proxy_https_host_tor $* ; }
proxy_https_host_tor () {
if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
export https_proxy=http://127.0.0.1:9128
fi
return 0
}
proxy_socks_host_tor () {
local file=/etc/tor/torrc
if [ -f $file ] ; then
port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
return 1
fi
if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
export socks_proxy=socks5://127.0.0.1:$port
fi
return 0
}
proxy_socks_host_selektor () {
local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -f $file ] ; then
port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
fi
return 0
}
# proxy_export_mode
proxy_export_mode () {
ppl=/usr/local/bin/proxy_ping_lib.bash
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
[ -z "$MODE" ] && MODE=host
# $0=bash
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
if [ "$MODE" = from -o "$MODE" = whonix ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.15"
proxy_http_host_httpproxy
proxy_to_virbr1_15
elif [ "$MODE" = client ] ; then
# inherit the environment
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
elif [ "$MODE" = nat ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
if [ $? -eq 0 ] && [ -n "$external" ] ; then
# get the ports and PROXY_MODE of the host
export socks_proxy=socks5://$external:9050
export http_proxy=http://$external:3128
export https_proxy=http://$external:9128
fi
elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
export no_proxy="localhost,127.0.0.1,10.152.152.10"
export socks_proxy=socks5://10.152.152.10:9050
proxy_http_host_httpproxy
export https_proxy=http://10.152.152.10:9128
elif [ "$MODE" = gateway ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
export socks_proxy=socks5://10.0.2.15:9050
proxy_http_host_httpproxy
export https_proxy=http://10.0.2.15:9128
elif [ "$MODE" = selektor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_selektor
proxy_socks_host_selektor
elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export socks_proxy=http://127.0.0.1:9050
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
fi
}
# echo $0 $* "$0" = 'tostop' -o
if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
proxy_export_mode
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
env | grep proxy | while read line ; do debug $line ; done
elif [ -x /usr/bin/basename ] && \
[ `basename -- "$0"` = 'proxy_export.bash' -o \
"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
set -- proxy_export_mode
fi
eval "$@"
exit $?
fi
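Review bot: In the final `elif true || ...` branch of `proxy_export_mode`, `export socks_proxy=http://127.0.0.1:9050` uses an `http://` scheme for the Tor SOCKS port, whereas every other branch and `proxy_socks_host_tor` export `socks5://`; it should be `export socks_proxy=socks5://127.0.0.1:9050`. The `elif true || [ "$MODE" = to -o ... ]` guard is always true, so the listed mode names are documentation only — if that is the intent a comment saying so would help, otherwise drop the `true ||`. In `proxy_socks_host_tor` the `if netstat ... 127.0.0.1:$port` block after the `if/else` is unreachable because both arms `return`. When invoked as a script the dispatcher runs `eval "$@"`; the sibling `proxy_libvirt_lib` dispatches with plain `"$@"`, which is enough to call a function by name and does not re-parse the arguments as shell code.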


@ -0,0 +1,8 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*


@ -0,0 +1,16 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
# on stdout - messages on stderr
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
export PATH=$PATH:/usr/local/bin
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
retval=$?
echo -n $PROXY_WLAN
exit $retval


@ -0,0 +1,25 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
. /usr/local/bin/usr_local_tput.bash
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
[ -z "$ip" ] && continue
[ -z "$b" ] && continue
dig -x $ip | grep "$b" && \
INFO $ip $b || \
WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
dig $b | grep 'IN.*\.'
dig @8.8.8.8 $b | grep 'IN.*\.'
done
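Review bot: `dig @8.8.8.8 $b` sends every hostname from `/etc/hosts` straight to an external resolver, bypassing the local `127.0.0.1` forwarder that the other scripts in this role set up; where outbound port 53 is dropped it simply fails, and where it is not it discloses the host list in cleartext. If the comparison against a public resolver is wanted, gate it on an explicit opt-in variable of your choosing (e.g. `[ -n "$PROXY_DIG_EXTERNAL" ] && dig @8.8.8.8 $b | grep 'IN.*\.'`) or add a comment stating why the bypass is acceptable here. The filter `grep -v '#\|127.0.0.1'` still lets `::1` and other loopback entries through, and `grep "$b"` matches the name as a substring anywhere in the reverse-lookup output rather than as the PTR target.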


@ -0,0 +1,192 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
DEBUG=1
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
ly=hourly
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
export PATH=$PATH:/usr/local/bin
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
if [ $ONE_GUEST -eq 0 ] ; then
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
# 10.24.216.64
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
fi
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
fi
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l >> $WLOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
if [ "$MODE" = whonix ] ; then
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
fi
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
ifconfig | grep -q ^wlan
if [ $? -eq 0 ] ; then
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
/usr/local/bin/firewall.bash
}
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if route | grep -q ^def ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check >> $ELOG
}
$PL proxy_ping_dnsmasq_check || {
x ERROR proxy_ping_dnsmasq_check >> $ELOG
}
$PL proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check >> $ELOG
}
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
$PL proxy_test_dirmngr $OUT || \
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians >> $WLOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
fi
/usr/local/bin/proxy_ping_test.bash dns || {
ERROR $prog no dns >> $ELOG ;
}
/usr/local/bin/proxy_ping_test.bash 3128 || {
# can be false
WARN $prog no 3128 >> $WLOG
}
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
exit $errs
fi
fi
[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR "$errs $ly $prog errors in $ELOG"
cat $ELOG
exit $errs
fi
[ $errs -eq 0 ] && \
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
exit 0
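Review bot: `x ERROR proxy_ping_dnsmasq_check >> $ELOG` has a stray leading `x`, so a failed dnsmasq check runs a non-existent command and appends nothing to `$ELOG`; it should be `ERROR proxy_ping_dnsmasq_check >> $ELOG` like the gw and firewall checks beside it. `PL` is cleared (`PL=`) right after the library is sourced, so each later `$PL proxy_...` call is really a direct function call; that works for functions `proxy_ping_lib.bash` defines, but `$PL proxy_libvirt_test` presumably lives in `proxy_libvirt_lib`, which this file does not source — worth confirming. Overwriting `/etc/resolv.conf` with a single `nameserver 127.0.0.1` and deleting dangling symlinks under `/etc/ssl/certs/` look like intentional repairs, but both happen silently on every hourly run; a one-line comment on each stating the reason would help the next maintainer.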


@ -0,0 +1,35 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
route | grep -q ^default || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
warn () { WARN "$prog " $* ; }
info () { echo "INFO: $prog " $* ; }
usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
[ $? -eq 0 ] || error 2 " error getting device $?"
PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
LARGS="-i $PROXY_WLAN"
CONF=/usr/local/etc/jnettop.conf
if [ -f $CONF ] ; then
LARGS="$LARGS --config-file $CONF"
# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
fi
exec jnettop $LARGS $* # 2>/dev/null
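Review bot: `[ $? -eq 0 ] || error 2 " error getting device $?"` reports the status of the `[` test (always 1 on that path), not the status of `proxy_get_if.bash`; capture it first, `retval=$? ; [ $retval -eq 0 ] || error 2 "error getting device $retval"`. The follow-up `grep -q $PROXY_WLAN_IP $CONF` treats the dots in the address as wildcards, so it is a weak confirmation that the `sed -i` edit took effect; `grep -qF "$PROXY_WLAN_IP" $CONF` checks the literal string. Finally `exec jnettop $LARGS $*` should forward user arguments as `"$@"` so arguments containing spaces survive.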


@ -0,0 +1,35 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
if [ ! -d /run/tmp ] ; then
sudo mkdir /run/tmp
sudo chown 1777 /run/tmp
fi
[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
retval=$?
if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
exit $retval
fi
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
WARN 53,bind=$IP in use
for elt in 9050 9128 ; do
netstat -nle4 | grep -q $IP:$elt && {
ERROR $IP:$elt already bound
continue # exit 1
}
DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
done
#else
# WARN $MODE
#fi
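Review bot: `sudo chown 1777 /run/tmp` changes the owner of `/run/tmp` to numeric UID 1777 instead of setting the sticky world-writable mode the value suggests; it should be `sudo chmod 1777 /run/tmp`. As written the directory keeps its default mode (or becomes owned by whatever account happens to have UID 1777), and the `-L/run/tmp/socat$elt.lck` lock files then either fail to be created or belong to an unintended user. The port-53 `socat` on the first line of the `tor|gateway|selektor` branch also runs in the foreground, so the `for elt in 9050 9128` loop only starts after it exits; if all three forwarders are meant to run together it needs a trailing `&` like the TCP ones. `grep -q $IP:$elt` is unanchored too, so a longer port beginning with the same digits also matches.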


@ -0,0 +1,64 @@
#!/bin/bash
ROLE=proxy
MODE=host
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $? -gt 1 ] ; then
ARGS=""
elif [ $? -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $@`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
echo INFO: $0 $HOST $CMD $ARGS
false && echo DEBUG: virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 ] || exit 3
# echo DEBUG: virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
echo DEBUG: $i
done
[ $i -lt $TRIES ] || \
{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d -
rm -f /tmp/{Q,R}$$.out
exit 0
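Review bot: The `if [ $? -gt 1 ]` / `elif [ $? -gt 1 ]` pair (flagged FixMe) reads the status of the preceding `shift` and `[`, not the argument count, so `ARGS` is always taken from `"$1"` and further arguments are dropped; use `$#`, e.g. `if [ $# -eq 0 ] ; then ARGS="" ; elif [ $# -gt 1 ] ; then ARGS=$(sed -e 's/ /","/g' <<< "$@") ; else ARGS="$1" ; fi`. The guest-exec JSON is assembled by concatenating `$CMD` and `$ARGS` into a single-quoted string, so any quote or backslash in them breaks the request; escaping them or using a JSON-aware tool would make it robust. `/tmp/Q$$.out` and `/tmp/R$$.out` are predictable names in a world-writable directory written by a script that drives `virsh`; `mktemp` plus a `trap 'rm -f "$Q" "$R"' EXIT` avoids the symlink hazard and the files left behind by the early `exit` paths. The status loop only recognises `"exitcode":0`, so a guest command that exits non-zero is reported as "no exitcode" after the retries rather than as a command failure.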


@ -0,0 +1,42 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# Aruments ignored: dom plugged begin
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \
for file in /usr/local/etc/modules-load.d/vda*.conf ; do
base=$( basename $file )
[ -e /etc/modules-load.d/$base ] && continue
cp -p $file /etc/modules-load.d/$base
done
/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start
grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
. /usr/local/bin/proxy_ping_lib.bash
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
# clean
exit 0
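Review bot: `WARN` on the `libvirtd crashed - zapping` line is only defined when `usr_local_tput.bash` was sourced, and that sourcing is skipped whenever `$TERM` is empty (`[ -z "$TERM" ] || . ...`); a hook run by the daemon typically has no terminal, so on the very path where libvirtd has crashed this would hit "WARN: command not found" — please confirm the environment the hook runs in. Source the helper unconditionally, `. /usr/local/bin/usr_local_tput.bash || exit 2`, or provide a fallback such as `WARN () { logger WARN: $prog "$*" ; }` when `$TERM` is empty. The hook arguments are also forwarded as `$*` in the `logger` lines; `"$@"` is the safer form.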


@ -0,0 +1,11 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
logger INFO: $0 $PWD $*
exit 0


@ -0,0 +1,285 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
base=proxy_libvirt_lib
# shellcheck disable=SC2154
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
. /usr/local/bin/usr_local_tput.bash || exit 2
. /usr/local/bin/proxy_ping_lib.bash || exit 2
## proxy_libvirt_test_dnsmasq
proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
proxy_rc_service libvirtd status </dev/null >/dev/null || {
DBUG $prog libvirtd not running ; return 0
}
if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
dbug $prog checking libvirtd dnsmasq conf
PROXY_WLAN=$( proxy_get_if )
retval=$?
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
ERROR proxy_get_if empty wlan7 retval=$retval
return 2$retval
}
for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
for file in /var/lib/libvirt/dnsmasq/*conf ; do
if ! grep -q $elt $file ; then
[ -f $file.$$ ] || cp -p $file $file.$$
echo $elt >> $file
fi
done
done
if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
dbug $prog restarting libvirtd dnsmasq conf
# FixMe: use virsh net-update net-edit
# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
[ -f $pid ] || dbug $prog no pid-file in $file && continue
pid=$( cat $pid )
dbug $prog HUPing libvirtd dnsmasq $pid
kill -HUP $pid || WARN $prog error killing $file $pid && continue
done
fi
fi
return 0
}
## proxy_libvirt_clean_virbr1_rules
proxy_libvirt_clean_virbr1_rules () {
local line
proxy_iptables_save | \
grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
sed -e 's/-A/-D/' | while read line ; do
proxy_iptables $line
done
return 0
}
## proxy_libvirt_no_autostart
proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
proxy_libvirt_hung || return 1
proxy_virsh net-list --autostart | while read n s a p ; do
[ "$a" = yes ] || continue
virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
dbug $prog net-autostart $n --disable
[ "$s" = active ] || continue
virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
dbug $prog net-destroy $n
done
return 0
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
if ! proxy_rc_service libvirtd status >/dev/null ; then
DBUG proxy_libvirt_status proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 3$?
fi
if ! proxy_rc_service libvirtd status >/dev/null ; then
ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
return 4
fi
if [ ! -e /run/libvirt/libvirt-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
fi
if [ ! -e /run/libvirt/virtlogd-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
fi
# virtlockd-sock
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
proxy_libvirt_list | grep -q $GATEW_DOM
[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
#? && return 3
else
WARN proxy_libvirt_status null GATEW_DOM
fi
return 0
}
## proxy_libvirt_restart
proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
# tests restarts
proxy_libvirt_start || return 3$?
proxy_libvirt_test || return 4$?
[ -x /etc/libvirt/hooks/network ] || return 7$?
/etc/libvirt/hooks/network || return 8$?
proxy_ping_firewall_restart
# /etc/modules-load.d/firewall.conf
return 0
}
## proxy_libvirt_start_guest
proxy_libvirt_start_guest () {
local dire=$1
[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
proxy_rc_service qemu-guest-agent status >/dev/null \
|| proxy_rc_service qemu-guest-agent start || return 2$?
return $?
}
# proxy_libvirt_test_host
proxy_libvirt_test_host () {
local dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
if [ $MODE = tor ] ; then
proxy_rc_service tor status >/dev/null || \
{ echo ERROR: $prog tor is not running ; return 2 ; }
# different for selector
fi
$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
return $?
}
# proxy_libvirt_test_guest
proxy_libvirt_test_guest () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
proxy_rc_service qemu-guest-agent status
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
proxy_libvirt_test_host
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
proxy_libvirt_status || return 1$?
[ -f /var/log/libvirt/libvirtd.log ] && \
INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
tail /var/log/libvirt/libvirtd.log
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
tail /var/log/libvirt/qemu/$GATEW_DOM.log
else
WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
fi
else
WARN proxy_libvirt_test null GATEW_DOM
fi
proxy_libvirt_test_dnsmasq || return 6$?
return 0
}
## proxy_libvirt_start
proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
proxy_ping_firewall_modules
proxy_libvirt_hung || return 2
proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
proxy_rc_service libvirtd start || return 3$?
return 0
}
## proxy_libvirt_hung
proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
# 1 means hung
[ -f /etc/init.d/libvirtd ] || return 0
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
INFO proxy_libvirt_hung proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 1
sleep $DELAY
fi
/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
# hung processes will hang proxy_virsh list
[ $? -eq 0 -a $a -gt 1 ] && {
WARN proxy_libvirt_hung - too many subprocesses $a
return 1
}
# ├─ 820 /usr/sbin/libvirtd
# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
return 0
}
## proxy_libvirt_list
proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
local a
proxy_libvirt_hung || return 10
proxy_virsh list
return $?
}
## proxy_libvirt_clean_iptables
proxy_libvirt_clean_iptables () {
local i int dir dcp prot port
for dir in i ; do
for int in virbr2 virbr1; do
dcp=67
[ $dir = i ] || dcp=68
for port in 53 $dcp ; do
[ $dir = i ] && table=INP || table=OUT
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
for dir in o ; do
for int in virbr2 virbr1; do
dcp=68
[ $dir = o ] || dcp=67
for port in 53 68 ; do
table=OUT
[ $dir = i ] && table=INP
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
return 0
}
# DBUG 0=$0
base=proxy_libvirt_lib
if [ -x /usr/bin/basename ] && \
[ $( basename -- "$0" .bash ) = $base \
-o $( basename -- "$0" .sh ) = $base ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
"$@"
exit $?
fi
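Review bot: In `proxy_libvirt_test_dnsmasq` the line `[ -f $pid ] || dbug $prog no pid-file in $file && continue` parses as `([ -f $pid ] || dbug ...) && continue`, so when the pid file exists the test succeeds and `continue` fires anyway — the `kill -HUP` that follows is never reached. Write it as `[ -f $pid ] || { dbug $prog no pid-file in $file ; continue ; }`. `proxy_libvirt_test_host` is also defined twice (once with the tor / `proxy_ping_test.bash to_tor` check, once with the log-tailing body); bash keeps the later definition, so the first body is dead and the two should be merged or one removed. `proxy_libvirt_hung` runs `sleep $DELAY` with `DELAY` not set anywhere in this file — if the sourced libraries do not define it, `sleep` fails with a usage error, so `sleep "${DELAY:-5}"` would make the default explicit. `table` in `proxy_libvirt_clean_iptables` and `a` in `proxy_libvirt_hung` are not declared `local` like the neighbouring variables.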


@ -0,0 +1,51 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
PREFIX=/usr/local
[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
LOG=/tmp/I$$.log
JSON=/tmp/I$$.json
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
fi
[ -d /etc/NetworkManager/system-connections ] || exit 0
cd /etc/NetworkManager/system-connections/ || exit 6
pgrep NetworkManager >/dev/null || \
/etc/init.d/network-manager start # || exit 7
iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
which yq 2>/dev/null >/dev/null && \
for file in *.nmconnection; do
elt=$( basename "$file" .nmconnection )
grep -q "$elt" "$LOG" || continue
L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
[ -z "$L" ] && continue
sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
INFO $prog $PWD/$file
done
rm -f /tmp/I$$.log
[ "$#" -eq 0 ] && exit 0
[ $1 = connect ] && nmtui-connect
[ $1 = edit ] && nmtui-edit
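Review bot: The scan output goes to a predictable, PID-named path (`LOG=/tmp/I$$.log`, written with `>` on the `iwlist $PROXY_WLAN scan` line) while the script insists on running as root, so a pre-existing file or symlink at that name in the shared /tmp is followed; use `LOG=$(mktemp) || exit 1` with `trap 'rm -f "$LOG"' EXIT` and drop the hard-coded `rm -f /tmp/I$$.log` at the end. `JSON=/tmp/I$$.json` is assigned but never read anywhere in this file and can go. The trailing `[ $1 = connect ]` and `[ $1 = edit ]` tests should quote `"$1"`, consistent with the `[ -z "$PROXY_WLAN" ]` test earlier in the file.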


@ -0,0 +1,55 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/usr_local_tput.bash || exit 2
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
if [ $? -ne 0 -o "$a" -eq 0 ] ; then
ERROR you need a private kepair with $GPG --quick-gen-key
exit 3
fi
# shellcheck disable=SC2154
$GPG --list-keys | grep -B 1 unknown && \
WARN un-signed keys in pacman && \
DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"
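Review bot: `ps ax | grep -q polipo` in the final `elif` can match the grep process's own command line, so that branch can report polipo as running when it is not; `pgrep -x polipo >/dev/null` tests the process name only. `PROXIES` is assigned in every branch and `EXET` at the top, but neither is read afterwards in this file, so either consume them or drop them. The user-facing message `kepair` should read `keypair`.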



@ -0,0 +1,974 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
PYVER=3
# DEBUG=1
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
which dig 2>/dev/null >/dev/null && HAVE_DIG=1 || HAVE_DIG=0
which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -n "$PYTHON_MINOR" ] || exit 4
if [ -z "$LIB" -a -d /usr/lib/python$PYTHON_MINOR ] ; then
LIB=lib
elif [ -z "$LIB" -a -d /usr/lib64/python$PYTHON_MINOR ] ; then
LIB=lib64
elif [ -n "$LIB" -a ! -d /usr/$LIB/python$PYTHON_MINOR ] ; then
#? ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
exit 5
fi
THOPS=40
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
grep -q Debian /etc/os-release
DEBIAN=$?
TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com
# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
NTP_HOST2=78.46.53.2
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
CURL="curl -o /dev/null $CURL_ARGS"
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""
[ -z "$USER" ] && USER=$(id -un )
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw`
# fixme - required
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
USAGE="$prog without arguments tests the current MODE=$MODE,
or 0 to list the tests by number,
or one or more of the groups:
"
DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
$NETS | grep -q ":53"
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" dns not running
[ -z "$ALL" ] && exit $ARG$retval || return 1
}
## proxy_test_traceroute_icmp_gw
proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || return 1
traceroute --icmp $PROXY_WLAN_GW
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
[ -z "$ALL" ] && exit $ARG$retval || return 1
# works
GREP="-i icmp"
return 0
}
## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || return 1
INFO $prog test=$ARG "${tests[$ARG]}" dig @$DNS_HOST1
# works
GREP="53"
return 0
}
## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval \
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
proxy_iptables_save|tail|grep PTABLES_filter_DROP-o
[ -z "$ALL" ] && exit $ARG$retval || return $retval
}
## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
local retval
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
retval=$?
# "DEBUG: wierd failure curl: (35) Encountered end of file"
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
return $retval
}
## proxy_ping_make_help
proxy_ping_make_help () {
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
> /tmp/proxy_ping_test.hlp
return 0
}
## proxy_ping_test_virbr
proxy_ping_test_virbr () {
local n=$1
[ -z "$n" ] && n=1
[ -z "$CONN" ] || proxy_whonix_get_conn
[ "$CONN" = guest ] && return 0
[ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
proxy_ifconfig virbr$n >/dev/null && return 0
return 0
}
## proxy_ping_broken
proxy_ping_broken () { DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN $* ;
# 0 is true
local a=$MODE
if [ "$a" = vda -o "$a" = ws ]; then
# grep 10.152.152.10 /etc/resolv.conf &&
PING_BROKEN=0
return 0
elif [ "$a" = gateway ]; then
PING_BROKEN=0
return 0
elif [ -z "$PROXY_WLAN_GW" ] ; then
PING_BROKEN=0
return 0
fi
[ -n "$PING_BROKEN" ] && return $PING_BROKEN
DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $PROXY_WLAN_GW # 10.16.238.1
if [ $? -ne 0 ] ; then
PING_BROKEN=0
else
PING_BROKEN=1
fi
return $PING_BROKEN
}
## proxy_do_ping
proxy_do_ping () { DBUG proxy_do_ping $* ;
proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }
proxy_ping_broken && return 0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_get_if` || {
ERROR $prog unable to get wlan $? ; return 2 ;
}
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
if [ $retval -eq 1 ] ; then
# false negatives
sleep 4
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
retval=$?
fi
[ $retval -lt 1 ] || {
ERROR $prog do_ping $PROXY_WLAN retval=$retval
rm /tmp/P$$.log
PING_BROKEN=0
return 3$retval
}
grep -q ' 0% ' /tmp/P$$.log || \
{ ERROR $prog retval=$? test=$1 ping retval=$retval ; rm /tmp/P$$.log ; return 4 ; }
PING=1
grep 'packet\|bytes from' /tmp/P$$.log
rm /tmp/P$$.log
return 0
}
proxy_run_as_root () { DBUG proxy_run_as_root $* ;
[ $( id -u ) -eq 0 ] && return 0
ERROR must be root
[ -z "$ALL" ] && exit 9
return 1
}
## proxy_test_pretests
proxy_test_pretests () {
if [ "$1" = panic ] ; then
: dont ping on panic
proxy_ping_broken || proxy_do_ping || \
{ WARN ping failed for panic so skipping ; exit 0 ; }
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_ping_broken || proxy_do_ping || exit 3$?
proxy_ping_test_resolv $MODE ||\
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
{ WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE
exit 4 ; }
fi
return 0
}
## proxy_test_help_args
proxy_test_help_args () {
declare -a ret=()
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
echo "${ret[@]}"
return 0
}
ALL=0
## proxy_ping_test_set_args
proxy_ping_test_set_args () {
local args="$@"
local val="$@"
declare -a aret=()
rm -f /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
aret=( 6 13 16 ) && \
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = tor ] &&
aret=( 21 30 20 4 5 36 3 )
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
[ "$1" = "$SOCKS_PORT" ] && set -- socks
[ "$1" = "$HTTP_PORT" ] && set -- http
[ "$1" = "$HTTPS_PORT" ] && set -- https
[ "$1" = "53" ] && set -- dns
[ "$1" = "9053" ] && set -- tordns
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = tor ] && set -- torhost
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
# scenarios - modes: nat selektor
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = selektor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1
# aret="${#tests[@]}"
## gw - test if we are connected to the gateway
## torhost - running tor with the firewall
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
## ping - connected routed test the ping to DNS hosts
## ntp - ntpdate through the firewall
## nmap - nmap sgid through the firewall - does not assume env
## iwlist - wlan scan
## firewall - test that the firewall blocks
## virbr1 - assumes tor or whonix
## gateway - ssh to the whonix gateway
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
r
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
] ; then
aret+=( `proxy_test_help_args $elt` )
else
WARN unrecognized: $elt >&2
fi
done
DBUG "${aret[@]}" >&2
echo "${aret[@]}"
return 0
}
# -I $PROXY_WLAN -c 1 $DNS_HOST2
if [ "$#" = 0 ] ; then
# default to mode
set -- $MODE
fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
exit 0
elif [ "$1" = 0 ] ; then
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
echo 0 help /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test.hlp
for elt in "${!tests[@]}" ; do
echo $elt "${tests[$elt]}"
done
exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
: passthrough
else
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
fi
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_test_pretests "$1"
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
proxy_ping_chattr
fi
DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE $*
# $( sysctl net.ipv4.ping_group_range )
# proxy_iptables_save|grep 216
while [ "$#" -gt 0 ] ; do
# DBUG $prog $1
ARG=$1 ; shift
GREP=""
if [ -z "$ARG" ] ; then
continue
elif ! [ "$ARG" -ge 0 ] ; then
ERROR $prog called with an unrecognized argument $ARG from $0
exit 9
elif [ $ARG -le 0 ] ; then
# do the ping and resov.conf
true
elif [ $ARG -eq 1 ] ; then
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
[ -n "$https_proxy" ] && LARGS="" || \
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
$LARGS $WGET https://$HTTP_TARGET
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}"
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
[ -z "$ALL" ] && continue
fi
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 2 ] ; then
[ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 3 ] ; then
tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
# proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }
# curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
[ $DEBIAN -eq 0 ] && continue
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
retval=$?
ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
[ -z "$ALL" ] && exit $ARG$retval || continue ;
}
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy \
--interface virbr1 n--dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
else
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue ; }
fi
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 4 ] ; then
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
[ $HAVE_DIG = 1 ] || continue
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
fi
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 5 ] ; then
tests[5]="nslookup_socks_as_user - tordns "
[ $HAVE_NSLOOKUP = 1 ] || continue
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
$desc >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works with fix
GREP="$SOCKS_DNS"
elif [ $ARG -eq 6 ] ; then
proxy=`proxy_ping_get_https`
desc="curl --proxy http://${proxy}"
tests[6]="curl_https_as_user - https "
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" $desc
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 7 ] ; then
tests[8]="traceroute_icmp_dns_as_root --icmp - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -m $THOPS || { \
retval=$?
ERROR $retval traceroute --icmp -m $THOPS
[ -z "$ALL" ] && exit 7$retval
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 8 ] ; then
tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN -p 53 -T4 $DNS_TARGET -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 9 ] ; then
tests[9]="traceroute_icmp_dns_as_user -p 53 - trace "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -p 53 -m $THOPS || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="53"
elif [ $ARG -eq 10 ] ; then
tests[10]="wget_http_as_user $HTTP_PORT - http "
proxy=`proxy_ping_get_http`
env http_proxy=http://${proxy} \
$WGET -S http://$HTTP_TARGET 2>/dev/null
retval=$?
# 8 is an oddball
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
else
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
GREP="$HTTP_PORT"
elif [ $ARG -eq 11 ] ; then
tests[11]="curl_https_as_user - https "
proxy=`proxy_ping_get_https`
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="$HTTP_PORT"
elif [ $ARG -eq 12 ] ; then
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 13 ] ; then
tests[13]="curl_firewall_bin - wifi "
[ $USER = root ] || continue
proxy_test_curl_firewall_bin || continue
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
# works
GREP="443"
elif [ $ARG -eq 14 ] ; then
tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
[ $USER = root ] || continue
[ $HAVE_TRACEROUTE = 1 ] || continue
proxy_test_traceroute_icmp_gw || continue
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 15 ] ; then
tests[15]="test_dig_direct - direct "
[ $HAVE_DIG = 1 ] || continue
proxy_test_dig_direct || continue
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
elif [ $ARG -eq 16 ] ; then
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
[ $USER = root ] || continue
[ $HAVE_NSLOOKUP = 1 ] || continue
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works /fails but maybe a noop
GREP="53"
elif [ $ARG -eq 17 ] ; then
tests[17]="ntpdate_as_root ntpdate without service - ntp "
proxy_run_as_root || exit 9
[ -x /usr/sbin/ntpdate ] || continue
# Curious: even though sgid 2755 ntp it fails as su ntp
# 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
/usr/sbin/ntpdate "$NTP_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="123"
elif [ $ARG -eq 18 ] ; then
tests[18]="ntpdate_as_root ntpdate with servie - ntp "
proxy_run_as_root || exit 9
proxy_rc_service ntpd status >/dev/null && \
proxy_rc_service ntpd stop >/dev/null && sleep 2
/usr/sbin/ntpdate $NTP_HOST1 || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
GREP="123"
elif [ $ARG -eq 19 ] ; then
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
http://$HTTP_TARGET >/dev/null && {
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=80
elif [ $ARG -eq 20 ] ; then
tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
# needs dns
[ $DEBIAN -eq 0 ] && continue
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works with user/pass
GREP="$SOCKS_PORT"
elif [ $ARG -eq 21 ] ; then
tests[21]="curl_httpsproxy_as_user - https "
[ -z "$https_proxy" ] && https_proxy=http://${HTTPS_PROXY_HOST}:${HTTPS_PORT}
proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || { \
if [ "$MODE" = gateway ] ; then
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
continue
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
}
INFO $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
GREP="${HTTPS_PORT}"
elif [ $ARG -eq 22 ] ; then
tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
[ $USER = root ] || continue
which iwlist 2>/dev/null || continue
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
iwlist $PROXY_WLAN scan >/dev/null || {
ERROR $prog retval=$? test=$ARG $PROXY_WLAN scan
[ -z "$ALL" ] && exit $ARG$1 || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
elif [ $ARG -eq 23 ] ; then
tests[23]="curl_proxy_as_user - direct "
proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 24 ] ; then
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
[ -n "$IP" ] || continue
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" dig -b $IP
elif [ $ARG -eq 25 ] ; then
tests[25]="nslookup_as_user - direct "
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null www.whatismypublicip.com || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
elif [ $ARG -eq 26 ] ; then
tests[26]="route_connected_ping_scan - direct "
[ $HAVE_DIG = 1 ] || continue
#? proxy_test_pretests
proxy_do_ping && \
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
elif [ $ARG -eq 27 ] ; then
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 28 ] ; then
tests[28]="wget_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
$WGET -S https://$HTTP_TARGET 2>/dev/null
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}" wget
else
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
[ -z "$ALL" ] && exit $ARG$retval || continue
fi
elif [ $ARG -eq 29 ] ; then
tests[29]="curl_as_user - direct "
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
proxy_ping_curl https://$HTTP_TARGET >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = selektor ] || {
ERROR $prog MODE != tor test=$ARG
[ -z "$ALL" ] && exit $ARG$retval || continue
}
port=$SOCKS_PORT
$NETS | grep -q :$port || {
ERROR $prog retval=$? test=$ARG tor not running on $port
[ -z "$ALL" ] && exit $ARG || continue
}
[ $USER = root ] || continue
# was /usr/local/bin/tor_bootstrap_check.bash
[ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || return 1
python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py
# morons 100%
retval=$?
[ $retval -eq 0 -o $retval -eq 100 ] || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
}
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 31 ] ; then
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="$HTTP_PORT"
elif [ $ARG -eq 32 ] ; then
tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || proxy_ping_get_wlan_gw || continue
proxy_ping_nmap_direct $DNS_HOST1 "$PROXY_WLAN_GW" U:67 || {
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 33 ] ; then
tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
proxy_ping_test_virbr 1 || {
retval=$?
ERROR $CONN virbr1 not running
[ -z "$ALL" ] && exit 1 || continue
}
# * Immediate connect fail for 10.0.2.15: Connection refused
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 34 ] ; then
tests[34]="python_ping_as_root traceroute --icmp $PROXY_WLAN_GW - wifi "
[ $USER = root ] || continue
[ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || continue
[ -f /usr/local/bin/ping2.py ] || continue
/usr/local/bin/ping2.py $IP $DNS_HOST1 $PROXY_WLAN_GW || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
[ -z "$ALL" ] && exit $ARG$retval || continue
}
# works
INFO $prog test=$ARG "${tests[$ARG]}"
GREP="-i icmp"
elif [ $ARG -eq 35 ] ; then
tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
[ $USER = root ] || continue
[ $HAVE_DIG = 1 ] || continue
# @$DNS_HOST1
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="53"
elif [ $ARG -eq 36 ] ; then
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
[ $HAVE_TOR_RESOLVE = 1 ] || continue
tor-resolve pool.ntp.org >/dev/null || { \
retval=$?
# dunno Failed parsing SOCKS5 response conf?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
# works
GREP="9053"
elif [ $ARG -eq 37 ] ; then
tests[37]="qemu-guest-agent and ports - libvirtguest "
ser=qemu-guest-agent
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
proxy_rc_service $ser status >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
[ -z "$ALL" ] && exit $ARG$retval || continue
}
[ -d /dev/virtio-ports ] || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
if [ $aret -eq 10 ] ;then
WARN proxy_libvirt_status hung
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
DBUG proxy_libvirt_status aret=$aret
else
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
ERROR MODE=$MODE and $GATEW_DOM not running ;
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
elif false ; then
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
$NETS | grep -q :53 || {
ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
[ -z "$ALL" ] && exit 1 || continue
}
fi
fi
[ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
DBUG `dmesg|tail|grep $GREP|tail -$DMESG_LINES`
done
exit 0
1)
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
2)
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
5)
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
6)
curl -k --proxy $HTTP_PORT
16)
nslookup $PRIV_BIN_OWNER
18)
ntpdate as sroot
19)
curl raw noproxy
0)
usage
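Review bot: `DNS_HOST2="8.8.8.8"ggggg` leaves stray characters outside the quotes, so the value becomes `8.8.8.8ggggg` and both `ping ... $DNS_HOST2` calls in proxy_do_ping fail on name resolution instead of testing connectivity; it should be `DNS_HOST2="8.8.8.8"`. In the same prologue `[ -z "$prog" ] || prog=proxy_ping_test` is inverted — it only assigns when `$prog` is already set — and should be `[ -n "$prog" ] || prog=proxy_ping_test`. The lone `r` line before the `for elt in "$@"` loop in proxy_ping_test_set_args is executed as a command and only produces a "command not found" error; remove it. The `ARG -eq 7` branch assigns `tests[8]` where `tests[7]` is meant, so its INFO/ERROR lines print an empty description for test 7.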


@ -0,0 +1,10 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"
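Review bot: Both `sh $PREFIX/bin/proxy_ping_test.bash ...` lines run a `.bash` script under `sh`, which on Debian-family systems is dash; if proxy_ping_test.bash is the script shown earlier on this page (it uses `tests[37]=` arrays and `${tests[$ARG]}`), it is bash-only and will fail before any ping check runs, yet the `|| exit` would still report that as a connectivity failure. Invoking it as `bash $PREFIX/bin/proxy_ping_test.bash wifi || exit 1` (or directly through its shebang) avoids that. `ROLE=proxy` is assigned but never used in this wrapper. The later 18-line `#!/bin/sh` sdwdate wrapper has the same `sh ... .bash` invocation and additionally assigns `PREFIX=/usr/local` twice.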


@ -0,0 +1,69 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE
. /usr/local/bin/usr_local_base.bash || exit 2
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
openssl=openssl
OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
if [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
elif [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
# check /etc/tor/torsocks.conf
openssl='torsocks openssl'
fi
OUTR=/tmp/$prog$$
for item in "$@" ; do
i=0
OUTRF=$OUTR.$item
INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
</dev/null 2>$OUTRF.err >$OUTRF.out
[ $? -eq 0 ] || {
retval=$?
ERROR $prog $retval see $OUTRF.err
cat $OUTRF.err
exit 1$retval
}
[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
DBUG $prog Certificate chain:
grep '^ [0-9][0-9]* ' $OUTRF.chain
INFO $prog Base64 Certificate sha256 digests:
rest=$( cat $OUTRF.chain )
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
done
exit 0
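Review bot: The pin pipeline's `openssl rsa -pubin -outform der` stage only accepts RSA keys; for an EC or other key it fails, `2>/dev/null` hides the failure, and the following `dgst`/`enc` stages still print a base64 digest of empty input, so the script emits a plausible-looking but wrong pin for such certificates. `openssl pkey -pubin -outform der 2>/dev/null |` is a drop-in replacement that handles every key type. `retval=$?` inside the `|| { ... }` block after the s_client call records the status of the `[ $? -eq 0 ]` test (always 1) rather than openssl's exit code; capture it first with `retval=$?` on its own line and test `[ $retval -eq 0 ] || {`. The `[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT` guard also looks inverted: when proxy_ping_update_cacert fails, CAFILE becomes empty and `--CAfile $CAFILE` then consumes `-bugs` as the CA file name; the same guard appears in the next file.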


@ -0,0 +1,351 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
NOW=$( date -u +%y-%m-%d_%H%m )
DEBUG=1
PROXY_WLAN=wlan4
prog=$( basename $0 .bash )
# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
PATH=$PATH:/sbin
BADSSL_SITES=(
self-signed.badssl.com
expired.badssl.com
mixed.badssl.com
rc4.badssl.com
hsts.badssl.com
)
badssl=0
[ "$#" -eq 0 ] && badssl=1
# tests="$MODE"
tests=""
nodig=1
verbosity=2
outdir=/tmp
timeout=20
#[ -f /usr/local/etc/testforge/testforge.bash ] && \
# . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
else
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
fi
[ -z "$MODE" ] || MODE=`proxy_ping_mode`
if [ "$MODE" = tor ] ; then
[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
if ip route | grep ^def ; then
PROXY_WLAN_IP=$( proxy_get_wlan_ip )
[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
fi
fi
usage() {
echo "Usage: $0 [OPTIONS] dirs-or-files"
echo
echo " -B | --badssl - test badssl.org sites"
echo " -D | --nodig - no dig sites"
echo " -T | --tests - ping tests to run first"
echo " -o | --outdir=/tmp - output directory"
echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
echo
echo " -V | --version - print version of this script"
echo " -h | --help - print this help"
}
SHORTOPTS="hVBDT:v:"
LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
HOSTS=
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
eval set -- "$ARGS"
while true; do
case "$1" in
# -t --tests
-o|--outdir)
shift
outdir="$1"
;;
-v|--verbosity)
shift
verbosity="$1"
;;
-B|--badssl)
badssl=1
;;
-D|--nodig)
nodig=1
;;
-T|--tests)
shift
tests="$1"
;;
-V|--version)
usage
exit 0
;;
-h|--help)
usage
exit 0
;;
'--')
shift
HOSTS="$*"
break
;;
*)
{ ERROR "unrecognized arguments $*" ; exit 6 ; }
break
;;
esac
shift
done
[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
kill_time=$( expr $timeout + 10 )
[ -z "$tests" ] || \
for elt in $tests ; do
/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
done
if which sslscan 2>/dev/null ; then
sslscan='sslscan'
SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
else
# no proxy support
sslscan=''
fi
# sslscan --show-client-cas - no proxy
openssl=openssl
OPENSSL_ARGS="-4 -bugs -showcerts"
if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
testssl='testssl.bash'
TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
#? --ssl-native
TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
else
# no proxy support
testssl=''
fi
if [ -f /usr/local/bin/scurl.bash ] ; then
curl="/usr/local/bin/scurl.bash -- -s -S"
else
curl='curl -s -S'
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
analyze=/var/local/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""
fi
warns=0
OUTR=$outdir/$prog-$NOW
if [ $nodig -eq 0 ] ; then
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ $MODE = tor ] ; then
torresolve $item > $OUTRF.dig.out 2>&1
retval=$?
[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
elif false ; then
nslookup $item > $OUTRF.nslookup.out 2>&1
#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
else
dig $item > $OUTRF.dig.out 2>&1
[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
fi
done
fi
# [ -r /etc/tor/torrc ]
# was https take precedence over socks
if [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
openssl='torsocks openssl'
# --interface lo --dns-interface lo
[ -n "$analyze" ] && analyze="torsocks $analyze"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
if [ $MODE = tor -o $MODE = selektor ] ; then
sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
fi
CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
CURL_ARGS="$CURL_ARGS --interface"
fi
if netstat -nle4 | grep 127.0.1:53 ; then
CURL_ARGS="$CURL_ARGS --dns-interface lo"
fi
elif [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
else
: direct
fi
TENVS="DNS_VIA_PROXY=true"
errs=0
for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ -n "$openssl" ] ; then
INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
echo $openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null > $OUTRF.s_client.out
timeout ${kill_time}s \
$openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null >> $OUTRF.s_client.out 2>&1
# :error:\|
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
elif [ $? -ne 0 ] ; then
WARN "openssl s_client failed $? see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='unable to get local issuer certificate' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='Cipher is (NONE)' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='SSL handshake has read 0 bytes' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
else
echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
timeout ${kill_time}s \
$openssl s_client -showcerts \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
> $OUTRF.s_client.certs 2>&1
fi
fi
if [ -n "$sslscan" ] ; then
echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
timeout ${kill_time}s \
$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
elif [ $? -ne 0 ] ; then
WARN "sslscan failed $? see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'Connection failed' $OUTRF.sslscan.out ; then
# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
else
INFO "$sslscan $SSLSCAN_ARGS $item"
fi
fi
if [ -n "$testssl" -a -n "$https_proxy" ] ; then
# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
if [ $? -ne 0 ] ; then
WARN "testssl failed $? see $OUTRF.testssl.out"
i=$( expr $i + 1 )
elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
WARN "testssl failure see $OUTRF.testssl.out"
i=$( expr $i + 1 )
else
INFO "$testssl $TESTSSL_ARGS $item"
echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
fi
fi
if [ -n "$curl" ] ; then
DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
if [ $? -eq 0 ] ; then
grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
i=$( expr $i + 1 ) ; } || \
INFO $curl $CURL_ARGS $item
else
INFO $curl $CURL_ARGS $item
fi
fi
if [ -n "$analyze" ] ; then
timeout ${kill_time}s \
$analyze $ANALYZE_ARGS --name $item ${item}:443 \
> $OUTRF.analyze-ssl.out 2>&1
# certificate verified : ok
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
elif [ $? -eq 0 ] ; then
INFO "$analyze $ANALYZE_ARGS $item"
else
WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
i=$( expr $i + 1 )
fi
fi
[ $i -eq 0 ] && continue
WARN "$i failures for $item"
errs=$(expr $errs + $i )
DBUG $OUTRF.*.out
done
done
find $OUTRF.* -type f -empty -delete
exit $errs
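Review bot: The `if [ $? -eq 124 ] ... elif [ $? -ne 0 ]` chains after the s_client, sslscan and analyze-ssl invocations test `$?` twice, but the second `$?` is the status of the first `[` test, not of the tool: a successful run fails the `-eq 124` test, so the `-ne 0` branch always fires, the success branch (including the `-showcerts` capture) is unreachable, and every host is counted as a failure. Store the status once, `rc=$?` on the line after each `timeout ${kill_time}s ...` command, and compare `$rc` in every branch. Two smaller issues: `[ -z "PROXY_WLAN" ]` tests a literal string (missing `$`), so the `proxy_get_if` fallback never runs, and `grep 'ANSWER: 1' ... || ERROR ... && exit 2$?` parses as `(grep || ERROR) && exit`, so the dig loop exits after the first host that resolves.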


@ -0,0 +1,137 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
#. /usr/local/bin/proxy_ping_lib.bash || \
# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_whonix_mode
## proxy_whonix_test_mode - proxy_whonix_host.bash test
proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
fi
return 0
}
## proxy_whonix_status - proxy_ping_test.bash "$MODE"
proxy_whonix_status () { DBUG proxy_whonix_status $* ;
$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
return 0
}
## proxy_whonix_refresh
proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
local USAGE="python|pip"
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
/usr/local/bin/testforge_clean_usr_local_lib.bash
elif [ "$1" = 'pip' ] ; then
/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
base_sheebang_after_pip.bash
else
:
fi
}
UPGRADE_USAGE="python|pip"
## proxy_whonix_update - $UPGRADE_USAGE
proxy_whonix_update() {
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $UPGRADE_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
:
elif [ "$1" = 'pip' ] ; then
:
else
:
fi
}
TEST_USAGE="ssl|ping|mode|libvirt|ga"
## proxy_whonix_test - test $TEST_USAGE
proxy_whonix_test () { DBUG proxy_whonix_test $* ;
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $TEST_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'ssl' ] ; then
$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
elif [ "$1" = 'mode' ] ; then
proxy_whonix_test_mode || exit 4$?
elif [ "$1" = 'ping' ] ; then
$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
elif [ "$1" = 'libvirt' ] ; then
$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
elif [ "$1" = 'ga' ] ; then
$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
else
:
fi
return 0
}
WD=$PWD
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
exit 0
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
exit 0
elif [ "$1" = client ] ; then
shift
elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
[ $1 = ws ] && arg=workstation || arg=$1
shift
$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = host ] ; then
shift
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
:
else
DBUG $prog $*
eval "$@"
exit $?
fi
exit 0
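Review bot: `elif [ 'to_tor' -o "$1" = 'tor' ... ]` is always true because the bare non-empty string `'to_tor'` is itself a true test, so every argument not caught by the `client` and `ws|workstation|gateway` branches (host, refresh, update, test, status, up, down, hourly) is forwarded to proxy_whonix_host.bash and the branches below are unreachable; it should read `elif [ "$1" = 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then`. Once that is fixed, the final `eval "$@"` fallback becomes reachable and runs any unrecognised argument as shell code in a script that insists on root (the `id -u` check); if the intent is to call library functions by name, restrict it to names that exist, e.g. `declare -F "$1" >/dev/null || { echo USAGE: $prog $USAGE ; exit 1 ; }` before the eval. The error message on the lib-sourcing line names `proxy_whonix_host_lib.bash` while the file sourced is `proxy_whonix_lib.bash`. `proxy_whonix_up`/`proxy_whonix_down` are dispatched to but not defined in this file; presumably they come from the sourced library.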


@ -0,0 +1,254 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# must not use stdout
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
prog=scurl
umask 022
RETRIES=2
SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! route | grep -q ^def ; then
WARN $prog we are not connected >&2
exit -1
fi
usage="curls with some wget options
Usage: $prog options -- curl-options
Options:
-P, --directory-prefix
-X, --force-directories create directories to download to
-C, --cacert CA certs in .pem
-M, --mode proxy_ping_mode
-S, --ssl ssl version 2=tls1.2 3=tls1.3
-Y, --ciphers comma sep list of ciphers
-Q, --quiet --silent --show-error
-h, --help display this help and exit
"
if [[ $? -ne 0 ]]; then
echo "$usage"
exit 2
fi
declare -a LARGS
# --location is required to follow redirects
# im not sure about --http2
LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
LARGS+=( --retry-delay 10 --show-error --fail )
# --proto-redir https --proto =https is required to prevent protocol downgrades
LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x /var/local/bin/curl.bash ] ; then
EXE=/var/local/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else
EXE=curl
fi
SHORT=M:QP:XC:F:hS:
LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
#? export POSIXLY_CORRECT=1
PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
eval set -- "$PARSED"
P="$PWD"
X="0"
# echo DEBUG: WD=$WD rest=$*
LOGF=/tmp/$prog$$.err
SSL_CIPHERS=""
while true; do
case "$1" in
-P|--directory-prefix)
shift
P="$1"
shift
# echo DEBUG: P=$WD rest=$*
;;
-X|--force-directories)
X=1
shift
;;
-S|--ssl)
shift
SSL_VER="$1"
shift
;;
-Y|--ciphers)
shift
SSL_CIPHERS="$1"
shift
;;
-C|--cacert|-Z|--ca-cert)
shift
CA_CERT="$1"
shift
;;
-M|--mode)
shift
MODE="$1"
shift
;;
-Q|--quiet)
shift
LARGS="$LARGS --silent --show-error"
;;
-h|--help)
echo USAGE: "$usage"
exit 0
;;
--)
shift
break
;;
*)
# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
break
;;
esac
done
[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
LARGS+=( --tlsv1.$SSL_VER )
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
fi
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="aes_256_gcm_sha_384"
fi
[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
netstat -nle4 | grep -q 127.0.0.1:53 ; then
LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
else
debug 127.0.0.1:53 not running MODE=$MODE
fi
if ! uname -a | grep -q 'Devuan\|Debian' ; then
if [ -f $HOME/.local/ ] ; then
[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
LARGS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
fi
export CURLOPT_ALTSVC_CTRL=16
fi
declare -a RARGS
RARGS=("$@")
DBUG "$#" "${RARGS[*]}" >&2
i=0
while [ $i -le $RETRIES ] ; do
# assumes one URL
if [ "${#RARGS[@]}" -eq 1 ] ; then
the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
else
the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
fi
RARGS[-1]="$the_url"
site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
i=`expr $i + 1`
if [ "$X" = 1 ] ; then
rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
LARGS+=( --output "$output" --create-dirs )
fi
DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
retval=$?
if [ "$retval" -eq 22 ] || \
tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
# on 22 - change to HTTP code
code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
if [ "$code" = 416 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
retval=$code
elif [ "$code" = 429 ] ; then
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
exit $retval
elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
# 403 Cloudflare
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
else
WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
fi
elif [ "$retval" = 35 ] ; then
# 35 CURLE_SSL_CONNECT_ERROR
ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
# feedback to scurl_urls.sh
NOTLSV3+=( $site )
elif [ "$retval" = 1 ] ; then
# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" = 92 ] ; then
# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" -ne 0 ] ; then
# curl: (3) URL using bad/illegal format or missing URL - worked
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
continue
elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
continue
else
INFO "$prog $output = $LOGF" >&2
# rm -f $LOGF
fi
break
# "$P/$rel_file"
# if [ $retval -gt 0 ] ; then
# The requested URL returned error: 416
# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
# fi
done
exit $retval
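Review bot: The `-Q|--quiet` case does `LARGS="$LARGS --silent --show-error"`, but LARGS is an array: this overwrites element 0 with the single word `--remote-time --silent --show-error`, which `"${LARGS[@]}"` later passes to curl as one unrecognised option, so the quiet flag breaks every download; it should be `LARGS+=( --silent --show-error )`. The `-Y|--ciphers` case can never be reached because `SHORT` lacks `Y:` and `LONG` lacks `ciphers:`, and `cacert` in LONG has no trailing colon although `-C` takes a value; getopt's exit status is also never checked before `eval set -- "$PARSED"`, so a bad option falls through into the loop (`[ $? -ne 0 ] && { echo "$usage" ; exit 2 ; }` after the `PARSED=` line). The `if [[ $? -ne 0 ]]` after the `usage=` assignment is dead code, since a plain assignment always succeeds. `[ -f $HOME/.local/ ]` tests a directory with `-f` and is always false, so the alt-svc cache is never enabled.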


@ -0,0 +1,18 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
PREFIX=/usr/local
ROLE=proxy
if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
if virsh|grep Whonix-Gateway ; then
sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
else
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
fi
fi
export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
exec python3.sh $PREFIX/bin/sdwdate_.py "$@"


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.gateway


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.selektor


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.tor


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.whonix


@ -0,0 +1 @@
../../../../../templates/etc/firewall.conf.ws


@ -0,0 +1,20 @@
151.101.122.132 deb.debian.org
216.58.204.110 google.com
151.80.211.8 pool.ntp.org
78.46.53.2 pool.ntp.org
207.34.49.172 pool.ntp.org
205.206.70.7 pool.ntp.org
206.108.0.131 pool.ntp.org
162.159.200.1 pool.ntp.org
140.82.112.4 github.com
37.58.58.140 mirror.leaseweb.com
5.79.75.37 novg.net
193.150.121.24 reseed.i2p2.no
167.71.120.31 reseed.onion.im
34.201.225.154 i2pseed.creativecowpat.net
80.74.145.70 reseed.diva.exchange
167.71.120.31 reseed.onion.im
68.183.196.133 reseed.i2pgit.org
193.150.121.24 reseed.i2p2.no
81.7.7.4 reseed.i2p-projekt.de
132.163.97.3 time.nist.gov
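Review bot: `167.71.120.31 reseed.onion.im` and `193.150.121.24 reseed.i2p2.no` are each listed twice; the duplicates are harmless to the resolver but make the file harder to audit. Static pins for rotating services such as pool.ntp.org, github.com and deb.debian.org go stale without any error, and plain NTP carries no transport authentication that would reveal a stale or wrong address, so a header comment recording when and how these addresses were captured would help whoever maintains the file, e.g. `# pinned YYYY-MM-DD from <source>; refresh before relying on these`.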


@ -0,0 +1,33 @@
#!/sbin/openrc-run
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="Virtual Machine Management daemon (libvirt)"
LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"}
LIBVIRTD_TIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"}
command="/usr/sbin/libvirtd"
command_args="${LIBVIRTD_OPTS}"
start_stop_daemon_args="-b --env KRB5_KTNAME=/etc/libvirt/krb5.tab"
pidfile="/run/libvirtd.pid"
retry="${LIBVIRTD_TERMTIMEOUT}"
depend() {
need virtlogd
use ceph dbus iscsid virtlockd
after cgconfig corosync ebtables iptables ip6tables nfs nfsmount ntp-client ntpdportmap rpc.statd sanlock xenconsoled
USE_FLAG_FIREWALLD
}
start_pre() {
# Test configuration directories in /etc/libvirt/ to be either not
# present or a directory, i.e. not a regular file, bug #532892
checkpath --directory /etc/libvirt/lxc || return 1
checkpath --directory /etc/libvirt/nwfilter || return 1
[ -L /etc/libvirt/qemu ] ||
checkpath --directory /etc/libvirt/qemu || return 1
[ -L /etc/libvirt/storage ] ||
checkpath --directory /etc/libvirt/storage || return 1
}
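Review bot: `retry="${LIBVIRTD_TERMTIMEOUT}"` reads a variable that is never given a default: the line above assigns the default `TERM/25/KILL/5` to `LIBVIRTD_TIMEOUT`, a different name, so unless the conf.d file sets LIBVIRTD_TERMTIMEOUT the `retry` value is empty and openrc falls back to its own stop behaviour. Either rename the assignment to `LIBVIRTD_TERMTIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"}` or read `retry="${LIBVIRTD_TIMEOUT}"`. The bare `USE_FLAG_FIREWALLD` token in depend() looks like an unsubstituted build-time placeholder from the packaged init script; as committed, openrc would try to execute it as a command, so it should be replaced by the intended dependency line (or dropped if firewalld is not used) before this file is deployed.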


@ -0,0 +1,41 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
# interface "eth1"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Me<->Extranet" "((src ${me}) and not (dst ${me})) or ((dst ${me}) and not (src ${me}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
# select_rule "Me<->Whonix"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off


@ -0,0 +1,42 @@
#
# jnettop, network online traffic visualiser
# Copyright (C) 2002-2005 Jakub Skopal
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
#
interface "eth0"
variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
variable "me" "net 10.16.238.53"
variable "vda" "net 10.152.152.11"
variable "lo" "net 127.0.0.1/32"
variable "virbr1" "net 10.0.2.2"
variable "whonix" "net 10.0.2.0/24"
rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
rule "Vda<->Intranet" "((src ${vda}) and not (dst ${vda})) or ((dst ${vda}) and not (src ${vda}))"
rule "Google" "host www.google.com"
rule "IPv6" "ip6"
local_aggregation none
remote_aggregation none
local_network "192.168.0.0" "255.255.0.0"
local_network "10.0.0.0" "255.0.0.0"
select_rule "Vda<->Intranet"
# resolve_rule "192.168.0.0" "255.255.0.0" normal
# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
resolve off


@ -0,0 +1,6 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
/usr/local/sbin/proxy_libvirt_hook_network.bash
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml


@ -0,0 +1,381 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# prog=rc.local
PREFIX=/usr/local
ROLE=local
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
if [ -x /sbin/rc-service ] ; then
local_rc_service () { rc-service "$@" ; }
local_rc_update () { rc-update "$@" ; }
elif [ -x /bin/systemctl ] ; then
local_rc_service () {
systemctl list-units --no-pager | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
systemctl list-units --no-pager
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
echo INFO: $prog systemctl --no-pager $dire $svc "$@"
systemctl --no-pager $dire $svc "$@"
return $?
}
elif [ -x /usr/sbin/service ] ; then
local_rc_service () {
/usr/sbin/service --status-all 2>&1 | grep -q $1 && \
echo INFO: /usr/sbin/service "$@" || \
echo WARN: /usr/sbin/service "$@"
/usr/sbin/service "$@" 2>/dev/null
return $?
}
local_rc_update () {
if [ "$#" -eq 0 ] ; then
/usr/sbin/service --status-all 2>&1 | sed -e 's/.* //'
return $?
fi
dir=$1 ; shift ;
svc=$1 ; shift ;
# disable|enable |remove
if [ $dir = add ] ; then
dire=enable
elif [ $dir = del ] ; then
dire=disable
else
dire=$dir
fi
update-rc.d $svc $dire || echo WARN: update-rc.d $svc $dir $dire
}
fi
proxy_rc_service () { local_rc_service $* ; }
proxy_rc_update () { local_rc_update $* ; }
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
## local_disable_lid
local_disable_lid () {
# https://bbs.archlinux.org/viewtopic.php?id=72779
echo LID0 > /proc/acpi/wakeup
# https://forums.linuxmint.com/viewtopic.php?f=208&t=106532
if [ -f /etc/UPower/UPower.conf ] ; then
[ -f /etc/UPower/UPower.conf.bak ] || \
cp -p /etc/UPower/UPower.conf /etc/UPower/UPower.conf.bak
grep -q '^IgnoreLid=true' /etc/UPower/UPower.conf || \
sed -e 's@#*IgnoreLid=.*@IgnoreLid=true@' -i /etc/UPower/UPower.conf
fi
if [ -f /etc/systemd/logind.conf ] ; then
[ -f /etc/systemd/logind.conf.bak ] || \
cp -p /etc/systemd/logind.conf /etc/systemd/logind.conf.bak
grep -q '^HandleLidSwitch=ignore' /etc/systemd/logind.conf || \
sed -e 's@^#*HandleLidSwitch=.*@HandleLidSwitch=ignore@' -i /etc/systemd/logind.conf
fi
return 0
}
## local_guest_start_services
local_guest_start_services () {
for file in /usr/local/etc/modules-load.d/vda*conf ; do
[ -s $file ] || continue
base=`basename $file`
[ -e /etc/modules-load.d/$base ] && continue
echo "# from $file" > /etc/modules-load.d/$base
grep -v '^#' $file >> /etc/modules-load.d/$base
done
grep -hv '#' /etc/modules-load.d/vda*.conf | xargs modprobe --all
local_start_services $*
exit 0
}
local_guest_add_xorg_conf () {
[ -f /etc/X11/xorg.conf.d/80_qxl.conf ] || \
grep -q Drive.*qxl /etc/X11/xorg.conf.d/*.conf || \
cat > /etc/X11/xorg.conf.d/80_qxl.conf << EOF
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
Section "Device"
Identifier "qxl"
Driver "qxl"
Option "DPI" "96 x 96"
Option "ENABLE_IMAGE_CACHE" "True"
Option "ENABLE_FALLBACK_CACHE" "False"
Option "ENABLE_SURFACES" "False"
EndSection
# END ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
EOF
return 0
}
## local_guest_config
local_guest_config () {
[ -d /etc/qemu ] || mkdir /etc/qemu
[ -f /etc/qemu/qemu-ga.conf ] || cat > /etc/qemu/qemu-ga.conf <<EOF
[general]
daemon=false
method=virtio-serial
path=/dev/virtio-ports/org.qemu.guest_agent.0
pidfile=/run/qemu-ga.pid
statedir=/run
verbose=true
retry-path=false
blacklist=
logfile=/var/log/libvirtd/qemu-ga.log
EOF
[ -d /var/log/libvirtd/ ] || mkdir /var/log/libvirtd/
[ -f /etc/default/qemu-guest-agent.diff ] || cat > /etc/default/qemu-guest-agent.diff <<EOF
*** /etc/default/qemu-guest-agent.dst 2021-01-05 03:28:20.579117119 +0000
--- /etc/default/qemu-guest-agent 2021-08-27 20:26:36.234739996 +0000
***************
*** 1 ****
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log"
--- 1 ----
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log --verbose --pidfile /run/qemu-ga.pid"
EOF
[ -f /etc/default/qemu-guest-agent.dst ] || \
patch -z .st -b /etc/default/qemu-guest-agent \
< /etc/default/qemu-guest-agent.diff
return 0
}
## local_guest_status
local_guest_status () {
if [ ! -f /var/log/libvirtd/qemu-ga.log ] ; then
echo WARN: missing /var/log/libvirtd/qemu-ga.log
elif grep -q critical: /var/log/libvirtd/qemu-ga.log ; then
echo ERROR: critical /var/log/libvirtd/qemu-ga.log
fi
return 0
}
## local_guest_neutersystemd
local_guest_neutersystemd () {
[ ! -f /lib/lsb/init-functions.d/40-systemd ] || \
mv /lib/lsb/init-functions.d/40-systemd /lib/lsb/.40-systemd
return 0
}
# vda
## local_host_symlink_usr_src
local_host_symlink_etc_fstab () {
# guest
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 0
}
## local_host_make_dmcrypt_swap
local_host_make_dmcrypt_swap () {
local two five
if ! grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps ; then
blkid > ~/blkid.txt
five=`grep _05E ~/blkid.txt | head -1`
if [ $? -eq 0 -a -n "$five" ] ; then
two=`echo $five | sed -e 's/_.*//' -e 's/.*="//'`_02SWAP
if ! grep $two ~/blkid.txt ; then
dev=`echo $five | sed -e 's/:.*//' -e 's/5/2/'`
[ $? -eq 0 -a -n "$dev" ] && mkswap -L $two $dev
fi
grep $two /etc/conf.d/dmcrypt && local_rc_service dmcrypt restart || echo WARN: $two not in /etc/conf.d/dmcrypt
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || local_rc_service swap restart
# if its not in fstab
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || swapon /dev/mapper/cryptswap*
fi
fi
return 0
}
# all
## local_start_services
local_start_services () {
for elt in $*; do
local_rc_service $elt status >/dev/null || local_rc_service $elt start
local_rc_update | grep -q $elt || local_rc_update add $elt
done
return 0
}
# all
## nlocal_manual_stop_services
local_manual_stop_services () {
# set these to stop now and restart them manually as we configure them
# rsync on debian
for elt in $* ; do
local_rc_service $elt status >/dev/null && local_rc_service $elt stop
local_rc_update | grep -q $elt && local_rc_update del $elt
done
return 0
}
# all
## local_host_symlink_usr_src
local_host_symlink_usr_src () {
local dir
dir=`cat /proc/cmdline|sed -e 's/.*BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
WD=$PWD
cd /usr/src
if [ -d $dir ] ; then
rm -f linux
ln -s $dir linux || echo WARN: $PWD/$dir not found
fi
cd $WD
return 0
}
# all
## local_lightdm_on_text
local_lightdm_on_text () {
return 0
[ ! -f /usr/sbin/lightdm ] && return 0
if [ ! -f /usr/sbin/lightdm.bin ] ; then
[ -f /usr/sbin/lightdm.bad ] && mv /usr/sbin/lightdm.bad /usr/sbin/lightdm.bin
[ ! -f /usr/sbin/lightdm.bin ] && mv /usr/sbin/lightdm /usr/sbin/lightdm.bin
if [ -f /usr/sbin/lightdm.bin ] && [ -f /usr/sbin/lightdm ] ; then
cat > /usr/sbin/lightdm << EOF
#!/bin/sh
grep -q ' text ' /proc/cmdline && exit 0
exec /usr/sbin/lightdm.bin "$@"
EOF
chmod 755 /usr/sbin/lightdm
fi
fi
return 0
}
## local_host_restart_psmouse
local_host_restart_psmouse () {
local_rc_service gpm status && local_rc_service gpm stop
rmmod psmouse; sleep 1; modprobe psmouse proto=exps
local_rc_service gpm start
return 0
}
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L >/dev/null || exit 2
fi
return 0
}
## local_all
local_all () {
local_disable_lid
touch /var/log/boot
chmod 775 /usr/local/*bin/*sh /var/local/*bin/*sh
# grep -q text /proc/cmdline && local_lightdm_on_text
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
return 0
}
## local_manual_mask_services
local_manual_mask_services () {
if [ -d /usr/local/etc/systemd/ ] ; then
local_systemd_stop_and_mask $* || return 1$?
elif [ -x /usr/sbin/update-rc.d ] ; then
/usr/sbin/invoke-rc.d $1 stop
/usr/sbin/update-rc.d $1 remove || return 2$?
elif [ /sbin/rc-update ] ; then
/sbin/rc-service $1 stop
/sbin/rc-update $1 del || return 3$?
fi
return 0
}
## local_systemd_stop_and_mask
local_systemd_stop_and_mask () {
[ $# -eq 0 ] && [ -d /usr/local/etc/systemd/ ] && \
set - `grep -v '@\.service' /usr/local/etc/systemd/*.mask`
for file in $* ; do
[ -e /lib/systemd/system/$file ] || continue
elt=`basename $file`
systemctl is-enabled $elt 2>/dev/null >/dev/null || continue
echo INFO: local_systemd_stop_and_mask systemctl disable $elt
systemctl disable --now $elt && systemctl mask $elt
# [ -h /etc/systemd/system/$file ]
# [ `readlink /etc/systemd/system/$file ` = /dev/null ]
done
return 0
}
## local_neuter_gvfs
local_neuter_gvfs () {
[ -d /usr/local/share/dbus-1/services ] || exit 0
cd /usr/local/share/dbus-1/services
for file in /usr/share/dbus-1/services/*vfs* ; do
sed -e 's@^Exec=.*@Exec=/bin/false@' > `basename $file`
done
}
local_link_linux () {
sed < /proc/cmdline -e 's@.*BOOT_IMAGE=vmlinuz-@linux-@' -e 's/[_ ].*//'| \
while read line ; do
[ -z "$line" ] && continue
[ -d "/usr/src/$line" ] || { echo WARN: /usr/src/$line ; continue ; }
rm -f /usr/src/linux
echo INFO: /usr/src/$line /usr/src/linux
ln -s /usr/src/$line /usr/src/linux
done
return 0
}
local_null_machineid () {
[ -s /etc/machine-id ] && cp /dev/null /etc/machine-id
return 0
}
base=local
if [ -x /usr/bin/basename ] && [ `/usr/bin/basename -- $0` = $base'.bash' ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'| sort \
&& exit 0
eval "$@"
exit $?
fi
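Review bot: `chmod 775 /usr/local/*bin/*sh /var/local/*bin/*sh` in local_all makes the scripts the rc files later invoke as root (e.g. /usr/local/sbin/proxy_whonix_lib.bash) group-writable, so any member of that group can edit code that runs as root at boot; unless the group is root-only, `chmod 755 /usr/local/*bin/*sh /var/local/*bin/*sh` is the safe mode. The `eval "$@"` dispatcher at the bottom executes whatever argv it is handed, which is fine for the fixed calls in the rc scripts but turns any caller that passes user-influenced strings into root command execution; a `case` over the known `local_*` function names would bound it. local_neuter_gvfs runs `sed -e 's@^Exec=.*@Exec=/bin/false@' > $(basename $file)` with no input file, so sed reads stdin and the written file is not the rewritten service file; it needs `"$file"` as the sed input. The `exit 0` in local_guest_start_services and local_neuter_gvfs and the `exit 2` in local_host_restart_intel_sound terminate the rc script that sourced this file rather than returning from the function.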


@ -0,0 +1,43 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# run this first
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_all
local_manual_mask_services pdnsd ntpd tor polipo dnsmasq \
NetworkManager-wait-online apt-daily-upgrade apt-daily
# support the console
local_start_services gpm
# adjust to your taste here
[ -e /dev/autofs ] && rm /dev/autofs
if false && which systemctl 2>/dev/null >/dev/null ; then
systemctl | grep -q proc-sys-fs-binfmt_misc.automount && \
systemctl mask proc-sys-fs-binfmt_misc.automount
fi
exit 0
#? systemctl unmask -- -.mount run-msgcollector.mount run-user-1000.mount
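Review bot: `local_manual_mask_services pdnsd ntpd tor polipo dnsmasq ...` only has its whole argument list honoured on the systemd branch; in the local.bash added by this commit the update-rc.d and rc-update branches act on `$1` alone, so on sysvinit/OpenRC hosts only pdnsd is stopped and the other eight services are silently left enabled (the OpenRC branch also tests `[ /sbin/rc-update ]`, which is always true, and calls `rc-update $1 del` with verb and service reversed). Either loop over `"$@"` inside local_manual_mask_services or call it once per service here. Because this script runs under `bash -e` and the function returns `1$?`/`2$?`/`3$?` on failure, one failed mask aborts before `local_start_services gpm`; whether that ordering is intended is not clear from the commit.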


@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Guest.rc
sh /usr/local/etc/local.d/Whonix-Gateway.rc
[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
sh /usr/local/etc/local.d/Whonix-Local.rc
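Review bot: Under `sh -e` the trailing `[ -f ... ] && sh ...` is the last command, so when Whonix-Local.rc is absent this rc.local exits 1 although the header asks for `exit 0` on success; append `exit 0`, or write it as `if [ -f /usr/local/etc/local.d/Whonix-Local.rc ]; then sh /usr/local/etc/local.d/Whonix-Local.rc; fi`. The preceding `sh` invocations also ignore the `#!/bin/bash -e` shebangs the .rc scripts in this commit carry, so errexit is lost and, where /bin/sh is dash, bash-only constructs in them would fail; invoking them by path with the execute bit set, or via `bash`, keeps the flags the scripts declare.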


@ -0,0 +1,29 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
MODE=gateway
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_guest || exit 3$?
# leave this for later when online
if false ; then
if ! $BIN/proxy_whonix_guest_gateway.bash config ; then
echo WARN: proxy_whonix_guest_gateway.bash config retval=$?
fi
if ! $BIN/proxy_whonix_guest_gateway.bash start ; then
echo WARN: proxy_whonix_guest_gateway.bash start retval=$?
fi
fi
exit 0
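Review bot: `local_guest || exit 3$?` concatenates digits rather than encoding a status, so a failure of 1 becomes `exit 31` and a missing-command status of 127 becomes `exit 3127`, which the kernel truncates to 55; use a fixed code such as `local_guest || exit 3` and print `$?` to stderr if the detail matters. `local_guest` is not defined in the local.bash added by this commit (only local_guest_config, local_guest_status, local_guest_start_services and similar are), so unless another file provides it this script always takes the exit path. The `if false ; then ... fi` block is dead code and would read more clearly as a commented TODO.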


@ -0,0 +1,35 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=proxy
MODE=gateway
CONN=guest
. /usr/local/etc/local.d/local.bash || exit 1
local_start_services qemu-guest-agent # spice-vdagent
if ! [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] ; then
echo WARN: $prog /dev/virtio-ports/org.qemu.guest_agent.0 not found
echo WARN: $prog Add "<channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>"
echo 'WARN: to the /etc/libvirtd/qemu/*.xml file on the host'
fi
local_guest_config
local_guest_neutersystemd
local_guest_start_services qemu-guest-agent # spice-vdagent
# local_guest_add_xorg_conf
local_guest_status
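Review bot: `local_guest_start_services qemu-guest-agent` ends with `exit 0` in local.bash, so `local_guest_status` on the last line never runs; change that `exit 0` to `return 0` in local.bash, or call `local_guest_status` before it. `$prog` in the two WARN lines is never assigned in this script (local.bash only mentions it in a comment), so the messages print an empty field. `local_start_services qemu-guest-agent` is also already called three lines earlier with the same service, so one of the two calls is redundant.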


@ -0,0 +1,25 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
dmesg>/var/log/dmesg.log
[ -d /usr/local/tmp/rc ] || mkdir -p /usr/local/tmp/rc
chmod 1777 /usr/local/tmp/rc
for elt in All Host Local ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc/rc.local.log 2>&1
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc/rc.local.log
exit 0
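Review bot: `chmod 1777 /usr/local/tmp/rc` makes the directory world-writable, and root then opens `/usr/local/tmp/rc/rc.local.log` in it with `>` during boot; a local user who pre-creates `rc.local.log` as a symlink gets root to truncate and write an arbitrary file unless `fs.protected_symlinks` is enabled, and can in any case read the boot log. Nothing visible here needs other users to write there, so `mkdir -p -m 0755 /usr/local/tmp/rc` (or logging under /var/log) removes the exposure. Under `sh -e`, a failing `sh` inside the loop (for example if Whonix-Local.rc is absent) aborts before the `tail`, so the `[ -f ... ] &&` guard used in the sibling rc.local files is missing here.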


@ -0,0 +1,138 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
. /usr/local/etc/local.d/local.bash
chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
fi
# Host and Vda
[ -d /etc/apt ] && \
local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
sdwdate tb-updater-first-boot lvm2-monitor
# BEGIN ANSIBLE MANAGED BLOCK base initctl
if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
ln -s /run/initctl /dev/initctl
elif [ ! -e /dev/initctl ] ; then
mknod -m=0600 /dev/initctl p
fi
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK base
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
# END ANSIBLE MANAGED BLOCK base
# sh "/var/local/etc/local.d/testforge.start"
# redis
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
if false;then
# failsafe but independent of whether wlan exists
[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
fi
if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
fi
fi
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for eltin h i j o q v q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
# local_manual_stop_services
SYSTEMD_STOP_AND_MASK="
debug-shell.service
systemd-backlight@.service
phpsessionclean.service
phpsessionclean.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
dbus-org.freedesktop.nm-dispatcher.service
tb-updater-first-boot.service
openvpn.service
systemd-backlight@.service
systemd-backlight@backlight.service
vboxadd-service.service
vboxautostart-service.service
vboxballoonctrl-service.service
vboxdrv.service
vboxweb-service.service
"
# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
for file in /usr/local/etc/systemd/*.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
/var/local/bin/harden_dbus_neuter.bash
which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
# BEGIN ANSIBLE MANAGED BLOCK update
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update
# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
/usr/local/etc/local.d/local.bash local_disable_lid
# END ANSIBLE MANAGED BLOCK update local_disable_lid
# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
ROLE=base
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
ROLE=gpgkey
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
ROLE=hostvms
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
ROLE=privacy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
ROLE=proxy
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
ROLE=testforge
for file in /usr/local/etc/systemd/$ROLE.mask ; do
cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
done
# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
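Review bot: The `exit 0` after the `if false` block leaves everything below it unreachable — the display-manager stop, the /mnt mounts, the SYSTEMD_STOP_AND_MASK list (debug-shell.service, openvpn, the vbox units), harden_dbus_neuter.bash and the per-role `*.mask` loops — so none of that hardening happens at boot; if that is intentional the dead tail should be deleted, otherwise the `exit 0` belongs at the end. The dead tail also contains `for eltin h i j ...` (missing space before `in`, a syntax error once reached) and calls `local_systemd_stop_services`, which the local.bash in this commit does not define. In the live part, `mknod -m=0600 /dev/initctl p` passes the mode as `=0600`; GNU mknod expects `mknod -m 0600 /dev/initctl p` or `--mode=0600`.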


@ -0,0 +1,19 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sh /usr/local/etc/local.d/Whonix-All.rc
sh /usr/local/etc/local.d/Whonix-Host.rc
sh /usr/local/etc/local.d/Whonix-Kicksecure.rc
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc
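Review bot: All three scripts are run as `sh file`, which ignores their shebangs; the .rc scripts in this commit start with `#!/bin/bash` or `#!/bin/bash -e`, so errexit is dropped and, on systems where /bin/sh is dash, bash-only constructs such as the `pushd`/`popd` in one of the host rc scripts fail. Either make the .rc files executable and call them by path, or invoke them with `bash` explicitly. The header promises `exit 0` on success, so an explicit `exit 0` after the last call would make that guarantee rather than relying on the status of whichever command ran last.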


@ -0,0 +1,19 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
ROLE=proxy
CONN=guest
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
local_kicksecure || exit 3$?
exit 0
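Review bot: `local_kicksecure` is not among the functions defined in the local.bash this commit adds, so unless another file provides it the call fails with status 127 and `exit 3$?` becomes `exit 3127`, which the kernel truncates to 55. Use a fixed status such as `local_kicksecure || exit 3` and, if the function is meant to live in local.bash, add it there. The unused `ROLE`, `CONN` and `BIN` assignments suggest this was copied from the gateway script; if local.bash does not read them they can go.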


@ -0,0 +1,140 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# local_host_sys_scaling
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
loadkeys /etc/keymaps/us.map
# BEGIN ANSIBLE MANAGED BLOCK proxy main.yml start
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
# END ANSIBLE MANAGED BLOCK proxy main.yml start
if [ $PROXY_IS_VDA -eq 0 ] ; then
:
elif [ -n "$CHROOT" ] ; then
:
else
# host
:
fi
local_host_sys_scaling () {
local file
if [ $PROXY_IS_VDA -ne 0 -a -z "$CHROOT" ] ; then
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
local_host_sys_scaling
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
# BEGIN ANSIBLE MANAGED BLOCK base Debian
[ -f /etc/init.d/console-setup.sh ] && \
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
local_host_restart_psmouse
local_host_restart_intel_sound
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_manual_stop_services redis postgresql-11
fi
# BEGIN ANSIBLE MANAGED BLOCK base Debian
/etc/init.d/console-setup.sh start
# END ANSIBLE MANAGED BLOCK base Debian
mount /mnt/o
mount /mnt/i
mount /mnt/j
mount /mnt/e
mount /mnt/q
mount /mnt/w
exit 0
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sound
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
ls /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null >/dev/null && \
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
echo performance >>$file
done
for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
echo 1600000 >>$file
done
[ -e /usr/share/netsurf/DejaVuSans.ttf ] || \
sudo ln -s /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /usr/share/netsurf
true
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sound
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
for elt in h i j o q w l ; do
[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
# END ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
# BEGIN ANSIBLE MANAGED BLOCK base initctl
[ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
[ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p
# END ANSIBLE MANAGED BLOCK base initctl
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
dir=`cat /proc/cmdline|sed -e 's/BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
pushd /usr/src
rm -f linux
[ -d $dir ] && ln -s $dir linux || echo WARN: $PWD/$dir not found
popd
# END ANSIBLE MANAGED BLOCK update Pentoo linux
which brightnessctl 2>/dev/null >/dev/null && brightnessctl -c backlight set 95%
local_neuter_gvfs
local_link_linux
local_null_machineid
pkill gvfs
loadkeys /etc/keymaps/us.map
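Review bot: The `exit 0` after `mount /mnt/w` leaves the remaining ~60 lines unreachable, including the dmcrypt swap setup, the Pentoo /usr/src/linux link, local_neuter_gvfs and local_null_machineid; delete them or move the exit. Several of those dead lines would also misbehave if revived: `echo 1> /proc/sys/kernel/sysrq 2>/dev/null` is parsed as the redirection `1>` and writes a blank line rather than `1` (it should be `echo 1 > /proc/sys/kernel/sysrq`), and `sudo ln -s ...` inside a root boot script can block on a password prompt. In the live part, local_host_sys_scaling appends `1600000` to every scaling_min_freq without checking that the CPU supports that frequency; since the script is not `-e`, a rejected write is silent, so a check against cpuinfo_min_freq or of the write's status would make failures visible.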


@ -0,0 +1,110 @@
#!/bin/bash -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
ROLE=local
MODE=all
CONN=all
BIN=/usr/local/sbin
. /usr/local/etc/local.d/local.bash || exit 1
# run this last
# BEGIN ANSIBLE MANAGED BLOCK update lati dmcrypt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_make_dmcrypt_swap
fi
# END ANSIBLE MANAGED BLOCK update lati dmcrypt
# BEGIN ANSIBLE MANAGED BLOCK update lati scheduler
## local_host_sys_set_scheduler
local_host_sys_set_scheduler () {
local elt
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
for elt in b c ; do
[ -d /sys/block/sd$elt ] || continue
echo deadline > /sys/block/sd$elt/queue/scheduler
done
fi
return 0
}
local_host_sys_set_scheduler
# END ANSIBLE MANAGED BLOCK update lati scheduler
# BEGIN ANSIBLE MANAGED BLOCK update lati sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati sysrq
# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
if [ "$PROXY_IS_VDA" -ne 0 ] ; then
local_host_symlink_usr_src
fi
# END ANSIBLE MANAGED BLOCK update Pentoo linux
## local_host_restart_intel_sound
local_host_restart_intel_sound () {
which aplay >/dev/null 2>/dev/null || return 0
# both
if ! aplay -L | grep -q default:CARD=PCH ; then
rmmod snd_hda_intel ;
sleep 5
modprobe snd_hda_intel enable=1 ;
sleep 1
aplay -L ;
fi
return 0
}
# BEGIN ANSIBLE MANAGED BLOCK update lati
#? rmmod pata_pcmcia pcmcia pcmcia_core 2>/dev/null
local_host_restart_intel_sound
# END ANSIBLE MANAGED BLOCK update lati
# BEGIN ANSIBLE MANAGED BLOCK testforge npm
[ -f /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js ] && \
chmod 000 /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js
# END ANSIBLE MANAGED BLOCK testforge npm
# BEGIN ANSIBLE MANAGED BLOCK update lati fstab
# END ANSIBLE MANAGED BLOCK update lati fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# On x86 - You press the key combo ALT-SysRq-<command key>.
# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
echo 1> /proc/sys/kernel/sysrq 2>/dev/null
# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
grep '/mnt/[a-z][ ]' /etc/fstab| \
sed -e 's@.*/mnt/@/mnt/@' -e 's/[ ].*//' | \
while read elt ;do
[ -d $elt/tmp ] || mount $elt
done
exit 0
# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml stop
local_systemd_stop_services display-manager
# END ANSIBLE MANAGED BLOCK update lati_unix.yml stop
# BEGIN ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
cp /dev/null /var/local/var/log/libvirtd.log
# END ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
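Review bot: `echo 1> /proc/sys/kernel/sysrq 2>/dev/null` (present twice) is parsed as `echo` with stdout redirected to the sysrq file, so a blank line is written and the value is never set to 1; the intended form is `echo 1 > /proc/sys/kernel/sysrq`. Before fixing it, consider whether fully enabling SysRq is wanted on a host this role otherwise hardens — with console access or a keyboard-injecting peripheral it allows unauthenticated reboot, crash and process/memory dumps — and a restricted mask such as 176 (sync, remount read-only, reboot) keeps the recovery keys without the rest. Because the script runs under `bash -e`, a failed write to that file (read-only /proc/sys in a container, for instance) aborts the remainder; append `|| true` if best-effort is acceptable. The `exit 0` after the fstab loop also leaves the display-manager stop and the libvirtd.log truncation unreachable.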


@ -0,0 +1,23 @@
#!/bin/sh -e
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
for elt in All Guest Vda ; do
sh /usr/local/etc/local.d/Whonix-$elt.rc
done > /usr/local/tmp/rc.local.log 2>&1 &
#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Local.rc
#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
# sh /usr/local/etc/local.d/Whonix-Lati.rc
timeout 20s tail -f /usr/local/tmp/rc.local.log
exit 0
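Review bot: The loop that runs the All/Guest/Vda scripts is backgrounded with `&`, so this rc.local returns before they finish and its exit status never reflects their failures; `timeout 20s tail -f` only caps how long the console shows the log, not how long the scripts take. Unlike the host variant in this commit, `/usr/local/tmp` is not created first, so on a fresh guest the redirect can fail and the background loop dies with nothing logged; add `mkdir -p /usr/local/tmp` before the loop and, if that directory is shared, avoid writing root's log into a world-writable path. Running the scripts with `sh` also drops the `bash -e` declared in their shebangs.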
