From 51de93e5b6b7a6b497e78b999a754f7d5086ddcc Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Fri, 16 Apr 2021 17:42:55 +0200 Subject: Added articles --- content/docs/gentoo/upgrades.md | 39 +++++++++++++++++++++++++++++++++++++++ content/docs/openbsd/_index.md | 6 ++++++ content/docs/openbsd/pf.md | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 content/docs/gentoo/upgrades.md create mode 100644 content/docs/openbsd/_index.md create mode 100644 content/docs/openbsd/pf.md (limited to 'content/docs') diff --git a/content/docs/gentoo/upgrades.md b/content/docs/gentoo/upgrades.md new file mode 100644 index 0000000..07d5c6b --- /dev/null +++ b/content/docs/gentoo/upgrades.md 
@@ -0,0 +1,39 @@ +--- +title: "Gentoo Packages Upgrades" +description: Gentoo packages upgrades on adyxax.org +--- + +## Introduction + +Here is my go to set of commands when I upgrade a gentoo box : +{{< highlight sh >}} +emerge-webrsync +eselect news read +{{< /highlight >}} + +The news have to be reviewed carefully and if I cannot act on it immediately I copy paste the relevant bits to my todolist. + +## The upgrade process + +I run the upgrade process in two steps. The first one is a straightforward upgrade that will stop upon any error to let you asses the situation : +{{< highlight sh >}} +emerge --update --newuse --deep --with-bdeps=y @world -q +{{< /highlight >}} + +If all went well we can get to the cleaning pass : +{{< highlight sh >}} +unset ld_library_path && unset e_src && emerge -qaavutdn world --verbose-conflicts --keep-going && emerge --depclean -a && revdep-rebuild -i -- -q --keep-going; eclean distfiles +{{< /highlight >}} + +After all this completes it is time to evaluate configuration changes : +{{< highlight sh >}} +etc-update +{{< /highlight >}} + +If a new kernel has been emerged, have a look at [the specific process for that]({{< ref "kernel_upgrades" >}}). + +## Post-upgrade + +Depending of the changes it is now time to : +- restart services that have been upgraded +- reboot if the kernel or a crucial system component (like openssl) has been upgraded diff --git a/content/docs/openbsd/_index.md b/content/docs/openbsd/_index.md new file mode 100644 index 0000000..c79bf9b --- /dev/null +++ b/content/docs/openbsd/_index.md @@ -0,0 +1,6 @@ +--- +title: "OpenBSD" +description: OpenBSD related articles +--- + +I am a long time openbsd user, my first installation dating back to 2008. diff --git a/content/docs/openbsd/pf.md b/content/docs/openbsd/pf.md new file mode 100644 index 0000000..0eaafc4 --- /dev/null +++ b/content/docs/openbsd/pf.md 
@@ -0,0 +1,39 @@ +--- +title: pf.conf +description: The template I use on new installations +--- + +## pf.conf + +The open ports list is refined depending on the usage obviously, and not all servers listen for wireguard... It is just a template : + +{{< highlight conf >}} +vpns="{ wg0 }" + +table const { self } +table const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 } +table const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 } + +##### Basic rules ##### +set skip on lo +set syncookies adaptive (start 25%, end 12%) +set block-policy return +block drop in log quick from urpf-failed label uRPF +block return log + +##### This firewall ##### +block drop in on egress +pass in on egress proto { icmp, icmp6 } from to +pass in on egress proto tcp from to port { http, https, imaps, smtp, smtps, ssh, submission } +pass out from to any + +##### VPNs ##### +pass in on egress proto udp from to port 342 +pass in on $vpns from to + +##### Openbsd stock rules ##### +# By default, do not permit remote connections to X11 +block return in on ! lo0 proto tcp to port 6000:6010 +# Port build user does not need network +block return out log proto {tcp udp} user _pbuild +{{< /highlight >}} -- cgit v1.2.3
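Review bot: in content/docs/gentoo/upgrades.md, the cleaning-pass command lowercases names that are case-sensitive. `unset ld_library_path && unset e_src` only unsets variables with those exact lowercase names, so `LD_LIBRARY_PATH` is left untouched. In `emerge -qaavutdn world`, the short options `-d` and `-n` are `--debug` and `--noreplace`, not `--deep` and `--newuse`. Suggest restoring the intended case, or spelling the options out in long form as the first step already does (`--update --newuse --deep`). Also note that `; eclean distfiles` runs even when an earlier command in the `&&` chain fails; say so in the text if that is intended, or use `&&` there too. Wording: "asses the situation" should be "assess the situation", and "Depending of the changes" should be "Depending on the changes".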
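Review bot: in content/docs/openbsd/_index.md, the body sentence writes "openbsd" while the front matter `title` and `description` use "OpenBSD"; suggest the same capitalisation in the sentence. The sentence is also a comma splice and would read better split in two or joined with a semicolon after "user".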
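Review bot: in content/docs/openbsd/pf.md, the three `table const { ... }` lines carry no table name and every rule that should reference a table reads `from to` with nothing in between (for example `pass in on egress proto { icmp, icmp6 } from to`), so the template as shown cannot be loaded by pf. It looks like the angle-bracketed table names were lost; please check that they survive in the rendered page inside the `highlight` block and restore them in both the declarations and the rules. Separately, the second table lists `fe80::/10` among the private ranges, but the third lists `fe80::/10` without the `!` that the other private ranges carry (`!10/8`, `!fd00::/8`). After `::/0` a non-negated entry is redundant, so this was probably meant to be `!fe80::/10`. The same second table omits the comma between `fd00::/8` and `fe80::/10` that the rest of the list uses. A short comment on `port 342` saying it is the WireGuard listen port would help readers adapting the template.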