OpenBSD

How to Create Bootable USB Stick for OpenBSD

Download “install66.fs”

Open balenaEtcher on OSX

Proceed

-> seems not to work :(

build USB Stick with DD

mount
/dev/disk4s1 on /Volumes/Ohne Titel (hfs, local, nodev, nosuid, journaled, noowners)

Open DiskUtils

Unmount “Ohne Titel”

DD

osx$ sudo dd if=install66.fs of=/dev/disk4s1 bs=1m

wait 10min

done


Any Comments ?

sha256: 82aedd94540efdd5f343399a0d3d67cab01c64cb5ee70f441427fd5cbfa136da

OpenBSD 6.x Diskusage

How much Disk is used with Default Partitioning

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     1005M   96.1M    858M    10%    /
/dev/sd0k      9.6G    2.0K    9.1G     0%    /home
/dev/sd0d      1.8G   12.0K    1.7G     0%    /tmp
/dev/sd0f      2.5G    955M    1.4G    39%    /usr
/dev/sd0g     1005M    202M    752M    21%    /usr/X11R6
/dev/sd0h      4.2G    218K    3.9G     0%    /usr/local
/dev/sd0j      5.8G    2.0K    5.5G     0%    /usr/obj
/dev/sd0i      1.7G    2.0K    1.6G     0%    /usr/src
/dev/sd0e      2.8G    5.9M    2.7G     0%    /var

Example with 32 GB

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   96.1M    3.6G     3%    /
/dev/sd0g      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      2.0G   12.0K    1.9G     0%    /tmp
/dev/sd0f      7.9G    1.1G    6.4G    15%    /usr
/dev/sd0e      7.9G    5.9M    7.5G     0%    /var

Partition Proposal for 16GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 4G  /var
/dev/sd0f 4G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 20GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 6G  /var
/dev/sd0f 6G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 32GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home

Partition Proposal for 64GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home
/dev/sd0h 32G /data

Templates APU 16GB

# Disklabel template for a 16 GB APU disk: one "mount-point size" pair per
# line, written verbatim (no expansion) to ./autodisklabel.
printf '%s\n' \
  '/       2G' \
  'swap    0.5G' \
  '/tmp    1G' \
  '/usr    4G' \
  '/var    4G' \
  '/home   4G' > autodisklabel

Templates APU 120GB

# Disklabel template for a 120 GB APU disk: one "mount-point size" pair per
# line, written verbatim (no expansion) to ./autodisklabel.
printf '%s\n' \
  '/       4G' \
  'swap    4G' \
  '/tmp    4G' \
  '/usr    8G' \
  '/var    8G' \
  '/home   16G' \
  '/data   64G' > autodisklabel

Quick and Dirty APU 120GB

a 4G /root
a 4G swap
a 4G /tmp
a 8G /usr
a 8G /home
a *  /var

-> which results in:

apu-120GB# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   75.0M    3.6G     2%    /
/dev/sd0f      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      3.9G   16.0K    3.7G     0%    /tmp
/dev/sd0e      7.8G    1.2G    6.1G    17%    /usr
/dev/sd0g     81.1G    7.0M   77.1G     0%    /var

Any Comments ?

sha256: 8b0fa0f79f422c4d4ed8eb1ee67cda1d67470ff8aec34f18bb7715b6ea4291f0

BasicAuthentication with Nginx

NOT YET WORKING …

Install NGINX

pkg_add -v nginx

rcctl enable nginx
rcctl restart nginx

Enable BasicAuth

server {
    ...
    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/htpasswd;

    location /public/ {
        auth_basic off;
    }
}

Create File and User (the path given to htpasswd must be the same file that auth_basic_user_file above points to)

htpasswd -c /etc/apache2/.htpasswd user1

Restart Service

rcctl restart nginx

Source

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/


Any Comments ?

sha256: b0311dad9186b4e2f8cd9730688c8e75c09a3ff687259cccc132810a706cb2f6

BasicAuthentication with httpd

Enable Auth

server "default" {
  listen on * port 80
  authenticate "secure area" with "/htpasswd.conf"
}

create htpasswd file

htpasswd /var/www/htpasswd.conf user-x
Password:
Retype Password:

chown www /var/www/htpasswd.conf
chmod 600 /var/www/htpasswd.conf

Restart Service

rcctl restart httpd

Any Comments ?

sha256: b934f5b05de5100f7a6f13e4e93003740ca9704b37a4302abe51f0b8d9a1f7b3

how to move on the cli


Any Comments ?

sha256: 92b20e0a803b2e3c9a987fe89c259ac9bd069b22732d93f80d0626fae15e733b

Multicast

/etc/mrouted.conf

name LOCAL 239.255.0.0/16
phyint em1 disable

forward multicast

sysctl.conf
net.inet.ip.mforwarding=1

enable and start Service

rcctl enable multicast
rcctl start multicast
rcctl enable mrouted
rcctl start mrouted

useful commands

netstat -g
map-mbone
mrinfo
mtrace

https://felix-kling.de/blog/2019/sonos-dedicated-vlan.html


Any Comments ?

sha256: 8f43d20c9f3186346dfab5fb16a3de63b780d414c608ce12f0d096089fbf9642

Dualstack

DualStack & Prefix Delegation with OpenBSD

OS: OpenBSD 6.5

Hint: wide-dhcpv6-20080615p9 was not working well, so I gave dhcpcd a try.

Install Package

pkg_add dhcpcd-7.1.1p4

Configure dhcpcd

/etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not typically required for simple DHCPv6-PD setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces em1 vlan108 vlan110 vlan112

interface em1
    # the following two lines tell dhcpcd to do router solicitation
    # itself. don't use them if using "inet6 autoconf" (slaacd)
    ipv6rs
    ia_na 1

    # request prefixes from the provider to use for downstream networks
    ia_pd 2 vlan108/1 vlan110/2 vlan112/3

Enable and Start Service

rcctl enable dhcpcd
rcctl restart dhcpcd

You should now get an IP address on your public interface. Adjust pf.conf accordingly for IPv6!

Wireguard

WireGuard Stuff, 2019-09-18

Resources

Also Check my new Post about Wireguard on Current …

Using wireguard on OpenBSD

OpenBSD Router: VPN

Wireguard Server

Packages

pkg_add wireguard-go \
  wireguard-tools \
  libqrencode

Config & Enable WG

rcctl enable wireguard_go
rcctl set wireguard_go flags tun2

Prepare Environment

# Directory layout used by the rest of these notes:
#   /etc/wireguard/keys    generated key pairs
#   /etc/wireguard/config  client profiles
# Everything below is run from /etc/wireguard.
wg_root=/etc/wireguard
mkdir -p "${wg_root}/keys" "${wg_root}/config"
cd "${wg_root}"

Generate Keys

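# Generate one key pair per party (server plus three clients) under keys/.
# The subshell umask makes each file 0600 from the moment tee creates it, so a
# private key is never briefly readable under the default umask; the chmod
# afterwards keeps the original belt-and-braces for files that already
# existed. (The public keys end up 0600 too, which is harmless.)
(
  umask 077
  for name in server client001 client002 client003; do
    wg genkey | tee "keys/${name}-private.key" | wg pubkey > "keys/${name}-public.key"
  done
)

chmod 600 keys/*private.key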

Config Interface

# Interface file for tun2, processed by netstart(8) at boot: tunnel addresses
# for both families, then a "!" command line that loads server.conf into the
# interface. The sleep and the trailing "&" presumably give wireguard-go time
# to create tun2 without blocking netstart — TODO confirm the 10 s is enough.
# 2001:db8::/32 is the documentation prefix; replace with your own.
printf '%s\n' \
  '10.0.0.1 10.0.0.2 netmask 255.255.255.0' \
  'inet6 alias 2001:db8::1 128' \
  'dest 2001:db8::2' \
  '!/bin/sleep 10 && /usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf &' \
  > /etc/hostname.tun2

IP Forwarding

# Persist IPv4 and IPv6 forwarding in sysctl.conf (appended, so existing
# entries are kept) and switch both on in the running kernel right away.
knobs='net.inet.ip.forwarding net.inet6.ip6.forwarding'
# shellcheck disable=SC2086 -- word splitting of the list is intended
for knob in $knobs; do printf '%s=1\n' "$knob"; done >> /etc/sysctl.conf
for knob in $knobs; do sysctl "${knob}=1"; done

server.conf

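# Assemble server.conf from the generated keys.
# The heredoc delimiter must be unquoted: with 'EOF' nothing is expanded and
# the file ends up containing the literal text "$(cat keys/server-private.key)"
# instead of the key. The subshell umask creates the file as 0600 straight
# away (it holds the server's private key); the chmod below stays as a
# safeguard for a pre-existing file.
(
  umask 077
  cat << EOF > server.conf
[Interface]
PrivateKey  = $(cat keys/server-private.key)
ListenPort  = 51820

# IPv4 only
[Peer]
PublicKey   = $(cat keys/client001-public.key)
AllowedIPs  = 10.0.0.2/32

# IPv6 only
[Peer]
PublicKey   = $(cat keys/client002-public.key)
AllowedIPs  = 2001:db8::3/128

# IPv4 and IPv6
[Peer]
PublicKey   = $(cat keys/client003-public.key)
AllowedIPs  = 2001:db8::4/128, 10.0.0.4/32
EOF
)

chmod 600 server.conf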

Update PF

... snip ...

set skip on { lo0 enc0 tun2 }

# WG Stuff
match out log on egress inet  from (tun2:network) nat-to (egress:0)
match out log on egress inet6 from (tun2:network) nat-to (egress)

... snip ...

# Block all
block log

... snip ...

# Allow Wireguard from any
pass in log quick inet  proto { tcp udp } from any to (self) port { 51820 }
pass in log quick inet6 proto { tcp udp } from any to (self) port { 51820 }

... snip ...

Reboot the server to activate all config

reboot

cd /etc/wireguard

Update Config Script

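# Helper to re-apply server.conf after editing it.
# The interpreter line must be exactly "#!" as the first two bytes; the
# original "# !/bin/sh" is only a comment, so the file had no interpreter
# directive. The absolute config path removes the dependency on the current
# directory (same path as the wg setconf line in /etc/hostname.tun2), and
# "set -e" lets a failed setconf propagate instead of being masked by "exit 0".
# The delimiter stays quoted on purpose: nothing in the script should expand
# while it is being written.
cat << 'EOF' > wg_update_config.sh
#!/bin/sh
set -e
wg setconf tun2 /etc/wireguard/server.conf
wg show
EOF

chmod 755 wg_update_config.sh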

Wireguard Client

IPv4 only

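# Client profile, IPv4 only.
# The delimiter must be unquoted so the key and endpoint substitutions expand
# (with 'EOF' the profile would contain "$(cat keys/...)" literally). The
# endpoint is computed first so the awk program keeps its normal quoting; the
# awk "exit" keeps only the first inet address should egress carry several.
# The profile embeds the client's private key, hence the 0600 creation mask.
mkdir -p config
endpoint4=$(ifconfig egress | awk '/inet / {print $2; exit}')
(
  umask 077
  cat << EOF > config/client001.conf
[Interface]
PrivateKey  = $(cat keys/client001-private.key)
Address     = 10.0.0.2/32
DNS         = 8.8.8.8

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32
Endpoint    = ${endpoint4}:51820
EOF
)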

IPv6 only

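# Client profile, IPv6 only.
# The delimiter must be unquoted so the key and endpoint substitutions expand
# (with 'EOF' the profile would contain "$(cat keys/...)" literally). The
# endpoint is computed first so the awk program keeps its normal quoting; the
# link-local fe80: address is skipped and "exit" keeps the first global one.
# The profile embeds the client's private key, hence the 0600 creation mask.
mkdir -p config
endpoint6=$(ifconfig egress | awk '/inet6 / && $2 !~ /^fe80:/ {print $2; exit}')
(
  umask 077
  cat << EOF > config/client002.conf
[Interface]
PrivateKey  = $(cat keys/client002-private.key)
Address     = 2001:db8::3/128
DNS         = 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 2001:4860:4860::8888/128
Endpoint    = [${endpoint6}]:51820
EOF
)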

IPv4+6 (not yet working …)

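# Client profile, IPv4 and IPv6 inside the tunnel.
# A WireGuard peer takes exactly one Endpoint (host:port); the earlier
# comma-separated pair of endpoints is not valid config syntax, which is the
# likely reason this profile did not work. Both address families are routed
# through the tunnel regardless of the outer transport, so the IPv4 endpoint
# is used here (use the bracketed form from client002 to transport over IPv6).
# The delimiter is unquoted so the substitutions expand; the profile embeds
# the client's private key, hence the 0600 creation mask.
mkdir -p config
endpoint4=$(ifconfig egress | awk '/inet / {print $2; exit}')
(
  umask 077
  cat << EOF > config/client003.conf
[Interface]
PrivateKey  = $(cat keys/client003-private.key)
Address     = 10.0.0.4/32, 2001:db8::4/128
DNS         = 8.8.8.8, 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32, 2001:4860:4860::8888/128
Endpoint    = ${endpoint4}:51820
EOF
)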

Generate QR

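# Render each client profile as a terminal QR code for the mobile app
# (redirecting stdin replaces the needless cat | pipe). The profile includes
# the client's PrivateKey, so the rendered code is as sensitive as the file
# itself — clear the terminal and its scrollback afterwards.
for profile in config/client001.conf config/client002.conf config/client003.conf; do
  qrencode -t ansiutf8 < "$profile"
done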

Show Commands

puffy66 1 ../wireguard# wg show
interface: tun2
  public key: eBzb9Q+95EQj2C2hRd7RuGH4dES9sjfgjWHHFskJ+SQ=
  private key: (hidden)
  listening port: 51820

peer: 6i2k+s3bgUgRRbVefCNzjQPJZbsIzipNsFOmjFCnLHE=
  endpoint: 192.168.108.125:52565
  allowed ips: 10.0.0.2/32
  latest handshake: 56 seconds ago
  transfer: 13.19 KiB received, 8.07 KiB sent

peer: gRWzWzJIelqez9/lHsL/KsDDKjCoZK6I91hggeNELmc=
  allowed ips: 2001:db8::3/128

peer: pulLKxKk6dwFf6xlb+mEiP4AdS0jbs5hYOvMC7FfNXM=
  allowed ips: 10.0.0.4/32, 2001:db8::4/128

Any Comments ?

sha256: eac4ea99441b96d1bd1b22b00d615ca82cda2d67a6dfada8f9876ba75e6fb4f1

Puffy Spezial

Tips, Tricks, Notes and Snippets around OpenBSD

Get Interfaces

ifconfig | awk '/^[^\t]/{iface=$1} /inet6? / {print iface, $2}' 
lo0: ::1
lo0: fe80::1%lo0
lo0: 127.0.0.1
vio0: fe80::9400:2ff:fe16:5a70%vio0
vio0: 2a01:4f8:c0c:fff7::2
vio0: 159.69.214.12

Adding Static Default GW

man route

route add -inet  default 192.168.1.1
route add -inet6 default 2001:db8:efef::1

Use Puffy as Jumphost

Redirect incoming traffic from a certain source and also NAT the outgoing traffic so we remain in the “line” ;)

# Apply SNAT for outgoing Traffic
match out log       on em0    inet            from !(egress)        to IP_OF_TARGET_HOST  nat-to (egress)

# Forward Port 22 to another (hidden) Host via DNAT
pass  in  log quick on egress inet  proto tcp from SRC_IP_OF_HOST   to egress port 22    rdr-to IP_OF_TARGET_HOST   port 22
pass  in  log quick on egress inet  proto tcp from SRC_NET/MASK     to egress port 22    rdr-to IP_OF_TARGET_HOST   port 22

Debug OpenSMTPD

doas rcctl stop smtpd
doas smtpd -dv -Tall

tty0 to fb0 on ARM

you may need to redirect tty0 on arm64 boxes