Initial commit

2018-05-08 03:01:03 +02:00
commit 1c4c595cd6
3256 changed files with 417972 additions and 0 deletions

25
ANW-KM/README.txt Normal file

@ -0,0 +1,25 @@
Notice:
You have to change some configuration files becaus the because
the configuration of network interfaces must not be equal.
!! Take care, to use the right device names !!
Maybe they are called i.e. 'enp0sXX', but you can rename it.
See also : README.rename.netdevices
For the backup gateway host:
eth1 --> LAN
eth2 --> WAN or ppp0 (DSL device)
eth0 --> WLAN or second LAN or what ever
or
br0 --> WLAN or second LAN or what ever
So you have to change the following files
dsl-provider.ANW-KM: ppp0 comes over eth2
interfaces.ANW-KM: see above
default_isc-dhcp-server.ANW-KM
ipt-firewall.ANW-KM: LAN device (mostly ) = eth1
second LAN WLAN or what ever (if present) = eth0

Submodule ANW-KM/bin/admin-stuff added at 8d81bd8667

Submodule ANW-KM/bin/manage-gw-config added at b5fb1f7b3a

1
ANW-KM/bin/monitoring Submodule

Submodule ANW-KM/bin/monitoring added at f66029fe95

1
ANW-KM/bin/os-upgrade.sh Symbolic link

@ -0,0 +1 @@
admin-stuff/os-upgrade.sh

1
ANW-KM/bin/test_email.sh Symbolic link

@ -0,0 +1 @@
admin-stuff/test_email.sh

69
ANW-KM/bind/bind.keys Normal file

@ -0,0 +1,69 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
#
# NOTE: The ISC DLV zone is being phased out as of February 2017;
# the key will remain in place but the zone will be otherwise empty.
# Configuring "dnssec-lookaside auto;" to activate this key is
# harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

12
ANW-KM/bind/db.0 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

13
ANW-KM/bind/db.127 Normal file

@ -0,0 +1,13 @@
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.


@ -0,0 +1,53 @@
;
; BIND reverse data file for local km.netz zone
;
$TTL 43600
@ IN SOA ns.anw-km.netz. ckubu.oopen.de. (
2012082701 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns-km.anw-km.netz.
; - Gateway/Firewall
254 IN PTR gw-km.anw-km.netz.
; - (Caching ) Nameserver
53 IN PTR ns-km.anw-km.netz.
; - Fileserver
10 IN PTR file-km.anw-km.netz.
; - KVM Windows 7
20 IN PTR file-win7.anw-km.netz.
; - IPMI
201 IN PTR ipmi-gw-km.anw-km.netz.
202 IN PTR ipmi-file-km.anw-km.netz.
; - Drucker
5 IN PTR hl-5380dn.anw-km.netz.
#177 IN PTR utax-lp-3235.anw-km.netz.
; - Accesspoint
50 IN PTR wlan-km.anw-km.netz.
; - LAN
110 IN PTR berenice.anw-km.netz.
111 IN PTR buero.anw-km.netz.
112 IN PTR buero2.anw-km.netz.
113 IN PTR buero3.anw-km.netz.
120 IN PTR berenice-alt.anw-km.netz.
; - WLAN
211 IN PTR berenice-laptop.anw-km.netz.
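Review bot: The line `#177 IN PTR utax-lp-3235.anw-km.netz.` is not commented out, because BIND master-file syntax only treats `;` as a comment; as written it either defines a PTR record with the owner name `#177` or makes the zone fail to load, depending on how check-names is applied, so it should read `;177 IN PTR utax-lp-3235.anw-km.netz.`. The IPMI entries are also swapped against the forward zone in the same commit: here 201 maps to ipmi-gw-km and 202 to ipmi-file-km, while the forward file gives ipmi-file-km the A record 192.168.122.201 and ipmi-gw-km 192.168.122.202, so one of the two files needs those two lines exchanged. Running `named-checkzone 122.168.192.in-addr.arpa <zone-file>` on the result would have caught the first problem before deployment.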

12
ANW-KM/bind/db.255 Normal file

@ -0,0 +1,12 @@
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.


@ -0,0 +1,79 @@
;
; BIND data file for local km.netz zone
;
$TTL 43600
@ IN SOA ns.anw-km.netz. ckubu.oopen.de. (
2012082701 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns-km.anw-km.netz.
; Gateway/Firewall
gw-km IN A 192.168.122.254
gate IN CNAME gw-km
gw IN CNAME gw-km
; (Caching ) Nameserver
ns-km IN A 192.168.122.53
ns IN CNAME ns-km
nscache IN CNAME ns-km
resolver IN CNAME ns-km
; - Fileserver
file-km IN A 192.168.122.10
file IN CNAME file-km
; - KVM Windows 7
file-win7 IN A 192.168.122.20
winserver IN CNAME file-win7
; - IPMI
ipmi-file-km IN A 192.168.122.201
file-ipmi IN CNAME ipmi-file-km
ipmi-gw-km IN A 192.168.122.202
gw-ipmi IN CNAME ipmi-gw-km
; - Drucker
hl-5380dn IN A 192.168.122.5
brother IN CNAME hl-5380dn
utax-lp-3235 IN A 192.168.122.177
; - Accesspoint
wlan-km IN A 192.168.122.50
ap IN CNAME wlan-km
accesspoint IN CNAME wlan-km
; - LAN
berenice IN A 192.168.122.110
berenice-desktop IN CNAME berenice
buero2 IN A 192.168.122.112
buero2-desktop IN CNAME buero2
buero IN A 192.168.122.111
buero-desktop IN CNAME buero
buero3 IN A 192.168.122.113
buero3-desktop IN CNAME buero3
berenice-alt IN A 192.168.122.120
; - WLAN
berenice-laptop IN A 192.168.122.211
; - Services
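Review bot: The SOA MNAME `ns.anw-km.netz.` names an alias (`ns IN CNAME ns-km` further down) while the zone's NS record uses `ns-km.anw-km.netz.`; the MNAME is meant to name the primary server directly rather than a CNAME, so the SOA line should use `ns-km.anw-km.netz.` here and in the reverse zone, whose SOA has the same MNAME. The serial `2012082701` is older than the 2017-dated material elsewhere in this commit, which suggests records were edited without bumping it; with `allow-transfer { none; };` in the options there is no secondary today, but any future secondary would never notice such edits, so the serial should be bumped whenever the file changes. The trailing `; - Services` header has no records under it and can be dropped.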

14
ANW-KM/bind/db.empty Normal file

@ -0,0 +1,14 @@
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.

14
ANW-KM/bind/db.local Normal file

@ -0,0 +1,14 @@
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

88
ANW-KM/bind/db.root Normal file

@ -0,0 +1,88 @@
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File

11
ANW-KM/bind/named.conf Normal file

@ -0,0 +1,11 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


@ -0,0 +1,30 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};


@ -0,0 +1,19 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "anw-km.netz" {
type master;
file "/etc/bind/db.anw-km.netz";
};
zone "122.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.122.0";
};


@ -0,0 +1,8 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


@ -0,0 +1,49 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
forwarders {
// OpenDNS servers
208.67.222.222;
208.67.220.220;
// DNS-Cache des CCC
213.73.91.35;
// ISP DNS Servers
217.237.150.51;
217.237.148.22;
};
// Security options
listen-on port 53 {
127.0.0.1;
192.168.122.53;
};
allow-query {
127.0.0.1;
192.168.0.0/16;
10.0.0.0/8;
};
allow-recursion {
127.0.0.1;
192.168.0.0/16;
10.0.0.0/16;
};
allow-transfer { none; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
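Review bot: `allow-recursion` admits `10.0.0.0/16` while `allow-query` admits `10.0.0.0/8`, and neither list matches the single `192.168.122.0/24` that the interfaces file in this commit attaches to eth1; presumably one prefix length is a typo, and both lists could be tightened to `127.0.0.1; 192.168.122.0/24;` so the recursor is not open to every RFC 1918 address that can reach the gateway. `listen-on-v6 { any; };` also undercuts the deliberate `listen-on port 53 { 127.0.0.1; 192.168.122.53; }` restriction, leaving the ACLs as the only thing between an IPv6 client and the recursor; `listen-on-v6 { ::1; };` (or `{ none; };`) keeps the two settings consistent. The bind.keys added in this commit states that its trust anchors are ignored unless `dnssec-validation auto;` is set in the options, and no such line appears here, so validation is off unless it is configured in a file not shown.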


@ -0,0 +1,20 @@
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
ANW-KM/bind/rndc.key Normal file

@ -0,0 +1,4 @@
key "rndc-key" {
algorithm hmac-md5;
secret "p8uEoosC6vrcRj73ribYKg==";
};
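Review bot: The rndc control-channel secret on the `secret` line is committed in clear text, so it has to be treated as disclosed and regenerated (`rndc-confgen -a` writes a fresh rndc.key) before this repository is shared further; the file belongs outside version control, or in it only as a placeholder. `algorithm hmac-md5;` selects an algorithm that current BIND releases deprecate; `algorithm hmac-sha256;` is the usual replacement, and `rndc-confgen -a -A hmac-sha256` produces a matching key.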

20
ANW-KM/bind/zones.rfc1918 Normal file

@ -0,0 +1,20 @@
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };


@ -0,0 +1,7 @@
# Secrets for authentication using CHAP
# client server secret IP addresses
"0017005041965502052728690001@t-online.de" * "62812971"
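Review bot: The CHAP secret on the third line (the quoted string after `*`) is committed in clear text together with the provider login, so it should be treated as disclosed and changed with the provider, and the file kept out of the repository or replaced by a template with a placeholder; pppd warns when a secrets file is readable by group or others, and a repository copy does not preserve the root-only mode. The file header is missing from this section, but the `# Secrets for authentication using CHAP` line identifies it as pppd's chap-secrets; if the provider also authenticates with PAP, pap-secrets usually carries the same credential and needs the same treatment.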

52
ANW-KM/cron_root.ANW-KM Normal file

@ -0,0 +1,52 @@
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.kbCNiX/crontab installed on Mon Apr 10 18:45:46 2017)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
## adjust system time
##
#23 0-23/4 * * * /usr/sbin/ntpdate ptbtime2.ptb.de > /dev/null
## check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
## if not set this entry to "1"
##
0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
## check if pppd is running and internet access works. if
## not restart it
##
#1-59/10 * * * * /root/bin/check_inet.sh
1-59/10 * * * * /root/bin/monitoring/check_dns.sh
## check if openvpn is running if not restart the service
##
0-59/30 * * * * /root/bin/monitoring/check_vpn.sh
## - copy gateway configuration
## -
13 4 * * * /root/bin/manage-gw-config/copy_gateway-config.sh ANW-KM


@ -0,0 +1,14 @@
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
protocol=dyndns2
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
server=members.dyndns.org
login=ckubu
password=7213b4e6178a11e6ab1362f831f6741e
anw-km.homelinux.org
ssl=yes
mail=root
mail-failure=root
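Review bot: The `password=` line carries the dyndns account password in clear text next to `login=ckubu`, so the credential should be rotated and the committed file replaced by a template with a placeholder; ddclient reads this file as root and it is normally kept mode 600, which a repository copy does not preserve. `use=web, web=checkip.dyndns.com/` presumably fetches the public address over plain HTTP, and `ssl=yes` does not cover that lookup because it applies to the update request sent to `server=members.dyndns.org`, so the address that gets published depends on an unauthenticated response; an https checkip URL, if the provider offers one, would close that gap.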

212
ANW-KM/dhcpd.conf.ANW-KM Normal file

@ -0,0 +1,212 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.122.255;
option domain-name "anw-km.netz";
option domain-name-servers 192.168.122.1;
option routers 192.168.122.254;
default-lease-time 43200;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 192.168.122.0 netmask 255.255.255.0 {
# --- 192.168.22.160/27 ---
# network address....: 192.168.22.160
# Broadcast address..: 192.168.22.191
# netmask............: 255.255.255.224
# network range......: 192.168.22.160 - 192.168.22.191
# Usable range.......: 192.168.22.161 - 192.168.22.190
range 192.168.122.161 192.168.122.190;
option domain-name "anw-km.netz";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.122.255;
option domain-name-servers 192.168.122.53;
option routers 192.168.122.254;
default-lease-time 43200;
max-lease-time 86400;
}
host hl-5380dn {
hardware ethernet 30:05:5c:7a:09:15;
fixed-address hl-5380dn.anw-km.netz ;
}
host utax_lp_3235 {
hardware ethernet 00:C0:EE:62:9F:32;
fixed-address utax_lp_3235.anw-km.netz;
}
host file-km {
hardware ethernet 00:30:48:8C:DE:C0;
fixed-address file-km.anw-km.netz ;
}
host file-win7 {
hardware ethernet 52:54:00:59:ff:08;
fixed-address file-win7.anw-km.netz ;
}
host accesspoint {
hardware ethernet C4:3D:C7:BC:40:31;
fixed-address accesspoint.anw-km.netz ;
}
## - Desktop PC's
## -
host berenice-alt {
#fixed-address karsten.anw-km.netz ;
hardware ethernet e8:40:f2:ec:c6:af ;
fixed-address berenice-alt.anw-km.netz ;
}
host berenice {
hardware ethernet 80:ee:73:b9:89:78 ;
fixed-address berenice.anw-km.netz ;
}
host buero {
hardware ethernet 00:11:6B:97:C8:B9 ;
fixed-address buero.anw-km.netz ;
}
host buero2 {
hardware ethernet 00:27:0E:11:C9:D0 ;
fixed-address buero2.anw-km.netz ;
}
host buero3 {
#- interne karte - defekt
#hardware ethernet 00:27:0E:1C:DF:4D ;
hardware ethernet 00:1b:21:4d:c2:25 ;
fixed-address buero3.anw-km.netz ;
}
## - eth0 laptop berenice
## -
host berenice-laptop1 {
hardware ethernet 00:1D:72:8A:EE:BB ;
fixed-address berenice-laptop.anw-km.netz ;
}
## - wireless device laptop berenice
## -
host berenice-laptop {
hardware ethernet 00:1F:3B:4F:CF:0D ;
fixed-address berenice-laptop.anw-km.netz ;
}
host panic {
hardware ethernet 00:11:25:31:64:50 ;
fixed-address panic.anw-km.netz ;
}
host crash {
hardware ethernet 00:14:85:28:94:B1 ;
fixed-address crash.anw-km.netz ;
}
## host siemens_gigaset_515 {
## hardware ethernet 00:01:E3:08:4A:75 ;
## fixed-address siemens_gigaset_515.opp.local ;
## }
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
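Review bot: The global `option domain-name-servers 192.168.122.1;` does not match the subnet-level `192.168.122.53`, which is the address named listens on and which the interfaces file assigns to eth1:0, and nothing in this commit assigns .1, so the global default looks stale; it only takes effect where the subnet block does not override it, but it is wrong wherever it does apply, and `option domain-name-servers 192.168.122.53;` would make the two agree. The host `utax_lp_3235` uses `fixed-address utax_lp_3235.anw-km.netz;` while the forward zone in this commit defines the name as `utax-lp-3235` with hyphens; dhcpd resolves fixed-address host names when it reads the configuration, so an unresolvable name is presumably a start-up error rather than a runtime one (worth confirming against the installed version), and writing the address numerically also removes the dependency on DNS being up when dhcpd starts. The `panic` and `crash` declarations reference names the forward zone does not define and have the same exposure. The comment block above the `range` line describes `192.168.22.160/27`, a different network from the `192.168.122.0/24` subnet it sits in, and should be corrected or removed.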

38
ANW-KM/email_notice.ANW-KM Executable file

@ -0,0 +1,38 @@
#!/bin/sh
file=/tmp/mail_ip-up$$
admin_email=argus@oopen.de
from_address=ip-up_anw-km@oopen.de
from_name="ip-up - ANW-KM"
echo "" > $file
echo " ********************************************************" >> $file
echo " *** This is an autogenerated mail from `hostname -f` ***" >> $file
echo "" >> $file
echo " I brought up the ppp-daemon with the following" >> $file
echo -e " parameters:\n" >> $file
echo -e "\tInterface name...............: $PPP_IFACE" >> $file
echo -e "\tThe tty......................: $PPP_TTY" >> $file
echo -e "\tThe link speed...............: $PPP_SPEED" >> $file
echo -e "\tLocal IP number..............: $PPP_LOCAL" >> $file
echo -e "\tPeer IP number..............: $PPP_REMOTE" >> $file
if [ "$USEPEERDNS" ] && [ "$DNS1" ] ; then
echo -e "\tNameserver 1.................: $DNS1" >> $file
if [ "$DNS2" ] ; then
echo -e "\tNameserver 2.................: $DNS2" >> $file
fi
fi
echo -e "\tOptional \"ipparam\" value.....: $PPP_IPPARAM" >> $file
echo "" >> $file
echo -e "\tDate.........................: `date +\"%d.%m.%Y\"`" >> $file
echo -e "\tTime.........................: `date +\"%H:%M:%S\"`" >> $file
echo "" >> $file
echo " ********************************************************" >> $file
/bin/echo -e "From:${from_name} <${from_address}>\nTo:${admin_email}\nSubject: $PPP_LOCAL\n`cat $file`" | /usr/sbin/sendmail $admin_email
rm -f $file
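Review bot: `file=/tmp/mail_ip-up$$` names a predictable path in the world-writable /tmp, and the script, presumably run as root from pppd's ip-up hook, truncates whatever is at that path with `echo "" > $file`, which is the classic temporary-file race; the file should be created with `file=$(mktemp /tmp/mail_ip-up.XXXXXX) || exit 1` and removed on exit with `trap 'rm -f "$file"' EXIT` in place of the trailing `rm -f $file`. The body is written with `echo -e` under `#!/bin/sh`; on Debian, where /bin/sh is dash, the builtin echo does not accept `-e` and prints it literally, so every `\t` line would start with `-e` in the mail — `printf` is the portable replacement (the `/bin/echo -e` that assembles the headers is the external command and does accept the flag). `$file` is unquoted throughout; harmless with the mktemp name, but worth quoting for consistency.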

3
ANW-KM/generic.ANW-KM Normal file

@ -0,0 +1,3 @@
root@gw-km.anw-km.netz root_anw-km@oopen.de
cron@gw-km.anw-km.netz cron_anw-km@oopen.de
@gw-km.anw-km.netz other_anw-km@oopen.de

BIN
ANW-KM/generic.db.ANW-KM Normal file

Binary file not shown.

1
ANW-KM/hostname.ANW-KM Normal file

@ -0,0 +1 @@
gw-km

9
ANW-KM/hosts.ANW-KM Normal file

@ -0,0 +1,9 @@
127.0.0.1 localhost
127.0.1.1 gw-km.anw-km.netz gw-km
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

49
ANW-KM/interfaces.ANW-KM Normal file

@ -0,0 +1,49 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#-----------------------------
# lo - loopback interface
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth2 - WAN
#-----------------------------
auto eth2
iface eth2 inet static
address 192.168.2.254
network 192.168.2.0
netmask 255.255.255.0
broadcast 192.168.2.255
gateway 192.168.2.1
dns-nameservers 127.0.0.1
dns-search anw-km.netz
#auto dsl-provider
#iface dsl-provider inet ppp
# pre-up /sbin/ifconfig eth2 up # line maintained by pppoeconf
# provider dsl-provider
#-----------------------------
# eth1 - LAN
#-----------------------------
auto eth1
iface eth1 inet static
address 192.168.122.254
network 192.168.122.0
netmask 255.255.255.0
broadcast 192.168.122.255
auto eth1:0
iface eth1:0 inet static
address 192.168.122.53
network 192.168.122.0
netmask 255.255.255.0
broadcast 192.168.122.255
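Review bot: This file makes eth2 the WAN uplink (the `# eth2 - WAN` stanza with `gateway 192.168.2.1`) and the README in the same commit describes eth0 as the optional WLAN or second LAN, but ipt-firewall.ANW-KM sets `ext_if="eth0"` under the commented `#ext_if="ppp+"`, so the `-t nat -A POSTROUTING -o $ext_if -j MASQUERADE` rule and the INPUT fragment drop keyed on `$ext_if` would act on an inside interface rather than on eth2; unless the firewall is meant to be edited per deployment, which the README hints at without mentioning ext_if, that line should read `ext_if="eth2"`. The firewall section continues past the end of this page, so the remaining uses of `$ext_if` are not visible here. The commented `dsl-provider` stanza still says `pre-up /sbin/ifconfig eth2 up`, which is consistent with eth2 being the uplink, and `dns-nameservers 127.0.0.1` agrees with named listening on loopback in the options file.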

841
ANW-KM/ipt-firewall.ANW-KM Executable file

@ -0,0 +1,841 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: ipt-firewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
## -Load modules for FTP Connection tracking and NAT
## -
/sbin/modprobe ip_tables > /dev/null 2>&1
modprobe ip_conntrack > /dev/null 2>&1
modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_to_lo=false
log_blocked=false
log_rejected=false
# IP's / IP-Ranges to block
#
# 222.184.0.0 CHINANET-JS
# 61.160.0.0/16 - CHINANET-JS
# 116.8.0.0/14 CHINANET-GX
# 70.42.149.69 - ssh attack 30.06.2014
#
#blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14 70.42.149.69"
blocked_ips=""
ipt="/sbin/iptables"
local_ip="192.168.122.254"
local_net="192.168.122.254/24"
local_if="eth1"
#ext_if="ppp+"
ext_if="eth0"
vpn_if="tun+"
# unpriviligierte Ports
unprivports="1024:65535"
loopback="127.0.0.0/8"
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
class_d_multicast="224.0.0.0/4"
class_e_reserved="240.0.0.0/5"
broadcast_addr="83.223.85.255"
## - IP Forwarding aktivieren
## -
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 5 > /proc/sys/net/ipv4/ip_dynaddr
## - Reduce DoS'ing ability by reducing timeouts
## -
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
## - SYN COOKIES
## -
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## - Schutz gegen gefälschte Fehlermeldungen einschalten.
## -
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
## - Ignorieren von broadcast Pings
## -
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## - NO SOURCE ROUTE
## -
## - Sperren von quellbasierendem Paket-Routing
## -
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $asr
done
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - ANTISPOOFING
## -
## - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
## - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
## - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
## - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
## - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
## - nicht voll funktionsfähig ist.
## -
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $rp_filter
done
## - NUMBER OF CONNECTIONS TO TRACK
## -
echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
## - Protokollieren von Paketen die gespoofed sind, quellbasierendes
## - Routing verwenden oder Umleitungen sind.
## -
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
while read p; do
case $p in
-*) $ipt $p;;
esac
done << EOR
## - default policies
## -
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-t nat -P PREROUTING ACCEPT
-t nat -P POSTROUTING ACCEPT
-t nat -P OUTPUT ACCEPT
## - flush chains
## -
-F
-F INPUT
-F OUTPUT
-F FORWARD
-F -t mangle
-F -t nat
-X
-Z
-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOR
## - Protection against syn-flooding
## -
## - chains to DROP too many SYNs
## -
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j LOG --log-prefix "IPv4: SYN flood: " --log-level debug
fi
$ipt -A syn-flood -j DROP
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
if $log_fragments || $log_all ; then
$ipt -A INPUT -i $ext_if -f -j LOG --log-prefix "IPv4: IPTABLES FRAGMENTS: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -f -j DROP
# - drop new packages without syn flag
## -
if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
## - drop invalid packages
## -
if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "IPv4: Invalid state: " --log-level debug
fi
$ipt -A INPUT -m state --state INVALID -j DROP
## - ungewöhnliche Flags verwerfen
## -
if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## - private Adressen auf externen interface verwerfen
## -
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $ext_if -s $local_ip -j LOG --log-prefix "IPv4: Spoofed (own ip): " --log-level debug
fi
$ipt -A INPUT -i $ext_if -s $local_ip -j DROP
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "IPv4: Class A private net: " --log-level debug
$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "IPv4: Class B private net: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "IPv4: Class C private net: " --log-level debug
$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "IPv4: From Loopback: " --log-level debug
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j LOG --log-prefix "IPv4: Class D Multicast: " --log-level debug
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j LOG --log-prefix "IPv4: Class E reserved: " --log-level debug
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j LOG --log-prefix "IPv4: Broadcast Address: " --log-level debug
fi
# Refuse packets claiming to be from a Class A private network.
$ipt -A INPUT -i $ext_if -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $ext_if -s $loopback -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $ext_if -d $loopback -j LOG --log-prefix "IPv4: To Loopback: " --log-level debug
fi
$ipt -A INPUT -i $ext_if -d $loopback -j DROP
# Don't allow spoofing from that server
$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $ext_if -s $loopback -j DROP
# ------------- CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
#
for _ip in $blocked_ips ; do
if $log_blocked || $log_all ; then
$ipt -A INPUT -i $ext_if -s $_ip -j LOG --log-prefix "IPv4: Blocked ${_ip}: " --log-level debug
fi
$ipt -A INPUT -p ALL -s $_ip -j DROP
done
#
# ------------- Ende: CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
case $1 in
sto*) exit 0;;
esac
while read r; do
case $r in
-*) $ipt $r;;
esac
done << EOR
-A FORWARD -s 192.168.63.40 -p ALL -j ACCEPT
-A FORWARD -d 192.168.63.40 -p ALL -j ACCEPT
# ------------- das loopbackdevice -------------
# alles erlaubt
#
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---------- Ende: das loopbackdevice ----------
# ---------- initialen Verkehr ----------
# von drinnen nach drausssen
#
#-A FORWARD -i $local_if -o $ext_if -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p ALL -m state --state NEW -j ACCEPT
#
# ------- Ende: initialen Verkehr -------
# ------------- betsehende Verbindungen -------------
# bereits bestehende Verbindungen durchlassen
#
# -- rein --
#
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- raus --
#
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# foreward
#
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ---------- Ende betsehende Verbindungen -----------
# ------------- OpenVPN -------------
#
# -- initial via internet
#
#-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1196 -m state --state NEW -j ACCEPT
#
# -- initial via lan
-A INPUT -p udp -i $local_if --dport 1194 -m state --state NEW -j ACCEPT
#
# -- ausgehende Anfragen
#
#-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- forward
#
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- alles via vpn device zulassen/durchrouten
#
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -j ACCEPT
-A FORWARD -o $vpn_if -j ACCEPT
#
# ---------- Ende: OpenVPN ----------
# ------------- smbclient / smbmount -------------
#
-A OUTPUT -o $local_if -p tcp --dport 445 -j ACCEPT
-A OUTPUT -o $local_if -p tcp --dport 137:139 -j ACCEPT
#
# ---------- Ende smbclient / smbmount -----------
# ------------- grundsaetzlich ablehnen -------------
#
# reinlaufenden windows kram
#
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p udp -i $local_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $local_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
-A INPUT -p tcp -i $local_if --dport 445 -j DROP
#
# .. und forwards
#
-A FORWARD -i $local_if -o $ext_if -p tcp --dport 137:139 -j DROP
-A FORWARD -i $local_if -o $ext_if -p tcp --dport 445 -j DROP
#
#
# authentication tap ident
#
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
#
#
# Location Service
#
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
#
# ---------- Ende: grundsaetzlich ablehnen -------------
# ------------- Wake on Lan -------------
#
-A OUTPUT -p udp -o $local_if --dport 9 -j ACCEPT
#
# ---------- Ende: Wake on Lan ----------
# ------------- SSH -------------
# reingehende Anfragen
#
-A INPUT -p tcp --syn -i $local_if --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --syn -i $ext_if --dport 22 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p tcp --syn -o $local_if --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 22 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -p tcp --syn -o $ext_if --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -i $ext_if --dport 22 -m state --state NEW -j ACCEPT
#
# ---------- Ende SSH ------------
# ------------- DHCP -------------
# reingehende Anfragen
#
-A INPUT -p udp -i $local_if -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p udp -o $local_if --sport 67 -d 0/0 --dport 68 -j ACCEPT
#
# ---------- Ende DHCP ------------
# ------------- DNS -------------
#
# nameserver
#
# -- rein --
#
-A INPUT -i $local_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# -- raus --
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# ---------- Ende DNS -----------
# ------------- MAIL -------------
# rausgehende SMTP-Verbindungen akzeptieren
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
# smtp
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# submission
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
#
# smtps
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
#
# pop
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
#
# pop/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
#
# imap
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
#
# imap/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
#
# ---------- Ende MAIL -----------
# ------------- HTTP -------------
#
# rausgehende Verbindungen vom Gateway akzeptieren
# ( update clamav/freshclam, dyndns, apt-get )
#
-A OUTPUT -p tcp --syn -o $local_if --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $local_if --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
-A FORWARD -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
#
#-A FORWARD -p tcp --syn -o $ext_if --dport 8443 -m state --state NEW -j ACCEPT
#-A FORWARD -p tcp --syn -o $ext_if --dport 8000:8180 -m state --state NEW -j ACCEPT
#
# ---------- Ende HTTP -----------
# ------------- FTP -------------
#
# ausgehende Anfragen
#
# (Datenkanal aktiv)
-A INPUT -i $local_if -p tcp --sport 20 -j ACCEPT
# (Datenkanal passiv)
-A OUTPUT -o $local_if -p tcp --sport $unprivports --dport $unprivports -j ACCEPT
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -j ACCEPT
# (Kontrollverbindung)
-A OUTPUT -o $local_if -p tcp --dport 21 -j ACCEPT
-A OUTPUT -o $ext_if -p tcp --dport 21 -j ACCEPT
#
# forward - nur Verbindungen nach draussen
#
-A FORWARD -p tcp -o $ext_if --dport 20 -j ACCEPT
-A FORWARD -p tcp -o $ext_if --dport 21 -j ACCEPT
-A FORWARD -p tcp -o $ext_if --sport $unprivports --dport $unprivports -j ACCEPT
#
# ---------- Ende FTP -----------
# ------------- NTP -------------
# (network time protokoll)
#
# rein
#
-A INPUT -i $local_if -p udp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if -p tcp --sport 123 -m state --state NEW -j ACCEPT
#
# raus
#
-A OUTPUT -o $ext_if -p tcp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 123 -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 123 -j ACCEPT
#
# ---------- Ende NTP -----------
# ------------- pgpkeyserver -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
#
# ---------- Ende pgpkeyserver ------------
# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
#
# ldaps LDAP over SSL
#
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 636 -j ACCEPT
#
# ---------- Ende ldap ------------
# ------------- Newsserver nntp -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
#
# ---------- Ende Newsserver nntp ------------
# ------------- Whois -------------
# nur ausgehende Anfragen und forward
#
#
-A OUTPUT -o $ext_if -p tcp --dport 43 -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 43 -j ACCEPT
#
# ---------- Ende Whois ----------
# ------------- Chat -------------
# --- silc ---
#
# Forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
#
# --- irc ---
#
# forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
#
# ---jabber ---
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5222:5223 -m state --state NEW -j ACCEPT
#
# ---------- Ende chat ------------
# ------------- HBCI -------------
# hbci - port 3000/tcp
#
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
#
# ---------- Ende HBCI -----------
# ------------- Hylafax (Port 4559) -------------
# reingehende Verbindungen zum Hylafax-Server
#
-A INPUT -i $local_if -p tcp --dport 4559 -m state --state NEW -j ACCEPT
#
# ---------- Ende Hylafax -----------
# ------------- CUPS -------------
# (cupssys printer system)
#
-A FORWARD -i $local_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
#
# ---------- Ende CUPS -----------
# ------------- Drucken Port 9100 -------------
#
-A FORWARD -i $local_if -p tcp --dport 9100 -m state --state NEW -j ACCEPT
#
# ---------- Ende Drucken Port 9100 -----------
# ---------- SNMP ----------
#
#-A FORWARD -i $local_if -p tcp --dport 161 -m state --state NEW -j ACCEPT
#
# ---------- SNMP ----------
# ------------- VOIP -------------
#
# SIP
#
# Standard:
# Port: 5060 / UDP (SIP-Signalisierung)
# Port: 5004 / UDP (RTP, Sprache)
# Port: 10000 UDP (STUN)
#
# X-Lite:
# Port 5060 / UDP
# Port 8000 - 8019 / UDP
# Port 10000 /UDP
# reingehende Anfragen
#
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
#
# SKIPE
#
# reingehende Anfragen
#
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
#
# ausgehende Anfragen
#
#
# Forward -- Anfragen von draussen
#
# -- Linux
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
#
# ---------- Ende VOIP ------------
# ------------- Traceroute -------------
#
-A OUTPUT -p udp --dport 33434:33530 -o $local_if -j ACCEPT
-A INPUT -p udp --dport 33434:33530 -i $local_if -j ACCEPT
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# -------- Ende Traceroute -------------
# ------------ Ping ------------
#
# -- rein
-A INPUT -p icmp -j ACCEPT
#
# -- raus
-A OUTPUT -p icmp -j ACCEPT
#
# -- forward
-A FORWARD -p icmp -j ACCEPT
#
# ------- Ende Ping ------------
# ------------ Portforwarding ------------- #
# -
# -- VNC berenice ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5901 -j DNAT --to 192.168.122.111:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.111 \
# -i $ext_if -o $local_if -j ACCEPT
#
# -- VNC buero ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5902 -j DNAT --to 192.168.122.112:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.112 \
# -i $ext_if -o $local_if -j ACCEPT
#
# -- VNC buero3 ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5913 -j DNAT --to 192.168.122.113:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.113 \
# -i $ext_if -o $local_if -j ACCEPT
#
# -- VNC Karsten ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5904 -j DNAT --to 192.168.122.110:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.110 \
# -i $ext_if -o $local_if -j ACCEPT
#
# -- VNC file-km (windows7) ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5905 -j DNAT --to 192.168.122.10:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.10 \
# -i $ext_if -o $local_if -j ACCEPT
#
# -
# -- SSH file-anw ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 9999 -j DNAT --to 192.168.122.10:22
#-t filter -A FORWARD -p tcp --dport 22 -d 192.168.122.10 \
# -i $ext_if -o $local_if -j ACCEPT
#
# ---------- Ende Portforwarding ---------- #
EOR
# ------------- Loggen -------------
#
if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
#$ipt -A INPUT -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
#$ipt -A FORWARD -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
$ipt -A FORWARD -m limit --limit-burst 2 -j LOG "IPv4: Rejected: " --log-level debug
fi
#
# ---------- Ende: Loggen ----------
# ------------- DROP -------------
# drop all other for all interfaces..
#
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP
#
# ---------- Ende: DROP ----------
exit 0


@ -0,0 +1,14 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
SyslogIdentifier="ipt-gateway"
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-gateway start
ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
User=root
[Install]
WantedBy=multi-user.target
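Review bot: The `ExecStop=/usr/local/sbin/ipt-firewall-gateway stop` line leaves the gateway accept-all rather than closed: as far as the visible tail of the firewall script shows, the stop path (`sto*) exit 0`) returns right after the default policies are set to ACCEPT (`-P INPUT ACCEPT`, `-P FORWARD ACCEPT`) and the chains are flushed, before the service rules and the final DROP rules are installed, so `systemctl stop` on a host whose eth2 is the public uplink means no filtering at all. Either make the stop path install DROP policies for INPUT and FORWARD, or state in `Description=` that stopping the unit disables filtering so nobody uses stop/start as a reload. For the start side, consider `DefaultDependencies=no`, `Before=network-pre.target` and `Wants=network-pre.target` in place of `After=network.target`, so the ruleset is in place before the interfaces come up and there is no accept-all window during boot. `User=root` is the default for system services and can be dropped, and the quotes in `SyslogIdentifier="ipt-gateway"` are presumably taken literally for this setting — verify with `journalctl -t ipt-gateway`.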


@ -0,0 +1,39 @@
#!/usr/bin/env bash
# =============
# --- Define Ports for Services out
# =============
standard_ident_port=113
standard_silc_port=706
standard_irc_port=6667
standard_jabber_port=5222
standard_smtp_port=25
standard_ssh_port=22
standard_http_port=80
standard_https_port=443
standard_ftp_port=21
standard_tftp_udp_port=69
standard_ntp_port=123
standard_snmp_port=161
standard_snmp_trap_port=162
standard_timeserver_port=37
standard_pgp_keyserver_port=11371
standard_telnet_port=23
standard_whois_port=43
standard_cpan_wait_port=1404
standard_xymon_port=1984
standard_hbci_port=3000
standard_mysql_port=3306
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_print_raw_port=515
standard_print_port=9100
standard_remote_console_port=5900
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
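Review bot: `standard_print_raw_port=515` is mislabeled: TCP 515 is the LPD/lpr spooler port, while raw (JetDirect) printing is 9100, which this file already defines as `standard_print_port`, so a rule author going by the name will open the wrong port. Rename it to `standard_print_lpd_port=515` (keeping the old name as an alias if anything already sources it) or at least annotate it: `# 515/tcp is LPD/lpr, not raw printing; raw JetDirect is 9100 (standard_print_port)`. `standard_irc_port=6667` also disagrees with the 194 that the visible tail of the firewall script hard-codes for IRC; if the script is meant to consume these definitions, one of the two should change, otherwise a comment should say which value is authoritative.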


@ -0,0 +1,113 @@
#!/usr/bin/env bash
# =============
# --- Some functions
# =============
# - Is this script running on terminal ?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
else
echo " [ done ]"
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
else
echo " [ ok ]"
fi
}
echo_warning() {
if $terminal ; then
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
else
echo " [ warning ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
else
echo ' [ failed! ]'
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
echo " [ skipped ]"
fi
}
fatal (){
echo ""
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
echo ""
echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
else
echo "fatal: $*"
echo "Firewall Script will be interrupted.."
fi
echo ""
exit 1
}
error(){
echo ""
if $terminal ; then
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
else
echo "Error: $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "Warning: $*"
fi
echo ""
}
info (){
echo ""
if $terminal ; then
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
else
echo "Info: $*"
fi
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
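Review bot: `echononl` writes to the predictable path `/tmp/shprompt$$` and the firewall unit in this commit runs the script as root, so unless `fs.protected_symlinks` is enabled a local user who pre-creates a symlink at that guessable name gets root to write into an arbitrary file, a classic /tmp symlink race. The temporary file only exists to probe whether `echo` understands `\c`, which is unnecessary in a bash script: replace the function body with `printf '%b' "$*" 1>&2`, which interprets the same backslash escapes as `echo -e` and never appends a newline, or at minimum create the file with `mktemp`. Note also that `terminal` is decided by testing stdout (`[[ -t 1 ]]`) while `echononl` writes to stderr, so the colour decision and the stream the prompt goes to can disagree when only one of them is redirected.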


@ -0,0 +1,51 @@
#!/usr/bin/env bash
# =============
# --- Define Network Interfaces / Ip-Adresses / Ports
# =============
# - Extern Interfaces DSL Lines
# - (blank separated list)
ext_if_dsl_1=""
ext_if_dsl_2=""
ext_if_dsl_3=""
ext_if_dsl_4=""
ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
# - Extern Interfaces Static Lines
# - (blank separated list)
ext_if_static_1="eth2"
ext_if_static_2=""
ext_if_static_3=""
ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
# - VPN Interfaces
# - (blank separated list)
vpn_ifs="tun+"
# - Local Interfaces
local_if_1="eth1"
local_if_2=""
local_if_3=""
local_if_4=""
local_if_5=""
local_if_6=""
local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices="eth0"
# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true
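Review bot: `nat_devices="eth0"` masquerades eth0, while the only declared external interface, `ext_if_static_1="eth2"`, is not natted at all: the comment just above says only the `ext_if_dsl_n` devices are masqueraded implicitly, and the array-building script in this commit adds static external interfaces to `ext_if_arr` but not to `nat_device_arr`. With the gateway sitting on a private 192.168.122.x address (see the postfix configuration in this commit), traffic leaving eth2 would then carry private source addresses, so either add eth2 to `nat_devices` or add a comment stating that an upstream router performs the NAT and why eth0 is the masqueraded device. `local_ifs=` is also assigned twice on consecutive lines; drop the duplicate.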


@ -0,0 +1,36 @@
# =============
# - Load Kernel Modules
# =============
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
ip_tables
iptable_nat
iptable_filter
iptable_mangle
iptable_raw
# - Load base modules for tracking
# -
nf_conntrack
nf_nat
# - Load module for FTP Connection tracking and NAT
# -
nf_conntrack_ftp
nf_nat_ftp
# - Load modules for SIP VOIP
# -
nf_conntrack_sip
nf_nat_sip
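Review bot: The header comment instructs the operator to set `net.netfilter.nf_conntrack_helper = 1`, which re-enables the automatic helper assignment the kernel disabled on purpose: with it on, the `nf_conntrack_ftp` and `nf_conntrack_sip` modules loaded below inspect the untrusted payload of every connection to 21/tcp and 5060 on every interface and open expectation pinholes for whatever addresses they find, which is exactly what helper-based NAT-bypass attacks rely on. The safer pattern is to keep the sysctl at 0 and bind helpers explicitly where they are needed, e.g. `iptables -t raw -A PREROUTING -i eth1 -p tcp --dport 21 -j CT --helper ftp` and the equivalent `--helper sip` for udp/5060, limited to the local interfaces and ideally to the telephone systems' addresses. I would rewrite the comment to describe that approach and to say explicitly that the sysctl is a global, all-interfaces switch; the module list itself can stay.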


@ -0,0 +1,9 @@
# =============
# - Load Kernel Modules
# =============
ip6_tables
ip6table_filter
ip6t_REJECT
ip6table_mangle


@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=true
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv4:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""
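Review bot: `log_level=debug` and `log_prefix="IPv4:"` read as the one place to tune logging, but every LOG rule in the visible tail of the firewall script hard-codes `--log-level debug` and a literal `"IPv4: …"` prefix, so changing either variable has no effect there (the script's beginning is outside this view, so the rest may differ). Either make the rules use `--log-level $log_level --log-prefix "$log_prefix …"` or mark both values as informational with `# NOTE: the LOG rules currently hard-code level and prefix; these values are not consumed`. Since `log_rejected=true` is the only flag enabled, note that the catch-all FORWARD LOG rule in that tail is missing `--log-prefix` before its prefix string and will fail with a bad-argument error when this flag is on, and that all three catch-all rules use `-m limit` with only `--limit-burst`, so the default rate of 3/hour applies — harmless for syslog but too coarse to be useful for detection, and worth stating here. Also `givven` → `given` in the last comment.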


@ -0,0 +1,40 @@
#!/usr/bin/env bash
# =============
# --- Logging
# =============
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
# - logging messages
# -
log_prefix="IPv6:"
# ---
# - Log all traffic for givven ip address
# ---
log_ips=""
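Review bot: This file is a copy of the IPv4 logging configuration apart from `log_rejected=false` and `log_prefix="IPv6:"`, and such twins drift: a flag added or renamed in one will be missing in the other. Either source one shared file that takes the protocol as a parameter (`log_prefix="${proto}:"`) or add a header comment in each pointing at its twin and listing the deliberate differences, so a reviewer knows that rejected-packet logging being off only for IPv6 is intentional. Also `givven` → `given` in the last comment.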



@ -0,0 +1,454 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# - Masquerade TCP Connections
# ---
declare -a masquerade_tcp_con_arr
for _str in $masquerade_tcp_cons ; do
masquerade_tcp_con_arr+=("$_str")
done
# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a nat_device_arr
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done
for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev")
done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Allow these local networks any access to the internet
# ---
declare -a any_access_to_inet_network_arr
for _net in $any_access_to_inet_networks ; do
any_access_to_inet_network_arr+=("$_net")
done
# ---
# - Allow local services from given local networks
# ---
declare -a allow_local_net_to_local_service_arr
for _val in $allow_local_net_to_local_service ; do
allow_local_net_to_local_service_arr+=("$_val")
done
# ---
# - Allow all traffic from local network to local ip-address
# ---
declare -a allow_local_net_to_local_ip_arr
for _val in $allow_local_net_to_local_ip ; do
allow_local_net_to_local_ip_arr+=("$_val")
done
# ---
# - Allow all traffic from local ip-address to local network
# ---
declare -a allow_local_ip_to_local_net_arr
for _val in $allow_local_ip_to_local_net ; do
allow_local_ip_to_local_net_arr+=("$_val")
done
# ---
# - Allow all traffic from (one) local network to (another) local network
# ---
declare -a allow_local_net_to_local_net_arr
for _val in $allow_local_net_to_local_net ; do
allow_local_net_to_local_net_arr+=("$_val")
done
# ---
# - Allow local ip address from given local interface
# ---
declare -a allow_local_if_to_local_ip_arr
for _val in $allow_local_if_to_local_ip ; do
allow_local_if_to_local_ip_arr+=("$_val")
done
# ---
# - Separate local Networks
# ---
declare -a separate_local_network_arr
for _net in $separate_local_networks ; do
separate_local_network_arr+=("$_net")
done
# ---
# - Separate local Interfaces
# ---
declare -a separate_local_if_arr
for _net in $separate_local_ifs ; do
separate_local_if_arr+=("$_net")
done
# ---
# - Generally block ports on extern interfaces
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Not wanted on intern interfaces
# ---
declare -a not_wanted_on_gw_tcp_port_arr
for _port in $not_wanted_on_gw_tcp_ports ; do
not_wanted_on_gw_tcp_port_arr+=("$_port")
done
declare -a not_wanted_on_gw_udp_port_arr
for _port in $not_wanted_on_gw_udp_ports ; do
not_wanted_on_gw_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - IP Addresses DHCP Failover Server
# ---
declare -a dhcp_failover_server_ip_arr
for _ip in $dhcp_failover_server_ips ; do
dhcp_failover_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SSH Server only at ocal Networks
# ---
declare -a ssh_server_only_local_ip_arr
for _ip in $ssh_server_only_local_ips ; do
ssh_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses HTTP Server only local Networks
# ---
declare -a http_server_only_local_ip_arr
for _ip in $http_server_only_local_ips ; do
http_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Mail Server only local Networks
# ---
declare -a mail_server_only_local_ip_arr
for _ip in $mail_server_only_local_ips ; do
mail_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_only_local_ip_arr
for _ip in $ftp_server_only_local_ips ; do
ftp_server_only_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Samba Server
# ---
declare -a samba_server_local_ip_arr
for _ip in $samba_server_local_ips ; do
samba_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses LDAP Server
# ---
declare -a ldap_server_local_ip_arr
for _ip in $ldap_server_local_ips ; do
ldap_server_local_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Telephone Systems
# ---
declare -a tele_sys_ip_arr
for _ip in $tele_sys_ips ; do
tele_sys_ip_arr+=("$_ip")
done
# ---
# - IP Adresses SNMP Server
# ---
declare -a snmp_server_ip_arr
for _ip in $snmp_server_ips ; do
snmp_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Munin Service
# ---
declare -a munin_local_server_ip_arr
for _ip in $munin_local_server_ips ; do
munin_local_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Adresses IPMI interface
# ---
declare -a ipmi_server_ip_arr
for _ip in $ipmi_server_ips ; do
ipmi_server_ip_arr+=("$_ip")
done
# ---
# -IP Addresses Ubiquiti Unifi Accesspoints
# ---
declare -a unifi_ap_local_ip_arr
for _ip in $unifi_ap_local_ips ; do
unifi_ap_local_ip_arr+=("$_ip")
done
declare -a unifi_controller_gateway_ip_arr
for _ip in $unifi_controller_gateway_ips ; do
unifi_controller_gateway_ip_arr+=("$_ip")
done
declare -a unify_controller_local_net_ip_arr
for _ip in $unify_controller_local_net_ips ; do
unify_controller_local_net_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Printer
# -
declare -a printer_ip_arr
for _ip in $printer_ips ; do
printer_ip_arr+=("$_ip")
done
# ---
# - IP Adresses Brother Scanner (brscan)
# ---
declare -a brother_scanner_ip_arr
for _ip in $brother_scanner_ips ; do
brother_scanner_ip_arr+=("$_ip")
done
# ---
# - IP Addresses PCNS Server
# ---
declare -a pcns_server_ip_arr
for _ip in $pcns_server_ips ; do
pcns_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses VNC Service
# ---
declare -a rm_server_ip_arr
for _ip in $rm_server_ips ; do
rm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# ---
# - Other local Services
# ---
declare -a other_service_arr
for _val in $other_services ; do
other_service_arr+=("$_val")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
declare -a vpn_gw_port_arr
for _port in $vpn_gw_ports ; do
vpn_gw_port_arr+=("$_port")
done
declare -a vpn_local_net_port_arr
for _port in $vpn_local_net_ports ; do
vpn_local_net_port_arr+=("$_port")
done
declare -a vpn_out_port_arr
for _port in $vpn_out_ports ; do
vpn_out_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Samba Ports
# ---
declare -a samba_udp_port_arr
for _port in $samba_udp_ports ; do
samba_udp_port_arr+=("$_port")
done
declare -a samba_tcp_port_arr
for _port in $samba_tcp_ports ; do
samba_tcp_port_arr+=("$_port")
done
# ---
# - LDAP Ports
# ---
declare -a ldap_udp_port_arr
for _port in $ldap_udp_ports ; do
ldap_udp_port_arr+=("$_port")
done
declare -a ldap_tcp_port_arr
for _port in $ldap_tcp_ports ; do
ldap_tcp_port_arr+=("$_port")
done
# ---
# - IPMI
# ---
declare -a ipmi_udp_port_arr
for _port in $ipmi_udp_ports ; do
ipmi_udp_port_arr+=("$_port")
done
declare -a ipmi_tcp_port_arr
for _port in $ipmi_tcp_ports ; do
ipmi_tcp_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
# ---
# - MAC Address Filtering
# ---
declare -a allow_all_mac_src_address_arr
for _mac in $allow_all_mac_src_addresses ; do
allow_all_mac_src_address_arr+=("$_mac")
done
declare -a allow_local_mac_src_address_arr
for _mac in $allow_local_mac_src_addresses ; do
allow_local_mac_src_address_arr+=("$_mac")
done
declare -a allow_remote_mac_src_address_arr
for _mac in $allow_remote_mac_src_addresses ; do
allow_remote_mac_src_address_arr+=("$_mac")
done
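Review bot: `unify_controller_local_net_ip_arr` is filled from `$unify_controller_local_net_ips` while its two sibling arrays use the `unifi_` spelling; if the configuration file spells the variable consistently with `unifi_controller_gateway_ips`, this loop reads an unset name and the array is silently empty, which in a firewall presumably means the rules for the controller are never installed. Rename both to `unifi_controller_local_net_ip_arr` / `unifi_controller_local_net_ips` (the configuration file is outside this view, so check which side is wrong). More generally every list here is built by unquoted word splitting and an unset or misspelled `*_ips` variable degrades to "no rules" without any message; a `declare -p name >/dev/null 2>&1 || fatal "name not set"` check over the names this file expects would turn such typos into hard errors. The `allow_*_mac_src_addresses` lists deserve a comment that MAC filtering only works on directly attached segments and that source MACs are trivially spoofed, so they must not be treated as an authentication control.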

1
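--- /dev/null
+++ b/ANW-KM/mailname.ANW-KM
@@ -0,0 +1 @@
+gw-km.anw-km.netz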

268
ANW-KM/main.cf.ANW-KM Normal file

@ -0,0 +1,268 @@
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
192.168.122.254
myhostname = gw-km.anw-km.netz
mydestination =
gw-km.anw-km.netz
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
192.168.122.254/32
#smtp_bind_address = 192.168.100.254
#smtp_bind_address6 =
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = $maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
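Review bot: The `smtpd_tls_exclude_ciphers` list at the end of the section contains misspelled entries — `EDH-RSA-DES-CDC3-SHA` (should read `EDH-RSA-DES-CBC3-SHA`) and `KRB5-DE5, CBC3-SHA` (presumably `KRB5-DES-CBC3-SHA`) — so those names match nothing, and since `DES` in an OpenSSL cipher string covers single DES but not 3DES, the intended 3DES exclusion is silently lost; adding `3DES` to the list is the robust fix. The comments "Aktiviert TLS für den Mailempfang" and "Aktiviert TLS für den Mailversand" are attached to the wrong directives (`smtp_*` is the client/sending side, `smtpd_*` the server/receiving side), and `smtp_tls_security_level` is set twice, once under the SASL block and once here. Because `smtp_tls_CAfile` is configured and the relay is a fixed host, `smtp_tls_security_level = secure` would also authenticate the relay's certificate, which `encrypt` does not. The `smtpd_tls_dh1024_param_file` setting points at 1024-bit DH parameters, which are weak by current standards; the commented-out `dh_2048.pem` alternative is the better choice.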


@ -0,0 +1,6 @@
ifconfig-push 10.1.122.2 255.255.255.0
push "route 192.168.122.0 255.255.255.0 10.1.122.1"
push "route 192.168.2.0 255.255.255.0 10.1.122.1"
#push "route 192.168.123.0 255.255.255.0 10.1.122.1"
iroute 192.168.63.0 255.255.255.0
iroute 192.168.64.0 255.255.255.0


@ -0,0 +1,2 @@
ifconfig-push 10.0.122.2 10.0.122.1
#push "route 192.168.122.0 255.255.255.0"


@ -0,0 +1,2 @@
push "route 192.168.122.0 255.255.255.0"
ifconfig-push 10.0.122.5 10.0.122.1


@ -0,0 +1 @@
./2.0 http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/easy-rsa/2.0


@ -0,0 +1,13 @@
DESTDIR=
PREFIX=
all:
echo "All done."
echo "Run make install DESTDIR=/usr/share/somewhere"
install:
install -c --directory "${DESTDIR}/${PREFIX}"
install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"
install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"

Binary file not shown.


@ -0,0 +1,8 @@
#!/bin/bash
#
# Build a root certificate
#
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --initca $*


@ -0,0 +1,11 @@
#!/bin/bash
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi


@ -0,0 +1,7 @@
#!/bin/bash
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --inter $*


@ -0,0 +1,7 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact $*


@ -0,0 +1,7 @@
#!/bin/bash
# Similar to build-key, but protect the private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pass $*


@ -0,0 +1,8 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --pkcs12 $*


@ -0,0 +1,10 @@
#!/bin/bash
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --server $*


@ -0,0 +1,7 @@
#!/bin/bash
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr $*


@ -0,0 +1,7 @@
#!/bin/bash
# Like build-req, but protect your private key
# with a password.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --csr --pass $*


@ -0,0 +1,16 @@
#!/bin/bash
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && \
chmod go-rwx "$KEY_DIR" && \
touch "$KEY_DIR/index.txt" && \
echo 01 >"$KEY_DIR/serial"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi


@ -0,0 +1,39 @@
#!/bin/bash
# Build a new PKI which is rooted on an intermediate certificate generated
# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
# have independent vars settings, and must use a different KEY_DIR directory
# from the parent. This tool can be used to generate arbitrary depth
# certificate chains.
#
# To build an intermediate CA, follow the same steps for a regular PKI but
# replace ./build-key or ./pkitool --initca with this script.
# The EXPORT_CA file will contain the CA certificate chain and should be
# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
# will only contain the local intermediate CA -- it's needed by the easy-rsa
# scripts but not by OpenVPN directly.
EXPORT_CA="export-ca.crt"
if [ $# -ne 2 ]; then
echo "usage: $0 <parent-key-dir> <common-name>"
echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
echo "common-name: the common name of the intermediate certificate in the parent PKI"
exit 1;
fi
if [ "$KEY_DIR" ]; then
cp "$1/$2.crt" "$KEY_DIR/ca.crt"
cp "$1/$2.key" "$KEY_DIR/ca.key"
if [ -e "$1/$EXPORT_CA" ]; then
PARENT_CA="$1/$EXPORT_CA"
else
PARENT_CA="$1/ca.crt"
fi
cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi


@ -0,0 +1,13 @@
#!/bin/bash
# list revoked certificates
CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi

Binary file not shown.


@ -0,0 +1,285 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0
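Review bot: `default_md = md5` in `[ CA_default ]` means every `openssl ca` invocation that does not pass `-md` produces an MD5 signature; in this tree that is the `-gencrl` call in `revoke-full`, so the CRL handed to OpenVPN would be MD5-signed (pkitool itself overrides with `-md sha1`, which is also deprecated). Change it to `default_md = sha256`, the value current OpenSSL releases default to. The `string_mask = nombstr` setting and the Netscape-era `nsCertType`/`nsComment` entries are legacy and harmless, but could be trimmed. With `default_crl_days = 30` the CRL must be regenerated at least monthly; presumably clients configured with `crl-verify` start failing verification once it expires.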


@ -0,0 +1,353 @@
#!/bin/sh
# OpenVPN -- An application to securely tunnel IP networks
# over a single TCP/UDP port, with support for SSL/TLS-based
# session authentication and key exchange,
# packet encryption, packet authentication, and
# packet compression.
#
# Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program (see the file COPYING included with this
# distribution); if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# pkitool is a front-end for the openssl tool.
# Calling scripts can set the certificate organizational
# unit with the KEY_OU environmental variable.
PROGNAME=pkitool
VERSION=2.0
DEBUG=0
die()
{
local m="$1"
echo "$m" >&2
exit 1
}
need_vars()
{
echo ' Please edit the vars script to reflect your configuration,'
echo ' then source it with "source ./vars".'
echo ' Next, to start with a fresh PKI configuration and to delete any'
echo ' previous certificates and keys, run "./clean-all".'
echo " Finally, you can run this tool ($PROGNAME) to build certificates/keys."
}
usage()
{
echo "$PROGNAME $VERSION"
echo "Usage: $PROGNAME [options...] [common-name]"
echo "Options:"
echo " --batch : batch mode (default)"
echo " --keysize : Set keysize"
echo " size : size (default=1024)"
echo " --interact : interactive mode"
echo " --server : build server cert"
echo " --initca : build root CA"
echo " --inter : build intermediate CA"
echo " --pass : encrypt private key with password"
echo " --csr : only generate a CSR, do not sign"
echo " --sign : sign an existing CSR"
echo " --pkcs12 : generate a combined PKCS#12 file"
echo " --pkcs11 : generate certificate on PKCS#11 token"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " id : PKCS#11 object id (hex string)"
echo " label : PKCS#11 object label"
echo "Standalone options:"
echo " --pkcs11-slots : list PKCS#11 slots"
echo " lib : PKCS#11 library"
echo " --pkcs11-objects : list PKCS#11 token objects"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " --pkcs11-init : initialize PKCS#11 token DANGEROUS!!!"
echo " lib : PKCS#11 library"
echo " slot : PKCS#11 slot"
echo " label : PKCS#11 token label"
echo "Notes:"
need_vars
echo " In order to use PKCS#11 interface you must have opensc-0.10.0 or higher."
echo "Generated files and corresponding OpenVPN directives:"
echo '(Files will be placed in the $KEY_DIR directory, defined in ./vars)'
echo " ca.crt -> root certificate (--ca)"
echo " ca.key -> root key, keep secure (not directly used by OpenVPN)"
echo " .crt files -> client/server certificates (--cert)"
echo " .key files -> private keys, keep secure (--key)"
echo " .csr files -> certificate signing request (not directly used by OpenVPN)"
echo " dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)"
echo "Examples:"
echo " $PROGNAME --initca -> Build root certificate"
echo " $PROGNAME --initca --pass -> Build root certificate with password-protected key"
echo " $PROGNAME --server server1 -> Build \"server1\" certificate/key"
echo " $PROGNAME client1 -> Build \"client1\" certificate/key"
echo " $PROGNAME --pass client2 -> Build password-protected \"client2\" certificate/key"
echo " $PROGNAME --pkcs12 client3 -> Build \"client3\" certificate/key in PKCS#12 format"
echo " $PROGNAME --csr client4 -> Build \"client4\" CSR to be signed by another CA"
echo " $PROGNAME --sign client4 -> Sign \"client4\" CSR"
echo " $PROGNAME --inter interca -> Build an intermediate key-signing certificate/key"
echo " Also see ./inherit-inter script."
echo " $PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 \"client5 id\" client5"
echo " -> Build \"client5\" certificate/key in PKCS#11 token"
echo "Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys."
echo "Protect client2 key with a password. Build DH parms. Generated files in ./keys :"
echo " [edit vars with your site-specific info]"
echo " source ./vars"
echo " ./clean-all"
echo " ./build-dh -> takes a long time, consider backgrounding"
echo " ./$PROGNAME --initca"
echo " ./$PROGNAME --server myserver"
echo " ./$PROGNAME client1"
echo " ./$PROGNAME --pass client2"
echo "Typical usage for adding client cert to existing PKI:"
echo " source ./vars"
echo " ./$PROGNAME client-new"
}
# Set defaults
DO_REQ="1"
REQ_EXT=""
DO_CA="1"
CA_EXT=""
DO_P12="0"
DO_P11="0"
DO_ROOT="0"
NODES_REQ="-nodes"
NODES_P12=""
BATCH="-batch"
CA="ca"
# must be set or errors of openssl.cnf
PKCS11_MODULE_PATH="dummy"
PKCS11_PIN="dummy"
# Process options
while [ $# -gt 0 ]; do
case "$1" in
--keysize ) KEY_SIZE=$2
shift;;
--server ) REQ_EXT="$REQ_EXT -extensions server"
CA_EXT="$CA_EXT -extensions server" ;;
--batch ) BATCH="-batch" ;;
--interact ) BATCH="" ;;
--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
--initca ) DO_ROOT="1" ;;
--pass ) NODES_REQ="" ;;
--csr ) DO_CA="0" ;;
--sign ) DO_REQ="0" ;;
--pkcs12 ) DO_P12="1" ;;
--pkcs11 ) DO_P11="1"
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_ID="$4"
PKCS11_LABEL="$5"
shift 4;;
# standalone
--pkcs11-init)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
PKCS11_LABEL="$4"
if [ -z "$PKCS11_LABEL" ]; then
die "Please specify library name, slot and label"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
--label "$PKCS11_LABEL" &&
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
exit $?;;
--pkcs11-slots)
PKCS11_MODULE_PATH="$2"
if [ -z "$PKCS11_MODULE_PATH" ]; then
die "Please specify library name"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
exit 0;;
--pkcs11-objects)
PKCS11_MODULE_PATH="$2"
PKCS11_SLOT="$3"
if [ -z "$PKCS11_SLOT" ]; then
die "Please specify library name and slot"
fi
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
exit 0;;
# errors
--* ) die "$PROGNAME: unknown option: $1" ;;
* ) break ;;
esac
shift
done
if ! [ -z "$BATCH" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
die "Batch mode is unsupported in openssl<0.9.7"
fi
fi
if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
die "PKCS#11 and PKCS#12 cannot be specified together"
fi
if [ $DO_P11 -eq 1 ]; then
if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
fi
fi
# If we are generating pkcs12, only encrypt the final step
if [ $DO_P12 -eq 1 ]; then
NODES_P12="$NODES_REQ"
NODES_REQ="-nodes"
fi
if [ $DO_P11 -eq 1 ]; then
if [ -z "$PKCS11_LABEL" ]; then
die "PKCS#11 arguments incomplete"
fi
fi
# If undefined, set default key expiration intervals
if [ -z "$KEY_EXPIRE" ]; then
KEY_EXPIRE=3650
fi
if [ -z "$CA_EXPIRE" ]; then
CA_EXPIRE=3650
fi
# Set organizational unit to empty string if undefined
if [ -z "$KEY_OU" ]; then
KEY_OU=""
fi
# Set KEY_CN
if [ $DO_ROOT -eq 1 ]; then
if [ -z "$KEY_CN" ]; then
if [ "$1" ]; then
KEY_CN="$1"
elif [ "$KEY_ORG" ]; then
KEY_CN="$KEY_ORG CA"
fi
fi
if [ $BATCH ] && [ "$KEY_CN" ]; then
echo "Using CA Common Name:" $KEY_CN
fi
elif [ $BATCH ] && [ "$KEY_CN" ] && [ $# -eq 0 ]; then
echo "Using Common Name:" $KEY_CN
else
if [ $# -ne 1 ]; then
usage
exit 1
else
KEY_CN="$1"
fi
fi
export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_CN PKCS11_MODULE_PATH PKCS11_PIN
# Show parameters (debugging)
if [ $DEBUG -eq 1 ]; then
echo DO_REQ $DO_REQ
echo REQ_EXT $REQ_EXT
echo DO_CA $DO_CA
echo CA_EXT $CA_EXT
echo NODES_REQ $NODES_REQ
echo NODES_P12 $NODES_P12
echo DO_P12 $DO_P12
echo KEY_CN $KEY_CN
echo BATCH $BATCH
echo DO_ROOT $DO_ROOT
echo KEY_EXPIRE $KEY_EXPIRE
echo CA_EXPIRE $CA_EXPIRE
echo KEY_OU $KEY_OU
echo DO_P11 $DO_P11
echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
echo PKCS11_SLOT $PKCS11_SLOT
echo PKCS11_ID $PKCS11_ID
echo PKCS11_LABEL $PKCS11_LABEL
fi
# Make sure ./vars was sourced beforehand
if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
cd "$KEY_DIR"
# Make sure $KEY_CONFIG points to the correct version
# of openssl.cnf
if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
:
else
echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
echo "version of openssl.cnf: $KEY_CONFIG"
echo "The correct version should have a comment that says: easy-rsa version 2.x";
exit 1;
fi
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
# Make sure CA key/cert is available
if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
echo "Try $PROGNAME --initca to build a root certificate/key."
exit 1
fi
fi
# Generate key for PKCS#11 token
PKCS11_ARGS=
if [ $DO_P11 -eq 1 ]; then
stty -echo
echo -n "User PIN: "
read -r PKCS11_PIN
stty echo
export PKCS11_PIN
echo "Generating key pair on PKCS#11 token..."
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
--login --pin "$PKCS11_PIN" \
--key-type rsa:1024 \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
fi
# Build cert/key
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
-in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
-in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$KEY_CN.key" ) && \
( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
# Load certificate into PKCS#11 token
if [ $DO_P11 -eq 1 ]; then
$OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
--login --pin "$PKCS11_PIN" \
--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
fi
fi
# Need definitions
else
need_vars
fi
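Review bot: The root CA request `$OPENSSL req ... -newkey rsa:$KEY_SIZE -sha1` and the signing step `... $CA_EXT -md sha1 -config "$KEY_CONFIG"` hard-code SHA-1 signatures, which current OpenSSL security levels and OpenVPN builds reject or warn about; change them to `-sha256` and `-md sha256` respectively. The PKCS#11 branch hard-codes `--key-type rsa:1024` regardless of `KEY_SIZE`, so token-backed keys are always 1024-bit; `--key-type rsa:$KEY_SIZE` keeps it consistent with the file-based path. `stty -echo` before the PIN prompt is not undone if the script is interrupted at `read -r PKCS11_PIN`, leaving the terminal with echo off; a `trap 'stty echo' EXIT` set before the prompt avoids that. The cleanup line `[ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"` discards the test result and should read `[ -e "$KEY_CN.crt.der" ] && rm "$KEY_CN.crt.der"`.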


@ -0,0 +1,39 @@
#!/bin/bash
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL="crl.pem"
RT="revoke-test.pem"
if [ $# -ne 1 ]; then
echo "usage: revoke-full <common-name>";
exit 1
fi
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR"
rm -f "$RT"
# set defaults
export KEY_CN=""
export KEY_OU=""
# revoke key and generate a new CRL
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
# generate a new CRL -- try to be compatible with
# intermediate PKIs
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
if [ -e export-ca.crt ]; then
cat export-ca.crt "$CRL" >"$RT"
else
cat ca.crt "$CRL" >"$RT"
fi
# verify the revocation
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
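Review bot: `cd "$KEY_DIR"` on the line after the `if [ "$KEY_DIR" ]` test is not checked, so when KEY_DIR names a missing or unreadable directory the following `rm -f "$RT"`, `$OPENSSL ca -revoke` and `cat ... >"$RT"` all run in whatever directory the caller happens to be in. Change it to `cd "$KEY_DIR" || exit 1`. The legacy `revoke-full` further down has the same unchecked `cd $KEY_DIR` (there also unquoted). The final `$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"` is expected to report the certificate as revoked, but its exit status is never inspected, so the script cannot tell a successful revocation from a failed one except by the text it prints.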


@ -0,0 +1,7 @@
#!/bin/bash
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --interact --sign $*


@ -0,0 +1,74 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
#export EASY_RSA="`pwd`"
BASE_DIR=/etc/openvpn
export EASY_RSA="${BASE_DIR}/easy-rsa/2.0"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
#export KEY_DIR="$EASY_RSA/keys"
export KEY_DIR="${BASE_DIR}/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=10950
# In how many days should certificates expire?
export KEY_EXPIRE=10950
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
#export KEY_COUNTRY="US"
#export KEY_PROVINCE="CA"
#export KEY_CITY="SanFrancisco"
#export KEY_ORG="Fort-Funston"
#export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"
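Review bot: `export KEY_SIZE=1024` makes every key produced with this tree 1024-bit RSA, which is below the 2048-bit minimum generally accepted today; the committed certificates later in this commit indeed show `RSA Public Key: (1024 bit)`, and in the legacy scripts below the same variable also sizes the DH parameters (`dh${KEY_SIZE}.pem`). Set `export KEY_SIZE=2048` and drop the comment above it that calls 2048 "paranoid". `CA_EXPIRE` and `KEY_EXPIRE` of 10950 days give both the CA and every leaf certificate a thirty-year lifetime, which removes any natural rotation point; a shorter `KEY_EXPIRE` is worth considering. Minor: `$EASY_RSA` is unquoted inside the backticks of the `KEY_CONFIG` assignment.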


@ -0,0 +1,13 @@
#!/bin/sh
if [ "$OPENSSL" ]; then
if $OPENSSL version | grep 0.9.6 > /dev/null; then
echo "$1/openssl-0.9.6.cnf"
else
echo "$1/openssl.cnf"
fi
else
echo "$1/openssl.cnf"
fi
exit 0

Binary file not shown.


@ -0,0 +1,13 @@
#!/bin/sh
#
# Build a root certificate
#
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \
chmod 0600 ca.key
else
echo you must define KEY_DIR
fi
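Review bot: `if test $KEY_DIR; then` and `cd $KEY_DIR` leave the variable unquoted, so a KEY_DIR containing whitespace makes `test` fail with "too many arguments" or `cd` change to the wrong place, after which `openssl req ... -keyout ca.key` writes the CA key into the current directory. Use `if test -n "$KEY_DIR"; then` and `cd "$KEY_DIR" && \`. The same pattern appears in every legacy script below (build-dh, build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req, build-req-pass, clean-all, list-crl, make-crl, revoke-crt, revoke-full, sign-req); it matters most in clean-all, where `rm -rf $d` with a split value removes several paths, so that line should become `rm -rf -- "$d"`. These scripts also call `openssl` directly rather than honouring `$OPENSSL` as the 2.0 tree does.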


@ -0,0 +1,12 @@
#!/bin/sh
#
# Build Diffie-Hellman parameters for the server side
# of an SSL/TLS connection.
#
if test $KEY_DIR; then
openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
else
echo you must define KEY_DIR
fi


@ -0,0 +1,19 @@
#!/bin/sh
#
# Make an intermediate CA certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-inter <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,20 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
if test $# -ne 1; then
echo "usage: build-key <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,20 @@
#!/bin/sh
#
# Similar to build-key, but protect the private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-key-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,21 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate and convert it to a PKCS #12 file including the
# the CA certificate as well.
if test $# -ne 1; then
echo "usage: build-key-pkcs12 <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \
openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \
chmod 0600 $1.key $1.p12
else
echo you must define KEY_DIR
fi


@ -0,0 +1,22 @@
#!/bin/sh
#
# Make a certificate/private key pair using a locally generated
# root certificate.
#
# Explicitly set nsCertType to server using the "server"
# extension in the openssl.cnf file.
if test $# -ne 1; then
echo "usage: build-key-server <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \
chmod 0600 $1.key
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# Build a certificate signing request and private key. Use this
# when your root certificate and key is not available locally.
#
if test $# -ne 1; then
echo "usage: build-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# Like build-req, but protect your private key
# with a password.
#
if test $# -ne 1; then
echo "usage: build-req-pass <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,19 @@
#!/bin/sh
#
# Initialize the $KEY_DIR directory.
# Note that this script does a
# rm -rf on $KEY_DIR so be careful!
#
d=$KEY_DIR
if test $d; then
rm -rf $d
mkdir $d && \
chmod go-rwx $d && \
touch $d/index.txt && \
echo 01 >$d/serial
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# list revoked certificates
#
#
if test $# -ne 1; then
echo "usage: list-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl crl -text -noout -in $1
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# generate a CRL
#
#
if test $# -ne 1; then
echo "usage: make-crl <crlfile.pem>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -gencrl -out $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,255 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::KEY_ORG_UN
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
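Review bot: `default_md = md5` in `[ CA_default ]` makes `openssl ca` sign every certificate and CRL with MD5 unless the caller overrides it, and the committed certificates with serials 1–4 do carry `md5WithRSAEncryption`; MD5 signatures are rejected at the default security level of current OpenSSL and by current OpenVPN builds. Change it to `default_md = sha256`. `string_mask = nombstr` and the Netscape crash warning above it are equally dated; `string_mask = utf8only` is the current recommendation. The `[ server ]` section relies on `nsCertType = server` alone; adding `extendedKeyUsage = serverAuth` there would let clients verify the server with the EKU-based check rather than the Netscape extension.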


@ -0,0 +1,18 @@
#!/bin/sh
#
# revoke a certificate
#
#
if test $# -ne 1; then
echo "usage: revoke-crt <file.crt>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -revoke $1 -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,29 @@
#!/bin/sh
# revoke a certificate, regenerate CRL,
# and verify revocation
CRL=crl.pem
RT=revoke-test.pem
if test $# -ne 1; then
echo "usage: revoke-full <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR
rm -f $RT
# revoke key and generate a new CRL
openssl ca -revoke $1.crt -config $KEY_CONFIG
# generate a new CRL
openssl ca -gencrl -out $CRL -config $KEY_CONFIG
cat ca.crt $CRL >$RT
# verify the revocation
openssl verify -CAfile $RT -crl_check $1.crt
else
echo you must define KEY_DIR
fi


@ -0,0 +1,18 @@
#!/bin/sh
#
# Sign a certificate signing request (a .csr file)
# with a local root certificate and key.
#
if test $# -ne 1; then
echo "usage: sign-req <name>";
exit 1
fi
if test $KEY_DIR; then
cd $KEY_DIR && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG
else
echo you must define KEY_DIR
fi


@ -0,0 +1,59 @@
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
## export D=`pwd`
BASE_DIR=/etc/openvpn
export D=${BASE_DIR}/easy-rsa
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
## export KEY_DIR=$D/keys
export KEY_DIR=${BASE_DIR}/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_COUNTRY=DE
export KEY_PROVINCE=Berlin
export KEY_CITY=Berlin
export KEY_ORG="o.open"
export KEY_ORG_UN="network services"
export KEY_EMAIL="argus@oopen.de"
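Review bot: The five `export KEY_*` lines setting KG/NA/BISHKEK/"OpenVPN-TEST"/"me@myhost.mydomain" are immediately overwritten by the DE/Berlin block that follows, so they are dead and misleading; delete them or comment them out the way the 2.0 vars file does with its `#export KEY_COUNTRY="US"` lines. `export KEY_SIZE=1024` has the same weak-key problem noted on the other vars file and should become `export KEY_SIZE=2048`. `export KEY_CONFIG=$D/openssl.cnf` and `export KEY_DIR=${BASE_DIR}/keys` are unquoted, and the `echo NOTE: ...` line passes `$KEY_DIR` unquoted as well.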


@ -0,0 +1,5 @@
10.0.72.1 openvpn server
10.0.72.2 -- frei --
10.0.72.3 chris
10.0.72.4 -- frei --
10.0.72.5 rene

0
ANW-KM/openvpn/ipp.txt Normal file


@ -0,0 +1,70 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:02:32 2008 GMT
Not After : May 18 00:02:32 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-server/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e8:50:de:da:67:fb:8b:e8:71:1f:3c:da:c8:63:
33:9f:29:41:b1:a5:8f:27:99:91:16:a8:51:3b:a1:
5b:52:c3:6a:26:a2:e7:f3:07:ea:c0:65:a6:60:30:
d8:fb:39:e6:05:19:73:28:fa:0a:2e:4e:82:a0:72:
c1:1b:ca:27:fb:ad:8d:3c:c8:15:36:4c:f6:22:70:
1f:4d:6c:10:88:84:c6:f1:c3:9f:f2:55:58:3d:f2:
10:cb:d5:a7:18:3d:b9:d6:fd:25:e9:9d:ec:6c:0e:
55:f9:2d:64:54:a0:32:58:34:b0:2c:c9:10:55:33:
6c:75:9e:97:29:61:db:c1:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
41:12:64:24:C4:4E:59:A4:C9:B3:A4:8E:A2:E6:5A:9C:27:CF:C6:21
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
81:b5:d0:b9:ba:8e:87:ad:48:a7:ce:11:e6:30:b5:e2:6a:20:
19:b4:4d:e2:17:8e:7d:4c:ae:1d:45:a8:38:c2:b9:7d:71:08:
db:b4:a9:96:75:bf:ca:26:5a:d1:0d:80:cf:d8:b3:ce:3d:3a:
76:81:43:90:91:b8:de:45:33:63:cd:56:ed:1a:6b:33:36:e3:
8f:97:3a:15:e4:11:64:e5:bf:ee:98:53:cc:51:d9:fa:ac:76:
2e:2b:c3:dc:a9:7f:e1:8d:44:34:8d:f3:fd:32:26:7b:4d:cf:
9b:b4:43:9a:d2:0d:65:56:2f:4d:78:87:9a:ca:5a:22:5d:08:
68:01
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
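Review bot: This server certificate's `Not After : May 18 00:02:32 2018 GMT` is ten days after the commit date, and the client certificates with serials 2–4 committed alongside it expire between May 18 and Jun 15 2018, so the VPN will stop authenticating shortly after this commit unless they are re-issued; only serial 5 (issued 2015, sha1) runs to 2044. Serials 1–4 are all `md5WithRSAEncryption` over `RSA Public Key: (1024 bit)`, which matches the `default_md = md5` and `KEY_SIZE=1024` defaults in the committed configuration, so re-issuance should follow raising those defaults rather than reuse them. The certificate with serial 4 (CN ANW-KM-Vpn-berenice) is committed twice in identical form.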


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 00:05:06 2008 GMT
Not After : May 18 00:05:06 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-chris/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c0:17:80:be:42:58:ea:c2:1d:e7:54:4a:98:6d:
31:24:95:d3:ea:aa:84:aa:20:0e:df:18:df:07:64:
2b:53:a5:41:df:55:32:91:d3:38:b4:41:cd:ca:3b:
8d:0f:41:60:01:ed:22:2b:9d:2f:57:7e:6b:f0:a9:
f2:a0:25:f1:a7:67:b8:46:15:c5:75:da:f6:4e:54:
c4:f4:70:c2:74:c1:7f:d3:85:77:28:c6:a5:b2:91:
99:32:1e:d9:bb:4c:76:c9:4e:58:63:dd:49:f3:9b:
4b:5d:91:06:2c:30:b1:ae:5d:ec:d7:13:a4:e4:d6:
9d:c9:db:66:a5:0b:0f:5d:91
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:9F:21:B1:38:CD:F5:A8:DF:DB:3C:23:96:D9:FF:B1:C1:43:B2:63
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
91:38:89:c3:46:db:82:87:ad:48:ef:dc:63:fe:a4:08:a0:f7:
e6:1c:1d:b0:0b:ca:fc:d0:29:3b:38:a1:a6:66:47:6e:98:26:
45:b9:78:0d:2b:cf:cb:00:f4:5c:4a:51:ab:ca:d7:3a:8f:21:
ef:d7:8b:9e:7f:04:c2:93:71:31:a8:29:bc:d9:70:4b:43:2c:
3e:80:fa:6a:0c:87:d2:08:20:80:06:26:5b:60:07:17:73:5b:
b8:b4:7c:42:1c:18:ce:e1:fc:5a:50:b2:d7:c1:e9:8b:22:b9:
c1:da:34:02:c8:ed:16:cf:99:ed:5c:07:d8:40:46:e7:ca:b4:
f6:f2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: May 20 01:00:02 2008 GMT
Not After : May 18 01:00:02 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-rp/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:7d:de:5d:20:0d:20:9e:db:2a:93:5d:99:6c:
43:da:5d:f1:09:d8:68:d0:b5:8b:41:7d:79:19:77:
c1:9e:53:22:15:78:83:80:d4:03:10:e6:4b:c4:e9:
15:26:10:cd:28:97:a2:48:82:49:46:c0:0b:6d:c0:
21:ea:87:ad:2d:1f:c3:29:ef:80:49:91:7f:3f:ff:
d0:6d:2c:80:f9:94:2f:e4:88:82:88:74:27:51:26:
68:d8:cd:11:cb:b3:46:6b:e8:b6:c8:81:d1:7c:de:
0b:e5:90:40:c4:50:20:e5:59:4c:fc:30:f3:fa:ee:
72:b2:a2:77:e3:6c:30:6a:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0D:C2:77:E9:BD:42:92:03:32:41:6D:10:EE:97:78:54:04:65:0F:3D
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
61:cd:a7:35:6b:a7:cb:94:75:2c:5c:d4:7b:cd:be:1a:43:43:
f3:73:ff:22:72:c0:06:c6:ae:40:19:eb:3b:53:56:01:4a:e8:
eb:a6:e2:61:e0:d3:2a:9d:fc:63:ac:38:4f:cd:34:7b:e5:22:
9f:ac:6e:0f:61:f7:b2:7c:f2:50:0c:a6:cc:76:ec:24:60:67:
41:51:54:5f:dc:06:f8:7a:af:ce:80:1f:06:6a:1c:9a:27:13:
05:e7:80:e7:45:34:f5:e9:d0:96:67:7f:2f:15:88:94:63:d5:
fc:e9:cb:ef:93:c2:38:5a:73:28:fa:f3:04:c9:91:01:d9:ab:
a6:96
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jun 17 13:39:04 2008 GMT
Not After : Jun 15 13:39:04 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:0e:32:eb:f3:cd:4e:ad:75:fe:2f:03:b0:f8:
4a:44:cd:85:fa:e0:a5:dc:a2:c0:1d:d2:a9:04:e7:
39:8a:dc:cd:47:b3:26:e4:c8:aa:7b:0b:51:20:a0:
bd:db:90:c2:b8:8c:27:59:81:5e:31:33:b1:d7:bf:
e2:d0:15:7c:11:25:98:67:1f:03:e0:a7:11:37:4a:
a0:85:c6:f5:2c:44:f1:4d:45:59:11:bc:e9:d5:77:
98:ca:60:5e:de:b4:3e:13:ac:9a:23:d5:57:78:ff:
10:a6:94:52:c7:98:3b:27:2e:16:ed:42:9d:4c:4e:
df:60:a1:ab:8c:58:5b:60:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:12:07:04:E1:24:43:1B:40:85:A1:A5:47:2E:83:7B:FA:69:FE:EC
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
2a:4a:7e:39:ea:12:a1:36:23:64:92:74:b0:05:a1:98:01:ff:
ea:2d:bf:9a:4d:01:3b:fe:d8:99:dd:77:23:fc:77:f0:8b:f4:
22:a8:eb:e3:de:e4:fd:04:df:17:4c:68:57:aa:79:3a:d3:3a:
02:38:dd:3b:d3:95:f7:f6:3b:87:c9:87:dc:d7:cb:a0:f1:d3:
04:62:48:4c:92:67:5d:70:8b:c5:b1:f8:2e:03:c7:84:a5:57:
e4:c1:14:07:06:0e:12:a6:e5:df:25:f9:e4:81:95:6c:f9:fc:
10:a0:cf:e6:5e:b3:09:83:2a:40:31:e1:e7:83:91:d1:fc:c5:
2c:24
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,73 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jan 2 03:39:56 2015 GMT
Not After : Dec 25 03:39:56 2044 GMT
Subject: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-gw-ckubu/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9d:32:39:db:a9:6d:78:47:e2:78:2a:0e:2d:60:
b9:ee:27:e9:a3:59:cf:5b:90:6c:3a:5a:c9:e8:9c:
72:a9:6a:e7:c2:b2:99:78:94:e2:34:69:af:33:42:
64:51:34:0c:ff:84:59:b5:1a:d8:f7:3b:4a:94:f9:
75:cf:5d:66:23:a3:38:b6:dd:b8:59:e5:1b:be:d5:
5e:91:c8:28:83:90:bd:26:a3:2d:1d:32:1c:bc:98:
aa:4e:99:fc:34:7a:9a:4e:13:9b:aa:f3:e4:c6:e0:
93:1f:5a:ca:f5:56:51:4d:ff:1c:ce:b1:9b:ae:2a:
4c:3d:fd:8e:5f:68:26:b0:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
EC:14:0E:00:D3:F8:F9:BB:B3:E1:63:47:96:45:00:C4:7F:00:FC:2E
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption
18:00:f8:c3:1d:2a:78:32:56:b8:d8:5d:93:2f:bd:78:8a:71:
c1:ca:48:40:60:f4:e8:cf:52:ef:9f:44:e9:12:20:b6:08:54:
ef:83:9d:00:b3:ab:c3:68:dc:92:ff:71:11:23:40:d1:31:12:
00:8c:65:10:81:96:a8:d3:5a:85:cb:6e:ac:69:4a:86:c7:65:
52:72:f9:50:e6:d8:61:47:27:6e:13:77:59:2f:07:fd:4f:26:
98:7c:bc:b2:b2:14:79:af:78:f8:6e:6b:35:79:59:38:21:87:
b2:30:b9:df:5a:7a:ac:fb:1a:e8:4e:0a:4b:b9:7d:0a:fc:57:
bb:05
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
Validity
Not Before: Jun 17 13:39:04 2008 GMT
Not After : Jun 15 13:39:04 2018 GMT
Subject: C=DE, ST=Berlin, O=o.open, OU=network services, CN=ANW-KM-Vpn-berenice/emailAddress=argus@oopen.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:0e:32:eb:f3:cd:4e:ad:75:fe:2f:03:b0:f8:
4a:44:cd:85:fa:e0:a5:dc:a2:c0:1d:d2:a9:04:e7:
39:8a:dc:cd:47:b3:26:e4:c8:aa:7b:0b:51:20:a0:
bd:db:90:c2:b8:8c:27:59:81:5e:31:33:b1:d7:bf:
e2:d0:15:7c:11:25:98:67:1f:03:e0:a7:11:37:4a:
a0:85:c6:f5:2c:44:f1:4d:45:59:11:bc:e9:d5:77:
98:ca:60:5e:de:b4:3e:13:ac:9a:23:d5:57:78:ff:
10:a6:94:52:c7:98:3b:27:2e:16:ed:42:9d:4c:4e:
df:60:a1:ab:8c:58:5b:60:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DA:12:07:04:E1:24:43:1B:40:85:A1:A5:47:2E:83:7B:FA:69:FE:EC
X509v3 Authority Key Identifier:
keyid:68:44:87:6B:F0:FC:89:71:99:CF:32:C8:1C:10:38:EB:52:D8:34:98
DirName:/C=DE/ST=Berlin/L=Berlin/O=o.open/OU=network services/CN=ANW-KM-Vpn-ca/emailAddress=argus@oopen.de
serial:E3:CC:3A:97:1C:90:24:FD
Signature Algorithm: md5WithRSAEncryption
2a:4a:7e:39:ea:12:a1:36:23:64:92:74:b0:05:a1:98:01:ff:
ea:2d:bf:9a:4d:01:3b:fe:d8:99:dd:77:23:fc:77:f0:8b:f4:
22:a8:eb:e3:de:e4:fd:04:df:17:4c:68:57:aa:79:3a:d3:3a:
02:38:dd:3b:d3:95:f7:f6:3b:87:c9:87:dc:d7:cb:a0:f1:d3:
04:62:48:4c:92:67:5d:70:8b:c5:b1:f8:2e:03:c7:84:a5:57:
e4:c1:14:07:06:0e:12:a6:e5:df:25:f9:e4:81:95:6c:f9:fc:
10:a0:cf:e6:5e:b3:09:83:2a:40:31:e1:e7:83:91:d1:fc:c5:
2c:24
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,18 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A6843353293493DD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-----END RSA PRIVATE KEY-----
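Review bot: This is an RSA private key checked into version control. `Proc-Type: 4,ENCRYPTED` with `DEK-Info: DES-EDE3-CBC` is the legacy OpenSSL PEM wrapping (3DES, key derived from the passphrase by a single MD5 pass), so the passphrase is the only protection for anyone who can read the repository history, and it can be tested offline at leisure. Keep private keys out of the repository (a `.gitignore` entry for `*.key` and for the `keys/` directory), treat this key as exposed, and re-issue whatever it signed once it is rotated. If a key must be stored, re-wrap it first with `openssl pkcs8 -topk8 -v2 aes-256-cbc` so at least the wrapping is not the legacy scheme.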


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
