Add network BLKR.

BLKR/README.txt

@@ -0,0 +1,25 @@
+
+Notice:
+   You have to change some configuration files becaus the because
+   the configuration of network interfaces must not be equal.
+
+   !! Take care, to use the right device names !!
+   Maybe they are called i.e. 'enp0sXX', but you can rename it.
+   See also : README.rename.netdevices
+
+   For the backup gateway host:
+      eth1 --> LAN
+      eth2 --> WAN or ppp0 (DSL device)
+
+      eth0 --> WLAN or second LAN or what ever
+      or
+      br0  --> WLAN or second LAN or what ever
+
+
+   So you have to change the following files
+      dsl-provider.ANW-KM: ppp0 comes over eth2
+      interfaces.ANW-KM: see above
+      default_isc-dhcp-server.ANW-KM
+      ipt-firewall.ANW-KM: LAN device (mostly ) = eth1
+                                second LAN WLAN or what ever (if present) = eth0
+         

BLKR/bin/admin-stuff

@@ -0,0 +1 @@
+Subproject commit 8d81bd8667f74cf7f7cc1c521b52eab0e7c4b034

BLKR/bin/manage-gw-config

@@ -0,0 +1 @@
+Subproject commit b5fb1f7b3a421a24388ba6b25a3e5d58591ae7fe

BLKR/bin/monitoring

@@ -0,0 +1 @@
+Subproject commit f66029fe95ffc2010b0d3e435dbebf9ef7b7f849

BLKR/bind/bind.keys

@@ -0,0 +1,69 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9.  As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options.  To use the built-in DLV key, set
+# "dnssec-lookaside auto;".  Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017.  If any key fails to
+# initialize correctly, it may have expired.  In that event you should
+# replace this file with a current version.  The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+        #
+        # NOTE: The ISC DLV zone is being phased out as of February 2017;
+        # the key will remain in place but the zone will be otherwise empty.
+        # Configuring "dnssec-lookaside auto;" to activate this key is
+        # harmless, but is no longer useful and is not recommended.
+        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+                TDN0YUuWrBNh";
+
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # These keys are activated by setting "dnssec-validation auto;"
+        # in named.conf.
+        #
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+
+        # This key (20326) is to be published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};

BLKR/bind/db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

BLKR/bind/db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

BLKR/bind/db.192.168.162.0

@@ -0,0 +1,28 @@
+;
+; BIND reverse data file for local blkr.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.blkr.netz. ckubu.oopen.de. (
+      2018101301     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+            IN NS     ns-blkr.blkr.netz.
+
+; - Gateway/Firewall
+254         IN PTR    gw-blkr.blkr.netz.
+
+
+; - (Caching ) Nameserver
+1           IN PTR    ns-blkr.blkr.netz.
+
+
+; - Fileserver
+10           IN PTR    file-blkr.blkr.netz.
+
+
+; - IPMI
+15          IN PTR    ipmi-file-blkr.blkr.netz.

BLKR/bind/db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

BLKR/bind/db.blkr.netz

@@ -0,0 +1,30 @@
+;
+; BIND data file for local blkr.netz zone
+;
+$TTL  43600
+@  IN SOA   ns.anw-blkr.netz. ckubu.oopen.de. (
+      2018101301     ; Serial
+          604800     ; Refresh
+           86400     ; Retry
+         2419200     ; Expire
+          604800 )   ; Negative Cache TTL
+;
+
+
+@                 IN NS    ns-blkr.anw-blkr.netz.
+
+; Gateway/Firewall
+gw-blkr           IN A     192.168.162.254
+gate              IN CNAME gw-blkr
+gw                IN CNAME gw-blkr
+
+; (Caching ) Nameserver
+ns-blkr           IN A     192.168.162.1
+ns                IN CNAME ns-blkr
+nscache           IN CNAME ns-blkr
+resolver          IN CNAME ns-blkr
+
+
+; - Fileserver
+file-blkr         IN A     192.168.162.10
+file              IN CNAME file-blkr

BLKR/bind/db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

BLKR/bind/db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

BLKR/bind/db.root

@@ -0,0 +1,88 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    Jan 3, 2013
+;       related version of root zone:   2013010300
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.	 3600000      AAAA  2001:500:2D::D
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
+; End of File

BLKR/bind/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";

BLKR/bind/named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

BLKR/bind/named.conf.local

@@ -0,0 +1,19 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+
+zone "blkr.netz" {
+   type master;
+   file "/etc/bind/db.blkr.netz";
+};
+
+zone "162.168.192.in-addr.arpa" {
+   type master;
+   file "/etc/bind/db.192.168.162.0";
+};
+

BLKR/bind/named.conf.local.INSTALL

@@ -0,0 +1,8 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

BLKR/bind/named.conf.options

@@ -0,0 +1,47 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+   //========================================================================
+   // If BIND logs error messages about the root key being expired,
+   // you will need to update your keys.  See https://www.isc.org/bind-keys
+   //========================================================================
+   dnssec-validation auto;
+
+   auth-nxdomain no;    # conform to RFC1035
+
+   // Security options
+   listen-on port 53 {
+      127.0.0.1;
+      192.168.162.1;
+   };
+   allow-query {
+      127.0.0.1;
+		172.16.0.0/12;
+      192.168.0.0/16;
+      10.0.0.0/8;
+   };
+   allow-recursion {
+      127.0.0.1;
+		172.16.0.0/12;
+      192.168.0.0/16;
+      10.0.0.0/16;
+   };
+   allow-transfer { none; };
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

BLKR/bind/named.conf.options.INSTALL

@@ -0,0 +1,20 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+

BLKR/bind/rndc.key

@@ -0,0 +1,4 @@
+key "rndc-key" {
+	algorithm hmac-md5;
+	secret "p8uEoosC6vrcRj73ribYKg==";
+};

BLKR/bind/zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

BLKR/cron_root.BLKR

@@ -0,0 +1,52 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.kbCNiX/crontab installed on Mon Apr 10 18:45:46 2017)
+# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
+# Edit this file to introduce tasks to be run by cron.
+# 
+# Each task to run has to be defined through a single line
+# indicating with different fields when the task will be run
+# and what command to run for the task
+# 
+# To define the time you can provide concrete values for
+# minute (m), hour (h), day of month (dom), month (mon),
+# and day of week (dow) or use '*' in these fields (for 'any').# 
+# Notice that tasks will be started based on the cron's system
+# daemon's notion of time and timezones.
+# 
+# Output of the crontab jobs (including errors) is sent through
+# email to the user the crontab file belongs to (unless redirected).
+# 
+# For example, you can run a backup of all your user accounts
+# at 5 a.m every week with:
+# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
+# 
+# For more information see the manual pages of crontab(5) and cron(8)
+# 
+# m h  dom mon dow   command
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+## adjust system time
+##
+#23 0-23/4 * * * /usr/sbin/ntpdate ptbtime2.ptb.de  > /dev/null
+
+## check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" )
+## if not set this entry to "1"
+##
+0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh
+
+## check if pppd is running and internet access works. if
+## not restart it
+##
+#1-59/10 * * * * /root/bin/check_inet.sh
+
+
+1-59/10 * * * * /root/bin/monitoring/check_dns.sh
+
+## check if openvpn is running if not restart the service
+##
+#0-59/30 * * * * /root/bin/monitoring/check_vpn.sh
+
+
+## - copy gateway configuration
+## -
+13 4 * * * /root/bin/manage-gw-config/copy_gateway-config.sh BLKR

BLKR/ddclient.conf.BLKR

@@ -0,0 +1,14 @@
+# Configuration file for ddclient generated by debconf
+#
+# /etc/ddclient.conf
+
+protocol=dyndns2
+use=web, web=checkip.dyndns.com/, web-skip='IP Address'
+server=members.dyndns.org
+login=ckubu
+password=7213b4e6178a11e6ab1362f831f6741e
+blkr.homelinux.org
+
+ssl=yes
+mail=root
+mail-failure=root

BLKR/default_isc-dhcp-server.BLKR

@@ -0,0 +1,21 @@
+# Defaults for isc-dhcp-server initscript
+# sourced by /etc/init.d/isc-dhcp-server
+# installed at /etc/default/isc-dhcp-server by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPD_CONF=/etc/dhcp/dhcpd.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPD_PID=/var/run/dhcpd.pid
+
+# Additional options to start dhcpd with.
+#  Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#  Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="eth1"

BLKR/dhcpd.conf.BLKR

@@ -0,0 +1,137 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option subnet-mask 255.255.255.0;
+option broadcast-address 192.168.162.255;
+
+option domain-name "blkr.netz";
+option domain-name-servers ns.blkr.netz;
+
+option routers 192.168.162.254;
+
+default-lease-time 43200;
+max-lease-time 86400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+subnet 192.168.162.0 netmask 255.255.255.0 {
+   # --- 192.168.22.160/27 ---
+   # network address....: 192.168.22.160
+   # Broadcast address..: 192.168.22.191
+   # netmask............: 255.255.255.224
+   # network range......: 192.168.22.160 - 192.168.22.191
+   # Usable range.......: 192.168.22.161 - 192.168.22.190
+   range 192.168.162.161 192.168.162.190;
+   option domain-name "blkr.netz";
+   option subnet-mask 255.255.255.0;
+   option broadcast-address 192.168.162.255;
+   option domain-name-servers ns.blkr.netz;
+   option routers 192.168.162.254;
+   default-lease-time 43200;
+   max-lease-time 86400;
+}
+
+host file-blkr {
+   hardware ethernet ac:1f:6b:94:81:96;
+   fixed-address file-blkr.blkr.netz ;
+}
+
+## host siemens_gigaset_515 {
+##    hardware ethernet 00:01:E3:08:4A:75 ;
+##    fixed-address siemens_gigaset_515.opp.local ;
+## }
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

BLKR/hostapd.conf.BLKR

@@ -0,0 +1,31 @@
+interface=wlan0
+bridge=br0
+ssid=Alix-WLAN-OOPEN
+driver=nl80211
+
+## - D-LINK DWA-552
+## - MicroTIK RouterBOARD R52n-M
+## -
+#wme_enabled=1
+#ieee80211n=1
+#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+## - Linksys WMP600N
+## -
+#wme_enabled=1
+#ieee80211n=1
+#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC12]
+
+channel=4
+hw_mode=g
+ignore_broadcast_ssid=0
+auth_algs=1
+macaddr_acl=0
+wpa=2
+wpa_key_mgmt=WPA-PSK
+wpa_passphrase=WoAuchImmer
+wpa_pairwise=TKIP
+rsn_pairwise=CCMP
+wpa_group_rekey=600
+ctrl_interface=/var/run/hostapd
+

BLKR/hostname.BLKR

@@ -0,0 +1 @@
+gw-blkr

BLKR/hosts.BLKR

@@ -0,0 +1,9 @@
+127.0.0.1	localhost
+127.0.1.1	gw-blkr.blkr.netz	gw-blkr
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

BLKR/interfaces.BLKR

@@ -0,0 +1,64 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+
+#-----------------------------
+# lo - loopback interface
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+
+#-----------------------------
+# eth2 - WAN
+#-----------------------------
+
+auto eth2
+iface eth2 inet static
+   address 172.16.162.254
+   network 172.16.162.0
+   netmask 255.255.255.0
+   broadcast 172.16.162.255
+   gateway 172.16.162.1
+   dns-nameservers 127.0.0.1
+   dns-search anw-km.netz
+
+
+#-----------------------------
+# eth1 - LAN
+#-----------------------------
+
+auto eth1
+iface eth1 inet static
+   address 192.168.162.254
+   network 192.168.162.0
+   netmask 255.255.255.0
+   broadcast 192.168.162.255
+
+auto eth1:0
+iface eth1:0 inet static
+   address 192.168.162.53
+   network 192.168.162.0
+   netmask 255.255.255.0
+   broadcast 192.168.162.255
+
+
+
+#-----------------------------
+# br0 (bind eth0 + wlan0) - WAN
+#-----------------------------
+
+auto br0
+iface br0 inet static
+   address 192.168.163.254
+   network 192.168.163.0
+   netmask 255.255.255.0
+   broadcast 192.168.163.255
+   bridge_ports eth0 wlan0
+   bridge_stp off
+   bridge_maxwait 1
+
+iface eth0 inet manual
+iface wlan0 inet manual
+

BLKR/ipt-firewall.service.BLKR

@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target

BLKR/ipt-firewall/default_ports.conf

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_xymon_port=1984
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+

BLKR/ipt-firewall/include_functions.conf

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+      terminal=true
+else
+   terminal=false
+fi
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mdone\033[m ]"
+   else
+      echo " [ done ]"
+   fi
+}
+echo_ok() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[32mok\033[m ]"
+   else
+      echo " [ ok ]"
+   fi
+}
+echo_warning() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+   else
+      echo " [ warning ]"
+   fi
+}
+echo_failed(){
+   if $terminal ; then
+      echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+   else
+      echo ' [ failed! ]'
+   fi
+}
+echo_skipped() {
+   if $terminal ; then
+      echo -e "\033[75G[ \033[37mskipped\033[m ]"
+   else
+      echo " [ skipped ]"
+   fi
+}
+
+
+fatal (){
+   echo ""
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+      echo ""
+      echo -e "\t\033[31m\033[1m           Firewall Script will be interrupted..\033[m\033[m"
+   else
+      echo "fatal: $*"
+      echo "Firewall Script will be interrupted.."
+   fi
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   else
+      echo "Error: $*"
+   fi
+   echo ""
+}
+
+warn (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   else
+      echo "Warning: $*"
+   fi
+   echo ""
+}
+
+info (){
+   echo ""
+   if $terminal ; then
+      echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   else
+      echo "Info: $*"
+   fi
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+

BLKR/ipt-firewall/interfaces_ipv4.conf

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# -    (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# -    (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# -    (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth1"
+local_if_2="br0"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true

BLKR/ipt-firewall/load_modules_ipv4.conf

@@ -0,0 +1,36 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+# - Note:! 
+# -    Since Kernel 4.7 the automatic conntrack helper assignment
+# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# -    Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# -       net.netfilter.nf_conntrack_helper = 1
+# -
+# -    Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+

BLKR/ipt-firewall/load_modules_ipv6.conf

@@ -0,0 +1,9 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle

BLKR/ipt-firewall/logging_ipv4.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

BLKR/ipt-firewall/logging_ipv6.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""

BLKR/ipt-firewall/post_decalrations.conf

@@ -0,0 +1,454 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - Masquerade TCP Connections
+# ---
+declare -a masquerade_tcp_con_arr
+for _str in $masquerade_tcp_cons ; do
+   masquerade_tcp_con_arr+=("$_str")
+done
+
+
+# ---
+# - Extern Network interfaces (DSL, Staic Lines, All together)
+# ---
+declare -a nat_device_arr
+declare -a dsl_device_arr
+declare -a ext_if_arr
+for _dev in $ext_ifs_dsl ; do
+   dsl_device_arr+=("$_dev")
+   ext_if_arr+=("$_dev")
+   nat_device_arr+=("$_dev")
+done
+for _dev in $ext_ifs_static ; do
+   ext_if_arr+=("$_dev")
+done
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Allow these local networks any access to the internet
+# ---
+declare -a any_access_to_inet_network_arr
+for _net in $any_access_to_inet_networks ; do
+   any_access_to_inet_network_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given local networks
+# ---
+declare -a allow_local_net_to_local_service_arr 
+for _val in $allow_local_net_to_local_service ; do
+   allow_local_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local network to local ip-address
+# ---
+declare -a allow_local_net_to_local_ip_arr
+for _val in $allow_local_net_to_local_ip ; do
+   allow_local_net_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from local ip-address to local network
+# ---
+declare -a allow_local_ip_to_local_net_arr
+for _val in $allow_local_ip_to_local_net ; do
+   allow_local_ip_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from (one) local network to (another) local network
+# ---
+declare -a allow_local_net_to_local_net_arr
+for _val in $allow_local_net_to_local_net ; do
+   allow_local_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Allow local ip address from given local interface
+# ---
+declare -a allow_local_if_to_local_ip_arr
+for _val in $allow_local_if_to_local_ip ; do
+   allow_local_if_to_local_ip_arr+=("$_val")
+done
+
+# ---
+# - Separate local Networks
+# ---
+declare -a separate_local_network_arr
+for _net in $separate_local_networks ; do
+   separate_local_network_arr+=("$_net")
+done
+
+# ---
+# - Separate local Interfaces
+# ---
+declare -a separate_local_if_arr
+for _net in $separate_local_ifs ; do
+   separate_local_if_arr+=("$_net")
+done
+
+# ---
+# - Generally block ports on extern interfaces
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Not wanted on intern interfaces
+# ---
+declare -a not_wanted_on_gw_tcp_port_arr
+for _port in $not_wanted_on_gw_tcp_ports ; do
+   not_wanted_on_gw_tcp_port_arr+=("$_port")
+done
+
+declare -a not_wanted_on_gw_udp_port_arr
+for _port in $not_wanted_on_gw_udp_ports ; do
+   not_wanted_on_gw_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses DHCP Failover Server
+# ---
+declare -a dhcp_failover_server_ip_arr
+for _ip in $dhcp_failover_server_ips ; do
+   dhcp_failover_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses DNS Server
+# ---
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses HTTP Server only local Networks
+# ---
+declare -a http_server_only_local_ip_arr
+for _ip in $http_server_only_local_ips ; do
+   http_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mail Server only local Networks
+# ---
+declare -a mail_server_only_local_ip_arr
+for _ip in $mail_server_only_local_ips ; do
+   mail_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+declare -a ftp_server_only_local_ip_arr
+for _ip in $ftp_server_only_local_ips ; do
+   ftp_server_only_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Samba Server
+# ---
+declare -a samba_server_local_ip_arr
+for _ip in $samba_server_local_ips ; do
+   samba_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses LDAP Server
+# ---
+declare -a ldap_server_local_ip_arr
+for _ip in $ldap_server_local_ips ; do
+   ldap_server_local_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Telephone Systems
+# ---
+declare -a tele_sys_ip_arr
+for _ip in $tele_sys_ips ; do
+   tele_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses SNMP Server
+# ---
+declare -a snmp_server_ip_arr
+for _ip in $snmp_server_ips ; do
+   snmp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses Munin Service 
+# ---
+declare -a munin_local_server_ip_arr
+for _ip in $munin_local_server_ips ; do
+   munin_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Adresses IPMI interface
+# ---
+declare -a ipmi_server_ip_arr
+for _ip in $ipmi_server_ips ; do
+   ipmi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# -IP Addresses Ubiquiti Unifi Accesspoints
+# ---
+declare -a unifi_ap_local_ip_arr
+for _ip in $unifi_ap_local_ips ; do
+   unifi_ap_local_ip_arr+=("$_ip")
+done
+declare -a unifi_controller_gateway_ip_arr
+for _ip in $unifi_controller_gateway_ips ; do
+   unifi_controller_gateway_ip_arr+=("$_ip")
+done
+declare -a unify_controller_local_net_ip_arr
+for _ip in $unify_controller_local_net_ips ; do
+   unify_controller_local_net_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Printer
+# -
+declare -a printer_ip_arr
+for _ip in $printer_ips ; do
+   printer_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Adresses Brother Scanner (brscan)
+# ---
+declare -a brother_scanner_ip_arr
+for _ip in $brother_scanner_ips ; do
+   brother_scanner_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses PCNS Server
+# ---
+declare -a pcns_server_ip_arr
+for _ip in $pcns_server_ips ; do
+   pcns_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses VNC Service
+# ---
+declare -a rm_server_ip_arr
+for _ip in $rm_server_ips ; do
+   rm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - Other local Services
+# ---
+declare -a other_service_arr
+for _val in $other_services ; do
+   other_service_arr+=("$_val")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+declare -a vpn_gw_port_arr
+for _port in $vpn_gw_ports ; do
+   vpn_gw_port_arr+=("$_port")
+done
+declare -a vpn_local_net_port_arr
+for _port in $vpn_local_net_ports ; do
+   vpn_local_net_port_arr+=("$_port")
+done
+declare -a vpn_out_port_arr
+for _port in $vpn_out_ports ; do
+   vpn_out_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+# ---
+# - Samba Ports
+# ---
+
+declare -a samba_udp_port_arr
+for _port in $samba_udp_ports ; do
+   samba_udp_port_arr+=("$_port")
+done
+
+declare -a samba_tcp_port_arr
+for _port in $samba_tcp_ports ; do
+   samba_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - LDAP Ports
+# ---
+
+declare -a ldap_udp_port_arr
+for _port in $ldap_udp_ports ; do
+   ldap_udp_port_arr+=("$_port")
+done
+
+declare -a ldap_tcp_port_arr
+for _port in $ldap_tcp_ports ; do
+   ldap_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - IPMI
+# ---
+
+declare -a ipmi_udp_port_arr
+for _port in $ipmi_udp_ports ; do
+   ipmi_udp_port_arr+=("$_port")
+done
+
+declare -a ipmi_tcp_port_arr
+for _port in $ipmi_tcp_ports ; do
+   ipmi_tcp_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+   portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+   portforward_udp_arr+=("$_str")
+done
+
+# ---
+# - MAC Address Filtering
+# ---
+declare -a allow_all_mac_src_address_arr
+for _mac in $allow_all_mac_src_addresses ; do
+   allow_all_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_local_mac_src_address_arr
+for _mac in $allow_local_mac_src_addresses ; do
+   allow_local_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_remote_mac_src_address_arr
+for _mac in $allow_remote_mac_src_addresses ; do
+   allow_remote_mac_src_address_arr+=("$_mac")
+done
+

BLKR/mailname.BLKR

@@ -0,0 +1 @@
+gw-blkr.blkr.netz

BLKR/main.cf.BLKR

@@ -0,0 +1,268 @@
+# ============ Basic settings ============
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = /usr/share/doc/postfix
+html_directory = /usr/share/doc/postfix/html
+
+## - The Internet protocols Postfix will attempt to use when making 
+## - or accepting connections.
+## - DEFAULT: ipv4
+inet_protocols = ipv4
+
+#inet_interfaces = all
+inet_interfaces =
+   127.0.0.1
+   192.168.162.254
+
+myhostname = gw-blkr.blkr.netz
+
+mydestination = 
+   gw-blkr.blkr.netz
+   localhost
+
+## - The list of "trusted" SMTP clients that have more 
+## - privileges than "strangers"
+## -
+mynetworks = 
+   127.0.0.0/8
+   192.168.162.254/32
+
+#smtp_bind_address = 192.168.100.254
+#smtp_bind_address6 = 
+
+
+## - The method to generate the default value for the mynetworks parameter.
+## -
+## -   mynetworks_style = host" when Postfix should "trust" only the local machine
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -                       clients in the same IP subnetworks as the local machine.
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -                      IP class A/B/C networks as the local machine.
+## -
+#mynetworks_style = host
+
+
+## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - or zero (no limit). In fact, this limits the size of any file that is 
+## - written to upon local delivery, including files written by external 
+## - commands that are executed by the local(8) delivery agent. 
+## -
+mailbox_size_limit = 0
+
+## - The maximal size in bytes of a message, including envelope information.
+## -
+## - we user 50MB
+## -
+message_size_limit = 52480000
+
+## - The system-wide recipient address extension delimiter
+## -
+recipient_delimiter = +
+
+## - The alias databases that are used for local(8) delivery.
+## -
+alias_maps =
+   hash:/etc/aliases
+
+## - The alias databases for local(8) delivery that are updated 
+## - with "newaliases" or with "sendmail -bi". 
+## -
+alias_database =
+   hash:/etc/aliases
+
+
+## - The maximal time a message is queued before it is sent back as 
+## - undeliverable. Defaults to 5d (5 days)
+## - Specify 0 when mail delivery should be tried only once.
+## - 
+maximal_queue_lifetime = 3d
+bounce_queue_lifetime = $maximal_queue_lifetime
+
+## - delay_warning_time (default: 0h)
+## -
+## - The time after which the sender receives a copy of the message 
+## - headers of mail that is still queued. To enable this feature, 
+## - specify a non-zero time value (an integral value plus an optional 
+## - one-letter suffix that specifies the time unit). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - The default time unit is h (hours). 
+delay_warning_time = 1d
+
+
+
+# ============ Relay parameters ============
+
+#relayhost =
+
+
+# ============ SASL authentication ============
+
+# Enable SASL authentication
+smtp_sasl_auth_enable = yes
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [b.mx.oopen.de]
+
+# File including login data
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+# Force using a (TLS) security connection
+# obsulete - use smtp_tls_security_level instead
+#smtp_use_tls = yes
+#smtp_tls_enforce_peername = no
+smtp_tls_security_level = encrypt
+
+# Disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+
+
+
+# ============ TLS parameters ============
+
+## - Aktiviert TLS für den Mailempfang
+## -
+## - may:
+## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - SMTP server, otherwise use plaintext
+## -
+## - This overrides the obsolete parameters smtpd_use_tls and 
+## - smtpd_enforce_tls. This parameter is ignored with 
+## - "smtpd_tls_wrappermode = yes".
+#smtpd_use_tls=yes
+smtp_tls_security_level=encrypt
+
+## - Aktiviert TLS für den Mailversand
+## -
+## - may:
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - but do not require that clients use TLS encryption.
+# smtp_use_tls=yes
+smtpd_tls_security_level=may
+
+## -    0 Disable logging of TLS activity. 
+## -    1 Log TLS handshake and certificate information. 
+## -    2 Log levels during TLS negotiation. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -
+smtpd_tls_loglevel = 1
+smtp_tls_loglevel = 1
+
+smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt
+smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
+## -
+smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
+## - also possible to use 2048 key with that parameter
+## -
+#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
+
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - 
+## - Dont't forget to create it, e.g with openssl:
+## -    openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
+## -
+smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
+
+
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - server certificates or intermediate CA certificates. These are loaded into 
+## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
+## - 
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - necessary "hash" links with, for example, "
+## - /bin/c_rehash /etc/postfix/certs". 
+## -
+## - !! Note !!
+## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - the chroot jail. 
+## -
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - queue directory (/var/spool/postfix)
+## -
+#smtpd_tls_CApath = /etc/postfix/certs
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# 
+# List of TLS protocols that the Postfix SMTP server will exclude or  
+# include with opportunistic TLS encryption.  
+smtpd_tls_protocols = !SSLv2, !SSLv3
+# 
+# The SSL/TLS protocols accepted by the Postfix SMTP server  
+# with mandatory TLS encryption. 
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+# Disable SSLv2 SSLv3 - Postfix SMTP client 
+#  
+# List of TLS protocols that the Postfix SMTP client will exclude or  
+# include with opportunistic TLS encryption.  
+smtp_tls_protocols = !SSLv2, !SSLv3
+# 
+# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# with mandatory TLS encryption 
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+## -    openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+#   RC4
+#   aNULL
+#   SEED-SHA
+#   EXP
+#   MD5
+smtpd_tls_exclude_ciphers =
+   aNULL
+   eNULL
+   EXPORT
+   DES
+   RC4
+   MD5
+   PSK
+   aECDH
+   EDH-DSS-DES-CBC3-SHA
+   EDH-RSA-DES-CDC3-SHA
+   KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+

BLKR/rc.local.BLKR

@@ -0,0 +1,18 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+sleep 2
+/etc/init.d/ntp restart || /bin/true
+
+
+exit 0

BLKR/resolv.conf.BLKR

@@ -0,0 +1,4 @@
+# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+nameserver 127.0.0.1
+search blkr.netz

BLKR/sasl_passwd.BLKR

@@ -0,0 +1 @@
+[b.mx.oopen.de] blkr@b.mx.oopen.de:CJFtqw4K4TXg

BLKR/src/ipt-gateway

@@ -0,0 +1 @@
+Subproject commit aa6a6aa992674fd0d21c32505550e49e7cb4afca