# and waiting a long time for bash to expand all of $PATH.
shopt -s no_empty_cmd_completion
-# Enable history appending instead of overwriting. #139609
+# Enable history appending instead of overwriting when exiting. #139609
shopt -s histappend
# Save each command to the history file as it's executed. #517342
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
+ [aEkx]term*|rxvt*|gnome*|konsole*|interix)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
;;
screen*)
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
-# first to take advantage of user additions. Use internal bash
-# globbing instead of external grep binary.
+# first to take advantage of user additions.
+# We run dircolors directly due to its changes in file syntax and
+# terminal name patching.
safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
match_lhs=""
[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
+ [aEkx]term*|rxvt*|gnome*|konsole*|interix)
PS1='\[\033]0;\u@\h:\w\007\]'
;;
screen*)
;;
esac
-use_color=false
-
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
-# first to take advantage of user additions. Use internal bash
-# globbing instead of external grep binary.
-safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
-match_lhs=""
-[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
-[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
-[[ -z ${match_lhs} ]] \
- && type -P dircolors >/dev/null \
- && match_lhs=$(dircolors --print-database)
-[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
-
-if ${use_color} ; then
+# first to take advantage of user additions.
+# We run dircolors directly due to its changes in file syntax and
+# terminal name patching.
+use_color=false
+if type -P dircolors >/dev/null ; then
# Enable colors for ls, etc. Prefer ~/.dir_colors #64489
- if type -P dircolors >/dev/null ; then
- if [[ -f ~/.dir_colors ]] ; then
- eval $(dircolors -b ~/.dir_colors)
- elif [[ -f /etc/DIR_COLORS ]] ; then
- eval $(dircolors -b /etc/DIR_COLORS)
- fi
+ LS_COLORS=
+ if [[ -f ~/.dir_colors ]] ; then
+ eval "$(dircolors -b ~/.dir_colors)"
+ elif [[ -f /etc/DIR_COLORS ]] ; then
+ eval "$(dircolors -b /etc/DIR_COLORS)"
+ else
+ eval "$(dircolors -b)"
fi
+ # Note: We always evaluate the LS_COLORS setting even when it's the
+ # default. If it isn't set, then `ls` will only colorize by default
+ # based on file attributes and ignore extensions (even the compiled
+ # in defaults of dircolors). #583814
+ if [[ -n ${LS_COLORS:+set} ]] ; then
+ use_color=true
+ else
+ # Delete it if it's empty as it's useless in that case.
+ unset LS_COLORS
+ fi
+else
+ # Some systems (e.g. BSD & embedded) don't typically come with
+ # dircolors so we need to hardcode some terminals in here.
+ case ${TERM} in
+ [aEkx]term*|rxvt*|gnome*|konsole*|screen|cons25|*color) use_color=true;;
+ esac
+fi
+if ${use_color} ; then
if [[ ${EUID} == 0 ]] ; then
PS1+='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] '
else
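Review bot: The hard-coded fallback list at L85 matches `screen` exactly while every other TERM case in this file uses `screen*` (L13, L31), so a TERM such as `screen.xterm-256color` or `screen-256color-bce` only gets colour if it happens to end in `color`; `[aEkx]term*|rxvt*|gnome*|konsole*|screen*|cons25|*color) use_color=true;;` keeps the branches consistent. The `-f` tests at L64 and L66 also do not check readability, so an unreadable `~/.dir_colors` makes `dircolors -b` print an error to stderr on every shell start and leaves LS_COLORS empty, whereas `-r` would fall through to the next candidate. The same hunk appears again at L551–L608.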
done
# Try to keep environment pollution down, EPA loves us.
-unset use_color safe_term match_lhs sh
+unset use_color sh
# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
shopt -s checkwinsize
-# Enable history appending instead of overwriting. #139609
+# Disable completion when the input buffer is empty. i.e. Hitting tab
+# and waiting a long time for bash to expand all of $PATH.
+shopt -s no_empty_cmd_completion
+
+# Enable history appending instead of overwriting when exiting. #139609
shopt -s histappend
+# Save each command to the history file as it's executed. #517342
+# This does mean sessions get interleaved when reading later on, but this
+# way the history is always up to date. History is not synced across live
+# sessions though; that is what `history -n` does.
+# Disabled by default due to concerns related to system recovery when $HOME
+# is under duress, or lives somewhere flaky (like NFS). Constantly syncing
+# the history will halt the shell prompt until it's finished.
+#PROMPT_COMMAND='history -a'
+
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
+ [aEkx]term*|rxvt*|gnome*|konsole*|interix)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
;;
screen*)
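Review bot: The commented-out `PROMPT_COMMAND='history -a'` at L112 cannot simply be uncommented as the comment suggests, because the case at L118 assigns `PROMPT_COMMAND=` with a plain `=` for xterm-like terminals and would silently replace it. If users are meant to enable it, the title-setting branches should append instead, e.g. `PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND;}"'echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'`, or the comment at L109–L112 should say that enabling it also requires changing the assignments below. The same hunk is repeated at L147–L170.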
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
-# first to take advantage of user additions. Use internal bash
-# globbing instead of external grep binary.
+# first to take advantage of user additions.
+# We run dircolors directly due to its changes in file syntax and
+# terminal name patching.
safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
match_lhs=""
[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
fi
fi
+for sh in /etc/bash/bashrc.d/* ; do
+ [[ -r ${sh} ]] && source "${sh}"
+done
+
# Try to keep environment pollution down, EPA loves us.
unset use_color safe_term match_lhs
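Review bot: The loop at L134–L136 sources anything readable under /etc/bash/bashrc.d/, including directories and other non-regular files, which makes `source` print an error at shell start; `[[ -f ${sh} && -r ${sh} ]] && source "${sh}"` restricts it to regular files. The loop variable is also left behind: the `unset` at L139 still lists only `use_color safe_term match_lhs`, while the sibling hunk at L92–L95 adds `sh` to it. Since every file in that directory runs with the privileges of the shell being started, root's included, a comment above the loop stating that its contents must be root-owned and not group- or world-writable would help whoever populates it. The same loop is added again at L173–L175 with the same `unset` at L178.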
. /usr/share/mc/mc.gentoo
fi
-if [ -e /etc/bash_completion.d/git ] ; then
+if type -t __git_ps1 >/dev/null ; then
if [[ ${EUID} == 0 ]] ; then
PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]'
else
# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
shopt -s checkwinsize
+# Disable completion when the input buffer is empty. i.e. Hitting tab
+# and waiting a long time for bash to expand all of $PATH.
+shopt -s no_empty_cmd_completion
+
# Enable history appending instead of overwriting. #139609
shopt -s histappend
+# Save each command to the history file as it's executed. #517342
+# This does mean sessions get interleaved when reading later on, but this
+# way the history is always up to date. History is not synced across live
+# sessions though; that is what `history -n` does.
+# Disabled by default due to concerns related to system recovery when $HOME
+# is under duress, or lives somewhere flaky (like NFS). Constantly syncing
+# the history will halt the shell prompt until it's finished.
+#PROMPT_COMMAND='history -a'
+
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix)
+ xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
;;
screen*)
fi
fi
+for sh in /etc/bash/bashrc.d/* ; do
+ [[ -r ${sh} ]] && source "${sh}"
+done
+
# Try to keep environment pollution down, EPA loves us.
unset use_color safe_term match_lhs
. /usr/share/mc/mc.gentoo
fi
-if [ -e /etc/bash_completion.d/git ] ; then
+if type -t __git_ps1 >/dev/null ; then
if [[ ${EUID} == 0 ]] ; then
PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]'
else
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix)
+ xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
;;
- screen)
+ screen*)
PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"'
;;
esac
fi
alias ls='ls --color=auto'
- #alias grep='grep --colour=auto'
+ alias grep='grep --colour=auto'
+ alias egrep='egrep --colour=auto'
+ alias fgrep='fgrep --colour=auto'
else
if [[ ${EUID} == 0 ]] ; then
# show root@ when we don't have colors
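Review bot: The new aliases at L201–L202 wrap `egrep` and `fgrep`, which GNU grep 3.8 and later treat as obsolescent and answer with a warning on every invocation, so on current systems the aliases add noise rather than colour. `alias egrep='grep -E --colour=auto'` and `alias fgrep='grep -F --colour=auto'` give the same behaviour without depending on the wrapper scripts. The same three aliases are added again at L220–L222.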
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix)
+ xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
;;
- screen)
+ screen*)
PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"'
;;
esac
fi
alias ls='ls --color=auto'
- #alias grep='grep --colour=auto'
+ alias grep='grep --colour=auto'
+ alias egrep='egrep --colour=auto'
+ alias fgrep='fgrep --colour=auto'
else
if [[ ${EUID} == 0 ]] ; then
# show root@ when we don't have colors
. /usr/share/mc/mc.gentoo
fi
-if [ -f /etc/profile.d/bash-completion ]; then
- . /etc/profile.d/bash-completion
+if [ -e /etc/bash_completion.d/git ] ; then
if [[ ${EUID} == 0 ]] ; then
PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]'
else
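Review bot: The new guard at L230 only tests that /etc/bash_completion.d/git exists, yet the two lines it replaced were the ones that sourced /etc/profile.d/bash-completion, so nothing in this block defines `__git_ps1` before the PS1 at L232 calls it; on a system where no other startup file loads git's prompt helper, every prompt prints a command-not-found error. Guarding on the function itself, `if type -t __git_ps1 >/dev/null ; then`, tests the actual precondition, which is what the separate hunk at L142–L143 on this page later does for the same file.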
fi
fi
-
# vim: ts=4 expandtab
--- /dev/null
+# /etc/bash/bashrc
+#
+# This file is sourced by all *interactive* bash shells on startup,
+# including some apparently interactive shells such as scp and rcp
+# that can't tolerate any output. So make sure this doesn't display
+# anything or bad things will happen !
+
+
+# Test for an interactive shell. There is no need to set anything
+# past this point for scp and rcp, and it's important to refrain from
+# outputting anything in those cases.
+if [[ $- != *i* ]] ; then
+ # Shell is non-interactive. Be done now!
+ return
+fi
+
+# Bash won't get SIGWINCH if another process is in the foreground.
+# Enable checkwinsize so that bash will check the terminal size when
+# it regains control. #65623
+# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
+shopt -s checkwinsize
+
+# Enable history appending instead of overwriting. #139609
+shopt -s histappend
+
+# Change the window title of X terminals
+case ${TERM} in
+ xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix)
+ PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
+ ;;
+ screen)
+ PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"'
+ ;;
+esac
+
+use_color=false
+
+# Set colorful PS1 only on colorful terminals.
+# dircolors --print-database uses its own built-in database
+# instead of using /etc/DIR_COLORS. Try to use the external file
+# first to take advantage of user additions. Use internal bash
+# globbing instead of external grep binary.
+safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
+match_lhs=""
+[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
+[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
+[[ -z ${match_lhs} ]] \
+ && type -P dircolors >/dev/null \
+ && match_lhs=$(dircolors --print-database)
+[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
+
+if ${use_color} ; then
+ # Enable colors for ls, etc. Prefer ~/.dir_colors #64489
+ if type -P dircolors >/dev/null ; then
+ if [[ -f ~/.dir_colors ]] ; then
+ eval $(dircolors -b ~/.dir_colors)
+ elif [[ -f /etc/DIR_COLORS ]] ; then
+ eval $(dircolors -b /etc/DIR_COLORS)
+ fi
+ fi
+
+ if [[ ${EUID} == 0 ]] ; then
+ #PS1='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] '
+ PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w \$ \[\033[00m\]'
+ else
+ #PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
+ PS1='$? \[\033[01;32m\]\u@\h\[\033[01;30m\]:\[\033[01;34m\]\w > \[\033[00m\]'
+ fi
+
+ alias ls='ls --color=auto'
+ #alias grep='grep --colour=auto'
+else
+ if [[ ${EUID} == 0 ]] ; then
+ # show root@ when we don't have colors
+ PS1='\u@\h \W \$ '
+ else
+ PS1='\u@\h \w \$ '
+ fi
+fi
+
+# Try to keep environment pollution down, EPA loves us.
+unset use_color safe_term match_lhs
+
+if [ -d /usr/scripts ] ; then
+ PATH=/usr/scripts:$PATH
+ export PATH
+fi
+
+if [ -d $HOME/bin ] ; then
+ PATH=$PATH:$HOME/bin
+ export PATH
+fi
+
+if [ -d $HOME/lib ] ; then
+ PERL5LIB=$HOME/lib
+ export PERL5LIB
+fi
+
+#if [[ ${EUID} == 0 ]] ; then
+# alias ll="ls -lA"
+#else
+# alias ll="ls -l"
+#fi
+alias l="ls -l"
+alias ll="ls -lA"
+alias la="ls -la"
+alias md=mkdir
+alias rd=rmdir
+alias ..='cd ..'
+alias ...='cd ../..'
+alias cd..='cd ..'
+alias cd...='cd ../..'
+alias pl="ps -fu $USER"
+
+lcd() {
+ cd $( perl -e '
+use strict;
+use Cwd;
+my $new = shift;
+my $cwd = Cwd::abs_path(getcwd());
+my $newa = $cwd;
+if ($new){
+ $newa = Cwd::abs_path($new);
+ $newa = $cwd unless $newa;
+};
+printf("%s\n", $newa);
+' $1 )
+}
+
+export LESS="-R -M -I --shift 5"
+export LESSCHARSET="utf-8"
+
+HISTCONTROL=ignoreboth
+HISTSIZE=50000
+HISTFILESIZE=50000
+HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '
+
+if [ -f /usr/share/mc/mc.gentoo ]; then
+ . /usr/share/mc/mc.gentoo
+fi
+
+if [ -e /etc/bash_completion.d/git ] ; then
+ if [[ ${EUID} == 0 ]] ; then
+ PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]'
+ else
+ PS1='$? \[\033[01;32m\]\u@\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] > \[\033[00m\]'
+ fi
+fi
+
+# vim: ts=4 expandtab
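Review bot: `lcd` at L353–L366 leaves both the argument and the command substitution unquoted, `cd $( perl -e '...' $1 )`, so a directory name containing whitespace or glob characters is split or expanded before `cd` sees it, and an empty result makes `cd` silently change to $HOME; `cd -- "$(perl -e '…' -- "$1")"` keeps the path intact. The perl helper only canonicalises the target with Cwd::abs_path, which `cd -P -- "$1"` would do with a builtin for the existing-directory case. The `[ -d $HOME/bin ]` and `[ -d $HOME/lib ]` tests at L327 and L332 have the same quoting gap. The second copy of this file at L390–L541 carries the same `lcd` at L504–L516.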
--- /dev/null
+# /etc/bash/bashrc
+#
+# This file is sourced by all *interactive* bash shells on startup,
+# including some apparently interactive shells such as scp and rcp
+# that can't tolerate any output. So make sure this doesn't display
+# anything or bad things will happen !
+
+
+# Test for an interactive shell. There is no need to set anything
+# past this point for scp and rcp, and it's important to refrain from
+# outputting anything in those cases.
+if [[ $- != *i* ]] ; then
+ # Shell is non-interactive. Be done now!
+ return
+fi
+
+# Bash won't get SIGWINCH if another process is in the foreground.
+# Enable checkwinsize so that bash will check the terminal size when
+# it regains control. #65623
+# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
+shopt -s checkwinsize
+
+# Enable history appending instead of overwriting. #139609
+shopt -s histappend
+
+# Change the window title of X terminals
+case ${TERM} in
+ xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix)
+ PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"'
+ ;;
+ screen)
+ PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"'
+ ;;
+esac
+
+use_color=false
+
+# Set colorful PS1 only on colorful terminals.
+# dircolors --print-database uses its own built-in database
+# instead of using /etc/DIR_COLORS. Try to use the external file
+# first to take advantage of user additions. Use internal bash
+# globbing instead of external grep binary.
+safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
+match_lhs=""
+[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
+[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
+[[ -z ${match_lhs} ]] \
+ && type -P dircolors >/dev/null \
+ && match_lhs=$(dircolors --print-database)
+[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
+
+if ${use_color} ; then
+ # Enable colors for ls, etc. Prefer ~/.dir_colors #64489
+ if type -P dircolors >/dev/null ; then
+ if [[ -f ~/.dir_colors ]] ; then
+ eval $(dircolors -b ~/.dir_colors)
+ elif [[ -f /etc/DIR_COLORS ]] ; then
+ eval $(dircolors -b /etc/DIR_COLORS)
+ fi
+ fi
+
+ if [[ ${EUID} == 0 ]] ; then
+ #PS1='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] '
+ PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w \$ \[\033[00m\]'
+ else
+ #PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] '
+ PS1='$? \[\033[01;32m\]\u@\h\[\033[01;30m\]:\[\033[01;34m\]\w > \[\033[00m\]'
+ fi
+
+ alias ls='ls --color=auto'
+ #alias grep='grep --colour=auto'
+else
+ if [[ ${EUID} == 0 ]] ; then
+ # show root@ when we don't have colors
+ PS1='\u@\h \W \$ '
+ else
+ PS1='\u@\h \w \$ '
+ fi
+fi
+
+# Try to keep environment pollution down, EPA loves us.
+unset use_color safe_term match_lhs
+
+if [ -d /usr/scripts ] ; then
+ PATH=/usr/scripts:$PATH
+ export PATH
+fi
+
+if [ -d $HOME/bin ] ; then
+ PATH=$PATH:$HOME/bin
+ export PATH
+fi
+
+if [ -d $HOME/lib ] ; then
+ PERL5LIB=$HOME/lib
+ export PERL5LIB
+fi
+
+#if [[ ${EUID} == 0 ]] ; then
+# alias ll="ls -lA"
+#else
+# alias ll="ls -l"
+#fi
+alias l="ls -l"
+alias ll="ls -lA"
+alias la="ls -la"
+alias md=mkdir
+alias rd=rmdir
+alias ..='cd ..'
+alias ...='cd ../..'
+alias cd..='cd ..'
+alias cd...='cd ../..'
+alias pl="ps -fu $USER"
+
+lcd() {
+ cd $( perl -e '
+use strict;
+use Cwd;
+my $new = shift;
+my $cwd = Cwd::abs_path(getcwd());
+my $newa = $cwd;
+if ($new){
+ $newa = Cwd::abs_path($new);
+ $newa = $cwd unless $newa;
+};
+printf("%s\n", $newa);
+' $1 )
+}
+
+export LESS="-R -M -I --shift 5"
+export LESSCHARSET="utf-8"
+
+HISTCONTROL=ignoreboth
+HISTSIZE=50000
+HISTFILESIZE=50000
+HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S '
+
+if [ -f /usr/share/mc/mc.gentoo ]; then
+ . /usr/share/mc/mc.gentoo
+fi
+
+if [ -f /etc/profile.d/bash-completion ]; then
+ . /etc/profile.d/bash-completion
+ if [[ ${EUID} == 0 ]] ; then
+ PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]'
+ else
+ PS1='$? \[\033[01;32m\]\u@\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] > \[\033[00m\]'
+ fi
+fi
+
+
+# vim: ts=4 expandtab
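Review bot: The block at L531–L538 assumes that sourcing /etc/profile.d/bash-completion defines `__git_ps1`, but as far as I recall that script only loads the completion framework while git's prompt helper ships separately as git-prompt.sh, so the PS1 set at L534/L536 can call an undefined function on every prompt. Adding `if type -t __git_ps1 >/dev/null ; then` around the PS1 assignments after the source line tests the real precondition. The unquoted `eval $(dircolors -b …)` at L445/L447 and the `[ -d $HOME/bin ]` tests at L478/L483 are the same quoting gaps as in the first copy of this file.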
# Change the window title of X terminals
case ${TERM} in
- xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*)
+ [aEkx]term*|rxvt*|gnome*|konsole*|interix)
PS1='\[\033]0;\u@\h:\w\007\]'
;;
screen*)
;;
esac
-use_color=false
-
# Set colorful PS1 only on colorful terminals.
# dircolors --print-database uses its own built-in database
# instead of using /etc/DIR_COLORS. Try to use the external file
-# first to take advantage of user additions. Use internal bash
-# globbing instead of external grep binary.
-safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM
-match_lhs=""
-[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)"
-[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)"
-[[ -z ${match_lhs} ]] \
- && type -P dircolors >/dev/null \
- && match_lhs=$(dircolors --print-database)
-[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true
-
-if ${use_color} ; then
+# first to take advantage of user additions.
+# We run dircolors directly due to its changes in file syntax and
+# terminal name patching.
+use_color=false
+if type -P dircolors >/dev/null ; then
# Enable colors for ls, etc. Prefer ~/.dir_colors #64489
- if type -P dircolors >/dev/null ; then
- if [[ -f ~/.dir_colors ]] ; then
- eval $(dircolors -b ~/.dir_colors)
- elif [[ -f /etc/DIR_COLORS ]] ; then
- eval $(dircolors -b /etc/DIR_COLORS)
- fi
+ LS_COLORS=
+ if [[ -f ~/.dir_colors ]] ; then
+ eval "$(dircolors -b ~/.dir_colors)"
+ elif [[ -f /etc/DIR_COLORS ]] ; then
+ eval "$(dircolors -b /etc/DIR_COLORS)"
+ else
+ eval "$(dircolors -b)"
fi
+ # Note: We always evaluate the LS_COLORS setting even when it's the
+ # default. If it isn't set, then `ls` will only colorize by default
+ # based on file attributes and ignore extensions (even the compiled
+ # in defaults of dircolors). #583814
+ if [[ -n ${LS_COLORS:+set} ]] ; then
+ use_color=true
+ else
+ # Delete it if it's empty as it's useless in that case.
+ unset LS_COLORS
+ fi
+else
+ # Some systems (e.g. BSD & embedded) don't typically come with
+ # dircolors so we need to hardcode some terminals in here.
+ case ${TERM} in
+ [aEkx]term*|rxvt*|gnome*|konsole*|screen|cons25|*color) use_color=true;;
+ esac
+fi
+if ${use_color} ; then
if [[ ${EUID} == 0 ]] ; then
PS1+='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] '
else
done
# Try to keep environment pollution down, EPA loves us.
-unset use_color safe_term match_lhs sh
+unset use_color sh
#!/bin/sh
-/usr/sbin/logrotate /etc/logrotate.conf
+/usr/bin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-arp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-arp' chain='arp' priority='-500'>
+ <uuid>cba5ee05-dfa7-4a27-9c3d-4e18bf826170</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<filter name='allow-arp' chain='arp'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp-server
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
+ <uuid>7c952b52-7cc4-4f0b-8703-7ce4b08e7025</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp' chain='ipv4' priority='-700'>
+ <uuid>5462a023-54da-4611-b98e-96aa600c451b</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='allow-dhcp' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- not, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-incoming-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
+ <uuid>8cd418be-ad3b-4ac0-87e8-5a49029d4a72</uuid>
+ <rule action='accept' direction='in' priority='500'/>
+</filter>
--- /dev/null
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+ <rule direction='in' action='accept'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-ipv4' chain='ipv4' priority='-700'>
+ <uuid>4ec48445-d431-4917-b632-4fbaa50e1707</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<filter name='allow-ipv4' chain='ipv4'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit clean-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='clean-traffic' chain='root'>
+ <uuid>65aedbee-e026-4f03-ad32-9d5b8364898b</uuid>
+ <filterref filter='no-mac-spoofing'/>
+ <filterref filter='no-ip-spoofing'/>
+ <rule action='accept' direction='out' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+ <filterref filter='allow-incoming-ipv4'/>
+ <filterref filter='no-arp-spoofing'/>
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+ <filterref filter='no-other-l2-traffic'/>
+ <filterref filter='qemu-announce-self'/>
+</filter>
--- /dev/null
+<filter name='clean-traffic' chain='root'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing'/>
+
+ <rule direction='out' action='accept' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing'/>
+
+ <!-- accept all other incoming and outgoing ARP traffic -->
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <uuid>473cb31d-d866-4693-9a65-4ae26d4a5940</uuid>
+ <rule action='return' direction='out' priority='400'>
+ <arp arpsrcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <uuid>86ef4129-25df-4c34-968f-140e25c72bfb</uuid>
+ <rule action='return' direction='out' priority='350'>
+ <arp arpsrcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-spoofing' chain='root'>
+ <uuid>58266155-6808-481d-a9d2-483912c8847d</uuid>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
+</filter>
--- /dev/null
+<filter name='no-arp-spoofing' chain='root'>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-multicast
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
+ <uuid>c5f9e818-0c58-4890-9306-2c74e426f128</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-ip-multicast' chain='ipv4'>
+
+ <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+ <rule action='drop' direction='out'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <uuid>5b48767b-c7a2-4542-af68-33e1f52da2f3</uuid>
+ <rule action='return' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp'/>
+ </rule>
+ <rule action='return' direction='out' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <!-- allow UDP sent from 0.0.0.0 (DHCP); filter more exact later -->
+ <rule action='return' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp'/>
+ </rule>
+
+ <!-- allow all known IP addresses -->
+ <rule direction='out' action='return' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+
+ <!-- drop everything else -->
+ <rule direction='out' action='drop' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-broadcast
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
+ <uuid>e13e3fdf-cf39-493b-8fef-63fd732e5e88</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-mac-broadcast' chain='ipv4'>
+ <!-- drop if destination mac is bcast mac addr. -->
+ <rule action='drop' direction='out'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <uuid>ac0d6631-ea39-4ee9-8004-552ae50ba8ab</uuid>
+ <rule action='return' direction='out' priority='500'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <mac/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
+ <mac/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-l2-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-l2-traffic' chain='root'>
+ <uuid>c831aa08-e503-4b2a-a6f7-84647ec9a9c6</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-other-l2-traffic'>
+
+ <!-- drop all other l2 traffic than for which rules have been
+ written for; i.e., drop all other than arp and ipv4 traffic -->
+ <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-rarp-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
+ <uuid>15155842-ed37-46e4-8bda-8e0017ea65f2</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-other-rarp-traffic' chain='rarp'>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self-rarp
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
+ <uuid>e24f3768-5db4-418e-a0ed-6f8e8bae55ff</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp opcode='Request_Reverse'
+ srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp opcode='Request_Reverse'
+ dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self' chain='root'>
+ <uuid>247832ba-d1ba-4cd7-8988-2d5e51575c88</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <mac protocolid='0x835'/>
+ </rule>
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+</filter>
--- /dev/null
+<filter name='qemu-announce-self' chain='root'>
+ <!-- as of 4/26/2010 qemu sends out a bogus packet with
+ wrong rarp protocol ID -->
+ <!-- accept what is being sent now -->
+ <rule action='accept' direction='out'>
+ <mac protocolid='0x835'/>
+ </rule>
+
+ <!-- accept if it was changed to rarp -->
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+
+</filter>
-# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
+#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
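Review bot: Commenting out `UsePrivilegeSeparation sandbox` makes the effective setting depend on the compiled-in default of whichever sshd binary reads this file. The version stamp in the same diff moves to the 7.2-era upstream template, where sandbox is presumably the default, so this is likely a no-op there, but an older or distro-patched build may not default to sandbox mode. Keeping the line active, `UsePrivilegeSeparation sandbox`, costs nothing on newer builds and pins the intent on older ones.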
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
-# the following are HPN related configuration options
-# tcp receive buffer polling. disable in non autotuning kernels
-#TcpRcvBufPoll yes
-
-# disable hpn performance boosts
-#HPNDisabled no
-
-# buffer size for hpn to non-hpn connections
-#HPNBufferSize 2048
-
-
-# allow the use of the none cipher
-#NoneEnabled no
-
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $
+# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#LoginGraceTime 2m
#PermitRootLogin no
+#PermitRootLogin prohibit-password
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
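Review bot: The added `#PermitRootLogin prohibit-password` line documents the upstream default but sits directly above the live `PermitRootLogin yes`, so a reader skimming the file sees the safe value first and may miss that it is overridden. Other sshd_config variants in this same diff ship `PasswordAuthentication no`; whether that applies to this file cannot be confirmed from the hunk, but if key-only root access is what is wanted, `PermitRootLogin prohibit-password` (or `without-password` on older releases) in place of `yes` gives exactly that. If `yes` is deliberate, a one-line comment on the live line stating why password root login is permitted would keep the next reviewer from reverting it.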
-# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+# $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
+#UseDNS no
+#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
-# $OpenBSD$
+# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
-# "key type names" for X.509 certificates with RSA key
-# Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
-
-# "key type names" for X.509 certificates with DSA key
-# Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-dss,dss-asn1
-#X509KeyAlgorithm x509v3-sign-dss,dss-raw
-
-# The intended use for the X509 client certificate. Without this option
-# no chain verification will be done. Currently accepted uses are case
-# insensitive:
-# - "sslclient", "SSL client", "SSL_client" or "client"
-# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
-# - "skip" or ""(empty): don`t check purpose.
-#AllowedCertPurpose sslclient
-
-# Specifies whether self-issued(self-signed) X.509 certificate can be
-# allowed only by entry in AutorizedKeysFile that contain matching
-# public key or certificate blob.
-#KeyAllowSelfIssued no
-
-# Specifies whether CRL must present in store for all certificates in
-# certificate chain with atribute "cRLDistributionPoints"
-#MandatoryCRL no
-
-# A file with multiple certificates of certificate signers
-# in PEM format concatenated together.
-#CACertificateFile /etc/ssh/ca/ca-bundle.crt
-
-# A directory with certificates of certificate signers.
-# The certificates should have name of the form: [HASH].[NUMBER]
-# or have symbolic links to them of this form.
-#CACertificatePath /etc/ssh/ca/crt
-
-# A file with multiple CRL of certificate signers
-# in PEM format concatenated together.
-#CARevocationFile /etc/ssh/ca/ca-bundle.crl
-
-# A directory with CRL of certificate signers.
-# The CRL should have name of the form: [HASH].r[NUMBER]
-# or have symbolic links to them of this form.
-#CARevocationPath /etc/ssh/ca/crl
-
-# LDAP protocol version.
-# Example:
-# CAldapVersion 2
-
-# Note because of OpenSSH options parser limitation
-# use %3D instead of = !
-# LDAP initialization may require URL to be escaped, i.e.
-# use %2C instead of ,(comma). Escaped URL don't depend from
-# LDAP initialization method.
-# Example:
-# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom
-
-# SSH can use "Online Certificate Status Protocol"(OCSP)
-# to validate certificate. Set VAType to
-# - none : do not use OCSP to validate certificates;
-# - ocspcert: validate only certificates that specify `OCSP
-# Service Locator' URL;
-# - ocspspec: use specified in the configuration 'OCSP Responder'
-# to validate all certificates.
-#VAType none
-
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
-#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN ou=users,dc=phear,dc=org
+#LpkGroupDN ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
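Review bot: The example LDAP block added after `AcceptEnv` shows `#LpkForceTLS no` and plain `ldap://` servers, which, if uncommented as-is, would fetch the public keys sshd authenticates against over cleartext LDAP, where an on-path attacker could substitute a key. It also shows a bind password in `#LpkBindPw secret`, and a real one would live in a typically world-readable sshd_config. Suggest changing the examples to `#LpkForceTLS yes` and `#LpkServers ldaps://10.1.7.1/ ldaps://10.1.7.2/`, and adding `# if LpkBindPw is set, restrict this file to root (0600) or use an anonymous read-only bind`. These keywords are only parsed by an LPK-patched sshd; on an unpatched build they would be rejected as unknown options if enabled.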
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
-
+
# disable hpn performance boosts
#HPNDisabled no
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
# "key type names" for X.509 certificates with RSA key
# Note first defined is used in signature operations!
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
+# PermitTTY no
# ForceCommand cvs server
# Allow client to pass locale environment variables #367017
# "key type names" for X.509 certificates with RSA key
# Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
# "key type names" for X.509 certificates with DSA key
# Note first defined is used in signature operations!
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
+# Ciphers and keying
+#RekeyLimit default none
+
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
+#VersionAddendum none
# no default banner path
#Banner none
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
-# allow the use of the none cipher
-#NoneEnabled no
-
-# disable hpn performance boosts.
+# disable hpn performance boosts
#HPNDisabled no
# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048
+# allow the use of the none cipher
+#NoneEnabled no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
+
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
# Authentication:
#LoginGraceTime 2m
-PermitRootLogin no
+#PermitRootLogin no
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
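Review bot: This hunk flips the live value from `PermitRootLogin no` to `PermitRootLogin yes`, which permits direct root login with every enabled authentication method, including passwords unless `PasswordAuthentication no` and `ChallengeResponseAuthentication no` are set elsewhere in this file (not visible in the hunk). If the goal is key-based root access for automation, `PermitRootLogin without-password` gives that without exposing root to password guessing, and `forced-commands-only` is tighter still if only specific commands are needed. If `yes` is deliberate, a one-line comment above it stating the reason would keep the next reviewer from reverting it.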
#RSAAuthentication yes
#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# no default banner path
#Banner none
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
-# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
+# $OpenBSD$
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# no default banner path
#Banner none
-# here are the new patched ldap related tokens
-# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
-#UseLPK yes
-#LpkLdapConf /etc/ldap.conf
-#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
-#LpkUserDN ou=users,dc=phear,dc=org
-#LpkGroupDN ou=groups,dc=phear,dc=org
-#LpkBindDN cn=Manager,dc=phear,dc=org
-#LpkBindPw secret
-#LpkServerGroup mail
-#LpkFilter (hostAccess=master.phear.org)
-#LpkForceTLS no
-#LpkSearchTimelimit 3
-#LpkBindTimelimit 3
-#LpkPubKeyAttr sshPublicKey
-
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
-# $OpenBSD$
+# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# no default banner path
#Banner none
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN ou=users,dc=phear,dc=org
+#LpkGroupDN ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
# override default of no subsystems
-Subsystem sftp /usr/lib/misc/sftp-server
+Subsystem sftp /usr/lib64/misc/sftp-server
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
--- /dev/null
+# $OpenBSD$
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# "key type names" for X.509 certificates with RSA key
+# Note first defined is used in signature operations!
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
+
+# "key type names" for X.509 certificates with DSA key
+# Note first defined is used in signature operations!
+#X509KeyAlgorithm x509v3-sign-dss,dss-asn1
+#X509KeyAlgorithm x509v3-sign-dss,dss-raw
+
+# The intended use for the X509 client certificate. Without this option
+# no chain verification will be done. Currently accepted uses are case
+# insensitive:
+# - "sslclient", "SSL client", "SSL_client" or "client"
+# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
+# - "skip" or ""(empty): don`t check purpose.
+#AllowedCertPurpose sslclient
+
+# Specifies whether self-issued(self-signed) X.509 certificate can be
+# allowed only by entry in AutorizedKeysFile that contain matching
+# public key or certificate blob.
+#KeyAllowSelfIssued no
+
+# Specifies whether CRL must present in store for all certificates in
+# certificate chain with atribute "cRLDistributionPoints"
+#MandatoryCRL no
+
+# A file with multiple certificates of certificate signers
+# in PEM format concatenated together.
+#CACertificateFile /etc/ssh/ca/ca-bundle.crt
+
+# A directory with certificates of certificate signers.
+# The certificates should have name of the form: [HASH].[NUMBER]
+# or have symbolic links to them of this form.
+#CACertificatePath /etc/ssh/ca/crt
+
+# A file with multiple CRL of certificate signers
+# in PEM format concatenated together.
+#CARevocationFile /etc/ssh/ca/ca-bundle.crl
+
+# A directory with CRL of certificate signers.
+# The CRL should have name of the form: [HASH].r[NUMBER]
+# or have symbolic links to them of this form.
+#CARevocationPath /etc/ssh/ca/crl
+
+# LDAP protocol version.
+# Example:
+# CAldapVersion 2
+
+# Note because of OpenSSH options parser limitation
+# use %3D instead of = !
+# LDAP initialization may require URL to be escaped, i.e.
+# use %2C instead of ,(comma). Escaped URL don't depend from
+# LDAP initialization method.
+# Example:
+# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom
+
+# SSH can use "Online Certificate Status Protocol"(OCSP)
+# to validate certificate. Set VAType to
+# - none : do not use OCSP to validate certificates;
+# - ocspcert: validate only certificates that specify `OCSP
+# Service Locator' URL;
+# - ocspspec: use specified in the configuration 'OCSP Responder'
+# to validate all certificates.
+#VAType none
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/misc/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# allow the use of the none cipher
+#NoneEnabled no
+
+# disable hpn performance boosts.
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
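Review bot: The new file sets `PasswordAuthentication no` and `UsePAM yes` but leaves `#ChallengeResponseAuthentication yes` at its default, and the file's own comment block above `UsePAM yes` says PAM authentication is still allowed through ChallengeResponseAuthentication in that case. So keyboard-interactive password prompts via PAM remain available and the intent stated under `# To disable tunneled clear text passwords` is not actually achieved; `ChallengeResponseAuthentication no` is needed alongside `PasswordAuthentication no`. Separately, `X11Forwarding yes` is enabled for all users in a server-wide template; the sshd_config(5) text on that option warns it can expose forwarding clients to attack, so consider `X11Forwarding no` here and enabling it per user in a `Match` block where required.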
-# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# allow the use of the none cipher
+#NoneEnabled no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
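Review bot: The HPN block added after `Subsystem sftp` includes `#NoneEnabled no` with only the comment `# allow the use of the none cipher`, which does not say what the setting does to the connection. The none cipher sends session data unencrypted after authentication, so the comment should make the tradeoff explicit: `# allow the use of the none cipher (session data is sent unencrypted; keep 'no' unless the link is otherwise protected)`. These keywords are only understood by an HPN-patched sshd; presumably this package applies that patch, but an unpatched build would reject them as unknown options if uncommented.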
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit allow-arp
-or other application using the libvirt API.
--->
-
-<filter name='allow-arp' chain='arp' priority='-500'>
- <uuid>cba5ee05-dfa7-4a27-9c3d-4e18bf826170</uuid>
- <rule action='accept' direction='inout' priority='500'/>
+<filter name='allow-arp' chain='arp'>
+ <rule direction='inout' action='accept'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit allow-dhcp-server
-or other application using the libvirt API.
--->
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
-<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
- <uuid>7c952b52-7cc4-4f0b-8703-7ce4b08e7025</uuid>
- <rule action='accept' direction='out' priority='100'>
- <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
- </rule>
- <rule action='accept' direction='in' priority='100'>
- <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
- </rule>
</filter>
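Review bot: The comment on the new side, `parameter DHPCSERVER needs to be passed from where this filter is referenced`, misspells the variable the rule actually reads (`$DHCPSERVER`), and since this is the only documentation of the required parameter, a user copying that name will get a filter that either fails to instantiate or never matches the intended server. Change it to `parameter DHCPSERVER needs to be passed from where this filter is referenced`. The rules themselves are unchanged apart from the dropped explicit filter priority and uuid.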
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit allow-dhcp
-or other application using the libvirt API.
--->
+<filter name='allow-dhcp' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- not, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
-<filter name='allow-dhcp' chain='ipv4' priority='-700'>
- <uuid>5462a023-54da-4611-b98e-96aa600c451b</uuid>
- <rule action='accept' direction='out' priority='100'>
- <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
- </rule>
- <rule action='accept' direction='in' priority='100'>
- <ip protocol='udp' srcportstart='67' dstportstart='68'/>
- </rule>
</filter>
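Review bot: The incoming rule in the new `allow-dhcp` body accepts UDP 67->68 from any source, and the comment says so, but nothing warns the reader that this admits rogue DHCP servers on the bridge, which is the usual reason to prefer `allow-dhcp-server` with `$DHCPSERVER`. A one-line comment such as `<!-- prefer allow-dhcp-server with DHCPSERVER set where the server address is known -->` would steer users. Also `<!-- not, this rule must be evaluated ...` should read `note,` as in the sibling filter.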
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit allow-incoming-ipv4
-or other application using the libvirt API.
--->
-
-<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
- <uuid>8cd418be-ad3b-4ac0-87e8-5a49029d4a72</uuid>
- <rule action='accept' direction='in' priority='500'/>
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+ <rule direction='in' action='accept'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit allow-ipv4
-or other application using the libvirt API.
--->
-
-<filter name='allow-ipv4' chain='ipv4' priority='-700'>
- <uuid>4ec48445-d431-4917-b632-4fbaa50e1707</uuid>
- <rule action='accept' direction='inout' priority='500'/>
+<filter name='allow-ipv4' chain='ipv4'>
+ <rule direction='inout' action='accept'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit clean-traffic
-or other application using the libvirt API.
--->
-
<filter name='clean-traffic' chain='root'>
- <uuid>65aedbee-e026-4f03-ad32-9d5b8364898b</uuid>
- <filterref filter='no-mac-spoofing'/>
- <filterref filter='no-ip-spoofing'/>
- <rule action='accept' direction='out' priority='-650'>
- <mac protocolid='ipv4'/>
- </rule>
- <filterref filter='allow-incoming-ipv4'/>
- <filterref filter='no-arp-spoofing'/>
- <rule action='accept' direction='inout' priority='-500'>
- <mac protocolid='arp'/>
- </rule>
- <filterref filter='no-other-l2-traffic'/>
- <filterref filter='qemu-announce-self'/>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing'/>
+
+ <rule direction='out' action='accept' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing'/>
+
+ <!-- accept all other incoming and outgoing ARP traffic -->
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-arp-ip-spoofing
-or other application using the libvirt API.
--->
-
<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
- <uuid>473cb31d-d866-4693-9a65-4ae26d4a5940</uuid>
- <rule action='return' direction='out' priority='400'>
- <arp arpsrcipaddr='$IP'/>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
</rule>
- <rule action='drop' direction='out' priority='1000'/>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-arp-mac-spoofing
-or other application using the libvirt API.
--->
-
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
- <uuid>86ef4129-25df-4c34-968f-140e25c72bfb</uuid>
- <rule action='return' direction='out' priority='350'>
- <arp arpsrcmacaddr='$MAC'/>
- </rule>
- <rule action='drop' direction='out' priority='1000'/>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-arp-spoofing
-or other application using the libvirt API.
--->
-
<filter name='no-arp-spoofing' chain='root'>
- <uuid>58266155-6808-481d-a9d2-483912c8847d</uuid>
<filterref filter='no-arp-mac-spoofing'/>
<filterref filter='no-arp-ip-spoofing'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-ip-multicast
-or other application using the libvirt API.
--->
+<filter name='no-ip-multicast' chain='ipv4'>
-<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
- <uuid>c5f9e818-0c58-4890-9306-2c74e426f128</uuid>
- <rule action='drop' direction='out' priority='500'>
- <ip dstipaddr='224.0.0.0' dstipmask='4'/>
- </rule>
+ <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+ <rule action='drop' direction='out'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-ip-spoofing
-or other application using the libvirt API.
--->
-
<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
- <uuid>5b48767b-c7a2-4542-af68-33e1f52da2f3</uuid>
+ <!-- allow UDP sent from 0.0.0.0 (DHCP); filter more exact later -->
<rule action='return' direction='out' priority='100'>
<ip srcipaddr='0.0.0.0' protocol='udp'/>
</rule>
- <rule action='return' direction='out' priority='500'>
+
+ <!-- allow all known IP addresses -->
+ <rule direction='out' action='return' priority='500'>
<ip srcipaddr='$IP'/>
</rule>
- <rule action='drop' direction='out' priority='1000'/>
+
+ <!-- drop everything else -->
+ <rule direction='out' action='drop' priority='1000'/>
</filter>
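Review bot: The added comment `allow UDP sent from 0.0.0.0 (DHCP); filter more exact later` promises a later, tighter check, but within this filter the next rule is the `$IP` return and then the unconditional drop, and `clean-traffic` in this same diff accepts all remaining outgoing IPv4 at priority -650, so no later rule visibly narrows it (another referenced filter could, but that is not shown here). Any UDP datagram with source 0.0.0.0 therefore passes the anti-spoofing chain regardless of port. If that is acceptable, reword the comment to say so; otherwise restrict the exception to the DHCP ports: `<ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>`.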
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-mac-broadcast
-or other application using the libvirt API.
--->
+<filter name='no-mac-broadcast' chain='ipv4'>
+ <!-- drop if destination mac is bcast mac addr. -->
+ <rule action='drop' direction='out'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+ </rule>
-<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
- <uuid>e13e3fdf-cf39-493b-8fef-63fd732e5e88</uuid>
- <rule action='drop' direction='out' priority='500'>
- <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
- </rule>
+ <!-- not doing anything with receiving side ... -->
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-mac-spoofing
-or other application using the libvirt API.
--->
-
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
- <uuid>ac0d6631-ea39-4ee9-8004-552ae50ba8ab</uuid>
- <rule action='return' direction='out' priority='500'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
<mac srcmacaddr='$MAC'/>
</rule>
- <rule action='drop' direction='out' priority='500'>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
<mac/>
</rule>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-other-l2-traffic
-or other application using the libvirt API.
--->
+<filter name='no-other-l2-traffic'>
+
+ <!-- drop all other l2 traffic than for which rules have been
+ written for; i.e., drop all other than arp and ipv4 traffic -->
+ <rule action='drop' direction='inout' priority='1000'/>
-<filter name='no-other-l2-traffic' chain='root'>
- <uuid>c831aa08-e503-4b2a-a6f7-84647ec9a9c6</uuid>
- <rule action='drop' direction='inout' priority='1000'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit no-other-rarp-traffic
-or other application using the libvirt API.
--->
-
-<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
- <uuid>15155842-ed37-46e4-8bda-8e0017ea65f2</uuid>
- <rule action='drop' direction='inout' priority='1000'/>
+<filter name='no-other-rarp-traffic' chain='rarp'>
+ <rule action='drop' direction='inout' priority='1000'/>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit qemu-announce-self-rarp
-or other application using the libvirt API.
--->
-
-<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
- <uuid>e24f3768-5db4-418e-a0ed-6f8e8bae55ff</uuid>
+<filter name='qemu-announce-self-rarp' chain='rarp'>
<rule action='accept' direction='out' priority='500'>
- <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ <rarp opcode='Request_Reverse'
+ srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
<rule action='accept' direction='in' priority='500'>
- <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ <rarp opcode='Request_Reverse'
+ dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
</rule>
</filter>
-<!--
-WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
-OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
- virsh nwfilter-edit qemu-announce-self
-or other application using the libvirt API.
--->
-
<filter name='qemu-announce-self' chain='root'>
- <uuid>247832ba-d1ba-4cd7-8988-2d5e51575c88</uuid>
- <rule action='accept' direction='out' priority='500'>
- <mac protocolid='0x835'/>
- </rule>
- <filterref filter='qemu-announce-self-rarp'/>
- <filterref filter='no-other-rarp-traffic'/>
+ <!-- as of 4/26/2010 qemu sends out a bogus packet with
+ wrong rarp protocol ID -->
+ <!-- accept what is being sent now -->
+ <rule action='accept' direction='out'>
+ <mac protocolid='0x835'/>
+ </rule>
+
+ <!-- accept if it was changed to rarp -->
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+
</filter>
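Review bot: The new body of `qemu-announce-self` accepts every outgoing frame with ethertype `0x835` on the strength of a comment dated 4/26/2010 about a qemu bug, and that exception lets a guest send frames of that ethertype with arbitrary payload past `no-other-l2-traffic` and the RARP field checks. Whether current qemu still emits the malformed announce cannot be confirmed from here; if it has been fixed, the rule can be dropped and `qemu-announce-self-rarp` alone covers the announce. If it must stay, record that in the comment with the qemu version it was verified against, e.g. `<!-- still needed as of qemu X.Y; remove once the announce uses ethertype 0x8035 -->`.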
-# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# allow the use of the none cipher
+#NoneEnabled no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no