diff --git a/home/.config/doom/config.el b/home/.config/doom/config.el index 3143b49..98297c1 100644 --- a/home/.config/doom/config.el +++ b/home/.config/doom/config.el @@ -363,6 +363,8 @@ :after eshell :hook (eshell-banner-load . eshell-info-banner-update-banner)) +;; (buffer-expose-mode 1) + ;; Here are some additional functions/macros that could help you configure Doom: ;; ;; - `load!' for loading external *.el files relative to this one diff --git a/home/.config/doom/packages.el b/home/.config/doom/packages.el index 95e63a2..a8134e9 100644 --- a/home/.config/doom/packages.el +++ b/home/.config/doom/packages.el @@ -71,6 +71,7 @@ (package! eshell-info-banner :recipe (:host github :repo "Phundrak/eshell-info-banner.el")) (package! org-tree-slide) +;;(package! buffer-expose) ;;(package! gemini-mode) ;;(package! page-break-lines) ;;(package! vlf) diff --git a/setup/zkc.sh b/setup/zkc.sh new file mode 100755 index 0000000..3aecc7f --- /dev/null +++ b/setup/zkc.sh @@ -0,0 +1,9 @@ +#!/bin/sh -e + +# You need sqlite-devel +git clone https://git.sr.ht/~fancycade/zkc +cd zkc +meson build --prefix=$HOME/.local +ninja -C build install + +cd .. diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf index d426cbe..455bede 100644 --- a/system/etc/nftables.conf +++ b/system/etc/nftables.conf @@ -1,11 +1,15 @@ #!/sbin/nft -f -# References +# References: +# https://wiki.nftables.org/wiki-nftables/index.php/Main_Page # https://wiki.gentoo.org/wiki/Nftables/Examples # https://wiki.archlinux.org/title/Nftables # https://github.com/krabelize/nftables-firewall-config/blob/master/nftables.conf # https://github.com/atweiden/archvault/blob/master/resources/etc/nftables.conf +# Libvirt: +# https://libvirt.org/firewall.html + flush ruleset # TCP ports to accept (both IPv4 and IPv6) @@ -15,17 +19,42 @@ flush ruleset #define ACCEPT_UDP_PORTS = {} table inet filter { + chain libvirt_input { + iifname "virbr0" udp dport 53 counter accept + iifname "virbr0" tcp dport 53 counter accept + iifname "virbr0" udp dport 67 counter accept + iifname "virbr0" tcp dport 67 counter accept + } + + chain libvirt_forward { + oifname "virbr0" ip daddr 192.168.122.0/24 ct state { established, related } counter accept + iifname "virbr0" ip saddr 192.168.122.0/24 counter accept + iifname "virbr0" oifname "virbr0" counter accept + oifname "virbr0" counter reject with icmpx type port-unreachable + iifname "virbr0" counter reject with icmpx type port-unreachable + } + + chain libvirt_postrouting { + ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade + } + # Default to drop all inbound traffic, unless they meet our criteria chain input { type filter hook input priority 0; policy drop; ct state invalid counter drop - ct state {established,related} counter accept + ct state { established, related } counter accept + ct status dnat accept iif lo accept iif != lo ip daddr 127.0.0.1/8 counter drop iif != lo ip6 daddr ::1/128 counter drop + counter jump libvirt_input + + # Reject AUTH to make it fail fast + tcp dport 113 reject with icmpx type port-unreachable + # Accept user-defined ports #tcp dport $ACCEPT_TCP_PORTS counter accept #udp dport $ACCEPT_UDP_PORTS counter accept @@ -34,9 +63,10 @@ table inet filter { #tcp dport ssh ct state new limit rate 6/minute accept # Mitigate ping floods - ip protocol icmp icmp type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop - ip6 nexthdr icmpv6 icmpv6 type {echo-reply, echo-request} limit rate over 1/second burst 4 packets drop + ip protocol icmp icmp type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop + ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request } limit rate over 1/second burst 4 packets drop + # Accept ICMPv4 ip protocol icmp icmp type { echo-reply, echo-request, @@ -47,19 +77,32 @@ table inet filter { router-solicitation } counter accept + # Accept basic ICMPv6 functionality ip6 nexthdr icmpv6 icmpv6 type { echo-reply, echo-request, destination-unreachable, - mld-listener-query, - mld-listener-reduction, - mld-listener-report, - mld2-listener-report, packet-too-big, time-exceeded, parameter-problem } counter accept + # Allow ICMPv6 SLAAC + ip6 nexthdr icmpv6 icmpv6 type { + nd-router-solicit, + nd-router-advert, + nd-neighbor-solicit, + nd-neighbor-advert, + } ip6 hoplimit 255 counter accept + + # Allow ICMPv6 multicast listener discovery on link-local + ip6 nexthdr icmpv6 icmpv6 type { + mld-listener-query, + mld-listener-report, + mld-listener-reduction, + mld2-listener-report, + } ip6 saddr fe80::/10 counter accept + counter comment "Count dropped packets" #log prefix "[nftables] Inbound Denied: " flags all counter drop } @@ -68,6 +111,16 @@ table inet filter { # Can be enabled while using VPN (for tunneling) chain forward { type filter hook forward priority 0; policy drop; + + ct state { related, established } accept + ct status dnat accept + + oif lo accept + oif != lo ip daddr 127.0.0.1/8 counter drop + oif != lo ip6 daddr ::1/128 counter drop + + counter jump libvirt_forward + counter comment "Count dropped packets" #log prefix "[nftables] Forward Denied: " flags all counter drop } @@ -76,6 +129,11 @@ table inet filter { chain output { type filter hook output priority 0; policy accept; counter comment "Count accepted packets" - #log prefix "[nftables] Outbound Accepted: " flags all counter accpet + #log prefix "[nftables] Outbound Accepted: " flags all counter accept + } + + chain postrouting { + type nat hook postrouting priority 100; policy accept; + counter jump libvirt_postrouting } }