java8以上ならOK
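# Java 8 or newer is required. `command -v` replaces which(1): it is a shell
# builtin, so it is always available and reliably exits non-zero when the
# program is missing.
command -v java || echo "java not found in PATH" >&2
java -version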
# stunnel インストールのため http://wiki.omniosce.org/Packaging.html 欲しいのがあったらこれ追加して探す
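# Register the OmniOS community (SFE) publisher so stunnel can be installed
# (see http://wiki.omniosce.org/Packaging.html for other repositories).
# NOTE(review): the origin is plain http://, so the transport itself is
# unauthenticated. Whether packages from it are verified depends on the
# publisher's signature-policy (shown by `pkg publisher`); confirm that before
# relying on it, and prefer an https origin if the mirror offers one.
# The steps are chained so a failed publisher registration does not fall
# through to a catalog refresh/update against the old publisher set.
sudo pkg set-publisher -g http://sfe.opencsw.org/localhostomnios localhostomnios \
  && sudo pkg refresh --full \
  && sudo pkg update -v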
# letsencryptのインストール pypaからインストールと探したらあったので直接叩いた方が良いと判断
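# Install pip for the system python3, then the ACME client.
command -v python3 || echo "python3 not found in PATH" >&2
# get-pip.py is fetched over HTTPS but then executed as root without any
# further check. The download is chained to the execution so a failed or
# partial download is never run; inspect the file (or compare its checksum
# against the one pypa publishes) between the two steps if you want more
# assurance than TLS alone.
wget https://bootstrap.pypa.io/get-pip.py && sudo python3 get-pip.py
# NOTE(review): "letsencrypt" on PyPI appears to be the legacy name of certbot
# (a shim that pulls certbot in). Installing into the system site-packages with
# `sudo pip` can also overwrite files owned by pkg(5); `pip3 install --user`
# or a venv avoids that. Kept as-is here.
sudo pip3 install letsencrypt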
後はいつも通り（letsencrypt/certbot で sn2.tamami-foundation.org の証明書を取得し、/etc/letsencrypt/live/<ホスト名>/ に fullchain.pem と privkey.pem がある状態にする。HTTP-01 チャレンジを使うなら 80 番の受信を開けておく）
# stunnel
# Write the stunnel configuration shown below (two TLS front-ends, one per
# plaintext service). vi runs as root because the file lives under /etc.
sudo vi /etc/stunnel/stunnel.conf
# Service "nis": TLS front-end on 7891 for the plaintext listener on 7890.
# With no host given, "connect = 7890" means 127.0.0.1:7890 (presumably the
# NEM NIS API port -- confirm against the node's own configuration).
[nis]
# 0.0.0.0 binds every IPv4 address on the host; narrow this to the public
# address if the machine has more than one.
accept = 0.0.0.0:7891
connect = 7890
# The Let's Encrypt "live" paths are symlinks to the current certificate.
# stunnel reads them at start-up, so after a renewal it must be restarted (or
# sent SIGHUP) to serve the new certificate -- verify for the installed version.
# NOTE(review): there is no setuid/setgid/chroot in this file, so stunnel keeps
# the root privileges it is started with (it is launched via sudo below).
cert = /etc/letsencrypt/live/sn2.tamami-foundation.org/fullchain.pem
key = /etc/letsencrypt/live/sn2.tamami-foundation.org/privkey.pem
# Service "websocket": TLS front-end on 7779 for the plaintext listener on 7778
# (127.0.0.1:7778, same host-less "connect" form as above).
[websocket]
accept = 0.0.0.0:7779
connect = 7778
cert = /etc/letsencrypt/live/sn2.tamami-foundation.org/fullchain.pem
key = /etc/letsencrypt/live/sn2.tamami-foundation.org/privkey.pem
# Start stunnel as root with the config above; by default it detaches into the
# background. Nothing restarts it after a reboot or a certificate renewal, and
# the config has no setuid/setgid, so it stays root after binding the ports.
sudo stunnel /etc/stunnel/stunnel.conf
※再起動の度、手動で起動が必要。また stunnel は起動時に証明書を読み込むので、Let's Encrypt の更新後も再起動（または SIGHUP）が必要。SMFサービスに入れると良いかもしれない。が面倒
# ipfileterの設定 http://hiromasaya.web.fc2.com/Solaris10/ipfilter.html より
{I/F}は外部インターフェース名。netstat -u（illumos なら netstat -i や ipadm show-addr でも可）で出し、自分のIPアドレスが書いてあるものを選択して、以下の {I/F} をすべてその名前に置き換える
# Write the ipfilter rule set shown below (between the #### markers), with
# every {I/F} replaced by the external interface name found above.
sudo vi /etc/ipf/ipf.conf
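####
# Loopback: stunnel forwards to 127.0.0.1:7890/7778, so lo0 must stay open.
pass out quick on lo0
pass in quick on lo0
# Anti-spoofing. These must come BEFORE the "pass in quick" rules: "quick"
# stops at the first match, so placed after them (as in the original) these
# blocks never saw a packet aimed at an allowed port.
# NOTE(review): if this host itself has an RFC1918 address (behind NAT),
# legitimate LAN clients are dropped here -- narrow or remove as needed.
block in log quick on {I/F} from 0.0.0.0/32 to any
block in log quick on {I/F} from 127.0.0.0/8 to any
block in log quick on {I/F} from 10.0.0.0/8 to any
block in log quick on {I/F} from 169.254.0.0/16 to any
block in log quick on {I/F} from 172.16.0.0/12 to any
block in log quick on {I/F} from 192.168.0.0/16 to any
# Source-routed / malformed packets, likewise ahead of any pass rule.
block in log quick on {I/F} all with opt lsrr
block in log quick on {I/F} all with opt ssrr
block in log quick from any to any with ipopts
block in log quick on {I/F} proto tcp all with short
# Outbound: DNS, HTTP/HTTPS (pkg, pip, ACME) and the two peer ports.
pass out quick on {I/F} proto udp from any to any port = 53 keep state
pass out quick on {I/F} proto tcp/udp from any to any port = 80 keep state
pass out quick on {I/F} proto tcp/udp from any to any port = 443 keep state
pass out quick on {I/F} proto tcp/udp from any to any port = 7890 keep state
pass out quick on {I/F} proto tcp/udp from any to any port = 7778 keep state
# Everything else outbound is dropped and logged. Note this includes NTP (123)
# and outbound SSH -- add pass rules above if those are needed.
block out log quick on {I/F} proto tcp/udp all
block out log quick on {I/F} proto icmp all
# Inbound.
pass in quick on {I/F} proto icmp from any to any keep state
# DNS replies are deliberately NOT opened here: the "keep state" on the
# outbound port-53 rule already admits the matching reply. The original
#   pass in quick on {I/F} proto udp from any port = 53 to any keep state
# matched on SOURCE port only, so any host could reach any UDP port on this
# machine simply by sending from port 53.
pass in quick on {I/F} proto tcp/udp from any to any port = 80 keep state
pass in quick on {I/F} proto tcp/udp from any to any port = 443 keep state
# 7890/7778 are the plaintext listeners that stunnel fronts on 7891/7779.
# Keep them only if peers really do connect without TLS; otherwise drop these
# two lines so the plaintext ports are reachable through lo0 (stunnel) only.
pass in quick on {I/F} proto tcp/udp from any to any port = 7890 keep state
pass in quick on {I/F} proto tcp/udp from any to any port = 7891 keep state
pass in quick on {I/F} proto tcp/udp from any to any port = 7778 keep state
pass in quick on {I/F} proto tcp/udp from any to any port = 7779 keep state
# Default deny, logged.
block out log on {I/F} all
block in log on {I/F} all
####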
# ipfilterの設定反映
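# Load the rule set. The original flushed the active rules (ipf -Fa) and only
# then loaded the file: ipfilter passes everything when its list is empty, so
# that leaves a window with no filtering, and a syntax error in the file would
# leave the host open. ipf processes its options in order, so loading into the
# inactive list (-I) and swapping (-s) activates the new set atomically and
# only if it parsed cleanly.
sudo ipf -I -Fa -f /etc/ipf/ipf.conf && sudo ipf -s
# NOTE(review): for persistence across reboots on illumos the network/ipfilter
# SMF service loads /etc/ipf/ipf.conf at boot (`svcadm enable network/ipfilter`)
# -- verify on this OmniOS release.
# stunnel is started here again (presumably this is the post-reboot sequence);
# if an instance is already running from the step above, this second one will
# not be able to bind 7891/7779.
sudo stunnel /etc/stunnel/stunnel.conf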