| ICMP ping notes | 2026/04/03 23:01 | Jean-Baptiste |
Firewire IEEE 1394
Draft
Canon HDV LEGRIA HV40
See
- Kdenlive
#!/bin/bash
#
# 2013-01-23
#
# This script allows the video/audio streaming of the Canon Legria HV40
# connected via 1394/firewire on an Alienware Mx11R3
# It can be started on a Ubuntu Precise Live System
#
# Dependencies: vlc dvgrab
#
# Point apt at the Precise repositories (the live system ships with none enabled)
sudo bash -c "echo '
deb http://archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
' > /etc/apt/sources.list"
sudo apt-get update
sudo apt-get install -y dvgrab vlc ffmpeg libavcodec-extra-53 htop openssh-server
# Grab the HDV stream from the camera on stdout and let VLC transcode it
# (Theora/MP3 in an Ogg container) and serve it over HTTP on port 8080.
# The sout chain must not contain spaces between its modules.
dvgrab -autosplit -frames 0 -size 0 -format hdv -buffers 1000 - | \
  cvlc - --no-sub-autodetect-file \
    --sout '#transcode{vcodec=theo,vb=800,scale=0.25,acodec=mp3,ab=128,channels=2,samplerate=44100}:http{mux=ogg,dst=:8080/}'
Firewall iptables ICMP
http://www.oregontechsupport.com/articles/icmp.txt
Basic iptables commands
Default rules
/etc/sysctl.conf
kernel.panic=3
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
net.netfilter.nf_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
net.ipv4.netfilter.ip_conntrack_udp_timeout=60
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
# net.ipv6.conf.all.forwarding=1
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

### JIBE
# ??
net.netfilter.nf_conntrack_acct=1
# Enable IP spoofing protection, turn on Source Address Verification
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
net.ipv4.conf.all.rp_filter=1
# Don't send ICMP redirect messages
net.ipv4.conf.all.send_redirects=0
# Don't accept ICMP redirect messages
net.ipv4.conf.all.accept_redirects=0
# How many times to retry before killing TCP connection, closed by our side.
# Default value 7 corresponds to 50sec-16min depending on RTO.
# If your machine is a loaded WEB server, you should think about lowering this value,
# such sockets may consume significant resources. Cf. tcp_max_orphans.
net.ipv4.tcp_orphan_retries=0
# A boolean flag controlling the behaviour under lots of incoming connections.
# When enabled, this causes the kernel to actively send RST packets when a service is overloaded.
net.ipv4.tcp_abort_on_overflow=0
# if true: may give a way to route a packet through a firewall to an unreachable IP
# by specifying that IP in the route
net.ipv4.conf.all.accept_source_route=0
# If set, the TCP stack behaves conforming to RFC1337.
# If unset (the default), we are not conforming to RFC, but prevent TCP TIME-WAIT assassination.
net.ipv4.tcp_rfc1337=0
# Limit the maximal rates for sending ICMP packets whose type matches
# icmp_ratemask (see below) to specific targets.
# 0 to disable any limiting, otherwise the maximal rate in jiffies(1)
net.ipv4.icmp_ratelimit=20
# https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings
net.ipv4.icmp_ratemask = 88089
# This allows reusing sockets in TIME_WAIT state for new connections when it is safe
# from protocol viewpoint. Default value is 0 (disabled). It is generally a safer
# alternative to tcp_tw_recycle.
# It should not be changed without advice/request of technical experts. (default =0)
net.ipv4.tcp_tw_reuse=0
# http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tprf_tunelinux.html
# This determines the number of probes before timing out. (default: 9, recommended 5)
net.ipv4.tcp_keepalive_probes=5
# This determines the wait time between isAlive interval probes
# (default: 75 seconds, recommended: 15-30 seconds)
net.ipv4.tcp_keepalive_intvl=15
# http://www.symantec.com/connect/articles/linux-firewall-related-proc-entries
# Honor ICMP redirects only when they come from a router that is currently set up as a
# default gateway. Should only be enabled if you have multiple routers on your network.
# If your network is fairly static and stable, it's better to leave this disabled.
net.ipv4.conf.all.secure_redirects=0
# Reply to ARP requests if we have a route to the host in question. This may be necessary
# in some firewall or VPN/router setups, but is generally a bad idea on hosts.
net.ipv4.conf.all.proxy_arp=0
####
# Same settings repeated for "default" (applies to interfaces created later) and for
# each existing interface, since "all" does not override an interface's own value for
# every key. Note: interface names containing a dot (eth0.0, eth0.1, mon.wlan0) are
# ambiguous in sysctl's dotted notation; recent sysctl and systemd-sysctl accept a
# slash in place of that dot (e.g. net.ipv4.conf.eth0/0.rp_filter).
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.proxy_arp=0
net.ipv4.conf.lo.rp_filter=1
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.lo.secure_redirects=0
net.ipv4.conf.lo.proxy_arp=0
net.ipv4.conf.eth0.rp_filter=1
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.eth0.secure_redirects=0
net.ipv4.conf.eth0.proxy_arp=0
net.ipv4.conf.eth0.0.rp_filter=1
net.ipv4.conf.eth0.0.send_redirects=0
net.ipv4.conf.eth0.0.accept_redirects=0
net.ipv4.conf.eth0.0.accept_source_route=0
net.ipv4.conf.eth0.0.secure_redirects=0
net.ipv4.conf.eth0.0.proxy_arp=0
net.ipv4.conf.eth0.1.rp_filter=1
net.ipv4.conf.eth0.1.send_redirects=0
net.ipv4.conf.eth0.1.accept_redirects=0
net.ipv4.conf.eth0.1.accept_source_route=0
net.ipv4.conf.eth0.1.secure_redirects=0
net.ipv4.conf.eth0.1.proxy_arp=0
net.ipv4.conf.wlan0.rp_filter=1
net.ipv4.conf.wlan0.send_redirects=0
net.ipv4.conf.wlan0.accept_redirects=0
net.ipv4.conf.wlan0.accept_source_route=0
net.ipv4.conf.wlan0.secure_redirects=0
net.ipv4.conf.wlan0.proxy_arp=0
net.ipv4.conf.mon.wlan0.rp_filter=1
net.ipv4.conf.mon.wlan0.send_redirects=0
net.ipv4.conf.mon.wlan0.accept_redirects=0
net.ipv4.conf.mon.wlan0.accept_source_route=0
net.ipv4.conf.mon.wlan0.secure_redirects=0
net.ipv4.conf.mon.wlan0.proxy_arp=0
####
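An added example, not part of the original notes: a small audit script that reads a sysctl.conf-style file and reports every key from the hardening set above that is missing or weakened (the sample file it checks is constructed, and the list of expected keys is an assumption drawn from the configuration above).

```shell
#!/bin/bash
# Added example, not from the original notes: audit a sysctl.conf-style file
# against the hardening values above ("key=value" or "key = value", comments
# ignored, last occurrence of a key wins, as with sysctl -p).
# Expected values (a subset of the keys from the sysctl.conf above).
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1'
# sysctl_value FILE KEY -> effective value of KEY in FILE (empty if absent)
sysctl_value() {
    sed -e 's/#.*//' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        tail -n 1
}
# audit_sysctl FILE -> one line per missing or weakened key, nothing when compliant
audit_sysctl() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        got=$(sysctl_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (want $want)"
        fi
    done
}
# deviation_count FILE -> number of findings (0 means compliant)
deviation_count() { audit_sysctl "$1" | wc -l | tr -d ' '; }
# make_sample -> constructed sysctl fragment in a temp file (prints its path):
# rp_filter weakened to 0 and tcp_syncookies missing, so two findings are expected.
make_sample() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed test fragment
net.ipv4.conf.all.rp_filter = 0   # weakened
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
EOF
    echo "$f"
}
SAMPLE=$(make_sample)
audit_sysctl "$SAMPLE"
echo "deviations: $(deviation_count "$SAMPLE")"
```

Run it against /etc/sysctl.conf (or a file from /etc/sysctl.d) to spot drift; to compare against the live kernel instead, feed it the output of `sysctl -a` redirected to a file.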
Firewall nftables iptables shorewall firewalld firewall-cmd ufw ipset
Common
See:
See also:
- opnsense.org
- VyOS
iptables
Note: iptables has now been replaced by nftables
Persistent
apt-get install iptables-persistent
iptables-save -t filter > /etc/iptables/rules.v4
ip6tables-save -t filter > /etc/iptables/rules.v6
shorewall
firewalld / firewall-cmd
ufw
!!! Docker bypasses ufw by creating its own iptables rules !!!
apt-get install ufw
ufw allow ssh
ufw allow 7000/tcp
ufw allow http
ufw allow https
ufw allow 143/tcp
ufw allow 993/tcp
ufw allow 25/tcp
ufw allow 465/tcp
ufw default allow outgoing
ufw default deny incoming
ufw enable
rules and default policy
ufw status verbose
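An added example, not part of the original notes: a check that parses the text of `ufw status verbose` and flags any incoming default other than deny and any "ALLOW IN" rule for a port outside the set opened above (the status output it parses is a constructed sample, and the allow-list is an assumption taken from the ufw commands above).

```shell
#!/bin/bash
# Added example, not from the original notes: audit the text printed by
# "ufw status verbose" against the rule set above. Findings: an incoming
# default other than deny, and any "ALLOW IN" rule for a port not on the list.
# Ports the ufw commands above open (ufw prints ssh/http/https as numbers).
ALLOWED_PORTS="22/tcp 7000/tcp 80/tcp 443/tcp 143/tcp 993/tcp 25/tcp 465/tcp"
# Constructed sample output, with one extra rule (3306/tcp) that the
# rule set above does not open.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
7000/tcp                   ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
# is_allowed PORT -> succeeds when PORT is on the allow-list
is_allowed() {
    case " $ALLOWED_PORTS " in *" $1 "*) return 0 ;; esac
    return 1
}
# audit_ufw_status -> reads status text on stdin, prints one line per finding
audit_ufw_status() {
    while IFS= read -r line; do
        case "$line" in
            "Default: deny (incoming)"*) ;;
            "Default: "*) echo "POLICY     incoming default is not deny: $line" ;;
            *" ALLOW IN "*)
                to=${line%% *}   # first column, e.g. "22/tcp" (the "(v6)" suffix is dropped)
                is_allowed "$to" || echo "UNEXPECTED $to is allowed in" ;;
        esac
    done
}
# finding_count -> number of findings for the constructed sample
finding_count() { printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status | wc -l | tr -d ' '; }
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status
echo "findings: $(finding_count)"
```

On a real host, pipe `ufw status verbose` into `audit_ufw_status` instead of the sample; rules Docker inserts directly into iptables will not appear here, which is exactly the gap the warning above describes.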
ipset
To be completed
Firefox notes: sudo with a dedicated account
Why not create as many UIDs as there are applications (as Android does)? In any case, for security reasons it makes sense to isolate applications that are sensitive or particularly exposed.
We can choose between:
- a dedicated uid / user
- a chroot
- a VM
Here we chose the first option.
https://calum.org/posts/running-firefox-as-another-user-using-sudo
# Let web1 reach the calling user's runtime directory and PulseAudio socket
chgrp web1 /run/user/$(id -u)
chmod 750 /run/user/$(id -u)
chgrp web1 -R /run/user/$(id -u)/pulse
chmod -R 770 /run/user/$(id -u)/pulse
# "local:" opens the X server to every local connection; the per-user form is
# "xhost +si:localuser:web1"
xhost local:web1
sudo -H -u web1 /bin/bash /home/web1/bin/ff.sh
For the Téléchargements (Downloads) folder see partage_dossier_acl_umask
sudoers
User_Alias X_USERS = jean
Defaults:X_USERS env_reset
Defaults:X_USERS env_keep += DISPLAY
Defaults:X_USERS env_keep += XAUTHORITY
jean ALL=(web1) NOPASSWD: /bin/bash /home/web1/bin/ff.sh
/home/web1/bin/ff.sh
#! /bin/bash
umask 007
/usr/bin/iceweasel
iceweasel.desktop
#!/usr/bin/env xdg-open
[Desktop Entry]
Encoding=UTF-8
Name=Iceweasel1
Comment=PlayOnLinux
Type=Application
#Exec=bash -c "chgrp web1 /run/user/1001 ; chmod 750 /run/user/1001; chgrp web1 -R /run/user/1001/pulse ; chmod -R 770 /run/user/1001/pulse ; xhost local:web1 ; sudo -H -u web1 /bin/bash /home/web1/bin/ff.sh"
Exec=bash -c "xhost local:web1 ; sudo -H -u web1 /bin/bash /home/web1/bin/ff.sh"
Icon=/usr/share/icons/hicolor/48x48/apps/iceweasel.png
Name[fr_FR]=Iceweasel1
Categories=
Terminal=false
Icon[fr_FR]=/usr/share/icons/hicolor/48x48/apps/iceweasel.png
Comment[fr_FR]=PlayOnLinux
Enabling sound (PulseAudio)
http://billauer.co.il/blog/2014/01/pa-multiple-users/
In the standard user's session
cp /etc/pulse/default.pa ~/.pulse/
# auth-anonymous=1: any local user who can reach the socket may use this sound server,
# so the socket's permissions are the only access control left
echo "load-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/my-pulse-socket-name" >> ~/.pulse/default.pa
In the dedicated session (web1 in our example)
~/.config/pulse/client.conf
default-server = unix:/tmp/my-pulse-socket-name
Sharing the Téléchargements (Downloads) folder between the two users
/etc/fstab
/home/jean/Téléchargements /home/web1/Téléchargements none bind,nodev,nosuid,noexec,acl 0 0
Add jean to the web1 group
adduser jean web1
web1's Téléchargements will point to jean's Téléchargements folder
mount /home/web1/Téléchargements
web1 is the group owner of the files (a group that both jean and web1 belong to)
chgrp -R web1 /home/web1/Téléchargements
rwX permissions for the web1 group
chmod -R g+rwX /home/web1/Téléchargements
New files created in Téléchargements will get the group web1
chmod g+s /home/web1/Téléchargements
New files created in Téléchargements will be rwX (for the web1 group)
setfacl -R -d -m g::rwX /home/web1/Téléchargements
Handy Firefox add-ons
Handy Firefox add-ons
https://support.mozilla.org/en-US/kb/containers
http://controledescripts.mozdev.org/
Privacy Badger https://www.eff.org/privacybadger
https://adblockplus.org/fr/ ou uBlock Origin
Monitor changes to a web page http://www.numerama.com/magazine/32941-comment-surveiller-les-modifications-sur-une-page-web.html
Random Agent Spoofer
Grammar checker Grammalecte [fr] https://addons.mozilla.org/fr/firefox/addon/grammalecte-fr/
https://addons.mozilla.org/fr/firefox/addon/multi-account-containers/
DuckDuckGo Privacy Essentials
COOKIE EDITOR
Others
Handy Greasemonkey scripts
See:
- TamperMonkey
https://fr.wikipedia.org/wiki/Greasemonkey http://www.greasespot.net/ http://scriptish.org/
Videos Image Link http://userscripts-mirror.org/scripts/source/84291.user.js
ViewTube http://isebaro.com/viewtube/?ln=en
Linterna Mágica
Firefox / Iceweasel extensions
- Adblock
- Firebug
- Web Developer
- DownThemAll
- GreaseMonkey / Scriptish: ViewTube http://isebaro.com/viewtube/?ln=fr
- RequestPolicy
- NoScript
- Certificate Patrol
- Controle de Scripts
- Disconnect
- Lightbeam
- RefControl
- CheckMyHTTPS | Certificate Pinner
- ClearURLs
Search engines
- youtube
- dailymotion
- pagesjaunes
- duckduckgoHTML
- ixquickHTTPS
- yandex
- debianPackage
- commons.wikimedia.org
