Settings after Trisquel 8 installation

4 replies [Latest post]
znavko
Offline
Joined: 06/11/2018

Hello! I use Trisquel + LXDE + LightDM on a laptop (1.9 MHz, 8 GB RAM). After installation I set up the environment like this: I delete unnecessary packages, install the necessary ones, disable NetworkManager and create a wpa_supplicant unit for systemd, and also configure iptables, tor and icecat. numlockx switches Num Lock on automatically after boot.

# Install and delete packages
apt-get install apt-file icecat gimp audacious audacity abrowser thunar geany tor iptables openvpn filezilla evince pdftk libreoffice git numlockx
apt-get remove sylpheed pidgin xfburn xsane xscreensaver

# Remove unnecessary units from systemd
# NetworkManager saves the wifi password, so I do not use it
systemctl disable NetworkManager

# acpid reacts to events by listening on its own file. systemd does this, so I disable acpid
systemctl disable acpid
systemctl disable acpid.path
systemctl disable acpid.socket

# if you have no printers, disable cups (the print service)
systemctl disable cups

# friendly recovery mode - what's this?
systemctl disable friendly-recovery.service

# if you would like to set the clock manually, without the system connecting to a time server, disable time synchronization
systemctl disable systemd-timesyncd.service
systemctl status ureadahead.service

# not having a LAN, disable remote-fs and avahi
systemctl disable remote-fs.target
systemctl disable avahi-daemon.service

Internet through wpa_supplicant

# cat /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
ssid="homewifi"
scan_ssid=1
proto=WPA2
key_mgmt=WPA-PSK
psk=hashmyhash
}

# ifconfig wlp2s0 up
# wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# dhclient wlp2s0 &
# ping fsf.org
..it goes ok..

# cat wpa2.service
[Unit]
Description=WPA 2
Wants=network.target
After=sys-subsystem-net-devices-wlp2s0.device
Before=network.target
BindsTo=sys-subsystem-net-devices-wlp2s0.device

[Service]
Type=oneshot
RemainAfterExit=yes

ExecStart=/sbin/ifconfig wlp2s0 up
ExecStart=/sbin/wpa_supplicant -B -i wlp2s0 -c /etc/wpa_supplicant/wpa_supplicant.conf
ExecStart=/sbin/dhclient wlp2s0

[Install]
WantedBy=multi-user.target

# systemctl enable wpa2.service

Iptables configuration

nano /etc/iptables-desktop.config
cat /etc/iptables-desktop.config
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state ! --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT

iptables-restore < /etc/iptables-desktop.config

# install iptables-persistent so the firewall rules are loaded by systemd at boot
apt-get install iptables-persistent
# save the live rules to /etc/iptables/rules.v4 (Trisquel has no "service iptables save")
netfilter-persistent save
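As an added example (editor's code, not part of znavko's post), the small parser below reads an iptables-restore file of the kind shown above and reports what it actually exposes: the chain policies and every INPUT rule that a remote host can reach with a new connection (rules restricted to loopback or to ESTABLISHED,RELATED are filtered out). The sample ruleset is the one posted above, embedded as a constructed string; the second, weakened copy exists only to show the audit catching a permissive policy. One caveat the post does not mention: this file programs IPv4 only. ip6tables has its own tables with a default policy of ACCEPT, so the same rules need to be mirrored in /etc/iptables/rules.v6 for iptables-persistent to load.

```python
import shlex

# Constructed input: the desktop ruleset from the post, as iptables-restore reads it.
DESKTOP_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state ! --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

# Constructed weak variant: same rules, but INPUT falls through to ACCEPT.
OPEN_POLICY_RULESET = DESKTOP_RULESET.replace(":INPUT DROP", ":INPUT ACCEPT")


def parse_ruleset(text):
    """Parse iptables-save/-restore text into {chain: policy} and a list of (chain, argv)."""
    policies = {}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue  # table header, comment, or end of table
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":INPUT DROP [0:0]"
            policies[chain] = policy
            continue
        argv = shlex.split(line)
        if argv[0] in ("-A", "--append") and len(argv) > 2:
            rules.append((argv[1], argv[2:]))
    return policies, rules


def _opt(argv, name):
    """Value following option `name`, or None if the option is absent."""
    return argv[argv.index(name) + 1] if name in argv else None


def _accepts_new(argv):
    """True unless a state/ctstate match restricts the rule to non-NEW connections."""
    for flag in ("--state", "--ctstate"):
        if flag in argv:
            idx = argv.index(flag)
            negated = idx > 0 and argv[idx - 1] == "!"
            states = argv[idx + 1].split(",")
            return ("NEW" in states) != negated
    return True  # no state match at all: every packet can hit this rule


def exposed_input_rules(rules):
    """INPUT ACCEPT rules reachable from another host with a fresh connection."""
    exposed = []
    for chain, argv in rules:
        if chain != "INPUT" or _opt(argv, "-j") != "ACCEPT":
            continue
        if _opt(argv, "-i") == "lo":
            continue  # loopback only, not reachable from the network
        if not _accepts_new(argv):
            continue  # only replies to connections this host opened
        exposed.append(" ".join(argv))
    return exposed


def audit(text):
    """Return (findings, exposed): policy problems, and the rules an attacker can reach."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
    return findings, exposed_input_rules(rules)


if __name__ == "__main__":
    for name, text in (("desktop", DESKTOP_RULESET), ("open-policy", OPEN_POLICY_RULESET)):
        findings, exposed = audit(text)
        print(name, "findings:", findings or "none")
        print(name, "reachable INPUT rules:", exposed)
```

Run against the posted ruleset the only thing left open to the network is ICMP echo-request (type 8), which is why the author can be pinged; every TCP/UDP SYN to this box is dropped by the INPUT policy.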

loldier
Offline
Joined: 02/17/2016

Why go this route, ass-backwards? I mean "install and then remove."

Use netinstall ISO image, install the basic minimum CLI interface and only add software you need.

Magic Banana

Offline
Joined: 07/24/2010

# friendly recovery mode - what's this?

Currently, if the user selects "recovery mode" from the bootloader menu they end up dropped at a root shell prompt. Ideally, they'd end up at a small ncurses application, one option of which would be "root shell".
Other options can include things like "start system in safe graphics mode" or "forgotten password recovery".

https://blueprints.launchpad.net/ubuntu/+spec/friendly-recovery

andyprough
Offline
Joined: 02/12/2015

This is intriguing.

What is your reasoning for preferring wpa-supplicant over networkmanager? Is it more secure, or a better connection somehow?

And could you talk about what you are accomplishing with that Iptables configuration? Is this primarily for security, or for network speed, or both?

znavko
Offline
Joined: 06/11/2018

NetworkManager does not connect by itself; it only controls interfaces, using wpa_supplicant for the low-level functions. I do not need this buffer, so I use only wpa_supplicant. The main reason is that NM saves the password as it is, while the wpa config contains a password hash. wpa_supplicant without NM is more secure.

iptables is the buffer between the user and the kernel module named Netfilter: it takes user commands and relays them to netfilter rules. Just this. I do not use any GUI firewall because I do not think there is any good software, and "firewalld" and "ufw" do not have anything more that I need. In Linux there are only command-line tools like iptables, nmap and netstat for controlling and monitoring the network.

My iptables rules for the desktop allow any outgoing traffic (`output accept`), decline all forwarding (`forward drop`), because my PC is not a router, and disallow incoming traffic (`input drop`) except established and related connections. As I understand it, only the web sites that I am requesting may send me answers by connecting to open ports. Also FTP, I think.
It also allows any Ethernet connections (but I do not use Ethernet, only wifi).
ICMP: I'm not sure I need it; I just copied it as it was in the example.
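As an added example (editor's code, not from any poster), here is what the `psk=` value in the wpa_supplicant.conf shown earlier in the thread actually is. wpa_passphrase derives it as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output; the code below reproduces that, renders a network={} stanza with the derived key, and flags any stanza that still carries a quoted cleartext passphrase. The check uses the IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE"), so it runs offline. One caveat worth stating plainly: the 64 hex characters are the Pairwise Master Key itself, so anyone who can read the file can join the network; the hashed form protects the human-chosen passphrase (which people tend to reuse elsewhere), not access to the wifi, and the config file should stay root-only (mode 0600).

```python
import hashlib
import re


def wpa2_psk(passphrase, ssid):
    """Derive the 256-bit WPA2-Personal PSK the way wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), hex-encoded.
    The result is the unquoted 64-character value wpa_supplicant accepts on a psk= line."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1 to 32 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return raw.hex()


def network_block(ssid, passphrase):
    """Render a wpa_supplicant network={} stanza carrying the derived key, never the passphrase."""
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        "\tscan_ssid=1",
        "\tproto=WPA2",       # WPA2 is accepted as an alias of RSN
        "\tkey_mgmt=WPA-PSK",
        f"\tpsk={wpa2_psk(passphrase, ssid)}",  # unquoted hex = raw PSK, quoted = cleartext passphrase
        "}",
    ])


_CLEARTEXT_PSK = re.compile(r'^\s*psk="')


def cleartext_psk_lines(conf_text):
    """Return every psk= line in a wpa_supplicant.conf that is a quoted cleartext passphrase."""
    return [ln.strip() for ln in conf_text.splitlines() if _CLEARTEXT_PSK.match(ln)]


if __name__ == "__main__":
    # Constructed example network; "homewifi" is the SSID used in the thread, the passphrase is made up.
    stanza = network_block("homewifi", "correct horse battery staple")
    print(stanza)
    print("cleartext passphrases left:", cleartext_psk_lines(stanza) or "none")
```

To convert an existing config, run `cleartext_psk_lines()` over it, replace each quoted `psk="..."` with the output of `wpa2_psk()` for that network's SSID, and `chmod 600` the file; the SSID is part of the derivation, so the same passphrase yields a different PSK on every network.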