| author | John Ogness <john.ogness@linutronix.de> | 2018-04-19 16:37:00 +0200 |
|---|---|---|
| committer | John Ogness <john.ogness@linutronix.de> | 2018-04-19 16:37:00 +0200 |
| commit | 5d4433a719284d1b3231a85dd510054c12a43014 (patch) | |
| tree | c613d59411961e11ece2b57096fd1a9af9346b17 /security | |
| parent | 14868ed29a87bbce4198894e530895e318da9fea (diff) | |
add generic support for print version
All presentations can be built in print form if the file
.lxformat_print
exists in the main directory. If this file does not exist, the
regular beamer format will be generated.
IMPORTANT: The print versions of the files are named the same as
the beamer versions!
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/firewall_ex/Makefile | 1 | ||||
| -rw-r--r-- | security/firewall_ex/frm_ex_firewall.tex | 310 | ||||
| -rw-r--r-- | security/firewall_ex/pres_ex_firewall.tex | 313 | ||||
| -rw-r--r-- | security/firewall_ex/print_ex_firewall.tex | 3 |
4 files changed, 312 insertions, 315 deletions
diff --git a/security/firewall_ex/Makefile b/security/firewall_ex/Makefile
index 8a30938..d834f36 100644
--- a/security/firewall_ex/Makefile
+++ b/security/firewall_ex/Makefile
@@ -1,2 +1 @@
 obj-$(CONFIG_SECURITY_EX_FW) += pres_ex_firewall.pdf
-obj-$(CONFIG_SECURITY_EX_FW) += print_ex_firewall.pdf
diff --git a/security/firewall_ex/frm_ex_firewall.tex b/security/firewall_ex/frm_ex_firewall.tex
deleted file mode 100644
index 67b3acf..0000000
--- a/security/firewall_ex/frm_ex_firewall.tex
+++ /dev/null
@@ -1,310 +0,0 @@
-% ----------------------------
-\subsection{Firewall Examples}
-
-% ----------------------------
-\title{Example Firewall}
-\maketitle
-
-% ----------------------------
-\subsubsection{Initialization}
-
-\begin{frame}[fragile]
-\frametitle{iptables config}
-\begin{itemize}
-\item Create and change to new directory ex\_ipt
-\item Get root (su)
-\item Print current iptables configuration (iptables)
-\item Save current configuration (iptables-save)
-\item Reset iptables configuration (iptables)
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-mkdir ex_ipt
-cd ex_ipt
-su
-iptables -L
-iptables-save > start.conf
-iptables -X
-iptables -F
-iptables -Z
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\subsubsection{Policy}
-
-\begin{frame}[fragile]
-\frametitle{Default Policy}
-\begin{itemize}
-\item Drop all incoming, outgoing and forwarding traffic
-\item Save this default policies to file
-\item Reset iptables and restore saved config
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-iptables -P INPUT DROP
-iptables -P OUTPUT DROP
-iptables -P FORWARD DROP
-iptables-save > step1
-iptables -F
-iptables-restore < step1
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\subsubsection{User-defined Chains}
-
-\begin{frame}[fragile]
-\frametitle{LOGDROP}
-\begin{itemize}
-\item From now on, edit stepX file and load with iptables-restore
-\item Create new Chain LOGDROP
-\item Log and drop INPUT and OUTPUT traffic with new chain
-\item Check with ping
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# New chain
-:LOGDROP - [0:0]
--A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
--A LOGDROP -j DROP
-
-# Catch all falling through
--A INPUT -i eth0 -j LOGDROP
--A OUTPUT -o eth0 -j LOGDROP
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\subsubsection{Traffic Filter}
-
-\begin{frame}[fragile]
-\frametitle{Allow loopback traffic}
-\begin{itemize}
-\item Allow INPUT and OUTPUT traffic on interface lo
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# loopback
--A INPUT -i lo -j ACCEPT
--A OUTPUT -o lo -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{DNS}
-\begin{itemize}
-\item Allow DNS requests from this machine (UDP, Port 53)
-\item Allow DNS responses
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# DNS
--A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
--A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{ICMP}
-\begin{itemize}
-\item Allow simple ping requests (icmp-type 0 and 8)
-\item Limit to 2 requests per second
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# PING limited accept
--A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
--A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
--A INPUT -p icmp -j DROP
-# Limit outgoing PING as well
--A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
--A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
--A OUTPUT -p icmp -j DROP
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Established Connections}
-\begin{itemize}
-\item Allow INPUT and OUTPUT traffic for all ESTABLISHed connections
-\item Remove obsolete rules (DNS)
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# Allow established connections in and out
--A INPUT -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-[...]
-# DNS
--A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Log new connections}
-\begin{itemize}
-\item Create new Chain LOGNEW\_ACCEPT
-\item New Connections should be logged with prefix ''New: ''
-\item Traffic should be accepted
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# LOGNEW_ACCEPT Chain
-:LOGNEW_ACCEPT - [0:0]
--A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
--A LOGNEW_ACCEPT -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Log new DNS connections}
-\begin{itemize}
-\item Log new DNS connection with rule LOGNEW\_ACCEPT
-\end{itemize}
-
-\pause
-
-\begin{beamerboxesrounded}[shadow=true]{Solution:}
-\begin{scriptsize}
-\begin{verbatim}
-# DNS
--A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
- -j LOGNEW_ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{beamerboxesrounded}
-\end{frame}
-
-% ----------------------------
-\subsubsection{Summary}
-
-\begin{frame}[fragile]
-\frametitle{Full example with Ping, DNS, and SSH}
-\begin{scriptsize}
-\begin{verbatim}
-# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
-
-# New chain
-:LOGDROP - [0:0]
--A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
--A LOGDROP -j DROP
-
-# DNS Chain
-:LOGNEW_ACCEPT - [0:0]
--A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
--A LOGNEW_ACCEPT -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Full example with Ping, DNS, and SSH}
-\begin{scriptsize}
-\begin{verbatim}
-# loopback
--A INPUT -i lo -j ACCEPT
--A OUTPUT -o lo -j ACCEPT
-
-# PING limited accept
--A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
--A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
--A INPUT -p icmp -j LOGDROP
--A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
--A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
--A OUTPUT -p icmp -j LOGDROP
-
-# Allow established connections in and out
--A INPUT -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-\end{verbatim}
-\end{scriptsize}
-\end{frame}
-
-% ----------------------------
-\begin{frame}[fragile]
-\frametitle{Full example with Ping, DNS, and SSH}
-\begin{scriptsize}
-\begin{verbatim}
-# DNS
--A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
- -j LOGNEW_ACCEPT
-
-# Outgoing SSH
--A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \
- -j LOGNEW_ACCEPT
-
-# Incoming SSH
--A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT
-
-# Catch all falling through
--A INPUT -i eth0 -j LOGDROP
--A OUTPUT -o eth0 -j LOGDROP
-
-COMMIT
-# Completed on Sat Apr 6 19:47:41 2013
-\end{verbatim}
-\end{scriptsize}
-\end{frame}
-
-% ----------------------------
-\subsection{}
diff --git a/security/firewall_ex/pres_ex_firewall.tex b/security/firewall_ex/pres_ex_firewall.tex
index 521dd6f..3773eba 100644
--- a/security/firewall_ex/pres_ex_firewall.tex
+++ b/security/firewall_ex/pres_ex_firewall.tex
@@ -1,3 +1,314 @@
 \input{configpres}
-\input{frm_ex_firewall}
+
+% ----------------------------
+\subsection{Firewall Examples}
+
+% ----------------------------
+\title{Example Firewall}
+\maketitle
+
+% ----------------------------
+\subsubsection{Initialization}
+
+\begin{frame}[fragile]
+\frametitle{iptables config}
+\begin{itemize}
+\item Create and change to new directory ex\_ipt
+\item Get root (su)
+\item Print current iptables configuration (iptables)
+\item Save current configuration (iptables-save)
+\item Reset iptables configuration (iptables)
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+mkdir ex_ipt
+cd ex_ipt
+su
+iptables -L
+iptables-save > start.conf
+iptables -X
+iptables -F
+iptables -Z
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Policy}
+
+\begin{frame}[fragile]
+\frametitle{Default Policy}
+\begin{itemize}
+\item Drop all incoming, outgoing and forwarding traffic
+\item Save this default policies to file
+\item Reset iptables and restore saved config
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+iptables-save > step1
+iptables -F
+iptables-restore < step1
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{User-defined Chains}
+
+\begin{frame}[fragile]
+\frametitle{LOGDROP}
+\begin{itemize}
+\item From now on, edit stepX file and load with iptables-restore
+\item Create new Chain LOGDROP
+\item Log and drop INPUT and OUTPUT traffic with new chain
+\item Check with ping
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# New chain
+:LOGDROP - [0:0]
+-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
+-A LOGDROP -j DROP
+
+# Catch all falling through
+-A INPUT -i eth0 -j LOGDROP
+-A OUTPUT -o eth0 -j LOGDROP
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Traffic Filter}
+
+\begin{frame}[fragile]
+\frametitle{Allow loopback traffic}
+\begin{itemize}
+\item Allow INPUT and OUTPUT traffic on interface lo
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{DNS}
+\begin{itemize}
+\item Allow DNS requests from this machine (UDP, Port 53)
+\item Allow DNS responses
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ICMP}
+\begin{itemize}
+\item Allow simple ping requests (icmp-type 0 and 8)
+\item Limit to 2 requests per second
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# PING limited accept
+-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp -j DROP
+# Limit outgoing PING as well
+-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp -j DROP
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Established Connections}
+\begin{itemize}
+\item Allow INPUT and OUTPUT traffic for all ESTABLISHed connections
+\item Remove obsolete rules (DNS)
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# Allow established connections in and out
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+[...]
+# DNS
+-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Log new connections}
+\begin{itemize}
+\item Create new Chain LOGNEW\_ACCEPT
+\item New Connections should be logged with prefix ''New: ''
+\item Traffic should be accepted
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# LOGNEW_ACCEPT Chain
+:LOGNEW_ACCEPT - [0:0]
+-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
+-A LOGNEW_ACCEPT -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Log new DNS connections}
+\begin{itemize}
+\item Log new DNS connection with rule LOGNEW\_ACCEPT
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{scriptsize}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{scriptsize}
+\begin{verbatim}
+# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# New chain
+:LOGDROP - [0:0]
+-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
+-A LOGDROP -j DROP
+
+# DNS Chain
+:LOGNEW_ACCEPT - [0:0]
+-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
+-A LOGNEW_ACCEPT -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{scriptsize}
+\begin{verbatim}
+# loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# PING limited accept
+-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp -j LOGDROP
+-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp -j LOGDROP
+
+# Allow established connections in and out
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{scriptsize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{scriptsize}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+
+# Outgoing SSH
+-A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+
+# Incoming SSH
+-A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT
+
+# Catch all falling through
+-A INPUT -i eth0 -j LOGDROP
+-A OUTPUT -o eth0 -j LOGDROP
+
+COMMIT
+# Completed on Sat Apr 6 19:47:41 2013
+\end{verbatim}
+\end{scriptsize}
+\end{frame}
+
+% ----------------------------
+\subsection{}
+
 \input{tailpres}
diff --git a/security/firewall_ex/print_ex_firewall.tex b/security/firewall_ex/print_ex_firewall.tex
deleted file mode 100644
index 34670a8..0000000
--- a/security/firewall_ex/print_ex_firewall.tex
+++ /dev/null
@@ -1,3 +0,0 @@
-\input{configprint}
-\input{frm_ex_firewall}
-\input{tailprint} |
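Review bot: The LOGDROP chain in the `\frametitle{LOGDROP}` solution, and again in the first summary frame, rate-limits only the LOG rule (`-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "`) while the following `-A LOGDROP -j DROP` is unconditional, so the kernel log records only a few of the dropped packets per minute and understates the drop volume the student is told to "Check with ping". A one-line verbatim comment above the drop rule, `# only the LOG rule is rate-limited: most dropped packets leave no log entry`, would keep the exercise from being read as a complete audit trail; the LOGNEW_ACCEPT chain has no such limit, so that contrast is worth a sentence on the slide. Separately, `''New: ''` in the "Log new connections" frame uses two closing double-quotes at both ends; LaTeX opens a quotation with two backticks rather than two apostrophes.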
