Diffstat (limited to 'config/chroot_local-includes')
-rw-r--r--config/chroot_local-includes/etc/amnesia/version1
-rw-r--r--config/chroot_local-includes/etc/apt/apt.conf.d/00defaultrelease1
-rw-r--r--config/chroot_local-includes/etc/apt/preferences19
-rw-r--r--config/chroot_local-includes/etc/default/pdnsd6
-rw-r--r--config/chroot_local-includes/etc/dhcp3/dhclient.conf55
-rw-r--r--config/chroot_local-includes/etc/environment4
-rw-r--r--config/chroot_local-includes/etc/firewall.conf43
-rwxr-xr-xconfig/chroot_local-includes/etc/network/if-up.d/000firewall12
-rwxr-xr-xconfig/chroot_local-includes/etc/network/if-up.d/600tor4
-rw-r--r--config/chroot_local-includes/etc/pdnsd.conf52
-rw-r--r--config/chroot_local-includes/etc/polipo/config164
-rw-r--r--config/chroot_local-includes/etc/tor/tor-tsocks.conf19
-rw-r--r--config/chroot_local-includes/etc/tor/torrc172
-rwxr-xr-xconfig/chroot_local-includes/usr/local/sbin/do_not_ever_run_me36
-rw-r--r--config/chroot_local-includes/usr/share/doc/amnesia/Changelog119
-rw-r--r--config/chroot_local-includes/usr/share/doc/amnesia/README37
-rw-r--r--config/chroot_local-includes/usr/share/doc/amnesia/README.eCAFE45
-rw-r--r--config/chroot_local-includes/usr/share/doc/amnesia/TODO92
-rwxr-xr-xconfig/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/X11_fixup7
-rw-r--r--config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/xorg.conf47
20 files changed, 935 insertions, 0 deletions
diff --git a/config/chroot_local-includes/etc/amnesia/version b/config/chroot_local-includes/etc/amnesia/version
new file mode 100644
index 0000000..5798f6f
--- /dev/null
+++ b/config/chroot_local-includes/etc/amnesia/version
@@ -0,0 +1 @@
+20090620
diff --git a/config/chroot_local-includes/etc/apt/apt.conf.d/00defaultrelease b/config/chroot_local-includes/etc/apt/apt.conf.d/00defaultrelease
new file mode 100644
index 0000000..4143a94
--- /dev/null
+++ b/config/chroot_local-includes/etc/apt/apt.conf.d/00defaultrelease
@@ -0,0 +1 @@
+APT::Default-Release "stable";
diff --git a/config/chroot_local-includes/etc/apt/preferences b/config/chroot_local-includes/etc/apt/preferences
new file mode 100644
index 0000000..574fb56
--- /dev/null
+++ b/config/chroot_local-includes/etc/apt/preferences
@@ -0,0 +1,19 @@
+Package: firmware-linux
+Pin: release a=lenny-backports
+Pin-Priority: 999
+
+Package: kvkbd
+Pin: release a=lenny-backports
+Pin-Priority: 999
+
+Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: *
+Pin: release a=lenny-backports
+Pin-Priority: 200
+
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
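Review bot: The closing `Pin: release o=Debian` stanza at priority -10 makes every Debian suite not named above (squeeze, sid) uninstallable unless a hook selects it explicitly, which appears to be the intent behind the Changelog's "install chosen packages from squeeze/sid", but nothing in the file says so and a negative priority reads like a typo to the next maintainer. APT preferences accept `Explanation:` lines, so I would add `Explanation: anything else from Debian is never auto-installed; hooks must select the suite explicitly` above that stanza. A similar line above the two 999 pins should note that they deliberately prefer backports for these two packages while staying below 1000 so APT never downgrades.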
diff --git a/config/chroot_local-includes/etc/default/pdnsd b/config/chroot_local-includes/etc/default/pdnsd
new file mode 100644
index 0000000..6350dda
--- /dev/null
+++ b/config/chroot_local-includes/etc/default/pdnsd
@@ -0,0 +1,6 @@
+# do we start pdnsd ?
+START_DAEMON=yes
+# auto-mode, overrides /etc/pdsnd.conf if set [see /usr/share/pdnsd/]
+AUTO_MODE=
+# optional CLI options to pass to pdnsd(8)
+START_OPTIONS=
diff --git a/config/chroot_local-includes/etc/dhcp3/dhclient.conf b/config/chroot_local-includes/etc/dhcp3/dhclient.conf
new file mode 100644
index 0000000..dc80d93
--- /dev/null
+++ b/config/chroot_local-includes/etc/dhcp3/dhclient.conf
@@ -0,0 +1,55 @@
+# Configuration file for /sbin/dhclient, which is included in Debian's
+# dhcp3-client package.
+#
+# This is a sample configuration file for dhclient. See dhclient.conf's
+# man page for more information about the syntax of this file
+# and a more comprehensive list of the parameters understood by
+# dhclient.
+#
+# Normally, if the DHCP server provides reasonable information and does
+# not leave anything out (like the domain name, for example), then
+# few changes must be made to this file, if any.
+#
+
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+
+send host-name "titanic";
+#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
+#send dhcp-lease-time 3600;
+#supersede domain-name "fugue.com home.vix.com";
+#prepend domain-name-servers 127.0.0.1;
+request subnet-mask, broadcast-address, time-offset, routers,
+ domain-name, domain-name-servers, domain-search, host-name,
+ netbios-name-servers, netbios-scope, interface-mtu,
+ rfc3442-classless-static-routes;
+supersede domain-name-servers 127.0.0.1;
+supersede domain-name "localdomain";
+#require subnet-mask, domain-name-servers;
+#timeout 60;
+#retry 60;
+#reboot 10;
+#select-timeout 5;
+#initial-interval 2;
+#script "/etc/dhcp3/dhclient-script";
+#media "-link0 -link1 -link2", "link0 link1";
+#reject 192.33.137.209;
+
+#alias {
+# interface "eth0";
+# fixed-address 192.5.5.213;
+# option subnet-mask 255.255.255.255;
+#}
+
+#lease {
+# interface "eth0";
+# fixed-address 192.33.137.200;
+# medium "link0 link1";
+# option host-name "andare.swiftmedia.com";
+# option subnet-mask 255.255.255.0;
+# option broadcast-address 192.33.137.255;
+# option routers 192.33.137.250;
+# option domain-name-servers 127.0.0.1;
+# renew 2 2000/1/12 00:00:01;
+# rebind 2 2000/1/12 00:00:01;
+# expire 2 2000/1/12 00:00:01;
+#}
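Review bot: `send host-name "titanic";` announces the same fixed, distinctive hostname to every DHCP server this machine meets, so a network operator can recognise this image, and correlate sightings of it, from DHCP logs alone. If a hostname must be sent at all it should be one a stock client would send; otherwise drop the line, since `request ... host-name` already lets the server-assigned name be used. `supersede domain-name-servers 127.0.0.1;` correctly keeps resolution on the local pdnsd regardless of what the server offers, which is the part that matters for Tor.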
diff --git a/config/chroot_local-includes/etc/environment b/config/chroot_local-includes/etc/environment
new file mode 100644
index 0000000..2460f1e
--- /dev/null
+++ b/config/chroot_local-includes/etc/environment
@@ -0,0 +1,4 @@
+http_proxy=http://localhost:8118
+HTTP_PROXY=http://localhost:8118
+SOCKS_SERVER=localhost:9050
+SOCKS5_SERVER=localhost:9050
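Review bot: Only `http_proxy` is exported; `https_proxy`/`HTTPS_PROXY` and `ftp_proxy` are absent, so tools that honour these variables (curl, wget, apt) connect directly for HTTPS and FTP and rely solely on the nat DNAT in firewall.conf, while HTTP goes via polipo, giving two different paths for the same tool. Adding `https_proxy=http://localhost:8118` and `HTTPS_PROXY=http://localhost:8118` keeps both on the polipo path (polipo's `tunnelAllowedPorts = 1-65535` permits the CONNECT). `no_proxy=localhost,127.0.0.1` would stop loopback requests being sent through polipo.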
diff --git a/config/chroot_local-includes/etc/firewall.conf b/config/chroot_local-includes/etc/firewall.conf
new file mode 100644
index 0000000..f8c9e11
--- /dev/null
+++ b/config/chroot_local-includes/etc/firewall.conf
@@ -0,0 +1,43 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Established connections are accepted.
+[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Local network connections should not fo through Tor.
+[0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j ACCEPT
+[0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j ACCEPT
+[0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j ACCEPT
+[0:0] -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
+
+# Tor is allowed to do anything it wants to, everything else is dropped.
+[0:0] -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
+[0:0] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Local network connections should not fo through Tor. Note that we
+# exclude the VirtualAddrNetwork used for .onion:s here.
+[0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j RETURN
+[0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j RETURN
+[0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j RETURN
+[0:0] -A OUTPUT -d 127.0.0.0/255.128.0.0 -j RETURN
+[0:0] -A OUTPUT -d 127.128.0.0/255.192.0.0 -j RETURN
+
+# Tor is allowed to do anything it wants to.
+[0:0] -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
+
+# .onion mapped addresses redirection to Tor.
+[0:0] -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
+
+# Redirect all remaining TCP traffic to Tor.
+[0:0] -A OUTPUT -o ! lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:9040
+
+COMMIT
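Review bot: The INPUT and FORWARD chains keep a default ACCEPT policy with no rules, so any daemon in this image that binds to a non-loopback address is reachable from the LAN, and the host would forward packets if forwarding were ever enabled; the hunk only constrains OUTPUT. Every listener this commit configures (Tor, polipo, pdnsd) binds 127.0.0.1, so a fail-closed INPUT policy that admits loopback and replies to our own connections costs nothing today and protects against the next package that does not. Nothing in the commit loads ip6tables rules either, so IPv6 traffic, if a network offers it, would bypass both the REJECT and the DNAT unless that is handled elsewhere. The two comments also say "fo through" where "go through" is meant.
```conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Nothing should be reachable from outside: accept loopback and replies
# to connections we initiated, drop the rest by policy.
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# … unchanged: OUTPUT rules, COMMIT, nat table …
```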
diff --git a/config/chroot_local-includes/etc/network/if-up.d/000firewall b/config/chroot_local-includes/etc/network/if-up.d/000firewall
new file mode 100755
index 0000000..f57681e
--- /dev/null
+++ b/config/chroot_local-includes/etc/network/if-up.d/000firewall
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Exit if lo interface
+[ "$METHOD" = "loopback" ] && exit 0
+
+IPTABLES_RULES=/etc/firewall.conf
+
+[ -x /sbin/iptables-restore ] || exit 2
+[ -n "$IPTABLES_RULES" ] || exit 3
+[ -r "$IPTABLES_RULES" ] || exit 4
+
+/sbin/iptables-restore < "$IPTABLES_RULES"
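Review bot: The rules are loaded from if-up.d, i.e. after the interface is already configured and routable, and the script exits 2/3/4 with no firewall at all if iptables-restore or the rules file is missing, so both the timing and the error path fail open. Loading from `/etc/network/if-pre-up.d/` instead closes the window in which DHCP hooks or earlier if-up.d scripts can reach the network unfiltered, and, as far as I recall ifupdown's behaviour, a non-zero exit from a pre-up script aborts bringing the interface up, so a missing rules file would then fail closed. Since `IPTABLES_RULES` is hard-coded, the `[ -n "$IPTABLES_RULES" ]` check is dead and can go, leaving `[ -r "$IPTABLES_RULES" ] || exit 4`.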
diff --git a/config/chroot_local-includes/etc/network/if-up.d/600tor b/config/chroot_local-includes/etc/network/if-up.d/600tor
new file mode 100755
index 0000000..6f1341f
--- /dev/null
+++ b/config/chroot_local-includes/etc/network/if-up.d/600tor
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+/etc/init.d/tor restart
+
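Review bot: Unlike 000firewall this hook has no `[ "$METHOD" = "loopback" ] && exit 0` guard, so Tor is restarted when lo comes up at boot as well as for every real interface, and each restart tears down all existing circuits and briefly closes TransPort/DNSPort (connections DNATed there are refused meanwhile, which at least fails closed). Adding the same guard as the first line after the shebang avoids the spurious restart. The trailing empty line can be dropped.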
diff --git a/config/chroot_local-includes/etc/pdnsd.conf b/config/chroot_local-includes/etc/pdnsd.conf
new file mode 100644
index 0000000..19197dd
--- /dev/null
+++ b/config/chroot_local-includes/etc/pdnsd.conf
@@ -0,0 +1,52 @@
+// Read the pdnsd.conf(5) manpage for an explanation of the options.
+
+/* Note: this file is overriden by automatic config files when
+ /etc/default/pdnsd AUTO_MODE is set and that
+ /usr/share/pdnsd/pdnsd-$AUTO_MODE.conf exists
+ */
+
+global {
+ perm_cache=2048;
+ cache_dir="/var/cache/pdnsd";
+ run_as="pdnsd";
+ server_ip = 127.0.0.1; // Use eth0 here if you want to allow other
+ // machines on your network to query pdnsd.
+ status_ctl = on;
+// paranoid=on;
+// query_method=tcp_udp; // pdnsd must be compiled with tcp
+ // query support for this to work.
+ min_ttl=15m; // Retain cached entries at least 15 minutes.
+ max_ttl=1w; // One week.
+ timeout=120; // Global timeout option (10 seconds).
+
+ // Don't enable if you don't recurse yourself, can lead to problems
+ // delegation_only="com","net";
+}
+
+# Tor DNS resolver
+server {
+ label = "tor";
+ ip = 127.0.0.1;
+ port = 8853;
+ uptest = none;
+ exclude=".invalid";
+ policy=included;
+ proxy_only = on;
+ lean_query = on;
+}
+
+source {
+ owner=localhost;
+// serve_aliases=on;
+ file="/etc/hosts";
+}
+
+rr {
+ name=localhost;
+ reverse=on;
+ a=127.0.0.1;
+ owner=localhost;
+ soa=localhost,root.localhost,42,86400,900,86400,86400;
+}
+
+/* vim:set ft=c: */
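Review bot: `perm_cache=2048;` together with `cache_dir="/var/cache/pdnsd";` tells pdnsd to persist its cache to disk, so a list of every name the user resolved survives shutdown on any writable medium (the TODO in this commit plans persistent USB installs), which is at odds with `AvoidDiskWrites 1` in the torrc of the same commit; `perm_cache=0;` keeps the cache in RAM only. `// paranoid=on;` is worth enabling: it drops answers whose question section does not match the query, a cheap poisoning defence for a resolver that fully trusts a single forwarder. The comment on `timeout=120;` still says "(10 seconds)", copied from the sample.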
diff --git a/config/chroot_local-includes/etc/polipo/config b/config/chroot_local-includes/etc/polipo/config
new file mode 100644
index 0000000..883f775
--- /dev/null
+++ b/config/chroot_local-includes/etc/polipo/config
@@ -0,0 +1,164 @@
+# Sample configuration file for Polipo. -*-sh-*-
+
+# You should not need to edit this configuration file; all configuration
+# variables have reasonable defaults.
+
+# This file only contains some of the configuration variables; see the
+# list given by ``polipo -v'' and the manual for more.
+
+
+### Basic configuration
+### *******************
+
+# Uncomment one of these if you want to allow remote clients to
+# connect:
+
+# proxyAddress = "::0" # both IPv4 and IPv6
+# proxyAddress = "0.0.0.0" # IPv4 only
+proxyAddress = "127.0.0.1" # IPv4 only
+proxyPort = 8118
+
+# If you are enabling 'proxyAddress' above, then you want to enable the
+# 'allowedClients' variable to the address of your network, e.g.
+# allowedClients = 127.0.0.1, 192.168.42.0/24
+
+# allowedClients = 127.0.0.1
+
+# Uncomment this if you want your Polipo to identify itself by
+# something else than the host name:
+
+proxyName = "localhost"
+
+# Uncomment this if there's only one user using this instance of Polipo:
+
+cacheIsShared = false
+
+# Uncomment this if you want to use a parent proxy:
+
+# parentProxy = "squid.example.org:3128"
+
+# Uncomment this if you want to use a parent SOCKS proxy:
+
+socksParentProxy = "localhost:9050"
+socksProxyType = socks5
+
+
+### Memory
+### ******
+
+# Uncomment this if you want Polipo to use a ridiculously small amount
+# of memory (a hundred C-64 worth or so):
+
+# chunkHighMark = 819200
+# objectHighMark = 128
+
+# Uncomment this if you've got plenty of memory:
+
+# chunkHighMark = 50331648
+# objectHighMark = 16384
+
+
+### On-disk data
+### ************
+
+# Uncomment this if you want to disable the on-disk cache:
+
+diskCacheRoot = ""
+
+# Uncomment this if you want to put the on-disk cache in a
+# non-standard location:
+
+# diskCacheRoot = "~/.polipo-cache/"
+
+# Uncomment this if you want to disable the local web server:
+
+# localDocumentRoot = ""
+
+# Uncomment this if you want to enable the pages under /polipo/index?
+# and /polipo/servers?. This is a serious privacy leak if your proxy
+# is shared.
+
+# disableIndexing = false
+# disableServersList = false
+
+disableLocalInterface = true
+
+### Domain Name System
+### ******************
+
+# Uncomment this if you want to contact IPv4 hosts only (and make DNS
+# queries somewhat faster):
+
+# dnsQueryIPv6 = no
+
+# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for
+# double-stack hosts:
+
+# dnsQueryIPv6 = reluctantly
+
+# Uncomment this to disable Polipo's DNS resolver and use the system's
+# default resolver instead. If you do that, Polipo will freeze during
+# every DNS query:
+
+# dnsUseGethostbyname = yes
+
+
+### HTTP
+### ****
+
+# Uncomment this if you want to enable detection of proxy loops.
+# This will cause your hostname (or whatever you put into proxyName
+# above) to be included in every request:
+
+disableVia = true
+
+# Uncomment this if you want to slightly reduce the amount of
+# information that you leak about yourself:
+
+censoredHeaders = from, accept-language, x-pad
+censorReferer = maybe
+
+# Uncomment this if you're paranoid. This will break a lot of sites,
+# though:
+
+# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language
+# censorReferer = true
+
+# Uncomment this if you want to use Poor Man's Multiplexing; increase
+# the sizes if you're on a fast line. They should each amount to a few
+# seconds' worth of transfer; if pmmSize is small, you'll want
+# pmmFirstSize to be larger.
+
+# Note that PMM is somewhat unreliable.
+
+# pmmFirstSize = 16384
+# pmmSize = 8192
+
+# Uncomment this if your user-agent does something reasonable with
+# Warning headers (most don't):
+
+# relaxTransparency = maybe
+
+# Uncomment this if you never want to revalidate instances for which
+# data is available (this is not a good idea):
+
+# relaxTransparency = yes
+
+# Uncomment this if you have no network:
+
+# proxyOffline = yes
+
+# Uncomment this if you want to avoid revalidating instances with a
+# Vary header (this is not a good idea):
+
+# mindlesslyCacheVary = true
+
+### Tor-specific configuration
+### **************************
+
+serverSlots = 2
+serverMaxSlots = 8
+allowedPorts = 1-65535
+tunnelAllowedPorts = 1-65535
+maxConnectionAge = 5m
+maxConnectionRequests = 120
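Review bot: Most of the upstream sample's explanatory comments were kept verbatim while the values were changed, and several now say the opposite of the line beneath them: the paragraph above `disableVia = true` describes enabling loop detection, and `cacheIsShared = false`, `diskCacheRoot = ""` and `disableLocalInterface = true` sit under "Uncomment this if…" headings although they are active. Either trim the file to the lines this image actually sets, with a one-line reason each (e.g. `# no on-disk cache: leaves no browsing trail on a persistent medium` above `diskCacheRoot`), or rewrite the comments to match the values. The "Tor-specific configuration" block at the end appears to mirror the Tor Project's recommended polipo settings; a comment saying where it came from is the one thing a later maintainer will want.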
diff --git a/config/chroot_local-includes/etc/tor/tor-tsocks.conf b/config/chroot_local-includes/etc/tor/tor-tsocks.conf
new file mode 100644
index 0000000..dd58d8b
--- /dev/null
+++ b/config/chroot_local-includes/etc/tor/tor-tsocks.conf
@@ -0,0 +1,19 @@
+# This is the configuration for libtsocks (transparent socks) for use
+# with tor, which is providing a socks server on port 9050 by default.
+#
+# See tsocks.conf(5) and torify(1) manpages.
+
+server = 127.0.0.1
+server_port = 9050
+
+# We specify local as 127.0.0.0 - 127.191.255.255 because the
+# Tor MAPADDRESS virtual IP range is the rest of net 127.
+local = 127.0.0.0/255.128.0.0
+local = 127.128.0.0/255.192.0.0
+
+
+# My local networks
+local = 10.0.0.0/255.0.0.0
+local = 172.16.0.0/255.255.0.0
+local = 192.168.0.0/255.255.0.0
+
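Review bot: `local = 172.16.0.0/255.255.0.0` covers only 172.16.0.0/16, whereas the private range, and firewall.conf in this same commit, use 172.16.0.0/12; hosts in 172.17–172.31 would be handed to the SOCKS server, which Tor will refuse to connect to. Use `local = 172.16.0.0/255.240.0.0` so tsocks and the firewall agree. The 127.0.0.0/9 and 127.128.0.0/10 entries do line up with the nat-table exemptions in firewall.conf, so the MAPADDRESS range is handled consistently.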
diff --git a/config/chroot_local-includes/etc/tor/torrc b/config/chroot_local-includes/etc/tor/torrc
new file mode 100644
index 0000000..9da08e2
--- /dev/null
+++ b/config/chroot_local-includes/etc/tor/torrc
@@ -0,0 +1,172 @@
+## Configuration file for a typical Tor user
+## Last updated 22 December 2007 for Tor 0.2.0.14-alpha.
+## (May or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See the man page, or https://www.torproject.org/tor-manual-dev.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc
+
+
+## Replace this with "SocksPort 0" if you plan to run Tor only as a
+## server, and not make any local application connections yourself.
+SocksPort 9050 # what port to open for local application connections
+SocksListenAddress 127.0.0.1 # accept connections only from localhost
+#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests from SocksListenAddress.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+ControlPort 9051
+ControlListenAddress 127.0.0.1
+
+## Tor unconditionnally chmod's DataDirectory (/var/lib/tor) at startup,
+## and the debian-tor group can thus not access it, so we have it put
+## the auth cookie elsewhere.
+CookieAuthentication 1
+CookieAuthFile /tmp/control_auth_cookie
+CookieAuthFileGroupReadable 1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## A unique handle for your server.
+#Nickname ididnteditheconfig
+
+## The IP or FQDN for your server. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## Define these to limit the bandwidth usage of relayed (server)
+## traffic. Your own traffic is still unthrottled.
+## Note that RelayBandwidthRate must be at least 20 KB.
+#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)
+
+## Contact info to be published in the directory, so we can contact you
+## if your server is misconfigured or something else goes wrong.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>
+
+## Required: what port to advertise for Tor connections.
+#ORPort 9001
+## If you need to listen on a port other than the one advertised
+## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
+## line below too. You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORListenAddress 0.0.0.0:9090
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you need to listen on a port other than the one advertised
+## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
+## below too. You'll need to do ipchains or other port forwarding yourself
+## to make this work.
+#DirListenAddress 0.0.0.0:9091
+
+## Uncomment this if you run more than one Tor server, and add the
+## nickname of each Tor server you control, even if they're on different
+## networks. You declare it here so Tor clients can avoid using more than
+## one of your servers in a single circuit. See
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
+#MyFamily nickname1,nickname2,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## available in the man page or at https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+#
+################ This section is just for bridge relays ##############
+#
+## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even if an
+## ISP is filtering connections to all the known Tor relays, they probably
+## won't be able to block all the bridges. Unlike running an exit relay,
+## running a bridge relay just passes data to and from the Tor network --
+## so it shouldn't expose the operator to abuse complaints.
+
+#ORPort 443
+#BridgeRelay 1
+#RelayBandwidthRate 50KBytes
+#ExitPolicy reject *:*
+
+
+################ Local settings ########################################
+
+## Torified DNS
+DNSPort 8853
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit,.onion
+
+## Transparent proxy
+TransPort 9040
+TransListenAddress 127.0.0.1
+
+## Misc
+AvoidDiskWrites 1
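Review bot: `CookieAuthFile /tmp/control_auth_cookie` places the control-port credential in a world-writable shared directory: any local user can pre-create a file or symlink at that path before Tor starts, and the cookie's existence is visible to everyone by name even if its mode is tight. A directory owned by debian-tor, created by the init script, gives the group-readable semantics the comment wants without the /tmp hazards, e.g. `CookieAuthFile /var/run/tor/control.authcookie`. Note too that whoever reads the cookie gets unrestricted ControlPort access (SETCONF of entry/exit nodes, logging, and so on), so adding the live user to the debian-tor group as the Changelog intends means any compromised process of that user can reconfigure Tor; a comment next to `ControlPort 9051` stating that trade-off would help. The header still claims "Last updated 22 December 2007 for Tor 0.2.0.14-alpha".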
diff --git a/config/chroot_local-includes/usr/local/sbin/do_not_ever_run_me b/config/chroot_local-includes/usr/local/sbin/do_not_ever_run_me
new file mode 100755
index 0000000..4a42367
--- /dev/null
+++ b/config/chroot_local-includes/usr/local/sbin/do_not_ever_run_me
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This script fully disables the iptables firewall, and thus the
+# transparent forwarding thru Tor of all non-local network
+# connections... which defeats the whole purpose of this OS, hence
+# this script's name.
+
+IPT=/sbin/iptables
+
+[ -x "$IPT" ] || exit 67
+
+$IPT -P INPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+$IPT -P OUTPUT ACCEPT
+
+$IPT -t nat -P PREROUTING ACCEPT
+$IPT -t nat -P POSTROUTING ACCEPT
+$IPT -t nat -P OUTPUT ACCEPT
+
+$IPT -t mangle -P PREROUTING ACCEPT
+$IPT -t mangle -P INPUT ACCEPT
+$IPT -t mangle -P FORWARD ACCEPT
+$IPT -t mangle -P OUTPUT ACCEPT
+$IPT -t mangle -P POSTROUTING ACCEPT
+
+$IPT -F
+$IPT -t nat -F
+$IPT -t mangle -F
+
+$IPT -X
+$IPT -t nat -X
+$IPT -t mangle -X
+
+echo "You might want to unset http_proxy and HTTP_PROXY environment variables as well:"
+echo " unset http_proxy"
+echo " unset HTTP_PROXY"
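Review bot: The script neither checks that it runs as root nor sets `set -e`, so run unprivileged every iptables call fails and it still prints the closing advice as if the firewall were gone; add `set -e` and `[ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; exit 1; }` right after the shebang. The header comment also overstates the effect: as far as this commit shows, after the flush DNS still goes through pdnsd to Tor's DNSPort and `http_proxy` still points at polipo, so only raw TCP is de-torified, leaving a half-torified state rather than a clean one, which is worth spelling out in the comment. Given the name, a confirmation prompt before the first iptables call would be in keeping.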
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/Changelog b/config/chroot_local-includes/usr/share/doc/amnesia/Changelog
new file mode 100644
index 0000000..8070c43
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/Changelog
@@ -0,0 +1,119 @@
+2009 06 20 - dev
+
+ * hardware support:
+ - install firmware-linux from backports.org
+ - install system-config-printer
+ * APT/pinning: give backports.org priority 200, so that we track
+ upgrades of packages installed from there.
+ * build system: allow building several images at once
+
+2009 06 19 - dev
+
+ * Tor: added a "Restart Tor" launcher to the Gnome panel,
+ that runs "/etc/init.d/tor restart"
+ * APT: re-configure pinning and sources to use squeeze rather than
+ unstable to fetch newer or not-in-Lenny software
+ * hardware support: added instructions in README.eCAFE to support the
+ Hercules eCAFÉ™ EC-800 netbook
+ * release: include the Changelog and TODO in the generated images,
+ in the /usr/share/doc/amnesia/ directory
+ * torbutton: install newer version from Squeeze
+
+2009 06 18 - dev
+
+ * software: install gnomebaker when building Gnome-based live OS, to
+ easily clone myself when running from CD
+
+2009 06 17 - dev
+
+ * Tor vs. Network Manager: added a restart tor hook to if-up.d (used by
+ Network Manager as well), so that Tor does work immediately even if
+ the network cable was plugged late in/after the boot process
+ * build system cleanup
+ - migrated most of lh_config invocations to scripts/config
+ - append "noprompt" so that halting/rebooting work with splashy
+ - moved our own variables to config/amnesia, using the namespace
+ $AMNESIA_*
+ * APT: configure pinning to support installing chosen packages from sid;
+ the APT source for unstable is hardcoded in chroot_sources/sid, since
+ there is no way to use $LH_CHROOT_MIRROR there: the chroot_local-hooks
+ have no access to such configuration variables :/
+ * iceweasel: install NoScript plugin from Debian sid
+
+2009 06 16 - dev
+
+ * iceweasel: delete urlclassifier3.sqlite on $HOME refresh: as we
+ disabled "safebrowsing", this huge file is of no use
+ * build system
+ - rely on standard live-initramfs adduser to do our user setup
+ (including sudo vs. Gnome/KDE, etc.)
+ - stop "supporting" KDE
+ * linux: removed non-686 kernel flavours when building i386 images
+ * compatibility: append "live-media=removable live-media-timeout=15", to
+ prevent blindly booting another debian-live installed on the hard disk
+ * software: install scribus
+
+2009 XX XX - dev
+
+ * Forked Privatix 9.03.15, by Markus Mandalka:
+ http://mandalka.name/privatix/index.html.en
+ Everything has since been rewritten or so heavily changed that nothing
+ remains from the original code... apart of a bunch of Gnome settings.
+ * iceweasel
+ - default search engine is now Scroogle SSL, configured to search pages
+ in French language; the English one is also installed
+ - never ask to save passwords or forms content
+ - configured the torbutton extension to use polipo
+ - installed the CACert root certificate
+ - installed the SSL Blacklist extension and the blacklist data
+ - installed the FireGPG extension
+ - installed the CS Lite extension
+ - installed the NoScript extension
+ - NoScript, CS Lite: replaced the default whitelists with a list of
+ trusted, non-commercial Internet Service Providers
+ - configure extensions (add to prefs.js):
+ user_pref("extensions.torbutton.startup", true);
+ user_pref("extensions.torbutton.startup_state", 1);
+ user_pref("extensions.torbutton.tor_enabled", true);
+ user_pref("noscript.notify.hide", true);
+ user_pref("capability.policy.maonoscript.sites", "about:
+ about:blank about:certerror about:config about:credits
+ about:neterror about:plugins about:privatebrowsing
+ about:sessionrestore chrome: resource:");
+ user_pref("extensions.firegpg.no_updates", true);
+ * Tor
+ - enable the transparent proxy, the DNS resolver, and the control port
+ - save authentication cookie to /tmp/control_auth_cookie, so that the
+ live user can use Tork and co.
+ - autostart Tork with Gnome
+ - Tork: installed, disabled most notifications and startup tips
+ * build system
+ - build i386 images when the build host is amd64
+ - added a version file: /etc/amnesia/version
+ - use snapshot live-* packages inside the images
+ - setup timezone depending on the chosen build locale
+ * $HOME
+ - added a nautilus-script to wipe files and directories
+ - bash with working completion for the live user
+ * software: added
+ - gnome-app-install
+ - iwconfig
+ - cryptkeeper: Gnome system tray applet to encrypt files with EncFS
+ - kvkbd: virtual keyboard (installed from backports.org)
+ - sshfs (and added live user to the fuse group)
+ - less, secure-delete, wipe, seahorse, sshfs, ntfs-3g
+ * polipo: install and configure this HTTP proxy to forward requests
+ through Tor
+ * DNS: install and configure pdnsd to forward any DNS request through
+ the Tor resolver
+ * firewall: force every outgoing TCP connection through the Tor
+ transparent proxy, discard any outgoing UDP connection
+ * hardware support
+ - install a bunch of non-free wifi firmwares
+ - install xsane and add the live user to the scanner group
+ - install aircrack-ng
+ - install xserver-xorg-video-geode on i386 (eCafe support)
+ - install xserver-xorg-video-all
+ * misc
+ - set syslinux timeout to 4 seconds
+ - use splashy for more user-friendly boot/halt sequences
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/README b/config/chroot_local-includes/usr/share/doc/amnesia/README
new file mode 100644
index 0000000..79a79df
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/README
@@ -0,0 +1,37 @@
+-*- mode: markdown; -*-
+
+Building an image
+=================
+
+Customization
+-------------
+
+The settings that can be customized can be found in `config/amnesia`;
+e.g. images types to build, desktop environment.
+
+You'd better never directly edit this file: rather put your custom
+variable assignments in a new `config/amnesia.local` file. The values
+found in the `.local` file will override the ones from the
+upstream one.
+
+These configuration files are actually shell scripts, and are sourced
+by various other scripts.
+
+How to build
+------------
+
+All following commands must be run as `root`, at the root of the
+source directory: a Git checkout, an extracted tarball.
+
+Initialize the Live system's configuration with `lh_config`:
+
+ lh_config
+
+Optionally set your preferred language for the generated images; only
+"fr" is currently fully supported, but other languages are still worth
+trying:
+
+ lh_config --language fr
+
+You can then use the standard live-helper commands to build the chosen
+images (`lh build`) and to cleanup the build directory (`lh clean`).
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/README.eCAFE b/config/chroot_local-includes/usr/share/doc/amnesia/README.eCAFE
new file mode 100644
index 0000000..f1592a3
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/README.eCAFE
@@ -0,0 +1,45 @@
+-*- mode: markdown; -*-
+
+Hercules eCAFÉ™ EC-800
+======================
+
+Linux kernel
+------------
+
+`lh_config --linux-flavours 486`
+
+X.Org
+-----
+
+### Custom configuration file
+
+- copy, and optionally adapt, the custom `./examples/eCAFE/xorg.conf`
+ to `config/chroot_local-includes/etc/X11/` ; beware of the
+ permissions, non-root users must have read access to the including
+ X11 directory and to the `xorg.conf` file
+
+### Disable automatic X.Org configuration
+
+In `config/privatix`, add `noxautoconfig` to the `PRIVATIX_APPEND`
+boot parameters list.
+
+### Weird bugfix
+
+Probably due to a bug in `live-helper` or `live-initramfs`, one also has
+to create in the chroot:
+- the `/etc/X11` directory
+- the `/etc/X11/X` symbolic link.
+
+This can be easily achieved by copying `./examples/eCAFE/X11_fixup` to
+`config/chroot_local-hooks`. The copied file must have executable
+permissions set.
+
+Console frame buffer
+--------------------
+
+In `config/privatix`, edit the `PRIVATIX_APPEND` boot parameters list
+to:
+- remove `vga=791`
+- add `video=lxfb:800x480@60`
+
+
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/TODO b/config/chroot_local-includes/usr/share/doc/amnesia/TODO
new file mode 100644
index 0000000..6ade95c
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/TODO
@@ -0,0 +1,92 @@
+-*- mode: markdown; -*-
+
+release
+=======
+
+- add copyright
+- setup Git repository
+- setup web site
+
+build system
+============
+
+- bundle (and maybe adapt) home-refresh in the generated images
+
+hardware support
+================
+
+PowerPC
+-------
+
+- http://machine-cycle.blogspot.com/2009/05/running-debian-on-qemu-powerpc.html
+- /usr/share/doc/qemu/README.Debian
+- http://mac-on-linux.svn.sourceforge.net/viewvc/mac-on-linux/trunk/mollib/drivers/
+
+install/upgrade
+===============
+
+- install on (optionally encrypted) USB from CD
+- install on CD from USB?
+- clone the source directory to /usr/local/src/, and allow easy
+ remastering from the live system itself?
+- add 2nd encrypted data partition
+- USB: allow upgrading only the live system, not touching the other
+ partitions (use the iso + grub trick ? tar image + cp?)
+
+documentation
+=============
+
+- copy and adapt the privatix documentation
+- write documentation for install/upgrade
+
+iceweasel
+=========
+
+- do *not* ask to remember passwords
+- install some trusted, non-commercial SSL certificates (e.g.
+ Autistici/Inventati)
+- easily build a live system with a custom JavaScript/cookies
+ whitelist
+- remove *.sqlite *.db ?
+
+switch to Debian-packaged extensions
+------------------------------------
+
+- mozilla-noscript: done, deinstall + remove from $HOME
+- torbutton: done, deinstall + remove from $HOME
+- CS Lite: is another nice cookie manager already packaged?
+- SSL Blacklist: serious licensing problem, see thread on
+ pkg-mozext-maintainers@lists.alioth.debian.org, could be solved
+
+FireGPG
+-------
+
+- disable the buggy auto-detection feature
+- disable link to firegpg's homepage in generated pgp messages
+
+Pidgin
+======
+
+- base config?
+- add irc.indymedia.org + SSL certificate
+
+usecases
+========
+
+switch between use cases in syslinux menu
+- Tor enforcement
+- persistence
+
+steal some Incognito tricks
+===========================
+
+- look at `fsscript.sh` (Tor auth cookie, Tork user config, etc.)
+- smem
+- macchanger
+
+Misc.
+=====
+
+- fix TorK iconify on startup
+- is `allow-user-other` necessary for sshfs? (`/etc/fuse.conf`)
+- install seahorse-plugins (e.g. for Gedit) which is not in Lenny
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/X11_fixup b/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/X11_fixup
new file mode 100755
index 0000000..52b9a3b
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/X11_fixup
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -d /etc/X11 ]; then
+ mkdir /etc/X11
+ chmod 755 /etc/X11
+fi
+ln -s --force /usr/bin/Xorg /etc/X11/X
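Review bot: Nothing in this hook stops on failure, so if `mkdir /etc/X11` fails (or `chmod` does) the script continues and `ln -s --force` still runs; a hook whose only job is to guarantee that directory and link should abort the build instead, and a `set -e` line after the shebang does that. The `chmod 755` is also only reached when the directory is freshly created, so a pre-existing `/etc/X11` with restrictive permissions keeps them, which contradicts the read-access requirement the README.eCAFE in this same commit states for the X11 directory; replacing the `if` block with `mkdir -p /etc/X11` followed by `chmod 755 /etc/X11` makes both steps idempotent and unconditional. A one-line header comment such as `# live-helper chroot hook: ensure /etc/X11 exists and /etc/X11/X points at Xorg (workaround, see README.eCAFE)` would tell the next reader why this exists at all.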
diff --git a/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/xorg.conf b/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/xorg.conf
new file mode 100644
index 0000000..37e2f6d
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/doc/amnesia/examples/eCAFE/xorg.conf
@@ -0,0 +1,47 @@
+# xorg.conf (X.Org X Window System server configuration file)
+
+Section "InputDevice"
+ Identifier "Generic Keyboard"
+ Driver "kbd"
+ Option "XkbRules" "xorg"
+ Option "XkbModel" "pc105"
+ Option "XkbLayout" "fr"
+EndSection
+
+Section "InputDevice"
+ Identifier "Configured Mouse"
+ Driver "mouse"
+EndSection
+
+Section "Device"
+ Identifier "Configured Video Device"
+ Driver "geode"
+ BusID "PCI:0:1:1"
+ Option "UseFBDev" "true"
+ Option "PanelGeometry" "800x480"
+EndSection
+
+Section "Monitor"
+ Identifier "Configured Monitor"
+ Option "DPMS"
+ HorizSync 25 - 50
+ VertRefresh 50.0 - 75.0
+ Modeline "800x480" 33.45 800 840 968 1056 480 490 492 525 -hsync -vsync
+ Modeline "1024x600" 48.96 1024 1064 1168 1312 600 601 604 622 -hsync +vsync
+ Modeline "1024x768" 64.56 1024 1056 1296 1328 768 783 791 807 -hsync +vsync
+ DisplaySize 255 150
+EndSection
+
+Section "Screen"
+ Identifier "Default Screen"
+ Monitor "Configured Monitor"
+ Device "Configured Video Device"
+ DefaultDepth 16
+ SubSection "Display"
+ Depth 16
+ Modes "800x480"
+ Viewport 0 0
+ EndSubSection
+ #Virtual 1024 768
+EndSection
+