doc: update container documentation a bit

Signed-off-by: Joachim Wiberg <[email protected]>

Author: troglobit

README.md

@@ -20,20 +20,34 @@ compatible runtime.
 
 The [KernelKit AppStore][2] on GHCR provides the following pre-built images.
 
+
 ### [curiOS system][3]
 
-A system container, example of how to run multiple services.  Comes with the
-following services and tools:
+An example system container, shows how to run multiple services.  Comes with
+the following services and tools:
 
+ - BusyBox (full configuration)
  - Dropbear SSH daemon
  - mini-snmpd
  - netopeer-cli
  - nftables
  - ntpd
 
+See this blog post on how to use this container with Infix:
+
+ - [Infix Advanced Container Networking](https://kernelkit.org/posts/advanced-containers/)
+
+
 ### [curiOS ntpd][4]
 
-ISC ntpd supports [multicasting NTP][10] to a subnet.
+This container is only `ntpd`, started by `tini` with `-n -g` flags.  The
+default configuration file is `/etc/ntp.conf`, see `doc/` for a sample.  To
+override use a mount or volume, and remember to also set up a volume for the
+`/var` or `/var/lib` directory to let the daemon save drift data.
+
+ISC ntpd supports [multicasting NTP][10] to a subnet.  For more information
+see the [official ntpd site](https://www.ntp.org/).
+
 
 ### [curiOS nftables][5]
 
@@ -44,12 +58,28 @@ At shutdown `nft flush ruleset` is called.
 This container comes with a minimal set of BusyBox tools, including a shell,
 so the `nftables.conf` file can be modified from inside the container (vi).
 Although the most common use-case is to mount a file from the host system.
+See `doc/` for two samples: end-device and home router.
+
+See this blog post on how to use this container with Infix:
+
+ - [Infix w/ WAN+LAN firewall setup](https://kernelkit.org/posts/firewall-container/)
+
 
 ### [curiOS httpd][6]
 
 Tiny web server container based on BusyBox httpd, suitable for embedding in a
 firmware image as an example container.
 
+The server looks for `/var/www/index.html`, so use a volume on `/var/www` to
+change the default web page.
+
+With a custom command you can also change the default command line, e.g, to
+run in foreground, with verbose mode, on port 8080:
+
+ - `/usr/sbin/httpd -f -v -p 8080`
+
+For more help, see the [BusyBox docs](https://busybox.net/downloads/BusyBox.html#httpd)
+
 
 ## Origin & References
 

doc/nftables-router.conf.sample

@@ -0,0 +1,79 @@
+#!/usr/sbin/nft -f
+# Simple home router ruleset with NAT, LAN access, and limited WAN exposure
+define WAN = eth0
+define LAN = br0
+define NET = 192.168.0.0/24
+
+# Clear existing rules to avoid duplication or conflicts
+flush ruleset
+
+table ip filter {
+    chain wan {
+        # Accept ping for diagnostics, with rate limit
+        icmp type echo-request limit rate 5/second accept
+
+        # allow SSH connections from some well-known internet host
+        #ip saddr 81.209.165.42 tcp dport ssh accept
+    }
+
+    chain lan {
+        icmp type echo-request accept
+
+        # allow DHCP, DNS and SSH from the private network
+        ip protocol . th dport vmap {
+            tcp . 22 : accept,
+            udp . 53 : accept,
+            tcp . 53 : accept,
+            udp . 67 : accept,
+            udp . 68 : accept
+        }
+
+        # allow anything else from trusted subnet
+        ip saddr $NET accept
+    }
+
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap {
+            established : accept,
+            related     : accept,
+            invalid     : drop
+        }
+
+        # allow loopback traffic, anything else jump to chain for further evaluation
+        iifname vmap {
+            lo   : accept,
+            $WAN : jump wan,
+            $LAN : jump lan
+        }
+
+        # the rest is dropped by the above policy
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # allow new connections from LAN
+        iifname $LAN accept
+
+        # Allow traffic from established and related packets, drop invalid
+        ct state vmap {
+            established : accept,
+            related     : accept,
+            invalid     : drop
+        }
+    }
+}
+
+table ip nat {
+    chain prerouting {
+        type nat hook prerouting priority filter; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+        ip saddr $NET oif $WAN masquerade
+    }
+}

doc/nftables.conf.sample

@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+# Simple firewall for end devices, allows SSH, HTTPS, NETCONF (SSH), and ICMP
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    ct state {established, related} accept
+    ct state invalid drop
+
+    iifname lo accept
+
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    tcp dport {ssh, https, netconf} accept
+
+    reject with icmp type port-unreachable
+  }
+
+  chain forward {
+    type filter hook forward priority 0;
+    drop
+  }
+
+  chain output {
+    type filter hook output priority 0;
+  }
+}

doc/ntp.conf.sample

@@ -0,0 +1,10 @@
+server 0.pool.ntp.org iburst
+server 1.pool.ntp.org iburst
+server 2.pool.ntp.org iburst
+server 3.pool.ntp.org iburst
+
+# Allow only time queries, at a limited rate, sending KoD when in excess.
+# Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
+restrict 127.0.0.1
+restrict [::1]