Index: /trunk/nanobsd/files/boot/loader.conf =================================================================== --- /trunk/nanobsd/files/boot/loader.conf (revision 10132) +++ /trunk/nanobsd/files/boot/loader.conf (revision 10136) @@ -20,9 +20,2 @@ # Force output to run trough the comconsole, no exceptions console="comconsole" - -# moduleis for usb-lan adapters -if_mos_load="YES" -if_axe_load="YES" -if_aue_load="YES" - - Index: /trunk/nanobsd/files/etc/crontab =================================================================== --- /trunk/nanobsd/files/etc/crontab (revision 10132) +++ /trunk/nanobsd/files/etc/crontab (revision 10136) @@ -28,2 +28,6 @@ # Write updates for ntp.drift to flash 0 12 * * * root /usr/local/bin/write_ntpdrift +# +# Nagios checks +30 * * * * root /usr/local/dense/dense.sh +*/15 * * * * root /usr/local/sbin/check-inet-alive Index: /trunk/nanobsd/files/etc/dhclient.conf =================================================================== --- /trunk/nanobsd/files/etc/dhclient.conf (revision 10136) +++ /trunk/nanobsd/files/etc/dhclient.conf (revision 10136) @@ -0,0 +1,11 @@ +# $FreeBSD: src/etc/dhclient.conf,v 1.3.36.1.2.1 2009/10/25 01:10:29 kensmith Exp $ +# +# This file is required by the ISC DHCP client. +# See ``man 5 dhclient.conf'' for details. +# +# In most cases an empty file is sufficient for most people as the +# defaults are usually fine. + +# If a proxy get his IP via DHCP it's resolv.conf should keep the relevant entries +prepend domain-name "wleiden.net "; +prepend domain-name-servers 127.0.0.1; Index: /trunk/nanobsd/files/etc/ipfw.sh =================================================================== --- /trunk/nanobsd/files/etc/ipfw.sh (revision 10132) +++ /trunk/nanobsd/files/etc/ipfw.sh (revision 10136) @@ -1,5 +1,13 @@ #!/bin/sh - +# Based on /etc/rc.firewall +# +# Credits: Richard van Mansom, Rick van der Zwet -# Based on /etc/rc.firewall + +allowed2internet="80,443" +maxconnections="10" + +RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" +WLNET='172.16.0.0/12' # Suck in the configuration variables. @@ -34,4 +42,21 @@ esac +########### +# Set Internal/External Interface +# +driver=`echo ${internalif} | sed 's/[0-9]*//g'` +seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'` + +if [ ${seq} = 0 ]; then + seq=`expr ${seq} \+ 1` +else + seq=`expr ${seq} \- 1` +fi + +externalif="$driver$seq" + +# Get interface Addresses +externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'` +internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'` ############ # Flush out the list before we begin. @@ -41,28 +66,61 @@ setup_loopback -############ - -# By default no firewalling -${fwcmd} add 65000 pass all from any to any - -# Transproxy/WLportal/Captive portal -${fwcmd} add 10000 allow tcp from any to localhost 80 -${fwcmd} add 10001 allow tcp from any to me 80 ############ -# Reserved: Whitelist rule numbers -# 10002 - 10009 -NR=10002 - for IP in $captive_portal_whitelist; do - ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80 - NR=`expr $NR + 1` +# Block the hosters network (and maybe others) +for IP in ${firewall_block} +do + ${fwcmd} add deny ip from any to ${IP} in via $internalif done ############ -# Reserved: WLPortal rule numbers -# 10010 - 10099 +# Statefull filewall in use +${fwcmd} add check-state -# Forward rules work without a base address, so needed a loop over all inet4 adresses -for INF in $captive_portal_interfaces; do - ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF} -done +# Allow anything originating from me +${fwcmd} add allow ip from me to any keep-state + + +############# +# Outbound NAT setup +# WL Net -> Internet +${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif +${fwcmd} add nat 100 all from any to $externalip in recv $externalif +${fwcmd} nat 100 config if $externalif + +# Subnet Internet is allowed +${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections + + +############# +# Internal Network -> WL Net +# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL +${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif +${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif +${fwcmd} nat 200 config if $internalif + +# Allow all traffic inbound +${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state + + +############# +## Services in use +## Allow on external interface +external_allow_tcp="ssh" +${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state + +## Allow on internal interface +internal_allow_tcp="ssh,domain,3128" +internal_allow_udp="ntp,domain,snmp,12345" +${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state +${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state + +# Basic ICMP managment traffic +${fwcmd} add allow icmp from any to me icmptype 8 +${fwcmd} add allow icmp from me to any icmptype 3,4,11 + + +############# +# Block anything else +${fwcmd} add 65000 deny log logamount 500 ip from any to any + Index: /trunk/nanobsd/files/etc/ntp.conf =================================================================== --- /trunk/nanobsd/files/etc/ntp.conf (revision 10132) +++ /trunk/nanobsd/files/etc/ntp.conf (revision 10136) @@ -1,17 +1,22 @@ #XXX: Might need to be dynamic -server 172.17.8.68 # proxy1 -server 172.17.143.4 # proxy2 -server 172.20.128.98 # proxy3 -server 172.16.2.254 # proxy4 -server 172.19.168.66 # proxy5 -server 172.16.3.146 # proxy6 -server 172.17.16.66 # proxy62 -server 172.17.0.1 # proxy7 -server 172.16.4.54 # proxy9 -server 172.22.0.66 # proxy10 -server 172.23.25.66 # proxy11 -server 172.16.3.98 # proxy13 -server 172.17.169.66 # proxy97 +# server 172.17.8.68 # proxy1 +# server 172.17.143.4 # proxy2 +# server 172.20.128.98 # proxy3 +# server 172.19.137.67 # proxy4 +# server 172.19.168.66 # proxy5 + +#XXX: All it's local nighboor addresses + +# server proxy1.wleiden.net # autokey +# server proxy2.wleiden.net # autokey +# server proxy3.wleiden.net # autokey +server 0.nl.pool.ntp.org +server 1.nl.pool.ntp.org +server 2.nl.pool.ntp.org +server 3.nl.pool.ntp.org + # In case machine get hooked to internet (and got working dns) + + # and if all failes - use our local crummy clock Index: /trunk/nanobsd/files/etc/rc.conf =================================================================== --- /trunk/nanobsd/files/etc/rc.conf (revision 10132) +++ /trunk/nanobsd/files/etc/rc.conf (revision 10136) @@ -2,10 +2,6 @@ dumpdev="NO" # No kernel dumps as we don't have a place to # store them -gateway_enable="YES" # Act like a gateway please +gateway_enable="NO" # Do NOT act like a gateway ipv6_enable="NO" # No IPv6 support for now, near feature... ;-) - -# Firewall needed for port redirection (captive portal, splash screen) -firewall_enable="YES" -firewall_script="/etc/ipfw.sh" # NTP server needs working config with WL network or internet on boot @@ -21,5 +17,5 @@ # Don't let syslog accept input from other remote hosts syslogd_enable="YES" -syslogd_flags="-s -A -c" +syslogd_flags="-s -A -c -b 127.0.0.1" # Remote login without DNS checking as it might not also be functionable @@ -34,9 +30,4 @@ update_nanobsd_motd="YES" -## Port extentions -# Serve our clients some pretty cool IP address to at least get connected -# Also some low-memory footprint dns resolver -dnsmasq_enable="YES" - # Monitoring deamons nrpe2_enable="YES" @@ -44,27 +35,13 @@ snmpd_flags="-a -LF w /var/log/snmpd.log" -# Some nodes will serve as HTTP(S) proxy server -tinyproxy_enable="NO" +# HTTP(S) proxy server +tinyproxy_enable="YES" -## WL ports extentions -thttpd_enable="YES" -http302_enable="YES" - -lvrouted_enable="YES" -lvrouted_flags="-u -s s00p3rs3kr3t -m 28 -z 172.16.2.254,172.17.0.1,172.23.25.66,172.17.169.66" +# Nameserver for internet and wleiden.net +maradns_enable="YES" +dnsmasq_enable="NO" +fetchzone_enable="YES" # Make sure generated ssh keys are saved nanobsd_save_sshkeys_enable="YES" -# Do some cool stuff with pen, like checking on best connections and reload, so -# need a wrapper instead of the conventional startup script -pen_wrapper_enable="YES" - -## Initial (network) configuration -# -hostname="ChangeMe.example.org" -# XXX: Maybe something cool (zero config) as initial configuration - -## Iperf server mode -# -iperf_enable="YES" Index: /trunk/nanobsd/files/etc/resolv.conf =================================================================== --- /trunk/nanobsd/files/etc/resolv.conf (revision 10136) +++ /trunk/nanobsd/files/etc/resolv.conf (revision 10136) @@ -0,0 +1,4 @@ +nameserver 127.0.0.1 +nameserver 8.8.8.8 +nameserver 8.8.4.4 +search wleiden.net Index: /trunk/nanobsd/files/etc/sysctl.conf =================================================================== --- /trunk/nanobsd/files/etc/sysctl.conf (revision 10132) +++ /trunk/nanobsd/files/etc/sysctl.conf (revision 10136) @@ -1,8 +1,5 @@ -# Value depends on link radio with estimated range of 500m, which seems to be a -# maximum usage of our Omni Antenna's. Calculation used: -# (remember radio signals travel with 300m/s) -# acktimeout = 23 + (link_length * 2 / 300) -dev.ath.0.slottime=23 -dev.ath.0.acktimeout=27 -dev.ath.0.ctstimeout=27 -net.link.ether.inet.max_age=300 +#XXX: Might needs to be dynamic as value depends on link length +# Turned of since it is highly unlikely that a proxy will use a wlan interface +# dev.ath.0.acktimeout=35 +# dev.ath.1.acktimeout=35 +# dev.ath.2.acktimeout=35 Index: /trunk/nanobsd/files/tools/nsdc-rebuild.sh =================================================================== --- /trunk/nanobsd/files/tools/nsdc-rebuild.sh (revision 10136) +++ /trunk/nanobsd/files/tools/nsdc-rebuild.sh (revision 10136) @@ -0,0 +1,6 @@ +#!/bin/sh + +if [ ! -f /var/db/nsd/ixfr.db ]; then + nsdc rebuild + nsdc start +fi Index: /trunk/nanobsd/files/tools/update-file =================================================================== --- /trunk/nanobsd/files/tools/update-file (revision 10136) +++ /trunk/nanobsd/files/tools/update-file (revision 10136) @@ -0,0 +1,60 @@ +#!/bin/sh +# +# Update an single file (content via stdin) on the flash disk if the md5 does +# not match. This script tries to be on the safe side by checking md5 at +# various stages. +# +# TODO: Maybe rsync is also able to perform the mount and umount before and +# after, this will eliminate all the hacking with md5 checks. +# +# Rick van der Zwet +# + +if [ -z "$1" ]; then + echo "Usage: $0 [ [ []]]" 1>&2 + exit 128 +fi + +FILE=$1 +NEW_MD5=${2:-""} +MODE_BITS=${3:-""} +OWNERSHIP=${4:-""} + +if [ ! -f "$FILE" ]; then + echo "# ERROR: File $FILE does not exists" 1>&2 + exit 1 +fi + +# First try to transfer file to local system +# this restricts the filesize to the maximum size of the /tmp system +TMPFILE=`mktemp -t $(basename $0)` || exit 1 +cat > $TMPFILE || exit 1 +TMP_MD5="`md5 -q $TMPFILE`" || exit 1 + +# Check which md5 to use, the given one or the calculated one +if [ -n "$NEW_MD5" ]; then + TARGET_MD5="$NEW_MD5" + if [ "$TMP_MD5" != "$TARGET_MD5" ]; then + echo "# ERROR: File transfer failed" 1>&2 + exit 2 + fi +else + TARGET_MD5="$TMP_MD5" +fi + +# Actually check whether we need to copy the file +CURRENT_MD5=`md5 -q $FILE` || exit 1 +if [ "$CURRENT_MD5" != "$TARGET_MD5" ]; then + echo "# INFO: Updating $FILE; old MD5 $CURRENT_MD5" + mount -uwo noatime / || exit 1 + cp -f $TMPFILE $FILE + [ -n "$MODE_BITS" ] && chmod $MODE_BITS $FILE + [ -n "$OWNERSHIP" ] && chown $OWNERSHIP $FILE + mount -ur / + + # Make sure to recheck the md5 alter write to make sure all went ok + RECHECK_MD5=`md5 -q $FILE` + echo "# INFO: Updated $FILE; new MD5 $RECHECK_MD5" +else + echo "# INFO: File $FILE already has md5 $CURRENT_MD5" +fi Index: /trunk/nanobsd/files/tools/wl-config =================================================================== --- /trunk/nanobsd/files/tools/wl-config (revision 10132) +++ /trunk/nanobsd/files/tools/wl-config (revision 10136) @@ -1,37 +1,16 @@ #!/bin/sh -# Wireless Leiden config-update script for FreeBSD 8.0 (nanobsd) +# Wireless Leiden proxy config-update script for FreeBSD 8.0 (nanobsd) # Based on the 'API' of Jasper -# Rick van der Zwet +# Rick van der Zwet ; Richard van Mansom # XXX: TODO, some proper error checking for fetch - -# Slow connection = no connection -export HTTP_TIMEOUT=3 - - -check_access() { - # Direct Access - Internal IP - BASEURL="http://172.16.4.46/wleiden/config/" - echo "# INFO: Trying to fetch via internal WL $BASEURL" - fetch -o /dev/null -q $BASEURL > /dev/null && return - echo "# WARN: Fetch via internal $BASEURL failed" - - # Direct Access - External DNS - BASEURL="http://132.229.112.21/wleiden/config/" - echo "# INFO: Trying to fetch via external $BASEURL" - fetch -o /dev/null -q $BASEURL > /dev/null && return - echo "# CRIT: Fetch via external $BASEURL failed" - - exit 1 -} -check_access - +BASEURL="http://132.229.112.21/config/iris/proxy/FreeBSD/8.0-RELEASE/g_list.pl" # Default config to fetch -CONFIG=`hostname -s` +CONFIG=`hostname -s | tr '[A-Z]' '[a-z]'` # Determine it's statup and running location and some other hints # Skip named.conf as it not planned in current release -FILES="authorized_keys dnsmasq.conf rc.conf.local resolv.conf motd wleiden.yaml" +FILES="authorized_keys rc.conf.local resolv.conf" file_details() { case "$1" in @@ -40,19 +19,4 @@ RUNNING_LOC="/etc/dot_ssh/${FILE}" FILE_HINT="" - ;; - 'motd') - STARTUP_LOC="/cfg/$1" - RUNNING_LOC="/etc/$1" - FILE_HINT="" - ;; - 'dnsmasq.conf') - STARTUP_LOC="/cfg/local/${FILE}" - RUNNING_LOC="/etc/local/${FILE}" - FILE_HINT="/usr/local/etc/rc.d/dnsmasq restart" - ;; - 'named.conf') - STARTUP_LOC="/cfg/namedb/${FILE}" - RUNNING_LOC="/etc/namedb/${FILE}" - FILE_HINT="/etc/rc.d/named restart" ;; 'rc.conf.local') @@ -66,9 +30,4 @@ FILE_HINT="" ;; - 'wleiden.yaml') - STARTUP_LOC="/cfg/local/${FILE}" - RUNNING_LOC="/etc/local/${FILE}" - FILE_HINT="" - ;; esac } @@ -77,12 +36,12 @@ ( echo "Usage: $0 [-bn] [-c ] [-m ]" - echo " -b = batch mode, no user input" - echo " -c = default configuration to fetch" - echo " -n = do not mount config partition" - echo " -m all = copy config files to running & config partition [default]" - echo " -m startup = copy config files to config partition" - echo " -m testing = do not copy config files" - echo " -m running = copy config files to running partition" - echo " -m hack = copy running files to config partition" + echo " -b batch mode, no user input" + echo " -c default configuration to fetch" + echo " -n do not mount config partition" + echo " -m all copy config files to running & config partition [default]" + echo " -m startup copy config files to config partition" + echo " -m testing do not copy config files" + echo " -m running copy config files to running partition" + echo " -m hack copy running files to config partition" ) 1>&2 exit 2 @@ -121,14 +80,14 @@ if [ "${OPT_RUNNING}" -eq 1 ]; then - echo "# INFO: Storing new config files in running configuration" + echo "INFO: Storing new config files in running configuration" fi if [ "${OPT_STARTUP}" -eq 1 ]; then - echo "# INFO: Storing new config files in startup configuration" + echo "INFO: Storing new config files in startup configuration" fi if [ "${OPT_HACK}" -eq 1 ]; then - echo "# WARN: Copy running configuration to startup configuration" - echo "# WARN: Please do mind to document/mention this changes somewhere" + echo "WARN: Copy running configuration to startup configuration" + echo "WARN: Please do mind to document/mention this changes somewhere" fi @@ -148,5 +107,5 @@ else echo "WARNING: Input '${INPUT}' is not valid, some hints..." - grep -i "${INPUT}" ${TMPDIR}/node_list.txt + grep "${INPUT}" ${TMPDIR}/node_list.txt return 1 fi @@ -197,10 +156,10 @@ # Copy file, saving some bits if no change needed copy_file() { - NEWFILE=$1 + SOURCE=$1 TARGET=$2 - diff -I '^# Generated at ' ${TARGET} ${NEWFILE} 2>/dev/null + diff -q ${SOURCE} ${TARGET} >/dev/null 2>/dev/null if [ $? -ne 0 ]; then mkdir -p `dirname ${TARGET}` || exit 1 - cp ${NEWFILE} ${TARGET} || exit 1 + cp ${SOURCE} ${TARGET} || exit 1 return $? fi @@ -241,5 +200,5 @@ file_details ${FILE} - echo "# INFO: Working on file: '${FILE}'" + echo "INFO: Working on file: '${FILE}'" # Copy file boot location if [ ${OPT_STARTUP} -eq 1 ]; then @@ -251,7 +210,7 @@ copy_file ${FRESH_LOC} ${RUNNING_LOC} if [ $? -eq 0 ]; then - echo "# INFO: '${FILE}' changed" + echo "INFO: '${FILE}' changed" if [ -n "${FILE_HINT}" ]; then - echo "# INFO: For instant activate: ${FILE_HINT}" + echo "INFO: For instant activate: ${FILE_HINT}" echo "" fi Index: /trunk/nanobsd/files/usr/local/bin/pen_wrapper =================================================================== --- /trunk/nanobsd/files/usr/local/bin/pen_wrapper (revision 10132) +++ /trunk/nanobsd/files/usr/local/bin/pen_wrapper (revision 10136) @@ -9,16 +9,5 @@ #XXX: Really static list, some dynamic alternative prefered -PROXY_LIST="${3-172.17.8.68:3128 \ - 172.17.143.4:3128 \ - 172.20.128.98:3128 \ - 172.16.2.254:3128 \ - 172.19.168.66:3128 \ - 172.16.3.146:3128 \ - 172.17.16.66:3128 \ - 172.17.0.1:3128 \ - 172.16.4.54:3128 \ - 172.22.0.66:3128 \ - 172.23.25.66:3128 \ - 172.17.169.66:3128}" +PROXY_LIST="${3-172.17.8.68:3128 172.17.143.4:3128 172.20.128.98:3128 172.16.2.254:3128 172.19.168.66:3128}" Index: /trunk/nanobsd/files/usr/local/etc/mararc =================================================================== --- /trunk/nanobsd/files/usr/local/etc/mararc (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/mararc (revision 10136) @@ -0,0 +1,238 @@ +# Example mararc file (unabridged version) + +# The various zones we support + +# We must initialize the csv2 hash, or MaraDNS will be unable to +# load any csv2 zone files +csv2 = {} + +# This is just to show the format of the file +#csv2["example.com."] = "db.example.com" + +csv2["wleiden.net."] = "db.wleiden.net." +csv2["16.172.in-addr.arpa."] = "db.16.172.in-addr.arpa." +csv2["17.172.in-addr.arpa."] = "db.17.172.in-addr.arpa." +csv2["18.172.in-addr.arpa."] = "db.18.172.in-addr.arpa." +csv2["19.172.in-addr.arpa."] = "db.19.172.in-addr.arpa." +csv2["20.172.in-addr.arpa."] = "db.20.172.in-addr.arpa." +csv2["21.172.in-addr.arpa."] = "db.21.172.in-addr.arpa." +csv2["22.172.in-addr.arpa."] = "db.22.172.in-addr.arpa." +csv2["23.172.in-addr.arpa."] = "db.23.172.in-addr.arpa." +csv2["24.172.in-addr.arpa."] = "db.24.172.in-addr.arpa." +csv2["25.172.in-addr.arpa."] = "db.25.172.in-addr.arpa." +csv2["26.172.in-addr.arpa."] = "db.26.172.in-addr.arpa." +csv2["27.172.in-addr.arpa."] = "db.27.172.in-addr.arpa." +csv2["28.172.in-addr.arpa."] = "db.28.172.in-addr.arpa." +csv2["29.172.in-addr.arpa."] = "db.29.172.in-addr.arpa." +csv2["30.172.in-addr.arpa."] = "db.30.172.in-addr.arpa." +csv2["31.172.in-addr.arpa."] = "db.31.172.in-addr.arpa." + +# The address this DNS server runs on. If you want to bind +# to multiple addresses, separate them with a comma like this: +ipv4_bind_addresses = "127.0.0.1" +# The directory with all of the zone files +chroot_dir = "/usr/local/etc/maradns" +# The numeric UID MaraDNS will run as +maradns_uid = 53 +# The (optional) numeric GID MaraDNS will run as +maradns_gid = 53 +# The maximum number of threads (or processes, with the zone server) +# MaraDNS is allowed to run +maxprocs = 96 +# It is possible to specify a different maximum number of processes that +# the zone server can run. If this is not set, the maximum number of +# processes that the zone server can have defaults to the 'maxprocs' value +# above +# max_tcp_procs = 64 + +# Normally, MaraDNS has some MaraDNS-specific features, such as DDIP +# synthesizing, a special DNS query ("erre-con-erre-cigarro.maradns.org." +# with a TXT query returns the version of MaraDNS that a server is +# running), unique handling of multiple QDCOUNTs, etc. Some people +# might not like these features, so I have added a switch that lets +# a sys admin disable all these features. Just give "no_fingerprint" +# a value of one here, and MaraDNS should be more or less +# indistinguishable from a tinydns server. +no_fingerprint = 0 + +# Normally, MaraDNS only returns A and MX records when given a +# QTYPE=* (all RR types) query. Changing the value of default_rrany_set +# to 15 causes MaraDNS to also return the NS and SOA records, which +# some registrars require. The default value of this is 3 +default_rrany_set = 3 + +# These constants limit the number of records we will display, in order +# to help keep packets 512 bytes or smaller. This, combined with round_robin +# record rotation, help to use DNS as a crude load-balancer. + +# The maximum number of records to display in a chain of records (list +# of records) for a given host name +max_chain = 8 +# The maximum number of records to display in a list of records in the +# additional section of a query. If this is any value besides one, +# round robin rotation is disabled (due to limitations in the current +# data structure MaraDNS uses) +max_ar_chain = 1 +# The maximum number of records to show total for a given question +max_total = 20 + +# The number of messages we log to stdout +# 0: No messages except for fatal parsing errors and the legal disclaimer +# 1: Only startup messages logged (default) +# 2: Error queries logged +# 3: All queries logged (but not very verbosely right now) +verbose_level = 1 + +# Initialize the IP aliases, which are used by the list of root name servers, +# the ACL for zone transfers, and the ACL of who gets to perform recursive +# queries +ipv4_alias = {} + +# Various sets of root name servers +# Note: Netmasks can exist, but are ignored when specifying root name server + +# ICANN: the most common and most controversial root name server +# http://www.icann.org +# This list can be seen at http://www.root-servers.org/ +ipv4_alias["icann"] = "198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90," +ipv4_alias["icann"] += "192.203.230.10, 192.5.5.241, 192.112.36.4," +ipv4_alias["icann"] += "128.63.2.53, 192.36.148.17, 192.58.128.30," +ipv4_alias["icann"] += "193.0.14.129, 199.7.83.42, 202.12.27.33" + +# OpenNIC: http://www.opennic.unrated.net/ +# Current as of 2005/11/30; these servers change frequently so please +# look at their web page +ipv4_alias["opennic"] = "157.238.46.24, 209.104.33.250, 209.104.63.249," +ipv4_alias["opennic"] += "130.94.168.216, 209.21.75.53, 64.114.34.119," +ipv4_alias["opennic"] += "207.6.128.246, 167.216.255.199, 62.208.181.95," +ipv4_alias["opennic"] += "216.87.153.98, 216.178.136.116" + +# End of list of root name server lists + +# Here is a ACL which restricts who is allowed to perform zone transfer from +# the zoneserver program + +# Simplest form: 10.1.1.1/24 (IP: 10.1.1.1, 24 left bits in IP need to match) +# and 10.100.100.100/255.255.255.224 (IP: 10.100.100.100, netmask +# 255.255.255.224) are allowed to connect to the zone server +# NOTE: The "maradns" program does not serve zones. Zones are served +# by the "zoneserver" program. +#zone_transfer_acl = "10.1.1.1/24, 10.100.100.100/255.255.255.224" + +# More complex: We create two aliases: One called "office" and another +# called "home". We allow anyone in the office or at home to perform zone +# transfers +#ipv4_alias["office"] = "10.1.1.1/24" +#ipv4_alias["home"] = "10.100.100.100/255.255.255.224" +#zone_transfer_acl = "office, home" + +# More complex then the last example. We have three employees, +# Susan, Becca, and Mia, whose computers we give zone transfer rights to. +# Susan and Becca are system administrators, and Mia is a developer. +# They are all part of the company. We give the entire company zone +# transfer access +#ipv4_alias["susan"] = "10.6.7.8/32" # Single IP allowed +#ipv4_alias["becca"] = "10.7.8.9" # also a single IP +#ipv4_alias["mia"] = "10.8.9.10/255.255.255.255" # Also a single IP +#ipv4_alias["sysadmins"] = "susan, becca" +#ipv4_alias["devel"] = "mia" +#ipv4_alias["company"] = "sysadmins, devel" +# This is equivalent to the above line +#ipv4_alias["company"] = "susan, becca, mia" +#zone_transfer_acl = "company" + +# If you want to enable recursion on the loopback interface, uncomment +# the relevant lines in the following section + +# Recursive ACL: Who is allowed to perform recursive queries. The format +# is identical to that of "zone_transfer_acl", including ipv4_alias support + +ipv4_alias["wleiden"] = "172.16.0.0/12" +ipv4_alias["localhost"] = "127.0.0.0/8" +recursive_acl = "localhost, wleiden" + +# Random seed file: The file from which we read 16 bytes from to get the +# 128-bit random Rijndael key. This is ideally a file which is a good source +# of random numbers, but can also be a fixed file if your OS does not have +# a decent random number generator (make sure the contents of that file is +# random and with 600 perms, owned by root, since we read the file *before* +# dropping root privileges) + +#random_seed_file = "/dev/urandom" + +# The maximum number of elements we can have in the cache. If we have more +# elements in the cache than this amount, the "custodian" kicks in to effect, +# removing elements not recently accessed from the cache (8 elements removed +# per query) until we are at the 99% level or so again. + +#maximum_cache_elements = 1024 + +# It is possible to change the minimal "time to live" for entries in the +# cache; this is the minimum time that an entry will stay in the cache. +# Value is in seconds; default is 300 (5 minutes) +#min_ttl = 300 +# CNAME records generally take more effort to resolve in MaraDNS than +# non-CNAME records; it is a good idea to make this higher then min_ttl +# default value is to be the same as min_ttl +#min_ttl_cname = 900 + +# The root servers which we use when making recursive queries. + +# The following line must be uncommented to enable custom root servers +# for recursive queries +# root_servers = {} + +# You can choose which set of root servers to use. Current values (set above) +# are: icann, osrc, alternic, opennic, pacificroot, irsc, tinc, and +# superroot. +# root_servers["."] = "icann" + +upstream_servers = {} + +# If you prefer to contact other recursive DNS servers instead of the ICANN +# root servers, this is done with the upstream_servers mararc variable: +upstream_servers["."] = "8.8.8.8, 8.8.4.4" + +# You can tell MaraDNS to *not* query certain DNS servers when in recursive +# mode. This is mainly used to not allow spam-friendly domains to resolve, +# since spammers are starting to get in the habit of using spam-friendly +# DNS servers to resolve their domains, allowing them to hop from ISP to +# ISP. The format of this is the same as for zone_transfer_acl and +# recursive_acl + +# For example, at the time of this document (August 12, 2001), azmalink.net +# is a known spam-friendly DNS provider (see doc/detailed/spammers/azmalink.net +# for details.) Note that this is based on IPs, and azmalink.net constantly +# changes IPs (as they constantly have to change ISPs) +# 2002/10/12: Azmalink changed ISP again, this reflect their current ISP +ipv4_alias["azmalink"] = "12.164.194.0/24" + +# As of September 20, 2001, hiddenonline.net is a known spam-friendly +# DNS provider (see doc/detailed/spammers/hiddenonline for details). +ipv4_alias["hiddenonline"] = "65.107.225.0/24" +spammers = "azmalink,hiddenonline" + +# It is also possible to change the maximum number of times MaraDNS will +# follow a CNAME record or a NS record with a glue A record. The default +# value for this is ten. +#max_glueless_level = 10 +# In addition, one can change the maximum number of total queries that +# MaraDNS will perform to look up a host name. The default value is 32. +#max_queries_total = 32 +# In addition, one can change the amount of time that MaraDNS will wait +# for a DNS server to respond before giving up and trying the next DNS +# server on a list. Note that, the larger this value is, the slower +# MaraDNS will process recursive queries when a DNS server is not +# responding to DNS queries. The default value is two seconds. +#timeout_seconds = 2 + + +# And that does it for the caching at this point + +# I have read the bloody disclaimer, stop nagging about it and printing it to +# message buffer +hide_disclaimer = "YES" + + + + Index: /trunk/nanobsd/files/usr/local/etc/nrpe.cfg =================================================================== --- /trunk/nanobsd/files/usr/local/etc/nrpe.cfg (revision 10132) +++ /trunk/nanobsd/files/usr/local/etc/nrpe.cfg (revision 10136) @@ -7,8 +7,6 @@ command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10 command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20 -command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 15% -c 10% -p / +command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 20% -c 10% -p / command[check_disk2]=/usr/local/libexec/nagios/check_disk -w 20% -c 10% -p /var command[check_procs]=/usr/local/libexec/nagios/check_procs -w 55 -c 70 -command[check_inet]=/usr/local/libexec/nagios/check_inet -command[check_inet2]=/usr/local/libexec/nagios/check_inet2 -command[check_lv]=/usr/local/libexec/nagios/check_lv + Index: /trunk/nanobsd/files/usr/local/etc/rc.d/fetchzone =================================================================== --- /trunk/nanobsd/files/usr/local/etc/rc.d/fetchzone (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/rc.d/fetchzone (revision 10136) @@ -0,0 +1,26 @@ +#!/bin/sh +# +# PROVIDE: fetchzone +# BEFORE: maradns +# KEYWORD: shutdown +# +# Add the following line to /etc/rc.conf to enable fetchzone: +# +# fetchzone_enable="YES" +# +. /etc/rc.subr + +name=fetchzone +rcvar=`set_rcvar` + +command_interpreter=/bin/sh +command=/usr/local/sbin/fetchzone.sh +command_args="&" + +load_rc_config ${name} + +fetchzone_enable=${fetchzone_enable-"NO"} +fetchzone_pidfile=${fetchzone_pidfile-"/var/run/fetchzone.pid"} +pidfile="${fetchzone_pidfile}" + +run_rc_command "$1" Index: /trunk/nanobsd/files/usr/local/etc/rc.d/inet =================================================================== --- /trunk/nanobsd/files/usr/local/etc/rc.d/inet (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/rc.d/inet (revision 10136) @@ -0,0 +1,29 @@ +#!/bin/sh +# +# PROVIDE: inet +# BEFORE: LOGIN +# KEYWORD: shutdown +# +# Add the following line to /etc/rc.conf to enable inet/lvrouted: +# +# Don't enable lvrouted yet +# +# inet_enable="YES" +# +. /etc/rc.subr + +name=inet +rcvar=`set_rcvar` + +command_interpreter=/bin/sh +command=/usr/local/sbin/inet +command_args="&" + +load_rc_config ${name} + +inet_enable=${inet_enable-"NO"} +inet_pidfile=${inet_pidfile-"/var/run/inet.pid"} +pidfile="${inet_pidfile}" + +run_rc_command "$1" + Index: /trunk/nanobsd/files/usr/local/etc/rc.d/maradns =================================================================== --- /trunk/nanobsd/files/usr/local/etc/rc.d/maradns (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/rc.d/maradns (revision 10136) @@ -0,0 +1,33 @@ +#!/bin/sh +# +# $FreeBSD: ports/dns/maradns/files/maradns.in,v 1.3 2010/02/08 15:08:44 miwi Exp $ +# + +# PROVIDE: maradns +# REQUIRE: SERVERS +# BEFORE: DAEMON +# KEYWORD: shutdown +# + +. /etc/rc.subr + +: ${maradns_enable="NO"} +: ${maradns_conf="/usr/local/etc/mararc"} + + +# Nastly hack to allow the MaraDNS bind to the proper variable IP address +mara_pre() { + IP=`ifconfig ${internalif} | awk '/inet/ { print $2 }'` + sed -i .orig 's/^\(ipv4_bind_addresses[\ \t=]*"\).*$/\1'${IP}',127.0.0.1"/g' ${maradns_conf} +} + +name="maradns" +rcvar=`set_rcvar` +command="/usr/local/bin/duende" +command_args="/usr/local/sbin/maradns -f ${maradns_conf}" +pidfile="/var/run/${name}.pid" +start_precmd=mara_pre +load_rc_config $name + +run_rc_command "$1" + Index: /trunk/nanobsd/files/usr/local/etc/rc.d/nsd =================================================================== --- /trunk/nanobsd/files/usr/local/etc/rc.d/nsd (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/rc.d/nsd (revision 10136) @@ -0,0 +1,53 @@ +#!/bin/sh +# +# $FreeBSD: ports/dns/nsd/files/nsd.in,v 1.4 2009/01/16 00:30:07 miwi Exp $ +# +# PROVIDE: nsd +# REQUIRE: DAEMON +# +# Add the following line to /etc/rc.conf to enable nsd: +# +# nsd_enable="YES" +# +# Added the start command since rebuilding is required at first boot (richardvm@wirelessleiden.nl) + +. /etc/rc.subr + +name=nsd +rcvar=`set_rcvar` + +required_files=/usr/local/etc/nsd/nsd.conf + +command=/usr/local/sbin/${name} +pidfile=/var/run/${name}.pid + +load_rc_config ${name} + +nsd_enable=${nsd_enable-"NO"} + +stop_cmd="nsd_stop" +start_cmd="nsd_start" + +nsd_start() +{ + echo "Rebuilding zone files..." + /usr/local/sbin/nsdc rebuild + + echo "Starting nsd." + /usr/local/sbin/nsdc start +} + +nsd_stop() +{ + echo "Merging nsd zone transfer changes to zone files." + /usr/local/sbin/nsdc patch + + sleep 5 + + echo "Stopping nsd." + /usr/local/sbin/nsdc stop +} + + +run_rc_command "$1" + Index: /trunk/nanobsd/files/usr/local/etc/rc.d/wlportal =================================================================== --- /trunk/nanobsd/files/usr/local/etc/rc.d/wlportal (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/rc.d/wlportal (revision 10136) @@ -0,0 +1,23 @@ +#!/bin/sh +# +# $Id$ +# + +# PROVIDE: wlportal +# REQUIRE: LOGIN cleanvar +# KEYWORD: shutdown + +wlportal_enable=${wlportal_enable:-"NO"} +wlportal_flags=${wlportal_flags:-} + +. /etc/rc.subr + +name="wlportal" +rcvar=`set_rcvar` +load_rc_config $name + +command="/usr/local/wlportal/wlportal" +command_interpreter="/usr/local/bin/python" +pid_file="/var/run/${name}.pid" + +run_rc_command "$1" Index: /trunk/nanobsd/files/usr/local/etc/tinyproxy.conf =================================================================== --- /trunk/nanobsd/files/usr/local/etc/tinyproxy.conf (revision 10132) +++ /trunk/nanobsd/files/usr/local/etc/tinyproxy.conf (revision 10136) @@ -80,5 +80,5 @@ # output, but Notice and below would be suppressed. # -LogLevel Info +LogLevel Warning # @@ -181,5 +181,5 @@ # The location of the filter file. # -#Filter "/etc/tinyproxy/filter" +Filter "/usr/local/etc/tinyproxy.filter" # @@ -206,5 +206,5 @@ # deny everything which is _not_ specifically allowed by the filter file. # -#FilterDefaultDeny Yes +FilterDefaultDeny No # Index: /trunk/nanobsd/files/usr/local/etc/tinyproxy.filter =================================================================== --- /trunk/nanobsd/files/usr/local/etc/tinyproxy.filter (revision 10136) +++ /trunk/nanobsd/files/usr/local/etc/tinyproxy.filter (revision 10136) @@ -0,0 +1,2 @@ +192.168.*.* +10.*.*.* Index: /trunk/nanobsd/files/usr/local/sbin/check-inet-alive =================================================================== --- /trunk/nanobsd/files/usr/local/sbin/check-inet-alive (revision 10136) +++ /trunk/nanobsd/files/usr/local/sbin/check-inet-alive (revision 10136) @@ -0,0 +1,31 @@ +#!/bin/sh +# +# Internet Connection Wrapper From Cron +# +# a) Disable lvrouted if the internet is down. +# b) Re-enable lvrouted if the internet is back up. +# +# XXX: Do we need build an fail-save for flapping states? +# XXX: Do we need to manage state, like DHCP here? +# XXX: Check if page output is actually the output expected and not some weird captive portal somewhere. +# +# Rick van der Zwet +# + +TAG=`basename $0` +INET_STATUS=down +service lvrouted onestatus > /dev/null && LVROUTED_STATUS="running" || LVROUTED_STATUS="stopped" + +# Main I-net check +fetch -o /dev/null -q http://proxy-test.wirelessleiden.nl && INET_STATUS=up + +if [ $INET_STATUS = "down" ]; then + # Failback internet check + fetch -o /dev/null http://ams-ix.net && INET_STATUS=up +fi + +if [ $LVROUTED_STATUS = "stopped" ] && [ $INET_STATUS = "up" ]; then + service lvrouted start | logger -t "$TAG" +elif [ $LVROUTED_STATUS = "running" ] && [ $INET_STATUS = "down" ]; then + service lvrouted stop | logger -t "$TAG" +fi Index: /trunk/nanobsd/files/usr/local/sbin/fetchzone.sh =================================================================== --- /trunk/nanobsd/files/usr/local/sbin/fetchzone.sh (revision 10136) +++ /trunk/nanobsd/files/usr/local/sbin/fetchzone.sh (revision 10136) @@ -0,0 +1,77 @@ +#!/bin/sh +# $Id: fetchzone.sh 9970 2012-02-15 18:04:47Z rick $ +# +# Wireless Leiden specific configuration to fetch DNS zones +# used by MaraDNS +# + +# Script is running in deamon mode to discriptors available, so make sure to +# close them to avoid 'hanging' scripts. +exec <&- +exec 1>/dev/null +exec 2>/dev/null + + +# Updates of $ZONES we are going to fetch from the $SERVER every $IDLE seconds +ZONES="wleiden.net. 16.172.in-addr.arpa. 17.172.in-addr.arpa. +18.172.in-addr.arpa. 19.172.in-addr.arpa. 20.172.in-addr.arpa. +21.172.in-addr.arpa. 22.172.in-addr.arpa. 23.172.in-addr.arpa. +24.172.in-addr.arpa. 25.172.in-addr.arpa. 26.172.in-addr.arpa. +27.172.in-addr.arpa. 28.172.in-addr.arpa. 29.172.in-addr.arpa. +30.172.in-addr.arpa. 31.172.in-addr.arpa." +SERVER=172.16.4.46 +IDLE=3600 + +LOGFILE=/var/log/fetchzone.log +PIDFILE=/var/run/fetchzone.pid +### END OF USER CONFIGURABLE VARIABLES ### + +TAGNAME=`basename $0 .sh` +# Create logging service +log() { + echo `date "+%b %e %T"`":" $* >> ${LOGFILE} + echo $* | logger -t "$TAGNAME" +} + +# Register PID +PID=$$ +echo ${PID} > ${PIDFILE} +log "[INFO] Fetchzone starting with PID: $PID" + +# Make me a deamon script +while [ true ]; do + + CHANGED_ZONES="" + # Run through multiple zones + for ZONE in ${ZONES}; do + # (re) Set some extra vars + TMPFILE=/tmp/dns-tmp-${ZONE} + REALFILE=/usr/local/etc/maradns/db.${ZONE} + # Execute Fetchzone + /usr/local/bin/fetchzone ${ZONE} ${SERVER} > ${TMPFILE} + + # Did Fetchzone exit unhappy + if [ $? -ne 0 ]; then + # Something went wrong lets log it + log "[ERROR] [$ZONE] Errors found in fetchzone query" + continue + fi + + # Are there any changes, we need to put active? + cmp -s ${TMPFILE} ${REALFILE} + if [ $? -ne 0 ]; then + log "[INFO] [$ZONE] Changes found" + cp ${TMPFILE} ${REALFILE} + CHANGED_ZONES="$CHANGED_ZONES $ZONE" + fi + done + + # Maradns requires a restart to load new zonefile + if [ -n "$CHANGED_ZONES" ]; then + log "[INFO] `/usr/local/etc/rc.d/maradns restart`" + fi + + # Next run in $IDLE seconds + sleep ${IDLE} +done + Index: /trunk/nanobsd/files/usr/local/sbin/inet =================================================================== --- /trunk/nanobsd/files/usr/local/sbin/inet (revision 10136) +++ /trunk/nanobsd/files/usr/local/sbin/inet (revision 10136) @@ -0,0 +1,97 @@ +#!/bin/sh + +PATH=$PATH:/bin:/usr/bin +export PATH + +# Test page to query +PROXY_TEST='http://www.ams-ix.net/' + +# Log file +LOGFILE='/var/log/inet.log' +PIDFILE='/var/run/inet.pid' + +# Speed periods +SLEEP_OK='900' +SLEEP_NOK='60' + +# Write pid file +echo $$ > ${PIDFILE} + +# Logging +log() +{ + _datestamp=`date "+%Y-%m-%d %H:%M:%S"` + _msg="[${_datestamp}] $*" + echo "${_msg}" >> ${LOGFILE} +} + +# Start/stop lvrouted +lvrouted() +{ + script=/usr/local/etc/rc.d/lvrouted + + case $1 in + + enable) + ${script} onestart + ;; + + disable) + ${script} onestop + ;; + + esac + +} + +# Make sure I never die +while [ true ]; +do + + # Query the webpage + fetch -o /dev/null ${PROXY_TEST} > /dev/null 2>/dev/null + + # What is the Exit code of fetch? + EXIT=$? + + # Did the status change? + if [ "$STATUS" != "$EXIT" ]; then + STATUS=${EXIT} + + # New status: + case ${STATUS} in + + # Internet is present, let's enable lvrouted + 0) + lvrouted enable + log "INET OK: Enabled lvrouted" + ;; + + # Internet is not present, let's disabled lvrouted + 1) + lvrouted disable + log "INET CRITICAL: Disabled lvrouted" + ;; + + esac + fi + + # Did my magic, lets sleep + case ${STATUS} in + + # I am in ok state, I will wake up in ... + 0) + sleep ${SLEEP_OK} + ;; + + + # I am in nok state, I will wake up in ... + 1) + sleep ${SLEEP_NOK} + ;; + + esac + + +done + Index: /trunk/nanobsd/files/usr/local/share/snmp/snmpd.conf =================================================================== --- /trunk/nanobsd/files/usr/local/share/snmp/snmpd.conf (revision 10132) +++ /trunk/nanobsd/files/usr/local/share/snmp/snmpd.conf (revision 10136) @@ -47,13 +47,9 @@ # name max min -proc lvrouted.opt 1 1 proc sshd 8 1 proc syslogd 1 1 proc ntpd 1 1 proc snmpd 1 1 -proc dhcpd 1 1 -proc pen 1 1 proc cron 2 1 -proc named 1 1 @@ -80,13 +76,2 @@ pass_persist .1.3.6.1.4.1.21695.1.2 /usr/local/sbin/dhcpd-snmp /usr/local/etc/dhcpd-snmp.conf - -extend .1.3.6.1.4.1.2021.61 nagios-www /usr/local/sbin/proxy-test.sh -extend .1.3.6.1.4.1.2021.62 nagios-routing /usr/local/sbin/lvrouted-test.sh - -extend .1.3.6.1.4.1.2021.70 dhcp-users /bin/sh -c "/bin/cat /var/db/dnsmasq.leases \| awk '{ print $1,$2,$3 }'" -extend .1.3.6.1.4.1.2021.71 portal-users /bin/sh -c "/bin/cat /var/db/clients \| awk '{ print $1,$2,$3 }'" -extend .1.3.6.1.4.1.2021.72 arp-users /bin/sh -c "/bin/cat /var/db/connect.gone \| awk '{ print $1,$2,$3 }'" - -extend wl-release /bin/cat /tools/wl-release.txt -extend wl-version /usr/bin/awk 'BEGIN{FS=": "}/^URL:/ {u=$2}; /^Last Changed Rev:/ {r=$2}; END{print u"@"r}' /tools/wl-release.txt -