Changeset 10185 in hybrid for branches/releng-9.0/nanobsd

Timestamp:

Mar 17, 2012, 11:51:28 AM (13 years ago)

Author:

richardvm

Message:

firewall and portal fixes

Location:

branches/releng-9.0/nanobsd/files

Files:

• etc/ipfw.sh (modified) (1 diff)
• tools/wl-config (modified) (9 diffs)
• usr/local/etc/wlportal/login.tmpl (modified) (3 diffs)

branches/releng-9.0/nanobsd/files/etc/ipfw.sh

@@ -1 @@
-#!/bin/sh -
-# Based on /etc/rc.firewall
-#
-# Credits: Richard van Mansom, Rick van der Zwet
+## Building options
+dumpdev="NO"                    # No kernel dumps as we don't have a place to
+                                # store them 
+ipv6_enable="NO"                # No IPv6 support for now, near feature... ;-)
 
+# NTP server needs working config with WL network or internet on boot
+# so some warnings might pop up, but no harm
+ntpdate_enable="YES"
+ntpd_enable="YES"
+ntpd_sync_on_start="YES"
+ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
 
-allowed2internet="80,443"
-maxconnections="10"
+# We need no running mail server
+sendmail_enable="NONE"
 
-RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
-WLNET='172.16.0.0/12'
+# Don't let syslog accept input from other remote hosts
+syslogd_enable="YES"
+syslogd_flags="-s -A -c"
 
-# Suck in the configuration variables.
-if [ -z "${source_rc_confs_defined}" ]; then
-        if [ -r /etc/defaults/rc.conf ]; then
-                . /etc/defaults/rc.conf
-                source_rc_confs
-        elif [ -r /etc/rc.conf ]; then
-                . /etc/rc.conf
-        fi
-fi
+# Remote login without DNS checking as it might not also be functionable
+# -u0 prevent sshd from making DNS requests unless the authentication mechanism
+# or configuration requires it.
+sshd_enable="YES"
+sshd_flags="-u0"
 
-setup_loopback () {
-        ############
-        # Only in rare cases do you want to change these rules
-        #
-        ${fwcmd} add 100 pass all from any to any via lo0
-        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
-        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-}
+# Don't update the motd as it not writeable, the update_nanobsd_motd is a
+# simple wrapper found at /usr/local/etc/rc.d supporting this featureg
+update_motd="NO"
+update_nanobsd_motd="YES"
 
-############
-# Set quiet mode if requested
-#
-case ${firewall_quiet} in
-[Yy][Ee][Ss])
-        fwcmd="/sbin/ipfw -q"
-        ;;
-*)
-        fwcmd="/sbin/ipfw"
-        ;;
-esac
+# Monitoring deamons
+nrpe2_enable="YES"
+snmpd_enable="YES"
+snmpd_flags="-a -LF w /var/log/snmpd.log"
 
-###########
-# Set Internal/External Interface
-#
-driver=`echo ${internalif} | sed 's/[0-9]*//g'`
-seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+# HTTP(S) proxy server
+tinyproxy_enable="YES"
 
-if [ ${seq} = 0 ]; then
-  seq=`expr ${seq} \+ 1`
-else
-  seq=`expr ${seq} \- 1`
-fi
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-externalif="$driver$seq"
+## Port extentions
+# Serve our clients some pretty cool IP address to at least get connected
+# Also some low-memory footprint dns resolver
+dnsmasq_enable="YES"
 
-# Get interface Addresses
-externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
-internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
-############
-# Flush out the list before we begin.
-#
-${fwcmd} -f flush
+## WL ports extentions
+thttpd_enable="YES"
+http302_enable="YES"
 
-setup_loopback
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-
-############
-# Block the hosters network (and maybe others)
-for IP in ${firewall_block}
-do
-  ${fwcmd} add deny ip from any to ${IP} in via $internalif
-done
-
-############
-# Statefull filewall in use
-${fwcmd} add check-state
-
-# Allow anything originating from me
-${fwcmd} add allow ip from me to any keep-state
-
-
-#############
-# Outbound NAT setup
-# WL Net -> Internet
-${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
-${fwcmd} add nat 100 all from any to $externalip in recv $externalif
-${fwcmd} nat 100 config if $externalif
-
-# Subnet Internet is allowed
-${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
-
-
-#############
-# Internal Network -> WL Net
-# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
-${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
-${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
-${fwcmd} nat 200 config if $internalif
-
-# Allow all traffic inbound
-${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
-
-
-#############
-## Services in use
-## Allow on external interface
-external_allow_tcp="ssh"
-${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
-
-## Allow on internal interface
-internal_allow_tcp="ssh,domain,3128"
-internal_allow_udp="ntp,domain,snmp,12345"
-${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
-${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
-
-# Basic ICMP managment traffic
-${fwcmd} add allow icmp from any to me icmptype 8
-${fwcmd} add allow icmp from me to any icmptype 3,4,11
-
-
-#############
-# Block anything else
-${fwcmd} add 65000 deny log logamount 500 ip from any to any
-
+#Hybrid
+openvpn_enable="YES"
+openvpn_if="tap"
+cloned_interfaces="bridge0"
+gateway_enable="YES"
+pf_enable="YES"
+pf_rules="/etc/pf.conf.ileiden"
+pf_flags=""
+pf2_enable="YES"

branches/releng-9.0/nanobsd/files/tools/wl-config

@@ -1 +1 @@
 #!/bin/sh
-# Wireless Leiden proxy config-update script for FreeBSD 8.0 (nanobsd)
+# Wireless Leiden config-update script for FreeBSD 8.0 (nanobsd)
 # Based on the 'API' of Jasper
-# Rick van der Zwet ; Richard van Mansom
+# Rick van der Zwet
 # XXX: TODO, some proper error checking for fetch
 
-BASEURL="http://132.229.112.21/config/iris/proxy/FreeBSD/8.0-RELEASE/g_list.pl"
+
+# Slow connection = no connection
+HTTP_TIMEOUT=3
+
+
+check_access() {
+  # Direct Access - Internal IP 
+  BASEURL="http://172.16.4.46/wleiden/config/"
+  # Connectivity check
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# WARN: Fetch via internal $BASEURL failed"
+  
+  # Direct Access - External DNS
+  BASEURL="http://132.229.112.21/wleiden/config/"
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# CRIT: Fetch via external $BASEURL failed"
+
+  exit 1
+}
+check_access
+
 
 # Default config to fetch
-CONFIG=`hostname -s | tr '[A-Z]' '[a-z]'`
+CONFIG=`hostname -s`
 
 # Determine it's statup and running location and some other hints
 # Skip named.conf as it not planned in current release
-FILES="authorized_keys rc.conf.local resolv.conf"
+FILES="authorized_keys dnsmasq.conf rc.conf.local resolv.conf wleiden.yaml"
 file_details() {
   case "$1" in 
@@ -20 +40 @@
      FILE_HINT=""
    ;;
+  'dnsmasq.conf')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/etc/local/${FILE}"
+     FILE_HINT="/usr/local/etc/rc.d/dnsmasq restart"
+   ;;
+  'named.conf')
+     STARTUP_LOC="/cfg/namedb/${FILE}"
+     RUNNING_LOC="/etc/namedb/${FILE}"
+     FILE_HINT="/etc/rc.d/named restart"
+   ;;
   'rc.conf.local')
      STARTUP_LOC="/cfg/${FILE}"
@@ -30 +60 @@
      FILE_HINT=""
    ;;
+   'wleiden.yaml')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/etc/local/${FILE}"
+     FILE_HINT=""
+   ;;
   esac
 }
@@ -36 +71 @@
         (
         echo "Usage: $0 [-bn] [-c <config>] [-m <all|startup|testing|running>]"
-        echo "  -b              batch mode, no user input"
-        echo "  -c <config>     default configuration to fetch"
-        echo "  -n              do not mount config partition"
-        echo "  -m all          copy config files to running & config partition [default]"
-        echo "  -m startup      copy config files to config partition"
-        echo "  -m testing      do not copy config files"
-        echo "  -m running      copy config files to running partition"
-        echo "  -m hack         copy  running files to config partition"
+        echo "  -b          = batch mode, no user input"
+        echo "  -c <config> = default configuration to fetch"
+        echo "  -n          = do not mount config partition"
+        echo "  -m all      = copy config files to running & config partition [default]"
+        echo "  -m startup  = copy config files to config partition"
+        echo "  -m testing  = do not copy config files"
+        echo "  -m running  = copy config files to running partition"
+        echo "  -m hack     = copy running files to config partition"
         ) 1>&2
         exit 2
@@ -80 +115 @@
   
   if [ "${OPT_RUNNING}" -eq 1 ]; then
-    echo "INFO: Storing new config files in running configuration"
+    echo "# INFO: Storing new config files in running configuration"
   fi
   
   if [ "${OPT_STARTUP}" -eq 1 ]; then
-    echo "INFO: Storing new config files in startup configuration"
+    echo "# INFO: Storing new config files in startup configuration"
   fi
   
   if [ "${OPT_HACK}" -eq 1 ]; then
-    echo "WARN: Copy running configuration to startup configuration"
-    echo "WARN: Please do mind to document/mention this changes somewhere"
+    echo "# WARN: Copy running configuration to startup configuration"
+    echo "# WARN: Please do mind to document/mention this changes somewhere"
   fi
 
@@ -107 +142 @@
   else 
      echo "WARNING: Input '${INPUT}' is not valid, some hints..."
-     grep "${INPUT}" ${TMPDIR}/node_list.txt
+     grep -i "${INPUT}" ${TMPDIR}/node_list.txt
      return 1
   fi  
@@ -158 +193 @@
   SOURCE=$1
   TARGET=$2
-  diff -q ${SOURCE} ${TARGET} >/dev/null 2>/dev/null
+  diff -I '^# Generated at ' ${SOURCE} ${TARGET} 2>/dev/null
   if [ $? -ne 0 ]; then
     mkdir -p `dirname ${TARGET}` || exit 1
@@ -200 +235 @@
     file_details ${FILE}
   
-    echo "INFO: Working on file: '${FILE}'"
+    echo "# INFO: Working on file: '${FILE}'"
     # Copy file boot location
     if [ ${OPT_STARTUP} -eq 1 ]; then
@@ -210 +245 @@
       copy_file ${FRESH_LOC} ${RUNNING_LOC}
       if [ $? -eq 0 ]; then
-        echo "INFO: '${FILE}' changed"  
+        echo "# INFO: '${FILE}' changed"  
         if [ -n "${FILE_HINT}" ]; then
-          echo "INFO: For instant activate: ${FILE_HINT}"
+          echo "# INFO: For instant activate: ${FILE_HINT}"
           echo ""
         fi

branches/releng-9.0/nanobsd/files/usr/local/etc/wlportal/login.tmpl

@@ -4 +4 @@
   </head>
   <body>
-<table width="100%"><tr>
-  <td><img src="/static/wl-logo.png"></td>
-  <td><h2>%(status_msg)s</h2></td>
-</tr></table>
-<hr />
-   <small><i><a href="#english">For English see bottom of this page</a></i></small>
-   <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
-   <pre>
-   A) Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn kostenloos en u hoeft zich niet aan te melden. 
-   B) U dient zich te houden aan de Nederlandse wetgeving en geen schade toe te brengen of ongemak te veroorzaken voor anderen.
-   C) De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of verband houdt met het gebruik van het netwerk.</pre>
-   <h3>Internet Toegang</h3> 
-   <p>Internetten op het Wireless Leiden netwerk kan op twee manieren:<br />
-   <small>N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.</small>
-   <ol>
-   <li>In uw browser een 'proxy' instellen. (in het algemeen sneller internet).</li>
-   <li>Gebruik maken van de iLeiden service (gemakkelijk voor mobiele apparaten).</li>
-   </ol>
+<img src="/static/wl-logo.png">
+<h2>%(status_msg)s</h2>
+    <h1>Welkom bij Wireless Leiden</h1>
+<i>For English see bottom of this page</i>
+   <h3>Internettoegang</h3> 
+   <p>U bent verbonden met het lokale Wireless Leiden network. Om te internetten moet u in uw browser een 'proxy' instellen en hieronder op 'accoord' klikken. Afhankelijk van de locatie kan het ook zonder proxy-instelling, maar de snelheid zal in het algemeen lager zijn.
+<h3>Instellen proxy in browser</h3>
+    In Firefox: ga naar Edit->Preferences->Advanced->Network->Settings.<br>
+    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
+    Gedetailleerde instructies kunt u vinden op onze <a href="http://www.wirelessleiden.nl">website</a>.
+    <p>
+N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.
 
+    <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
+    Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn kostenloos en u hoeft zich niet aan te melden. Maar u dient zich te houden aan de Nederlandse wetgeving en geen schade toe te brengen of ongemak te veroorzaken voor anderen.<br>
+    De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of verband houdt met het gebruik van het netwerk.<br>
+<b>Geef hieronder aan of u accoord gaat met deze voorwaarden:
  <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="login" />
-<input type="submit" value="I wil gebruik maken van iLeiden" style="color:#000000; background: green; font-weight: bold"/>
+<input type="submit" value="OK, accoord" style="color:#000000; background: #FF3300; font-weight: bold"/>
 </form>
 
-    <h4>Instellen proxy in browser</h4>
-    In Firefox: ga naar <em>Edit->Preferences-&gt;Advanced-&gt;Network-&gt;Settings.</em><br />
-    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
-    <p>
-    <small>N.B. Haal na gebruik de instellingen weer weg</small>
+</b>
 <hr>
-<a name="english"></a>
     <h1>Welcome to Wireless Leiden</h1>
    <h3>Internet access</h3> 
-   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser OR click on the button bellow.<br>
-    To set the proxy for instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
+   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser.<br>
+    For instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
     Manual proxy configuration: specify HTTP proxy: proxy.wleiden.net port 3128.<br>
     Detailed instructions can be downloaded from our <a href="http://www.wirelessleiden.nl">website</a>.
@@ -51 +44 @@
 <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="login" />
-<input type="submit" value="OK, agreed" style="color:#000000; background: green; font-weight: bold" />
+<input type="submit" value="OK, agreed" style="color:#000000; background: #FF3300; font-weight: bold" />
 </form>
 
@@ -63 +56 @@
 <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="logout" />
-<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: red; font-weight: bold"/>
+<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: #FF3300; font-weight: bold"/>
 </form>
 <hr /><em>Technical Details:</em><pre>