Index: /branches/releng-9.0/nanobsd/files/etc/ipfw.sh
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10181)
+++ /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10185)
@@ -1,126 +1,62 @@
-#!/bin/sh -
-# Based on /etc/rc.firewall
-#
-# Credits: Richard van Mansom, Rick van der Zwet
+## Building options
+dumpdev="NO"			# No kernel dumps as we don't have a place to
+				# store them 
+ipv6_enable="NO"		# No IPv6 support for now, near feature... ;-)
 
+# NTP server needs working config with WL network or internet on boot
+# so some warnings might pop up, but no harm
+ntpdate_enable="YES"
+ntpd_enable="YES"
+ntpd_sync_on_start="YES"
+ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
 
-allowed2internet="80,443"
-maxconnections="10"
+# We need no running mail server
+sendmail_enable="NONE"
 
-RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
-WLNET='172.16.0.0/12'
+# Don't let syslog accept input from other remote hosts
+syslogd_enable="YES"
+syslogd_flags="-s -A -c"
 
-# Suck in the configuration variables.
-if [ -z "${source_rc_confs_defined}" ]; then
-	if [ -r /etc/defaults/rc.conf ]; then
-		. /etc/defaults/rc.conf
-		source_rc_confs
-	elif [ -r /etc/rc.conf ]; then
-		. /etc/rc.conf
-	fi
-fi
+# Remote login without DNS checking as it might not also be functionable
+# -u0 prevent sshd from making DNS requests unless the authentication mechanism
+# or configuration requires it.
+sshd_enable="YES"
+sshd_flags="-u0"
 
-setup_loopback () {
-	############
-	# Only in rare cases do you want to change these rules
-	#
-	${fwcmd} add 100 pass all from any to any via lo0
-	${fwcmd} add 200 deny all from any to 127.0.0.0/8
-	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-}
+# Don't update the motd as it not writeable, the update_nanobsd_motd is a
+# simple wrapper found at /usr/local/etc/rc.d supporting this featureg
+update_motd="NO"
+update_nanobsd_motd="YES"
 
-############
-# Set quiet mode if requested
-#
-case ${firewall_quiet} in
-[Yy][Ee][Ss])
-	fwcmd="/sbin/ipfw -q"
-	;;
-*)
-	fwcmd="/sbin/ipfw"
-	;;
-esac
+# Monitoring deamons
+nrpe2_enable="YES"
+snmpd_enable="YES"
+snmpd_flags="-a -LF w /var/log/snmpd.log"
 
-###########
-# Set Internal/External Interface
-#
-driver=`echo ${internalif} | sed 's/[0-9]*//g'`
-seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+# HTTP(S) proxy server
+tinyproxy_enable="YES"
 
-if [ ${seq} = 0 ]; then
-  seq=`expr ${seq} \+ 1`
-else
-  seq=`expr ${seq} \- 1`
-fi
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-externalif="$driver$seq"
+## Port extentions
+# Serve our clients some pretty cool IP address to at least get connected
+# Also some low-memory footprint dns resolver
+dnsmasq_enable="YES"
 
-# Get interface Addresses
-externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
-internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
-############
-# Flush out the list before we begin.
-#
-${fwcmd} -f flush
+## WL ports extentions
+thttpd_enable="YES"
+http302_enable="YES"
 
-setup_loopback
+# Make sure generated ssh keys are saved 
+nanobsd_save_sshkeys_enable="YES"
 
-
-############
-# Block the hosters network (and maybe others)
-for IP in ${firewall_block}
-do
-  ${fwcmd} add deny ip from any to ${IP} in via $internalif
-done
-
-############
-# Statefull filewall in use
-${fwcmd} add check-state
-
-# Allow anything originating from me
-${fwcmd} add allow ip from me to any keep-state
-
-
-#############
-# Outbound NAT setup
-# WL Net -> Internet
-${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
-${fwcmd} add nat 100 all from any to $externalip in recv $externalif
-${fwcmd} nat 100 config if $externalif
-
-# Subnet Internet is allowed
-${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
-
-
-#############
-# Internal Network -> WL Net
-# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
-${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
-${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
-${fwcmd} nat 200 config if $internalif
-
-# Allow all traffic inbound
-${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
-
-
-#############
-## Services in use
-## Allow on external interface
-external_allow_tcp="ssh"
-${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
-
-## Allow on internal interface
-internal_allow_tcp="ssh,domain,3128"
-internal_allow_udp="ntp,domain,snmp,12345"
-${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
-${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
-
-# Basic ICMP managment traffic
-${fwcmd} add allow icmp from any to me icmptype 8
-${fwcmd} add allow icmp from me to any icmptype 3,4,11
-
-
-#############
-# Block anything else
-${fwcmd} add 65000 deny log logamount 500 ip from any to any
-
+#Hybrid
+openvpn_enable="YES"
+openvpn_if="tap"
+cloned_interfaces="bridge0"
+gateway_enable="YES"
+pf_enable="YES"
+pf_rules="/etc/pf.conf.ileiden"
+pf_flags=""
+pf2_enable="YES"
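Review bot: The new side sets `nanobsd_save_sshkeys_enable="YES"` twice, once under the first "Make sure generated ssh keys are saved" comment after `tinyproxy_enable` and again after `http302_enable`, so one of the two copies should be dropped. The replacement content is a list of rc.conf-style variable assignments rather than ipfw rules, which reads as if the wrong file was written to `etc/ipfw.sh`; worth confirming the path is intended. The old ruleset ended in an explicit catch-all deny, while the new side enables `pf` with `pf_rules="/etc/pf.conf.ileiden"`, a file not in this diff, so the firewall posture of the image now depends entirely on that file being present and correct.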
Index: /branches/releng-9.0/nanobsd/files/tools/wl-config
===================================================================
--- /branches/releng-9.0/nanobsd/files/tools/wl-config	(revision 10181)
+++ /branches/releng-9.0/nanobsd/files/tools/wl-config	(revision 10185)
@@ -1,16 +1,36 @@
 #!/bin/sh
-# Wireless Leiden proxy config-update script for FreeBSD 8.0 (nanobsd)
+# Wireless Leiden config-update script for FreeBSD 8.0 (nanobsd)
 # Based on the 'API' of Jasper
-# Rick van der Zwet ; Richard van Mansom
+# Rick van der Zwet
 # XXX: TODO, some proper error checking for fetch
 
-BASEURL="http://132.229.112.21/config/iris/proxy/FreeBSD/8.0-RELEASE/g_list.pl"
+
+# Slow connection = no connection
+HTTP_TIMEOUT=3
+
+
+check_access() {
+  # Direct Access - Internal IP 
+  BASEURL="http://172.16.4.46/wleiden/config/"
+  # Connectivity check
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# WARN: Fetch via internal $BASEURL failed"
+  
+  # Direct Access - External DNS
+  BASEURL="http://132.229.112.21/wleiden/config/"
+  fetch -o /dev/null -q $BASEURL > /dev/null && return
+  echo "# CRIT: Fetch via external $BASEURL failed"
+
+  exit 1
+}
+check_access
+
 
 # Default config to fetch
-CONFIG=`hostname -s | tr '[A-Z]' '[a-z]'`
+CONFIG=`hostname -s`
 
 # Determine it's statup and running location and some other hints
 # Skip named.conf as it not planned in current release
-FILES="authorized_keys rc.conf.local resolv.conf"
+FILES="authorized_keys dnsmasq.conf rc.conf.local resolv.conf wleiden.yaml"
 file_details() {
   case "$1" in 
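Review bot: `HTTP_TIMEOUT=3` is declared just above `check_access` but neither `fetch` call in the function uses it, so the "slow connection = no connection" intent is not enforced; pass it with `-T` and quote the URL: `fetch -T "${HTTP_TIMEOUT}" -o /dev/null -q "${BASEURL}" > /dev/null && return`. The WARN and CRIT lines are diagnostics and belong on stderr (`>&2`), as the usage text in this script already does with `1>&2`, so they are not mixed into captured output. The probe only establishes that the directory URL answers; the files later fetched from it include `authorized_keys` over plain HTTP, and nothing in the script verifies their origin or integrity, which is worth tracking alongside the existing TODO on fetch error checking.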
@@ -20,4 +40,14 @@
      FILE_HINT=""
    ;;
+  'dnsmasq.conf')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/etc/local/${FILE}"
+     FILE_HINT="/usr/local/etc/rc.d/dnsmasq restart"
+   ;;
+  'named.conf')
+     STARTUP_LOC="/cfg/namedb/${FILE}"
+     RUNNING_LOC="/etc/namedb/${FILE}"
+     FILE_HINT="/etc/rc.d/named restart"
+   ;;
   'rc.conf.local')
      STARTUP_LOC="/cfg/${FILE}"
@@ -30,4 +60,9 @@
      FILE_HINT=""
    ;;
+   'wleiden.yaml')
+     STARTUP_LOC="/cfg/local/${FILE}"
+     RUNNING_LOC="/etc/local/${FILE}"
+     FILE_HINT=""
+   ;;
   esac
 }
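Review bot: The `'wleiden.yaml')` arm is indented one space deeper than the other `case` arms in `file_details` (`'dnsmasq.conf')`, `'named.conf')`, `'rc.conf.local')`) and should be aligned with them. The new `'named.conf')` arm is added while the header comment still says named.conf is skipped and it is absent from `FILES`; a one-line comment on the arm such as `# named.conf: details kept for when it is added to FILES` would stop readers wondering whether the omission is a mistake.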
@@ -36,12 +71,12 @@
 	(
 	echo "Usage: $0 [-bn] [-c <config>] [-m <all|startup|testing|running>]"
-	echo "	-b		batch mode, no user input"
-	echo "	-c <config>   	default configuration to fetch"
-	echo "	-n		do not mount config partition"
-	echo "	-m all    	copy config files to running & config partition [default]"
-	echo "	-m startup	copy config files to config partition"
-	echo "	-m testing    	do not copy config files"
-	echo "	-m running   	copy config files to running partition"
-	echo "	-m hack   	copy  running files to config partition"
+	echo "	-b          = batch mode, no user input"
+	echo "	-c <config> = default configuration to fetch"
+	echo "	-n          = do not mount config partition"
+	echo "	-m all      = copy config files to running & config partition [default]"
+	echo "	-m startup  = copy config files to config partition"
+	echo "	-m testing  = do not copy config files"
+	echo "	-m running  = copy config files to running partition"
+	echo "	-m hack     = copy running files to config partition"
 	) 1>&2
 	exit 2
@@ -80,14 +115,14 @@
   
   if [ "${OPT_RUNNING}" -eq 1 ]; then
-    echo "INFO: Storing new config files in running configuration"
+    echo "# INFO: Storing new config files in running configuration"
   fi
   
   if [ "${OPT_STARTUP}" -eq 1 ]; then
-    echo "INFO: Storing new config files in startup configuration"
+    echo "# INFO: Storing new config files in startup configuration"
   fi
   
   if [ "${OPT_HACK}" -eq 1 ]; then
-    echo "WARN: Copy running configuration to startup configuration"
-    echo "WARN: Please do mind to document/mention this changes somewhere"
+    echo "# WARN: Copy running configuration to startup configuration"
+    echo "# WARN: Please do mind to document/mention this changes somewhere"
   fi
 
@@ -107,5 +142,5 @@
   else 
      echo "WARNING: Input '${INPUT}' is not valid, some hints..."
-     grep "${INPUT}" ${TMPDIR}/node_list.txt
+     grep -i "${INPUT}" ${TMPDIR}/node_list.txt
      return 1
   fi  
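Review bot: `grep -i "${INPUT}" ${TMPDIR}/node_list.txt` passes user-typed `INPUT` as the first argument, so a value beginning with `-` is parsed as a grep option and the text is interpreted as a regular expression rather than a node name; use `grep -i -F -- "${INPUT}" "${TMPDIR}/node_list.txt"` so the input is a fixed string and the path is quoted. The enclosing function starts before this hunk.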
@@ -158,5 +193,5 @@
   SOURCE=$1
   TARGET=$2
-  diff -q ${SOURCE} ${TARGET} >/dev/null 2>/dev/null
+  diff -I '^# Generated at ' ${SOURCE} ${TARGET} 2>/dev/null
   if [ $? -ne 0 ]; then
     mkdir -p `dirname ${TARGET}` || exit 1
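Review bot: The separate `$?` test after `diff -I '^# Generated at ' ${SOURCE} ${TARGET} 2>/dev/null` can be folded into the `if` with the paths quoted: `if ! diff -I '^# Generated at ' "${SOURCE}" "${TARGET}" 2>/dev/null; then`. Any non-zero status, including the 2 returned when `${TARGET}` does not yet exist, is treated as "changed", which appears to be the intended first-install behaviour given the `mkdir -p` that follows; a short comment saying so would make that explicit. Dropping `-q` means the full diff is now printed to stdout, presumably deliberately. The enclosing function starts and ends outside this hunk.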
@@ -200,5 +235,5 @@
     file_details ${FILE}
   
-    echo "INFO: Working on file: '${FILE}'"
+    echo "# INFO: Working on file: '${FILE}'"
     # Copy file boot location
     if [ ${OPT_STARTUP} -eq 1 ]; then
@@ -210,7 +245,7 @@
       copy_file ${FRESH_LOC} ${RUNNING_LOC}
       if [ $? -eq 0 ]; then
-        echo "INFO: '${FILE}' changed"  
+        echo "# INFO: '${FILE}' changed"  
         if [ -n "${FILE_HINT}" ]; then
-          echo "INFO: For instant activate: ${FILE_HINT}"
+          echo "# INFO: For instant activate: ${FILE_HINT}"
           echo ""
         fi
Index: /branches/releng-9.0/nanobsd/files/usr/local/etc/wlportal/login.tmpl
===================================================================
--- /branches/releng-9.0/nanobsd/files/usr/local/etc/wlportal/login.tmpl	(revision 10181)
+++ /branches/releng-9.0/nanobsd/files/usr/local/etc/wlportal/login.tmpl	(revision 10185)
@@ -4,39 +4,32 @@
   </head>
   <body>
-<table width="100%"><tr>
-  <td><img src="/static/wl-logo.png"></td>
-  <td><h2>%(status_msg)s</h2></td>
-</tr></table>
-<hr />
-   <small><i><a href="#english">For English see bottom of this page</a></i></small>
-   <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
-   <pre>
-   A) Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn kostenloos en u hoeft zich niet aan te melden. 
-   B) U dient zich te houden aan de Nederlandse wetgeving en geen schade toe te brengen of ongemak te veroorzaken voor anderen.
-   C) De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of verband houdt met het gebruik van het netwerk.</pre>
-   <h3>Internet Toegang</h3> 
-   <p>Internetten op het Wireless Leiden netwerk kan op twee manieren:<br />
-   <small>N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.</small>
-   <ol>
-   <li>In uw browser een 'proxy' instellen. (in het algemeen sneller internet).</li>
-   <li>Gebruik maken van de iLeiden service (gemakkelijk voor mobiele apparaten).</li>
-   </ol>
+<img src="/static/wl-logo.png">
+<h2>%(status_msg)s</h2>
+    <h1>Welkom bij Wireless Leiden</h1>
+<i>For English see bottom of this page</i>
+   <h3>Internettoegang</h3> 
+   <p>U bent verbonden met het lokale Wireless Leiden network. Om te internetten moet u in uw browser een 'proxy' instellen en hieronder op 'accoord' klikken. Afhankelijk van de locatie kan het ook zonder proxy-instelling, maar de snelheid zal in het algemeen lager zijn.
+<h3>Instellen proxy in browser</h3>
+    In Firefox: ga naar Edit->Preferences->Advanced->Network->Settings.<br>
+    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
+    Gedetailleerde instructies kunt u vinden op onze <a href="http://www.wirelessleiden.nl">website</a>.
+    <p>
+N.B. U kunt alleen internetten via uw webbrowser, andere toepassingen zoals Microsoft Outlook zijn niet mogelijk. Gebruik webmail om te e-mailen.
 
+    <h3>Eerlijk gebruikmaken van Wireless Leiden</h3>
+    Het gebruik van het Wireless Leiden netwerk en de internettoegang zijn kostenloos en u hoeft zich niet aan te melden. Maar u dient zich te houden aan de Nederlandse wetgeving en geen schade toe te brengen of ongemak te veroorzaken voor anderen.<br>
+    De Stichting Wireless Leiden accepteert geen enkele aansprakelijkheid voor schade in welke vorm dan ook die is ontstaan door of verband houdt met het gebruik van het netwerk.<br>
+<b>Geef hieronder aan of u accoord gaat met deze voorwaarden:
  <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="login" />
-<input type="submit" value="I wil gebruik maken van iLeiden" style="color:#000000; background: green; font-weight: bold"/>
+<input type="submit" value="OK, accoord" style="color:#000000; background: #FF3300; font-weight: bold"/>
 </form>
 
-    <h4>Instellen proxy in browser</h4>
-    In Firefox: ga naar <em>Edit->Preferences-&gt;Advanced-&gt;Network-&gt;Settings.</em><br />
-    Handmatige proxy-configuratie: vul in HTTP proxy: proxy.wleiden.net port 3128.<br>
-    <p>
-    <small>N.B. Haal na gebruik de instellingen weer weg</small>
+</b>
 <hr>
-<a name="english"></a>
     <h1>Welcome to Wireless Leiden</h1>
    <h3>Internet access</h3> 
-   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser OR click on the button bellow.<br>
-    To set the proxy for instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
+   <p>You are connected to the local Wireless Leiden network. To use one of the gateways (proxies) to Internet you have to specify a proxy in your web browser.<br>
+    For instance in Firefox go to Edit->Preferences->Advanced->Network->Settings.<br>
     Manual proxy configuration: specify HTTP proxy: proxy.wleiden.net port 3128.<br>
     Detailed instructions can be downloaded from our <a href="http://www.wirelessleiden.nl">website</a>.
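Review bot: The `<b>` opened on the line `<b>Geef hieronder aan of u accoord gaat met deze voorwaarden:` is only closed after `</form>`, so an inline element wraps a block-level form; close it at the end of that sentence (`...deze voorwaarden:</b>`) and drop the stray `</b>` after the form. `%(status_msg)s` and `%(portalroot)s` are substituted into the markup as-is; unless the Python side HTML-escapes them before formatting, any user-influenced text in status_msg would be rendered as markup, so it is worth confirming that escaping happens in the code that renders this template. The `<img src="/static/wl-logo.png">` also lacks an `alt` attribute.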
@@ -51,5 +44,5 @@
 <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="login" />
-<input type="submit" value="OK, agreed" style="color:#000000; background: green; font-weight: bold" />
+<input type="submit" value="OK, agreed" style="color:#000000; background: #FF3300; font-weight: bold" />
 </form>
 
@@ -63,5 +56,5 @@
 <form action="http://%(portalroot)s/wlportal/" method="POST">
 <input name="action" type="hidden" value="logout" />
-<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: red; font-weight: bold"/>
+<input type="submit" value="Cancel and/or Logout" style="color:#000000; background: #FF3300; font-weight: bold"/>
 </form>
 <hr /><em>Technical Details:</em><pre>
