Changeset 10136 in hybrid

Timestamp:

Mar 12, 2012, 6:32:43 AM (13 years ago)

Author:

richardvm

Message:

domme toevoeging van proxy files

Location:

trunk/nanobsd/files

Files:

• boot/loader.conf (modified) (1 diff)
• etc/crontab (modified) (1 diff)
• etc/dhclient.conf (added)
• etc/ipfw.sh (modified) (3 diffs)
• etc/ntp.conf (modified) (1 diff)
• etc/rc.conf (modified) (4 diffs)
• etc/resolv.conf (added)
• etc/sysctl.conf (modified) (1 diff)
• tools/nsdc-rebuild.sh (added)
• tools/update-file (added)
• tools/wl-config (modified) (9 diffs)
• usr/local/bin/fetchzone (added)
• usr/local/bin/pen_wrapper (modified) (1 diff)
• usr/local/etc/mararc (added)
• usr/local/etc/nrpe.cfg (modified) (1 diff)
• usr/local/etc/rc.d/fetchzone (added)
• usr/local/etc/rc.d/inet (added)
• usr/local/etc/rc.d/maradns (added)
• usr/local/etc/rc.d/nsd (added)
• usr/local/etc/rc.d/wlportal (added)
• usr/local/etc/tinyproxy.conf (modified) (3 diffs)
• usr/local/etc/tinyproxy.filter (added)
• usr/local/sbin/check-inet-alive (added)
• usr/local/sbin/fetchzone.sh (added)
• usr/local/sbin/inet (added)
• usr/local/share/snmp/snmpd.conf (modified) (2 diffs)

trunk/nanobsd/files/boot/loader.conf

@@ -20 +20 @@
 # Force output to run trough the comconsole, no exceptions
 console="comconsole"
-
-# moduleis for usb-lan adapters
-if_mos_load="YES"
-if_axe_load="YES"
-if_aue_load="YES"
-
-

trunk/nanobsd/files/etc/crontab

@@ -28 +28 @@
 # Write updates for ntp.drift to flash
 0       12      *       *       *       root    /usr/local/bin/write_ntpdrift
+#
+# Nagios checks
+30      *       *       *       *       root    /usr/local/dense/dense.sh
+*/15    *       *       *       *       root    /usr/local/sbin/check-inet-alive

trunk/nanobsd/files/etc/ipfw.sh

@@ -1 +1 @@
 #!/bin/sh -
+# Based on /etc/rc.firewall
+#
+# Credits: Richard van Mansom, Rick van der Zwet
 
-# Based on /etc/rc.firewall
+
+allowed2internet="80,443"
+maxconnections="10"
+
+RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+WLNET='172.16.0.0/12'
 
 # Suck in the configuration variables.
@@ -34 +42 @@
 esac
 
+###########
+# Set Internal/External Interface
+#
+driver=`echo ${internalif} | sed 's/[0-9]*//g'`
+seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+
+if [ ${seq} = 0 ]; then
+  seq=`expr ${seq} \+ 1`
+else
+  seq=`expr ${seq} \- 1`
+fi
+
+externalif="$driver$seq"
+
+# Get interface Addresses
+externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
+internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
 ############
 # Flush out the list before we begin.
@@ -41 +66 @@
 setup_loopback
 
-############
-
-# By default no firewalling
-${fwcmd} add 65000 pass all from any to any
-
-# Transproxy/WLportal/Captive portal
-${fwcmd} add 10000 allow tcp from any to localhost 80
-${fwcmd} add 10001 allow tcp from any to me 80
 
 ############
-# Reserved: Whitelist rule numbers
-# 10002 - 10009
-NR=10002
-  for IP in $captive_portal_whitelist; do
-  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
-  NR=`expr $NR + 1`
+# Block the hosters network (and maybe others)
+for IP in ${firewall_block}
+do
+  ${fwcmd} add deny ip from any to ${IP} in via $internalif
 done
 
 ############
-# Reserved: WLPortal rule numbers
-# 10010 - 10099
+# Statefull filewall in use
+${fwcmd} add check-state
 
-# Forward rules work without a base address, so needed a loop over all inet4 adresses
-for INF in $captive_portal_interfaces; do
-  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
-done
+# Allow anything originating from me
+${fwcmd} add allow ip from me to any keep-state
+
+
+#############
+# Outbound NAT setup
+# WL Net -> Internet
+${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
+${fwcmd} add nat 100 all from any to $externalip in recv $externalif
+${fwcmd} nat 100 config if $externalif
+
+# Subnet Internet is allowed
+${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
+
+
+#############
+# Internal Network -> WL Net
+# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
+${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
+${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
+${fwcmd} nat 200 config if $internalif
+
+# Allow all traffic inbound
+${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
+
+
+#############
+## Services in use
+## Allow on external interface
+external_allow_tcp="ssh"
+${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
+
+## Allow on internal interface
+internal_allow_tcp="ssh,domain,3128"
+internal_allow_udp="ntp,domain,snmp,12345"
+${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
+${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
+
+# Basic ICMP managment traffic
+${fwcmd} add allow icmp from any to me icmptype 8
+${fwcmd} add allow icmp from me to any icmptype 3,4,11
+
+
+#############
+# Block anything else
+${fwcmd} add 65000 deny log logamount 500 ip from any to any
+

trunk/nanobsd/files/etc/ntp.conf

@@ -1 +1 @@
 #XXX: Might need to be dynamic
 
-server 172.17.8.68    # proxy1
-server 172.17.143.4   # proxy2
-server 172.20.128.98  # proxy3
-server 172.16.2.254   # proxy4
-server 172.19.168.66  # proxy5
-server 172.16.3.146   # proxy6
-server 172.17.16.66   # proxy62
-server 172.17.0.1     # proxy7
-server 172.16.4.54    # proxy9
-server 172.22.0.66    # proxy10
-server 172.23.25.66   # proxy11
-server 172.16.3.98    # proxy13
-server 172.17.169.66  # proxy97
+# server 172.17.8.68    # proxy1
+# server 172.17.143.4   # proxy2
+# server 172.20.128.98  # proxy3
+# server 172.19.137.67  # proxy4
+# server 172.19.168.66  # proxy5
+
+#XXX: All it's local nighboor addresses
+
+# server proxy1.wleiden.net #   autokey
+# server proxy2.wleiden.net #   autokey
+# server proxy3.wleiden.net #   autokey
+server 0.nl.pool.ntp.org
+server 1.nl.pool.ntp.org
+server 2.nl.pool.ntp.org
+server 3.nl.pool.ntp.org
+  #     In case machine get hooked to internet (and got working dns)
+
+
 
 # and if all failes - use our local crummy clock

trunk/nanobsd/files/etc/rc.conf

@@ -2 +2 @@
 dumpdev="NO"                    # No kernel dumps as we don't have a place to
                                 # store them 
-gateway_enable="YES"            # Act like a gateway please
+gateway_enable="NO"             # Do NOT act like a gateway 
 ipv6_enable="NO"                # No IPv6 support for now, near feature... ;-)
-
-# Firewall needed for port redirection (captive portal, splash screen)
-firewall_enable="YES"
-firewall_script="/etc/ipfw.sh"
 
 # NTP server needs working config with WL network or internet on boot
@@ -21 +17 @@
 # Don't let syslog accept input from other remote hosts
 syslogd_enable="YES"
-syslogd_flags="-s -A -c"
+syslogd_flags="-s -A -c -b 127.0.0.1"
 
 # Remote login without DNS checking as it might not also be functionable
@@ -34 +30 @@
 update_nanobsd_motd="YES"
 
-## Port extentions
-# Serve our clients some pretty cool IP address to at least get connected
-# Also some low-memory footprint dns resolver
-dnsmasq_enable="YES"
-
 # Monitoring deamons
 nrpe2_enable="YES"
@@ -44 +35 @@
 snmpd_flags="-a -LF w /var/log/snmpd.log"
 
-# Some nodes will serve as HTTP(S) proxy server
-tinyproxy_enable="NO"
+# HTTP(S) proxy server
+tinyproxy_enable="YES"
 
-## WL ports extentions
-thttpd_enable="YES"
-http302_enable="YES"
-
-lvrouted_enable="YES"
-lvrouted_flags="-u -s s00p3rs3kr3t -m 28 -z 172.16.2.254,172.17.0.1,172.23.25.66,172.17.169.66"
+# Nameserver for internet and wleiden.net
+maradns_enable="YES"
+dnsmasq_enable="NO"
+fetchzone_enable="YES"
 
 # Make sure generated ssh keys are saved 
 nanobsd_save_sshkeys_enable="YES"
 
-# Do some cool stuff with pen, like checking on best connections and reload, so
-# need a wrapper instead of the conventional startup script
-pen_wrapper_enable="YES"
-
-## Initial (network) configuration
-#
-hostname="ChangeMe.example.org"
-# XXX: Maybe something cool (zero config) as initial configuration
-
-## Iperf server mode
-#
-iperf_enable="YES"

trunk/nanobsd/files/etc/sysctl.conf

@@ -1 @@
-# Value depends on link radio with estimated range of 500m, which seems to be a
-# maximum usage of our Omni Antenna's. Calculation used: 
-#   (remember radio signals travel with 300m/s)
-#   acktimeout = 23 + (link_length * 2 / 300)
-dev.ath.0.slottime=23
-dev.ath.0.acktimeout=27
-dev.ath.0.ctstimeout=27
-net.link.ether.inet.max_age=300
+#XXX: Might needs to be dynamic as value depends on link length
+# Turned of since it is highly unlikely that a proxy will use a wlan interface
+# dev.ath.0.acktimeout=35
+# dev.ath.1.acktimeout=35
+# dev.ath.2.acktimeout=35

trunk/nanobsd/files/tools/wl-config

@@ -1 +1 @@
 #!/bin/sh
-# Wireless Leiden config-update script for FreeBSD 8.0 (nanobsd)
+# Wireless Leiden proxy config-update script for FreeBSD 8.0 (nanobsd)
 # Based on the 'API' of Jasper
-# Rick van der Zwet
+# Rick van der Zwet ; Richard van Mansom
 # XXX: TODO, some proper error checking for fetch
 
-
-# Slow connection = no connection
-export HTTP_TIMEOUT=3
-
-
-check_access() {
-  # Direct Access - Internal IP 
-  BASEURL="http://172.16.4.46/wleiden/config/"
-  echo "# INFO: Trying to fetch via internal WL $BASEURL"
-  fetch -o /dev/null -q $BASEURL > /dev/null && return
-  echo "# WARN: Fetch via internal $BASEURL failed"
-  
-  # Direct Access - External DNS
-  BASEURL="http://132.229.112.21/wleiden/config/"
-  echo "# INFO: Trying to fetch via external $BASEURL"
-  fetch -o /dev/null -q $BASEURL > /dev/null && return
-  echo "# CRIT: Fetch via external $BASEURL failed"
-
-  exit 1
-}
-check_access
-
+BASEURL="http://132.229.112.21/config/iris/proxy/FreeBSD/8.0-RELEASE/g_list.pl"
 
 # Default config to fetch
-CONFIG=`hostname -s`
+CONFIG=`hostname -s | tr '[A-Z]' '[a-z]'`
 
 # Determine it's statup and running location and some other hints
 # Skip named.conf as it not planned in current release
-FILES="authorized_keys dnsmasq.conf rc.conf.local resolv.conf motd wleiden.yaml"
+FILES="authorized_keys rc.conf.local resolv.conf"
 file_details() {
   case "$1" in 
@@ -40 +19 @@
      RUNNING_LOC="/etc/dot_ssh/${FILE}"
      FILE_HINT=""
-   ;;
-  'motd')
-     STARTUP_LOC="/cfg/$1"
-     RUNNING_LOC="/etc/$1"
-     FILE_HINT=""
-   ;;
-  'dnsmasq.conf')
-     STARTUP_LOC="/cfg/local/${FILE}"
-     RUNNING_LOC="/etc/local/${FILE}"
-     FILE_HINT="/usr/local/etc/rc.d/dnsmasq restart"
-   ;;
-  'named.conf')
-     STARTUP_LOC="/cfg/namedb/${FILE}"
-     RUNNING_LOC="/etc/namedb/${FILE}"
-     FILE_HINT="/etc/rc.d/named restart"
    ;;
   'rc.conf.local')
@@ -66 +30 @@
      FILE_HINT=""
    ;;
-   'wleiden.yaml')
-     STARTUP_LOC="/cfg/local/${FILE}"
-     RUNNING_LOC="/etc/local/${FILE}"
-     FILE_HINT=""
-   ;;
   esac
 }
@@ -77 +36 @@
         (
         echo "Usage: $0 [-bn] [-c <config>] [-m <all|startup|testing|running>]"
-        echo "  -b          = batch mode, no user input"
-        echo "  -c <config> = default configuration to fetch"
-        echo "  -n          = do not mount config partition"
-        echo "  -m all      = copy config files to running & config partition [default]"
-        echo "  -m startup  = copy config files to config partition"
-        echo "  -m testing  = do not copy config files"
-        echo "  -m running  = copy config files to running partition"
-        echo "  -m hack     = copy running files to config partition"
+        echo "  -b              batch mode, no user input"
+        echo "  -c <config>     default configuration to fetch"
+        echo "  -n              do not mount config partition"
+        echo "  -m all          copy config files to running & config partition [default]"
+        echo "  -m startup      copy config files to config partition"
+        echo "  -m testing      do not copy config files"
+        echo "  -m running      copy config files to running partition"
+        echo "  -m hack         copy  running files to config partition"
         ) 1>&2
         exit 2
@@ -121 +80 @@
   
   if [ "${OPT_RUNNING}" -eq 1 ]; then
-    echo "# INFO: Storing new config files in running configuration"
+    echo "INFO: Storing new config files in running configuration"
   fi
   
   if [ "${OPT_STARTUP}" -eq 1 ]; then
-    echo "# INFO: Storing new config files in startup configuration"
+    echo "INFO: Storing new config files in startup configuration"
   fi
   
   if [ "${OPT_HACK}" -eq 1 ]; then
-    echo "# WARN: Copy running configuration to startup configuration"
-    echo "# WARN: Please do mind to document/mention this changes somewhere"
+    echo "WARN: Copy running configuration to startup configuration"
+    echo "WARN: Please do mind to document/mention this changes somewhere"
   fi
 
@@ -148 +107 @@
   else 
      echo "WARNING: Input '${INPUT}' is not valid, some hints..."
-     grep -i "${INPUT}" ${TMPDIR}/node_list.txt
+     grep "${INPUT}" ${TMPDIR}/node_list.txt
      return 1
   fi  
@@ -197 +156 @@
 # Copy file, saving some bits if no change needed
 copy_file() {
-  NEWFILE=$1
+  SOURCE=$1
   TARGET=$2
-  diff -I '^# Generated at ' ${TARGET} ${NEWFILE} 2>/dev/null
+  diff -q ${SOURCE} ${TARGET} >/dev/null 2>/dev/null
   if [ $? -ne 0 ]; then
     mkdir -p `dirname ${TARGET}` || exit 1
-    cp ${NEWFILE} ${TARGET} || exit 1
+    cp ${SOURCE} ${TARGET} || exit 1
     return $?
   fi
@@ -241 +200 @@
     file_details ${FILE}
   
-    echo "# INFO: Working on file: '${FILE}'"
+    echo "INFO: Working on file: '${FILE}'"
     # Copy file boot location
     if [ ${OPT_STARTUP} -eq 1 ]; then
@@ -251 +210 @@
       copy_file ${FRESH_LOC} ${RUNNING_LOC}
       if [ $? -eq 0 ]; then
-        echo "# INFO: '${FILE}' changed"  
+        echo "INFO: '${FILE}' changed"  
         if [ -n "${FILE_HINT}" ]; then
-          echo "# INFO: For instant activate: ${FILE_HINT}"
+          echo "INFO: For instant activate: ${FILE_HINT}"
           echo ""
         fi

trunk/nanobsd/files/usr/local/bin/pen_wrapper

@@ -9 +9 @@
 
 #XXX: Really static list, some dynamic alternative prefered
-PROXY_LIST="${3-172.17.8.68:3128   \
-                172.17.143.4:3128  \
-                172.20.128.98:3128 \
-                172.16.2.254:3128  \
-                172.19.168.66:3128 \
-                172.16.3.146:3128  \
-                172.17.16.66:3128  \
-                172.17.0.1:3128    \
-                172.16.4.54:3128   \
-                172.22.0.66:3128   \
-                172.23.25.66:3128  \
-                172.17.169.66:3128}"
+PROXY_LIST="${3-172.17.8.68:3128 172.17.143.4:3128 172.20.128.98:3128 172.16.2.254:3128 172.19.168.66:3128}"
 
 

trunk/nanobsd/files/usr/local/etc/nrpe.cfg

@@ -7 +7 @@
 command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
 command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
-command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 15% -c 10% -p /
+command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 20% -c 10% -p /
 command[check_disk2]=/usr/local/libexec/nagios/check_disk -w 20% -c 10% -p /var
 command[check_procs]=/usr/local/libexec/nagios/check_procs -w 55 -c 70
-command[check_inet]=/usr/local/libexec/nagios/check_inet
-command[check_inet2]=/usr/local/libexec/nagios/check_inet2
-command[check_lv]=/usr/local/libexec/nagios/check_lv
+

trunk/nanobsd/files/usr/local/etc/tinyproxy.conf

@@ -80 +80 @@
 # output, but Notice and below would be suppressed.
 #
-LogLevel Info
+LogLevel Warning
 
 #
@@ -181 +181 @@
 # The location of the filter file.
 #
-#Filter "/etc/tinyproxy/filter"
+Filter "/usr/local/etc/tinyproxy.filter"
 
 #
@@ -206 +206 @@
 # deny everything which is _not_ specifically allowed by the filter file.
 #
-#FilterDefaultDeny Yes
+FilterDefaultDeny No
 
 #

trunk/nanobsd/files/usr/local/share/snmp/snmpd.conf

@@ -47 +47 @@
 
 #    name         max min
-proc lvrouted.opt 1   1
 proc sshd         8   1
 proc syslogd      1   1
 proc ntpd         1   1
 proc snmpd        1   1
-proc dhcpd        1   1
-proc pen          1   1
 proc cron         2   1
-proc named        1   1
 
 
@@ -80 +76 @@
 
 pass_persist .1.3.6.1.4.1.21695.1.2 /usr/local/sbin/dhcpd-snmp /usr/local/etc/dhcpd-snmp.conf
-
-extend .1.3.6.1.4.1.2021.61 nagios-www /usr/local/sbin/proxy-test.sh
-extend .1.3.6.1.4.1.2021.62 nagios-routing /usr/local/sbin/lvrouted-test.sh
-
-extend .1.3.6.1.4.1.2021.70 dhcp-users /bin/sh -c "/bin/cat /var/db/dnsmasq.leases \| awk '{ print $1,$2,$3 }'"
-extend .1.3.6.1.4.1.2021.71 portal-users /bin/sh -c "/bin/cat /var/db/clients \| awk '{ print $1,$2,$3 }'"
-extend .1.3.6.1.4.1.2021.72 arp-users /bin/sh -c "/bin/cat /var/db/connect.gone \| awk '{ print $1,$2,$3 }'"
-
-extend wl-release /bin/cat /tools/wl-release.txt
-extend wl-version /usr/bin/awk 'BEGIN{FS=": "}/^URL:/ {u=$2}; /^Last Changed Rev:/ {r=$2}; END{print u"@"r}' /tools/wl-release.txt
-