Context Navigation

← Previous Change
Next Change →

Changeset 10136 in hybrid for trunk/nanobsd/files/etc

Timestamp:

Mar 12, 2012, 6:32:43 AM (13 years ago)

Author:

richardvm

Message:

domme toevoeging van proxy files

Location:

trunk/nanobsd/files/etc

Files:

: 2 added
: 5 edited

crontab (modified) (1 diff)
dhclient.conf (added)
ipfw.sh (modified) (3 diffs)
ntp.conf (modified) (1 diff)
rc.conf (modified) (4 diffs)
resolv.conf (added)
sysctl.conf (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TabularUnified trunk/nanobsd/files/etc/crontab ¶

r10135	r10136
28	28	# Write updates for ntp.drift to flash
29	29	0 12 * * * root /usr/local/bin/write_ntpdrift
	30	#
	31	# Nagios checks
	32	30 * * * * root /usr/local/dense/dense.sh
	33	/15 * * * root /usr/local/sbin/check-inet-alive

TabularUnified trunk/nanobsd/files/etc/ipfw.sh ¶

-              r10135
+              r10136
 #!/bin/sh -
+# Based on /etc/rc.firewall
+#
+# Credits: Richard van Mansom, Rick van der Zwet
+# Based on /etc/rc.firewall
+allowed2internet="80,443"
+maxconnections="10"
+RFC1918_nets="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+WLNET='172.16.0.0/12'
 # Suck in the configuration variables.
 …
 esac
+###########
+# Set Internal/External Interface
+#
+driver=`echo ${internalif} | sed 's/[0-9]*//g'`
+seq=`echo ${internalif} | sed 's/[a-zA-Z]*//g'`
+if [ ${seq} = 0 ]; then
+  seq=`expr ${seq} \+ 1`
+else
+  seq=`expr ${seq} \- 1`
+fi
+externalif="$driver$seq"
+# Get interface Addresses
+externalip=`ifconfig $externalif | awk '/inet/ { print $2 }'`
+internalip=`ifconfig $internalif | awk '/inet/ { print $2 }'`
 ############
 # Flush out the list before we begin.
 …
 setup_loopback
-############
-# By default no firewalling
-${fwcmd} add 65000 pass all from any to any
-# Transproxy/WLportal/Captive portal
-${fwcmd} add 10000 allow tcp from any to localhost 80
-${fwcmd} add 10001 allow tcp from any to me 80
 ############
+# Reserved: Whitelist rule numbers
+# 10002 - 10009
+NR=10002
+  for IP in $captive_portal_whitelist; do
+  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
+  NR=`expr $NR + 1`
+# Block the hosters network (and maybe others)
+for IP in ${firewall_block}
+do
+  ${fwcmd} add deny ip from any to ${IP} in via $internalif
 done
 ############
 # Reserved: WLPortal rule numbers
+# 10010 - 10099
+# Statefull filewall in use
+${fwcmd} add check-state
+# Forward rules work without a base address, so needed a loop over all inet4 adresses
+for INF in $captive_portal_interfaces; do
+  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
+done
+# Allow anything originating from me
+${fwcmd} add allow ip from me to any keep-state
+#############
+# Outbound NAT setup
+# WL Net -> Internet
+${fwcmd} add nat 100 all from $WLNET to any out recv $internalif xmit $externalif
+${fwcmd} add nat 100 all from any to $externalip in recv $externalif
+${fwcmd} nat 100 config if $externalif
+# Subnet Internet is allowed
+${fwcmd} add allow tcp from $WLNET to any $allowed2internet in via $internalif setup limit src-addr $maxconnections
+#############
+# Internal Network -> WL Net
+# Inbound NAT setup, to allow proxy device to be used gateway from Internal Network to WL
+${fwcmd} add nat 200 all from $RFC1918_nets to $WLNET out recv $externalif xmit $internalif
+${fwcmd} add nat 200 all from $WLNET to $internalip in recv $internalif
+${fwcmd} nat 200 config if $internalif
+# Allow all traffic inbound
+${fwcmd} add allow all from $RFC1918_nets to $WLNET in recv $externalif keep-state
+#############
+## Services in use
+## Allow on external interface
+external_allow_tcp="ssh"
+${fwcmd} add allow tcp from any to me $external_allow_tcp via $externalif setup keep-state
+## Allow on internal interface
+internal_allow_tcp="ssh,domain,3128"
+internal_allow_udp="ntp,domain,snmp,12345"
+${fwcmd} add allow udp from $WLNET to me ${internal_allow_udp} via $internalif keep-state
+${fwcmd} add allow tcp from $WLNET to me ${internal_allow_tcp} via $internalif setup keep-state
+# Basic ICMP managment traffic
+${fwcmd} add allow icmp from any to me icmptype 8
+${fwcmd} add allow icmp from me to any icmptype 3,4,11
+#############
+# Block anything else
+${fwcmd} add 65000 deny log logamount 500 ip from any to any

TabularUnified trunk/nanobsd/files/etc/ntp.conf ¶

-              r10135
+              r10136
 #XXX: Might need to be dynamic
+server 172.17.8.68    # proxy1
+server 172.17.143.4   # proxy2
+server 172.20.128.98  # proxy3
+server 172.16.2.254   # proxy4
+server 172.19.168.66  # proxy5
+server 172.16.3.146   # proxy6
+server 172.17.16.66   # proxy62
+server 172.17.0.1     # proxy7
+server 172.16.4.54    # proxy9
+server 172.22.0.66    # proxy10
+server 172.23.25.66   # proxy11
+server 172.16.3.98    # proxy13
+server 172.17.169.66  # proxy97
+# server 172.17.8.68    # proxy1
+# server 172.17.143.4   # proxy2
+# server 172.20.128.98  # proxy3
+# server 172.19.137.67  # proxy4
+# server 172.19.168.66  # proxy5
+#XXX: All it's local nighboor addresses
+# server proxy1.wleiden.net #   autokey
+# server proxy2.wleiden.net #   autokey
+# server proxy3.wleiden.net #   autokey
+server 0.nl.pool.ntp.org
+server 1.nl.pool.ntp.org
+server 2.nl.pool.ntp.org
+server 3.nl.pool.ntp.org
+  #     In case machine get hooked to internet (and got working dns)
 # and if all failes - use our local crummy clock

TabularUnified trunk/nanobsd/files/etc/rc.conf ¶

-              r10135
+              r10136
 dumpdev="NO"                    # No kernel dumps as we don't have a place to
                                 # store them
 gateway_enable="YES"            # Act like a gateway please
+gateway_enable="NO"             # Do NOT act like a gateway
 ipv6_enable="NO"                # No IPv6 support for now, near feature... ;-)
-# Firewall needed for port redirection (captive portal, splash screen)
-firewall_enable="YES"
-firewall_script="/etc/ipfw.sh"
 # NTP server needs working config with WL network or internet on boot
 …
 # Don't let syslog accept input from other remote hosts
 syslogd_enable="YES"
 syslogd_flags="-s -A -c"
+syslogd_flags="-s -A -c -b 127.0.0.1"
 # Remote login without DNS checking as it might not also be functionable
 …
 update_nanobsd_motd="YES"
-## Port extentions
-# Serve our clients some pretty cool IP address to at least get connected
-# Also some low-memory footprint dns resolver
-dnsmasq_enable="YES"
 # Monitoring deamons
 nrpe2_enable="YES"
 …
 snmpd_flags="-a -LF w /var/log/snmpd.log"
 # Some nodes will serve as HTTP(S) proxy server
 tinyproxy_enable="NO"
+# HTTP(S) proxy server
+tinyproxy_enable="YES"
+## WL ports extentions
+thttpd_enable="YES"
+http302_enable="YES"
+lvrouted_enable="YES"
+lvrouted_flags="-u -s s00p3rs3kr3t -m 28 -z 172.16.2.254,172.17.0.1,172.23.25.66,172.17.169.66"
+# Nameserver for internet and wleiden.net
+maradns_enable="YES"
+dnsmasq_enable="NO"
+fetchzone_enable="YES"
 # Make sure generated ssh keys are saved
 nanobsd_save_sshkeys_enable="YES"
-# Do some cool stuff with pen, like checking on best connections and reload, so
-# need a wrapper instead of the conventional startup script
-pen_wrapper_enable="YES"
-## Initial (network) configuration
+#
-hostname="ChangeMe.example.org"
-# XXX: Maybe something cool (zero config) as initial configuration
-## Iperf server mode
+#
-iperf_enable="YES"

TabularUnified trunk/nanobsd/files/etc/sysctl.conf ¶

-              r10135
+              r10136
+# Value depends on link radio with estimated range of 500m, which seems to be a
+# maximum usage of our Omni Antenna's. Calculation used:
+#   (remember radio signals travel with 300m/s)
+#   acktimeout = 23 + (link_length * 2 / 300)
+dev.ath.0.slottime=23
+dev.ath.0.acktimeout=27
+dev.ath.0.ctstimeout=27
+net.link.ether.inet.max_age=300
+#XXX: Might needs to be dynamic as value depends on link length
+# Turned of since it is highly unlikely that a proxy will use a wlan interface
+# dev.ath.0.acktimeout=35
+# dev.ath.1.acktimeout=35
+# dev.ath.2.acktimeout=35

Note: See TracChangeset for help on using the changeset viewer.