#!/bin/sh
#
# This is wibsd.conf - a file full of useful variables that you can
# set to change the default startup behavior of your WiBSD system. You
# should never edit this file! Put any overrides into the /etc/rc.conf
# file instead and you will be able to update these defaults later
# without clobbering your local configuration.
#
# IMPORTANT: this file sets reasonable default values for WiBSD system
# and that system only. IT HAS NOTHING TO DO WITH PROJECTS LIKE MyNet,
# Backup-box OR WHATEVER ELSE.
#
# A few variables here are not new to FreeBSD but they just change
# default values set in /etc/defaults/rc.conf; examples of such
# variables are 'sshd_enable' or 'gateway_enable'.
#
# All arguments must be in double or single quotes.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#
#
#===========================================================================
# common_stuff plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#===========================================================================
#
#---------------------------------------------------------------------------
# various settings considered common for all WiBSD images which
# are just overrides of those in /etc/defaults/rc.conf.
#---------------------------------------------------------------------------
# IP forwarding between interfaces is on by default; the images are meant
# to act as routers (see the firewall sections below)
gateway_enable="YES"
sshd_enable="YES"
# -u0: zero-length utmp host-name field, so sshd records the client's
# numeric address instead of a resolved name (see sshd(8))
sshd_flags="-u0"
# only honour NFS requests that come from a reserved (privileged) port
nfs_reserved_port_only="YES"
# no local MTA at all (neither listening nor queue-only)
sendmail_enable="NONE"
# not needed on a headless router image
usbd_enable="NO"
inetd_enable="NO"
portmap_enable="NO"
update_motd="NO"
# if set to YES, you automatically use WiBSD's /etc/pccard.conf which is
# full of various wi-fi card definitions not found in system wide
# /etc/defaults/pccard.conf
pccard_enable="NO"
# do not start syslog daemon from /etc/rc script because we do not have
# syslog.conf yet, it's to be generated yet (and patching rc script to do it
# is a bad idea). See syslog section below for more information.
syslogd_enable="NO"
# WiBSD is tuned for SBC computers that mostly have no VGA output, so set
# blanktime to NO to get rid of annoying "cannot open /dev/ttyv0" error
# message during the boot
blanktime="NO"
# flags used when the WiBSD syslog section (below) starts syslogd:
# -s: secure mode, do not accept log messages from the network (sending
#     to a remote server is unaffected)
# -vv: prefix every logged message with its facility and priority
# -m 1440: write a MARK line once a day (every 1440 minutes) so that we
#     can see that remote logging really works
syslogd_flags="-svv -m 1440"
#
#---------------------------------------------------------------------------
# various system stuff
#---------------------------------------------------------------------------
# create more bpf interfaces since FreeBSD's default number of 4 as in
# 4.10-RELEASE may not be enough for specific situations like dhcp on
# multiple vlans. Note that a number less than FreeBSD's default value doesn't
# mean that existing bpf interfaces will be removed - you can only increase
# the number of bpf interfaces in the system.
bpf_interfaces="8"
#
# create memory disks. Note that we use vn(4) driver on 4.x systems, not
# obsolete mfs(8).
# 'memory_disks' lists disk names; per the commented example, each name
# NAME is then described by memory_disk_size_NAME and
# memory_disk_mount_point_NAME.
memory_disks=""
#memory_disks="logs test"
# size is always in KiloBytes
#memory_disk_size_logs="2048"
#memory_disk_mount_point_logs="/mnt/logs"
#memory_disk_size_test="512"
#memory_disk_mount_point_test="/mnt/test"
#
#---------------------------------------------------------------------------
# /etc/hosts configuration
#---------------------------------------------------------------------------
# generate /etc/hosts at boot. 'etc_hosts_lines' lists entry names; each
# name NAME takes its content from etc_hosts_line_NAME (the same
# list-plus-per-item scheme the other generated files in this file use).
etc_hosts_enable="YES"
etc_hosts_lines="localhost"
etc_hosts_line_localhost="127.0.0.1 localhost"
#
#
#---------------------------------------------------------------------------
# resolv.conf section
#---------------------------------------------------------------------------
# /etc/resolv.conf configuration. We use free public DNS service as a
# reasonable default. Be prepared that those nameservers may not operate at
# all, it's just a free public service... For more information see
# http://www.opennic.unrated.net/public_servers.html.
#
# NOTE(review): until overridden, every name lookup on the box goes to
# these third-party resolvers and the search domain defaults to the
# project's own domain; set 'resolv_conf_nameservers' (and
# 'resolv_conf_search') in /etc/rc.conf to resolvers you operate or trust.
resolv_conf_enable="YES"
resolv_conf_nameservers="199.5.157.128 219.127.89.34"
resolv_conf_search="wibsd.cz"
#
#---------------------------------------------------------------------------
# syslog section
#---------------------------------------------------------------------------
# create syslog.conf and then start syslogd
syslogd_wibsd_enable="YES"
# if set to NO, you can use your own cooked config file typically stored on a
# flashcard; you must use FreeBSD's variable 'syslogd_flags' to force
# syslogd to use that config file.
syslogd_generate_config_file="YES"
# print some messages on console (it's standard in FreeBSD) and print all
# messages to /var/log/messages. This configuration relies on a reasonable
# newsyslog default configuration also defined in this file.
# Each name in 'syslogd_conf_lines' becomes one syslog.conf line taken
# from syslogd_conf_line_NAME (selector, whitespace, action).
syslogd_conf_lines="console messages"
syslogd_conf_line_console="*.err;kern.debug;auth.notice;mail.crit /dev/console"
syslogd_conf_line_messages="*.* /var/log/messages"
#
#---------------------------------------------------------------------------
# newsyslog section
#---------------------------------------------------------------------------
# it's good not to completely rely on a remote syslog server. So by default
# we keep a small amount of log messages on the box itself. We rely on the
# fact that default crontab section (or at least the newsyslog line) is
# present, which is default in this file. See below.
#
# NOTE: following fields can't be set in generated newsyslog.conf (used
# value is in parentheses): owner:group (root:wheel), mode (600), when (*),
# flags (Z)
#
# if you use standard default crontab section (which is a default behaviour,
# see 'crontab_add_default_section' and rc.d/02.crontab.sh script),
# newsyslog is run every 5 minutes. This should hopefully prevent exhausting
# of all memory due to some erroneously running program filling up the
# message log.
newsyslog_conf_enable="YES"
newsyslog_conf_lines="messages"
# 100KB is a reasonable default that can hold approx. 1000 lines and doesn't
# consume much memory. One rotation is sustainable.
# fields: log file, number of rotated copies to keep, size limit in KB
newsyslog_conf_line_messages="/var/log/messages 1 100"
#
#---------------------------------------------------------------------------
# crontab section
#---------------------------------------------------------------------------
# make /etc/crontab file during system start up; probably you will never
# need to change this to "NO"; if you do that, YOU BETTER KNOW WHAT YOU ARE
# DOING SINCE WiBSD USES /etc/crontab FOR SOME SYSTEM SPECIFIC STUFF.
crontab_enable="YES"
# stuff like atrun, adjkerntz, newsyslog etc.; see rc.d/02.crontab.sh for
# more information; I cannot imagine a situation where setting this to "NO"
# would be any good.
crontab_add_default_section="YES"
#
# you can add as many crontab lines as you want. AND ALWAYS USE THIS:
#
# crontab_lines="$crontab_lines <your_stuff>"
#
# IN YOUR /etc/rc.conf IF YOU WANT TO CHANGE /etc/crontab !!! THIS
# wibsd.conf FILE CAN SET THIS VARIABLE SEVERAL TIMES FOR WiBSD SYSTEM
# SPECIFIC STUFF AND OMITTING THAT MAY GET YOU INTO SERIOUS TROUBLE.
# (the smart_router and srmgmt plugins further down append to it this way)
#
#crontab_lines="ntp xxx"
crontab_lines="ntp"
crontab_line_ntp_comment="time synchronization via NTP protocol"
# runs as root at minute 1 of every hour; -s sends ntpdate's output to
# syslog, -u uses an unprivileged source port (see ntpdate(8)). Override
# the server in /etc/rc.conf if you do not want to depend on this public one.
crontab_line_ntp="1 * * * * root /usr/sbin/ntpdate -su ntp.vol.cz"
#
#---------------------------------------------------------------------------
# motd section
#---------------------------------------------------------------------------
# make /etc/motd file. Our default motd file consists of three parts, you
# can redefine each of them independently.
etc_motd_enable="YES"
# the backtick substitutions below are executed every time this file is
# sourced by sh, so the banner reflects the box at that moment. The ^[
# sequences are presumably the raw ESC byte of ANSI colour codes - TODO
# confirm the file really holds ESC and not the two characters '^' '['.
etc_motd_banner="`uname -wsrpn`\n\n^[[0;32mThis is WiBSD Project (http://www.wibsd.cz).^[[1;0m\n"
etc_motd_version="`build=/etc/builddate.txt; [ -r $build ] && echo -n 'build date: ' && cat $build`\nsee /etc/imagename.txt for exact image configuration.\n"
# multi-line literal; the embedded newlines are part of the value
etc_motd_news="WiBSD specifics: upgrade, ver, (ro|rw)remount, (check-|)reboot,
srmgmt(d|)
3rd party sw: bash, dhcpd, iftop, links, nmap, pptp(d|), snmpd,
thttpd, ttcp, vim, openvpn
configuration system: /etc/defaults/wibsd.conf
documentation: see /home/wibsd/doc/"
#
#---------------------------------------------------------------------------
# some system executables (FBSD uses "xxx_program" for this stuff so keep it
# that way)
#---------------------------------------------------------------------------
# absolute paths, so the WiBSD scripts do not depend on PATH during boot
ipfw_program="/sbin/ipfw"
ifconfig_program="/sbin/ifconfig"
arp_program="/usr/sbin/arp"
wicontrol_program="/usr/sbin/wicontrol"
reboot_program="/sbin/reboot"
#
#---------------------------------------------------------------------------
# generic firewall section (prefix "fw_")
#---------------------------------------------------------------------------
# generate WiBSD firewall during the boot phase; the firewall covers all
# common things any router can need. All other applications generating their
# own firewall rules (eg. srmgmtd) must support this template. They should
# use their own ruleset if possible.
# Disabled by default: with NO, the rest of this section and the ipfw
# section below are presumably not applied at all.
fw_enable="NO"
#
# so far, we have only one supported template firewall, but we are ready
# that another firewall will come (probably PF). Based on this fact we
# require 'fw_type' to be always set in /etc/rc.conf. Note that generic ipfw
# firewall uses ruleset 0 for its rules and it cannot be changed other way
# than changing the script itself.
fw_type=""
#fw_type="ipfw"
#
# include comment sections into the firewall (GOOD!); note that warning
# comments are ALWAYS injected into the firewall
fw_comments="YES"
#
# do not be verbose during fw processing; setting this is for debugging the
# firewall startup script and useful probably for developers only
fw_verbose="NO"
#
# WAN interface for natd and other services, use space as separators
fw_wan_interface=""
#
# IP address for various administrative tasks (servers like Cisco loopback
# IP) for billing, monitoring etc. If not set, WAN IP will be used.
fw_admin_ip=""
#
# if firewall script encounters any problems with configuration, it can
# (depending on firewall system) install warning comment rules so that those
# errors become evident. You can define if those messages should have some
# easy to spot label.
fw_warning_label=" [WARN]"
#
#
# client LAN interfaces for dhcp and other services, use space as
# separators. NOTE: this variable is for routers ONLY since we permit
# everything going through those LAN interfaces as opposed to smart-routers,
# where we install pipes; for smart routers use
# 'srmgmt_ap_fw_client_interfaces' (defined in the srmgmt plugin below)
fw_client_interfaces=""
#
# blocks for client interfaces for fixed lines and translated via NAT. You
# can use block definition like '10.0.0.0/24' (aka ,,simple'' block) or you
# can define names for blocks and use those names instead of dot notation
# (so called ,,feature'' blocks). See definition of feature blocks below
# about how you can make use of those blocks.
fw_private_client_blocks=""
#
# blocks for client interfaces - typically for fixed lines, not translated
# via NAT. Those blocks are automatically skipped after the NAT divert rule
# (see firewall docs in /home/wibsd/doc and variables
# 'ipfw_fw_section_skip_public_client_traffic_*' for more info). You can use
# simple or feature blocks; see variable 'fw_private_client_blocks' for
# explanation of existing types of blocks.
fw_public_client_blocks=""
#
# definition of ,,feature'' blocks. Feature block is just a common address
# block (IP address of network and mask) PLUS some additional options. Those
# options are extendable and needn't be present at all. Basic rule is that
# wherever you could use normal block in dot notation (,,simple'' block),
# you can use a feature block. Additional options for that block are used
# according to the context within which the block is used.
#
# 'evil' is a reference feature block; it is defined unconditionally here
# but presumably has no effect until some *_client_blocks variable refers
# to it by name.
fw_block_evil="6.6.6.0/24"
# for pipe definitions and usage, see "pipes" section below
fw_block_evil_pipe="big"
#
# generic way to allow access to the box. Define various services via
# 'fw_allowed_access' and then define particular variable for each of such
# service. Format of those particular service variables is as follows:
#
# use ':' to separate fields
# use space to separate words inside a field
#
# --> 1st field is a host(s)/block(s)
# --> 2nd is ONE protocol (tcp/udp/gre are supported at this time and it
# must of course make sense with other fields, eg. I don't check if you set
# port for ip protocol)
# --> 3rd is a port (ports)
# --> 4th is a possible option (meant for setup/keep-state only, but you can
# experiment)
# --> 5th field (if nonempty) says whether the rule should be limited for
# WAN interface only ("via $fw_wan_interface")
# --> 6th field (if nonempty) says whether all IP addresses can be used to
# connect to the box (otherwise access is limited to the WAN IP only)
#
# nothing is allowed in by default; every service reachable from outside
# must be listed here explicitly.
fw_allowed_access=""
#
# the best is to explain this on a working example (per the format above,
# each service NAME has its rule in fw_allowed_NAME_access):
#
#fw_allowed_access="http ssh snmp pptp gre srmgmt xxx"
#fw_allowed_http_access="any:tcp:80:setup::"
#fw_allowed_snmp_access="1.1.1.1:udp:161::x:"
#fw_allowed_pptp_access="1.1.1.0/24 2.2.2.2:tcp:1723:setup:x:"
#fw_allowed_gre_access="1.1.1.0/24 2.2.2.2:gre::keep-state:x:"
# yes, we want to be able to connect to all IP addresses through all
# network interfaces
#fw_allowed_ssh_access="5.5.5.0/24 6.6.6.6 7.7.7.7:tcp:22:setup::y"
#fw_allowed_srmgmt_access="5.5.5.5 8.8.8.0/24:tcp:4000:setup:x:"
#fw_allowed_xxx_access="....define here"
#
#
# define blocks or individual hosts that are permitted to access all
# connected devices on this box (granularity per device block is not allowed
# for now). Use space as separators. It is a more general replacement for
# 'fw_remote_access_via_pptp_vpn_block'.
fw_allowed_access_to_connected_devices=""
#
# this variable is DISCOURAGED and won't be supported in future releases;
# use more general variable 'fw_allowed_access_to_connected_devices'
#fw_remote_access_via_pptp_vpn_block="g.g.g.0/24"
#
# define remote nets accessible via VPN connection. Useful if you have
# limited access to remote networks from typically your office network only.
# You can make use of VPN connection to access those restricted remote
# networks if you specify those remote blocks here.
fw_remote_networks_accessible_via_vpn=""
#
#
# management of connected devices. Each variable specifies an interface,
# gateway on the interface and a device block. That means that you don't
# specify one variable per device, but per different blocks only.
#
# example: h.h.h.1 is my IP address (and therefore a gateway for managed
# devices on the particular interface) and h.h.h.0/24 is the block used to
# assign IP addresses for managed devices. As you can see you can use more
# management blocks on the same interface (breeze/ovislink)
#
# Gateway IP and interface should be probably learned from ifconfig output
# according to the correct block/mask...
fw_connected_devices=""
#fw_connected_devices="compex breeze ovislink"
#fw_connected_device_compex="sis1 h.h.h.1 h.h.h.0/24"
#fw_connected_device_breeze="sis2 i.i.i.1 i.i.i.0/24"
#fw_connected_device_ovislink="sis3 k.k.k.1 k.k.k.0/24"
#
# define blocks that should be routed through this box without any further
# filtering. These blocks are typically public blocks for routers located
# behind this box. If you want to add some filtering options (pipes,
# allow/deny for other blocks, ...) look above for 'fw_public_client_blocks'
# variable and feature blocks.
fw_routed_through_blocks=""
#
# in case you don't want to bother with address blocks (eg. have many of
# them on that interface), you can permit everything going through those
# interfaces without any unnecessary configuration overhead. Note that
# traffic over those interfaces will NOT be translated via NAT even if you
# had any private blocks in there !!!
# NOTE(review): listing an interface here bypasses all filtering for it;
# prefer 'fw_routed_through_blocks' when the address blocks are known.
fw_routed_through_interfaces=""
#
# some for example VPN tools use privileged source ports. If using NAT, we
# would skip this ,,established'' traffic which must go through NAT. So
# use this variable to define a list of ports (separated by spaces) that
# could be used like that.
fw_permit_nated_udp_privileged_ports=""
#---------------------------------------------------------------------------
# pipes (definitions should be ,,pipe-system'' independent, so we do not use
# "ipfw_" prefix)
#---------------------------------------------------------------------------
# create pipes. A ,,pipe'' technically means two dummynet pipes, one for
# INcoming traffic, 2nd for OUTgoing traffic
# Each name NAME in 'fw_pipes' is described by fw_pipe_NAME; per the
# example the value holds two bandwidths separated by '/' (presumably
# incoming/outgoing, in the same order as above - confirm against the
# firewall script).
fw_pipes=""
#fw_pipes="small big"
#fw_pipe_small="128/64"
#fw_pipe_big="512/128"
#---------------------------------------------------------------------------
# ipfw specific firewall section (prefix "ipfw_fw_")
#---------------------------------------------------------------------------
# we must be careful not to compete with other applications like srmgmtd
ipfw_fw_first_pipe_number="1000"
#
# this is better than standard default step 100
ipfw_fw_rule_step="20"
# rule numbers starting various sections + their respective firewall
# comments; those numbers below are defaults. I think there will never be a
# reason to change those.
# The numbers are listed in increasing order and ipfw evaluates rules in
# number order, so the values also fix the order of the sections; keep
# them increasing if you do change them, and keep them clear of the
# srmgmt plugin's numbers (see 'srmgmt_ap_ipfw_fw_section_*' below).
ipfw_fw_section_loopback_comment="loopback rules"
ipfw_fw_section_loopback_rule="100"
ipfw_fw_section_permit_privileged_udp_nated_traffic_comment="let some privileged UDP ports go through NAT"
ipfw_fw_section_permit_privileged_udp_nated_traffic_rule="500"
ipfw_fw_section_skip_comment="skip privileged traffic"
ipfw_fw_section_skip_rule="1000"
ipfw_fw_section_skip_public_client_traffic_comment="no NAT for public client traffic"
ipfw_fw_section_skip_public_client_traffic_rule="2000"
ipfw_fw_section_routed_through_comment="routed through blocks/interfaces go unfiltered"
ipfw_fw_section_routed_through_rule="3000"
ipfw_fw_section_natd_divert_comment="main natd divert rule"
ipfw_fw_section_natd_divert_rule="8000"
ipfw_fw_section_wan_traffic_comment="established/non-privileged traffic to me"
ipfw_fw_section_wan_traffic_rule="9000"
ipfw_fw_section_private_client_traffic_comment="generic private client traffic"
ipfw_fw_section_private_client_traffic_rule="10000"
ipfw_fw_section_public_client_traffic_comment="generic public client traffic"
# XXX - 20000 is apparently taken by 'srmgmt_ap_ipfw_fw_section_pipes_rule'
# (srmgmt plugin below), hence 15000 here
#ipfw_fw_section_public_client_traffic_rule="20000"
ipfw_fw_section_public_client_traffic_rule="15000"
ipfw_fw_section_connected_devices_management_comment="connected devices management"
ipfw_fw_section_connected_devices_management_rule="30000"
ipfw_fw_section_remote_networks_accessible_via_vpn_comment="remote nets accessible via vpn"
ipfw_fw_section_remote_networks_accessible_via_vpn_rule="40000"
ipfw_fw_section_icmp_comment="icmp traffic"
ipfw_fw_section_icmp_rule="50000"
ipfw_fw_section_tcp_setup_skipped_comment="tcp syn traffic processing"
ipfw_fw_section_tcp_setup_skipped_rule="55000"
ipfw_fw_section_udp_privileged_skipped_comment="privileged udp traffic processing"
ipfw_fw_section_udp_privileged_skipped_rule="56000"
ipfw_fw_section_gre_comment="gre traffic processing"
ipfw_fw_section_gre_rule="57000"
# final deny: everything not matched by an earlier section is dropped
ipfw_fw_section_deny_comment="catch-up rule"
ipfw_fw_section_deny_rule="65500"
#
# these rules will be statically added to firewall configuration. If you
# really need to use this feature, I WOULD LIKE TO KNOW ABOUT THAT PLEASE!!!
# Using static rules can mean there is something missing in this firewall
# system which could be generalized and then usable for other users too.
# Per the example, each entry appears to be a raw ipfw command line that is
# passed through as-is, so a typo here can open or close the firewall
# unexpectedly - double-check the rule number against the sections above.
ipfw_fw_static_rules=""
#ipfw_fw_static_rules="my_deny xxx"
#ipfw_fw_static_rule_my_deny="add 65400 deny all from any to any"
#ipfw_fw_static_rule_xxx="add 65401 deny all from any to any"
#
# WiBSD version; NEVER CHANGE THAT !
# (identifies the image these defaults belong to; tools such as 'ver'
# listed in the motd presumably report it)
wibsd_version="1.0.0-BETA_20050613"
#
#
#=====================================================================
# smart_router plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
# enable emergency pipe system if login portal is not accessible. If
# enabled, every user that tries to login will get a pipe no matter
# whether he is a valid user or not. No login/password check is
# performed. We then periodically from crontab check the login portal
# and when it becomes accessible again, all these temporary pipes are
# deleted which effectively forces all users to login via portal as
# usual.
# NOTE(review): enabling this trades authentication for availability -
# while the portal is down anyone on the client interfaces gets network
# access; keep it NO unless that is an accepted risk.
sr_ap_temporary_pipes_enable="NO"
# if login portal is not accessible, use this bandwidth for temporary
# pipes; bw is in kilobytes
sr_ap_temporary_pipes_bw="64"
# change this for your network and your customers if you need that.
# Value of this variable is placed after '<p>' tag so you can use
# simple tags like <font color=\"red\"> etc. (BEWARE of shell
# quoting!!!). Charset used for the value is set in
# $sr_ap_temporary_pipes_user_note_charset.
# The literal below is multi-line (embedded newlines are part of the
# value) and must be stored in that charset; the Czech part is kept in
# the original language on purpose since it is shown to end users.
sr_ap_temporary_pipes_user_note="Váš přístup byl právě aktivován
systémem pro řešení nenadálých situací z důvodu dočasné nedostupnosti
login portálu.<br><b>Nyní prosím zavřete okno svého prohlížeče a
zkuste to znovu.</b><br><br>"
# the English text is appended to the Czech one set just above
sr_ap_temporary_pipes_user_note="${sr_ap_temporary_pipes_user_note}
Your access was activated via emergency system since login portal is
temporary unreachable.<br><b>Please close your browser window now and
then try again.</b>"
# probably no need to change this. This is a default charset for user
# note in 'sr_ap_temporary_pipes_user_note' variable.
sr_ap_temporary_pipes_user_note_charset="iso-8859-2"
# you can change this if you run into name collision problem
sr_ap_temporary_pipes_user_prefix="emerg_user-"
# probably you will never need change this; if you do, remember that
# CGI scripts are run under user 'nobody'
# NOTE(review): this is a fixed, predictable path in world-writable /tmp,
# written by the unprivileged CGI user; any local account could pre-create
# or replace it. A directory owned by that user (and not /tmp) would be
# safer if the box ever has untrusted local users.
sr_ap_temporary_pipes_db="/tmp/.tmp_pipes.db"
#
# we need /etc/crontab for this (appends to the list set earlier in this
# file; rc.conf overrides must append the same way, see crontab section)
crontab_lines="${crontab_lines} tmp_pipes"
crontab_line_tmp_pipes_comment="(wibsd.conf) check temporary pipes in srmgmtd"
# runs as root every 2 minutes; presumably it is the job that consumes the
# 'nobody'-written db above, so that file crosses a privilege boundary -
# verify the script validates what it reads.
crontab_line_tmp_pipes="*/2 * * * * root /usr/local/bin/wdog_temp_pipes_system.sh"
#=====================================================================
# diskless_router plugin for RELENG_4; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
# we need to spawn /var/run during the boot phase. Probably we could
# do that during the image creation...
# path of the rc script used for the diskless /var setup
diskless_mount="/etc/rc.diskless2"
#
#
#===========================================================================
# srmgmt plugin for all FreeBSD releases; to be appended.
#
# many values (eg. for executables, first rule numbers) are even
# defaults in the very srmgmtd binary. Those variables could have been
# commented, but they are left intentionally uncommented so that this
# file could be easily readable with ViM editor with syntax
# highlighting switched on.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#===========================================================================
#
#---------------------------------------------------------------------------
# generic srmgmt settings
#---------------------------------------------------------------------------
# enable srmgmtd daemon
srmgmt_enable="NO"
# default location and command line options
srmgmt_binary="/usr/local/sbin/srmgmtd"
# the daemon reads this file and /etc/rc.conf itself (-f), so anything
# you set in rc.conf - including the shared key below - is read by it;
# keep rc.conf permissions accordingly
srmgmt_flags="-c -p 4 -f /etc/defaults/rc.conf -f /etc/defaults/wibsd.conf -f /etc/rc.conf"
# port where srmgmtd terminal management is running
srmgmt_server_port="4000"
# serve session thread stack size in kilobytes. DO NOT CHANGE UNLESS YOU
# REALLY KNOW WHAT YOU ARE DOING.
srmgmt_session_thread_stack_size="128"
# how many connected users at the same time you are willing to have if the
# box is AP; be careful if you don't have enough memory. This number is also
# used when running as proxy for counting some max table sizes. You can
# increase the number and reload (-HUP) the daemon, but you cannot decrease
# it without complete restart.
srmgmt_ap_max_users="64"
# you can secure the communication via encryption
# NOTE(review): with the default NO, the terminal management on
# 'srmgmt_server_port' travels in clear text; reachability is meant to be
# limited by the access lists further down (authentication servers,
# 'fw_allowed_access'), so keep those tight if this stays NO.
srmgmt_encryption_enable="NO"
# just a placeholder for now, which MUST NOT BE CHANGED. blowfish is
# the only one encryption algorithm available. Future release will
# support anything that OpenSSL supports.
srmgmt_encryption_type="blowfish"
# just a placeholder for now; see 'srmgmt_encryption_type' for
# explanation; length is in bytes
srmgmt_encryption_shared_key_length="16"
# shorter key is padded with binary zeroes - i.e. a short key gives less
# than the nominal key strength, so use the full length. Set the key in
# /etc/rc.conf, never in this file.
srmgmt_encryption_shared_key=""
#
# by default, run as AP and disable proxy functionality
srmgmt_ap_enable="YES"
srmgmt_ap_proxy_enable="NO"
# for now, we support external config file for proxy and there is
# intentionally no default value
srmgmt_ap_proxy_config_file=""
# how many AP's can be accessed through the proxy; targets exceeding
# this number are discarded and warning is logged
srmgmt_ap_proxy_max_targets="128"
# every this number of seconds, resolve all DNS names again
srmgmt_ap_proxy_resolver_interval="600"
# upper limit in seconds that srmgmtd is willing to wait for finishing
# of one connection taking part in a group command. Group command is a
# command that is proxied to all targets and the output is then
# grouped together. Typical example is "show users".
srmgmt_ap_proxy_group_command_time_limit="5"
#
# use this bandwidth if login portal is not accessible
srmgmt_ap_default_user_pipe_bw="64"
#
# interfaces that host any clients. Do not include interfaces hosting
# only management devices. Use space for separator.
# (the commented example below still uses the older name
# 'srmgmt_fw_client_interfaces'; the live variable is the one set here)
srmgmt_ap_fw_client_interfaces=""
#srmgmt_fw_client_interfaces="sis1 sis2"
#
# which ipfw ruleset should srmgmt use. Do NOT change unless you know
# what you are doing !!! (the generic firewall uses ruleset 0, see
# 'fw_type' above)
srmgmt_ipfw_fw_ruleset="2"
#
# define in seconds how often srmgmtd should update its statistics
# about traffic transmitted over client pipes
srmgmt_ap_accounting_interval="60"
#
#---------------------------------------------------------------------------
# special setting in use with ipfw wibsd firewall template. Apmgmtd is
# participating in the ipfw template firewall. See 'fw_enable' section
# for more information.
#---------------------------------------------------------------------------
# rule numbers below must not collide with the 'ipfw_fw_section_*_rule'
# numbers of the generic firewall; they slot in between those sections
srmgmt_ap_ipfw_fw_section_public_sips_rule="2500"
# (jp) XXX
#srmgmt_ap_ipfw_fw_section_private_traffic_pipes_rule_comment="srmgmt private pipes"
#srmgmt_ap_ipfw_fw_section_private_traffic_pipes_rule="15000"
#srmgmt_ap_ipfw_fw_section_public_traffic_pipes_rule_comment="srmgmt public pipes"
#srmgmt_ap_ipfw_fw_section_public_traffic_pipes_rule="25000"
# use one firewall section for both private and public traffic pipes
# (20000 sits between the generic public client traffic section at 15000
# and connected devices management at 30000)
srmgmt_ap_ipfw_fw_section_pipes_rule_comment="srmgmt pipes"
srmgmt_ap_ipfw_fw_section_pipes_rule="20000"
srmgmt_ap_ipfw_fw_section_captive_portal_comment="captive portal"
srmgmt_ap_ipfw_fw_section_captive_portal_rule="45000"
#
#---------------------------------------------------------------------------
# allow various access to the srmgmtd terminal
#---------------------------------------------------------------------------
# authentication servers are not the same as boxes allowed to access
# srmgmt (srmgmt_allowed_srmgmt_access). Authentication servers are
# those who implement a login portal. Allowed srmgmt access is
# for boxes from which we want telnet access to the srmgmtd CLI
# interface (one of those boxes must be an authentication server(s)).
#
# multiple boxes are separated by white characters (space, tab)
#
# all lists are empty by default, i.e. nothing is allowed until set in
# /etc/rc.conf
srmgmt_ap_fw_authentication_servers=""
# other services
srmgmt_ap_fw_allowed_nameservers=""
# eg. srmgmt_ap_fw_public_sip_blocks="a.a.a.0/24 z.z.z.0/28"
srmgmt_ap_fw_public_sip_blocks=""
#
#
#---------------------------------------------------------------------------
# wi-fi power management
#---------------------------------------------------------------------------
# set TX power of a wifi card (eg. 'wicontrol -i wi0 -B 150')
# 'srmgmt_ap_set_tx_power' lists interfaces; each interface IF has its
# "interface power" pair in srmgmt_ap_set_tx_IF. Empty by default, so the
# two definitions below are inert until the list is set.
srmgmt_ap_set_tx_power=""
#srmgmt_ap_set_tx_power="wi0 wi1"
srmgmt_ap_set_tx_wi0="wi0 150"
srmgmt_ap_set_tx_wi1="wi1 140"
#
# delay interval for setting TxPower. This number is multiplied by
# srmgmt_ap_accounting_interval and that is the actual delay interval in
# seconds.
#
# 0 disables setting power completely
#
srmgmt_ap_tx_power_interval="0"
# 1440 x 60s = 24 h (note the commented example uses the older name
# 'srmgmt_tx_power_interval'; the live variable is the one set above)
#srmgmt_tx_power_interval="1440"
#
#---------------------------------------------------------------------------
# srmgmt commands
#---------------------------------------------------------------------------
# time limit in seconds for executed commands through srmgmtd terminal
srmgmt_command_limit="20"
#
# define allowed user commands. Wildcards are %ip and %# (number), but
# you can use normal regular expression, too.
#
# ping1 and ping2 could be written in one regular expression, but
# that would be less readable.
#
# NOTE(review): these patterns are an allow-list for commands run on the
# box on behalf of terminal users; keep them as narrow as the two ping
# variants below (no '.*' style wildcards) - confirm whether srmgmtd
# anchors the match at both ends.
srmgmt_user_defined_commands="ping1 ping2 traceroute"
srmgmt_user_defined_ping1="ping (-c %#)? (-s %#)? (-i %#(\.%#)?)? %ip"
srmgmt_user_defined_ping2="ping (-c %#)? (-i %#(\.%#)?)? (-s %#)? %ip"
srmgmt_user_defined_traceroute="traceroute (-P icmp)? %ip"
#
#---------------------------------------------------------------------------
# login portal
#---------------------------------------------------------------------------
# set this to the address of login portal. Redirect page will use this
# address when implementing a captive portal.
# (the value is a bare host name; presumably the redirect page adds the
# scheme and path itself)
www_config_inc_enable="YES"
www_config_inc_redirect="login.wibsd.cz"
#
#---------------------------------------------------------------------------
# web server for captive portal
#---------------------------------------------------------------------------
# make these variables generic so that we can change the webserver
# without changing variable names or etc/rc.d starting script
srmgmt_webserver_program="/usr/local/sbin/thttpd"
srmgmt_webserver_program_pidfile="/var/run/thttpd.pid"
# be sure to have $srmgmt_webserver_program_pidfile defined; you may
# consider to add '-l /dev/null' to disable logging via syslog; may be
# dangerous though --> if thttpd ends up in an infinite loop then the root
# filesystem won't fill up, everything will be working BUT badly (100%
# CPU bound). With full root filesystem, dhcpd will stop working so we
# will be notified from users that something happened.
# '-c *.cgi' is inside double quotes, so the shell does not glob it and
# thttpd receives the literal pattern; $srmgmt_webserver_program_pidfile
# is expanded right here, so it must be set before this line (it is).
srmgmt_webserver_program_flags="-d /usr/local/www_redirect/ -c *.cgi -i $srmgmt_webserver_program_pidfile"
#
#---------------------------------------------------------------------------
# srmgmtd watchdog
#---------------------------------------------------------------------------
# probably there is no need to set it to NO
srmgmtd_watchdog_enable="YES"
# appends to the crontab line list built earlier in this file
crontab_lines="$crontab_lines wdog_srmgmtd"
crontab_line_wdog_srmgmtd_comment="(wibsd.conf) watch the srmgmtd daemon"
# check it every 2 minutes (runs as root)
crontab_line_wdog_srmgmtd="*/2 * * * * root /usr/local/bin/wdog_srmgmtd.sh"
#
#
#---------------------------------------------------------------------------
# obsoleted
#---------------------------------------------------------------------------
# obsoleted wi-fi reference section; sometimes may be useful
# (note that these example lines carry no link-layer encryption options;
# treat them as syntax reference only)
#ifconfig_wi0="inet 10.0.0.1/24 stationname ap1 ssid mynet.ssid1 channel 3 media DS/11Mbps mediaopt hostap up"
#ifconfig_wi1="inet 10.0.1.1/24 stationname ap2 ssid mynet.ssid2 channel 9 media DS/11Mbps mediaopt hostap up"
#
#
#=====================================================================
# ppp plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
# generate /etc/ppp/ppp.conf at boot from the section variables below
ppp_conf_enable="NO"
ppp_conf_include_default_section="NO"
# we define two example sections; 'pptp' is for dial-in connections
# and is used by pptp daemon, 'vpn' can be used for dial-out
# connections via pptpclient
# Only sections listed here are written out; the 'vpn' section below is
# defined but not emitted by default.
ppp_conf_sections="pptp"
#ppp_conf_sections="pptp vpn"
#
#---------------------------------------------------------------------
# reference section 'pptp'; this section is for VPN access via pptpd
# server; do not change unless you know what you are doing
#---------------------------------------------------------------------
# names of the 'set' commands to emit; each NAME takes its value from
# ppp_conf_section_pptp_set_NAME
ppp_conf_section_pptp_sets="timeout login dial ifaddr server"
ppp_conf_section_pptp_set_timeout="0"
# even empty, 'set login' must be present
ppp_conf_section_pptp_set_login=""
ppp_conf_section_pptp_set_dial=""
# convention is to use x.x.x.64/26 for clients, x.x.x.32/27 for
# static IP's, x.x.x.0/27 is reserved (gw, ...)
ppp_conf_section_pptp_set_ifaddr="9.9.9.1 9.9.9.65-9.9.9.126 255.255.255.255"
# ppp control socket: path, password (empty) and mode 0700, see ppp(8);
# the mode is what keeps the password-less socket to root
ppp_conf_section_pptp_set_server="/var/run/pptp_ppp_%d \"\" 0700"
# NOTE(review): 'log' is not listed in ppp_conf_section_pptp_sets above,
# so this value is probably never written to ppp.conf - add it to the
# list if the logging is wanted.
ppp_conf_section_pptp_set_log="Phase Chat LCP IPCP CCP tun command cbcp connect sync tcp/ip"
# this is very important for enabling encryption: only MS-CHAPv2 is
# offered (chap/pap disabled below), which is what MPPE requires - see
# ppp(8)
ppp_conf_section_pptp_enables="mschapv2 mppe chap81"
ppp_conf_section_pptp_disables="chap pap utmp passwdauth"
# answer queries for DNS servers using local /etc/resolv.conf
ppp_conf_section_pptp_accepts="dns"
# set routes after establishing the link
ppp_conf_section_pptp_routes=""
#ppp_conf_section_pptp_routes="default"
#ppp_conf_section_pptp_route_default="default HISADDR"
#
#---------------------------------------------------------------------
# reference section 'vpn'; note that we can define authname/authkey
# and even routes
#---------------------------------------------------------------------
# 'authname'/'authkey' are the credentials this box presents to the remote
# server when dialling out
ppp_conf_section_vpn_sets="authname authkey timeout"
ppp_conf_section_vpn_set_authname="client"
# WARNING: reference value only. It is shipped in every WiBSD image and is
# therefore effectively public; if you enable the 'vpn' section, set a
# per-box key (and preferably a non-generic authname) in rc.conf.
ppp_conf_section_vpn_set_authkey="wriCyeDidgEcyax"
# 0 disables the idle timeout
ppp_conf_section_vpn_set_timeout="0"
# routes added once the link is up; HISADDR is ppp's macro for the peer's
# address
ppp_conf_section_vpn_routes="office office2"
ppp_conf_section_vpn_route_office="10.66.66.0/24 HISADDR"
ppp_conf_section_vpn_route_office2="10.55.55.0/24 HISADDR"
#
#
#=====================================================================
# users plugin for all FreeBSD releases; to be appended.
#
# users plugin creates login accounts during the boot. Since we have
# no default users except for the standard FreeBSD users, we must define
# some basic accounts here so that you can boot and configure a new
# WiBSD box. You should definitely redefine those users' passwords in
# your rc.conf file !!! Toor user intentionally has /bin/sh as his
# login shell; that serves as a fallback in case bash gets
# corrupted.
#
# if this plugin fails (eg. not enough memory?), root will have an
# empty password, because that is default in FreeBSD. You can then log
# in via console and solve the problem.
#
# WARNING: use single quotes, NOT double quotes to define MD5 hashes
# since those hashes typically contain '$' characters.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
# create the groups and accounts listed below at boot (see plugin header)
make_accounts_enable="YES"
# groups to create; each has a 'make_accounts_group_<name>_gid' below
make_accounts_groups="wibsd"
# users to create; each is described by a 'make_accounts_user_<name>_*'
# block below. Every one of them ships with a well-known default password
# hash -- override all of them in rc.conf before the box is reachable over
# the network.
make_accounts_users="root toor admin wibsd"
#
#---------------------------------------------------------------------
# group wibsd
#---------------------------------------------------------------------
make_accounts_group_wibsd_gid="333"
#
#---------------------------------------------------------------------
# user root
#---------------------------------------------------------------------
# WARNING: this hash is shipped identically in every WiBSD image, so the
# password behind it must be treated as public. Override it in rc.conf
# (single quotes, see the plugin header) before exposing the box. The
# '$1$' prefix marks MD5-crypt, which is weak by today's standards -- use
# a stronger scheme if your release's make_accounts plugin accepts it.
make_accounts_user_root_password_hash='$1$9WJBjeCP$9ctO2LIRiyLYbjJ0pDfG0/'
make_accounts_user_root_uid="0"
make_accounts_user_root_gid="0"
make_accounts_user_root_comment="Charlie &"
make_accounts_user_root_home="/root"
# root's shell lives under /usr/local; this is why toor keeps /bin/sh
make_accounts_user_root_shell="/usr/local/bin/bash"
#
#---------------------------------------------------------------------
# user toor
#---------------------------------------------------------------------
# WARNING: default hash shipped in every image -- treat the password as
# public and override it in rc.conf (single quotes!).
make_accounts_user_toor_password_hash='$1$QXYVVPLQ$VmmKWsumeeB7EvTBAQKCK0'
# second uid-0 account: a full root equivalent, differing only in the
# /bin/sh shell so it stays usable when /usr/local/bin/bash is broken
make_accounts_user_toor_uid="0"
make_accounts_user_toor_gid="0"
make_accounts_user_toor_wheel="YES"
make_accounts_user_toor_comment="Bourne-again Superuser"
make_accounts_user_toor_home="/root"
make_accounts_user_toor_shell="/bin/sh"
#
#---------------------------------------------------------------------
# user admin - this user will guide any remote hands through the
# initial configuration so that the new box could be connected to the
# network and you can later log in and finish the configuration.
#---------------------------------------------------------------------
# WARNING: default hash shipped in every image -- treat the password as
# public and override it in rc.conf (single quotes!).
make_accounts_user_admin_password_hash='$1$NmGT5HhQ$eRBbK/ajarycZ0hvz6SGM/'
# NOTE: 'admin' is a uid-0 account whose only safeguard is the restricted
# shell below; any way out of /bin/wsh yields full root. Give it a strong
# per-box password, and consider dropping it from 'make_accounts_users'
# once the initial network setup is done.
make_accounts_user_admin_uid="0"
make_accounts_user_admin_gid="0"
make_accounts_user_admin_wheel="YES"
make_accounts_user_admin_comment="WiBSD Remote Hands Superuser"
make_accounts_user_admin_home="/root"
# special script shell to do basic IP settings
make_accounts_user_admin_shell="/bin/wsh"
#
#---------------------------------------------------------------------
# user wibsd
#---------------------------------------------------------------------
# WARNING: default hash shipped in every image -- override it in rc.conf
# (single quotes!).
make_accounts_user_wibsd_password_hash='$1$399cjMoR$NNZIX.8EYWN5qOmJg/YQS0'
make_accounts_user_wibsd_uid="333"
make_accounts_user_wibsd_gid="333"
# presumably adds the user to group wheel, i.e. it may su(1) to root; as
# long as the default password stands this "standard" user is
# root-equivalent too
make_accounts_user_wibsd_wheel="YES"
make_accounts_user_wibsd_comment="WiBSD Standard User"
make_accounts_user_wibsd_home="/home/wibsd"
make_accounts_user_wibsd_shell="/usr/local/bin/bash"
#
#
#=====================================================================
# compex plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
# set Compex media to 10baseT/UTP half-duplex. This can be a
# little tricky, so use a special script to do it for these
# particular interfaces. See the script for more information.
# space-separated list of interface names (see the example below); leave
# empty if the box has no such card
compex_nics=""
#compex_nics="sis1 sis2"
#
#
#==========================================================================
# port_net_snmp plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#==========================================================================
#
net_snmpd_enable="NO"
net_snmpd_program="/usr/local/sbin/snmpd"
# if NO, you can use cooked snmpd config file stored typically on the
# flashcard
net_snmpd_generate_config_file="YES"
net_snmpd_config_file="/etc/snmpd.conf"
# send a copy of all log messages to syslog and then dump all these messages
# to /dev/null (apparently one can't prohibit default filesystem log output
# other than by redirecting it to /dev/null). Do not include '-c xxx' here,
# use 'net_snmpd_config_file' variable for that.
net_snmpd_flags="-S d -s -l /dev/null"
#
# flags below trigger a complaint when snmpd is starting up, it says that
# those flags are obsolete. Unfortunately net-snmpd is a shitty program and
# what should work doesn't work - eg. '-Lf /dev/null' won't suppress logging,
# /var/log/snmpd.log is used instead.
#net_snmpd_flags="-Ls d -Lf /dev/null"
#
# set allowed access and communities
# Community strings are the only credential in SNMPv1/v2c and travel in
# cleartext, so treat them like passwords: never ship a default here,
# always pair a community with its '_permit_from' restriction, and do not
# reuse the value across boxes.
net_snmpd_rocommunity=""
# you can use DNS name or IP address
# (a DNS name makes access control depend on name resolution; an address
# or network is the safer choice)
net_snmpd_rocommunity_permit_from=""
# a read/write community can change device state; leave it unset unless
# you really need it, and then restrict it to a single management host
#net_snmpd_rwcommunity="do_not_use_me_for_christ_sake_and_set_your_own!!!"
#net_snmpd_rwcommunity_permit_from="watchdog.wibsd.cz"
#
#net_snmpd_syscontact="IDC-softwarehouse"
#net_snmpd_syslocation="Czech Republic"
#net_snmpd_sysservices="76"
#
# thresholds for snmpd's 'load' directive (1, 5 and 15 minute averages)
net_snmpd_load="3 3 3"
#
# use this to define your own SNMP subtrees; see example below
# 'pass' hands the listed OIDs to external programs that run with snmpd's
# privileges; keep those scripts root-owned and not writable by others
net_snmpd_pass=""
#net_snmpd_pass="snmpall wiusers"
net_snmpd_pass_oid_snmpall=".1.3.6.1.4.1.2021.8.1.200"
net_snmpd_pass_command_snmpall="/usr/local/bin/snmpall.sh"
# placeholders; only consulted when 'wiusers' is listed in 'net_snmpd_pass'
net_snmpd_pass_oid_wiusers="x.x.x"
net_snmpd_pass_command_wiusers="y.y.y"
#
# NOTE: DISK MONITORING IS OBSOLETE. We can now monitor all disks without
# specific help of net-snmp daemon. Kept for reference only.
#
# specify the filesystems you want to monitor. 5% means that a warning
# may be issued if the percentage of free space drops below this mark.
#net_snmpd_disks="root"
#net_snmpd_disk_root="/ 5%"
#
# NOT IMPLEMENTED YET
#net_snmpd_processes="sshd sh"
#net_snmpd_process_sshd="5 1"
#net_snmpd_process_sh="10 0"
#
#
#=====================================================================
# port_isc_dhcp3 plugin configuration, to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
dhcpd_enable="NO"
# if NO, you can use cooked config file from flashcard
dhcpd_generate_config_file="YES"
# interfaces dhcpd serves; use spaces as separators, eg.:
#dhcpd_ifaces="sis1 wi0"
# never list the uplink/WAN interface here -- answering DHCP towards the
# provider's network is a classic misconfiguration
dhcpd_ifaces=""
# extra command line options passed to dhcpd
dhcpd_options=""
# see also 'dhcpd_generate_config_file'
dhcpd_config_file="/etc/dhcpd.conf"
# if your lease file could grow too large to fit in the root fs, you
# can configure a memory disk and set lease file's path here.
dhcpd_leases="/var/db/dhcpd.leases"
#
# lease lifetimes in seconds
dhcpd_default_lease_time="600"
dhcpd_max_lease_time="7200"
dhcpd_domain_name="wibsd.cz"
# use public DNS server as a default
# NOTE: these are third-party resolvers hardcoded in 2005; they may no
# longer answer, and every client's lookups get handed to them. Override
# with resolvers you trust in rc.conf.
dhcpd_domain_name_servers="69.67.108.10,205.166.226.38"
#
# example NIC sections:
#
# sis1
#dhcpd_subnet_sis1_address="10.0.99.0"
#dhcpd_subnet_sis1_netmask="255.255.255.0"
#dhcpd_subnet_sis1_gateway="10.0.99.1"
#dhcpd_subnet_sis1_range_start="10.0.99.100"
#dhcpd_subnet_sis1_range_end="10.0.99.200"
# wi0
#dhcpd_subnet_wi0_address="10.0.0.0"
#dhcpd_subnet_wi0_netmask="255.255.255.0"
#dhcpd_subnet_wi0_gateway="10.0.0.1"
#dhcpd_subnet_wi0_range_start="10.0.0.100"
#dhcpd_subnet_wi0_range_end="10.0.0.200"
#
# use this to define static entries; 'dhcpd_max_static_hosts' is an
# actual count: host entries must be numbered consecutively from 1 up to
# this number
#dhcpd_max_static_hosts="1"
#dhcpd_host_1_hostname="pink-fox"
#dhcpd_host_1_hw="1c:40:ac:34:3a:83"
#dhcpd_host_1_ip="6.7.8.9"
#
#
#=====================================================================
# port_poptop plugin configuration, to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
# run pptpd or not
# CAVEAT: PPTP (MS-CHAPv2 + MPPE) is considered broken by today's
# standards; keep it for legacy clients only and prefer the port_openvpn
# plugin below.
pptpd_enable="NO"
pptpd_program="/usr/local/sbin/pptpd"
pptpd_flags=""
#
#---------------------------------------------------------------------
# pptpd.conf
#---------------------------------------------------------------------
pptpd_config_file="/usr/local/etc/pptpd.conf"
# if NO, you can use cooked config file stored on flashcard
pptpd_generate_config_file="YES"
# pptpd.conf directives written out, each taken from the matching
# 'pptpd_conf_command_<name>' variable below
pptpd_conf_commands="option localip remoteip pidfile"
# 'option' points pptpd at the ppp(8) configuration produced by the ppp
# plugin (its 'pptp' section)
pptpd_conf_command_option="/etc/ppp/ppp.conf"
# server-side address; 9.9.9.x is a placeholder -- override here and in
# the ppp 'pptp' section's 'set ifaddr', which ships with the same values
pptpd_conf_command_localip="9.9.9.1"
# convention is to use x.x.x.64/26 for dynamic IP's
pptpd_conf_command_remoteip="9.9.9.65-126"
pptpd_conf_command_pidfile="/var/run/pptpd.pid"
#
#---------------------------------------------------------------------
# /etc/ppp/ppp.secret
#---------------------------------------------------------------------
# generate /etc/ppp/ppp.secret (the dial-in user database) from the
# variables below
ppp_secret_enable="NO"
# space-separated list of users; each is described by
# 'ppp_secret_user_<name>_*' variables (see the 'wibsd' example)
ppp_secret_users=""
#ppp_secret_users="wibsd"
# WARNING: reference password only, shipped in every WiBSD image; it takes
# effect only if 'wibsd' is listed in 'ppp_secret_users'. Set real,
# per-user passwords in rc.conf and keep that file readable by root only,
# since the generated ppp.secret is exactly as secret as its source.
ppp_secret_user_wibsd_password="CarAnvagmemchiddUnd:orotIvyek"
# convention is to use x.x.x.32/27 for static IP's
ppp_secret_user_wibsd_ip="9.9.9.33"
#
#
#===========================================================================
# port_openvpn plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#===========================================================================
#
openvpn_enable="NO"
# I think there is no reason to change this one
# (path of the configuration file presumably generated from the
# 'openvpn_*' variables described below)
openvpn_config="/usr/local/etc/openvpn.conf"
#
# now you can specify one of 'client', 'server' or 'secret'. Consult manpage
# and openvpn.net if unsure. If you use shared secret, you must specify
# 'openvpn_secret_key' variable, too. If you use TLS method, you must
# specify CA certificate and client's/server's certificate and key. Note
# that TLS method has higher priority than shared secret method so
# 'openvpn_secret' option will be ignored if you specify 'openvpn_client' or
# 'openvpn_server'.
#
# # CLIENT
# openvpn_client="YES"
# openvpn_ns_cert_type="YES"
#
# # SERVER
# # you must specify IP range for PTP links
# openvpn_server="a.b.c.d 255.255.x.y"
# openvpn_dh="/mnt/flashcard/wibsd/<DHFILE>.pem"
# # and probably this (see http://openvpn.net/howto.html#scope for more
# # information)
# openvpn_client_config_dir="/mnt/flashcard/wibsd/openvpn/ccd"
#
# # MANDATORY FOR BOTH (client and server)
# openvpn_ca="/mnt/flashcard/wibsd/ca.crt"
# openvpn_cert="/mnt/flashcard/wibsd/<HOSTNAME>.crt"
# openvpn_key="/mnt/flashcard/wibsd/<HOSTNAME>.key"
#
# file the static (shared-secret) key is kept in; only used when neither
# 'openvpn_client' nor 'openvpn_server' is set (see above)
openvpn_secret="/usr/local/etc/openvpn.key"
#
# for secret key method, just paste here what you get from 'openvpn --genkey
# --secret xxx'. This variable definition should look like this:
#
# openvpn_secret_key="#
# # 2048 bit OpenVPN static key
# #
# -----BEGIN OpenVPN Static key V1-----
# c0c3ef48eefccb8a19c8131702e3ca79
# bla bla bla....................."
#
# CAVEAT: whatever you paste into 'openvpn_secret_key' lives in rc.conf,
# which is typically world-readable. Keep the key only in the file named by
# 'openvpn_secret' with mode 0600 unless you have verified rc.conf's
# permissions.
#
# use non-daemon mode just for debugging
openvpn_daemon="YES"
# this compression library is very fast, so compression is on by default.
# CAVEAT: compression inside an encrypted tunnel is discouraged nowadays
# (compression side channels can leak plaintext); set "NO" unless
# bandwidth forces you otherwise.
openvpn_comp_lzo="YES"
#
# recommended options: keep key material and the tun device across
# restarts/SIGUSR1 so the daemon can run with dropped privileges
openvpn_persist_key="YES"
openvpn_persist_tun="YES"
#
# there are no other fixed openvpn variables. You can use any variable name
# like "openvpn_<OPTION>" where <OPTION> is a valid openvpn option (see man)
# without leading '--' and with '-' replaced by '_'. So for example use
# 'openvpn_route_gateway' for '--route-gateway' option. Variables for
# options with no value must be set with 'YES'. You can use 'NO' for
# disabling them.
#
#
#---------------------------------------------------------------------------
# creation of Certification Authority and server's/client's certificates and
# modification of system/OpenVPN routing tables
#
# I follow OpenVPN's own procedure for this, so see the documentation at
# http://openvpn.net/howto.html#pki for more information; otherwise the
# short list of actions below should be everything you will need.
#---------------------------------------------------------------------------
#
# basically, if you want to create a CA, you will do this:
#
# (A) create a public key pair for certification authority:
#
# rwremount
# . /etc/defaults/wibsd.conf
# . /etc/rc.conf
# cd $openvpn_x_easy_rsa_root
# . ./vars
# ./clean-all
# ./build-ca
#
# (B) then you must generate server's certificate and DH pair (NOTE: DH pair
# generation can take VERY LONG time on slow boxes):
#
# ./build-key-server server
# ./build-dh # on soekris 45xx it takes about 15 minutes
#
# (C) and now you can generate client's certificates:
#
# ./build-key <client-hostname-1>
# ./build-key <client-hostname-2>
# ...
#
# (D) set OpenVPN internal routing if needed (see variable
# 'openvpn_client_config_dir' for more information)
#
# mkdir $openvpn_client_config_dir
# cd $openvpn_client_config_dir
# cat > <client-hostname-1> <<SHIT
# iroute 10.77.10.0 255.255.255.0
# SHIT
#
# (E) set global routing for OpenVPN - include eg. this in your rc.conf:
#
# openvpn_route="10.0.0.0 255.0.0.0"
#
# (F) read-only remount the flashcard after you finish
#
# roremount
#
#
# the variables below carry '_x_' in their names to distinguish auxiliary
# settings like these from real openvpn options.
#
# if you don't know what the 'vars' file is, see the http link above; the
# 'vars' file is created regardless of the value of 'openvpn_enable'
openvpn_x_create_vars_file="YES"
# change this as you like; nothing is permitted to be empty !!!
openvpn_x_easy_rsa_root="/usr/local/share/doc/openvpn/easy-rsa"
# NOTE: expanded right here, when this file is sourced. Overriding only
# 'openvpn_x_easy_rsa_root' in rc.conf leaves this path pointing at the
# old root -- override 'openvpn_x_key_config' as well.
openvpn_x_key_config="${openvpn_x_easy_rsa_root}/openssl.cnf"
# where easy-rsa writes the CA key and every issued key/certificate (on
# the flashcard); keep it root-only and leave the card read-only mounted
# except while issuing (see rwremount/roremount above)
openvpn_x_key_dir="/mnt/flashcard/wibsd/openvpn"
# RSA key length in bits. 1024 is below today's accepted minimum; set at
# least 2048 in rc.conf before running build-ca/build-key.
openvpn_x_key_size="1024"
# default X.509 subject fields for the 'vars' file; replace them with your
# own organisation's values
openvpn_x_key_country="CZ"
openvpn_x_key_province="Czech Republic"
openvpn_x_key_city="Prague"
openvpn_x_key_org="TSGCom"
openvpn_x_key_email="jp@devnull.cz"
#
#
#=====================================================================
# remote_upgrade plugin for all FreeBSD releases; to be appended.
#
# $Id: wibsd.conf.html,v 1.1.1.1 2005/08/11 12:58:42 cdave Exp $
#=====================================================================
#
# for safe-reboot plugin -> test image files in /mnt/flashcard/boot
# NOTE(review): per the comments both flags are consumed by the safe-reboot
# plugin rather than one named 'remote_upgrade'; confirm the names against
# the plugin source before relying on them in rc.conf
remote_upgrade_plugin="YES"
# for safe-reboot plugin -> test the UFS filesystem
image_ufs="YES"
#
#