#configured
#
# Nodogsplash Configuration File
#

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br-lan for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
#
GatewayInterface br-lan

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
#
FirewallRuleSet authenticated-users {
    # You may want to open access to a machine on a local
    # subnet that is otherwise blocked (for example, to
    # serve a redirect page; see RedirectURL). If so,
    # allow that explicitly here, e.g.:
    #FirewallRule allow tcp port 80 to 172.16.42.1
    # Your router may have several interfaces, and you
    # probably want to keep them private from the GatewayInterface.
    # If so, you should block the entire subnets on those interfaces, e.g.:
    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 10.0.0.0/8
    # Typical ports you will probably want to open up include
    # 53 udp and tcp for DNS,
    # 80 for http,
    # 443 for https,
    # 22 for ssh:
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 22
}
# end FirewallRuleSet authenticated-users

# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList, and
# are *not* authenticated with Nodogsplash. The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
    # For preauthenticated users to resolve IP addresses in their initial
    # request not using the router itself as a DNS server,
    # you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 53
    # For splash page content not hosted on the router, you
    # will want to allow port 80 tcp to the remote host here.
    # Doing so circumvents the usual capture and redirect of
    # any port 80 request to this remote host.
    # Note that the remote host's numerical IP address must be known
    # and used here.
    FirewallRule allow tcp port 80 to 172.16.42.1
}
# end FirewallRuleSet preauthenticated-users

# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
    # Nodogsplash automatically allows tcp to GatewayPort,
    # at GatewayAddress, to serve the splash page.
    # However you may want to open up other ports, e.g.
    # 53 for DNS and 67 for DHCP if the router itself is
    # providing these services.
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    # You may want to allow ssh, http, and https to the router
    # for administration from the GatewayInterface. If not,
    # comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 1471
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow -- packets are accepted
# block -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow

# Parameter: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
#
# GatewayName NoDogSplash

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface. This is the address that the Nodogsplash
# server listens on.
#
# GatewayAddress 192.168.1.1

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on an OpenWRT system, but if not:
# Set ExternalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
#
# ExternalInterface vlan1

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
# to their initially requested page.
# If RedirectURL is set, the user is redirected to this URL instead.
#
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
# connect at any time. (Does not include users on the TrustedMACList,
# who do not authenticate.)
#
# MaxClients 20

# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not.
#
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
#
# AuthenticateImmediately no

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MACs are blocked.
#
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface. Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D

# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.
#
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
#
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
#
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
#
# UploadLimit 64

# Parameter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash. Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
#
# GatewayIPRange 0.0.0.0/0
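
The ruleset comments above say rules are considered in order, the first match applies, and an unmatched packet in a non-empty ruleset is rejected. The following is an added example (not part of the original paste and not Nodogsplash code) that audits a ruleset under those semantics and reports which RFC 1918 ranges its `block to` rules leave uncovered. The function names are hypothetical, the regex covers only an assumed subset of the rule grammar (allow/block, optional tcp/udp, a single port, a single target), and EmptyRuleSetPolicy is not modeled.

```python
import ipaddress
import re

# Constructed sample: the authenticated-users ruleset from the config above.
SAMPLE_CONF = """
FirewallRuleSet authenticated-users {
    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 10.0.0.0/8
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 22
}
"""

# Assumed subset of the rule grammar: allow/block, optional tcp/udp, one port, one target.
RULE_RE = re.compile(r"^FirewallRule\s+(allow|block)(?:\s+(tcp|udp))?"
                     r"(?:\s+port\s+(\d+))?(?:\s+to\s+(\S+))?$")

def parse_rulesets(text):
    """Return {ruleset name: [(action, proto, port, network), ...]} in file order."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing
        if line.startswith("FirewallRuleSet"):
            current = rulesets.setdefault(line.split()[1], [])
        elif line == "}":
            current = None
        elif current is not None and (m := RULE_RE.match(line)):
            action, proto, port, net = m.groups()
            current.append((action, proto, int(port) if port else None,
                            ipaddress.ip_network(net) if net else None))
    return rulesets

def verdict(rules, proto, port, dst):
    """First matching rule wins; unmatched packets in a non-empty ruleset are rejected."""
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_port, r_net in rules:
        if r_proto in (None, proto) and r_port in (None, port) and (r_net is None or dst in r_net):
            return action
    return "block"

def uncovered_private_ranges(rules):
    """RFC 1918 ranges that no unconditional 'block to' rule covers."""
    blocked = [n for a, p, port, n in rules if a == "block" and p is None and n is not None]
    private = map(ipaddress.ip_network, ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
    return [str(r) for r in private if not any(r.subnet_of(b) for b in blocked)]
```

For the ruleset in this config, the audit reports `172.16.0.0/12` as uncovered, so an authenticated client's TCP port 80 request to `172.16.42.1` falls through the two block rules and matches `allow tcp port 80`.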