Evilportal II settings

a guest
Jul 23rd, 2015
#configured
#configured
#configured
#configured
#
# Nodogsplash Configuration File
#

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br-lan for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
#
GatewayInterface br-lan

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
#
FirewallRuleSet authenticated-users {

# You may want to open access to a machine on a local
# subnet that is otherwise blocked (for example, to
# serve a redirect page; see RedirectURL). If so,
# allow that explicitly here, e.g:
#FirewallRule allow tcp port 80 to 172.16.42.1

# Your router may have several interfaces, and you
# probably want to keep them private from the GatewayInterface.
# If so, you should block the entire subnets on those interfaces, e.g.:
FirewallRule block to 192.168.0.0/16
FirewallRule block to 10.0.0.0/8

# Typical ports you will probably want to open up include
# 53 udp and tcp for DNS,
# 80 for http,
# 443 for https,
# 22 for ssh:
FirewallRule allow tcp port 53
FirewallRule allow udp port 53
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
FirewallRule allow tcp port 22

}
# end FirewallRuleSet authenticated-users


# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList, and
# are *not* authenticated with Nodogsplash. The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
# For preauthenticated users to resolve IP addresses in their initial
# request not using the router itself as a DNS server,
# you probably want to allow port 53 udp and tcp for DNS.
FirewallRule allow tcp port 53
FirewallRule allow udp port 53
# For splash page content not hosted on the router, you
# will want to allow port 80 tcp to the remote host here.
# Doing so circumvents the usual capture and redirect of
# any port 80 request to this remote host.
# Note that the remote host's numerical IP address must be known
# and used here.
FirewallRule allow tcp port 80 to 172.16.42.1
}
# end FirewallRuleSet preauthenticated-users


# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
# Nodogsplash automatically allows tcp to GatewayPort,
# at GatewayAddress, to serve the splash page.
# However you may want to open up other ports, e.g.
# 53 for DNS and 67 for DHCP if the router itself is
# providing these services.
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
# You may want to allow ssh, http, and https to the router
# for administration from the GatewayInterface. If not,
# comment these out.
FirewallRule allow tcp port 22
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
FirewallRule allow tcp port 1471
FirewallRule allow tcp port 1471
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow -- packets are accepted
# block -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow


# Parameter: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
#
# GatewayName NoDogSplash

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface. This is the address that the Nodogsplash
# server listens on.
#
# GatewayAddress 192.168.1.1

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on an OpenWRT system, but if not:
# Set ExternalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
#
# ExternalInterface vlan1

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
# to their initially requested page.
# If RedirectURL is set, the user is redirected to this URL instead.
#
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
# connect at any time. (Does not include users on the TrustedMACList,
# who do not authenticate.)
#
# MaxClients 20

# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not.
#
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
#
# AuthenticateImmediately no

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MACs are blocked.
#
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface. Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D


# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.
#
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.
#
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.
#
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.
#
#
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
#
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
#
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
#
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
#
# UploadLimit 64

# Parameter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash. Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
#
# GatewayIPRange 0.0.0.0/0