#
|
|
# Nodogsplash Configuration File
|
|
#
|
|
|
|
# Parameter: GatewayInterface
|
|
# Default: NONE
|
|
#
|
|
# This is not autodetected, has no default, and must be set here.
|
|
# Set GatewayInterface to the interface on your router
|
|
# that is to be managed by Nodogsplash.
|
|
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
|
|
# May be br-lan on OpenWrt Kamikaze.
|
|
|
|
# Example value only: replace br0 with the interface Nodogsplash should manage.
GatewayInterface br0
|
|
|
|
# FirewallRuleSet: authenticated-users
|
|
#
|
|
# Control forwarding for users after authentication.
|
|
# These rules are inserted at the beginning of the
|
|
# FORWARD chain of the router's filter table, and
|
|
# apply to packets that have come in to the router
|
|
# over the GatewayInterface from MAC addresses that
|
|
# have authenticated with Nodogsplash, and that are
|
|
# destined to be routed through the router. The rules are
|
|
# considered in order, and the first rule that matches
|
|
# a packet applies to it. A packet that does not match
|
|
# any rule here is REJECTed.
|
|
|
|
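FirewallRuleSet authenticated-users {

# Rules are evaluated top to bottom and the first match wins, so any
# exception to a block rule below has to be listed before that block rule.

# You may want to open access to a machine on a local
# subnet that is otherwise blocked (for example, to
# serve a redirect page; see RedirectURL). If so,
# allow that explicitly here, e.g:
# FirewallRule allow tcp port 80 to 192.168.254.254

# Your router may have several interfaces, and you
# probably want to keep them private from the GatewayInterface.
# If so, you should block the entire subnets on those interfaces.
# All three RFC 1918 private ranges are blocked here, so that a
# 172.16.x.x - 172.31.x.x network behind the router is not left
# reachable by hotspot users; remove a line only if authenticated
# users genuinely need that range.
FirewallRule block to 192.168.0.0/16
FirewallRule block to 172.16.0.0/12
FirewallRule block to 10.0.0.0/8

# Nodogsplash automatically allows port 53 udp and tcp for DNS.
# However you will probably want to open up other ports for
# authenticated users; e.g. http, https, ssh.
# These allow rules name no destination, so presumably they apply to any
# address not matched by a block rule above. A packet that matches no
# rule in this set is REJECTed.
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
FirewallRule allow tcp port 22

}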
|
|
# end FirewallRuleSet authenticated-users
|
|
|
|
# FirewallRuleSet: users-to-router
|
|
#
|
|
# Control access to the router itself from the GatewayInterface.
|
|
# These rules are inserted at the beginning of the
|
|
# INPUT chain of the router's filter table, and
|
|
# apply to packets that have come in to the router
|
|
# over the GatewayInterface from MAC addresses that
|
|
# are not on the TrustedMACList, and are destined for
|
|
# the router itself. The rules are
|
|
# considered in order, and the first rule that matches
|
|
# a packet applies to it. A packet that does not match
|
|
# any rule here is REJECTed.
|
|
|
|
FirewallRuleSet users-to-router {
# Per the description of this rule set, these rules cover every client on
# the GatewayInterface whose MAC is not on the TrustedMACList; nothing
# there limits them to clients that have already authenticated.

# Nodogsplash automatically allows tcp to GatewayPort,
# at GatewayAddress, to serve the splash page.
# However you probably want to open up other ports, e.g.
# 53 for DNS and 67 for DHCP.
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
# You may want to allow ssh, http, and https to the router
# for administration from the GatewayInterface. If not,
# comment these out.
# NOTE(review): as shipped, these three rules expose the router's
# administration services to all of the clients described above. On a
# public hotspot, comment them out unless the router has to be managed
# from this interface, and check that you still have another way to reach
# the router before doing so.
FirewallRule allow tcp port 22
FirewallRule allow tcp port 80
FirewallRule allow tcp port 443
}
|
|
# end FirewallRuleSet users-to-router
|
|
|
|
|
|
|
|
# Parameter: GatewayName
|
|
# Default: NoDogSplash
|
|
#
|
|
# Set GatewayName to the name of your gateway. This value
|
|
# will be available as variable $gatewayname in the splash page source
|
|
# and in status output from ndsctl, but otherwise doesn't matter.
|
|
# If none is supplied, the value "NoDogSplash" is used.
|
|
|
|
# GatewayName NoDogSplash
|
|
|
|
# Parameter: GatewayAddress
|
|
# Default: Discovered from GatewayInterface
|
|
#
|
|
# This should be autodetected on an OpenWRT system, but if not:
|
|
# Set GatewayAddress to the IP address of the router on
|
|
# the GatewayInterface. This is the address that the Nodogsplash
|
|
# server listens on.
|
|
|
|
# GatewayAddress 192.168.1.1
|
|
|
|
# Parameter: ExternalInterface
|
|
# Default: Autodetected from /proc/net/route
|
|
#
|
|
# This should be autodetected on an OpenWRT system, but if not:
# Set ExternalInterface to the 'external' interface on your router,
|
|
# i.e. the one which provides the default route to the internet.
|
|
# Typically vlan1 for OpenWRT.
|
|
|
|
# ExternalInterface vlan1
|
|
|
|
# Parameter: RedirectURL
|
|
# Default: none
|
|
#
|
|
# After authentication, normally a user is redirected
|
|
# to their initially requested page.
|
|
# If RedirectURL is set, the user is redirected to this URL instead.
|
|
#
|
|
# RedirectURL http://www.ilesansfil.org/
|
|
|
|
# Parameter: GatewayPort
|
|
# Default: 2050
|
|
#
|
|
# Nodogsplash's own http server uses GatewayAddress as its IP address.
|
|
# The port it listens to at that IP can be set here; default is 2050.
|
|
|
|
# GatewayPort 2050
|
|
|
|
# Parameter: MaxClients
|
|
# Default: 20
|
|
#
|
|
# Set MaxClients to the maximum number of users allowed to
|
|
# connect at any time. (Does not include users on the TrustedMACList,
|
|
# who do not authenticate.)
|
|
|
|
# MaxClients 20
|
|
|
|
# ClientIdleTimeout
|
|
# Parameter: ClientIdleTimeout
|
|
# Default: 10
|
|
#
|
|
# Set ClientIdleTimeout to the desired number of minutes
|
|
# of inactivity before a user is automatically 'deauthenticated'.
|
|
|
|
# ClientIdleTimeout 10
|
|
|
|
# Parameter: ClientForceTimeout
|
|
# Default: 360
|
|
#
|
|
# Set ClientForceTimeout to the desired number of minutes before
|
|
# a user is automatically 'deauthenticated', whether active or not
|
|
|
|
# ClientForceTimeout 360
|
|
|
|
# Parameter: AuthenticateImmediately
|
|
# Default: no
|
|
#
|
|
# Set to yes (or true or 1), to immediately authenticate users
|
|
# who make a http port 80 request on the GatewayInterface (i.e.
|
|
# do not serve a splash page or redirect to any remote authenticator;
|
|
# just redirect to the user's request, or to RedirectURL if set).
|
|
|
|
# AuthenticateImmediately no
|
|
|
|
# Parameter: BlockedMACList
|
|
# Default: none
|
|
#
|
|
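# Comma-separated list of MAC addresses that will be completely blocked
# from the GatewayInterface.
# N.B.: weak security, since MAC addresses are easy to spoof; a blocked
# client can return under a different MAC address, so do not rely on this
# list as an access control.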
|
|
|
|
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
|
|
|
|
# Parameter: TrustedMACList
|
|
# Default: none
|
|
#
|
|
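# Comma-separated list of MAC addresses that are not subject to
# authentication, and are not restricted by the authenticated-users
# FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof: any device
# presenting a listed MAC address skips authentication and the
# authenticated-users rules, so keep this list as short as possible.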
|
|
|
|
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
|
|
|
|
|
|
# Parameter: TrafficControl
|
|
# Default: no
|
|
#
|
|
# Set to yes (or true or 1), to enable traffic control in Nodogsplash
|
|
|
|
# TrafficControl no
|
|
|
|
# Parameter: DownloadLimit
|
|
# Default: 0
|
|
#
|
|
# If TrafficControl is enabled, this sets the maximum download
|
|
# speed to the GatewayInterface, in kilobits per second.
|
|
# For example if you have an ADSL connection with 768 kbit
|
|
# download speed, and you want to allow about half of that
|
|
# bandwidth for the GatewayInterface, set this to 384.
|
|
# A value of 0 means no download limiting is done.
|
|
|
|
# DownloadLimit 384
|
|
|
|
# Parameter: UploadLimit
|
|
# Default: 0
|
|
#
|
|
# If TrafficControl is enabled, this sets the maximum upload
|
|
# speed from the GatewayInterface, in kilobits per second.
|
|
# For example if you have an ADSL connection with 128 kbit
|
|
# upload speed, and you want to allow about half of that
|
|
# bandwidth for the GatewayInterface, set this to 64.
|
|
# A value of 0 means no upload limiting is done.
|
|
|
|
# UploadLimit 64
|
|
|
|
|