diff options
| author | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 03:06:49 +0000 |
|---|---|---|
| committer | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 03:06:49 +0000 |
| commit | 5b237745003431d487de361ca0980a467ee2f5d5 (patch) | |
| tree | 0a29f0237f9e8e536112f9fc816e7a52bbc19691 /etc | |
| download | pfsense-5b237745003431d487de361ca0980a467ee2f5d5.zip pfsense-5b237745003431d487de361ca0980a467ee2f5d5.tar.gz | |
Initial revision
Diffstat (limited to 'etc')
50 files changed, 11088 insertions, 0 deletions
diff --git a/etc/auth.conf b/etc/auth.conf new file mode 100644 index 0000000..3062d37 --- /dev/null +++ b/etc/auth.conf @@ -0,0 +1,10 @@ +# +# $FreeBSD: src/etc/auth.conf,v 1.4.2.1 2001/07/13 14:37:26 dd Exp $ +# +# This file contains information on what types of authentication to use. +# It is just the beginnings of a greater scheme. + +# crypt_default = md5 des +# auth_list = passwd kerberos + +auth_list = passwd diff --git a/etc/disktab b/etc/disktab new file mode 100644 index 0000000..43ebdf9 --- /dev/null +++ b/etc/disktab @@ -0,0 +1,235 @@ +# $FreeBSD: src/etc/etc.i386/disktab,v 1.20.2.2 2002/04/15 00:44:15 dougb Exp $ +# +# Disk geometry and partition layout tables. +# Key: +# dt controller type +# ty type of disk (fixed, removeable, simulated) +# d[0-4] drive-type-dependent parameters +# ns #sectors/track +# nt #tracks/cylinder +# nc #cylinders/disk +# sc #sectors/cylinder, ns*nt default +# su #sectors/unit, sc*nc default +# se sector size, DEV_BSIZE default +# rm rpm, 3600 default +# sf supports bad144-style bad sector forwarding +# sk sector skew per track, default 0 +# cs sector skew per cylinder, default 0 +# hs headswitch time, default 0 +# ts one-cylinder seek time, default 0 +# il sector interleave (n:1), 1 default +# bs boot block size, default BBSIZE +# sb superblock size, default SBSIZE +# o[a-h] partition offsets in sectors +# p[a-h] partition sizes in sectors +# b[a-h] partition block sizes in bytes +# f[a-h] partition fragment sizes in bytes +# t[a-h] partition types (filesystem, swap, etc) +# +# All partition sizes reserve space for bad sector tables. +# (5 cylinders needed for maintenance + replacement sectors) +# + +# +# Floppy formats: +# +# To make a filesystem on a floppy: +# fdformat [-f <size>] fd<drive>[.<size>] +# disklabel -B -r -w fd<drive>[.<size>] fd<size> +# newfs <opts> fd<drive>[.<size>] +# +# with <opts>: +# -t 2 - two heads +# -u 9|15|18 - sectors per track +# (using the default value of 1/4096 is not much useful for floppies) +# -l 1 - interleave 1 (for most floppies) +# -i 65536 - bytes of data per i-node +# (the default -i value will render you with a floppy wasting way +# too much space in i-node areas) +# + +fd360:\ + :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#40:\ + :pa#720:oa#0:ba#4096:fa#512:\ + :pb#720:ob#0:bb#4096:fb#512:\ + :pc#720:oc#0:bc#4096:fc#512: + +fd720:\ + :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#80:\ + :pa#1440:oa#0:ba#4096:fa#512:\ + :pb#1440:ob#0:bb#4096:fb#512:\ + :pc#1440:oc#0:bc#4096:fc#512: + +fd1200|floppy5|5in|5.25in High Density Floppy:\ + :ty=floppy:se#512:nt#2:rm#360:ns#15:nc#80:\ + :pa#2400:oa#0:ba#4096:fa#512:\ + :pb#2400:ob#0:bb#4096:fb#512:\ + :pc#2400:oc#0:bc#4096:fc#512: + +fd1440|floppy|floppy3|3in|3.5in High Density Floppy:\ + :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#80:\ + :pa#2880:oa#0:ba#4096:fa#512:\ + :pb#2880:ob#0:bb#4096:fb#512:\ + :pc#2880:oc#0:bc#4096:fc#512: + +# +# Stressed floppy-formats. No guarantees given. +# + +fd800:\ + :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#80:\ + :pa#1600:oa#0:ba#4096:fa#512:\ + :pb#1600:ob#0:bb#4096:fb#512:\ + :pc#1600:oc#0:bc#4096:fc#512: + +fd820:\ + :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#82:\ + :pa#1640:oa#0:ba#4096:fa#512:\ + :pb#1640:ob#0:bb#4096:fb#512:\ + :pc#1640:oc#0:bc#4096:fc#512: + +fd1480:\ + :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#82:\ + :pa#2952:oa#0:ba#4096:fa#512:\ + :pb#2952:ob#0:bb#4096:fb#512:\ + :pc#2952:oc#0:bc#4096:fc#512: + +fd1720:\ + :ty=floppy:se#512:nt#2:rm#300:ns#21:nc#82:\ + :pa#3444:oa#0:ba#4096:fa#512:\ + :pb#3444:ob#0:bb#4096:fb#512:\ + :pc#3444:oc#0:bc#4096:fc#512: + +# +# LS-120 floppy-format. +# +fd120m|floppy120|floppy120m|3.5in LS-120 Floppy:\ + :ty=floppy:se#512:nt#8:rm#300:ns#32:nc#963:\ + :pa#246528:oa#0:ba#4096:fa#512:\ + :pb#246528:ob#0:bb#4096:fb#512:\ + :pc#246528:oc#0:bc#4096:fc#512: + +# +# Harddisk formats +# +qp120at|Quantum Peripherals 120MB IDE:\ + :dt=ESDI:ty=winchester:se#512:nt#9:ns#32:nc#813:sf: \ + :pa#13824:oa#0:ta=4.2BSD:ba#4096:fa#512: \ + :pb#13824:ob#13824:tb=swap: \ + :pc#234144:oc#0: \ + :ph#206496:oh#27648:th=4.2BSD:bh#4096:fh#512: + +pan60|Panasonic Laptop's 60MB IDE:\ + :dt=ST506:ty=winchester:se#512:nt#13:ns#17:nc#565:\ + :pa#13260:oa#0:ta=4.2BSD:ba#4096:fa#512:\ + :pb#13260:ob#13260:tb=swap: \ + :pc#124865:oc#0: \ + :ph#97682:oh#26520:th=4.2BSD:bh#4096:fh#512: + +mk156|toshiba156|Toshiba MK156 156Mb:\ + :dt=SCSI:ty=winchester:se#512:nt#10:ns#35:nc#825:\ + :pa#15748:oa#0:ba#4096:fa#512:ta=4.2BSD:\ + :pb#15748:ob#15748:tb=swap:\ + :pc#288750:oc#0:\ + :ph#257250:oh#31500:bh#4096:fh#512:th=4.2BSD: + +cp3100|Connor Peripherals 100MB IDE:\ + :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \ + :pa#12144:oa#0:ta=4.2BSD:ba#4096:fa#512: \ + :pb#12144:ob#12144:tb=swap: \ + :pc#202224:oc#0: \ + :ph#177936:oh#24288:th=4.2BSD:bh#4096:fh#512: + +# a == root +# b == swap +# c == d == whole disk +# e == /var +# f == scratch +# h == /usr + +cp3100new|Connor Peripherals 100MB IDE, with a different configuration:\ + :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \ + :pa#15840:oa#0:ta=4.2BSD:ba#4096:fa#512: \ + :pb#24288:ob#15840:tb=swap: \ + :pc#202224:oc#0: \ + :pd#202224:od#0: \ + :pe#15840:oe#40128:te=4.2BSD:be#4096:fe#512: \ + :pg#15840:og#55968:tg=4.2BSD:bg#4096:fg#512: \ + :ph#130416:oh#71808:th=4.2BSD:bh#4096:fh#512: + +maxtor4380|Maxtor XT4380E ESDI :\ + :dt=ESDI:ty=winchester:se#512:nt#15:ns#36:nc#1222:sf: \ + :pa#21600:oa#0:ta=4.2BSD:ba#4096:fa#512:\ + :pb#21600:ob#21600:tb=swap: \ + :pc#659880:oc#0: \ + :pd#216000:od#53200:td=4.2BSD:bd#4096:fd#512: \ + :ph#398520:oh#269200:th=4.2BSD:bh#4096:fh#512: + +miniscribe9380|compaq38|Miniscribe 9380 ESDI :\ + :ty=winchester:dt=ESDI:se#512:nt#15:ns#35:nc#1223:rm#3600:sf: \ + :pa#21000:oa#0:ba#8192:fa#1024:ta=4.2BSD: \ + :pb#42000:ob#21000:tb=swap: \ + :pc#642075:oc#0: \ + :pd#21000:od#63000:bd#8192:fd#1024:td=4.2BSD: \ + :ph#556500:oh#84000:bh#8192:fh#1024:th=4.2BSD: + +ida4|compaq88|Compaq IDA (4 drives) :\ + :ty=winchester:dt=IDA:se#512:nt#16:ns#63:nc#1644:rm#3600:\ + :pa#20160:oa#0:ba#8192:fa#1024:ta=4.2BSD: \ + :pb#80640:ob#20160:tb=swap: \ + :pc#1659168:oc#0: \ + :pd#201600:od#100800:bd#8192:fd#1024:td=4.2BSD: \ + :pe#20160:oe#1310400:be#8192:fe#1024:te=4.2BSD: \ + :ph#1008000:oh#302400:bh#8192:fh#1024:th=4.2BSD: \ + :pg#302400:og#1330560:bg#4096:fg#512:tg=4.2BSD: + +fuji513|Fujitsu M22XXXX: \ + :ty=winchester:dt=ESDI:se#512:nt#16:ns#63:nc#954:rm#3600:\ + :pa#20160:oa#82656:ba#4096:fa#512:ta=4.2BSD: \ + :pb#40320:ob#102816:tb=swap: \ + :pc#961632:oc#0: \ + :ph#656208:oh#143136:bh#4096:fh#512:th=4.2BSD: + +sony650|Sony 650 MB MOD|\ + :ty=removable:dt=SCSI:se#512:nt#1:ns#31:nc#18600:ts#1:rm#4800:\ + :pc#576600:oc#0:\ + :pa#576600:oa#0:ta=4.2BSD:ba#8192:fa#1024: + +mta3230|mo230|IBM MTA-3230 230 Meg 3.5inch Magneto-Optical:\ + :ty=removeable:dt=SCSI:rm#3600:\ + :se#512:nt#64:ns#32:nc#216:sc#2048:su#444384:\ + :pa#444384:oa#0:ba#4096:fa#0:ta=4.2BSD:\ + :pc#444384:oc#0: + +minimum:ty=mfs:se#512:nt#1:rm#300:\ + :ns#2880:nc#1:\ + :pa#2880:oa#0:ba#4096:fa#512:\ + :pc#2880:oc#0:bc#4096:fc#512: + +minimum2:ty=mfs:se#512:nt#1:rm#300:\ + :ns#5760:nc#1:\ + :pa#5760:oa#0:ba#4096:fa#512:\ + :pc#5760:oc#0:bc#4096:fc#512: + +minimum3:ty=mfs:se#512:nt#1:rm#300:\ + :ns#8640:nc#1:\ + :pa#8640:oa#0:ba#4096:fa#512:\ + :pc#8640:oc#0:bc#4096:fc#512: + +zip100|zip 100:\ + :ty=removable:se#512:nc#96:nt#64:ns#32:\ + :pa#196608:oa#0:ba#4096:fa#512:\ + :pb#196608:ob#0:bb#4096:fb#512:\ + :pc#196608:oc#0:bc#4096:fc#512: + +zip250|zip 250:\ + :ty=removable:se#512:nc#239:nt#64:ns#32:\ + :pa#489472:oa#0:ba#4096:fa#512:\ + :pb#489472:ob#0:bb#4096:fb#512:\ + :pc#489472:oc#0:bc#4096:fc#512: + +orb2200|orb22|orb:\ + :ty=removable:ns#63:nt#128:nc#4273:sc#1008:su#4307184:se#512:\ + :pa#4307184:oa#0:ba#8192:fa#1024:\ + :pc#4307184:oc#0:bc#8192:fc#1024: + diff --git a/etc/fbtab b/etc/fbtab new file mode 100644 index 0000000..06d2d61 --- /dev/null +++ b/etc/fbtab @@ -0,0 +1,4 @@ +# $FreeBSD: src/etc/fbtab,v 1.3 1999/09/13 17:09:07 peter Exp $ +# +#/dev/ttyv0 0600 /dev/console +#/dev/ttyv0 0600 /dev/pcaudio:/dev/pcaudioctl diff --git a/etc/group b/etc/group new file mode 100644 index 0000000..cac3e1e --- /dev/null +++ b/etc/group @@ -0,0 +1,15 @@ +wheel:*:0:root,admin +daemon:*:1:daemon +kmem:*:2:root +sys:*:3:root +tty:*:4:root +operator:*:5:root +bin:*:7: +staff:*:20:root +guest:*:31:root +dialer:*:68: +network:*:69: +www:*:80: +nogroup:*:65533: +nobody:*:65534: +admin:*:101: diff --git a/etc/host.conf b/etc/host.conf new file mode 100644 index 0000000..6643c7f --- /dev/null +++ b/etc/host.conf @@ -0,0 +1,7 @@ +# $FreeBSD: src/etc/host.conf,v 1.6 1999/08/27 23:23:41 peter Exp $ +# First try the /etc/hosts file +hosts +# Now try the nameserver next. +bind +# If you have YP/NIS configured, uncomment the next line +# nis diff --git a/etc/hosts.allow b/etc/hosts.allow new file mode 100644 index 0000000..ab11cc0 --- /dev/null +++ b/etc/hosts.allow @@ -0,0 +1,5 @@ +# +# hosts.allow access control file for "tcp wrapped" applications. +# +ALL : ALL : allow + diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc new file mode 100644 index 0000000..d5d78b1 --- /dev/null +++ b/etc/inc/captiveportal.inc @@ -0,0 +1,642 @@ +<?php +/* + captiveportal.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); +require_once("radius_accounting.inc") ; + +function captiveportal_configure() { + global $config, $g; + + if (isset($config['captiveportal']['enable']) && + (($config['captiveportal']['interface'] == "lan") || + isset($config['interfaces'][$config['captiveportal']['interface']]['enable']))) { + + if ($g['booting']) + echo "Starting captive portal... "; + + /* kill any running mini_httpd */ + killbypid("{$g['varrun_path']}/mini_httpd.cp.pid"); + killbypid("{$g['varrun_path']}/mini_httpd.cps.pid"); + + /* kill any running minicron */ + killbypid("{$g['varrun_path']}/minicron.pid"); + + /* generate ipfw rules */ + $cprules = captiveportal_rules_generate(); + + /* make sure ipfw is loaded */ + mwexec("/sbin/kldload ipfw"); + + /* stop accounting on all clients */ + captiveportal_radius_stop_all() ; + + /* remove old information */ + unlink_if_exists("{$g['vardb_path']}/captiveportal.nextrule"); + unlink_if_exists("{$g['vardb_path']}/captiveportal.db"); + unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db"); + unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db"); + unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db"); + + /* write portal page */ + if ($config['captiveportal']['page']['htmltext']) + $htmltext = base64_decode($config['captiveportal']['page']['htmltext']); + else { + /* example/template page */ + $htmltext = <<<EOD +<html> +<head> +<title>m0n0wall captive portal</title> +</head> +<body> +<h2>m0n0wall captive portal</h2> +<p>This is the default captive portal page. Please upload your own custom HTML file on the <em>Services: Captive portal</em> screen in the m0n0wall webGUI.</p> +<form method="post" action=""> + <input name="accept" type="submit" value="Continue"> +</form> +</body> +</html> + +EOD; + } + + $fd = @fopen("{$g['varetc_path']}/captiveportal.html", "w"); + if ($fd) { + fwrite($fd, $htmltext); + fclose($fd); + } + + /* write error page */ + if ($config['captiveportal']['page']['errtext']) + $errtext = base64_decode($config['captiveportal']['page']['errtext']); + else { + /* example page */ + $errtext = <<<EOD +<html> +<head> +<title>Authentication error</title> +</head> +<body> +<font color="#cc0000"><h2>Authentication error</h2></font> +<b> +Username and/or password invalid. +<br><br> +<a href="javascript:history.back()">Go back</a> +</b> +</body> +</html> + +EOD; + } + + $fd = @fopen("{$g['varetc_path']}/captiveportal-error.html", "w"); + if ($fd) { + fwrite($fd, $errtext); + fclose($fd); + } + + /* load rules */ + mwexec("/sbin/ipfw -f delete set 1"); + mwexec("/sbin/ipfw -f delete set 2"); + mwexec("/sbin/ipfw -f delete set 3"); + + /* XXX - seems like ipfw cannot accept rules directly on stdin, + so we have to write them to a temporary file first */ + $fd = @fopen("{$g['tmp_path']}/ipfw.cp.rules", "w"); + if (!$fd) { + printf("Cannot open ipfw.cp.rules in captiveportal_configure()\n"); + return 1; + } + + fwrite($fd, $cprules); + fclose($fd); + + mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.cp.rules"); + + unlink("{$g['tmp_path']}/ipfw.cp.rules"); + + /* filter on layer2 as well so we can check MAC addresses */ + mwexec("/sbin/sysctl net.link.ether.ipfw=1"); + + chdir($g['captiveportal_path']); + + /* start web server */ + mwexec("/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 16" . + " -p 8000 -i {$g['varrun_path']}/mini_httpd.cp.pid"); + + /* fire up another one for HTTPS if requested */ + if (isset($config['captiveportal']['httpslogin']) && + $config['captiveportal']['certificate'] && $config['captiveportal']['private-key']) { + + $cert = base64_decode($config['captiveportal']['certificate']); + $key = base64_decode($config['captiveportal']['private-key']); + + $fd = fopen("{$g['varetc_path']}/cert-portal.pem", "w"); + if (!$fd) { + printf("Error: cannot open cert-portal.pem in system_webgui_start().\n"); + return 1; + } + chmod("{$g['varetc_path']}/cert-portal.pem", 0600); + fwrite($fd, $cert); + fwrite($fd, "\n"); + fwrite($fd, $key); + fclose($fd); + + mwexec("/usr/local/sbin/mini_httpd -S -a -M 0 -E {$g['varetc_path']}/cert-portal.pem" . + " -u root -maxproc 16 -p 8001" . + " -i {$g['varrun_path']}/mini_httpd.cps.pid"); + } + + /* start pruning process (interval = 60 seconds) */ + mwexec("/usr/local/bin/minicron 60 {$g['varrun_path']}/minicron.pid " . + "/etc/rc.prunecaptiveportal"); + + /* generate passthru mac database */ + captiveportal_passthrumac_configure() ; + /* create allowed ip database and insert ipfw rules to make it so */ + captiveportal_allowedip_configure() ; + + /* generate radius server database */ + if($config['captiveportal']['radiusip']) { + $radiusip = $config['captiveportal']['radiusip'] ; + + if($config['captiveportal']['radiusport']) + $radiusport = $config['captiveportal']['radiusport'] ; + else + $radiusport = 1812; + + if($config['captiveportal']['radiusacctport']) + $radiusacctport = $config['captiveportal']['radiusacctport'] ; + else + $radiusacctport = 1813; + + $radiuskey = $config['captiveportal']['radiuskey']; + + $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db", "w"); + if (!$fd) { + printf("Error: cannot open radius DB file in captiveportal_configure().\n"); + return 1; + } else { + fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey) ; + } + fclose($fd) ; + } + + + if ($g['booting']) + echo "done\n"; + + } else { + killbypid("{$g['varrun_path']}/mini_httpd.cp.pid"); + killbypid("{$g['varrun_path']}/minicron.pid"); + captiveportal_radius_stop_all() ; + mwexec("/sbin/sysctl net.link.ether.ipfw=0"); + if (!isset($config['shaper']['enable'])) { + /* unload ipfw */ + mwexec("/sbin/kldunload ipfw"); + } else { + /* shaper is on - just remove our rules */ + mwexec("/sbin/ipfw -f delete set 1"); + mwexec("/sbin/ipfw -f delete set 2"); + mwexec("/sbin/ipfw -f delete set 3"); + } + } + + return 0; +} + +function captiveportal_rules_generate() { + global $config, $g; + + $cpifn = $config['captiveportal']['interface']; + $cpif = $config['interfaces'][$cpifn]['if']; + $cpip = $config['interfaces'][$cpifn]['ipaddr']; + + /* note: the captive portal daemon inserts all pass rules for authenticated + clients as skipto 50000 rules to make traffic shaping work */ + + $cprules = ""; + + /* captive portal on LAN interface? */ + if ($cpifn == "lan") { + /* add anti-lockout rules */ + $cprules .= <<<EOD +add 500 set 1 pass all from $cpip to any out via $cpif +add 501 set 1 pass all from any to $cpip in via $cpif + +EOD; + } + + $cprules .= <<<EOD +# skip to traffic shaper if not on captive portal interface +add 1000 set 1 skipto 50000 all from any to any not layer2 not via $cpif +# pass all layer2 traffic on other interfaces +add 1001 set 1 pass layer2 not via $cpif + +# layer 2: pass ARP +add 1100 set 1 pass layer2 mac-type arp +# layer 2: block anything else non-IP +add 1101 set 1 deny layer2 not mac-type ip +# layer 2: check if MAC addresses of authenticated clients are correct +add 1102 set 1 skipto 20000 layer2 + +# allow access to our DHCP server (which needs to be able to ping clients as well) +add 1200 set 1 pass udp from any 68 to 255.255.255.255 67 in +add 1201 set 1 pass udp from any 68 to $cpip 67 in +add 1202 set 1 pass udp from $cpip 67 to any 68 out +add 1203 set 1 pass icmp from $cpip to any out icmptype 8 +add 1204 set 1 pass icmp from any to $cpip in icmptype 0 + +# allow access to our DNS forwarder +add 1300 set 1 pass udp from any to $cpip 53 in +add 1301 set 1 pass udp from $cpip 53 to any out + +# allow access to our web server +add 1302 set 1 pass tcp from any to $cpip 8000 in +add 1303 set 1 pass tcp from $cpip 8000 to any out + +EOD; + + if (isset($config['captiveportal']['httpslogin'])) { + $cprules .= <<<EOD +add 1304 set 1 pass tcp from any to $cpip 8001 in +add 1305 set 1 pass tcp from $cpip 8001 to any out + +EOD; + } + + $cprules .= <<<EOD + +# ... 10000-19899: rules per authenticated client go here... + +# redirect non-authenticated clients to captive portal +add 19900 set 1 fwd 127.0.0.1,8000 tcp from any to any 80 in +# let the responses from the captive portal web server back out +add 19901 set 1 pass tcp from any 80 to any out +# block everything else +add 19902 set 1 deny all from any to any + +# ... 20000-29899: layer2 block rules per authenticated client go here... + +# pass everything else on layer2 +add 29900 set 1 pass all from any to any layer2 + +EOD; + + return $cprules; +} + +/* remove clients that have been around for longer than the specified amount of time */ +/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid */ +function captiveportal_prune_old() { + + global $g, $config; + + /* check for expired entries */ + if ($config['captiveportal']['timeout']) + $timeout = $config['captiveportal']['timeout'] * 60; + else + $timeout = 0; + + if ($config['captiveportal']['idletimeout']) + $idletimeout = $config['captiveportal']['idletimeout'] * 60; + else + $idletimeout = 0; + + if (!$timeout && !$idletimeout) + return; + + captiveportal_lock(); + + /* read database */ + $cpdb = captiveportal_read_db(); + + $radiusservers = captiveportal_get_radius_servers(); + + for ($i = 0; $i < count($cpdb); $i++) { + + $timedout = false; + + /* hard timeout? */ + if ($timeout) { + if ((time() - $cpdb[$i][0]) >= $timeout) + $timedout = true; + } + + /* if an idle timeout is specified, get last activity timestamp from ipfw */ + if (!$timedout && $idletimeout) { + $lastact = captiveportal_get_last_activity($cpdb[$i][1]); + if ($lastact && ((time() - $lastact) >= $idletimeout)) + $timedout = true; + } + + if ($timedout) { + /* this client needs to be deleted - remove ipfw rules */ + if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } + mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); + unset($cpdb[$i]); + } + } + + /* write database */ + captiveportal_write_db($cpdb); + + captiveportal_unlock(); +} + +/* remove a single client by ipfw rule number */ +function captiveportal_disconnect_client($id) { + + global $g, $config; + + captiveportal_lock(); + + /* read database */ + $cpdb = captiveportal_read_db(); + $radiusservers = captiveportal_get_radius_servers(); + + /* find entry */ + for ($i = 0; $i < count($cpdb); $i++) { + if ($cpdb[$i][1] == $id) { + /* this client needs to be deleted - remove ipfw rules */ + if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } + mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); + unset($cpdb[$i]); + break; + } + } + + /* write database */ + captiveportal_write_db($cpdb); + + captiveportal_unlock(); +} + +/* send RADIUS acct stop for all current clients */ +function captiveportal_radius_stop_all() { + global $g, $config; + + captiveportal_lock() ; + $cpdb = captiveportal_read_db() ; + + $radiusservers = captiveportal_get_radius_servers(); + + if (isset($radiusservers[0])) { + for ($i = 0; $i < count($cpdb); $i++) { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } + } + captiveportal_unlock() ; +} + +function captiveportal_passthrumac_configure() { + global $config, $g; + + /* clear out passthru macs, if necessary */ + if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) { + unlink("{$g['vardb_path']}/captiveportal_mac.db"); + } + + if (is_array($config['captiveportal']['passthrumac'])) { + + $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db", "w"); + if (!$fd) { + printf("Error: cannot open passthru mac DB file in captiveportal_passthrumac_configure().\n"); + return 1; + } + + foreach ($config['captiveportal']['passthrumac'] as $macent) { + /* record passthru mac so it can be recognized and let thru */ + fwrite($fd, $macent['mac'] . "\n"); + } + + fclose($fd); + } + + return 0; +} + +function captiveportal_allowedip_configure() { + global $config, $g; + + captiveportal_lock() ; + + /* clear out existing allowed ips, if necessary */ + if (file_exists("{$g['vardb_path']}/captiveportal_ip.db")) { + $fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if($line) { + list($ip,$rule) = explode(",",$line); + mwexec("/sbin/ipfw delete $rule") ; + } + } + } + fclose($fd) ; + unlink("{$g['vardb_path']}/captiveportal_ip.db"); + } + + /* get next ipfw rule number */ + if (file_exists("{$g['vardb_path']}/captiveportal.nextrule")) + $ruleno = trim(file_get_contents("{$g['vardb_path']}/captiveportal.nextrule")); + if (!$ruleno) + $ruleno = 10000; /* first rule number */ + + if (is_array($config['captiveportal']['allowedip'])) { + + $fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "w"); + if (!$fd) { + printf("Error: cannot open allowed ip DB file in captiveportal_allowedip_configure().\n"); + captiveportal_unlock() ; + return 1; + } + + foreach ($config['captiveportal']['allowedip'] as $ipent) { + /* record allowed ip so it can be recognized and removed later */ + fwrite($fd, $ipent['ip'] . "," . $ruleno ."\n"); + /* insert ipfw rule to allow ip thru */ + if($ipent['dir'] == "from") { + mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from ".$ipent['ip']." to any in") ; + mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to ".$ipent['ip']." out") ; + } else { + mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to ".$ipent['ip']." in") ; + mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from ".$ipent['ip']." to any out") ; + } + $ruleno++ ; + if ($ruleno > 19899) + $ruleno = 10000; + } + + fclose($fd); + + /* write next rule number */ + $fd = @fopen("{$g['vardb_path']}/captiveportal.nextrule", "w"); + if ($fd) { + fwrite($fd, $ruleno); + fclose($fd); + } + } + + captiveportal_unlock() ; + return 0; +} + +/* get last activity timestamp given ipfw rule number */ +function captiveportal_get_last_activity($ruleno) { + + exec("/sbin/ipfw -T list {$ruleno} 2>/dev/null", $ipfwoutput); + + /* in */ + if ($ipfwoutput[0]) { + $ri = explode(" ", $ipfwoutput[0]); + if ($ri[1]) + return $ri[1]; + } + + return 0; +} + +/* read captive portal DB into array */ +function captiveportal_read_db() { + + global $g; + + $cpdb = array(); + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + $cpdb[] = explode(",", $line); + } + } + fclose($fd); + } + return $cpdb; +} + +/* write captive portal DB */ +function captiveportal_write_db($cpdb) { + + global $g; + + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w"); + if ($fd) { + foreach ($cpdb as $cpent) { + fwrite($fd, join(",", $cpent) . "\n"); + } + fclose($fd); + } +} + +/* read RADIUS servers into array */ +function captiveportal_get_radius_servers() { + + global $g; + + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db","r"); + if ($fd) { + $radiusservers = array(); + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; + } + } + fclose($fd); + + return $radiusservers; + } + } + + return false; +} + +/* lock captive portal information, decide that the lock file is stale after + 10 seconds */ +function captiveportal_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/captiveportal.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = @fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function captiveportal_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/captiveportal.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff --git a/etc/inc/config.inc b/etc/inc/config.inc new file mode 100644 index 0000000..58202aa --- /dev/null +++ b/etc/inc/config.inc @@ -0,0 +1,551 @@ +<?php +/* + config.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include globals/utility/XML parser files */ +require_once("globals.inc"); +require_once("util.inc"); +require_once("xmlparse.inc"); + +/* read platform */ +if (file_exists("{$g['etc_path']}/platform")) { + $g['platform'] = chop(file_get_contents("{$g['etc_path']}/platform")); +} else { + $g['platform'] = "unknown"; +} + +if ($g['booting']) { + /* find the device where config.xml resides and write out an fstab */ + unset($cfgdevice); + + /* check if there's already an fstab (NFS booting?) */ + if (!file_exists("{$g['etc_path']}/fstab")) { + + if (strstr($g['platform'], "cdrom")) { + /* config is on floppy disk for CD-ROM version */ + $cfgdevice = $cfgpartition = "fd0"; + $cfgfstype = "msdos"; + } else { + /* probe kernel known disks until we find one with config.xml */ + $disks = explode(" ", trim(preg_replace("/kern.disks: /", "", exec("/sbin/sysctl kern.disks")))); + foreach ($disks as $mountdisk) { + /* skip mfs mounted filesystems */ + if (strstr($mountdisk, "md")) + continue; + if (mwexec("/sbin/mount -r /dev/{$mountdisk}a {$g['cf_path']}") == 0) { + if (file_exists("{$g['cf_conf_path']}/config.xml")) { + /* found it */ + $cfgdevice = $mountdisk; + $cfgpartition = $cfgdevice . "a"; + $cfgfstype = "ufs"; + echo "Found configuration on $cfgdevice.\n"; + } + + mwexec("/sbin/umount -f {$g['cf_path']}"); + + if ($cfgdevice) + break; + } + } + } + + if (!$cfgdevice) { + /* no device found, print an error and die */ + echo <<<EOD + + +******************************************************************************* +* FATAL ERROR * +* The device that contains the configuration file (config.xml) could not be * +* found. m0n0wall cannot continue booting. * +******************************************************************************* + + +EOD; + + mwexec("/sbin/halt"); + exit; + } + + /* write device name to a file for rc.firmware */ + $fd = fopen("{$g['varetc_path']}/cfdevice", "w"); + fwrite($fd, $cfgdevice . "\n"); + fclose($fd); + + /* write out an fstab */ + $fd = fopen("{$g['etc_path']}/fstab", "w"); + + $fstab = "/dev/{$cfgpartition} {$g['cf_path']} {$cfgfstype} ro 1 1\n"; + $fstab .= "proc /proc procfs rw 0 0\n"; + + fwrite($fd, $fstab); + fclose($fd); + } + + /* mount all filesystems */ + mwexec("/sbin/mount -a"); +} + +/* parse configuration */ +if (!$noparseconfig) { + + config_lock(); + + /* see if there's a newer cache file */ + if (file_exists("{$g['tmp_path']}/config.cache") && + (filemtime("{$g['tmp_path']}/config.cache") >= + filemtime("{$g['conf_path']}/config.xml"))) { + + /* read cache */ + $config = unserialize(file_get_contents("{$g['tmp_path']}/config.cache")); + } else { + + if (!file_exists("{$g['conf_path']}/config.xml")) { + if ($g['booting']) { + if (strstr($g['platform'], "cdrom")) { + /* try copying the default config. to the floppy */ + reset_factory_defaults(); + + echo "No XML configuration file found - using factory defaults.\n"; + echo "Make sure that the configuration floppy disk with the conf/config.xml\n"; + echo "file is inserted. If it isn't, your configuration changes will be lost\n"; + echo "on reboot.\n"; + } else { + echo "XML configuration file not found. m0n0wall cannot continue booting.\n"; + mwexec("/sbin/halt"); + exit; + } + } else { + config_unlock(); + exit(0); + } + } + + $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']); + + if ((float)$config['version'] > (float)$g['latest_config']) { + if ($g['booting']) { + echo <<<EOD + + +******************************************************************************* +* WARNING! * +* The current configuration has been created with a newer version of m0n0wall * +* than this one! This can lead to serious misbehavior and even security * +* holes! You are urged to either upgrade to a newer version of m0n0wall or * +* revert to the default configuration immediately! * +******************************************************************************* + + +EOD; + } + } + + /* write config cache */ + $fd = @fopen("{$g['tmp_path']}/config.cache", "wb"); + if ($fd) { + fwrite($fd, serialize($config)); + fclose($fd); + } + } + + config_unlock(); + + /* make alias table (for faster lookups) */ + alias_make_table(); +} + +/* mount flash card read/write */ +function conf_mount_rw() { + global $g; + + /* don't use mount -u anymore + (doesn't sync the files properly and /bin/sync won't help either) */ + mwexec("/sbin/umount -f {$g['cf_path']}"); + mwexec("/sbin/mount -w -o noatime {$g['cf_path']}"); +} + +/* mount flash card read only */ +function conf_mount_ro() { + global $g; + + mwexec("/sbin/umount -f {$g['cf_path']}"); + mwexec("/sbin/mount -r {$g['cf_path']}"); +} + +/* convert configuration, if necessary */ +function convert_config() { + global $config, $g; + + if ($config['version'] == $g['latest_config']) + return; /* already at latest version */ + + if ($g['booting']) + echo "Converting configuration... "; + + /* convert 1.0 -> 1.1 */ + if ($config['version'] == "1.0") { + $opti = 1; + $ifmap = array('lan' => 'lan', 'wan' => 'wan', 'pptp' => 'pptp'); + + /* convert DMZ to optional, if necessary */ + if (isset($config['interfaces']['dmz'])) { + + $dmzcfg = &$config['interfaces']['dmz']; + + if ($dmzcfg['if']) { + $config['interfaces']['opt' . $opti] = array(); + $optcfg = &$config['interfaces']['opt' . $opti]; + + $optcfg['enable'] = $dmzcfg['enable']; + $optcfg['descr'] = "DMZ"; + $optcfg['if'] = $dmzcfg['if']; + $optcfg['ipaddr'] = $dmzcfg['ipaddr']; + $optcfg['subnet'] = $dmzcfg['subnet']; + + $ifmap['dmz'] = "opt" . $opti; + $opti++; + } + + unset($config['interfaces']['dmz']); + } + + /* convert WLAN1/2 to optional, if necessary */ + for ($i = 1; isset($config['interfaces']['wlan' . $i]); $i++) { + + if (!$config['interfaces']['wlan' . $i]['if']) { + unset($config['interfaces']['wlan' . $i]); + continue; + } + + $wlancfg = &$config['interfaces']['wlan' . $i]; + $config['interfaces']['opt' . $opti] = array(); + $optcfg = &$config['interfaces']['opt' . $opti]; + + $optcfg['enable'] = $wlancfg['enable']; + $optcfg['descr'] = "WLAN" . $i; + $optcfg['if'] = $wlancfg['if']; + $optcfg['ipaddr'] = $wlancfg['ipaddr']; + $optcfg['subnet'] = $wlancfg['subnet']; + $optcfg['bridge'] = $wlancfg['bridge']; + + $optcfg['wireless'] = array(); + $optcfg['wireless']['mode'] = $wlancfg['mode']; + $optcfg['wireless']['ssid'] = $wlancfg['ssid']; + $optcfg['wireless']['channel'] = $wlancfg['channel']; + $optcfg['wireless']['wep'] = $wlancfg['wep']; + + $ifmap['wlan' . $i] = "opt" . $opti; + + unset($config['interfaces']['wlan' . $i]); + $opti++; + } + + /* convert filter rules */ + $n = count($config['filter']['rule']); + for ($i = 0; $i < $n; $i++) { + + $fr = &$config['filter']['rule'][$i]; + + /* remap interface */ + if (array_key_exists($fr['interface'], $ifmap)) + $fr['interface'] = $ifmap[$fr['interface']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(interface '{$fr['interface']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + + /* remap source network */ + if (isset($fr['source']['network'])) { + if (array_key_exists($fr['source']['network'], $ifmap)) + $fr['source']['network'] = $ifmap[$fr['source']['network']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(source network '{$fr['source']['network']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + } + + /* remap destination network */ + if (isset($fr['destination']['network'])) { + if (array_key_exists($fr['destination']['network'], $ifmap)) + $fr['destination']['network'] = $ifmap[$fr['destination']['network']]; + else { + /* remove the rule */ + echo "\nWarning: filter rule removed " . + "(destination network '{$fr['destination']['network']}' does not exist anymore)."; + unset($config['filter']['rule'][$i]); + continue; + } + } + } + + /* convert shaper rules */ + $n = count($config['pfqueueing']['rule']); + if (is_array($config['pfqueueing']['rule'])) + for ($i = 0; $i < $n; $i++) { + + $fr = &$config['pfqueueing']['rule'][$i]; + + /* remap interface */ + if (array_key_exists($fr['interface'], $ifmap)) + $fr['interface'] = $ifmap[$fr['interface']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(interface '{$fr['interface']}' does not exist anymore)."; + unset($config['pfqueueing']['rule'][$i]); + continue; + } + + /* remap source network */ + if (isset($fr['source']['network'])) { + if (array_key_exists($fr['source']['network'], $ifmap)) + $fr['source']['network'] = $ifmap[$fr['source']['network']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(source network '{$fr['source']['network']}' does not exist anymore)."; + unset($config['pfqueueing']['rule'][$i]); + continue; + } + } + + /* remap destination network */ + if (isset($fr['destination']['network'])) { + if (array_key_exists($fr['destination']['network'], $ifmap)) + $fr['destination']['network'] = $ifmap[$fr['destination']['network']]; + else { + /* remove the rule */ + echo "\nWarning: traffic shaper rule removed " . + "(destination network '{$fr['destination']['network']}' does not exist anymore)."; + unset($config['pfqueueing']['rule'][$i]); + continue; + } + } + } + + $config['version'] = "1.1"; + } + + /* convert 1.1 -> 1.2 */ + if ($config['version'] == "1.1") { + /* move LAN DHCP server config */ + $tmp = $config['dhcpd']; + $config['dhcpd'] = array(); + $config['dhcpd']['lan'] = $tmp; + + /* encrypt password */ + $config['system']['password'] = crypt($config['system']['password']); + + $config['version'] = "1.2"; + } + + /* convert 1.2 -> 1.3 */ + if ($config['version'] == "1.2") { + /* convert advanced outbound NAT config */ + for ($i = 0; isset($config['nat']['advancedoutbound']['rule'][$i]); $i++) { + $curent = &$config['nat']['advancedoutbound']['rule'][$i]; + $src = $curent['source']; + $curent['source'] = array(); + $curent['source']['network'] = $src; + $curent['destination'] = array(); + $curent['destination']['any'] = true; + } + + /* add an explicit type="pass" to all filter rules to make things consistent */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) { + $config['filter']['rule'][$i]['type'] = "pass"; + } + + $config['version'] = "1.3"; + } + + /* convert 1.3 -> 1.4 */ + if ($config['version'] == "1.3") { + /* convert shaper rules (make pipes) */ + if (is_array($config['pfqueueing']['rule'])) { + $config['pfqueueing']['pipe'] = array(); + + for ($i = 0; isset($config['pfqueueing']['rule'][$i]); $i++) { + $curent = &$config['pfqueueing']['rule'][$i]; + + /* make new pipe and associate with this rule */ + $newpipe = array(); + $newpipe['descr'] = $curent['descr']; + $newpipe['bandwidth'] = $curent['bandwidth']; + $newpipe['delay'] = $curent['delay']; + $newpipe['mask'] = $curent['mask']; + $config['pfqueueing']['pipe'][$i] = $newpipe; + + $curent['targetpipe'] = $i; + + unset($curent['bandwidth']); + unset($curent['delay']); + unset($curent['mask']); + } + } + + $config['version'] = "1.4"; + } + + write_config(); + + if ($g['booting']) + echo "done\n"; +} + +/* save the system configuration */ +function write_config() { + + global $config, $g; + + config_lock(); + + conf_mount_rw(); + + if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings is plausible */ + $config['lastchange'] = time(); + + /* generate configuration XML */ + $xmlconfig = dump_xml_config($config, $g['xml_rootobj']); + + /* write configuration */ + $fd = fopen("{$g['cf_conf_path']}/config.xml", "w"); + + if (!$fd) + die("Unable to open config.xml for writing in write_config()\n"); + + fwrite($fd, $xmlconfig); + fclose($fd); + + conf_mount_ro(); + + /* re-read configuration */ + $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']); + + /* write config cache */ + $fd = @fopen("{$g['tmp_path']}/config.cache", "wb"); + if ($fd) { + fwrite($fd, serialize($config)); + fclose($fd); + } + + config_unlock(); +} + +function reset_factory_defaults() { + + global $g; + + config_lock(); + + conf_mount_rw(); + + /* create conf directory, if necessary */ + if (!file_exists("{$g['cf_conf_path']}")) + @mkdir("{$g['cf_conf_path']}"); + + /* clear out /conf */ + $dh = opendir($g['conf_path']); + while ($filename = readdir($dh)) { + if (($filename != ".") && ($filename != "..")) { + unlink($g['conf_path'] . "/" . $filename); + } + } + closedir($dh); + + /* copy default configuration */ + @copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml"); + + conf_mount_ro(); + + config_unlock(); + + return 0; +} + +function config_install($conffile) { + + global $config, $g; + + if (!file_exists($conffile)) + return 1; + + config_lock(); + conf_mount_rw(); + + copy($conffile, "{$g['conf_path']}/config.xml"); + + conf_mount_ro(); + config_unlock(); + + return 0; +} + +/* lock configuration file, decide that the lock file is stale after + 10 seconds */ +function config_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/config.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = @fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function config_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/config.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc new file mode 100644 index 0000000..1b409f8 --- /dev/null +++ b/etc/inc/filter.inc @@ -0,0 +1,946 @@ +<?php +/* + filter.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function filter_resync() { + global $config, $g; + + mwexec("/sbin/pfctl -y"); /* XXX */ +} + +function filter_ipmon_start() { + global $config, $g; + + mwexec("/pflogd -sD"); +} + +function filter_configure() { + global $config, $g; + + if ($g['booting']) + echo "Configuring firewall... "; + + /* set TCP timeouts */ + $tcpidletimeout = 9000; + if ($config['filter']['tcpidletimeout']) + $tcpidletimeout = $config['filter']['tcpidletimeout']; + mwexec("/sbin/sysctl net.inet.ipf.fr_tcpidletimeout={$tcpidletimeout}"); + mwexec("/sbin/sysctl net.inet.ipf.fr_tcphalfclosed=480"); + + /* generate pfctl rules */ + $natrules = filter_nat_rules_generate(); + /* generate pfctl rules */ + $pfrules = filter_rules_generate(); + /* generate altq interface setup parms */ + $altq_ints = filter_setup_altq_interfaces(); + /* generate altq queues */ + $altq_queues = filter_generate_altq_queues(); + + mwexec("/sbin/pfctl -e"); + mwexec("/sbin/pfctl -F nat"); + mwexec("/sbin/pfctl -F rules"); + + /* get our wan interface? */ + $wanif = get_real_wan_interface(); + + $fd = fopen("/tmp/rules.debug", "w"); + fwrite($fd, "set loginterface $wanif \n"); + fwrite($fd, "set optimization aggressive\n"); + fwrite($fd, $altq_ints); + fwrite($fd, $altq_queues); + fwrite($fd, $natrules); + fwrite($fd, $pfrules); + fclose($fd); + + mwexec("chmod a+x /tmp/rules.debug"); + mwexec("/sbin/pfctl -f /tmp/rules.debug"); + + /* set up MSS clamping */ + if ($config['interfaces']['wan']['mtu']) + $mssclamp = $config['interfaces']['wan']['mtu'] - 40; + else if ($config['interfaces']['wan']['ipaddr'] == "pppoe") + $mssclamp = 1452; + else + $mssclamp = 0; + + mwexec("/sbin/sysctl net.inet.ipf.fr_mssif={$wanif}"); + mwexec("/sbin/sysctl net.inet.ipf.fr_mssclamp={$mssclamp}"); + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function filter_generate_altq_queues() { + global $config; + $altq_rules = ""; + if (is_array($config['pfqueueing']['queue'])) { + foreach ($config['pfqueueing']['queue'] as $rule) { + $altq_rules .= "queue " . $rule['name'] . " "; + if (isset($rule['bandwidth'])) + $altq_rules .= "bandwidth " . $rule['bandwidth'] . " "; + if (isset($rule['priority'])) + $altq_rules .= "priority " . $rule['priority'] . " "; + if (isset($rule['options'])) /* XXX turn options into an xml array */ + $altq_rules .= $rule['schedulertype'] . "(". $rule['options'] . ")"; + if (isset($rule['subqueue'])) { + $altq_rules .= "{ "; + $fsq = ""; + foreach ($rule['subqueue'] as $sq) { + if($fsq) $altq_rules .= ","; + $altq_rules .= $sq['name']; + $fsq = "1"; + } + $altq_rules .= " }"; + } + $altq_rules .= "\n"; + } + } + return $altq_rules; +} + +function filter_setup_altq_interfaces() { + global $config; + $altq_rules = ""; + $queue_names = ""; + $is_first = ""; + if (is_array($config['pfqueueing']['queue'])) { + foreach ($config['pfqueueing']['queue'] as $queue) { + if(is_subqueue($queue['name']) == 0) { + if($is_first) $queue_names .= ", "; + $queue_names .= $queue['name']; + $is_first = "1"; + } + } + } + if (is_array($config['interfaces'])) { + foreach ($config['interfaces'] as $ifname) { + if(isset($ifname['bandwidth'])) { + $subnet = $ifname['ipaddr'] . "/" . $ifname['subnet']; + $altq_rules .= "altq on " . $ifname['if'] . " "; + $altq_rules .= $ifname['schedulertype'] . " bandwidth " . $ifname['bandwidth'] . " "; + if($queue_names <> "") + $altq_rules .= "queue { " . $queue_names . " }"; + $altq_rules .= "\n"; + } + } + } + return $altq_rules; +} + +function is_subqueue($name) { + global $config; + $status = ""; + if (is_array($config['pfqueueing']['queue'])) { + foreach ($config['pfqueueing']['queue'] as $queue) { + if(is_array($queue['subqueue'])) { + foreach ($queue['subqueue'] as $sq) { + if($sq['name'] == $name) return 1; + } + } + } + } + return 0; +} + +function filter_flush_nat_table() { + global $config, $g; + + return mwexec("/sbin/pfctl -F nat"); +} + +function filter_flush_state_table() { + global $config, $g; + + return mwexec("/sbin/pfctl -F state"); +} + +function filter_nat_rules_generate_if($if, $src, $dst, $target) { + + if ($target) + $tgt = $target . "/32"; + else + $tgt = "0/32"; + + $natrule = <<<EOD +nat on $if from $src to any -> $if + +EOD; + + return $natrule; +} + +function filter_nat_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + + $pptpdcfg = $config['pptpd']; + $wanif = get_real_wan_interface(); + + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + + $natrules = ""; + + /* any 1:1 mappings? */ + if (is_array($config['nat']['onetoone'])) { + foreach ($config['nat']['onetoone'] as $natent) { + if (!is_numeric($natent['subnet'])) + $sn = 32; + else + $sn = $natent['subnet']; + + if (!$natent['interface'] || ($natent['interface'] == "wan")) + $natif = $wanif; + else + $natif = $config['interfaces'][$natent['interface']]['if']; + + $natrules .= "binat on {$natif} from {$natent['internal']}/{$sn} to any -> {$natent['external']}\n"; + } + } + + /* outbound rules - advanced or standard */ + if (isset($config['nat']['advancedoutbound']['enable'])) { + /* advanced outbound rules */ + if (is_array($config['nat']['advancedoutbound']['rule'])) { + foreach ($config['nat']['advancedoutbound']['rule'] as $obent) { + $dst = ""; + $src = ""; + if (!isset($obent['destination']['any'])) { + $src = "from "; + if (isset($obent['destination']['not'])) + $dst = "! to "; + else + $dst = "to "; + $dst .= $obent['destination']['network']; + } + $src .= $obent['source']['network']; + + if (!$obent['interface'] || ($obent['interface'] == "wan")) + $natif = $wanif; + else + $natif = $config['interfaces'][$obent['interface']]['if']; + + $natrules .= filter_nat_rules_generate_if($natif, $src, $dst, + $obent['target']); + } + } + } else { + /* standard outbound rules (one for each interface) */ + $natrules .= filter_nat_rules_generate_if($wanif, + $lansa . "/" . $lancfg['subnet'], "", null); + + /* optional interfaces */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $optcfg = $config['interfaces']['opt' . $i]; + + if (isset($optcfg['enable']) && !$optcfg['bridge']) { + $optsa = gen_subnet($optcfg['ipaddr'], $optcfg['subnet']); + $natrules .= filter_nat_rules_generate_if($wanif, + $optsa . "/" . $optcfg['subnet'], "", null); + } + } + + /* PPTP subnet */ + if ($pptpdcfg['mode'] == "server") { + $natrules .= filter_nat_rules_generate_if($wanif, + $pptpdcfg['remoteip'] . "/" . $g['pptp_subnet'], "", null); + } + + /* static routes */ + if (is_array($config['staticroutes']['route'])) { + foreach ($config['staticroutes']['route'] as $route) { + if ($route['interface'] != "wan") + $natrules .= filter_nat_rules_generate_if($wanif, + $route['network'], "", null); + } + } + } + + /* DIAG: add ipv6 NAT, if requested */ + if (isset($config['diag']['ipv6nat']['enable'])) { + $natrules .= "rdr on $wanif proto ipv6 from any to any port 0 -> " . + "{$config['diag']['ipv6nat']['ipaddr']}\n"; + } + + if (isset($config['nat']['rule'])) { + foreach ($config['nat']['rule'] as $rule) { + + $extport = explode("-", $rule['external-port']); + $target = alias_expand_host($rule['target']); + + if (!$target) + continue; /* unresolvable alias */ + + if ($rule['external-address']) + $extaddr = $rule['external-address'] . "/32"; + else + $extaddr = "0/0"; + + if (!$rule['interface'] || ($rule['interface'] == "wan")) + $natif = $wanif; + else + $natif = $config['interfaces'][$rule['interface']]['if']; + + $lanif = $lancfg['if']; + + if ((!$extport[1]) || ($extport[0] == $extport[1])) { + $natrules .= + "rdr on $natif proto " . $rule['protocol'] . " from any to any port {$extport[0]} -> {$target} \n"; + } else { + $natrules .= + "rdr on $natif proto " . $rule['protocol']. " from any to any port {$extport[0]}:{$extport[1]} " . + "-> {$target} \n"; + } + + $natrules .= "\n"; + } + } + + if ($pptpdcfg['mode'] && $pptpdcfg['mode'] != "off") { + + if ($pptpdcfg['mode'] == "server") + $pptpdtarget = "127.0.0.1"; + else if ($pptpdcfg['mode'] == "redir") + $pptpdtarget = $pptpdcfg['redir']; + + if ($pptpdtarget) { + + $natrules .= <<<EOD + +# PPTP +rdr on $wanif proto gre from any to any port 0 -> $pptpdtarget +rdr on $wanif proto tcp from any to any port 1723 -> $pptpdtarget + +EOD; + } + } + + return $natrules; +} + +function filter_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + $pptpdcfg = $config['pptpd']; + + $lanif = $lancfg['if']; + $wanif = get_real_wan_interface(); + + /* rule groups (optional interfaces: see below) */ + $ifgroups = array("lan" => 100, "wan" => 200); + + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + /* optional interfaces */ + $optcfg = array(); + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if']) { + $oic = array(); + $oic['if'] = $oc['if']; + + if ($oc['bridge']) { + if (!strstr($oc['bridge'], "opt") || + isset($config['interfaces'][$oc['bridge']]['enable'])) { + if (is_ipaddr($config['interfaces'][$oc['bridge']]['ipaddr'])) { + $oic['ip'] = $config['interfaces'][$oc['bridge']]['ipaddr']; + $oic['sn'] = $config['interfaces'][$oc['bridge']]['subnet']; + $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']); + } + } + $oic['bridge'] = 1; + } else { + $oic['ip'] = $oc['ipaddr']; + $oic['sn'] = $oc['subnet']; + $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']); + } + + $optcfg['opt' . $i] = $oic; + $ifgroups['opt' . $i] = ($i * 100) + 200; + } + } + + if ($pptpdcfg['mode'] == "server") { + $pptpip = $pptpdcfg['localip']; + $pptpsa = $pptpdcfg['remoteip']; + $pptpsn = $g['pptp_subnet']; + } + + /* default block logging? */ + if (!isset($config['syslog']['nologdefaultblock'])) + $log = "log"; + else + $log = ""; + + $ipfrules = <<<EOD + +# loopback +pass in quick on lo0 all +pass out quick on lo0 all + +# allow access to DHCP server on LAN +pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67 +pass in quick on $lanif proto udp from any port = 68 to $lanip port = 67 +pass out quick on $lanif proto udp from $lanip port = 67 to any port = 68 + +EOD; + + /* allow access to DHCP server on optional interfaces */ + foreach ($optcfg as $on => $oc) { + if (isset($config['dhcpd'][$on]['enable']) && (!$oc['bridge'])) { + $ipfrules .= <<<EOD + +# allow access to DHCP server on {$on} +pass in quick on {$oc['if']} proto udp from any port = 68 to 255.255.255.255 port = 67 +pass in quick on {$oc['if']} proto udp from any port = 68 to {$oc['ip']} port = 67 +pass out quick on {$oc['if']} proto udp from {$oc['ip']} port = 67 to any port = 68 + +EOD; + } + } + + /* pass traffic between statically routed subnets and the subnet on the + interface in question to avoid problems with complicated routing + topologies */ + if (is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) { + foreach ($config['staticroutes']['route'] as $route) { + unset($sa); + + if ($route['interface'] == "lan") { + $sa = $lansa; + $sn = $lansn; + $if = $lanif; + } else if (strstr($route['interface'], "opt")) { + $oc = $optcfg[$route['interface']]; + if ($oc['ip']) { + $sa = $oc['sa']; + $sn = $oc['sn']; + $if = $oc['if']; + } + } + + if ($sa) { + $ipfrules .= <<<EOD +pass in quick on {$if} from {$sa}/{$sn} to {$route['network']} +pass in quick on {$if} from {$route['network']} to {$sa}/{$sn} +pass out quick on {$if} from {$sa}/{$sn} to {$route['network']} +pass out quick on {$if} from {$route['network']} to {$sa}/{$sn} + +EOD; + } + } + } + + $ipfrules .= <<<EOD + +# WAN spoof check +block in $log quick on $wanif from $lansa/$lansn to any + +EOD; + + foreach ($optcfg as $oc) { + if (!$oc['bridge']) + $ipfrules .= "block in $log quick on $wanif from {$oc['sa']}/{$oc['sn']} to any\n"; + } + + /* allow PPTP traffic if PPTP client is enabled on WAN */ + if ($wancfg['ipaddr'] == "pptp") { + $ipfrules .= <<<EOD + +# allow PPTP client +pass in quick on {$wancfg['if']} proto gre from any to any +pass out quick on {$wancfg['if']} proto gre from any to any +pass in quick on {$wancfg['if']} proto tcp from any port = 1723 to any +pass out quick on {$wancfg['if']} proto tcp from any to any port = 1723 + +EOD; + } + + $ipfrules .= <<<EOD + +# allow our DHCP client out to the WAN +# XXX - should be more restrictive +# (not possible at the moment - need 'me' like in ipfw) +pass out quick on $wanif proto udp from any port = 68 to any port = 67 +block in $log quick on $wanif proto udp from any port = 67 to $lansa/$lansn port = 68 +pass in quick on $wanif proto udp from any port = 67 to any port = 68 + +# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses) + +EOD; + + /* LAN spoof check */ + $ipfrules .= filter_rules_spoofcheck_generate('lan', $lanif, $lansa, $lansn, $log); + + /* OPT spoof check */ + foreach ($optcfg as $on => $oc) { + if ($oc['ip']) + $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log); + } + + /* block private networks on WAN? */ + if (isset($config['interfaces']['wan']['blockpriv'])) { + $ipfrules .= <<<EOD + +# block anything from private networks on WAN interface +block in $log quick on $wanif from 10.0.0.0/8 to any +block in $log quick on $wanif from 127.0.0.0/8 to any +block in $log quick on $wanif from 172.16.0.0/12 to any +block in $log quick on $wanif from 192.168.0.0/16 to any + +EOD; + } + + /* IPsec enabled? */ + if (isset($config['ipsec']['enable']) && + ((is_array($config['ipsec']['tunnel']) && + count($config['ipsec']['tunnel'])) || + isset($config['ipsec']['mobileclients']['enable']))) { + + $curwanip = get_current_wan_address(); + + if ($curwanip) + $ipfrules .= filter_rules_ipsec_generate($wanif, $curwanip); + + $ipfrules .= filter_rules_ipsec_generate($lanif, $lanip); + + foreach ($optcfg as $on => $oc) { + if ($oc['ip']) + $ipfrules .= filter_rules_ipsec_generate($oc['if'], $oc['ip']); + } + } + + /* XXX - the first section is only needed because pfctl refuses to + parse rules that have "flags S/SAFR" and proto "tcp/udp" set because + UDP does not have flags, but we still want to offer the TCP/UDP protocol + option to the user */ + + $ipfrules .= <<<EOD + + +# let out anything from the firewall host itself and decrypted IPsec traffic +pass out quick on $wanif all keep state + +EOD; + + /* group heads for optional interfaces */ + foreach ($optcfg as $on => $oc) { + + $ingroup = $ifgroups[$on]; + + $ipfrules .= <<<EOD + + +# let out anything from the firewall host itself and decrypted IPsec traffic +pass out quick on {$oc['if']} all keep state + +EOD; + + } + + if (!isset($config['system']['webgui']['noantilockout'])) { + + $ipfrules .= <<<EOD + +# make sure the user cannot lock himself out of the webGUI +pass in quick from $lansa/$lansn to $lanip keep state +# group 100 + +EOD; + } + + /* PPTPd enabled? */ + if ($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) { + + if ($pptpdcfg['mode'] == "server") + $pptpdtarget = "127.0.0.1"; + else + $pptpdtarget = $pptpdcfg['redir']; + + $ipfrules .= <<<EOD + +# PPTP rules +pass in quick proto gre from any to $pptpdtarget keep state +# group 200 +pass in quick proto tcp from any to $pptpdtarget port = 1723 keep state +# group 200 + +EOD; + } + + /* BigPond client enabled? */ + if ($wancfg['ipaddr'] == "bigpond") { + + $ipfrules .= <<<EOD + +# BigPond heartbeat rules +pass in quick proto udp from any to any port = 5050 keep state +# group 200 + +EOD; + } + + $i = 0; + + $ipfrules .= "\n# User-defined rules follow\n"; + + if (isset($config['filter']['rule'])) + foreach ($config['filter']['rule'] as $rule) { + + /* don't include disabled rules */ + if (isset($rule['disabled'])) { + $i++; + continue; + } + + /* does the rule deal with a PPTP interface? */ + if ($rule['interface'] == "pptp") { + + if ($pptpdcfg['mode'] != "server") { + $i++; + continue; + } + + $nif = $g['n_pptp_units']; + $ispptp = true; + } else { + + if (strstr($rule['interface'], "opt")) { + if (!array_key_exists($rule['interface'], $optcfg)) { + $i++; + continue; + } + } + + $nif = 1; + $ispptp = false; + } + + if ($pptpdcfg['mode'] != "server") { + if (($rule['source']['network'] == "pptp") || + ($rule['destination']['network'] == "pptp")) { + $i++; + continue; + } + } + + if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) { + if (!array_key_exists($rule['source']['network'], $optcfg)) { + $i++; + continue; + } + } + if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) { + if (!array_key_exists($rule['destination']['network'], $optcfg)) { + $i++; + continue; + } + } + + /* check for unresolvable aliases */ + if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) { + $i++; + continue; + } + if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) { + $i++; + continue; + } + + for ($iif = 0; $iif < $nif; $iif++) { + + if (!$ispptp) { + + $groupnum = $ifgroups[$rule['interface']]; + + if (!$groupnum) { + printf("Invalid interface name in rule $i\n"); + break; + } + } + + $type = $rule['type']; + if ($type != "pass" && $type != "block" && $type != "reject") { + /* default (for older rules) is pass */ + $type = "pass"; + } + + if ($type == "reject") { + /* special reject packet */ + if ($rule['protocol'] == "tcp") { + $line = "block return-rst"; + } else if ($rule['protocol'] == "udp") { + $line = "block return-icmp"; + } else { + $line = "block"; + } + } else { + $line = $type; + } + + if(!isset($rule['direction'])) { + $line .= " in "; + } else { + $line .= " " . $rule['direction'] . " "; + } + + if (isset($rule['log'])) + $line .= "log "; + + $line .= "quick "; + + if ($ispptp) { + $line .= "on ng" . ($iif+1) . " "; + } + + if (isset($rule['protocol'])) { + $line .= "proto {$rule['protocol']} "; + } + + /* source address */ + if (isset($rule['source']['any'])) { + $src = "any"; + } else if ($rule['source']['network']) { + + if (strstr($rule['source']['network'], "opt")) { + $src = $optcfg[$rule['source']['network']]['sa'] . "/" . + $optcfg[$rule['source']['network']]['sn']; + } else { + switch ($rule['source']['network']) { + case 'lan': + $src = "$lansa/$lansn"; + break; + case 'pptp': + $src = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['source']['address']) { + $src = alias_expand($rule['source']['address']); + } + + if (!$src || ($src == "/")) { + //printf("No source address found in rule $i\n"); + break; + } + + if (isset($rule['source']['not'])) { + $line .= "from !$src "; + } else { + $line .= "from $src "; + } + + if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { + + if ($rule['source']['port']) { + $srcport = explode("-", $rule['source']['port']); + + if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { + $line .= "port = {$srcport[0]} "; + } else if (($srcport[0] == 1) && ($srcport[1] == 65535)) { + /* no need for a port statement here */ + } else if ($srcport[1] == 65535) { + $line .= "port >= {$srcport[0]} "; + } else if ($srcport[0] == 1) { + $line .= "port <= {$srcport[1]} "; + } else { + $srcport[0]--; + $srcport[1]++; + $line .= "port {$srcport[0]} >< {$srcport[1]} "; + } + } + } + + /* destination address */ + if (isset($rule['destination']['any'])) { + $dst = "any"; + } else if ($rule['destination']['network']) { + + if (strstr($rule['destination']['network'], "opt")) { + $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" . + $optcfg[$rule['destination']['network']]['sn']; + } else { + switch ($rule['destination']['network']) { + case 'lan': + $dst = "$lansa/$lansn"; + break; + case 'pptp': + $dst = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['destination']['address']) { + $dst = alias_expand($rule['destination']['address']); + } + + if (!$dst || ($dst == "/")) { + //printf("No destination address found in rule $i\n"); + break; + } + + if (isset($rule['destination']['not'])) { + $line .= "to !$dst "; + } else { + $line .= "to $dst "; + } + + if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { + + if ($rule['destination']['port']) { + $dstport = explode("-", $rule['destination']['port']); + + if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { + $line .= "port = {$dstport[0]} "; + } else if (($dstport[0] == 1) && ($dstport[1] == 65535)) { + /* no need for a port statement here */ + } else if ($dstport[1] == 65535) { + $line .= "port >= {$dstport[0]} "; + } else if ($dstport[0] == 1) { + $line .= "port <= {$dstport[1]} "; + } else { + $dstport[0]--; + $dstport[1]++; + $line .= "port {$dstport[0]} >< {$dstport[1]} "; + } + } + } + + if (($rule['protocol'] == "icmp") && $rule['icmptype']) { + $line .= "icmp-type {$rule['icmptype']} "; + } + + if ($type == "pass") { + $line .= "keep state "; + + if (isset($rule['frags'])) + $line .= "keep frags "; + } + + if ($type == "reject" && $rule['protocol'] == "tcp") { + /* special reject packet */ + $line .= "flags S/SA "; + } + + if (isset($rule['flags'])) { + $line .= "flags " . $rule['flags'] . " "; + } + + if (!$ispptp) { + #$line .= "group $groupnum "; + } + + if (isset($rule['queuename'])) { + $line .= "queue " . $rule['queuename']; + } + + $line .= "\n"; + + $ipfrules .= $line; + } + + $i++; + } + + $ipfrules .= <<<EOD + +#--------------------------------------------------------------------------- +# default rules (just to be sure) +#--------------------------------------------------------------------------- +block in $log quick all +block out $log quick all + +EOD; + + return $ipfrules; +} + +function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) { + + global $g, $config; + + $ipfrules = ""; + + if (is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) { + /* count rules */ + $n = 1; + foreach ($config['staticroutes']['route'] as $route) { + if ($route['interface'] == $ifname) + $n++; + } + + /* output skip rules */ + foreach ($config['staticroutes']['route'] as $route) { + if ($route['interface'] == $ifname) { + $ipfrules .= "skip $n in on $if from {$route['network']} to any\n"; + $n--; + } + } + $ipfrules .= "skip 1 in on $if from $sa/$sn to any\n"; + $ipfrules .= "#block in $log quick on $if all\n"; + } else { + $ipfrules .= "#block in $log quick on $if from ! $sa/$sn to any\n"; + } + + return $ipfrules; +} + +function filter_rules_ipsec_generate($ifname, $ip) { + + $ipfrules = <<<EOD + +# Pass IKE packets +pass in quick on {$ifname} proto udp from any to {$ip} port = 500 +pass out quick on {$ifname} proto udp from {$ip} port = 500 to any + +# Pass ESP packets +pass in quick on {$ifname} proto esp from any to {$ip} +pass out quick on {$ifname} proto esp from {$ip} to any + +# Pass AH packets +pass in quick on {$ifname} proto ah from any to {$ip} +pass out quick on {$ifname} proto ah from {$ip} to any + +EOD; + + return $ipfrules; +} + +?> diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc new file mode 100644 index 0000000..eab4b82 --- /dev/null +++ b/etc/inc/functions.inc @@ -0,0 +1,41 @@ +<?php +/* + functions.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("system.inc"); +require_once("interfaces.inc"); +require_once("services.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); +require_once("vpn.inc"); +require_once("captiveportal.inc"); +require_once("openvpn.inc"); + +?> diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc new file mode 100644 index 0000000..eef6cff --- /dev/null +++ b/etc/inc/globals.inc @@ -0,0 +1,54 @@ +<?php +/* + globals.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$g = array( + "varrun_path" => "/var/run", + "varetc_path" => "/var/etc", + "vardb_path" => "/var/db", + "varlog_path" => "/var/log", + "etc_path" => "/etc", + "tmp_path" => "/tmp", + "conf_path" => "/conf", + "ftmp_path" => "/ftmp", + "conf_default_path" => "/conf.default", + "cf_path" => "/cf", + "cf_conf_path" => "/cf/conf", + "www_path" => "/usr/local/www", + "captiveportal_path" => "/usr/local/captiveportal", + "xml_rootobj" => "m0n0wall", + "pppoe_interface" => "ng0", + "n_pptp_units" => 16, + "pptp_subnet" => 28, + "debug" => false, + "latest_config" => "1.4", + "nopccard_platforms" => array("wrap", "net48xx") +); + +?> diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc new file mode 100644 index 0000000..00331c1 --- /dev/null +++ b/etc/inc/interfaces.inc @@ -0,0 +1,740 @@ +<?php +/* + interfaces.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function interfaces_loopback_configure() { + global $config, $g; + + mwexec("/sbin/ifconfig lo0 127.0.0.1"); + + return 0; +} + +function interfaces_vlan_configure() { + global $config, $g; + + if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) { + + /* load the VLAN module */ + mwexec("/sbin/kldload if_vlan"); + + /* devices with native VLAN support */ + $vlan_native_supp = explode(" ", "bge em gx nge ti txp"); + + /* devices with long frame support */ + $vlan_long_supp = explode(" ", "dc fxp sis ste tl tx xl"); + + $i = 0; + + foreach ($config['vlans']['vlan'] as $vlan) { + + $cmd = "/sbin/ifconfig vlan{$i} create vlan " . + escapeshellarg($vlan['tag']) . " vlandev " . + escapeshellarg($vlan['if']); + + /* get driver name */ + for ($j = 0; $j < strlen($vlan['if']); $j++) { + if ($vlan['if'][$j] >= '0' && $vlan['if'][$j] <= '9') + break; + } + $drvname = substr($vlan['if'], 0, $j); + + if (in_array($drvname, $vlan_native_supp)) + $cmd .= " link0"; + else if (in_array($drvname, $vlan_long_supp)) + $cmd .= " mtu 1500"; + + mwexec($cmd); + + /* make sure the parent interface is up */ + mwexec("/sbin/ifconfig " . escapeshellarg($vlan['if']) . " up"); + + $i++; + } + } + + return 0; +} + +function interfaces_lan_configure() { + global $config, $g; + + if ($g['booting']) + echo "Configuring LAN interface... "; + + $lancfg = $config['interfaces']['lan']; + + /* wireless configuration? */ + if (is_array($lancfg['wireless'])) + interfaces_wireless_configure($lancfg['if'], $lancfg['wireless']); + + /* MAC spoofing? */ + if ($lancfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . + " link " . escapeshellarg($lancfg['spoofmac'])); + + /* media */ + if ($lancfg['media'] || $lancfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($lancfg['if']); + if ($lancfg['media']) + $cmd .= " media " . escapeshellarg($lancfg['media']); + if ($lancfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($lancfg['mediaopt']); + mwexec($cmd); + } + + mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . " " . + escapeshellarg($lancfg['ipaddr'] . "/" . $lancfg['subnet'])); + + if (!$g['booting']) { + /* make new hosts file */ + system_hosts_generate(); + + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter (address may have changed) */ + filter_configure(); + + /* reload shaper (subnet may have changed) */ + shaper_configure(); + + /* reload IPsec tunnels */ + vpn_ipsec_configure(); + + /* reload dhcpd (gateway may have changed) */ + services_dhcpd_configure(); + + /* reload dnsmasq */ + services_dnsmasq_configure(); + + /* reload webgui */ + system_webgui_start(); + + /* reload captive portal */ + captiveportal_configure(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_optional_configure() { + global $config, $g; + global $bridgeconfig; + + /* Reset bridge configuration. Interfaces will add to it. */ + $bridgeconfig = ""; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + interfaces_optional_configure_if($i); + } + + if ($bridgeconfig) { + /* Set the system bridge configuration and enable bridging. */ + mwexec("/sbin/sysctl net.link.ether.bridge_cfg=" . $bridgeconfig); + + if (isset($config['bridge']['filteringbridge'])) + mwexec("/sbin/sysctl net.link.ether.bridge_ipf=1"); + + mwexec("/sbin/sysctl net.link.ether.bridge=1"); + } else { + mwexec("/sbin/sysctl net.link.ether.bridge_ipf=0"); + mwexec("/sbin/sysctl net.link.ether.bridge=0"); + } + + if (!$g['booting']) { + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter (address may have changed) */ + filter_configure(); + + /* reload shaper (address may have changed) */ + shaper_configure(); + + /* reload IPsec tunnels */ + vpn_ipsec_configure(); + + /* reload dhcpd (interface enabled/disabled/bridged status may have changed) */ + services_dhcpd_configure(); + + /* restart dnsmasq */ + services_dnsmasq_configure(); + } + + return 0; +} + +function interfaces_optional_configure_if($opti) { + global $config, $g; + global $bridgeconfig; + + $optcfg = $config['interfaces']['opt' . $opti]; + + if ($g['booting']) { + $optdescr = ""; + if ($optcfg['descr']) + $optdescr = " ({$optcfg['descr']})"; + echo "Configuring OPT{$opti}{$optdescr} interface... "; + } + + if (isset($optcfg['enable'])) { + /* wireless configuration? */ + if (is_array($optcfg['wireless'])) + interfaces_wireless_configure($optcfg['if'], $optcfg['wireless']); + + /* MAC spoofing? */ + if ($optcfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " link " . escapeshellarg($optcfg['spoofmac'])); + + /* media */ + if ($optcfg['media'] || $optcfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($optcfg['if']); + if ($optcfg['media']) + $cmd .= " media " . escapeshellarg($optcfg['media']); + if ($optcfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($optcfg['mediaopt']); + mwexec($cmd); + } + + /* OpenVPN configuration? */ + if (isset($optcfg['ovpn'])) { + if (strstr($if, "tap")) + ovpn_link_tap(); + } + + /* bridged? */ + if ($optcfg['bridge']) { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " delete up"); + + if ($bridgeconfig != "") + $bridgeconfig .= ","; + + $bridgeconfig .= $optcfg['if'] . ":" . $opti . "," . + $config['interfaces'][$optcfg['bridge']]['if'] . + ":" . $opti; + } else { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . " " . + escapeshellarg($optcfg['ipaddr'] . "/" . $optcfg['subnet'])); + } + } else { + mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . + " delete down"); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_wireless_configure($if, $wlcfg) { + global $config, $g; + + /* wireless configuration */ + $ifcargs = escapeshellarg($if) . + " ssid " . escapeshellarg($wlcfg['ssid']) . " channel " . + escapeshellarg($wlcfg['channel']) . " "; + + if ($wlcfg['stationname']) + $ifcargs .= "stationname " . escapeshellarg($wlcfg['stationname']) . " "; + + if (isset($wlcfg['wep']['enable']) && is_array($wlcfg['wep']['key'])) { + $ifcargs .= "wepmode on "; + + $i = 1; + foreach ($wlcfg['wep']['key'] as $wepkey) { + $ifcargs .= "wepkey " . escapeshellarg("{$i}:{$wepkey['value']}") . " "; + if (isset($wepkey['txkey'])) { + $ifcargs .= "weptxkey {$i} "; + } + $i++; + } + } else { + $ifcargs .= "wepmode off "; + } + + switch ($wlcfg['mode']) { + case 'hostap': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt ibss mediaopt hostap "; + break; + case 'ibss': + case 'IBSS': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt hostap mediaopt ibss "; + else if (strstr($if, "an")) + $ifcargs .= "mediaopt adhoc "; + break; + case 'bss': + case 'BSS': + if (strstr($if, "wi")) + $ifcargs .= "-mediaopt hostap -mediaopt ibss "; + else if (strstr($if, "an")) + $ifcargs .= "-mediaopt adhoc "; + break; + } + + $ifcargs .= "up"; + + mwexec("/sbin/ifconfig " . $ifcargs); + + return 0; +} + +function interfaces_wan_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + if ($g['booting']) + echo "Configuring WAN interface... "; + else { + /* kill dhclient */ + killbypid("{$g['varrun_path']}/dhclient.pid"); + + /* kill PPPoE client (mpd) */ + killbypid("{$g['varrun_path']}/mpd.pid"); + + /* wait for processes to die */ + sleep(2); + + /* remove dhclient.conf, if it exists */ + if (file_exists("{$g['varetc_path']}/dhclient.conf")) { + unlink("{$g['varetc_path']}/dhclient.conf"); + } + /* remove mpd.conf, if it exists */ + if (file_exists("{$g['varetc_path']}/mpd.conf")) { + unlink("{$g['varetc_path']}/mpd.conf"); + } + /* remove mpd.links, if it exists */ + if (file_exists("{$g['varetc_path']}/mpd.links")) { + unlink("{$g['varetc_path']}/mpd.links"); + } + /* remove wanip, if it exists */ + if (file_exists("{$g['vardb_path']}/wanip")) { + unlink("{$g['vardb_path']}/wanip"); + } + } + + /* remove all addresses first */ + while (mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " -alias") == 0); + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " down"); + + /* wireless configuration? */ + if (is_array($wancfg['wireless'])) + interfaces_wireless_configure($wancfg['if'], $wancfg['wireless']); + + if ($wancfg['spoofmac']) + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . + " link " . escapeshellarg($wancfg['spoofmac'])); + + /* media */ + if ($wancfg['media'] || $wancfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($wancfg['if']); + if ($wancfg['media']) + $cmd .= " media " . escapeshellarg($wancfg['media']); + if ($wancfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($wancfg['mediaopt']); + mwexec($cmd); + } + + switch ($wancfg['ipaddr']) { + + case 'dhcp': + interfaces_wan_dhcp_configure(); + break; + + case 'pppoe': + interfaces_wan_pppoe_configure(); + break; + + case 'pptp': + interfaces_wan_pptp_configure(); + break; + + case 'bigpond': + /* just configure DHCP for now; fire up bpalogin when we've got the lease */ + interfaces_wan_dhcp_configure(); + break; + + default: + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " " . + escapeshellarg($wancfg['ipaddr'] . "/" . $wancfg['subnet'])); + + /* install default route */ + mwexec("/sbin/route delete default"); + mwexec("/sbin/route add default " . escapeshellarg($wancfg['gateway'])); + + /* resync ipfilter (done automatically for DHCP/PPPoE/PPTP) */ + filter_resync(); + } + + if (!$g['booting']) { + /* reconfigure static routes (kernel may have deleted them) */ + system_routing_configure(); + + /* reload ipfilter */ + filter_configure(); + + /* reload shaper */ + shaper_configure(); + + /* reload ipsec tunnels */ + vpn_ipsec_configure(); + + /* restart ez-ipupdate */ + services_dyndns_configure(); + + /* restart dnsmasq */ + services_dnsmasq_configure(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function interfaces_wan_dhcp_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + /* generate dhclient.conf */ + $fd = fopen("{$g['varetc_path']}/dhclient.conf", "w"); + if (!$fd) { + printf("Error: cannot open dhclient.conf in interfaces_wan_dhcp_configure().\n"); + return 1; + } + + $dhclientconf = ""; + + if ($wancfg['dhcphostname']) { + $dhclientconf .= <<<EOD +send dhcp-client-identifier "{$wancfg['dhcphostname']}"; +interface "{$wancfg['if']}" { + send host-name "{$wancfg['dhcphostname']}"; +} + +EOD; + } + + fwrite($fd, $dhclientconf); + fclose($fd); + + /* fire up dhclient - don't wait for the lease (-nw) */ + mwexec("/sbin/dhclient -nw -cf {$g['varetc_path']}/dhclient.conf " . + escapeshellarg($wancfg['if']) . " &"); + + return 0; +} + +function interfaces_wan_pppoe_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $pppoecfg = $config['pppoe']; + + /* generate mpd.conf */ + $fd = fopen("{$g['varetc_path']}/mpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open mpd.conf in interfaces_wan_pppoe_configure().\n"); + return 1; + } + + $idle = 0; + + if (isset($pppoecfg['ondemand'])) { + $ondemand = "enable"; + if ($pppoecfg['timeout']) + $idle = $pppoecfg['timeout']; + } else { + $ondemand = "disable"; + } + + $mpdconf = <<<EOD +pppoe: + new -i ng0 pppoe pppoe + set iface route default + set iface {$ondemand} on-demand + set iface idle {$idle} + set iface up-script /usr/local/sbin/ppp-linkup + +EOD; + + if (isset($pppoecfg['ondemand'])) { + $mpdconf .= <<<EOD + set iface addrs 10.0.0.1 10.0.0.2 + +EOD; + } + + $mpdconf .= <<<EOD + set bundle disable multilink + set bundle authname "{$pppoecfg['username']}" + set bundle password "{$pppoecfg['password']}" + set link keep-alive 10 60 + set link max-redial 0 + set link no acfcomp protocomp + set link disable pap chap + set link accept chap + set link mtu 1492 + set ipcp yes vjcomp + set ipcp ranges 0.0.0.0/0 0.0.0.0/0 + set ipcp enable req-pri-dns + set ipcp enable req-sec-dns + open iface + +EOD; + + fwrite($fd, $mpdconf); + fclose($fd); + + /* generate mpd.links */ + $fd = fopen("{$g['varetc_path']}/mpd.links", "w"); + if (!$fd) { + printf("Error: cannot open mpd.links in interfaces_wan_pppoe_configure().\n"); + return 1; + } + + $mpdconf = <<<EOD +pppoe: + set link type pppoe + set pppoe iface {$wancfg['if']} + set pppoe service "{$pppoecfg['provider']}" + set pppoe enable originate + set pppoe disable incoming + +EOD; + + fwrite($fd, $mpdconf); + fclose($fd); + + /* fire up mpd */ + mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']} -p {$g['varrun_path']}/mpd.pid pppoe"); + + return 0; +} + +function interfaces_wan_pptp_configure() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $pptpcfg = $config['pptp']; + + /* generate mpd.conf */ + $fd = fopen("{$g['varetc_path']}/mpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open mpd.conf in interfaces_wan_pptp_configure().\n"); + return 1; + } + + $idle = 0; + + if (isset($pptpcfg['ondemand'])) { + $ondemand = "enable"; + if ($pptpcfg['timeout']) + $idle = $pptpcfg['timeout']; + } else { + $ondemand = "disable"; + } + + $mpdconf = <<<EOD +pptp: + new -i ng0 pptp pptp + set iface route default + set iface {$ondemand} on-demand + set iface idle {$idle} + set iface up-script /usr/local/sbin/ppp-linkup + +EOD; + + if (isset($pptpcfg['ondemand'])) { + $mpdconf .= <<<EOD + set iface addrs {$pptpcfg['local']} {$pptpcfg['remote']} + +EOD; + } + + $mpdconf .= <<<EOD + set bundle disable multilink + set bundle authname "{$pptpcfg['username']}" + set bundle password "{$pptpcfg['password']}" + set link keep-alive 10 60 + set link max-redial 0 + set link no acfcomp protocomp + set link disable pap chap + set link accept chap + set ipcp no vjcomp + set ipcp ranges 0.0.0.0/0 0.0.0.0/0 + set ipcp enable req-pri-dns + set ipcp enable req-sec-dns + open + +EOD; + + fwrite($fd, $mpdconf); + fclose($fd); + + /* generate mpd.links */ + $fd = fopen("{$g['varetc_path']}/mpd.links", "w"); + if (!$fd) { + printf("Error: cannot open mpd.links in interfaces_wan_pptp_configure().\n"); + return 1; + } + + $mpdconf = <<<EOD +pptp: + set link type pptp + set pptp enable originate outcall + set pptp disable windowing + set pptp self {$pptpcfg['local']} + set pptp peer {$pptpcfg['remote']} + +EOD; + + fwrite($fd, $mpdconf); + fclose($fd); + + /* configure interface */ + mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " " . + escapeshellarg($pptpcfg['local'] . "/" . $pptpcfg['subnet'])); + + /* fire up mpd */ + mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']} -p {$g['varrun_path']}/mpd.pid pptp"); + + return 0; +} + +function interfaces_wan_bigpond_configure($curwanip) { + global $config, $g; + + $bpcfg = $config['bigpond']; + + if (!$curwanip) { + /* IP address not configured yet, exit */ + return 0; + } + + /* kill bpalogin */ + killbyname("bpalogin"); + + /* wait a moment */ + sleep(1); + + /* get the default domain */ + $nfd = @fopen("{$g['varetc_path']}/defaultdomain.conf", "r"); + if ($nfd) { + $defaultdomain = trim(fgets($nfd)); + fclose($nfd); + } + + /* generate bpalogin.conf */ + $fd = fopen("{$g['varetc_path']}/bpalogin.conf", "w"); + if (!$fd) { + printf("Error: cannot open bpalogin.conf in interfaces_wan_bigpond_configure().\n"); + return 1; + } + + if (!$bpcfg['authserver']) + $bpcfg['authserver'] = "dce-server"; + if (!$bpcfg['authdomain']) + $bpcfg['authdomain'] = $defaultdomain; + + $bpconf = <<<EOD +username {$bpcfg['username']} +password {$bpcfg['password']} +authserver {$bpcfg['authserver']} +authdomain {$bpcfg['authdomain']} +localport 5050 + +EOD; + + if ($bpcfg['minheartbeatinterval']) + $bpconf .= "minheartbeatinterval {$bpcfg['minheartbeatinterval']}\n"; + + fwrite($fd, $bpconf); + fclose($fd); + + /* fire up bpalogin */ + mwexec("/usr/local/sbin/bpalogin -c {$g['varetc_path']}/bpalogin.conf"); + + return 0; +} + +function get_real_wan_interface() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + $wanif = $wancfg['if']; + if (($wancfg['ipaddr'] == "pppoe") || ($wancfg['ipaddr'] == "pptp")) { + $wanif = $g['pppoe_interface']; + } + + return $wanif; +} + +function get_current_wan_address() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + + if (in_array($wancfg['ipaddr'], array('pppoe','dhcp','pptp','bigpond'))) { + /* dynamic WAN IP address, find out which one */ + $wanif = get_real_wan_interface(); + + /* get interface info with netstat */ + exec("/usr/bin/netstat -nWI " . escapeshellarg($wanif) . " -f inet", $ifinfo); + + if (isset($ifinfo[1])) { + $aif = preg_split("/\s+/", $ifinfo[1]); + $curwanip = chop($aif[3]); + + if ($curwanip && is_ipaddr($curwanip) && ($curwanip != "0.0.0.0")) + return $curwanip; + } + + return null; + } else { + /* static WAN IP address */ + return $wancfg['ipaddr']; + } +} + +?> diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc new file mode 100644 index 0000000..2414ae0 --- /dev/null +++ b/etc/inc/openvpn.inc @@ -0,0 +1,559 @@ +<?php +/* + openvpn.inc + + Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("globals.inc"); +require_once("config.inc"); +require_once("functions.inc"); + +function ovpn_configure() { + global $config; + if (is_array($config['ovpn']['server'])) + ovpn_config_server(); + if (is_array($config['ovpn']['client'])) + ovpn_config_client(); + return; +} + +function ovpn_link_tap() { + /* Add a reference to the tap KLM. If ref count = 1, load it */ + global $g; + + if (!is_file($g['vardb_path'] ."/ovpn_tap_link")){ + $link_count = 1; + mwexec("/sbin/kldload if_tap"); + $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'w'); + } + else { + $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'r+'); + $link_count = fread($fd); + $link_count ++; + } + fwrite($fd, $link_count); + fclose($fd); + return true; +} + +function ovpn_unlink_tap() { + /* Remove a reference to the tap KLM. If ref count = 0, unload it */ + global $g; + + if (!is_file($g['vardb_path'] ."/ovpn_tap_link")) + return false; //no file, no links so why are we called? + + $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'r+'); + $link_count = fread($fd); + $link_count --; + fwrite($fd, $link_count); + fclose($fd); + + if ($link_count == 0) + mwexec("/sbin/kldunload if_tap"); + return true; +} + +/*****************************/ +/* Server-related functions */ + +/* Configure the server */ +function ovpn_config_server() { + global $config, $g; + + if (isset($config['ovpn']['server']['enable'])) { + + if ($g['booting']) + echo "Starting OpenVPN server... "; + + /* kill any running openvpn daemon */ + killbypid($g['varrun_path']."/ovpn_srv.pid"); + + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_cert.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_key.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_dh.pem"); + + /* Copy the TLS-Server certs & keys to disk */ + $fd = @fopen("{$g['vardb_path']}/ovpn_ca_cert.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($config['ovpn']['server']['ca_cert'])."\n"); + fclose($fd); + } + $fd = @fopen("{$g['vardb_path']}/ovpn_srv_cert.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($config['ovpn']['server']['srv_cert'])."\n"); + fclose($fd); + } + $fd = @fopen("{$g['vardb_path']}/ovpn_srv_key.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($config['ovpn']['server']['srv_key'])."\n"); + fclose($fd); + } + $fd = @fopen("{$g['vardb_path']}/ovpn_dh.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($config['ovpn']['server']['dh_param'])."\n"); + fclose($fd); + } + + /* Start the openvpn daemon */ + mwexec("/usr/local/sbin/openvpn " . ovpn_srv_config_generate()); + + if ($g['booting']) + /* Send the boot message */ + echo "done\n"; + } + else { + if (!$g['booting']){ + /* stop any processes, unload the tap module */ + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_cert.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_key.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_dh.pem"); + killbypid("{$g['varrun_path']}/ovpn_srv.pid"); + if ($config['ovpn']['server']['tun_iface'] == 'tap0') + ovpn_unlink_tap(); + } + } + return 0; +} + +/* Generate the config for a OpenVPN server */ +function ovpn_srv_config_generate() { + global $config, $g; + $server = $config['ovpn']['server']; + + /* First the generic stuff: + - We are a server + - We are a TLS Server (for authentication) + - We will run without privilege + */ + $ovpn_config = "--daemon --user nobody --group nobody --verb {$server['verb']} "; + + /* pid file */ + $ovpn_config .= "--writepid {$g['varrun_path']}/ovpn_srv.pid "; + + /* interface */ + $ovpn_config .= "--dev {$server['tun_iface']} "; + + /* port */ + $ovpn_config .= "--port {$server['port']} "; + + /* Interface binding - 1 or all */ + if ($server['bind_iface'] != 'all') { + if ($ipaddr = ovpn_get_ip($server['bind_iface'])) + $ovpn_config .= "--local $ipaddr "; + else + return "Interface bridged"; + + } + + /* Client to client routing (off by default) */ + if (isset($server['cli2cli'])) + $ovpn_config .= "--client-to-client "; + + /* Set maximum simultaneous clients */ + $ovpn_config .= "--max-clients {$server['maxcli']} "; + + /* New --server macro simplifies config */ + $mask = ovpn_calc_mask($server['prefix']); + $ovpn_config .= "--server {$server['ipblock']} {$mask} "; + + /* TLS-Server params */ + $ovpn_config .= "--ca {$g['vardb_path']}/ovpn_ca_cert.pem "; + $ovpn_config .= "--cert {$g['vardb_path']}/ovpn_srv_cert.pem "; + $ovpn_config .= "--key {$g['vardb_path']}/ovpn_srv_key.pem "; + $ovpn_config .= "--dh {$g['vardb_path']}/ovpn_dh.pem "; + + /* Data channel encryption cipher*/ + $ovpn_config .= "--cipher {$server['crypto']} "; + + /* Duplicate CNs */ + if (isset($server['dupcn'])) + $ovpn_config .= "--duplicate-cn "; + + /* Client push - redirect gateway */ + if (isset($server['psh_options']['redir'])){ + if (isset($server['psh_options']['redir_loc'])) + $ovpn_config .= "--push \"redirect-gateway 'local'\" "; + else + $ovpn_config .= "--push \"redirect-gateway\" "; + } + + /* Client push - route delay */ + if (isset($server['psh_options']['rte_delay'])) + $ovpn_config .= "--push \"route-delay {$server['psh_options']['rte_delay']}\" "; + + /* Client push - ping (note we set both server and client) */ + if (isset ($server['psh_options']['ping'])){ + $ovpn_config .= "--ping {$server['psh_options']['ping']} "; + $ovpn_config .= "--push \"ping {$server['psh_options']['ping']}\" "; + } + + /* Client push - ping-restart (note server uses 2 x client interval) */ + if (isset ($server['psh_options']['pingrst'])){ + $interval = $server['psh_options']['pingrst']; + $ovpn_config .= "--ping-restart " . ($interval * 2) . " "; + $ovpn_config .= "--push \"ping-restart $interval\" "; + } + + /* Client push - ping-exit (set on client) */ + if (isset ($server['psh_options']['pingexit'])){ + $ovpn_config .= "--ping-exit {$server['psh_options']['pingexit']} "; + $ovpn_config .= "--push \"ping-exit {$server['psh_options']['pingexit']}\" "; + } + + /* Client push - inactive (set on client) */ + if (isset ($server['psh_options']['inact'])){ + $ovpn_config .= "--inactive {$server['psh_options']['pingexit']} "; + $ovpn_config .= "--push \"inactive {$server['psh_options']['inact']}\" "; + } + + //trigger_error("OVPN: $ovpn_config", E_USER_NOTICE); + return $ovpn_config; +} + +/* Define an OVPN Server tunnel interface in the interfaces array and assign a name */ +function ovpn_server_iface(){ + global $config, $g; + + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == 'server')) + /* Already an interface defined - overwrite */ + break; + } + else { + /* No existing entry, this is first unused */ + $config['interfaces'][$ifname] = array(); + break; + } + $i++; + } + $config['interfaces'][$ifname]['descr'] = "OVPN server"; + $config['interfaces'][$ifname]['if'] = $config['ovpn']['server']['tun_iface']; + $config['interfaces'][$ifname]['ipaddr'] = long2ip( ip2long($config['ovpn']['server']['ipblock']) + 1); + $config['interfaces'][$ifname]['subnet'] = $config['ovpn']['server']['prefix']; + $config['interfaces'][$ifname]['enable'] = isset($config['ovpn']['server']['enable']) ? true : false; + $config['interfaces'][$ifname]['ovpn'] = 'server'; + + write_config(); + + return "OpenVPN server interface defined"; +} + +/********************************************************/ +/* Client related functions */ +function ovpn_config_client() { + /* Boot time configuration */ + global $config, $g; + + foreach ($config['ovpn']['client']['tunnel'] as $id => $client) { + if (isset($client['enable'])) { + + if ($g['booting']) + echo "Starting OpenVPN client $id... "; + + /* kill any running openvpn daemon */ + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem"); + + /* Copy the TLS-Client certs & keys to disk */ + /*$fd = @fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w");*/ + $fd = fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['ca_cert'])."\n"); + fclose($fd); + } + else + trigger_error("OVPN: No open for CA", E_USER_NOTICE); + $fd = fopen($g['vardb_path']."/ovpn_cli_cert_".$id.".pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_cert'])."\n"); + fclose($fd); + } + $fd = fopen($g['vardb_path']."/ovpn_cli_key_".$id.".pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_key'])."\n"); + fclose($fd); + } + + /* Start openvpn for this client */ + mwexec("/usr/local/sbin/openvpn " . ovpn_cli_config_generate($id)); + + if ($g['booting']) + /* Send the boot message */ + echo "done\n"; + } + else { + if (!$g['booting']){ + /* stop any processes, unload the tap module */ + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem"); + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + if ($client['type'] == "tap") + ovpn_unlink_tap(); + } + } + } + return 0; + +} + +/* Kill off a running client process */ +function ovpn_client_kill($id) { + global $g; + + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + return 0; +} + +function ovpn_cli_config_generate($id) { + /* configure the named client */ + global $config, $g; + $client = $config['ovpn']['client']['tunnel']; + + /* Client support in 2.0 is very simple */ + + $ovpn_config = "--client --daemon --verb 1 "; + + /* pid file */ + $ovpn_config .= "--writepid {$g['varrun_path']}/ovpn_client{$id}.pid "; + + /* interface */ + $ovpn_config .= "--dev {$client[$id]['if']} "; + + /* protocol */ + $ovpn_config .= "--proto {$client[$id]['proto']} "; + + /* port */ + $ovpn_config .= "--lport {$client[$id]['cport']} "; + + /* server location */ + $ovpn_config .= "--remote {$client[$id]['saddr']} {$client[$id]['sport']} "; + + /* TLS-Server params */ + $ovpn_config .= "--ca {$g['vardb_path']}/ovpn_ca_cert_{$id}.pem "; + $ovpn_config .= "--cert {$g['vardb_path']}/ovpn_cli_cert_{$id}.pem "; + $ovpn_config .= "--key {$g['vardb_path']}/ovpn_cli_key_{$id}.pem "; + + /* Data channel encryption cipher*/ + $ovpn_config .= "--cipher {$client[$id]['crypto']} "; + + //trigger_error("OVPN: $ovpn_config", E_USER_NOTICE); + return $ovpn_config; +} + +/* Define an OVPN tunnel interface in the interfaces array for each client */ +function ovpn_client_iface(){ + global $config; + + foreach ($config['ovpn']['client']['tunnel'] as $id => $client) { + if (isset($client['enable'])) { + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}")) + /* Already an interface defined - overwrite */ + break; + } + else { + /* No existing entry, this is first unused */ + $config['interfaces'][$ifname] = array(); + break; + } + $i++; + } + if (isset($client['descr'])) + $config['interfaces'][$ifname]['descr'] = $client['descr']; + else + $config['interfaces'][$ifname]['descr'] = "OVPN client-{$id}"; + $config['interfaces'][$ifname]['if'] = $client['if']; + $config['interfaces'][$ifname]['ipaddr'] = "0.0.0.0"; + $config['interfaces'][$ifname]['subnet'] = "0"; + $config['interfaces'][$ifname]['enable'] = isset($client['enable']) ? true : false; + $config['interfaces'][$ifname]['ovpn'] = "client{$id}"; + write_config(); + } + } + return "OpenVPN client interfaces defined"; +} + +/* Delete a client interface definition */ +function ovpn_client_iface_del($id) { + global $config; + + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}")) + unset($config['interfaces'][$ifname]); + } + } +} + +/******************/ +/* Misc functions */ + +/* Calculate the last address in a range given the start and /prefix */ +function ovpn_calc_end($start, $prefix){ + + $first = ip2long($start); + $last = pow(2,(32 - $prefix)) - 1 + $first; + return long2ip($last); +} + +/* Calculate a mask given a /prefix */ +function ovpn_calc_mask($prefix){ + + return long2ip(ip2long("255.255.255.255") - (pow( 2, (32 - $prefix)) - 1)); +} + +/* Read in a file from the $_FILES array */ +function ovpn_get_file($file){ + global $g; + + if (!is_uploaded_file($_FILES[$file]['tmp_name'])){ + trigger_error("Bad file upload".$_FILES[$file]['error'], E_USER_NOTICE); + return NULL; + } + $contents = file_get_contents($_FILES[$file]['tmp_name']); + return $contents; +} + + +/* Get the IP address of a specified interface */ +function ovpn_get_ip($iface){ + global $config; + + if ($iface == 'wan') + return get_current_wan_address(); + + if ($config['interfaces'][$iface]['bridge']) + /* No bridging (yet) */ + return false; + return $config['interfaces'][$iface]['ipaddr']; +} + +/* Get a list of the cipher options supported by OpenVPN */ +function ovpn_get_cipher_list(){ + +/* exec("/usr/local/sbin/openvpn --show-ciphers", $raw); + print_r ($raw); + + $ciphers = preg_grep('/ bit default key /', $raw); + + for($i = 0; $i <count($ciphers); $i++){ + $tmp = explode(' ',$ciphers[$i]); + $cipher_list["$tmp[0]"] = "{$tmp[0]} ({$tmp[1]} {$tmp[2]})"; + } +*/ + $cipher_list = array('DES-CBC' => 'DES-CBC (64 bit)', + 'RC2-CBC' => 'RC2-CBC (128 bit)', + 'DES-EDE-CBC' => 'DES-EDE-CBC (128 bit)', + 'DES-EDE3-CBC' => 'DES-EDE3-CBC (192 bit)', + 'DESX-CBC' => 'DESX-CBC (192 bit)', + 'BF-CBC' => 'BF-CBC (128 bit)', + 'RC2-40-CBC' => 'RC2-40-CBC (40 bit)', + 'CAST5-CBC' => 'CAST5-CBC (128 bit)', + 'RC5-CBC' => 'RC5-CBC (128 bit)', + 'RC2-64-CBC' => 'RC2-64-CBC (64 bit)', + 'AES-128-CBC' => 'AES-128-CBC (128 bit)', + 'AES-192-CBC' => 'AES-192-CBC (192 bit)', + 'AES-256-CBC' => 'AES-256-CBC (256 bit)'); + return $cipher_list; +} + + +/* Build a list of the current real interfaces */ +function ovpn_real_interface_list(){ + global $config; + + $interfaces = array('all' => 'ALL', + 'lan' => 'LAN', + 'wan' => 'WAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if (isset($config['interfaces']['opt' . $i]['ovpn'])) + /* Hide our own interface */ + break; + if (isset($config['interfaces']['opt' . $i]['enable'])) + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } + return $interfaces; +} + + +/* lock openvpn information, decide that the lock file is stale after + 10 seconds */ +function ovpn_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = @fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function ovpn_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff --git a/etc/inc/services.inc b/etc/inc/services.inc new file mode 100644 index 0000000..17bc959 --- /dev/null +++ b/etc/inc/services.inc @@ -0,0 +1,440 @@ +<?php +/* + services.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function services_dhcpd_configure() { + global $config, $g; + + /* kill any running dhcpd */ + killbypid("{$g['varrun_path']}/dhcpd.pid"); + + $syscfg = $config['system']; + $dhcpdcfg = $config['dhcpd']; + + /* DHCP enabled on any interfaces? */ + $dhcpdenable = false; + foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) { + if (isset($dhcpifconf['enable']) && + (($dhcpif == "lan") || + (isset($config['interfaces'][$dhcpif]['enable']) && + $config['interfaces'][$dhcpif]['if'] && (!$config['interfaces'][$dhcpif]['bridge'])))) + $dhcpdenable = true; + } + + if (!$dhcpdenable) + return 0; + + if ($g['booting']) + echo "Starting DHCP service... "; + else + sleep(1); + + /* write dhcpd.conf */ + $fd = fopen("{$g['varetc_path']}/dhcpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open dhcpd.conf in services_dhcpd_configure().\n"); + return 1; + } + + $dhcpdconf = <<<EOD +option domain-name "{$syscfg['domain']}"; +default-lease-time 7200; +max-lease-time 86400; +authoritative; +log-facility local7; +ddns-update-style none; + +EOD; + + $dhcpdifs = array(); + foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) { + + $ifcfg = $config['interfaces'][$dhcpif]; + + if (!isset($dhcpifconf['enable']) || + (($dhcpif != "lan") && + (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge']))) + continue; + + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + + $dnscfg = ""; + + if ($dhcpifconf['domain']) { + $dnscfg .= " option domain-name \"{$dhcpifconf['domain']}\";\n"; + } + + if (is_array($dhcpifconf['dnsserver']) && ($dhcpifconf['dnsserver'][0])) { + $dnscfg .= " option domain-name-servers " . join(",", $dhcpifconf['dnsserver']) . ";"; + } else if (isset($config['dnsmasq']['enable'])) { + $dnscfg .= " option domain-name-servers " . $ifcfg['ipaddr'] . ";"; + } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { + $dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";"; + } + + $dhcpdconf .= "subnet $subnet netmask $subnetmask {\n"; + $dhcpdconf .= " pool {\n"; + if (isset($dhcpifconf['denyunknown'])) + $dhcpdconf .= " deny unknown clients;\n"; + + if ($dhcpifconf['gateway']) + $routers = $dhcpifconf['gateway']; + else + $routers = $ifcfg['ipaddr']; + + $dhcpdconf .= <<<EOD + range {$dhcpifconf['range']['from']} {$dhcpifconf['range']['to']}; + } + option routers {$routers}; +$dnscfg + +EOD; + + if ($dhcpifconf['defaultleasetime']) + $dhcpdconf .= " default-lease-time {$dhcpifconf['defaultleasetime']};\n"; + if ($dhcpifconf['maxleasetime']) + $dhcpdconf .= " max-lease-time {$dhcpifconf['maxleasetime']};\n"; + + if (is_array($dhcpifconf['winsserver']) && $dhcpifconf['winsserver'][0]) { + $dhcpdconf .= " option netbios-name-servers " . join(",", $dhcpifconf['winsserver']) . ";\n"; + $dhcpdconf .= " option netbios-node-type 8;\n"; + } + + if ($dhcpifconf['next-server']) + $dhcpdconf .= " next-server {$dhcpifconf['next-server']};\n"; + if ($dhcpifconf['filename']) + $dhcpdconf .= " filename \"{$dhcpifconf['filename']}\";\n"; + + $dhcpdconf .= <<<EOD +} + +EOD; + + /* add static mappings */ + if (is_array($dhcpifconf['staticmap'])) { + + $i = 0; + foreach ($dhcpifconf['staticmap'] as $sm) { + $dhcpdconf .= <<<EOD +host s_{$dhcpif}_{$i} { + hardware ethernet {$sm['mac']}; + +EOD; + if ($sm['ipaddr']) + $dhcpdconf .= " fixed-address {$sm['ipaddr']};\n"; + + $dhcpdconf .= "}\n"; + $i++; + } + } + + $dhcpdifs[] = $ifcfg['if']; + } + + fwrite($fd, $dhcpdconf); + fclose($fd); + + /* create an empty leases database */ + touch("{$g['vardb_path']}/dhcpd.leases"); + + /* fire up dhcpd */ + mwexec("/usr/local/sbin/dhcpd -cf {$g['varetc_path']}/dhcpd.conf " . + join(" ", $dhcpdifs)); + + if (!$g['booting']) { + filter_configure(); + } else + echo "done\n"; + + return 0; +} + +function services_dhcrelay_configure() { + global $config, $g; + + /* kill any running dhcrelay */ + killbypid("{$g['varrun_path']}/dhcrelay.pid"); + + $dhcrelaycfg = $config['dhcrelay']; + + /* DHCPRelay enabled on any interfaces? */ + $dhcrelayenable = false; + foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) { + if (isset($dhcrelayifconf['enable']) && + (($dhcrelayif == "lan") || + (isset($config['interfaces'][$dhcrelayif]['enable']) && + $config['interfaces'][$dhcrelayif]['if'] && (!$config['interfaces'][$dhcrelayif]['bridge'])))) + $dhcrelayenable = true; + } + + if (!$dhcrelayenable) + return 0; + + if ($g['booting']) + echo "Starting DHCP relay service... "; + else + sleep(1); + + $dhcrelayifs = array(); + foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) { + + $ifcfg = $config['interfaces'][$dhcrelayif]; + + if (!isset($dhcrelayifconf['enable']) || + (($dhcrelayif != "lan") && + (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge']))) + continue; + + $dhcrelayifs[] = $ifcfg['if']; + } + + /* In order for the relay to work, it needs to be active on the + interface in which the destination server sits */ + foreach ($config['interfaces'] as $ifname) { + $subnet = $ifname['ipaddr'] . "/" . $ifname['subnet']; + if (ip_in_subnet($dhcrelaycfg['server'],$subnet)) + $destif = $ifname['if']; + } + + if (!isset($destif)) + $destif = $config['interfaces']['wan']['if']; + + $dhcrelayifs[] = $destif; + $dhcrelayifs = array_unique($dhcrelayifs); + + /* fire up dhcrelay */ + $cmd = "/usr/local/sbin/dhcrelay -i " . join(" -i ", $dhcrelayifs); + + if (isset($dhcrelaycfg['agentoption'])) + $cmd .= " -a -m replace"; + + $cmd .= " {$dhcrelaycfg['server']}"; + mwexec($cmd); + + if (!$g['booting']) { + filter_configure(); + } else + echo "done\n"; + + return 0; +} + +function services_dyndns_reset() { + global $config, $g; + + if (file_exists("{$g['vardb_path']}/ez-ipupdate.cache")) { + unlink("{$g['vardb_path']}/ez-ipupdate.cache"); + } + + if (file_exists("{$g['conf_path']}/ez-ipupdate.cache")) { + conf_mount_rw(); + unlink("{$g['conf_path']}/ez-ipupdate.cache"); + conf_mount_ro(); + } + + return 0; +} + +function services_dyndns_configure() { + global $config, $g; + + /* kill any running ez-ipupdate */ + /* ez-ipupdate needs SIGQUIT instead of SIGTERM */ + sigkillbypid("{$g['varrun_path']}/ez-ipupdate.pid", "QUIT"); + + $dyndnscfg = $config['dyndns']; + $wancfg = $config['interfaces']['wan']; + + if (isset($dyndnscfg['enable'])) { + + if ($g['booting']) + echo "Starting DynDNS client... "; + else + sleep(1); + + /* determine WAN interface name */ + $wanif = get_real_wan_interface(); + + /* write ez-ipupdate.conf */ + $fd = fopen("{$g['varetc_path']}/ez-ipupdate.conf", "w"); + if (!$fd) { + printf("Error: cannot open ez-ipupdate.conf in services_dyndns_configure().\n"); + return 1; + } + + $ezipupdateconf = <<<EOD +service-type={$dyndnscfg['type']} +user={$dyndnscfg['username']}:{$dyndnscfg['password']} +host={$dyndnscfg['host']} +interface=$wanif +max-interval=2073600 +pid-file={$g['varrun_path']}/ez-ipupdate.pid +cache-file={$g['vardb_path']}/ez-ipupdate.cache +execute=/etc/rc.dyndns.storecache +daemon + +EOD; + + /* enable MX? */ + if ($dyndnscfg['mx']) { + $ezipupdateconf .= "mx={$dyndnscfg['mx']}\n"; + } + + /* enable wildcards? */ + if (isset($dyndnscfg['wildcard'])) { + $ezipupdateconf .= "wildcard\n"; + } + + fwrite($fd, $ezipupdateconf); + fclose($fd); + + /* if we're booting, copy the cache file from /conf */ + if ($g['booting']) { + if (file_exists("{$g['conf_path']}/ez-ipupdate.cache")) { + copy("{$g['conf_path']}/ez-ipupdate.cache", "{$g['vardb_path']}/ez-ipupdate.cache"); + } + } + + /* run ez-ipupdate */ + mwexec("/usr/local/bin/ez-ipupdate -c {$g['varetc_path']}/ez-ipupdate.conf"); + + if ($g['booting']) + echo "done\n"; + } + + return 0; +} + +function services_dnsmasq_configure() { + global $config, $g; + + /* kill any running dnsmasq */ + sigkillbypid("{$g['varrun_path']}/dnsmasq.pid", "TERM"); + + if (isset($config['dnsmasq']['enable'])) { + + if ($g['booting']) + echo "Starting DNS forwarder... "; + else + sleep(1); + + /* generate hosts file */ + system_hosts_generate(); + + $args = ""; + + if (isset($config['dnsmasq']['regdhcp'])) { + + $args .= " -l {$g['vardb_path']}/dhcpd.leases" . + " -s {$config['system']['domain']}"; + } + + /* run dnsmasq */ + mwexec("/usr/local/sbin/dnsmasq {$args}"); + + if ($g['booting']) + echo "done\n"; + } + + if (!$g['booting']) { + services_dhcpd_configure(); + } + + return 0; +} + +function services_snmpd_configure() { + global $config, $g; + + /* kill any running snmpd */ + sigkillbypid("{$g['varrun_path']}/snmpd.pid", "TERM"); + + if (isset($config['snmpd']['enable'])) { + + if ($g['booting']) + echo "Starting SNMP agent... "; + + /* generate snmpd.conf */ + $fd = fopen("{$g['varetc_path']}/snmpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open snmpd.conf in services_snmpd_configure().\n"); + return 1; + } + + $snmpdconf = <<<EOD +syslocation "{$config['snmpd']['syslocation']}" +syscontact "{$config['snmpd']['syscontact']}" +rocommunity "{$config['snmpd']['rocommunity']}" + +EOD; + + fwrite($fd, $snmpdconf); + fclose($fd); + + /* run snmpd */ + mwexec("/usr/local/sbin/snmpd -c {$g['varetc_path']}/snmpd.conf" . + " -P {$g['varrun_path']}/snmpd.pid"); + + if ($g['booting']) + echo "done\n"; + } + + return 0; +} + +function services_proxyarp_configure() { + global $config, $g; + + /* kill any running choparp */ + killbyname("choparp"); + + if (is_array($config['proxyarp']) && count($config['proxyarp']) && + (is_ipaddr($config['interfaces']['wan']['ipaddr']) || + ($config['interfaces']['wan']['ipaddr'] == "dhcp") || + ($config['interfaces']['wan']['ipaddr'] == "bigpond"))) { + + $args = $config['interfaces']['wan']['if'] . " auto"; + + foreach ($config['proxyarp']['proxyarpnet'] as $paent) { + if (isset($paent['network'])) + $args .= " " . escapeshellarg($paent['network']); + else if (isset($paent['range'])) + $args .= " " . escapeshellarg($paent['range']['from'] . "-" . + $paent['range']['to']); + } + + mwexec_bg("/usr/local/sbin/choparp " . $args); + } +} + +?> diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc new file mode 100644 index 0000000..71e0575 --- /dev/null +++ b/etc/inc/shaper.inc @@ -0,0 +1,403 @@ +<?php +/* + shaper.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function shaper_configure() { + global $config, $g; + + if (isset($config['pfqueueing']['enable'])) { + + if ($g['booting']) + echo "Starting traffic shaper... "; + + /* generate shaper rules */ + $shaperrules = shaper_rules_generate(); + + /* make sure ipfw and dummynet are loaded */ + mwexec("/sbin/kldload ipfw"); + mwexec("/sbin/kldload dummynet"); + + /* change one_pass to 1 so ipfw stops checking after + a rule has matched */ + mwexec("/sbin/sysctl net.inet.ip.fw.one_pass=1"); + + /* load shaper rules */ + mwexec("/sbin/ipfw -f delete set 4"); + mwexec("/sbin/ipfw -f pipe flush"); + + /* XXX - seems like ipfw cannot accept rules directly on stdin, + so we have to write them to a temporary file first */ + $fd = fopen("{$g['tmp_path']}/ipfw.rules", "w"); + if (!$fd) { + printf("Cannot open ipfw.rules in shaper_configure()\n"); + return 1; + } + + fwrite($fd, $shaperrules); + fclose($fd); + + mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules"); + + unlink("{$g['tmp_path']}/ipfw.rules"); + + /* make sure bridged packets are shaped as well */ + mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=1"); + + if ($g['booting']) + echo "done\n"; + + } else { + mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=0"); + if (!isset($config['captiveportal']['enable'])) { + /* unload ipfw and dummynet */ + #mwexec("/sbin/kldunload dummynet"); + #mwexec("/sbin/kldunload ipfw"); + } else { + /* captive portal is on - just remove our rules */ + mwexec("/sbin/ipfw -f delete set 4"); + mwexec("/sbin/ipfw -f pipe flush"); + } + } + + return 0; +} + +function shaper_rules_generate() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + $pptpdcfg = $config['pptpd']; + + $lanif = $lancfg['if']; + $wanif = get_real_wan_interface(); + + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + /* optional interfaces */ + $optcfg = array(); + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $oc = $config['interfaces']['opt' . $i]; + + if (isset($oc['enable']) && $oc['if']) { + $oic = array(); + $oic['ip'] = $oc['ipaddr']; + $oic['if'] = $oc['if']; + $oic['sa'] = gen_subnet($oc['ipaddr'], $oc['subnet']); + $oic['sn'] = $oc['subnet']; + + $optcfg['opt' . $i] = $oic; + } + } + + if ($pptpdcfg['mode'] == "server") { + $pptpip = $pptpdcfg['localip']; + $pptpsa = $pptpdcfg['remoteip']; + $pptpsn = $g['pptp_subnet']; + } + + $rulei = 50000; + + /* add a rule to pass all traffic from/to the firewall, + so the user cannot lock himself out of the webGUI */ + $shaperrules = "add $rulei set 4 pass all from $lanip to any\n"; $rulei++; + $shaperrules .= "add $rulei set 4 pass all from any to $lanip\n"; $rulei++; + + /* generate rules */ + if (isset($config['pfqueueing']['rule'])) + foreach ($config['pfqueueing']['rule'] as $rule) { + + /* don't include disabled rules */ + if (isset($rule['disabled'])) { + $i++; + continue; + } + + /* does the rule deal with a PPTP interface? */ + if ($rule['interface'] == "pptp") { + + if ($pptpdcfg['mode'] != "server") { + $i++; + continue; + } + + $nif = $g['n_pptp_units']; + $ispptp = true; + } else { + + if (strstr($rule['interface'], "opt")) { + if (!array_key_exists($rule['interface'], $optcfg)) { + $i++; + continue; + } + } + + $nif = 1; + $ispptp = false; + } + + if ($pptpdcfg['mode'] != "server") { + if (($rule['source']['network'] == "pptp") || + ($rule['destination']['network'] == "pptp")) { + $i++; + continue; + } + } + + if (strstr($rule['source']['network'], "opt")) { + if (!array_key_exists($rule['source']['network'], $optcfg)) { + $i++; + continue; + } + } + if (strstr($rule['destination']['network'], "opt")) { + if (!array_key_exists($rule['destination']['network'], $optcfg)) { + $i++; + continue; + } + } + + /* check for unresolvable aliases */ + if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) { + $i++; + continue; + } + if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) { + $i++; + continue; + } + + for ($iif = 0; $iif < $nif; $iif++) { + + /* pipe or queue? */ + if (isset($rule['targetpipe']) && isset($config['pfqueueing']['pipe'][$rule['targetpipe']])) { + $pipen = $rule['targetpipe'] + 1; + $line = "add $rulei set 4 pipe $pipen "; $rulei++; + } else if (isset($rule['targetqueue']) && isset($config['pfqueueing']['queue'][$rule['targetqueue']])) { + $queuen = $rule['targetqueue'] + 1; + $line = "add $rulei set 4 queue $queuen "; $rulei++; + } else { + printf("Neither existing pipe nor queue found in rule $i\n"); + break; + } + + if (isset($rule['protocol'])) { + $line .= "{$rule['protocol']} "; + } else { + $line .= "all "; + } + + /* source address */ + if (isset($rule['source']['any'])) { + $src = "any"; + } else if ($rule['source']['network']) { + + if (strstr($rule['source']['network'], "opt")) { + $src = $optcfg[$rule['source']['network']]['sa'] . "/" . + $optcfg[$rule['source']['network']]['sn']; + } else { + switch ($rule['source']['network']) { + case 'lan': + $src = "$lansa/$lansn"; + break; + case 'pptp': + $src = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['source']['address']) { + $src = alias_expand($rule['source']['address']); + } + + if (!$src) { + printf("No source address found in rule $i\n"); + break; + } + + if (isset($rule['source']['not'])) { + $line .= "from not $src "; + } else { + $line .= "from $src "; + } + + if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { + + if ($rule['source']['port']) { + $srcport = explode("-", $rule['source']['port']); + + if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { + $line .= "{$srcport[0]} "; + } else { + $line .= "{$srcport[0]}-{$srcport[1]} "; + } + } + } + + /* destination address */ + if (isset($rule['destination']['any'])) { + $dst = "any"; + } else if ($rule['destination']['network']) { + + if (strstr($rule['destination']['network'], "opt")) { + $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" . + $optcfg[$rule['destination']['network']]['sn']; + } else { + switch ($rule['destination']['network']) { + case 'lan': + $dst = "$lansa/$lansn"; + break; + case 'pptp': + $dst = "$pptpsa/$pptpsn"; + break; + } + } + } else if ($rule['destination']['address']) { + $dst = alias_expand($rule['destination']['address']); + } + + if (!$dst) { + printf("No destination address found in rule $i\n"); + break; + } + + if (isset($rule['destination']['not'])) { + $line .= "to not $dst "; + } else { + $line .= "to $dst "; + } + + if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { + + if ($rule['destination']['port']) { + $dstport = explode("-", $rule['destination']['port']); + + if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { + $line .= "{$dstport[0]} "; + } else { + $line .= "{$dstport[0]}-{$dstport[1]} "; + } + } + } + + if ($rule['iplen']) + $line .= "iplen {$rule['iplen']} "; + + if ($rule['iptos']) + $line .= "iptos {$rule['iptos']} "; + + if ($rule['tcpflags']) + $line .= "tcpflags {$rule['tcpflags']} "; + + if ($rule['direction'] == "in") + $line .= "in "; + else if ($rule['direction'] == "out") + $line .= "out "; + + if ($ispptp) { + $line .= "via ng" . ($iif+1); + } else { + if ($rule['interface'] == "wan") + $if = $wanif; + else + $if = $config['interfaces'][$rule['interface']]['if']; + + $line .= "via {$if}"; + } + + $line .= "\n"; + $shaperrules .= $line; + } + + $i++; + } + + /* generate pipes */ + if (isset($config['pfqueueing']['pipe'])) { + $pipei = 1; + foreach ($config['pfqueueing']['pipe'] as $pipe) { + $line = "pipe $pipei config bw {$pipe['bandwidth']}Kbit/s "; + + if ($pipe['delay']) { + $line .= "delay {$pipe['delay']} "; + } + + switch ($pipe['mask']) { + case 'source': + $line .= "mask src-ip 0xffffffff "; + break; + case 'destination': + $line .= "mask dst-ip 0xffffffff "; + break; + } + + $line .= "\n"; + $shaperrules .= $line; + $pipei++; + } + } + + /* generate queues */ + if (isset($config['pfqueueing']['queue'])) { + $queuei = 1; + foreach ($config['pfqueueing']['queue'] as $queue) { + + $pipen = $queue['targetpipe'] + 1; + if (!isset($queue['targetpipe']) || !isset($config['pfqueueing']['pipe'][$queue['targetpipe']])) { + printf("Pipe $pipen for queue $queuei not found!\n"); + continue; + } + + $line = "queue $queuei config pipe {$pipen}"; + $line .= " weight {$queue['weight']}"; + + switch ($queue['mask']) { + case 'source': + $line .= " mask src-ip 0xffffffff "; + break; + case 'destination': + $line .= " mask dst-ip 0xffffffff "; + break; + } + + $line .= "\n"; + $shaperrules .= $line; + $queuei++; + } + } + + return $shaperrules; +} + +?> diff --git a/etc/inc/system.inc b/etc/inc/system.inc new file mode 100644 index 0000000..d2c0b33 --- /dev/null +++ b/etc/inc/system.inc @@ -0,0 +1,563 @@ +<?php +/* + system.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function system_resolvconf_generate($dynupdate = false) { + global $config, $g; + + $syscfg = $config['system']; + + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); + if (!$fd) { + printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + return 1; + } + + $resolvconf = "domain {$syscfg['domain']}\n"; + + $havedns = false; + + if (isset($syscfg['dnsallowoverride'])) { + /* get dynamically assigned DNS servers (if any) */ + $nfd = @fopen("{$g['varetc_path']}/nameservers.conf", "r"); + if ($nfd) { + while (!feof($nfd)) { + $dnss = trim(fgets($nfd)); + if ($dnss) { + $resolvconf .= "nameserver $dnss\n"; + $havedns = true; + } + } + fclose($nfd); + } + } + if (!$havedns && is_array($syscfg['dnsserver'])) { + foreach ($syscfg['dnsserver'] as $ns) { + if ($ns) + $resolvconf .= "nameserver $ns\n"; + $havedns = true; + } + } + + fwrite($fd, $resolvconf); + fclose($fd); + + if (!$g['booting']) { + /* restart dhcpd (nameservers may have changed) */ + if (!$dynupdate) + services_dhcpd_configure(); + } + + return 0; +} + +function system_hosts_generate() { + global $config, $g; + + $syscfg = $config['system']; + $lancfg = $config['interfaces']['lan']; + $dnsmasqcfg = $config['dnsmasq']; + + if (!is_array($dnsmasqcfg['hosts'])) { + $dnsmasqcfg['hosts'] = array(); + } + $hostscfg = $dnsmasqcfg['hosts']; + + $fd = fopen("{$g['varetc_path']}/hosts", "w"); + if (!$fd) { + printf("Error: cannot open hosts file in system_hosts_generate().\n"); + return 1; + } + + $hosts = <<<EOD +127.0.0.1 localhost localhost.{$syscfg['domain']} +{$lancfg['ipaddr']} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']} + +EOD; + + foreach ($hostscfg as $host) { + if ($host['host']) + $hosts .= "{$host['ip']} {$host['host']}.{$host['domain']} {$host['host']}\n"; + else + $hosts .= "{$host['ip']} {$host['domain']}\n"; + } + fwrite($fd, $hosts); + fclose($fd); + + return 0; +} + +function system_hostname_configure() { + global $config, $g; + + $syscfg = $config['system']; + + /* set hostname */ + return mwexec("/bin/hostname " . + escapeshellarg("{$syscfg['hostname']}.{$syscfg['domain']}")); +} + +function system_routing_configure() { + global $config, $g; + + /* clear out old routes, if necessary */ + if (file_exists("{$g['vardb_path']}/routes.db")) { + $fd = fopen("{$g['vardb_path']}/routes.db", "r"); + if (!$fd) { + printf("Error: cannot open routes DB file in system_routing_configure().\n"); + return 1; + } + while (!feof($fd)) { + $oldrt = fgets($fd); + if ($oldrt) + mwexec("/sbin/route delete " . escapeshellarg($oldrt)); + } + fclose($fd); + unlink("{$g['vardb_path']}/routes.db"); + } + + if (is_array($config['staticroutes']['route'])) { + + $fd = fopen("{$g['vardb_path']}/routes.db", "w"); + if (!$fd) { + printf("Error: cannot open routes DB file in system_routing_configure().\n"); + return 1; + } + + foreach ($config['staticroutes']['route'] as $rtent) { + mwexec("/sbin/route add " . escapeshellarg($rtent['network']) . + " " . escapeshellarg($rtent['gateway'])); + + /* record route so it can be easily removed later (if necessary) */ + fwrite($fd, $rtent['network'] . "\n"); + } + + fclose($fd); + } + + return 0; +} + +function system_routing_enable() { + global $config, $g; + + return mwexec("/sbin/sysctl net.inet.ip.forwarding=1"); +} + +function system_syslogd_start() { + global $config, $g; + + $syslogcfg = $config['syslog']; + + if ($g['booting']) + echo "Starting syslog service... "; + else + killbypid("{$g['varrun_path']}/syslog.pid"); + + if (isset($syslogcfg['enable'])) { + + /* write syslog.conf */ + $fd = fopen("{$g['varetc_path']}/syslog.conf", "w"); + if (!$fd) { + printf("Error: cannot open syslog.conf in system_syslogd_start().\n"); + return 1; + } + + $syslogconf = <<<EOD +local0.* %/var/log/filter.log +local3.* %/var/log/vpn.log +local7.* %/var/log/dhcpd.log +*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none %/var/log/system.log +security.* %/var/log/system.log +auth.info;authpriv.info;daemon.info %/var/log/system.log +*.emerg * + +EOD; + + if (isset($syslogcfg['filter'])) { + $syslogconf .= <<<EOD +local0.* @{$syslogcfg['remoteserver']} + +EOD; + } + + if (isset($syslogcfg['vpn'])) { + $syslogconf .= <<<EOD +local3.* @{$syslogcfg['remoteserver']} + +EOD; + } + + if (isset($syslogcfg['dhcp'])) { + $syslogconf .= <<<EOD +local7.* @{$syslogcfg['remoteserver']} + +EOD; + } + + if (isset($syslogcfg['system'])) { + $syslogconf .= <<<EOD +*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local7.none @{$syslogcfg['remoteserver']} +security.* @{$syslogcfg['remoteserver']} +auth.info;authpriv.info;daemon.info @{$syslogcfg['remoteserver']} +*.emerg @{$syslogcfg['remoteserver']} + +EOD; + } + + fwrite($fd, $syslogconf); + fclose($fd); + + $retval = mwexec("/usr/sbin/syslogd -s -f {$g['varetc_path']}/syslog.conf"); + + } else { + $retval = mwexec("/usr/sbin/syslogd -ss"); + } + + if ($g['booting']) + echo "done\n"; + + return $retval; +} + +function system_pccard_start() { + global $config, $g; + + if ($g['booting']) + echo "Initializing PC cards... "; + + /* kill any running pccardd */ + killbypid("{$g['varrun_path']}/pccardd.pid"); + + /* fire up pccardd */ + $res = mwexec("/usr/sbin/pccardd -z -f {$g['etc_path']}/pccard.conf"); + + if ($g['booting']) { + if ($res == 0) + echo "done\n"; + else + echo "failed (probably no PC card controller present)\n"; + } + + return $res; +} + +function system_webgui_start() { + global $config, $g; + + if ($g['booting']) + echo "Starting webGUI... "; + + /* kill any running mini_httpd */ + killbypid("{$g['varrun_path']}/mini_httpd.pid"); + + /* generate password file */ + system_password_configure(); + + chdir($g['www_path']); + + /* non-standard port? */ + if ($config['system']['webgui']['port']) + $portarg = "-p {$config['system']['webgui']['port']}"; + else + $portarg = ""; + + if ($config['system']['webgui']['protocol'] == "https") { + + if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) { + $cert = base64_decode($config['system']['webgui']['certificate']); + $key = base64_decode($config['system']['webgui']['private-key']); + } else { + /* default certificate/key */ + $cert = <<<EOD +-----BEGIN CERTIFICATE----- +MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQKEwhtMG4wd2FsbDAe +Fw0wMzA5MDgxNzAzNDZaFw0wNDA5MDcxNzAzNDZaMBMxETAPBgNVBAoTCG0wbjB3 +YWxsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAShszhFz+o8lsMWTGgTxs +TMPR+v4+qL5jXDyY97MLTGFK7aqQOtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+ +83LPQmQoSPC0VqhfU3uYf3NzxiK8r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFP +C4jE2fvjkbzyVolPywBuewIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAK2D8NqQSlUs +pFCe5J9ue1LrjfGHHy4HE9zA9avgrz3Qju+1JOshEwy/1BJjZ93tQUbiRS7RwvDO +4crGG4IejjhFczzA2CIX3rd2rYM2oGpojKgm5YuuhV5lYPwAHUOLbBaLOVqlLhzw +VqjD7R2DkXUIfhJ5ZekqK5ZwzqJXta8U +-----END CERTIFICATE----- + +EOD; + + $key = <<<EOD +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDAShszhFz+o8lsMWTGgTxsTMPR+v4+qL5jXDyY97MLTGFK7aqQ +OtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+83LPQmQoSPC0VqhfU3uYf3NzxiK8 +r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFPC4jE2fvjkbzyVolPywBuewIDAQAB +AoGAbJJrQW9fQrggJuLMz/hwsYW2m31oyOBmf5u463YQtjRuSuxe/gj87weZuNqY +H2rXq2k2K+ehl8hgW+egASyUL3L7kCkEAsVREujKTEyhSqqIRDPWTxo9S/YA9Gvn +2ZnJvkrcKjqCO9aHX3rvJOK/ErYI6akctgI3KmgkYw5XNmECQQDuZU97RTWH9rmP +aQr57ysNXxgFsyhetOOqeYkPtIVwpOiNbfwE1zi5RGdtO4Ku3fG1lV4J2UoWJ9yD +awdoyYIHAkEAzn0xJ90IjPsHk+8SODEj5JGdHSZPNu1tgtrbjEi9sfGWg4K7XTxr +QW90pWb1bKKU1uh5FzW6OhnFfuQXt1kC7QJAPSthqY+onKqCEnoxhtAHi/bKgyvl +P+fKQwPMV2tKkgy+XwvJjrRqqZ8TqsOKVLQ+QQmCh6RpjiXMPyxHSmvqIQJBAKLR +HF1ucDuaBROkwx0DwmWMW/KMLpIFDQDNSaiIAuu4rxHrl4mhBoGGPNffI04RtILw +s+qVNs5xW8T+XaT4ztECQQDFHPnZeoPWE5z+AX/UUQIUWaDExz3XRzmIxRbOrlFi +CsF1s0TdJLi/wzNQRAL37A8vqCeVFR/ng3Xpg96Yg+8Z +-----END RSA PRIVATE KEY----- + +EOD; + } + + $fd = fopen("{$g['varetc_path']}/cert.pem", "w"); + if (!$fd) { + printf("Error: cannot open cert.pem in system_webgui_start().\n"); + return 1; + } + chmod("{$g['varetc_path']}/cert.pem", 0600); + fwrite($fd, $cert); + fwrite($fd, "\n"); + fwrite($fd, $key); + fclose($fd); + + $res = mwexec("/usr/local/sbin/mini_httpd -S -E {$g['varetc_path']}/cert.pem" . + " -c \"**.php|**.cgi\" -u root -maxproc 16 $portarg" . + " -i {$g['varrun_path']}/mini_httpd.pid"); + } else { + $res = mwexec("/usr/local/sbin/mini_httpd -c \"**.php|**.cgi\" -u root" . + " -maxproc 16 $portarg -i {$g['varrun_path']}/mini_httpd.pid"); + } + + if ($g['booting']) { + if ($res == 0) + echo "done\n"; + else + echo "failed\n"; + } + + return $res; +} + +function system_password_configure() { + global $config, $g; + + $fd = fopen("{$g['varrun_path']}/htpasswd", "w"); + if (!$fd) { + printf("Error: cannot open htpasswd in system_password_configure().\n"); + return 1; + } + + if ($config['system']['username']) + $username = $config['system']['username']; + else + $username = "admin"; + + fwrite($fd, $username . ":" . $config['system']['password'] . "\n"); + fclose($fd); + chmod("{$g['varrun_path']}/htpasswd", 0600); + + return 0; +} + +function system_timezone_configure() { + global $config, $g; + + $syscfg = $config['system']; + + if ($g['booting']) + echo "Initializing timezone... "; + + /* extract appropriate timezone file */ + $timezone = $syscfg['timezone']; + if (!$timezone) + $timezone = "Etc/UTC"; + + exec("/usr/bin/tar xzfO /usr/share/zoneinfo.tgz " . + escapeshellarg($timezone) . " > /etc/localtime"); + + if ($g['booting']) + echo "done\n"; +} + +function system_ntp_configure() { + global $config, $g; + + $syscfg = $config['system']; + + if ($g['booting']) + echo "Starting NTP client... "; + else { + killbypid("{$g['varrun_path']}/runmsntp.pid"); + killbypid("{$g['varrun_path']}/msntp.pid"); + } + + /* start ntp client if needed - needs to be forced into background */ + $updateinterval = $syscfg['time-update-interval']; + + if ($updateinterval > 0) { + if ($updateinterval < 6) + $updateinterval = 6; + + $timeservers = ""; + foreach (explode(' ', $syscfg['timeservers']) as $ts) + $timeservers .= " " . $ts; + + mwexec_bg("/usr/local/bin/runmsntp.sh " . + escapeshellarg("{$g['varrun_path']}/runmsntp.pid") . " " . + escapeshellarg("{$g['varrun_path']}/msntp.pid") . " " . + escapeshellarg($updateinterval) . " " . + escapeshellarg($timeservers)); + } + + if ($g['booting']) + echo "done\n"; +} + +function system_reboot() { + global $g; + + system_reboot_cleanup(); + + mwexec("nohup /etc/rc.reboot > /dev/null 2>&1 &"); +} + +function system_reboot_sync() { + global $g; + + system_reboot_cleanup(); + + mwexec("/etc/rc.reboot > /dev/null 2>&1"); +} + +function system_reboot_cleanup() { + captiveportal_radius_stop_all(); +} + +function system_do_shell_commands($early = 0) { + global $config, $g; + + if ($early) + $cmdn = "earlyshellcmd"; + else + $cmdn = "shellcmd"; + + if (is_array($config['system'][$cmdn])) { + + foreach ($config['system'][$cmdn] as $cmd) { + exec($cmd); + } + } +} + +function system_do_extensions() { + global $config, $g; + + if (!is_dir("{$g['etc_path']}/inc/ext")) + return; + + $dh = @opendir("{$g['etc_path']}/inc/ext"); + if ($dh) { + while (($extd = readdir($dh)) !== false) { + if (($extd === ".") || ($extd === "..")) + continue; + $rcfile = "{$g['etc_path']}/inc/ext/" . $extd . "/rc"; + if (file_exists($rcfile)) + passthru($rcfile); + } + closedir($dh); + } +} + +function system_console_configure() { + global $config, $g; + + if (isset($config['system']['disableconsolemenu'])) { + touch("{$g['varetc_path']}/disableconsole"); + } else { + unlink_if_exists("{$g['varetc_path']}/disableconsole"); + } +} + +function system_dmesg_save() { + global $g; + + exec("/sbin/dmesg", $dmesg); + + /* find last copyright line (output from previous boots may be present) */ + $lastcpline = 0; + + for ($i = 0; $i < count($dmesg); $i++) { + if (strstr($dmesg[$i], "Copyright (c) 1992-")) + $lastcpline = $i; + } + + $fd = fopen("{$g['varlog_path']}/dmesg.boot", "w"); + if (!$fd) { + printf("Error: cannot open dmesg.boot in system_dmesg_save().\n"); + return 1; + } + + for ($i = $lastcpline; $i < count($dmesg); $i++) + fwrite($fd, $dmesg[$i] . "\n"); + + fclose($fd); + + return 0; +} + +function system_set_harddisk_standby() { + global $g, $config; + + if ($g['platform'] != "generic-pc") + return; + + if (isset($config['system']['harddiskstandby'])) { + if ($g['booting']) { + echo 'Setting harddisk standby time... '; + } + + $standby = $config['system']['harddiskstandby']; + // Check for a numeric value + if (is_numeric($standby)) { + // Sync the disk(s) + mwexec('/bin/sync'); + if (!mwexec('/sbin/sysctl hw.ata.standby=' . ((int)$standby))) { + // Reinitialize ATA-drives + mwexec('/usr/local/sbin/atareinit'); + if ($g['booting']) { + echo "done\n"; + } + } else if ($g['booting']) { + echo "failed\n"; + } + } else if ($g['booting']) { + echo "failed\n"; + } + } +} + +?> diff --git a/etc/inc/util.inc b/etc/inc/util.inc new file mode 100644 index 0000000..2b3fa67 --- /dev/null +++ b/etc/inc/util.inc @@ -0,0 +1,421 @@ +<?php +/* + util.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* kill a process by pid file */ +function killbypid($pidfile) { + sigkillbypid($pidfile, "TERM"); +} + +/* sigkill a process by pid file */ +function sigkillbypid($pidfile, $sig) { + if (file_exists($pidfile)) { + mwexec("/bin/kill -s $sig `/bin/cat " . $pidfile . "`"); + } +} + +/* kill a process by name */ +function killbyname($procname) { + mwexec("/usr/bin/killall " . escapeshellarg($procname)); +} + +/* return the subnet address given a host address and a subnet bit count */ +function gen_subnet($ipaddr, $bits) { + if (!is_ipaddr($ipaddr) || !is_numeric($bits)) + return ""; + + return long2ip(ip2long($ipaddr) & gen_subnet_mask_long($bits)); +} + +/* return the highest (broadcast) address in the subnet given a host address and a subnet bit count */ +function gen_subnet_max($ipaddr, $bits) { + if (!is_ipaddr($ipaddr) || !is_numeric($bits)) + return ""; + + return long2ip(ip2long($ipaddr) | ~gen_subnet_mask_long($bits)); +} + +/* returns a subnet mask (long given a bit count) */ +function gen_subnet_mask_long($bits) { + $sm = 0; + for ($i = 0; $i < $bits; $i++) { + $sm >>= 1; + $sm |= 0x80000000; + } + return $sm; +} + +/* same as above but returns a string */ +function gen_subnet_mask($bits) { + return long2ip(gen_subnet_mask_long($bits)); +} + +function is_numericint($arg) { + return (preg_match("/[^0-9]/", $arg) ? false : true); +} + +/* returns true if $ipaddr is a valid dotted IPv4 address */ +function is_ipaddr($ipaddr) { + if (!is_string($ipaddr)) + return false; + + $ip_long = ip2long($ipaddr); + $ip_reverse = long2ip($ip_long); + + if ($ipaddr == $ip_reverse) + return true; + else + return false; +} + +/* returns true if $ipaddr is a valid dotted IPv4 address or an alias thereof */ +function is_ipaddroralias($ipaddr) { + + global $aliastable; + + if (isset($aliastable[$ipaddr]) && is_ipaddr($aliastable[$ipaddr])) + return true; + else + return is_ipaddr($ipaddr); +} + +/* returns true if $ipaddr is a valid dotted IPv4 address or any alias */ +function is_ipaddroranyalias($ipaddr) { + + global $aliastable; + + if (isset($aliastable[$ipaddr])) + return true; + else + return is_ipaddr($ipaddr); +} + +/* returns true if $subnet is a valid subnet in CIDR format */ +function is_subnet($subnet) { + if (!is_string($subnet)) + return false; + + list($hp,$np) = explode('/', $subnet); + + if (!is_ipaddr($hp)) + return false; + + if (!is_numeric($np) || ($np < 1) || ($np > 32)) + return false; + + return true; +} + +/* returns true if $subnet is a valid subnet in CIDR format or an alias thereof */ +function is_subnetoralias($subnet) { + + global $aliastable; + + if (isset($aliastable[$subnet]) && is_subnet($aliastable[$subnet])) + return true; + else + return is_subnet($subnet); +} + +/* returns true if $hostname is a valid hostname */ +function is_hostname($hostname) { + if (!is_string($hostname)) + return false; + + if (preg_match("/^[a-z0-9\-]+$/i", $hostname)) + return true; + else + return false; +} + +/* returns true if $domain is a valid domain name */ +function is_domain($domain) { + if (!is_string($domain)) + return false; + + if (preg_match("/^([a-z0-9\-]+\.?)*$/i", $domain)) + return true; + else + return false; +} + +/* returns true if $uname is a valid DynDNS username */ +function is_dyndns_username($uname) { + if (!is_string($uname)) + return false; + + if (preg_match("/[^a-z0-9\-.@_]/i", $uname)) + return false; + else + return true; +} + +/* returns true if $macaddr is a valid MAC address */ +function is_macaddr($macaddr) { + if (!is_string($macaddr)) + return false; + + $maca = explode(":", $macaddr); + if (count($maca) != 6) + return false; + + foreach ($maca as $macel) { + if (($macel === "") || (strlen($macel) > 2)) + return false; + if (preg_match("/[^0-9a-f]/i", $macel)) + return false; + } + + return true; +} + +/* returns true if $name is a valid name for an alias */ +function is_validaliasname($name) { + if (!preg_match("/[^a-zA-Z0-9]/", $name)) + return true; + else + return false; +} + +/* returns true if $port is a valid TCP/UDP port */ +function is_port($port) { + if (!is_numericint($port)) + return false; + + if (($port < 1) || ($port > 65535)) + return false; + else + return true; +} + +/* returns a list of interfaces with MAC addresses + (skips VLAN and other virtual interfaces) */ +function get_interface_list() { + + global $g; + + /* build interface list with netstat */ + exec("/usr/bin/netstat -inW -f link", $linkinfo); + array_shift($linkinfo); + + $iflist = array(); + + foreach ($linkinfo as $link) { + $alink = preg_split("/\s+/", $link); + $ifname = chop($alink[0]); + + if (substr($ifname, -1) == "*") + $ifname = substr($ifname, 0, strlen($ifname) - 1); + + if (!preg_match("/^(ppp|sl|gif|faith|lo|ng|vlan)/", $ifname)) { + $iflist[$ifname] = array(); + + $iflist[$ifname]['mac'] = chop($alink[3]); + $iflist[$ifname]['up'] = false; + + /* find out if the link on this interface is up */ + unset($ifinfo); + exec("/sbin/ifconfig {$ifname}", $ifinfo); + + foreach ($ifinfo as $ifil) { + if (preg_match("/status: (.*)$/", $ifil, $matches)) { + if ($matches[1] == "active") + $iflist[$ifname]['up'] = true; + break; + } + } + } + } + + return $iflist; +} + +/* wrapper for exec() */ +function mwexec($command) { + + global $g; + + if ($g['debug']) { + if (!$_SERVER['REMOTE_ADDR']) + echo "mwexec(): $command\n"; + passthru($command, $retval); + } else { + exec("$command > /dev/null 2>&1", $oarr, $retval); + } + + return $retval; +} + +/* wrapper for exec() in background */ +function mwexec_bg($command) { + + global $g; + + if ($g['debug']) { + if (!$_SERVER['REMOTE_ADDR']) + echo "mwexec(): $command\n"; + } + + exec("nohup $command > /dev/null 2>&1 &"); +} + +/* unlink a file, if it exists */ +function unlink_if_exists($fn) { + if (file_exists($fn)) + unlink($fn); +} + +/* make a global alias table (for faster lookups) */ +function alias_make_table() { + + global $config, $g, $aliastable; + + $aliastable = array(); + + if (is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['name']) + $aliastable[$alias['name']] = $alias['address']; + } + } +} + +/* check if an alias exists */ +function is_alias($name) { + + global $aliastable; + + return isset($aliastable[$name]); +} + +/* expand a host or network alias, if necessary */ +function alias_expand($name) { + + global $aliastable; + + if (isset($aliastable[$name])) + return $aliastable[$name]; + else if (is_ipaddr($name) || is_subnet($name)) + return $name; + else + return null; +} + +/* expand a host alias, if necessary */ +function alias_expand_host($name) { + + global $aliastable; + + if (isset($aliastable[$name]) && is_ipaddr($aliastable[$name])) + return $aliastable[$name]; + else if (is_ipaddr($name)) + return $name; + else + return null; +} + +/* expand a network alias, if necessary */ +function alias_expand_net($name) { + + global $aliastable; + + if (isset($aliastable[$name]) && is_subnet($aliastable[$name])) + return $aliastable[$name]; + else if (is_subnet($name)) + return $name; + else + return null; +} + +/* find out whether two subnets overlap */ +function check_subnets_overlap($subnet1, $bits1, $subnet2, $bits2) { + + if (!is_numeric($bits1)) + $bits1 = 32; + if (!is_numeric($bits2)) + $bits2 = 32; + + if ($bits1 < $bits2) + $relbits = $bits1; + else + $relbits = $bits2; + + $sn1 = gen_subnet_mask_long($relbits) & ip2long($subnet1); + $sn2 = gen_subnet_mask_long($relbits) & ip2long($subnet2); + + if ($sn1 == $sn2) + return true; + else + return false; +} + +/* compare two IP addresses */ +function ipcmp($a, $b) { + if (ip2long($a) < ip2long($b)) + return -1; + else if (ip2long($a) > ip2long($b)) + return 1; + else + return 0; +} + +/* return true if $addr is in $subnet, false if not */ +function ip_in_subnet($addr,$subnet) { + list($ip, $mask) = explode('/', $subnet); + $mask = 0xffffffff << (32 - $mask); + return ((ip2long($addr) & $mask) == (ip2long($ip) & $mask)); +} + +/* verify (and remove) the digital signature on a file - returns 0 if OK */ +function verify_digital_signature($fname) { + + global $g; + + return mwexec("/usr/local/bin/verifysig " . + escapeshellarg("{$g['etc_path']}/pubkey.pem") . " " . + escapeshellarg($fname)); +} + +/* obtain MAC address given an IP address by looking at the ARP table */ +function arp_get_mac_by_ip($ip) { + exec("/usr/sbin/arp -n {$ip}", $arpoutput); + + if ($arpoutput[0]) { + $arpi = explode(" ", $arpoutput[0]); + $macaddr = $arpi[3]; + if (is_macaddr($macaddr)) + return $macaddr; + else + return false; + } + + return false; +} + +?> diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc new file mode 100644 index 0000000..b73af46 --- /dev/null +++ b/etc/inc/vpn.inc @@ -0,0 +1,559 @@ +<?php +/* + vpn.inc + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); + +function vpn_ipsec_configure($ipchg = false) { + global $config, $g; + + $curwanip = get_current_wan_address(); + + $syscfg = $config['system']; + $ipseccfg = $config['ipsec']; + $lancfg = $config['interfaces']['lan']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + if ($g['booting']) { + if (!isset($ipseccfg['enable'])) + return 0; + + echo "Configuring IPsec VPN... "; + } else { + /* kill racoon */ + killbypid("{$g['varrun_path']}/racoon.pid"); + + /* wait for process to die */ + sleep(2); + + /* send a SIGKILL to be sure */ + sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); + } + + /* flush SPD and SAD */ + mwexec("/usr/sbin/setkey -FP"); + mwexec("/usr/sbin/setkey -F"); + + /* prefer old SAs only for 30 seconds, then use the new one */ + mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); + + if (isset($ipseccfg['enable'])) { + + if (!$curwanip) { + /* IP address not configured yet, exit */ + if ($g['booting']) + echo "done\n"; + return 0; + } + + if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || + isset($ipseccfg['mobileclients']['enable'])) { + + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { + + /* generate spd.conf */ + $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); + if (!$fd) { + printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); + return 1; + } + + $spdconf = ""; + + $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; + $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; + + foreach ($ipseccfg['tunnel'] as $tunnel) { + + if (isset($tunnel['disabled'])) + continue; + + $ep = vpn_endpoint_determine($tunnel, $curwanip); + if (!$ep) + continue; + + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); + + $spdconf .= "spdadd {$sa}/{$sn} " . + "{$tunnel['remote-subnet']} any -P out ipsec " . + "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . + "{$tunnel['remote-gateway']}/unique;\n"; + + $spdconf .= "spdadd {$tunnel['remote-subnet']} " . + "{$sa}/{$sn} any -P in ipsec " . + "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . + "{$ep}/unique;\n"; + } + + fwrite($fd, $spdconf); + fclose($fd); + + /* load SPD */ + mwexec("/usr/sbin/setkey -c < {$g['varetc_path']}/spd.conf"); + } + + /* generate racoon.conf */ + $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); + if (!$fd) { + printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); + return 1; + } + + $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; + + if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) + foreach ($ipseccfg['tunnel'] as $tunnel) { + + if (isset($tunnel['disabled'])) + continue; + + $ep = vpn_endpoint_determine($tunnel, $curwanip); + if (!$ep) + continue; + + vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); + + if (isset($tunnel['p1']['myident']['myaddress'])) { + $myidentt = "address"; + $myident = $ep; + } else if (isset($tunnel['p1']['myident']['address'])) { + $myidentt = "address"; + $myident = $tunnel['p1']['myident']['address']; + } else if (isset($tunnel['p1']['myident']['fqdn'])) { + $myidentt = "fqdn"; + $myident = $tunnel['p1']['myident']['fqdn']; + } else if (isset($tunnel['p1']['myident']['ufqdn'])) { + $myidentt = "user_fqdn"; + $myident = $tunnel['p1']['myident']['ufqdn']; + } + + $racoonconf .= <<<EOD +remote {$tunnel['remote-gateway']} \{ + exchange_mode {$tunnel['p1']['mode']}; + my_identifier {$myidentt} "{$myident}"; + peers_identifier address {$tunnel['remote-gateway']}; + initial_contact on; + support_proxy on; + proposal_check obey; + + proposal \{ + encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; + hash_algorithm {$tunnel['p1']['hash-algorithm']}; + authentication_method pre_shared_key; + dh_group {$tunnel['p1']['dhgroup']}; + +EOD; + if ($tunnel['p1']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; + + $racoonconf .= " }\n"; + + if ($tunnel['p1']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; + + $racoonconf .= "}\n\n"; + + $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); + $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); + + $racoonconf .= <<<EOD +sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ + encryption_algorithm {$p2ealgos}; + authentication_algorithm {$p2halgos}; + compression_algorithm deflate; + +EOD; + + if ($tunnel['p2']['pfsgroup']) + $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; + + if ($tunnel['p2']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; + + $racoonconf .= "}\n\n"; + } + + /* mobile clients? */ + if (isset($ipseccfg['mobileclients']['enable'])) { + + $tunnel = $ipseccfg['mobileclients']; + + if (isset($tunnel['p1']['myident']['myaddress'])) { + $myidentt = "address"; + $myident = $curwanip; + } else if (isset($tunnel['p1']['myident']['address'])) { + $myidentt = "address"; + $myident = $tunnel['p1']['myident']['address']; + } else if (isset($tunnel['p1']['myident']['fqdn'])) { + $myidentt = "fqdn"; + $myident = $tunnel['p1']['myident']['fqdn']; + } else if (isset($tunnel['p1']['myident']['ufqdn'])) { + $myidentt = "user_fqdn"; + $myident = $tunnel['p1']['myident']['ufqdn']; + } + + $racoonconf .= <<<EOD +remote anonymous \{ + exchange_mode {$tunnel['p1']['mode']}; + my_identifier {$myidentt} "{$myident}"; + initial_contact on; + passive on; + generate_policy on; + support_proxy on; + proposal_check obey; + + proposal \{ + encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; + hash_algorithm {$tunnel['p1']['hash-algorithm']}; + authentication_method pre_shared_key; + dh_group {$tunnel['p1']['dhgroup']}; + +EOD; + if ($tunnel['p1']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; + + $racoonconf .= " }\n"; + + if ($tunnel['p1']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; + + $racoonconf .= "}\n\n"; + + $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); + $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); + + $racoonconf .= <<<EOD +sainfo anonymous \{ + encryption_algorithm {$p2ealgos}; + authentication_algorithm {$p2halgos}; + compression_algorithm deflate; + +EOD; + + if ($tunnel['p2']['pfsgroup']) + $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; + + if ($tunnel['p2']['lifetime']) + $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; + + $racoonconf .= "}\n\n"; + } + + fwrite($fd, $racoonconf); + fclose($fd); + + /* generate psk.txt */ + $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); + if (!$fd) { + printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); + return 1; + } + + $pskconf = ""; + + if (is_array($ipseccfg['tunnel'])) { + foreach ($ipseccfg['tunnel'] as $tunnel) { + if (isset($tunnel['disabled'])) + continue; + $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; + } + } + + /* add PSKs for mobile clients */ + if (is_array($ipseccfg['mobilekey'])) { + foreach ($ipseccfg['mobilekey'] as $key) { + $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; + } + } + + fwrite($fd, $pskconf); + fclose($fd); + chmod("{$g['varetc_path']}/psk.txt", 0600); + + /* start racoon */ + mwexec("/usr/local/sbin/racoon -d -f {$g['varetc_path']}/racoon.conf"); + + foreach ($ipseccfg['tunnel'] as $tunnel) { + if (isset($tunnel['auto'])) { + $remotehost = substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/")); + $srchost = vpn_endpoint_determine($tunnel, $curwanip); + if ($srchost) + mwexec_bg("/sbin/ping -c 1 -S {$srchost} {$remotehost}"); + } + } + } + } + + if (!$g['booting']) { + /* reload the filter */ + filter_configure(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function vpn_pptpd_configure() { + global $config, $g; + + $syscfg = $config['system']; + $pptpdcfg = $config['pptpd']; + + if ($g['booting']) { + if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) + return 0; + + echo "Configuring PPTP VPN service... "; + } else { + /* kill mpd */ + killbypid("{$g['varrun_path']}/mpd-vpn.pid"); + + /* wait for process to die */ + sleep(2); + + /* remove mpd.conf, if it exists */ + unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); + unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); + unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); + } + + /* make sure mpd-vpn directory exists */ + if (!file_exists("{$g['varetc_path']}/mpd-vpn")) + mkdir("{$g['varetc_path']}/mpd-vpn"); + + switch ($pptpdcfg['mode']) { + + case 'server': + + /* write mpd.conf */ + $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); + if (!$fd) { + printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); + return 1; + } + + $mpdconf = <<<EOD +pptpd: + +EOD; + + for ($i = 0; $i < $g['n_pptp_units']; $i++) { + $mpdconf .= " load pt{$i}\n"; + } + + for ($i = 0; $i < $g['n_pptp_units']; $i++) { + + $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); + $ngif = "ng" . ($i+1); + + $mpdconf .= <<<EOD + +pt{$i}: + new -i {$ngif} pt{$i} pt{$i} + set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32 + load pts + +EOD; + } + + $mpdconf .= <<<EOD + +pts: + set iface disable on-demand + set iface enable proxy-arp + set iface enable tcpmssfix + set iface idle 1800 + set iface up-script /usr/local/sbin/vpn-linkup + set iface down-script /usr/local/sbin/vpn-linkdown + set bundle enable multilink + set bundle enable crypt-reqd + set link yes acfcomp protocomp + set link no pap chap + set link enable chap-msv2 + set link mtu 1460 + set link keep-alive 10 60 + set ipcp yes vjcomp + set bundle enable compression + set ccp yes mppc + set ccp yes mpp-e128 + set ccp yes mpp-stateless + +EOD; + + if (!isset($pptpdcfg['req128'])) { + $mpdconf .= <<<EOD + set ccp yes mpp-e40 + set ccp yes mpp-e56 + +EOD; + } + + if (isset($config['dnsmasq']['enable'])) { + $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; + if ($syscfg['dnsserver'][0]) + $mpdconf .= " " . $syscfg['dnsserver'][0]; + $mpdconf .= "\n"; + } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { + $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; + } + + if (isset($pptpdcfg['radius']['enable'])) { + $mpdconf .= <<<EOD + set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" + set radius retries 3 + set radius timeout 10 + set bundle enable radius-auth + set bundle disable radius-fallback + +EOD; + + if (isset($pptpdcfg['radius']['accounting'])) { + $mpdconf .= <<<EOD + set bundle enable radius-acct + +EOD; + } + } + + fwrite($fd, $mpdconf); + fclose($fd); + + /* write mpd.links */ + $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); + if (!$fd) { + printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); + return 1; + } + + $mpdlinks = ""; + + for ($i = 0; $i < $g['n_pptp_units']; $i++) { + $mpdlinks .= <<<EOD + +pt{$i}: + set link type pptp + set pptp enable incoming + set pptp disable originate + set pptp disable windowing + set pptp self 127.0.0.1 + +EOD; + } + + fwrite($fd, $mpdlinks); + fclose($fd); + + /* write mpd.secret */ + $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); + if (!$fd) { + printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); + return 1; + } + + $mpdsecret = ""; + + if (is_array($pptpdcfg['user'])) { + foreach ($pptpdcfg['user'] as $user) + $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; + } + + fwrite($fd, $mpdsecret); + fclose($fd); + chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); + + /* fire up mpd */ + mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); + + break; + + case 'redir': + break; + } + + if (!$g['booting']) { + /* reload the filter */ + filter_configure(); + } + + if ($g['booting']) + echo "done\n"; + + return 0; +} + +function vpn_localnet_determine($adr, &$sa, &$sn) { + global $config, $g; + + if (isset($adr)) { + if ($adr['network']) { + switch ($adr['network']) { + case 'lan': + $sn = $config['interfaces']['lan']['subnet']; + $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); + break; + } + } else if ($adr['address']) { + list($sa,$sn) = explode("/", $adr['address']); + if (is_null($sn)) + $sn = 32; + } + } else { + $sn = $config['interfaces']['lan']['subnet']; + $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); + } +} + +function vpn_endpoint_determine($tunnel, $curwanip) { + + global $g, $config; + + if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) { + if ($curwanip) + return $curwanip; + else + return null; + } else if ($tunnel['interface'] == "lan") { + return $config['interfaces']['lan']['ipaddr']; + } else { + $oc = $config['interfaces'][$tunnel['interface']]; + + if (isset($oc['enable']) && $oc['if']) { + return $oc['ipaddr']; + } + } + + return null; +} + +?> diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc new file mode 100644 index 0000000..1fdadac --- /dev/null +++ b/etc/inc/xmlparse.inc @@ -0,0 +1,205 @@ +<?php +/* + xmlparse.inc + functions to parse/dump configuration files in XML format + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* tags that are always to be handled as lists */ +$listtags = explode(" ", "rule user key subqueue dnsserver winsserver " . + "encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone " . + "staticmap route alias pipe queue shellcmd earlyshellcmd mobilekey " . + "servernat proxyarpnet passthrumac allowedip wolentry vlan"); + +function startElement($parser, $name, $attrs) { + global $depth, $curpath, $config, $havedata, $listtags; + + array_push($curpath, strtolower($name)); + + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + + /* is it an element that belongs to a list? */ + if (in_array(strtolower($name), $listtags)) { + + /* is there an array already? */ + if (!is_array($ptr)) { + /* make an array */ + $ptr = array(); + } + + array_push($curpath, count($ptr)); + + } else if (isset($ptr)) { + /* multiple entries not allowed for this element, bail out */ + die(sprintf("XML error: %s at line %d cannot occur more than once\n", + $name, + xml_get_current_line_number($parser))); + } + + $depth++; + $havedata = $depth; +} + +function endElement($parser, $name) { + global $depth, $curpath, $config, $havedata, $listtags; + + if ($havedata == $depth) { + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + $ptr = ""; + } + + array_pop($curpath); + + if (in_array(strtolower($name), $listtags)) + array_pop($curpath); + + $depth--; +} + +function cData($parser, $data) { + global $depth, $curpath, $config, $havedata; + + $data = trim($data, "\t\n\r"); + + if ($data != "") { + $ptr =& $config; + foreach ($curpath as $path) { + $ptr =& $ptr[$path]; + } + + if (is_string($ptr)) { + $ptr .= $data; + } else { + if (trim($data, " ") != "") { + $ptr = $data; + $havedata++; + } + } + } +} + +function parse_xml_config($cffile, $rootobj) { + + global $depth, $curpath, $config, $havedata, $listtags; + + $config = array(); + $curpath = array(); + $depth = 0; + $havedata = 0; + + $xml_parser = xml_parser_create(); + + xml_set_element_handler($xml_parser, "startElement", "endElement"); + xml_set_character_data_handler($xml_parser, "cdata"); + + if (!($fp = fopen($cffile, "r"))) { + die("Error: could not open XML input\n"); + } + + while ($data = fread($fp, 4096)) { + if (!xml_parse($xml_parser, $data, feof($fp))) { + die(sprintf("XML error: %s at line %d\n", + xml_error_string(xml_get_error_code($xml_parser)), + xml_get_current_line_number($xml_parser))); + } + } + xml_parser_free($xml_parser); + + if (!$config[$rootobj]) { + die("XML error: no $rootobj object found!\n"); + } + + return $config[$rootobj]; +} + +function dump_xml_config_sub($arr, $indent) { + + global $listtags; + + $xmlconfig = ""; + + foreach ($arr as $ent => $val) { + if (is_array($val)) { + /* is it just a list of multiple values? */ + if (in_array(strtolower($ent), $listtags)) { + foreach ($val as $cval) { + if (is_array($cval)) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>\n"; + $xmlconfig .= dump_xml_config_sub($cval, $indent + 1); + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "</$ent>\n"; + } else { + $xmlconfig .= str_repeat("\t", $indent); + if ((is_bool($cval) && ($cval == true)) || + ($cval === "")) + $xmlconfig .= "<$ent/>\n"; + else if (!is_bool($cval)) + $xmlconfig .= "<$ent>" . htmlspecialchars($cval) . "</$ent>\n"; + } + } + } else { + /* it's an array */ + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>\n"; + $xmlconfig .= dump_xml_config_sub($val, $indent + 1); + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "</$ent>\n"; + } + } else { + if ((is_bool($val) && ($val == true)) || ($val === "")) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent/>\n"; + } else if (!is_bool($val)) { + $xmlconfig .= str_repeat("\t", $indent); + $xmlconfig .= "<$ent>" . htmlspecialchars($val) . "</$ent>\n"; + } + } + } + + return $xmlconfig; +} + +function dump_xml_config($arr, $rootobj) { + + $xmlconfig = "<?xml version=\"1.0\"?" . ">\n"; + $xmlconfig .= "<$rootobj>\n"; + + $xmlconfig .= dump_xml_config_sub($arr, 1); + + $xmlconfig .= "</$rootobj>\n"; + + return $xmlconfig; +} + +?> diff --git a/etc/login.conf b/etc/login.conf new file mode 100644 index 0000000..fc6b37c --- /dev/null +++ b/etc/login.conf @@ -0,0 +1,316 @@ +# login.conf - login class capabilities database. +# +# Remember to rebuild the database after each change to this file: +# +# cap_mkdb /etc/login.conf +# +# This file controls resource limits, accounting limits and +# default user environment settings. +# +# $FreeBSD: src/etc/login.conf,v 1.34.2.6 2002/07/02 20:06:18 dillon Exp $ +# + +# Default settings effectively disable resource limits, see the +# examples below for a starting point to enable them. + +# defaults +# These settings are used by login(1) by default for classless users +# Note that entries like "cputime" set both "cputime-cur" and "cputime-max" + +default:\ + :passwd_format=md5:\ + :copyright=/etc/COPYRIGHT:\ + :welcome=/etc/motd:\ + :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ + :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\ + :nologin=/var/run/nologin:\ + :cputime=unlimited:\ + :datasize=unlimited:\ + :stacksize=unlimited:\ + :memorylocked=unlimited:\ + :memoryuse=unlimited:\ + :filesize=unlimited:\ + :coredumpsize=unlimited:\ + :openfiles=unlimited:\ + :maxproc=unlimited:\ + :sbsize=unlimited:\ + :vmemoryuse=unlimited:\ + :priority=0:\ + :ignoretime@:\ + :umask=022: + + +# +# A collection of common class names - forward them all to 'default' +# (login would normally do this anyway, but having a class name +# here suppresses the diagnostic) +# +standard:\ + :tc=default: +xuser:\ + :tc=default: +staff:\ + :tc=default: +daemon:\ + :tc=default: +news:\ + :tc=default: +dialer:\ + :tc=default: + +# +# Root can always login +# +# N.B. login_getpwclass(3) will use this entry for the root account, +# in preference to 'default'. +root:\ + :ignorenologin:\ + :tc=default: + +# +# Russian Users Accounts. Setup proper environment variables. +# +russian|Russian Users Accounts:\ + :charset=KOI8-R:\ + :lang=ru_RU.KOI8-R:\ + :tc=default: + + +###################################################################### +###################################################################### +## +## Example entries +## +###################################################################### +###################################################################### + +## Example defaults +## These settings are used by login(1) by default for classless users +## Note that entries like "cputime" set both "cputime-cur" and "cputime-max" +# +#default:\ +# :cputime=infinity:\ +# :datasize-cur=22M:\ +# :stacksize-cur=8M:\ +# :memorylocked-cur=10M:\ +# :memoryuse-cur=30M:\ +# :filesize=infinity:\ +# :coredumpsize=infinity:\ +# :maxproc-cur=64:\ +# :openfiles-cur=64:\ +# :priority=0:\ +# :requirehome@:\ +# :umask=022:\ +# :tc=auth-defaults: +# +# +## +## standard - standard user defaults +## +#standard:\ +# :copyright=/etc/COPYRIGHT:\ +# :welcome=/etc/motd:\ +# :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ +# :path=~/bin /bin /usr/bin /usr/local/bin:\ +# :manpath=/usr/share/man /usr/local/man:\ +# :nologin=/var/run/nologin:\ +# :cputime=1h30m:\ +# :datasize=8M:\ +# :vmemoryuse=100M:\ +# :stacksize=2M:\ +# :memorylocked=4M:\ +# :memoryuse=8M:\ +# :filesize=8M:\ +# :coredumpsize=8M:\ +# :openfiles=24:\ +# :maxproc=32:\ +# :priority=0:\ +# :requirehome:\ +# :passwordtime=90d:\ +# :umask=002:\ +# :ignoretime@:\ +# :tc=default: +# +# +## +## users of X (needs more resources!) +## +#xuser:\ +# :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\ +# :cputime=4h:\ +# :datasize=12M:\ +# :vmemoryuse=infinity:\ +# :stacksize=4M:\ +# :filesize=8M:\ +# :memoryuse=16M:\ +# :openfiles=32:\ +# :maxproc=48:\ +# :tc=standard: +# +# +## +## Staff users - few restrictions and allow login anytime +## +#staff:\ +# :ignorenologin:\ +# :ignoretime:\ +# :requirehome@:\ +# :accounted@:\ +# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :umask=022:\ +# :tc=standard: +# +# +## +## root - fallback for root logins +## +#root:\ +# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :cputime=infinity:\ +# :datasize=infinity:\ +# :stacksize=infinity:\ +# :memorylocked=infinity:\ +# :memoryuse=infinity:\ +# :filesize=infinity:\ +# :coredumpsize=infinity:\ +# :openfiles=infinity:\ +# :maxproc=infinity:\ +# :memoryuse-cur=32M:\ +# :maxproc-cur=64:\ +# :openfiles-cur=1024:\ +# :priority=0:\ +# :requirehome@:\ +# :umask=022:\ +# :tc=auth-root-defaults: +# +# +## +## Settings used by /etc/rc +## +#daemon:\ +# :coredumpsize@:\ +# :coredumpsize-cur=0:\ +# :datasize=infinity:\ +# :datasize-cur@:\ +# :maxproc=512:\ +# :maxproc-cur@:\ +# :memoryuse-cur=64M:\ +# :memorylocked-cur=64M:\ +# :openfiles=1024:\ +# :openfiles-cur@:\ +# :stacksize=16M:\ +# :stacksize-cur@:\ +# :tc=default: +# +# +## +## Settings used by news subsystem +## +#news:\ +# :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ +# :cputime=infinity:\ +# :filesize=128M:\ +# :datasize-cur=64M:\ +# :stacksize-cur=32M:\ +# :coredumpsize-cur=0:\ +# :maxmemorysize-cur=128M:\ +# :memorylocked=32M:\ +# :maxproc=128:\ +# :openfiles=256:\ +# :tc=default: +# +# +## +## The dialer class should be used for a dialup PPP/SLIP accounts +## Welcome messages/news suppressed +## +#dialer:\ +# :hushlogin:\ +# :requirehome@:\ +# :cputime=unlimited:\ +# :filesize=2M:\ +# :datasize=2M:\ +# :stacksize=4M:\ +# :coredumpsize=0:\ +# :memoryuse=4M:\ +# :memorylocked=1M:\ +# :maxproc=16:\ +# :openfiles=32:\ +# :tc=standard: +# +# +## +## Site full-time 24/7 PPP/SLIP connections +## - no time accounting, restricted to access via dialin lines +## +#site:\ +# :ignoretime:\ +# :passwordtime@:\ +# :refreshtime@:\ +# :refreshperiod@:\ +# :sessionlimit@:\ +# :autodelete@:\ +# :expireperiod@:\ +# :graceexpire@:\ +# :gracetime@:\ +# :warnexpire@:\ +# :warnpassword@:\ +# :idletime@:\ +# :sessiontime@:\ +# :daytime@:\ +# :weektime@:\ +# :monthtime@:\ +# :warntime@:\ +# :accounted@:\ +# :tc=dialer:\ +# :tc=staff: +# +# +## +## Example standard accounting entries for subscriber levels +## +# +#subscriber|Subscribers:\ +# :accounted:\ +# :refreshtime=180d:\ +# :refreshperiod@:\ +# :sessionlimit@:\ +# :autodelete=30d:\ +# :expireperiod=180d:\ +# :graceexpire=7d:\ +# :gracetime=10m:\ +# :warnexpire=7d:\ +# :warnpassword=7d:\ +# :idletime=30m:\ +# :sessiontime=4h:\ +# :daytime=6h:\ +# :weektime=40h:\ +# :monthtime=120h:\ +# :warntime=4h:\ +# :tc=standard: +# +# +## +## Subscriber accounts. These accounts have their login times +## accounted and have access limits applied. +## +#subppp|PPP Subscriber Accounts:\ +# :tc=dialer:\ +# :tc=subscriber: +# +# +#subslip|SLIP Subscriber Accounts:\ +# :tc=dialer:\ +# :tc=subscriber: +# +# +#subshell|Shell Subscriber Accounts:\ +# :tc=subscriber: +# +## +## If you want some of the accounts to use traditional UNIX DES based +## password hashes. +## +#des_users:\ +# :passwd_format=des:\ +# :tc=default: diff --git a/etc/master.passwd b/etc/master.passwd new file mode 100644 index 0000000..88b0dd1 --- /dev/null +++ b/etc/master.passwd @@ -0,0 +1,26 @@ +# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $ +# +root::0:0::0:0:Charlie &:/root:/etc/rc.initial +toor:*:0:0::0:0:Bourne-again Superuser:/root: +daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin +operator:*:2:5::0:0:System &:/:/usr/sbin/nologin +bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin +tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin +kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin +games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin +news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin +man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin +sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin +smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin +mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin +bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin +proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin +_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin +uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico +pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin +nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin +distcc:*:1001:1001::0:0:Distcc:/home/distcc:/sbin/nologin +dhcpd:*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin +admin:*:101:101::0:0:Admin User:/home/admin:/etc/rc.initial + diff --git a/etc/networks b/etc/networks new file mode 100644 index 0000000..92982b5 --- /dev/null +++ b/etc/networks @@ -0,0 +1,17 @@ +# $FreeBSD: src/etc/networks,v 1.3 1999/08/27 23:23:42 peter Exp $ +# @(#)networks 5.1 (Berkeley) 6/30/90 +# +# Your Local Networks Database +# +your-net 127 # your comment +your-netmask 255.255.255 # subnet mask for your-net + +# +# Your subnets +# +subnet1 127.0.1 alias1 # comment 1 +subnet2 127.0.2 alias2 # comment 2 + +# +# Internet networks (from nic.ddn.mil) +# diff --git a/etc/pamd.conf b/etc/pamd.conf new file mode 100644 index 0000000..78df63d --- /dev/null +++ b/etc/pamd.conf @@ -0,0 +1,55 @@ +# Configuration file for Pluggable Authentication Modules (PAM). +# +# This file controls the authentication methods that login and other +# utilities use. See pam(8) for a description of its format. +# +# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $ +# +# service-name module-type control-flag module-path arguments +# +# module-type: +# auth: prompt for a password to authenticate that the user is +# who they say they are, and set any credentials. +# account: non-authentication based authorization, based on time, +# resources, etc. +# session: housekeeping before and/or after login. +# password: update authentication tokens. +# +# control-flag: How libpam handles success or failure of the module. +# required: success is required, and on failure all remaining +# modules are run. +# requisite: success is required, and on failure no remaining +# modules are run. +# sufficient: success is sufficient, and if no previous required +# module failed, no remaining modules are run. +# optional: ignored unless the other modules return PAM_IGNORE. +# +# arguments: +# Passed to the module; module-specific plus some generic ones: +# debug: syslog debug info. +# no_warn: return no warning messages to the application. +# use_first_pass: try authentication using password from the +# preceding auth module. +# try_first_pass: first try authentication using password from +# the preceding auth module, and if that fails +# prompt for a new password. +# use_mapped_pass: convert cleartext password to a crypto key. +# expose_account: allow printing more info about the user when +# prompting. +# +# Each final entry must say "required" -- otherwise, things don't +# work quite right. If you delete a final entry, be sure to change +# "sufficient" to "required" in the entry before it. +# +## OpenSSH with PAM support requires similar modules. The session one is +## a bit strange, though... +sshd auth sufficient pam_skey.so +sshd auth sufficient pam_opie.so no_fake_prompts +#sshd auth requisite pam_opieaccess.so +#sshd auth sufficient pam_kerberosIV.so try_first_pass +#sshd auth sufficient pam_krb5.so try_first_pass +sshd auth required pam_unix.so try_first_pass +sshd account required pam_unix.so +sshd password required pam_permit.so +sshd session required pam_permit.so + diff --git a/etc/passwd b/etc/passwd new file mode 100644 index 0000000..86c9b58 --- /dev/null +++ b/etc/passwd @@ -0,0 +1,10 @@ +root:*:0:0:Charlie &:/root:/etc/rc.initial +toor:*:0:0:Bourne-again Superuser:/root: +daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin +operator:*:2:5:System &:/:/sbin/nologin +bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin +tty:*:4:65533:Tty Sandbox:/:/sbin/nologin +kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin +www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin +nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin +admin:*:101:101:Admin Account:/home/admin:/bin/sh diff --git a/etc/pccard.conf b/etc/pccard.conf new file mode 100644 index 0000000..75fa24a --- /dev/null +++ b/etc/pccard.conf @@ -0,0 +1,435 @@ + +# Generally available IO ports +io 0x240-0x360 +# on i386 IRQs can be any of 3 4 5 7 9 10 11 12 14 15 +# on pc98 IRQs can be any of 3 5 6 9 10 11 12 13 +# but *MUST* *NOT* be used by anything else, unless you are using current +# and a PCI cardbus bridge that allows sharing. Even then, the rules +# for interrupt sharing can be tricky. +# Generally available IRQs (Built-in sound-card owners remove 5) +irq 3 5 10 11 15 +# Available memory slots +memory 0xd4000 96k +# Debug level, so you know how to get more info for maintainers. Put it +# in /etc/pccard.conf +#debuglevel 4 + +########## an ########## + +# Aironet PC4500 2Mbps 802.11 wireless NIC +card "Aironet" "PC4500" + config 0x5 "an0" ? + config 0x5 "an1" ? + config 0x5 "an2" ? + +# Aironet PC4800 11Mbps 802.11 wireless NIC +card "Aironet" "PC4800" + config 0x5 "an0" ? + config 0x5 "an1" ? + config 0x5 "an2" ? + +# Aironet 340 Series 11Mbps 802.11 wireless NIC +card "Cisco Systems" "340 Series Wireless LAN Adapter" + config auto "an0" ? + config auto "an1" ? + config auto "an2" ? + +# Aironet 350 Series 11Mbps 802.11 wireless NIC +card "Cisco Systems" "350 Series Wireless LAN Adapter" + config auto "an0" ? + config auto "an1" ? + config auto "an2" ? + +# Xircom sells a rebaded unit +card "Xircom" "Wireless Ethernet Adapter" + config 0x5 "an0" ? + config 0x5 "an1" ? + config 0x5 "an2" ? + +########## wi ########## + +# OEM ID 0x5 unlabelled PRISM2.5 card +card " " "IEEE 802.11 Wireless LAN/PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# 3com 3crwe737A AirConnect Wireless LAN PC Card +card "3Com" "3CRWE737A AirConnect Wireless LAN PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Accton airDirect WN3301 +card "Accton" "IEEE802.11 PC Card Adapter" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Actiontec PRISM wireless +card "ACTIONTEC" "PRISM Wireless LAN PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Addtron AWP-100 +card "Addtron" "AWP-100 Wireless PCMCIA" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# ADLINK340APC +card "ADTEC" "ADLINK/340C" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Home Wireless Networks +card "AirWay" "802.11 Adapter (PCMCIA)" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Allied Telesis WR211PCM +card "Allied Telesis K.K." "WR211PCM" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Avaya Wireless PC Card +card "Avaya Communication" "Avaya Wireless PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Belkin wireless card +card "Belkin" "11Mbps Wireless Notebook Network Adapter" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# BreezeNET +card "BreezeNET" "PC-DS.11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Buffalo WLI-CF-S11G +card "BUFFALO" "WLI-CF-S11G" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Melco Airconnect 3.3V version +card "BUFFALO" "WLI-PCM-S11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Melco Airconnect (128bit WEP) +card "BUFFALO" "WLI-PCM-L11G" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Cabletron RoamAbout, WaveLAN/IEEE clone +card "Cabletron" "RoamAbout 802.11 DS" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# Compaq WL100 +card "Compaq" "WL100_11Mbps_Wireless_PC_Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Compaq WL110 +card "Compaq" "Compaq WL110 PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Compaq WL200 +card "Compaq" "WL200_11Mbps_Wireless_PCI_Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Compaq WL200 (might be wrong) +card "Compaq" "Compaq WL200_11Mbps_Wireless_PCI_Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Corega KK Wireless LAN PCC-11 +card "corega K.K." "Wireless LAN PCC-11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Corega KK Wireless LAN PCCA-11 +card "corega K.K." "Wireless LAN PCCA-11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Corega KK Wireless LAN PCCB-11 +card "corega_K.K." "Wireless_LAN_PCCB-11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Corega KK Wireless LAN PCCL-11 +card "corega" "WL PCCL-11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# D Link DWL-650 11Mbps WLAN Card +card "D" "Link DWL-650 11Mbps WLAN Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# DLink Air DWL-660 Wireless PC Card +card "D-Link" "D-Link Air DWL-660 Wireless PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Dell TrueMobile (OEMed Lucent WaveLAN/IEEE) +card "Dell" "TrueMobile 1150 Series PC Card" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# ELECOM Air@Hawk/LD-WL11/PCC (0.7.5) +card "ELECOM" "Air@Hark/LD-WL11/PCC" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# ELECOM Air@Hawk/LD-WL11/PCC (0.7.6 and later) +card "ELECOM" "Air@Hawk/LD-WL11/PCC" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# ELSA Air Lancer +card "ELSA" "AirLancer MC-11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Fujitsu Siemens CONNECT2AIR WLAN C-1100 CF-Card +card "Fujitsu Siemens Computers" "CONNECT2AIR WLAN C-1100 CF-Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# PLANEX GeoWave/GW-NS11S +card "Geowave" "GW-NS11S" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Linksys Instant Wireless WPC11 +card "/Instant Wireless */" " Network PC CARD" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Intel PRO/Wireless 2011 LAN PC Card +card "Intel" "PRO/Wireless 2011 LAN PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# ICOM SL-1100 +card "ICOM" "SL-1100" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# OEM PRISM cards +card "INTERSIL" "HFA384x/IEEE" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# IO Data WN-B11/PCM +card "IO DATA" "WNB11PCM" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# IBM's rebadged Lucent WaveLAN/IEEE. The FCC IDs are identical to +# those for the Lucent card, so presumably everything else is as well. +card "IBM Corporation" "IBM High Rate Wireless LAN PC Card" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# Lucent WaveLAN/IEEE +card "Lucent Technologies" "WaveLAN/IEEE" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# Melco Airconnect +card "MELCO" "WLI-PCM-L11" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# nanospeed card of some flavor. +card "NANOSPEED" "HFA384x/IEEE" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# NCR WaveLAN/IEEE +card "NCR" "WaveLAN/IEEE" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# NEC Wireless Card CMZ-RT-WP +card "NEC" "Wireless Card CMZ-RT-WP" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# NEC WL11C (PC-WL/11C) +card "NEC Aterm" "WL11C (PC-WL/11C)" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# NEC Corporation PK-WL001 +card "NEC Corporation" "Wireless PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Netgear MA401 +card "NETGEAR MA401 Wireless PC" "Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Netgear MA401RA +card "NETGEAR MA401RA Wireless PC" "Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Nortel eMobility +card "Nortel Networks" "emobility 802.11 Wireless LAN PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Generic PRISM2.5 card +card "PCMCIA" "11M WLAN Card v2.5" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# PLANEX GeoWave/GW-NS110 +card "PLANEX" "GeoWave/GW-NS110" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# PLANEX GW-NS11H +card "PLANEX" "GW-NS11H Wireless LAN PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Proxim Harmony +card "PROXIM" "Harmony 802.11b/LAN PC CARD" + config 0x1 "wi0" ? + config 0x1 "wi1" ? + config 0x1 "wi2" ? + +# Proxim RangeLAN-DS (OEM of Zcommax - Prism2 card) +card "PROXIM" "RangeLAN-DS/LAN PC CARD" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# SAMSUNG SWL-2000P PCI Card +card "SAMSUNG" "11Mbps WLAN PCI Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# SMC's SMC2632W (also matches the 3.3V SMC2602W) +card "SMC" "SMC2632W" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Sony PCWA-C100 WaveLAN +card "Sony Corporation" "PCWA-C100" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# German Telekom T-Sinus 130card, unknown original manufactor +card "T-Sinus" "130card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# TDK LAK-CD011WL +card "TDK" "LAK-CD011WL for Wireless LAN" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Linksys Instant Wireless WPC11 v2.5 +card "The Linksys Group, Inc." "Instant Wireless Network PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Toshibas wireless lan card +card "TOSHIBA" "Wireless LAN Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# U.S. Robotics Wireless Card 2410 +card "U.S. Robotics" "IEEE 802.11b PC-CARD" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Taiwanese Blue Concentric Circle CF Wireless LAN Model WL-379F +# This is a card sold in Taiwan. +card "Wireless LAN" "11Mbps PC Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# Wisecom WS-WP100W +card "OEM" "PRISM25 IEEE 802.11 PC-Card" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# YIS YWL-11B +card "YIS Corp." "YWL-11b" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? + +# ZoomAir 802.11 +card "ZoomAir 11Mbps High" "Rate wireless Networking" + config auto "wi0" ? + config auto "wi1" ? + config auto "wi2" ? diff --git a/etc/platform b/etc/platform new file mode 100644 index 0000000..f964569 --- /dev/null +++ b/etc/platform @@ -0,0 +1 @@ +net45xx diff --git a/etc/protocols b/etc/protocols new file mode 100644 index 0000000..20e2741 --- /dev/null +++ b/etc/protocols @@ -0,0 +1,146 @@ +# +# Internet protocols +# +# $FreeBSD: src/etc/protocols,v 1.13.2.3 2002/02/27 03:39:00 dd Exp $ +# from: @(#)protocols 5.1 (Berkeley) 4/17/89 +# +# See also http://www.iana.org/assignments/protocol-numbers +# +ip 0 IP # internet protocol, pseudo protocol number +#hopopt 0 HOPOPT # hop-by-hop options for ipv6 +icmp 1 ICMP # internet control message protocol +igmp 2 IGMP # internet group management protocol +ggp 3 GGP # gateway-gateway protocol +ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'') +st2 5 ST2 # ST2 datagram mode (RFC 1819) +tcp 6 TCP # transmission control protocol +cbt 7 CBT # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk> +egp 8 EGP # exterior gateway protocol +igp 9 IGP # any private interior gateway (Cisco: for IGRP) +bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring +nvp 11 NVP-II # Network Voice Protocol +pup 12 PUP # PARC universal packet protocol +argus 13 ARGUS # ARGUS +emcon 14 EMCON # EMCON +xnet 15 XNET # Cross Net Debugger +chaos 16 CHAOS # Chaos +udp 17 UDP # user datagram protocol +mux 18 MUX # Multiplexing protocol +dcn 19 DCN-MEAS # DCN Measurement Subsystems +hmp 20 HMP # host monitoring protocol +prm 21 PRM # packet radio measurement protocol +xns-idp 22 XNS-IDP # Xerox NS IDP +trunk-1 23 TRUNK-1 # Trunk-1 +trunk-2 24 TRUNK-2 # Trunk-2 +leaf-1 25 LEAF-1 # Leaf-1 +leaf-2 26 LEAF-2 # Leaf-2 +rdp 27 RDP # "reliable datagram" protocol +irtp 28 IRTP # Internet Reliable Transaction Protocol +iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4 +netblt 30 NETBLT # Bulk Data Transfer Protocol +mfe-nsp 31 MFE-NSP # MFE Network Services Protocol +merit-inp 32 MERIT-INP # MERIT Internodal Protocol +sep 33 SEP # Sequential Exchange Protocol +3pc 34 3PC # Third Party Connect Protocol +idpr 35 IDPR # Inter-Domain Policy Routing Protocol +xtp 36 XTP # Xpress Tranfer Protocol +ddp 37 DDP # Datagram Delivery Protocol +idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto +tp++ 39 TP++ # TP++ Transport Protocol +il 40 IL # IL Transport Protocol +ipv6 41 IPV6 # ipv6 +sdrp 42 SDRP # Source Demand Routing Protocol +ipv6-route 43 IPV6-ROUTE # routing header for ipv6 +ipv6-frag 44 IPV6-FRAG # fragment header for ipv6 +idrp 45 IDRP # Inter-Domain Routing Protocol +rsvp 46 RSVP # Resource ReSerVation Protocol +gre 47 GRE # Generic Routing Encapsulation +mhrp 48 MHRP # Mobile Host Routing Protocol +bna 49 BNA # BNA +esp 50 ESP # encapsulating security payload +ah 51 AH # authentication header +i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA +swipe 53 SWIPE # IP with Encryption +narp 54 NARP # NBMA Address Resolution Protocol +mobile 55 MOBILE # IP Mobility +tlsp 56 TLSP # Transport Layer Security Protocol +skip 57 SKIP # SKIP +ipv6-icmp 58 IPV6-ICMP # ICMP for IPv6 +ipv6-nonxt 59 IPV6-NONXT # no next header for ipv6 +ipv6-opts 60 IPV6-OPTS # destination options for ipv6 +# 61 # any host internal protocol +cftp 62 CFTP # CFTP +# 63 # any local network +sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK +kryptolan 65 KRYPTOLAN # Kryptolan +rvd 66 RVD # MIT Remote Virtual Disk Protocol +ippc 67 IPPC # Internet Pluribus Packet Core +# 68 # any distributed file system +sat-mon 69 SAT-MON # SATNET Monitoring +visa 70 VISA # VISA Protocol +ipcv 71 IPCV # Internet Packet Core Utility +cpnx 72 CPNX # Computer Protocol Network Executive +cphb 73 CPHB # Computer Protocol Heart Beat +wsn 74 WSN # Wang Span Network +pvp 75 PVP # Packet Video Protocol +br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring +sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary +wb-mon 78 WB-MON # WIDEBAND Monitoring +wb-expak 79 WB-EXPAK # WIDEBAND EXPAK +iso-ip 80 ISO-IP # ISO Internet Protocol +vmtp 81 VMTP # Versatile Message Transport +secure-vmtp 82 SECURE-VMTP # SECURE-VMTP +vines 83 VINES # VINES +ttp 84 TTP # TTP +nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP +dgp 86 DGP # Dissimilar Gateway Protocol +tcf 87 TCF # TCF +eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco) +ospf 89 OSPFIGP # Open Shortest Path First IGP +sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol +larp 91 LARP # Locus Address Resolution Protocol +mtp 92 MTP # Multicast Transport Protocol +ax.25 93 AX.25 # AX.25 Frames +ipip 94 IPIP # Yet Another IP encapsulation +micp 95 MICP # Mobile Internetworking Control Pro. +scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro. +etherip 97 ETHERIP # Ethernet-within-IP Encapsulation +encap 98 ENCAP # Yet Another IP encapsulation +# 99 # any private encryption scheme +gmtp 100 GMTP # GMTP +ifmp 101 IFMP # Ipsilon Flow Management Protocol +pnni 102 PNNI # PNNI over IP +pim 103 PIM # Protocol Independent Multicast +aris 104 ARIS # ARIS +scps 105 SCPS # SCPS +qnx 106 QNX # QNX +a/n 107 A/N # Active Networks +ipcomp 108 IPComp # IP Payload Compression Protocol +snp 109 SNP # Sitara Networks Protocol +compaq-peer 110 Compaq-Peer # Compaq Peer Protocol +ipx-in-ip 111 IPX-in-IP # IPX in IP +vrrp 112 VRRP # Virtual Router Redundancy Protocol +pgm 113 PGM # PGM Reliable Transport Protocol +# 114 # any 0-hop protocol +l2tp 115 L2TP # Layer Two Tunneling Protocol +ddx 116 DDX # D-II Data Exchange +iatp 117 IATP # Interactive Agent Transfer Protocol +st 118 ST # Schedule Transfer +srp 119 SRP # SpectraLink Radio Protocol +uti 120 UTI # UTI +smp 121 SMP # Simple Message Protocol +sm 122 SM # SM +ptp 123 PTP # Performance Transparency Protocol +isis 124 ISIS # ISIS over IPv4 +fire 125 FIRE +crtp 126 CRTP # Combat Radio Transport Protocol +crudp 127 CRUDP # Combat Radio User Datagram +sscopmce 128 SSCOPMCE +iplt 129 IPLT +sps 130 SPS # Secure Packet Shield +pipe 131 PIPE # Private IP Encapsulation within IP +sctp 132 SCTP # Stream Control Transmission Protocol +fc 133 FC # Fibre Channel +# 134-254 # Unassigned +divert 254 DIVERT # Divert pseudo-protocol [non IANA] +# 255 # Reserved diff --git a/etc/pubkey.pem b/etc/pubkey.pem new file mode 100644 index 0000000..f935cb5 --- /dev/null +++ b/etc/pubkey.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH/03JimtLfN8ggkf26hOCdAaE +5Ha+c9cqoms2/AXPMWjapkalizztGhvffTk5v1Y/mDwgkI09kqArnXqRCGFSyRDB +utGizQ4OghmsBgWzBKw/biLiXZcfXpaZxfAsJ2aSDOy+ezIoPblRfqnVBzg49RPM +Pe9HoJqCn1GxIhHrKwIDAQAB +-----END PUBLIC KEY----- @@ -0,0 +1,62 @@ +#!/bin/sh + +# /etc/rc +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. +# All rights reserved. + +stty status '^T' + +trap : 2 +trap : 3 + +HOME=/ +PATH=/sbin:/bin:/usr/sbin:/usr/bin +export HOME PATH + +/sbin/mount -a || fsck -y && mount -a + +set -T +trap "echo 'Reboot interrupted'; exit 1" 3 + +# make some directories in /var +mkdir /var/run /var/log /var/etc /var/db/ipf 2>/dev/null +chmod 0755 /var/db/ipf +rm -rf /var/log/* + +# generate circular logfiles +clog -i -s 262144 /var/log/system.log +clog -i -s 262144 /var/log/filter.log +clog -i -s 32768 /var/log/dhcpd.log +clog -i -s 32768 /var/log/vpn.log +chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log /var/log/vpn.log + +adjkerntz -i + +#mount_devfs devfs /dev + +# Create an initial utmp file +cd /var/run && cp /dev/null utmp && chmod 644 utmp + +# Build devices database +#dev_mkdb + +# Run ldconfig +/sbin/ldconfig -elf /usr/lib + +echo +echo "Starting LiveBSD.com's m0n0wall 1.2b2 PF ..." +echo + +# let the PHP-based configuration subsystem set up the system now +/etc/rc.bootup + +/usr/sbin/pfctl -f /tmp/rules.debug +/usr/sbin/pfctl -e + +echo Starting Secure Shell Services ... +/etc/sshd + +exit 0 + diff --git a/etc/rc.banner b/etc/rc.banner new file mode 100755 index 0000000..0f5b8e5 --- /dev/null +++ b/etc/rc.banner @@ -0,0 +1,59 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.banner + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $version = chop(file_get_contents("{$g['etc_path']}/version")); + $buildtime = chop(file_get_contents("{$g['etc_path']}/version.buildtime")); + + echo <<<EOD + +*** This is LiveBSD.com's m0n0wall version {$version} + Copyright 2004 Scott Ullrich. All rights reserved. + Originally based on m0n0wall, version 1.2b1 + m0n0wall is Copyright 2002-2004 by Manuel Kasper. All rights reserved + + LAN IP address: {$config['interfaces']['lan']['ipaddr']} + + Port configurations: + + LAN -> {$config['interfaces']['lan']['if']} + WAN -> {$config['interfaces']['wan']['if']} +EOD; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + echo " OPT{$i} -> {$config['interfaces']['opt' . $i]['if']} " . + "({$config['interfaces']['opt' . $i]['descr']})\n"; +?> + + diff --git a/etc/rc.bootup b/etc/rc.bootup new file mode 100755 index 0000000..04f8266 --- /dev/null +++ b/etc/rc.bootup @@ -0,0 +1,147 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.bootup + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + require_once("globals.inc"); + + /* let the other functions know we're booting */ + $g['booting'] = TRUE; + touch("{$g['varrun_path']}/booting"); + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + /* convert configuration, if necessary */ + convert_config(); + + /* run any early shell commands specified in config.xml */ + system_do_shell_commands(1); + + /* save dmesg output to file */ + system_dmesg_save(); + + /* set up our timezone */ + system_timezone_configure(); + + /* set up our hostname */ + system_hostname_configure(); + + /* make hosts file */ + system_hosts_generate(); + + /* generate resolv.conf */ + system_resolvconf_generate(); + + /* start pccardd */ + if (!in_array($g['platform'], $g['nopccard_platforms'])) + system_pccard_start(); + + /* establish ipfilter ruleset */ + filter_configure(); + + /* configure loopback interface */ + interfaces_loopback_configure(); + + /* set up VLAN virtual interfaces */ + interfaces_vlan_configure(); + + /* set up LAN interface */ + interfaces_lan_configure(); + + /* set up WAN interface */ + interfaces_wan_configure(); + + /* set up Optional interfaces */ + interfaces_optional_configure(); + + /* start OpenVPN server & clients */ + ovpn_configure(); + + /* resync ipfilter */ + filter_resync(); + + /* start ipmon */ + filter_ipmon_start(); + + /* set up static routes */ + system_routing_configure(); + + /* enable routing */ + system_routing_enable(); + + /* start syslogd */ + system_syslogd_start(); + + /* start web server */ + system_webgui_start(); + + /* configure console menu */ + system_console_configure(); + + /* start dnsmasq service */ + services_dnsmasq_configure(); + + /* start dyndns service */ + services_dyndns_configure(); + + /* start DHCP service */ + services_dhcpd_configure(); + + /* start SNMP service */ + services_snmpd_configure(); + + /* start proxy ARP service */ + services_proxyarp_configure(); + + /* start the NTP client */ + system_ntp_configure(); + + /* start pptpd */ + vpn_pptpd_configure(); + + /* start traffic shaper */ + shaper_configure(); + + /* start IPsec tunnels */ + vpn_ipsec_configure(); + + /* start the captive portal */ + captiveportal_configure(); + + /* execute the rc scripts of extensions */ + system_do_extensions(); + + /* run any shell commands specified in config.xml */ + system_do_shell_commands(); + + /* done */ + unlink("{$g['varrun_path']}/booting"); +?> diff --git a/etc/rc.dyndns.storecache b/etc/rc.dyndns.storecache new file mode 100755 index 0000000..180662e --- /dev/null +++ b/etc/rc.dyndns.storecache @@ -0,0 +1,8 @@ +#!/bin/sh + +# copy cache file to /conf for permanent storage +/sbin/umount -f /cf +/sbin/mount -w -o noatime /cf +/bin/cp /var/db/ez-ipupdate.cache /conf +/sbin/umount -f /cf +/sbin/mount -r /cf diff --git a/etc/rc.firmware b/etc/rc.firmware new file mode 100755 index 0000000..56fc7a4 --- /dev/null +++ b/etc/rc.firmware @@ -0,0 +1,55 @@ +#!/bin/sh + +# /etc/rc.firmware +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003 Manuel Kasper <mk@neon1.net>. +# All rights reserved. + +CFDEVICE=`cat /var/etc/cfdevice` + +if [ $1 != "upgrade" ]; then + /sbin/umount -f /ftmp > /dev/null 2>&1 +fi + +case $1 in +enable) + /sbin/mount_mfs -s 15360 -T qp120at -b 8192 -f 1024 dummy /ftmp \ + > /dev/null 2>&1 + ;; +upgrade) + # wait 5 seconds before beginning + sleep 5 + + exec </dev/console >/dev/console 2>/dev/console + + echo + echo "Firmware upgrade in progress..." + + # backup config + mkdir /tmp/configbak + cp -p /conf/* /tmp/configbak + + # unmount /cf + /sbin/umount -f /cf + + # dd image onto card + if [ -r $2 ]; then + /usr/bin/gunzip -S "" -c $2 | dd of=/dev/r$CFDEVICE bs=16k > /dev/null 2>&1 + echo "Image installed." + fi + + # mount /cf + /sbin/mount -w -o noatime /cf + + # restore config + cp -p /tmp/configbak/* /conf + + # remount /cf ro + /sbin/umount -f /cf + /sbin/mount -r /cf + + echo "Done - rebooting system..." + /sbin/reboot + ;; +esac diff --git a/etc/rc.initial b/etc/rc.initial new file mode 100755 index 0000000..bece644 --- /dev/null +++ b/etc/rc.initial @@ -0,0 +1,76 @@ +#!/bin/sh + +# /etc/rc.initial +# part of m0n0wall (http://neon1.net/m0n0wall) +# +# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. +# All rights reserved. + +# make sure the user can't kill us by pressing Ctrl-C +trap : 2 +trap : 3 +trap : 4 + +if [ -r /var/etc/disableconsole ]; then + +while : ; do + +echo +echo +echo "*** Console menu disabled. ***" +echo + +read tmp + +done + +else + +# endless loop +while : ; do + +/etc/rc.banner + +# display a cheap menu +echo "m0n0wall console setup" +echo "**********************" +echo "1) Interfaces: assign network ports" +echo "2) Set up LAN IP address" +echo "3) Reset webGUI password" +echo "4) Reset to factory defaults" +echo "5) Reboot system" +echo "6) Ping host" +echo "7) Shell" +echo + +read -p "Enter a number: " opmode + +# see what the user has chosen +case ${opmode} in +1) + /etc/rc.initial.setports + ;; +2) + /etc/rc.initial.setlanip + ;; +3) + /etc/rc.initial.password + ;; +4) + /etc/rc.initial.defaults + ;; +5) + /etc/rc.initial.reboot + ;; +6) + /etc/rc.initial.ping + ;; +7) + set prompt = "\n`/bin/hostname -s`# " + /bin/sh + ;; +esac + +done + +fi diff --git a/etc/rc.initial.defaults b/etc/rc.initial.defaults new file mode 100755 index 0000000..8e33fd2 --- /dev/null +++ b/etc/rc.initial.defaults @@ -0,0 +1,61 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.defaults + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* don't parse the config so we can restore in case it's broken */ + $noparseconfig = 1; + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo <<<EOD + +You are about to reset the firewall to factory defaults. +The firewall will reboot after resetting the configuration. + +Do you want to proceed? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + + reset_factory_defaults(); + + echo <<<EOD + +The firewall is rebooting now. + +EOD; + + system_reboot_sync(); + } +?> diff --git a/etc/rc.initial.password b/etc/rc.initial.password new file mode 100755 index 0000000..7859e2c --- /dev/null +++ b/etc/rc.initial.password @@ -0,0 +1,65 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.password + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo <<<EOD + +The webGUI password will be reset to the default (which is 'mono'). + +Do you want to proceed? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + + $config['system']['password'] = crypt("mono"); + + write_config(); + system_password_configure(); + + echo <<<EOD + +The password for the webGUI has been reset. + +Remember to set the password to something else than +the default as soon as you have logged into the webGUI. + +Press ENTER to continue. + +EOD; + + fgets($fp); + } +?> diff --git a/etc/rc.initial.ping b/etc/rc.initial.ping new file mode 100755 index 0000000..d069566 --- /dev/null +++ b/etc/rc.initial.ping @@ -0,0 +1,47 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.ping + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo "\nEnter a host name or IP address: "; + + $pinghost = chop(fgets($fp)); + if ($pinghost) { + echo "\n"; + passthru("/sbin/ping -c 3 -n " . escapeshellarg($pinghost)); + echo "\nPress ENTER to continue.\n"; + fgets($fp); + } +?> diff --git a/etc/rc.initial.reboot b/etc/rc.initial.reboot new file mode 100755 index 0000000..053d492 --- /dev/null +++ b/etc/rc.initial.reboot @@ -0,0 +1,55 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.reboot + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + echo <<<EOD + +The firewall will reboot. This may take one minute. + +Do you want to proceed? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + + echo <<<EOD + +The firewall is rebooting now. + +EOD; + + system_reboot_sync(); + } +?> diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip new file mode 100755 index 0000000..99fd922 --- /dev/null +++ b/etc/rc.initial.setlanip @@ -0,0 +1,117 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.setlanip + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + do { + echo "\nEnter the new LAN IP address: "; + $lanip = chop(fgets($fp)); + if ($lanip === "") { + exit(0); + } + } while (!is_ipaddr($lanip)); + + echo "\nSubnet masks are entered as bit counts (as in CIDR notation) in m0n0wall.\n"; + echo "e.g. 255.255.255.0 = 24\n"; + echo " 255.255.0.0 = 16\n"; + echo " 255.0.0.0 = 8\n\n"; + + do { + echo "Enter the new LAN subnet bit count: "; + $lanbits = chop(fgets($fp)); + if ($lanbits === "") { + exit(0); + } + } while (!is_numeric($lanbits) || ($lanbits < 1) || ($lanbits > 31)); + + $config['interfaces']['lan']['ipaddr'] = $lanip; + $config['interfaces']['lan']['subnet'] = $lanbits; + + echo "\nDo you want to enable the DHCP server on LAN? (y/n) "; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + do { + echo "Enter the start address of the client address range: "; + $dhcpstartip = chop(fgets($fp)); + if ($dhcpstartip === "") { + exit(0); + } + } while (!is_ipaddr($dhcpstartip)); + + do { + echo "Enter the end address of the client address range: "; + $dhcpendip = chop(fgets($fp)); + if ($dhcpendip === "") { + exit(0); + } + } while (!is_ipaddr($dhcpendip)); + + $config['dhcpd']['lan']['enable'] = true; + $config['dhcpd']['lan']['range']['from'] = $dhcpstartip; + $config['dhcpd']['lan']['range']['to'] = $dhcpendip; + } else { + unset($config['dhcpd']['lan']['enable']); + } + + if ($config['system']['webgui']['protocol'] == "https") { + + echo "\nDo you want to revert to HTTP as the webGUI protocol? (y/n) "; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) + $config['system']['webgui']['protocol'] = "http"; + } + + if (isset($config['system']['webgui']['noantilockout'])) { + echo "\nNote: the anti-lockout rule on LAN has been re-enabled.\n"; + unset($config['system']['webgui']['noantilockout']); + } + + write_config(); + interfaces_lan_configure(); + + echo <<<EOD + +The LAN IP address has been set to $lanip/$lanbits. +You can now access the webGUI by opening the following URL +in your browser: + +http://$lanip/ + +Press ENTER to continue. + +EOD; + + fgets($fp); +?> diff --git a/etc/rc.initial.setports b/etc/rc.initial.setports new file mode 100755 index 0000000..049879a --- /dev/null +++ b/etc/rc.initial.setports @@ -0,0 +1,303 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.initial.setports + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + $fp = fopen('php://stdin', 'r'); + + $iflist = get_interface_list(); + + echo <<<EOD + +Valid interfaces are: + + +EOD; + + foreach ($iflist as $iface => $ifa) { + echo sprintf("% -8s%s%s\n", $iface, $ifa['mac'], + $ifa['up'] ? " (up)" : ""); + } + + echo <<<EOD + +Do you want to set up VLANs first? +If you're not going to use VLANs, or only for optional interfaces, you +should say no here and use the webGUI to configure VLANs later, if required. + +Do you want to set up VLANs now? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) + vlan_setup(); + + if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) { + + echo "\n\nVLAN interfaces:\n\n"; + $i = 0; + foreach ($config['vlans']['vlan'] as $vlan) { + + echo sprintf("% -8s%s\n", "vlan{$i}", + "VLAN tag {$vlan['tag']}, interface {$vlan['if']}"); + + $iflist['vlan' . $i] = array(); + $i++; + } + } + + echo <<<EOD + +If you don't know the names of your interfaces, you may choose to use +auto-detection. In that case, disconnect all interfaces before you begin, +and reconnect each one when prompted to do so. + +EOD; + + do { + echo "\nEnter the LAN interface name or 'a' for auto-detection: "; + $lanif = chop(fgets($fp)); + if ($lanif === "") { + exit(0); + } + + if ($lanif === "a") + $lanif = autodetect_interface("LAN", $fp); + else if (!array_key_exists($lanif, $iflist)) { + echo "\nInvalid interface name '{$lanif}'\n"; + unset($lanif); + continue; + } + } while (!$lanif); + + do { + echo "\nEnter the WAN interface name or 'a' for auto-detection: "; + $wanif = chop(fgets($fp)); + if ($wanif === "") { + exit(0); + } + if ($wanif === "a") + $wanif = autodetect_interface("WAN", $fp); + else if (!array_key_exists($wanif, $iflist)) { + echo "\nInvalid interface name '{$wanif}'\n"; + unset($wanif); + continue; + } + } while (!$wanif); + + /* optional interfaces */ + $i = 0; + $optif = array(); + + while (1) { + if ($optif[$i]) + $i++; + $i1 = $i + 1; + echo "\nEnter the Optional {$i1} interface name or 'a' for auto-detection\n" . + "(or nothing if finished): "; + $optif[$i] = chop(fgets($fp)); + + if ($optif[$i]) { + if ($optif[$i] === "a") { + $ad = autodetect_interface("Optional " . $i1, $fp); + if ($ad) + $optif[$i] = $ad; + else + unset($optif[$i]); + } else if (!array_key_exists($optif[$i], $iflist)) { + echo "\nInvalid interface name '{$optif[$i]}'\n"; + unset($optif[$i]); + continue; + } + } else { + unset($optif[$i]); + break; + } + } + + /* check for double assignments */ + $ifarr = array_merge(array($lanif, $wanif), $optif); + + for ($i = 0; $i < (count($ifarr)-1); $i++) { + for ($j = ($i+1); $j < count($ifarr); $j++) { + if ($ifarr[$i] == $ifarr[$j]) { + echo <<<EOD + +Error: you can't assign the same interface name twice! + +EOD; + + exit(0); + } + } + } + + echo <<<EOD + +The interfaces will be assigned as follows: + +LAN -> {$lanif} +WAN -> {$wanif} + +EOD; + + for ($i = 0; $i < count($optif); $i++) { + echo "OPT" . ($i+1) . " -> " . $optif[$i] . "\n"; + } + +echo <<<EOD + +The firewall will reboot after saving the changes. + +Do you want to proceed? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") == 0) { + + $config['interfaces']['lan']['if'] = $lanif; + if (preg_match("/^(wi|awi|an)/", $lanif)) { + if (!is_array($config['interfaces']['lan']['wireless'])) + $config['interfaces']['lan']['wireless'] = array(); + } else { + unset($config['interfaces']['lan']['wireless']); + } + + $config['interfaces']['wan']['if'] = $wanif; + if (preg_match("/^(wi|awi|an)/", $wanif)) { + if (!is_array($config['interfaces']['wan']['wireless'])) + $config['interfaces']['wan']['wireless'] = array(); + } else { + unset($config['interfaces']['wan']['wireless']); + } + + for ($i = 0; $i < count($optif); $i++) { + if (!is_array($config['interfaces']['opt' . ($i+1)])) + $config['interfaces']['opt' . ($i+1)] = array(); + + $config['interfaces']['opt' . ($i+1)]['if'] = $optif[$i]; + + /* wireless interface? */ + if (preg_match("/^(wi|awi|an)/", $optif[$i])) { + if (!is_array($config['interfaces']['opt' . ($i+1)]['wireless'])) + $config['interfaces']['opt' . ($i+1)]['wireless'] = array(); + } else { + unset($config['interfaces']['opt' . ($i+1)]['wireless']); + } + + unset($config['interfaces']['opt' . ($i+1)]['enable']); + $config['interfaces']['opt' . ($i+1)]['descr'] = "OPT" . ($i+1); + } + + /* remove all other (old) optional interfaces */ + for (; isset($config['interfaces']['opt' . ($i+1)]); $i++) + unset($config['interfaces']['opt' . ($i+1)]); + + write_config(); + + echo <<<EOD + +The firewall is rebooting now. + +EOD; + + system_reboot_sync(); + } + + function autodetect_interface($ifname, $fp) { + $iflist_prev = get_interface_list(); + echo <<<EOD + +Connect the {$ifname} interface now and make sure that the link is up. +Then press ENTER to continue. + +EOD; + fgets($fp); + $iflist = get_interface_list(); + + foreach ($iflist_prev as $ifn => $ifa) { + if (!$ifa['up'] && $iflist[$ifn]['up']) { + echo "Detected link-up on interface {$ifn}.\n"; + return $ifn; + } + } + + echo "No link-up detected.\n"; + + return null; + } + + function vlan_setup() { + global $iflist, $config, $g, $fp; + + if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) { + + echo <<<EOD + +WARNING: all existing VLANs will be cleared if you proceed! + +Do you want to proceed? (y/n) +EOD; + + if (strcasecmp(chop(fgets($fp)), "y") != 0) + return; + } + + $config['vlans']['vlan'] = array(); + echo "\n"; + + while (1) { + $vlan = array(); + + echo "\nEnter the parent interface name for the new VLAN (or nothing if finished): "; + $vlan['if'] = chop(fgets($fp)); + + if ($vlan['if']) { + if (!array_key_exists($vlan['if'], $iflist)) { + echo "\nInvalid interface name '{$vlan['if']}'\n"; + continue; + } + } else { + break; + } + + echo "Enter the VLAN tag (1-4094): "; + $vlan['tag'] = chop(fgets($fp)); + + if (!is_numericint($vlan['tag']) || ($vlan['tag'] < 1) || ($vlan['tag'] > 4094)) { + echo "\nInvalid VLAN tag '{$vlan['tag']}'\n"; + continue; + } + + $config['vlans']['vlan'][] = $vlan; + } + } +?> diff --git a/etc/rc.newwanip b/etc/rc.newwanip new file mode 100755 index 0000000..5328028 --- /dev/null +++ b/etc/rc.newwanip @@ -0,0 +1,83 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.newwanip + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + /* WAN IP address has changed */ + + /* make sure to wait until the boot scripts have finished + while (file_exists("{$g['varrun_path']}/booting")) { + sleep(1); + } + */ + + $curwanip = get_current_wan_address(); + + /* dhclient or MPD told us that the IP address has changed; + let's see if that's really true to avoid reloading things + when it's not really necessary (dhclient likes to + execute its dhclient-exit-hooks also on renewals) + */ + if (file_exists("{$g['vardb_path']}/wanip")) { + $oldwanip = chop(file_get_contents("{$g['vardb_path']}/wanip")); + + if ($curwanip == $oldwanip) + return 0; /* nothing to do */ + } + + /* resync ipfilter */ + filter_resync(); + + /* flush NAT table */ + filter_flush_nat_table(); + + /* reconfigure IPsec tunnels */ + vpn_ipsec_configure(true); + + /* regenerate resolv.conf if DNS overrides are allowed or the BigPond + client is enabled */ + if (isset($config['system']['dnsallowoverride']) || + ($config['interfaces']['wan']['ipaddr'] == "bigpond")) + system_resolvconf_generate(true); + + /* fire up the BigPond client, if necessary */ + if ($config['interfaces']['wan']['ipaddr'] == "bigpond") + interfaces_wan_bigpond_configure($curwanip); + + /* write current WAN IP to file */ + $fd = @fopen("{$g['vardb_path']}/wanip", "w"); + if ($fd) { + fwrite($fd, $curwanip); + fclose($fd); + } +?> diff --git a/etc/rc.prunecaptiveportal b/etc/rc.prunecaptiveportal new file mode 100755 index 0000000..108b029 --- /dev/null +++ b/etc/rc.prunecaptiveportal @@ -0,0 +1,37 @@ +#!/usr/local/bin/php -f +<?php +/* + rc.prunecaptiveportal + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + + /* parse the configuration and include all functions used below */ + require_once("config.inc"); + require_once("functions.inc"); + + captiveportal_prune_old(); +?> diff --git a/etc/rc.reboot b/etc/rc.reboot new file mode 100755 index 0000000..2b3eb08 --- /dev/null +++ b/etc/rc.reboot @@ -0,0 +1,5 @@ +#!/bin/sh + +sleep 1 + +/sbin/reboot diff --git a/etc/rc.shutdown b/etc/rc.shutdown new file mode 100755 index 0000000..1deb79a --- /dev/null +++ b/etc/rc.shutdown @@ -0,0 +1,17 @@ +#!/bin/sh + +stty status '^T' + +# Set shell to ignore SIGINT (2), but not children; +# shell catches SIGQUIT (3) and returns to single user after fsck. +trap : 2 +trap : 3 # shouldn't be needed + +HOME=/ +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin +export HOME PATH + +# Insert other shutdown procedures here + +exit 0 + diff --git a/etc/services b/etc/services new file mode 100644 index 0000000..c583eac --- /dev/null +++ b/etc/services @@ -0,0 +1,2106 @@ +# +# Network services, Internet style +# +# Note that it is presently the policy of IANA to assign a single well-known +# port number for both TCP and UDP; hence, most entries here have two entries +# even if the protocol doesn't support UDP operations. +# +# The latest IANA port assignments can be gotten from +# +# http://www.iana.org/assignments/port-numbers +# +# The Well Known Ports are those from 0 through 1023. +# The Registered Ports are those from 1024 through 49151 +# The Dynamic and/or Private Ports are those from 49152 through 65535 +# +# Kerberos services are for Kerberos v4, and are unofficial. Sites running +# v5 should uncomment v5 entries and comment v4 entries. +# +# $FreeBSD: src/etc/services,v 1.62.2.12 2003/02/01 16:48:17 schweikh Exp $ +# From: @(#)services 5.8 (Berkeley) 5/9/91 +# +# WELL KNOWN PORT NUMBERS +# +rtmp 1/ddp #Routing Table Maintenance Protocol +tcpmux 1/tcp #TCP Port Service Multiplexer +tcpmux 1/udp #TCP Port Service Multiplexer +nbp 2/ddp #Name Binding Protocol +compressnet 2/tcp #Management Utility +compressnet 2/udp #Management Utility +compressnet 3/tcp #Compression Process +compressnet 3/udp #Compression Process +echo 4/ddp #AppleTalk Echo Protocol +rje 5/tcp #Remote Job Entry +rje 5/udp #Remote Job Entry +zip 6/ddp #Zone Information Protocol +echo 7/tcp +echo 7/udp +discard 9/tcp sink null +discard 9/udp sink null +systat 11/tcp users #Active Users +systat 11/udp users #Active Users +daytime 13/tcp +daytime 13/udp +qotd 17/tcp quote #Quote of the Day +qotd 17/udp quote #Quote of the Day +msp 18/tcp #Message Send Protocol +msp 18/udp #Message Send Protocol +chargen 19/tcp ttytst source #Character Generator +chargen 19/udp ttytst source #Character Generator +ftp-data 20/tcp #File Transfer [Default Data] +ftp-data 20/udp #File Transfer [Default Data] +ftp 21/tcp #File Transfer [Control] +ftp 21/udp #File Transfer [Control] +ssh 22/tcp #Secure Shell Login +ssh 22/udp #Secure Shell Login +telnet 23/tcp +telnet 23/udp +# 24/tcp any private mail system +# 24/udp any private mail system +smtp 25/tcp mail #Simple Mail Transfer +smtp 25/udp mail #Simple Mail Transfer +nsw-fe 27/tcp #NSW User System FE +nsw-fe 27/udp #NSW User System FE +msg-icp 29/tcp #MSG ICP +msg-icp 29/udp #MSG ICP +msg-auth 31/tcp #MSG Authentication +msg-auth 31/udp #MSG Authentication +dsp 33/tcp #Display Support Protocol +dsp 33/udp #Display Support Protocol +# 35/tcp any private printer server +# 35/udp any private printer server +time 37/tcp timserver +time 37/udp timserver +rap 38/tcp #Route Access Protocol +rap 38/udp #Route Access Protocol +rlp 39/tcp resource #Resource Location Protocol +rlp 39/udp resource #Resource Location Protocol +graphics 41/tcp +graphics 41/udp +nameserver 42/tcp name #Host Name Server +nameserver 42/udp name #Host Name Server +nicname 43/tcp whois +nicname 43/udp whois +mpm-flags 44/tcp #MPM FLAGS Protocol +mpm-flags 44/udp #MPM FLAGS Protocol +mpm 45/tcp #Message Processing Module [recv] +mpm 45/udp #Message Processing Module [recv] +mpm-snd 46/tcp #MPM [default send] +mpm-snd 46/udp #MPM [default send] +ni-ftp 47/tcp #NI FTP +ni-ftp 47/udp #NI FTP +auditd 48/tcp #Digital Audit Daemon +auditd 48/udp #Digital Audit Daemon +tacacs 49/tcp #Login Host Protocol (TACACS) +tacacs 49/udp #Login Host Protocol (TACACS) +re-mail-ck 50/tcp #Remote Mail Checking Protocol +re-mail-ck 50/udp #Remote Mail Checking Protocol +la-maint 51/tcp #IMP Logical Address Maintenance +la-maint 51/udp #IMP Logical Address Maintenance +xns-time 52/tcp #XNS Time Protocol +xns-time 52/udp #XNS Time Protocol +domain 53/tcp #Domain Name Server +domain 53/udp #Domain Name Server +xns-ch 54/tcp #XNS Clearinghouse +xns-ch 54/udp #XNS Clearinghouse +isi-gl 55/tcp #ISI Graphics Language +isi-gl 55/udp #ISI Graphics Language +xns-auth 56/tcp #XNS Authentication +xns-auth 56/udp #XNS Authentication +mtp 57/tcp # deprecated +#PROBLEMS!============================================================== +# 57/tcp any private terminal access +#PROBLEMS!============================================================== +# 57/udp any private terminal access +xns-mail 58/tcp #XNS Mail +xns-mail 58/udp #XNS Mail +# 59/tcp any private file service +# 59/udp any private file service +ni-mail 61/tcp #NI MAIL +ni-mail 61/udp #NI MAIL +acas 62/tcp #ACA Services +acas 62/udp #ACA Services +whois++ 63/tcp +whois++ 63/udp +covia 64/tcp #Communications Integrator (CI) +covia 64/udp #Communications Integrator (CI) +tacacs-ds 65/tcp #TACACS-Database Service +tacacs-ds 65/udp #TACACS-Database Service +sql*net 66/tcp #Oracle SQL*NET +sql*net 66/udp #Oracle SQL*NET +bootps 67/tcp dhcps #Bootstrap Protocol Server +bootps 67/udp dhcps #Bootstrap Protocol Server +bootpc 68/tcp dhcpc #Bootstrap Protocol Client +bootpc 68/udp dhcpc #Bootstrap Protocol Client +tftp 69/tcp #Trivial File Transfer +tftp 69/udp #Trivial File Transfer +gopher 70/tcp +gopher 70/udp +netrjs-1 71/tcp #Remote Job Service +netrjs-1 71/udp #Remote Job Service +netrjs-2 72/tcp #Remote Job Service +netrjs-2 72/udp #Remote Job Service +netrjs-3 73/tcp #Remote Job Service +netrjs-3 73/udp #Remote Job Service +netrjs-4 74/tcp #Remote Job Service +netrjs-4 74/udp #Remote Job Service +# 75/tcp any private dial out service +# 75/udp any private dial out service +deos 76/tcp #Distributed External Object Store +deos 76/udp #Distributed External Object Store +netrjs 77/tcp +#PROBLEMS!============================================================== +# 77/tcp any private RJE service +#PROBLEMS!============================================================== +# 77/udp any private RJE service +vettcp 78/tcp +vettcp 78/udp +finger 79/tcp +finger 79/udp +http 80/tcp www www-http #World Wide Web HTTP +http 80/udp www www-http #World Wide Web HTTP +hosts2-ns 81/tcp #HOSTS2 Name Server +hosts2-ns 81/udp #HOSTS2 Name Server +xfer 82/tcp #XFER Utility +xfer 82/udp #XFER Utility +mit-ml-dev 83/tcp #MIT ML Device +mit-ml-dev 83/udp #MIT ML Device +ctf 84/tcp #Common Trace Facility +ctf 84/udp #Common Trace Facility +mit-ml-dev 85/tcp #MIT ML Device +mit-ml-dev 85/udp #MIT ML Device +mfcobol 86/tcp #Micro Focus Cobol +mfcobol 86/udp #Micro Focus Cobol +ttylink 87/tcp +#PROBLEMS!=========================================================== +# 87/tcp any private terminal link +#PROBLEMS!=========================================================== +# 87/udp any private terminal link +kerberos-sec 88/tcp kerberos # krb5 # Kerberos (v5) +kerberos-sec 88/udp kerberos # krb5 # Kerberos (v5) +su-mit-tg 89/tcp #SU/MIT Telnet Gateway +su-mit-tg 89/udp #SU/MIT Telnet Gateway +dnsix 90/tcp #DNSIX Securit Attribute Token Map +dnsix 90/udp #DNSIX Securit Attribute Token Map +mit-dov 91/tcp #MIT Dover Spooler +mit-dov 91/udp #MIT Dover Spooler +npp 92/tcp #Network Printing Protocol +npp 92/udp #Network Printing Protocol +dcp 93/tcp #Device Control Protocol +dcp 93/udp #Device Control Protocol +objcall 94/tcp #Tivoli Object Dispatcher +objcall 94/udp #Tivoli Object Dispatcher +supdup 95/tcp +supdup 95/udp +dixie 96/tcp #DIXIE Protocol Specification +dixie 96/udp #DIXIE Protocol Specification +swift-rvf 97/tcp #Swift Remote Virtural File Protocol +swift-rvf 97/udp #Swift Remote Virtural File Protocol +tacnews 98/tcp #TAC News, Unofficial: Red Hat linuxconf +tacnews 98/udp #TAC News, Unofficial: Red Hat linuxconf +metagram 99/tcp #Metagram Relay +metagram 99/udp #Metagram Relay +newacct 100/tcp #[unauthorized use] +hostname 101/tcp hostnames #NIC Host Name Server +hostname 101/udp hostnames #NIC Host Name Server +iso-tsap 102/tcp tsap #ISO-TSAP Class 0 +iso-tsap 102/udp tsap #ISO-TSAP Class 0 +gppitnp 103/tcp #Genesis Point-to-Point Trans Net +gppitnp 103/udp #Genesis Point-to-Point Trans Net +acr-nema 104/tcp #ACR-NEMA Digital Imag. & Comm. 300 +acr-nema 104/udp #ACR-NEMA Digital Imag. & Comm. 300 +csnet-ns 105/tcp cso-ns cso #Mailbox Name Nameserver +csnet-ns 105/udp cso-ns cso #Mailbox Name Nameserver +pop3pw 106/tcp 3com-tsmux #Eudora compatible PW changer +3com-tsmux 106/udp +rtelnet 107/tcp #Remote Telnet Service +rtelnet 107/udp #Remote Telnet Service +snagas 108/tcp #SNA Gateway Access Server +snagas 108/udp #SNA Gateway Access Server +pop2 109/tcp postoffice #Post Office Protocol - Version 2 +pop2 109/udp postoffice #Post Office Protocol - Version 2 +pop3 110/tcp #Post Office Protocol - Version 3 +pop3 110/udp #Post Office Protocol - Version 3 +sunrpc 111/tcp rpcbind #SUN Remote Procedure Call +sunrpc 111/udp rpcbind #SUN Remote Procedure Call +mcidas 112/tcp #McIDAS Data Transmission Protocol +mcidas 112/udp #McIDAS Data Transmission Protocol +auth 113/tcp ident tap #Authentication Service +auth 113/udp ident tap #Authentication Service +audionews 114/tcp #Audio News Multicast +audionews 114/udp #Audio News Multicast +sftp 115/tcp #Simple File Transfer Protocol +sftp 115/udp #Simple File Transfer Protocol +ansanotify 116/tcp #ANSA REX Notify +ansanotify 116/udp #ANSA REX Notify +uucp-path 117/tcp #UUCP Path Service +uucp-path 117/udp #UUCP Path Service +sqlserv 118/tcp #SQL Services +sqlserv 118/udp #SQL Services +nntp 119/tcp usenet #Network News Transfer Protocol +nntp 119/udp usenet #Network News Transfer Protocol +cfdptkt 120/tcp +cfdptkt 120/udp +erpc 121/tcp #Encore Expedited Remote Pro.Call +erpc 121/udp #Encore Expedited Remote Pro.Call +smakynet 122/tcp +smakynet 122/udp +ntp 123/tcp #Network Time Protocol +ntp 123/udp #Network Time Protocol +ansatrader 124/tcp #ANSA REX Trader +ansatrader 124/udp #ANSA REX Trader +locus-map 125/tcp #Locus PC-Interface Net Map Ser +locus-map 125/udp #Locus PC-Interface Net Map Ser +unitary 126/tcp #Unisys Unitary Login +unitary 126/udp #Unisys Unitary Login +locus-con 127/tcp #Locus PC-Interface Conn Server +locus-con 127/udp #Locus PC-Interface Conn Server +gss-xlicen 128/tcp #GSS X License Verification +gss-xlicen 128/udp #GSS X License Verification +pwdgen 129/tcp #Password Generator Protocol +pwdgen 129/udp #Password Generator Protocol +cisco-fna 130/tcp #cisco FNATIVE +cisco-fna 130/udp #cisco FNATIVE +cisco-tna 131/tcp #cisco TNATIVE +cisco-tna 131/udp #cisco TNATIVE +cisco-sys 132/tcp #cisco SYSMAINT +cisco-sys 132/udp #cisco SYSMAINT +statsrv 133/tcp #Statistics Service +statsrv 133/udp #Statistics Service +ingres-net 134/tcp #INGRES-NET Service +ingres-net 134/udp #INGRES-NET Service +loc-srv 135/tcp epmap #Location Service +loc-srv 135/udp epmap #Location Service +profile 136/tcp #PROFILE Naming System +profile 136/udp #PROFILE Naming System +netbios-ns 137/tcp #NETBIOS Name Service +netbios-ns 137/udp #NETBIOS Name Service +netbios-dgm 138/tcp #NETBIOS Datagram Service +netbios-dgm 138/udp #NETBIOS Datagram Service +netbios-ssn 139/tcp #NETBIOS Session Service +netbios-ssn 139/udp #NETBIOS Session Service +emfis-data 140/tcp #EMFIS Data Service +emfis-data 140/udp #EMFIS Data Service +emfis-cntl 141/tcp #EMFIS Control Service +emfis-cntl 141/udp #EMFIS Control Service +bl-idm 142/tcp #Britton-Lee IDM +bl-idm 142/udp #Britton-Lee IDM +imap 143/tcp imap2 imap4 #Interim Mail Access Protocol v2 +imap 143/udp imap2 imap4 #Interim Mail Access Protocol v2 +NeWS 144/tcp # Window System +NeWS 144/udp # Window System +#PROBLEMS!============================================================== +#uma 144/tcp #Universal Management Architecture +#uma 144/udp #Universal Management Architecture +#PROBLEMS!============================================================== +uaac 145/tcp #UAAC Protocol +uaac 145/udp #UAAC Protocol +iso-tp0 146/tcp +iso-tp0 146/udp +iso-ip 147/tcp +iso-ip 147/udp +cronus 148/tcp jargon #CRONUS-SUPPORT +cronus 148/udp jargon #CRONUS-SUPPORT +aed-512 149/tcp #AED 512 Emulation Service +aed-512 149/udp #AED 512 Emulation Service +sql-net 150/tcp +sql-net 150/udp +hems 151/tcp +hems 151/udp +bftp 152/tcp #Background File Transfer Program +bftp 152/udp #Background File Transfer Program +sgmp 153/tcp +sgmp 153/udp +netsc-prod 154/tcp +netsc-prod 154/udp +netsc-dev 155/tcp +netsc-dev 155/udp +sqlsrv 156/tcp #SQL Service +sqlsrv 156/udp #SQL Service +knet-cmp 157/tcp #KNET/VM Command/Message Protocol +knet-cmp 157/udp #KNET/VM Command/Message Protocol +pcmail-srv 158/tcp #PCMail Server +pcmail-srv 158/udp #PCMail Server +nss-routing 159/tcp +nss-routing 159/udp +sgmp-traps 160/tcp +sgmp-traps 160/udp +snmp 161/tcp +snmp 161/udp +snmptrap 162/tcp snmp-trap +snmptrap 162/udp snmp-trap +cmip-man 163/tcp #CMIP/TCP Manager +cmip-man 163/udp #CMIP/TCP Manager +cmip-agent 164/tcp #CMIP/TCP Agent +smip-agent 164/udp #CMIP/TCP Agent +xns-courier 165/tcp #Xerox +xns-courier 165/udp #Xerox +s-net 166/tcp #Sirius Systems +s-net 166/udp #Sirius Systems +namp 167/tcp +namp 167/udp +rsvd 168/tcp +rsvd 168/udp +send 169/tcp +send 169/udp +print-srv 170/tcp #Network PostScript +print-srv 170/udp #Network PostScript +multiplex 171/tcp #Network Innovations Multiplex +multiplex 171/udp #Network Innovations Multiplex +cl/1 172/tcp #Network Innovations CL/1 +cl/1 172/udp #Network Innovations CL/1 +xyplex-mux 173/tcp +xyplex-mux 173/udp +mailq 174/tcp +mailq 174/udp +vmnet 175/tcp +vmnet 175/udp +genrad-mux 176/tcp +genrad-mux 176/udp +xdmcp 177/tcp #X Display Manager Control Protocol +xdmcp 177/udp #X Display Manager Control Protocol +NextStep 178/tcp nextstep NeXTStep #NextStep Window Server +NextStep 178/udp nextstep NeXTStep #NextStep Window Server +bgp 179/tcp #Border Gateway Protocol +bgp 179/udp #Border Gateway Protocol +ris 180/tcp #Intergraph +ris 180/udp #Intergraph +unify 181/tcp +unify 181/udp +audit 182/tcp #Unisys Audit SITP +audit 182/udp #Unisys Audit SITP +ocbinder 183/tcp +ocbinder 183/udp +ocserver 184/tcp +ocserver 184/udp +remote-kis 185/tcp +remote-kis 185/udp +kis 186/tcp #KIS Protocol +kis 186/udp #KIS Protocol +aci 187/tcp #Application Communication Interface +aci 187/udp #Application Communication Interface +mumps 188/tcp #Plus Five's MUMPS +mumps 188/udp #Plus Five's MUMPS +qft 189/tcp #Queued File Transport +qft 189/udp #Queued File Transport +gacp 190/tcp #Gateway Access Control Protocol +gacp 190/udp cacp #Gateway Access Control Protocol +prospero 191/tcp #Prospero Directory Service +prospero 191/udp #Prospero Directory Service +osu-nms 192/tcp #OSU Network Monitoring System +osu-nms 192/udp #OSU Network Monitoring System +srmp 193/tcp #Spider Remote Monitoring Protocol +srmp 193/udp #Spider Remote Monitoring Protocol +irc 194/tcp #Internet Relay Chat Protocol +irc 194/udp #Internet Relay Chat Protocol +dn6-nlm-aud 195/tcp #DNSIX Network Level Module Audit +dn6-nlm-aud 195/udp #DNSIX Network Level Module Audit +dn6-smm-red 196/tcp #DNSIX Session Mgt Module Audit Redir +dn6-smm-red 196/udp #DNSIX Session Mgt Module Audit Redir +dls 197/tcp #Directory Location Service +dls 197/udp #Directory Location Service +dls-mon 198/tcp #Directory Location Service Monitor +dls-mon 198/udp #Directory Location Service Monitor +smux 199/tcp +smux 199/udp +src 200/tcp #IBM System Resource Controller +src 200/udp #IBM System Resource Controller +at-rtmp 201/tcp #AppleTalk Routing Maintenance +at-rtmp 201/udp #AppleTalk Routing Maintenance +at-nbp 202/tcp #AppleTalk Name Binding +at-nbp 202/udp #AppleTalk Name Binding +at-3 203/tcp #AppleTalk Unused +at-3 203/udp #AppleTalk Unused +at-echo 204/tcp #AppleTalk Echo +at-echo 204/udp #AppleTalk Echo +at-5 205/tcp #AppleTalk Unused +at-5 205/udp #AppleTalk Unused +at-zis 206/tcp #AppleTalk Zone Information +at-zis 206/udp #AppleTalk Zone Information +at-7 207/tcp #AppleTalk Unused +at-7 207/udp #AppleTalk Unused +at-8 208/tcp #AppleTalk Unused +at-8 208/udp #AppleTalk Unused +qmtp 209/tcp #The Quick Mail Transfer Protocol +qmtp 209/udp #The Quick Mail Transfer Protocol +#PROBLEMS!============================================================== +#tam 209/tcp #Trivial Authenticated Mail Protocol +#tam 209/udp #Trivial Authenticated Mail Protocol +#PROBLEMS!============================================================== +z39.50 210/tcp wais #ANSI Z39.50 +z39.50 210/udp wais #ANSI Z39.50 +914c/g 211/tcp #Texas Instruments 914C/G Terminal +914c/g 211/udp #Texas Instruments 914C/G Terminal +anet 212/tcp #ATEXSSTR +anet 212/udp #ATEXSSTR +ipx 213/tcp +ipx 213/udp +vmpwscs 214/tcp +vmpwscs 214/udp +softpc 215/tcp #Insignia Solutions +softpc 215/udp #Insignia Solutions +CAIlic 216/tcp atls #Computer Associates Int'l License Server +CAIlic 216/udp atls #Computer Associates Int'l License Server +dbase 217/tcp #dBASE Unix +dbase 217/udp #dBASE Unix +mpp 218/tcp #Netix Message Posting Protocol +mpp 218/udp #Netix Message Posting Protocol +uarps 219/tcp #Unisys ARPs +uarps 219/udp #Unisys ARPs +#imap3@220 was never used and never should have been allocated. See PR 46294. +#imap3 220/tcp #Interactive Mail Access Protocol v3 +#imap3 220/udp #Interactive Mail Access Protocol v3 +fln-spx 221/tcp #Berkeley rlogind with SPX auth +fln-spx 221/udp #Berkeley rlogind with SPX auth +rsh-spx 222/tcp #Berkeley rshd with SPX auth +rsh-spx 222/udp #Berkeley rshd with SPX auth +cdc 223/tcp #Certificate Distribution Center +cdc 223/udp #Certificate Distribution Center +direct 242/tcp +direct 242/udp +sur-meas 243/tcp #Survey Measurement +sur-meas 243/udp #Survey Measurement +dayna 244/tcp +dayna 244/udp +link 245/tcp +link 245/udp +dsp3270 246/tcp #Display Systems Protocol +dsp3270 246/udp #Display Systems Protocol +subntbcst_tftp 247/tcp #subntbcst_tftp +subntbcst_tftp 247/udp #subntbcst_tftp +bhfhs 248/tcp +bhfhs 248/udp +# 249-255 reserved +rap 256/tcp +rap 256/udp +set 257/tcp #secure electronic transaction +set 257/udp #secure electronic transaction +yak-chat 258/tcp #yak winsock personal chat +yak-chat 258/udp #yak winsock personal chat +esro-gen 259/tcp #efficient short remote operations +esro-gen 259/udp #efficient short remote operations +openport 260/tcp +openport 260/udp +nsiiops 261/tcp #iiop name service over tls/ssl +nsiiops 261/udp #iiop name service over tls/ssl +arcisdms 262/tcp +arcisdms 262/udp +hdap 263/tcp +hdap 263/udp +bgmp 264/tcp +bgmp 264/udp +# 265-279 unassigned +http-mgmt 280/tcp +http-mgmt 280/udp +personal-link 281/tcp +personal-link 281/udp +cableport-ax 282/tcp #cable port a/x +cableport-ax 282/udp #cable port a/x +# 283-307 unassigned +novastorbakcup 308/tcp #novastor backup +novastorbakcup 308/udp #novastor backup +entrusttime 309/tcp +entrusttime 309/udp +bhmds 310/tcp +bhmds 310/udp +asip-webadmin 311/tcp #appleshare ip webadmin +asip-webadmin 311/udp #appleshare ip webadmin +vslmp 312/tcp +vslmp 312/udp +magenta-logic 313/tcp +magenta-logic 313/udp +opalis-robot 314/tcp +opalis-robot 314/udp +dpsi 315/tcp +dpsi 315/udp +decauth 316/tcp +decauth 316/udp +zannet 317/tcp +zannet 317/udp +# 318-320 #unassigned +pip 321/tcp +pip 321/udp +# 322-343 #unassigned +pdap 344/tcp #Prospero Data Access Protocol +pdap 344/udp #Prospero Data Access Protocol +pawserv 345/tcp #Perf Analysis Workbench +pawserv 345/udp #Perf Analysis Workbench +zserv 346/tcp #Zebra server +zserv 346/udp #Zebra server +fatserv 347/tcp #Fatmen Server +fatserv 347/udp #Fatmen Server +csi-sgwp 348/tcp #Cabletron Management Protocol +csi-sgwp 348/udp #Cabletron Management Protocol +mftp 349/tcp +mftp 349/udp +matip-type-a 350/tcp #MATIP Type A +matip-type-a 350/udp +matip-type-b 351/tcp #MATIP Type B +matip-type-b 351/udp +bhoetty 351/tcp #unassigned but widespread use +bhoetty 351/udp #unassigned but widespread use +dtag-ste-sb 352/tcp #DTAG +dtag-ste-sb 352/udp #DTAG +bhoedap4 352/tcp #unassigned but widespread use +bhoedap4 352/udp #unassigned but widespread use +ndsauth 353/tcp +ndsauth 353/udp +bh611 354/tcp +bh611 354/udp +datex-asn 355/tcp +datex-asn 355/udp +cloanto-net-1 356/tcp #Cloanto Net 1 +cloanto-net-1 356/udp +bhevent 357/tcp +bhevent 357/udp +shrinkwrap 358/tcp +shrinkwrap 358/udp +tenebris_nts 359/tcp #Tenebris Network Trace Service +tenebris_nts 359/udp #Tenebris Network Trace Service +scoi2odialog 360/tcp +scoi2odialog 360/udp +semantix 361/tcp +semantix 361/udp +srssend 362/tcp #SRS Send +srssend 362/udp #SRS Send +rsvp_tunnel 363/tcp +rsvp_tunnel 363/udp +aurora-cmgr 364/tcp +aurora-cmgr 364/udp +dtk 365/tcp #Deception Tool Kit - Fred Cohen <fc@all.net> +dtk 365/udp #Deception Tool Kit - Fred Cohen <fc@all.net> +odmr 366/tcp +odmr 366/udp +mortgageware 367/tcp +mortgageware 367/udp +qbikgdp 368/tcp #QbikGDP +qbikgdp 368/udp +rpc2portmap 369/tcp +rpc2portmap 369/udp +codaauth2 370/tcp +codaauth2 370/udp +clearcase 371/tcp +clearcase 371/udp +ulistserv 372/tcp ulistproc #Unix Listserv +ulistserv 372/udp ulistproc #Unix Listserv +legent-1 373/tcp #Legent Corporation (now Computer Associates Intl.) +legent-1 373/udp #Legent Corporation (now Computer Associates Intl.) +legent-2 374/tcp #Legent Corporation (now Computer Associates Intl.) +legent-2 374/udp #Legent Corporation (now Computer Associates Intl.) +hassle 375/tcp +hassle 375/udp +nip 376/tcp #Amiga Envoy Network Inquiry Proto +nip 376/udp #Amiga Envoy Network Inquiry Proto +tnETOS 377/tcp #NEC Corporation +tnETOS 377/udp #NEC Corporation +dsETOS 378/tcp #NEC Corporation +dsETOS 378/udp #NEC Corporation +is99c 379/tcp #TIA/EIA/IS-99 modem client +is99c 379/udp #TIA/EIA/IS-99 modem client +is99s 380/tcp #TIA/EIA/IS-99 modem server +is99s 380/udp #TIA/EIA/IS-99 modem server +hp-collector 381/tcp #hp performance data collector +hp-collector 381/udp #hp performance data collector +hp-managed-node 382/tcp #hp performance data managed node +hp-managed-node 382/udp #hp performance data managed node +hp-alarm-mgr 383/tcp #hp performance data alarm manager +hp-alarm-mgr 383/udp #hp performance data alarm manager +arns 384/tcp #A Remote Network Server System +arns 384/udp #A Remote Network Server System +ibm-app 385/tcp #IBM Application +ibm-app 385/udp #IBM Application +asa 386/tcp #ASA Message Router Object Def. +asa 386/udp #ASA Message Router Object Def. +aurp 387/tcp #Appletalk Update-Based Routing Pro. +aurp 387/udp #Appletalk Update-Based Routing Pro. +unidata-ldm 388/tcp #Unidata LDM Version 4 +unidata-ldm 388/udp #Unidata LDM Version 4 +ldap 389/tcp #Lightweight Directory Access Protocol +ldap 389/udp #Lightweight Directory Access Protocol +uis 390/tcp +uis 390/udp +synotics-relay 391/tcp #SynOptics SNMP Relay Port +synotics-relay 391/udp #SynOptics SNMP Relay Port +synotics-broker 392/tcp #SynOptics Port Broker Port +synotics-broker 392/udp #SynOptics Port Broker Port +dis 393/tcp #Data Interpretation System +dis 393/udp #Data Interpretation System +embl-ndt 394/tcp #EMBL Nucleic Data Transfer +embl-ndt 394/udp #EMBL Nucleic Data Transfer +netcp 395/tcp #NETscout Control Protocol +netcp 395/udp #NETscout Control Protocol +netware-ip 396/tcp #Novell Netware over IP +netware-ip 396/udp #Novell Netware over IP +mptn 397/tcp #Multi Protocol Trans. Net. +mptn 397/udp #Multi Protocol Trans. Net. +kryptolan 398/tcp +kryptolan 398/udp +iso-tsap-c2 399/tcp #ISO-TSAP Class 2 +iso-tsap-c2 399/udp #ISO-TSAP Class 2 +work-sol 400/tcp #Workstation Solutions +work-sol 400/udp #Workstation Solutions +ups 401/tcp #Uninterruptible Power Supply +ups 401/udp #Uninterruptible Power Supply +genie 402/tcp #Genie Protocol +genie 402/udp #Genie Protocol +decap 403/tcp +decap 403/udp +nced 404/tcp +nced 404/udp +ncld 405/tcp +ncld 405/udp +imsp 406/tcp #Interactive Mail Support Protocol +imsp 406/udp #Interactive Mail Support Protocol +timbuktu 407/tcp +timbuktu 407/udp +prm-sm 408/tcp #Prospero Resource Manager Sys. Man. +prm-sm 408/udp #Prospero Resource Manager Sys. Man. +prm-nm 409/tcp #Prospero Resource Manager Node Man. +prm-nm 409/udp #Prospero Resource Manager Node Man. +decladebug 410/tcp #DECLadebug Remote Debug Protocol +decladebug 410/udp #DECLadebug Remote Debug Protocol +rmt 411/tcp #Remote MT Protocol +rmt 411/udp #Remote MT Protocol +synoptics-trap 412/tcp #Trap Convention Port +synoptics-trap 412/udp #Trap Convention Port +smsp 413/tcp +smsp 413/udp +infoseek 414/tcp +infoseek 414/udp +bnet 415/tcp +bnet 415/udp +silverplatter 416/tcp +silverplatter 416/udp +onmux 417/tcp +onmux 417/udp +hyper-g 418/tcp +hyper-g 418/udp +ariel1 419/tcp +ariel1 419/udp +smpte 420/tcp +smpte 420/udp +ariel2 421/tcp +ariel2 421/udp +ariel3 422/tcp +ariel3 422/udp +opc-job-start 423/tcp #IBM Operations Planning and Control Start +opc-job-start 423/udp #IBM Operations Planning and Control Start +opc-job-track 424/tcp #IBM Operations Planning and Control Track +opc-job-track 424/udp #IBM Operations Planning and Control Track +icad-el 425/tcp +icad-el 425/udp +smartsdp 426/tcp +smartsdp 426/udp +svrloc 427/tcp #Server Location +svrloc 427/udp #Server Location +ocs_cmu 428/tcp +ocs_cmu 428/udp +ocs_amu 429/tcp +ocs_amu 429/udp +utmpsd 430/tcp +utmpsd 430/udp +utmpcd 431/tcp +utmpcd 431/udp +iasd 432/tcp +iasd 432/udp +nnsp 433/tcp +nnsp 433/udp +mobileip-agent 434/tcp +mobileip-agent 434/udp +mobilip-mn 435/tcp +mobilip-mn 435/udp +dna-cml 436/tcp +dna-cml 436/udp +comscm 437/tcp +comscm 437/udp +dsfgw 438/tcp +dsfgw 438/udp +dasp 439/tcp +dasp 439/udp +sgcp 440/tcp +sgcp 440/udp +decvms-sysmgt 441/tcp +decvms-sysmgt 441/udp +cvc_hostd 442/tcp +cvc_hostd 442/udp +https 443/tcp +https 443/udp +snpp 444/tcp #Simple Network Paging Protocol +snpp 444/udp #Simple Network Paging Protocol +# [RFC1568] +microsoft-ds 445/tcp +microsoft-ds 445/udp +ddm-rdb 446/tcp +ddm-rdb 446/udp +ddm-dfm 447/tcp +ddm-dfm 447/udp +ddm-ssl 448/tcp ddm-byte +ddm-ssl 448/udp ddm-byte +as-servermap 449/tcp #AS Server Mapper +as-servermap 449/udp #AS Server Mapper +tserver 450/tcp +tserver 450/udp +sfs-smp-net 451/tcp #Cray Network Semaphore server +sfs-smp-net 451/udp #Cray Network Semaphore server +sfs-config 452/tcp #Cray SFS config server +sfs-config 452/udp #Cray SFS config server +creativeserver 453/tcp #CreativeServer +creativeserver 453/udp #CreativeServer +contentserver 454/tcp #ContentServer +contentserver 454/udp #ContentServer +creativepartnr 455/tcp #CreativePartnr +creativepartnr 455/udp #CreativePartnr +macon-tcp 456/tcp +macon-udp 456/udp +scohelp 457/tcp +scohelp 457/udp +appleqtc 458/tcp #apple quick time +appleqtc 458/udp #apple quick time +ampr-rcmd 459/tcp +ampr-rcmd 459/udp +skronk 460/tcp +skronk 460/udp +datasurfsrv 461/tcp +datasurfsrv 461/udp +datasurfsrvsec 462/tcp +datasurfsrvsec 462/udp +alpes 463/tcp +alpes 463/udp +# +kpasswd5 464/tcp # Kerberos (v5) +kpasswd5 464/udp # Kerberos (v5) +#PROBLEMS!============================================================== +# IANA has offically assigned these two ports as ``kpasswd'' +#kpasswd 464/tcp # Kerberos (v5) +#kpasswd 464/udp # Kerberos (v5) +#PROBLEMS!============================================================== +smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp) +smtps 465/udp #smtp protocol over TLS/SSL (was ssmtp) +digital-vrc 466/tcp +digital-vrc 466/udp +mylex-mapd 467/tcp +mylex-mapd 467/udp +photuris 468/tcp +photuris 468/udp +rcp 469/tcp #Radio Control Protocol +rcp 469/udp #Radio Control Protocol +scx-proxy 470/tcp +scx-proxy 470/udp +mondex 471/tcp +mondex 471/udp +ljk-login 472/tcp +ljk-login 472/udp +hybrid-pop 473/tcp +hybrid-pop 473/udp +tn-tl-w1 474/tcp +tn-tl-w2 474/udp +tcpnethaspsrv 475/tcp +tcpnethaspsrv 475/udp +tn-tl-fd1 476/tcp +tn-tl-fd1 476/udp +ss7ns 477/tcp +ss7ns 477/udp +spsc 478/tcp +spsc 478/udp +iafserver 479/tcp +iafserver 479/udp +iafdbase 480/tcp +iafdbase 480/udp +ph 481/tcp +ph 481/udp +bgs-nsi 482/tcp +bgs-nsi 482/udp +ulpnet 483/tcp +ulpnet 483/udp +integra-sme 484/tcp #Integra Software Management Environment +integra-sme 484/udp #Integra Software Management Environment +powerburst 485/tcp #Air Soft Power Burst +powerburst 485/udp #Air Soft Power Burst +avian 486/tcp +avian 486/udp +saft 487/tcp #saft Simple Asynchronous File Transfer +saft 487/udp #saft Simple Asynchronous File Transfer +gss-http 488/tcp +gss-http 488/udp +nest-protocol 489/tcp +nest-protocol 489/udp +micom-pfs 490/tcp +micom-pfs 490/udp +go-login 491/tcp +go-login 491/udp +ticf-1 492/tcp #Transport Independent Convergence for FNA +ticf-1 492/udp #Transport Independent Convergence for FNA +ticf-2 493/tcp #Transport Independent Convergence for FNA +ticf-2 493/udp #Transport Independent Convergence for FNA +pov-ray 494/tcp +pov-ray 494/udp +intecourier 495/tcp +intecourier 495/udp +pim-rp-disc 496/tcp +pim-rp-disc 496/udp +dantz 497/tcp +dantz 497/udp +siam 498/tcp +siam 498/udp +iso-ill 499/tcp #ISO ILL Protocol +iso-ill 499/udp #ISO ILL Protocol +isakmp 500/tcp +isakmp 500/udp +stmf 501/tcp +stmf 501/udp +asa-appl-proto 502/tcp +asa-appl-proto 502/udp +intrinsa 503/tcp +intrinsa 503/udp +citadel 504/tcp +citadel 504/udp +mailbox-lm 505/tcp +mailbox-lm 505/udp +ohimsrv 506/tcp +ohimsrv 506/udp +crs 507/tcp +crs 507/udp +xvttp 508/tcp +xvttp 508/udp +snare 509/tcp +snare 509/udp +fcp 510/tcp #FirstClass Protocol +fcp 510/udp #FirstClass Protocol +passgo 511/tcp +passgo 511/udp +# +# Berkeley-specific services +# +exec 512/tcp #remote process execution; +# authentication performed using +# passwords and UNIX login names +biff 512/udp comsat #used by mail system to notify users +# of new mail received; currently +# receives messages only from +# processes on the same machine +login 513/tcp #remote login a la telnet; +# automatic authentication performed +# based on priviledged port numbers +# and distributed data bases which +# identify "authentication domains" +who 513/udp whod #maintains data bases showing who's +# logged in to machines on a local +# net and the load average of the +# machine +shell 514/tcp cmd #like exec, but automatic +# authentication is performed as for +# login server +syslog 514/udp +printer 515/tcp spooler +printer 515/udp spooler +videotex 516/tcp +videotex 516/udp +talk 517/tcp #like tenex link, but across +# machine - unfortunately, doesn't +# use link protocol (this is actually +# just a rendezvous port from which a +# tcp connection is established) +talk 517/udp #like tenex link, but across +# machine - unfortunately, doesn't +# use link protocol (this is actually +# just a rendezvous port from which a +# tcp connection is established) +ntalk 518/tcp +ntalk 518/udp +utime 519/tcp unixtime +utime 519/udp unixtime +efs 520/tcp #extended file name server +router 520/udp route routed #local routing process (on site); +# uses variant of Xerox NS routing +# information protocol +ripng 521/tcp +ripng 521/udp +ulp 522/tcp +ulp 522/udp +ibm-db2 523/tcp +ibm-db2 523/udp +ncp 524/tcp +ncp 524/udp +timed 525/tcp timeserver +timed 525/udp timeserver +tempo 526/tcp newdate +tempo 526/udp newdate +stx 527/tcp #Stock IXChange +stx 527/udp #Stock IXChange +custix 528/tcp #Customer IXChange +custix 528/udp #Customer IXChange +irc-serv 529/tcp +irc-serv 529/udp +courier 530/tcp rpc +courier 530/udp rpc +conference 531/tcp chat +conference 531/udp chat +netnews 532/tcp readnews +netnews 532/udp readnews +netwall 533/tcp #for emergency broadcasts +netwall 533/udp #for emergency broadcasts +mm-admin 534/tcp #MegaMedia Admin +mm-admin 534/udp #MegaMedia Admin +iiop 535/tcp +iiop 535/udp +opalis-rdv 536/tcp +opalis-rdv 536/udp +nmsp 537/tcp #Networked Media Streaming Protocol +nmsp 537/udp #Networked Media Streaming Protocol +gdomap 538/tcp +gdomap 538/udp +apertus-ldp 539/tcp #Apertus Technologies Load Determination +apertus-ldp 539/udp #Apertus Technologies Load Determination +uucp 540/tcp uucpd +uucp 540/udp uucpd +uucp-rlogin 541/tcp +uucp-rlogin 541/udp +commerce 542/tcp +commerce 542/udp +klogin 543/tcp # Kerberos (v4/v5) +klogin 543/udp # Kerberos (v4/v5) +kshell 544/tcp krcmd # Kerberos (v4/v5) +kshell 544/udp krcmd # Kerberos (v4/v5) +appleqtcsrvr 545/tcp +appleqtcsrvr 545/udp +dhcpv6-client 546/tcp #DHCPv6 Client +dhcpv6-client 546/udp #DHCPv6 Client +dhcpv6-server 547/tcp #DHCPv6 Server +dhcpv6-server 547/udp #DHCPv6 Server +afpovertcp 548/tcp #AFP over TCP +afpovertcp 548/udp #AFP over TCP +idfp 549/tcp +idfp 549/udp +new-rwho 550/tcp new-who +new-rwho 550/udp new-who +cybercash 551/tcp +cybercash 551/udp +deviceshare 552/tcp +deviceshare 552/udp +pirp 553/tcp +pirp 553/udp +rtsp 554/tcp #Real Time Stream Control Protocol +rtsp 554/udp #Real Time Stream Control Protocol +dsf 555/tcp +dsf 555/udp +remotefs 556/tcp rfs rfs_server # Brunhoff remote filesystem +remotefs 556/udp rfs rfs_server # Brunhoff remote filesystem +openvms-sysipc 557/tcp +openvms-sysipc 557/udp +sdnskmp 558/tcp +sdnskmp 558/udp +teedtap 559/tcp +teedtap 559/udp +rmonitor 560/tcp rmonitord +rmonitor 560/udp rmonitord +monitor 561/tcp +monitor 561/udp +chshell 562/tcp chcmd +chshell 562/udp chcmd +nntps 563/tcp snntp #nntp protocol over TLS/SSL +nntps 563/udp snntp #nntp protocol over TLS/SSL +9pfs 564/tcp #plan 9 file service +9pfs 564/udp #plan 9 file service +whoami 565/tcp +whoami 565/udp +streettalk 566/tcp +banyan-rpc 567/tcp +banyan-rpc 567/udp +ms-shuttle 568/tcp #Microsoft shuttle +ms-shuttle 568/udp #Microsoft shuttle +ms-rome 569/tcp #Microsoft rome +ms-rome 569/udp #Microsoft rome +meter 570/tcp #demon +meter 570/udp #demon +umeter 571/tcp #udemon +umeter 571/udp #udemon +sonar 572/tcp +sonar 572/udp +banyan-vip 573/tcp +banyan-vip 573/udp +ftp-agent 574/tcp #FTP Software Agent System +ftp-agent 574/udp #FTP Software Agent System +vemmi 575/tcp +vemmi 575/udp +ipcd 576/tcp +ipcd 576/udp +vnas 577/tcp +vnas 577/udp +ipdd 578/tcp +ipdd 578/udp +decbsrv 579/tcp +decbsrv 579/udp +sntp-heartbeat 580/tcp +sntp-heartbeat 580/udp +bdp 581/tcp #Bundle Discovery Protocol +bdp 581/udp #Bundle Discovery Protocol +scc-security 582/tcp +scc-security 582/udp +philips-vc 583/tcp #Philips Video-Conferencing +philips-vc 583/udp #Philips Video-Conferencing +keyserver 584/tcp +keyserver 584/udp +#imap4-ssl@585 never should have been allocated. See PR 46294. +#imap4-ssl 585/tcp #IMAP4+SSL (use of 585 is not recommended, +#imap4-ssl 585/udp # use 993 instead) +password-chg 586/tcp +password-chg 586/udp +submission 587/tcp +submission 587/udp +cal 588/tcp +cal 588/udp +eyelink 589/tcp +eyelink 589/udp +tns-cml 590/tcp +tns-cml 590/udp +http-alt 591/tcp #FileMaker, Inc. - HTTP Alternate (see Port 80) +http-alt 591/udp #FileMaker, Inc. - HTTP Alternate (see Port 80) +eudora-set 592/tcp +eudora-set 592/udp +http-rpc-epmap 593/tcp #HTTP RPC Ep Map +http-rpc-epmap 593/udp #HTTP RPC Ep Map +tpip 594/tcp +tpip 594/udp +cab-protocol 595/tcp +cab-protocol 595/udp +smsd 596/tcp +smsd 596/udp +ptcnameservice 597/tcp #PTC Name Service +ptcnameservice 597/udp #PTC Name Service +sco-websrvrmg3 598/tcp #SCO Web Server Manager 3 +sco-websrvrmg3 598/udp #SCO Web Server Manager 3 +acp 599/tcp #Aeolon Core Protocol +acp 599/udp #Aeolon Core Protocol +ipcserver 600/tcp #Sun IPC server +ipcserver 600/udp #Sun IPC server +nqs 607/tcp +nqs 607/udp +urm 606/tcp #Cray Unified Resource Manager +urm 606/udp #Cray Unified Resource Manager +sift-uft 608/tcp #Sender-Initiated/Unsolicited File Transfer +sift-uft 608/udp #Sender-Initiated/Unsolicited File Transfer +npmp-trap 609/tcp +npmp-trap 609/udp +npmp-local 610/tcp +npmp-local 610/udp +npmp-gui 611/tcp +npmp-gui 611/udp +sshell 614/tcp #SSLshell +sshell 614/udp +ipp 631/tcp #IPP (Internet Printing Protocol) +ipp 631/udp #IPP (Internet Printing Protocol) +ginad 634/tcp +ginad 634/udp +ldaps 636/tcp sldap #ldap protocol over TLS/SSL +ldaps 636/udp sldap +mdqs 666/tcp +mdqs 666/udp +#PROBLEMS!=============================================== +doom 666/tcp #doom Id Software +doom 666/udp #doom Id Software +#PROBLEMS!=============================================== +acap 674/tcp #Application Configuration Access Protocol +acap 674/udp #Application Configuration Access Protocol +elcsd 704/tcp #errlog copy/server daemon +elcsd 704/udp #errlog copy/server daemon +entrustmanager 709/tcp #EntrustManager +entrustmanager 709/udp #EntrustManager +netviewdm1 729/tcp #IBM NetView DM/6000 Server/Client +netviewdm1 729/udp #IBM NetView DM/6000 Server/Client +netviewdm2 730/tcp #IBM NetView DM/6000 send/tcp +netviewdm2 730/udp #IBM NetView DM/6000 send/tcp +netviewdm3 731/tcp #IBM NetView DM/6000 receive/tcp +netviewdm3 731/udp #IBM NetView DM/6000 receive/tcp +netgw 741/tcp +netgw 741/udp +netrcs 742/tcp #Network based Rev. Cont. Sys. +netrcs 742/udp #Network based Rev. Cont. Sys. +flexlm 744/tcp #Flexible License Manager +flexlm 744/udp #Flexible License Manager +fujitsu-dev 747/tcp #Fujitsu Device Control +fujitsu-dev 747/udp #Fujitsu Device Control +ris-cm 748/tcp #Russell Info Sci Calendar Manager +ris-cm 748/udp #Russell Info Sci Calendar Manager +kerberos-adm 749/tcp #Kerberos administration (v5) +kerberos-adm 749/udp #Kerberos administration (v5) +kerberos-iv 750/udp kdc # Kerberos (v4) +kerberos-iv 750/tcp kdc # Kerberos (v4) +#PROBLEMS!======================================================== +#rfile 750/tcp +#loadav 750/udp +#PROBLEMS!======================================================== +kerberos_master 751/tcp # Kerberos `kadmin' (v4) +kerberos_master 751/udp # Kerberos `kadmin' (v4) +#PROBLEMS!======================================================== +pump 751/tcp +pump 751/udp +#PROBLEMS!======================================================== +qrh 752/tcp +qrh 752/udp +rrh 753/tcp +rrh 753/udp +krb_prop 754/tcp krb5_prop # kerberos/v5 server propagation +#PROBLEMS!======================================================== +tell 754/tcp #send +#PROBLEMS!======================================================== +tell 754/udp #send +nlogin 758/tcp +nlogin 758/udp +con 759/tcp +con 759/udp +krbupdate 760/tcp kreg # Kerberos (v4) registration +#PROBLEMS!======================================================== +ns 760/tcp +#PROBLEMS!======================================================== +ns 760/udp +kpasswd 761/tcp kpwd # Kerberos (v4) "passwd" +#PROBLEMS!======================================================== +rxe 761/tcp +#PROBLEMS!======================================================== +rxe 761/udp +quotad 762/tcp +quotad 762/udp +cycleserv 763/tcp +cycleserv 763/udp +omserv 764/tcp +omserv 764/udp +webster 765/tcp +webster 765/udp +phonebook 767/tcp #phone +phonebook 767/udp #phone +vid 769/tcp +vid 769/udp +cadlock 770/tcp +cadlock 770/udp +rtip 771/tcp +rtip 771/udp +cycleserv2 772/tcp +cycleserv2 772/udp +submit 773/tcp +notify 773/udp +rpasswd 774/tcp +acmaint_dbd 774/udp +entomb 775/tcp +acmaint_transd 775/udp +wpages 776/tcp +wpages 776/udp +wpgs 780/tcp +wpgs 780/udp +concert 786/tcp +concert 786/udp +mdbs_daemon 800/tcp +mdbs_daemon 800/udp +device 801/tcp +device 801/udp +supfilesrv 871/tcp # for SUP +rsync 873/tcp +rsync 873/udp +accessbuilder 888/tcp +accessbuilder 888/udp +swat 901/tcp # samba web configuration tool +ftps-data 989/tcp # ftp protocol, data, over TLS/SSL +ftps-data 989/udp +ftps 990/tcp # ftp protocol, control, over TLS/SSL +ftps 990/udp +telnets 992/tcp # telnet protocol over TLS/SSL +telnets 992/udp +imaps 993/tcp # imap4 protocol over TLS/SSL +imaps 993/udp +ircs 994/tcp # irc protocol over TLS/SSL +ircs 994/udp +pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL +pop3s 995/udp spop3 +vsinet 996/tcp +vsinet 996/udp +maitrd 997/tcp +maitrd 997/udp +busboy 998/tcp +puparp 998/udp +garcon 999/tcp +applix 999/udp #Applix ac +puprouter 999/tcp +puprouter 999/udp +cadlock 1000/tcp +ock 1000/udp +# +# REGISTERED PORT NUMBERS +# +blackjack 1025/tcp #network blackjack +blackjack 1025/udp #network blackjack +iad1 1030/tcp #BBN IAD +iad1 1030/udp #BBN IAD +iad2 1031/tcp #BBN IAD +iad2 1031/udp #BBN IAD +iad3 1032/tcp #BBN IAD +iad3 1032/udp #BBN IAD +nim 1058/tcp +nim 1058/udp +nimreg 1059/tcp +nimreg 1059/udp +instl_boots 1067/tcp #Installation Bootstrap Proto. Serv. +instl_boots 1067/udp #Installation Bootstrap Proto. Serv. +instl_bootc 1068/tcp #Installation Bootstrap Proto. Cli. +instl_bootc 1068/udp #Installation Bootstrap Proto. Cli. +socks 1080/tcp +socks 1080/udp +ansoft-lm-1 1083/tcp #Anasoft License Manager +ansoft-lm-1 1083/udp #Anasoft License Manager +ansoft-lm-2 1084/tcp #Anasoft License Manager +ansoft-lm-2 1084/udp #Anasoft License Manager +webobjects 1085/tcp #Web Objects +webobjects 1085/udp #Web Objects +kpop 1109/tcp #Unofficial +kpop 1109/udp #Unofficial +nfsd-status 1110/tcp #Cluster status info +nfsd-keepalive 1110/udp #Client status info +supfiledbg 1127/tcp # for SUP +nfa 1155/tcp #Network File Access +nfa 1155/udp #Network File Access +phone 1167/udp #conference calling +skkserv 1178/tcp #SKK (kanji input) +lupa 1212/tcp +lupa 1212/udp +nerv 1222/tcp #SNI R&D network +nerv 1222/udp #SNI R&D network +hermes 1248/tcp +hermes 1248/udp +healthd 1281/tcp #healthd +healthd 1281/udp #healthd +alta-ana-lm 1346/tcp #Alta Analytics License Manager +alta-ana-lm 1346/udp #Alta Analytics License Manager +bbn-mmc 1347/tcp #multi media conferencing +bbn-mmc 1347/udp #multi media conferencing +bbn-mmx 1348/tcp #multi media conferencing +bbn-mmx 1348/udp #multi media conferencing +sbook 1349/tcp #Registration Network Protocol +sbook 1349/udp #Registration Network Protocol +editbench 1350/tcp #Registration Network Protocol +editbench 1350/udp #Registration Network Protocol +equationbuilder 1351/tcp #Digital Tool Works (MIT) +equationbuilder 1351/udp #Digital Tool Works (MIT) +lotusnote 1352/tcp #Lotus Note +lotusnote 1352/udp #Lotus Note +relief 1353/tcp #Relief Consulting +relief 1353/udp #Relief Consulting +rightbrain 1354/tcp #RightBrain Software +rightbrain 1354/udp #RightBrain Software +intuitive-edge 1355/tcp #Intuitive Edge +intuitive-edge 1355/udp #Intuitive Edge +cuillamartin 1356/tcp #CuillaMartin Company +cuillamartin 1356/udp #CuillaMartin Company +pegboard 1357/tcp #Electronic PegBoard +pegboard 1357/udp #Electronic PegBoard +connlcli 1358/tcp +connlcli 1358/udp +ftsrv 1359/tcp +ftsrv 1359/udp +mimer 1360/tcp +mimer 1360/udp +linx 1361/tcp +linx 1361/udp +timeflies 1362/tcp +timeflies 1362/udp +ndm-requester 1363/tcp #Network DataMover Requester +ndm-requester 1363/udp #Network DataMover Requester +ndm-server 1364/tcp #Network DataMover Server +ndm-server 1364/udp #Network DataMover Server +adapt-sna 1365/tcp #Network Software Associates +adapt-sna 1365/udp #Network Software Associates +netware-csp 1366/tcp #Novell NetWare Comm Service Platform +netware-csp 1366/udp #Novell NetWare Comm Service Platform +dcs 1367/tcp +dcs 1367/udp +screencast 1368/tcp +screencast 1368/udp +gv-us 1369/tcp #GlobalView to Unix Shell +gv-us 1369/udp #GlobalView to Unix Shell +us-gv 1370/tcp #Unix Shell to GlobalView +us-gv 1370/udp #Unix Shell to GlobalView +fc-cli 1371/tcp #Fujitsu Config Protocol +fc-cli 1371/udp #Fujitsu Config Protocol +fc-ser 1372/tcp #Fujitsu Config Protocol +fc-ser 1372/udp #Fujitsu Config Protocol +chromagrafx 1373/tcp +chromagrafx 1373/udp +molly 1374/tcp #EPI Software Systems +molly 1374/udp #EPI Software Systems +bytex 1375/tcp +bytex 1375/udp +ibm-pps 1376/tcp #IBM Person to Person Software +ibm-pps 1376/udp #IBM Person to Person Software +cichlid 1377/tcp #Cichlid License Manager +cichlid 1377/udp #Cichlid License Manager +elan 1378/tcp #Elan License Manager +elan 1378/udp #Elan License Manager +dbreporter 1379/tcp #Integrity Solutions +dbreporter 1379/udp #Integrity Solutions +telesis-licman 1380/tcp #Telesis Network License Manager +telesis-licman 1380/udp #Telesis Network License Manager +apple-licman 1381/tcp #Apple Network License Manager +apple-licman 1381/udp #Apple Network License Manager +#udt_os 1382/tcp +#udt_os 1382/udp +gwha 1383/tcp #GW Hannaway Network License Manager +gwha 1383/udp #GW Hannaway Network License Manager +os-licman 1384/tcp #Objective Solutions License Manager +os-licman 1384/udp #Objective Solutions License Manager +atex_elmd 1385/tcp #Atex Publishing License Manager +atex_elmd 1385/udp #Atex Publishing License Manager +checksum 1386/tcp #CheckSum License Manager +checksum 1386/udp #CheckSum License Manager +cadsi-lm 1387/tcp #Computer Aided Design Software Inc LM +cadsi-lm 1387/udp #Computer Aided Design Software Inc LM +objective-dbc 1388/tcp #Objective Solutions DataBase Cache +objective-dbc 1388/udp #Objective Solutions DataBase Cache +iclpv-dm 1389/tcp #Document Manager +iclpv-dm 1389/udp #Document Manager +iclpv-sc 1390/tcp #Storage Controller +iclpv-sc 1390/udp #Storage Controller +iclpv-sas 1391/tcp #Storage Access Server +iclpv-sas 1391/udp #Storage Access Server +iclpv-pm 1392/tcp #Print Manager +iclpv-pm 1392/udp #Print Manager +iclpv-nls 1393/tcp #Network Log Server +iclpv-nls 1393/udp #Network Log Server +iclpv-nlc 1394/tcp #Network Log Client +iclpv-nlc 1394/udp #Network Log Client +iclpv-wsm 1395/tcp #PC Workstation Manager software +iclpv-wsm 1395/udp #PC Workstation Manager software +dvl-activemail 1396/tcp #DVL Active Mail +dvl-activemail 1396/udp #DVL Active Mail +audio-activmail 1397/tcp #Audio Active Mail +audio-activmail 1397/udp #Audio Active Mail +video-activmail 1398/tcp #Video Active Mail +video-activmail 1398/udp #Video Active Mail +cadkey-licman 1399/tcp #Cadkey License Manager +cadkey-licman 1399/udp #Cadkey License Manager +cadkey-tablet 1400/tcp #Cadkey Tablet Daemon +cadkey-tablet 1400/udp #Cadkey Tablet Daemon +goldleaf-licman 1401/tcp #Goldleaf License Manager +goldleaf-licman 1401/udp #Goldleaf License Manager +prm-sm-np 1402/tcp #Prospero Resource Manager +prm-sm-np 1402/udp #Prospero Resource Manager +prm-nm-np 1403/tcp #Prospero Resource Manager +prm-nm-np 1403/udp #Prospero Resource Manager +igi-lm 1404/tcp #Infinite Graphics License Manager +igi-lm 1404/udp #Infinite Graphics License Manager +ibm-res 1405/tcp #IBM Remote Execution Starter +ibm-res 1405/udp #IBM Remote Execution Starter +netlabs-lm 1406/tcp #NetLabs License Manager +netlabs-lm 1406/udp #NetLabs License Manager +dbsa-lm 1407/tcp #DBSA License Manager +dbsa-lm 1407/udp #DBSA License Manager +sophia-lm 1408/tcp #Sophia License Manager +sophia-lm 1408/udp #Sophia License Manager +here-lm 1409/tcp #Here License Manager +here-lm 1409/udp #Here License Manager +hiq 1410/tcp #HiQ License Manager +hiq 1410/udp #HiQ License Manager +af 1411/tcp #AudioFile +af 1411/udp #AudioFile +innosys 1412/tcp +innosys 1412/udp +innosys-acl 1413/tcp +innosys-acl 1413/udp +ibm-mqseries 1414/tcp #IBM MQSeries +ibm-mqseries 1414/udp #IBM MQSeries +dbstar 1415/tcp +dbstar 1415/udp +novell-lu6.2 1416/tcp #Novell LU6.2 +novell-lu6.2 1416/udp #Novell LU6.2 +timbuktu-srv1 1417/tcp #Timbuktu Service 1 Port +timbuktu-srv1 1417/udp #Timbuktu Service 1 Port +timbuktu-srv2 1418/tcp #Timbuktu Service 2 Port +timbuktu-srv2 1418/udp #Timbuktu Service 2 Port +timbuktu-srv3 1419/tcp #Timbuktu Service 3 Port +timbuktu-srv3 1419/udp #Timbuktu Service 3 Port +timbuktu-srv4 1420/tcp #Timbuktu Service 4 Port +timbuktu-srv4 1420/udp #Timbuktu Service 4 Port +gandalf-lm 1421/tcp #Gandalf License Manager +gandalf-lm 1421/udp #Gandalf License Manager +autodesk-lm 1422/tcp #Autodesk License Manager +autodesk-lm 1422/udp #Autodesk License Manager +essbase 1423/tcp #Essbase Arbor Software +essbase 1423/udp #Essbase Arbor Software +hybrid 1424/tcp #Hybrid Encryption Protocol +hybrid 1424/udp #Hybrid Encryption Protocol +zion-lm 1425/tcp #Zion Software License Manager +zion-lm 1425/udp #Zion Software License Manager +sas-1 1426/tcp #Satellite-data Acquisition System 1 +sas-1 1426/udp #Satellite-data Acquisition System 1 +mloadd 1427/tcp #mloadd monitoring tool +mloadd 1427/udp #mloadd monitoring tool +informatik-lm 1428/tcp #Informatik License Manager +informatik-lm 1428/udp #Informatik License Manager +nms 1429/tcp #Hypercom NMS +nms 1429/udp #Hypercom NMS +tpdu 1430/tcp #Hypercom TPDU +tpdu 1430/udp #Hypercom TPDU +rgtp 1431/tcp #Reverse Gossip Transport +rgtp 1431/udp #Reverse Gossip Transport +blueberry-lm 1432/tcp #Blueberry Software License Manager +blueberry-lm 1432/udp #Blueberry Software License Manager +ms-sql-s 1433/tcp #Microsoft-SQL-Server +ms-sql-s 1433/udp #Microsoft-SQL-Server +ms-sql-m 1434/tcp #Microsoft-SQL-Monitor +ms-sql-m 1434/udp #Microsoft-SQL-Monitor +ibm-cics 1435/tcp +ibm-cics 1435/udp +sas-2 1436/tcp #Satellite-data Acquisition System 2 +sas-2 1436/udp #Satellite-data Acquisition System 2 +tabula 1437/tcp +tabula 1437/udp +eicon-server 1438/tcp #Eicon Security Agent/Server +eicon-server 1438/udp #Eicon Security Agent/Server +eicon-x25 1439/tcp #Eicon X25/SNA Gateway +eicon-x25 1439/udp #Eicon X25/SNA Gateway +eicon-slp 1440/tcp #Eicon Service Location Protocol +eicon-slp 1440/udp #Eicon Service Location Protocol +cadis-1 1441/tcp #Cadis License Management +cadis-1 1441/udp #Cadis License Management +cadis-2 1442/tcp #Cadis License Management +cadis-2 1442/udp #Cadis License Management +ies-lm 1443/tcp #Integrated Engineering Software +ies-lm 1443/udp #Integrated Engineering Software +marcam-lm 1444/tcp #Marcam License Management +marcam-lm 1444/udp #Marcam License Management +proxima-lm 1445/tcp #Proxima License Manager +proxima-lm 1445/udp #Proxima License Manager +ora-lm 1446/tcp #Optical Research Associates License Manager +ora-lm 1446/udp #Optical Research Associates License Manager +apri-lm 1447/tcp #Applied Parallel Research LM +apri-lm 1447/udp #Applied Parallel Research LM +oc-lm 1448/tcp #OpenConnect License Manager +oc-lm 1448/udp #OpenConnect License Manager +peport 1449/tcp +peport 1449/udp +dwf 1450/tcp #Tandem Distributed Workbench Facility +dwf 1450/udp #Tandem Distributed Workbench Facility +infoman 1451/tcp #IBM Information Management +infoman 1451/udp #IBM Information Management +gtegsc-lm 1452/tcp #GTE Government Systems License Man +gtegsc-lm 1452/udp #GTE Government Systems License Man +genie-lm 1453/tcp #Genie License Manager +genie-lm 1453/udp #Genie License Manager +interhdl_elmd 1454/tcp #interHDL License Manager +interhdl_elmd 1454/udp #interHDL License Manager +esl-lm 1455/tcp #ESL License Manager +esl-lm 1455/udp #ESL License Manager +dca 1456/tcp +dca 1456/udp +valisys-lm 1457/tcp #Valisys License Manager +valisys-lm 1457/udp #Valisys License Manager +nrcabq-lm 1458/tcp #Nichols Research Corp. +nrcabq-lm 1458/udp #Nichols Research Corp. +proshare1 1459/tcp #Proshare Notebook Application +proshare1 1459/udp #Proshare Notebook Application +proshare2 1460/tcp #Proshare Notebook Application +proshare2 1460/udp #Proshare Notebook Application +ibm_wrless_lan 1461/tcp #IBM Wireless LAN +ibm_wrless_lan 1461/udp #IBM Wireless LAN +world-lm 1462/tcp #World License Manager +world-lm 1462/udp #World License Manager +nucleus 1463/tcp +nucleus 1463/udp +msl_lmd 1464/tcp #MSL License Manager +msl_lmd 1464/udp #MSL License Manager +pipes 1465/tcp #Pipes Platform +pipes 1465/udp #Pipes Platform mfarlin@peerlogic.com +oceansoft-lm 1466/tcp #Ocean Software License Manager +oceansoft-lm 1466/udp #Ocean Software License Manager +csdmbase 1467/tcp +csdmbase 1467/udp +csdm 1468/tcp +csdm 1468/udp +aal-lm 1469/tcp #Active Analysis Limited License Manager +aal-lm 1469/udp #Active Analysis Limited License Manager +uaiact 1470/tcp #Universal Analytics +uaiact 1470/udp #Universal Analytics +csdmbase 1471/tcp +csdmbase 1471/udp +csdm 1472/tcp +csdm 1472/udp +openmath 1473/tcp +openmath 1473/udp +telefinder 1474/tcp +telefinder 1474/udp +taligent-lm 1475/tcp #Taligent License Manager +taligent-lm 1475/udp #Taligent License Manager +clvm-cfg 1476/tcp +clvm-cfg 1476/udp +ms-sna-server 1477/tcp +ms-sna-server 1477/udp +ms-sna-base 1478/tcp +ms-sna-base 1478/udp +dberegister 1479/tcp +dberegister 1479/udp +pacerforum 1480/tcp +pacerforum 1480/udp +airs 1481/tcp +airs 1481/udp +miteksys-lm 1482/tcp #Miteksys License Manager +miteksys-lm 1482/udp #Miteksys License Manager +afs 1483/tcp #AFS License Manager +afs 1483/udp #AFS License Manager +confluent 1484/tcp #Confluent License Manager +confluent 1484/udp #Confluent License Manager +lansource 1485/tcp +lansource 1485/udp +nms_topo_serv 1486/tcp +nms_topo_serv 1486/udp +localinfosrvr 1487/tcp +localinfosrvr 1487/udp +docstor 1488/tcp +docstor 1488/udp +dmdocbroker 1489/tcp +dmdocbroker 1489/udp +insitu-conf 1490/tcp +insitu-conf 1490/udp +anynetgateway 1491/tcp +anynetgateway 1491/udp +stone-design-1 1492/tcp +stone-design-1 1492/udp +netmap_lm 1493/tcp +netmap_lm 1493/udp +ica 1494/tcp +ica 1494/udp +cvc 1495/tcp +cvc 1495/udp +liberty-lm 1496/tcp +liberty-lm 1496/udp +rfx-lm 1497/tcp +rfx-lm 1497/udp +watcom-sql 1498/tcp +watcom-sql 1498/udp +fhc 1499/tcp #Federico Heinz Consultora +fhc 1499/udp #Federico Heinz Consultora +vlsi-lm 1500/tcp #VLSI License Manager +vlsi-lm 1500/udp #VLSI License Manager +sas-3 1501/tcp #Satellite-data Acquisition System 3 +sas-3 1501/udp #Satellite-data Acquisition System 3 +shivadiscovery 1502/tcp #Shiva +shivadiscovery 1502/udp #Shiva +imtc-mcs 1503/tcp #Databeam +imtc-mcs 1503/udp #Databeam +evb-elm 1504/tcp #EVB Software Engineering License Manager +evb-elm 1504/udp #EVB Software Engineering License Manager +funkproxy 1505/tcp #Funk Software, Inc. +funkproxy 1505/udp #Funk Software, Inc. +utcd 1506/tcp #Universal Time daemon (utcd) +utcd 1506/udp #Universal Time daemon (utcd) +symplex 1507/tcp +symplex 1507/udp +diagmond 1508/tcp +diagmond 1508/udp +robcad-lm 1509/tcp #Robcad, Ltd. License Manager +robcad-lm 1509/udp #Robcad, Ltd. License Manager +mvx-lm 1510/tcp #Midland Valley Exploration Ltd. Lic. Man. +mvx-lm 1510/udp #Midland Valley Exploration Ltd. Lic. Man. +3l-l1 1511/tcp +3l-l1 1511/udp +wins 1512/tcp #Microsoft's Windows Internet Name Service +wins 1512/udp #Microsoft's Windows Internet Name Service +fujitsu-dtc 1513/tcp #Fujitsu Systems Business of America, Inc +fujitsu-dtc 1513/udp #Fujitsu Systems Business of America, Inc +fujitsu-dtcns 1514/tcp #Fujitsu Systems Business of America, Inc +fujitsu-dtcns 1514/udp #Fujitsu Systems Business of America, Inc +ifor-protocol 1515/tcp +ifor-protocol 1515/udp +vpad 1516/tcp #Virtual Places Audio data +vpad 1516/udp #Virtual Places Audio data +vpac 1517/tcp #Virtual Places Audio control +vpac 1517/udp #Virtual Places Audio control +vpvd 1518/tcp #Virtual Places Video data +vpvd 1518/udp #Virtual Places Video data +vpvc 1519/tcp #Virtual Places Video control +vpvc 1519/udp #Virtual Places Video control +atm-zip-office 1520/tcp #atm zip office +atm-zip-office 1520/udp #atm zip office +ncube-lm 1521/tcp #nCube License Manager +ncube-lm 1521/udp #nCube License Manager +rna-lm 1522/tcp #Ricardo North America License Manager +rna-lm 1522/udp #Ricardo North America License Manager +cichild-lm 1523/tcp +cichild-lm 1523/udp +ingreslock 1524/tcp #ingres +ingreslock 1524/udp #ingres +prospero-np 1525/tcp #Prospero Directory Service non-priv +prospero-np 1525/udp #Prospero Directory Service non-priv +#PROBLEMS!======================================================== +orasrv 1525/tcp #oracle +orasrv 1525/udp #oracle +#PROBLEMS!======================================================== +pdap-np 1526/tcp #Prospero Data Access Prot non-priv +pdap-np 1526/udp #Prospero Data Access Prot non-priv +tlisrv 1527/tcp #oracle +tlisrv 1527/udp #oracle +mciautoreg 1528/tcp +mciautoreg 1528/udp +support 1529/tcp prmsd gnatsd # cygnus bug tracker +coauthor 1529/tcp #oracle +coauthor 1529/udp #oracle +rap-service 1530/tcp +rap-service 1530/udp +rap-listen 1531/tcp +rap-listen 1531/udp +miroconnect 1532/tcp +miroconnect 1532/udp +virtual-places 1533/tcp #Virtual Places Software +virtual-places 1533/udp #Virtual Places Software +micromuse-lm 1534/tcp +micromuse-lm 1534/udp +ampr-info 1535/tcp +ampr-info 1535/udp +ampr-inter 1536/tcp +ampr-inter 1536/udp +sdsc-lm 1537/tcp +sdsc-lm 1537/udp +3ds-lm 1538/tcp +3ds-lm 1538/udp +intellistor-lm 1539/tcp #Intellistor License Manager +intellistor-lm 1539/udp #Intellistor License Manager +rds 1540/tcp +rds 1540/udp +rds2 1541/tcp +rds2 1541/udp +gridgen-elmd 1542/tcp +gridgen-elmd 1542/udp +simba-cs 1543/tcp +simba-cs 1543/udp +aspeclmd 1544/tcp +aspeclmd 1544/udp +vistium-share 1545/tcp +vistium-share 1545/udp +abbaccuray 1546/tcp +abbaccuray 1546/udp +laplink 1547/tcp +laplink 1547/udp +axon-lm 1548/tcp #Axon License Manager +axon-lm 1548/udp #Axon License Manager +shivahose 1549/tcp #Shiva Hose +shivasound 1549/udp #Shiva Sound +3m-image-lm 1550/tcp #Image Storage license manager 3M Company +3m-image-lm 1550/udp #Image Storage license manager 3M Company +hecmtl-db 1551/tcp +hecmtl-db 1551/udp +pciarray 1552/tcp +pciarray 1552/udp +issd 1600/tcp +issd 1600/udp +# IMPORTANT NOTE: Ports 1645/1646 are the traditional radius ports used by +# many vendors without obtaining official IANA assignment. The official +# assignment is now ports 1812/1813 and users are encouraged to migrate +# when possible to these new ports. +#radius 1645/udp #RADIUS authentication protocol (old) +#radacct 1646/udp #RADIUS accounting protocol (old) +nkd 1650/tcp +nkd 1650/udp +shiva_confsrvr 1651/tcp +shiva_confsrvr 1651/udp +xnmp 1652/tcp +xnmp 1652/udp +netview-aix-1 1661/tcp +netview-aix-1 1661/udp +netview-aix-2 1662/tcp +netview-aix-2 1662/udp +netview-aix-3 1663/tcp +netview-aix-3 1663/udp +netview-aix-4 1664/tcp +netview-aix-4 1664/udp +netview-aix-5 1665/tcp +netview-aix-5 1665/udp +netview-aix-6 1666/tcp +netview-aix-6 1666/udp +netview-aix-7 1667/tcp +netview-aix-7 1667/udp +netview-aix-8 1668/tcp +netview-aix-8 1668/udp +netview-aix-9 1669/tcp +netview-aix-9 1669/udp +netview-aix-10 1670/tcp +netview-aix-10 1670/udp +netview-aix-11 1671/tcp +netview-aix-11 1671/udp +netview-aix-12 1672/tcp +netview-aix-12 1672/udp +l2f 1701/tcp #l2f +l2f 1701/udp #l2f +l2tp 1701/tcp #Layer 2 Tunnelling Protocol +l2tp 1701/udp #Layer 2 Tunnelling Protocol +pptp 1723/tcp #Point-to-point tunnelling protocol +# IMPORTANT NOTE: See comments for ports 1645/1646 when using older equipment +radius 1812/udp #RADIUS authentication protocol (IANA sanctioned) +radacct 1813/udp #RADIUS accounting protocol (IANA sanctioned) +licensedaemon 1986/tcp #cisco license management +licensedaemon 1986/udp #cisco license management +tr-rsrb-p1 1987/tcp #cisco RSRB Priority 1 port +tr-rsrb-p1 1987/udp #cisco RSRB Priority 1 port +tr-rsrb-p2 1988/tcp #cisco RSRB Priority 2 port +tr-rsrb-p2 1988/udp #cisco RSRB Priority 2 port +tr-rsrb-p3 1989/tcp #cisco RSRB Priority 3 port +tr-rsrb-p3 1989/udp #cisco RSRB Priority 3 port +#PROBLEMS!=================================================== +mshnet 1989/tcp #MHSnet system +mshnet 1989/udp #MHSnet system +#PROBLEMS!=================================================== +stun-p1 1990/tcp #cisco STUN Priority 1 port +stun-p1 1990/udp #cisco STUN Priority 1 port +stun-p2 1991/tcp #cisco STUN Priority 2 port +stun-p2 1991/udp #cisco STUN Priority 2 port +stun-p3 1992/tcp #cisco STUN Priority 3 port +stun-p3 1992/udp #cisco STUN Priority 3 port +#PROBLEMS!=================================================== +ipsendmsg 1992/tcp +ipsendmsg 1992/udp +#PROBLEMS!=================================================== +snmp-tcp-port 1993/tcp #cisco SNMP TCP port +snmp-tcp-port 1993/udp #cisco SNMP TCP port +stun-port 1994/tcp #cisco serial tunnel port +stun-port 1994/udp #cisco serial tunnel port +perf-port 1995/tcp #cisco perf port +perf-port 1995/udp #cisco perf port +tr-rsrb-port 1996/tcp #cisco Remote SRB port +tr-rsrb-port 1996/udp #cisco Remote SRB port +gdp-port 1997/tcp #cisco Gateway Discovery Protocol +gdp-port 1997/udp #cisco Gateway Discovery Protocol +x25-svc-port 1998/tcp #cisco X.25 service (XOT) +x25-svc-port 1998/udp #cisco X.25 service (XOT) +tcp-id-port 1999/tcp #cisco identification port +tcp-id-port 1999/udp #cisco identification port +callbook 2000/tcp +callbook 2000/udp +dc 2001/tcp +wizard 2001/udp #curry +globe 2002/tcp +globe 2002/udp +cfingerd 2003/tcp #GNU finger +mailbox 2004/tcp +emce 2004/udp #CCWS mm conf +berknet 2005/tcp +oracle 2005/udp +invokator 2006/tcp +raid-cc 2006/udp #raid +dectalk 2007/tcp +raid-am 2007/udp +conf 2008/tcp +terminaldb 2008/udp +news 2009/tcp +whosockami 2009/udp +search 2010/tcp +pipe_server 2010/udp +raid-cc 2011/tcp #raid +servserv 2011/udp +ttyinfo 2012/tcp +raid-ac 2012/udp +raid-am 2013/tcp +raid-cd 2013/udp +troff 2014/tcp +raid-sf 2014/udp +cypress 2015/tcp +raid-cs 2015/udp +bootserver 2016/tcp +bootserver 2016/udp +cypress-stat 2017/tcp +bootclient 2017/udp +terminaldb 2018/tcp +rellpack 2018/udp +whosockami 2019/tcp +about 2019/udp +xinupageserver 2020/tcp +xinupageserver 2020/udp +servexec 2021/tcp +xinuexpansion1 2021/udp +down 2022/tcp +xinuexpansion2 2022/udp +xinuexpansion3 2023/tcp +xinuexpansion3 2023/udp +xinuexpansion4 2024/tcp +xinuexpansion4 2024/udp +ellpack 2025/tcp +xribs 2025/udp +scrabble 2026/tcp +scrabble 2026/udp +shadowserver 2027/tcp +shadowserver 2027/udp +submitserver 2028/tcp +submitserver 2028/udp +device2 2030/tcp +device2 2030/udp +blackboard 2032/tcp +blackboard 2032/udp +glogger 2033/tcp +glogger 2033/udp +scoremgr 2034/tcp +scoremgr 2034/udp +imsldoc 2035/tcp +imsldoc 2035/udp +objectmanager 2038/tcp +objectmanager 2038/udp +lam 2040/tcp +lam 2040/udp +interbase 2041/tcp +interbase 2041/udp +isis 2042/tcp +isis 2042/udp +isis-bcast 2043/tcp +isis-bcast 2043/udp +rimsl 2044/tcp +rimsl 2044/udp +cdfunc 2045/tcp +cdfunc 2045/udp +sdfunc 2046/tcp +sdfunc 2046/udp +#dls 2047/tcp +#dls 2047/udp +dls-monitor 2048/tcp +dls-monitor 2048/udp +nfsd 2049/tcp nfs # NFS server daemon +nfsd 2049/udp nfs # NFS server daemon +#PROBLEMS!============================================================= +#shilp 2049/tcp +#shilp 2049/udp +#PROBLEMS!============================================================= +dlsrpn 2065/tcp #Data Link Switch Read Port Number +dlsrpn 2065/udp #Data Link Switch Read Port Number +dlswpn 2067/tcp #Data Link Switch Write Port Number +dlswpn 2067/udp #Data Link Switch Write Port Number +zephyr-clt 2103/udp #Zephyr serv-hm connection +zephyr-hm 2104/udp #Zephyr hostmanager +#PROBLEMS!============================================================= +#zephyr-hm-srv 2105/udp #Zephyr hm-serv connection +#PROBLEMS!============================================================= +eklogin 2105/tcp #Kerberos (v4) encrypted rlogin +eklogin 2105/udp #Kerberos (v4) encrypted rlogin +ekshell 2106/tcp #Kerberos (v4) encrypted rshell +ekshell 2106/udp #Kerberos (v4) encrypted rshell +rkinit 2108/tcp #Kerberos (v4) remote initialization +rkinit 2108/udp #Kerberos (v4) remote initialization +ats 2201/tcp #Advanced Training System Program +ats 2201/udp #Advanced Training System Program +ivs-video 2232/tcp #IVS Video default +ivs-video 2232/udp #IVS Video default +ivsd 2241/tcp #IVS Daemon +ivsd 2241/udp #IVS Daemon +pehelp 2307/tcp +pehelp 2307/udp +cvspserver 2401/tcp #CVS network server +cvspserver 2401/udp #CVS network server +venus 2430/tcp #venus +venus 2430/udp #venus +venus-se 2431/tcp #venus-se +venus-se 2431/udp #venus-se +codasrv 2432/tcp #codasrv +codasrv 2432/udp #codasrv +codasrv-se 2433/tcp #codasrv-se +codasrv-se 2433/udp #codasrv-se +rtsserv 2500/tcp #Resource Tracking system server +rtsserv 2500/udp #Resource Tracking system server +rtsclient 2501/tcp #Resource Tracking system client +rtsclient 2501/udp #Resource Tracking system client +hp-3000-telnet 2564/tcp #HP 3000 NS/VT block mode telnet +zebrasrv 2600/tcp #zebra service +zebra 2601/tcp #zebra vty +ripd 2602/tcp #RIPd vty +ripngd 2603/tcp #RIPngd vty +ospfd 2604/tcp #OSPFd vty +bgpd 2605/tcp #BGPd vty +ospf6d 2606/tcp #OSPF6d vty +listen 2766/tcp #System V listener port +www-dev 2784/tcp #world wide web - development +www-dev 2784/udp #world wide web - development +dict 2628/tcp #RFC 2229 +dict 2628/udp #RFC 2229 +eppc 3031/tcp #Remote AppleEvents/PPC Toolbox +eppc 3031/udp #Remote AppleEvents/PPC Toolbox +NSWS 3049/tcp +NSWS 3049/udp +sj3 3086/tcp #SJ3 (kanji input) +vmodem 3141/tcp +vmodem 3141/udp +ccmail 3264/tcp #cc:mail/lotus +ccmail 3264/udp #cc:mail/lotus +dec-notes 3333/tcp #DEC Notes +dec-notes 3333/udp #DEC Notes +rsvp-encap 3455/udp #RSVP encapsulated in UDP +mapper-nodemgr 3984/tcp #MAPPER network node manager +mapper-nodemgr 3984/udp #MAPPER network node manager +mapper-mapethd 3985/tcp #MAPPER TCP/IP server +mapper-mapethd 3985/udp #MAPPER TCP/IP server +mapper-ws_ethd 3986/tcp #MAPPER workstation server +mapper-ws_ethd 3986/udp #MAPPER workstation server +bmap 3421/tcp #Bull Apprise portmapper +bmap 3421/udp #Bull Apprise portmapper +prsvp 3455/tcp #RSVP Port +prsvp 3455/udp #RSVP Port +vat 3456/tcp #VAT default data +vat 3456/udp #VAT default data +vat-control 3457/tcp #VAT default control +vat-control 3457/udp #VAT default control +udt_os 3900/tcp #Unidata UDT OS +udt_os 3900/udp #Unidata UDT OS +netcheque 4008/tcp #NetCheque accounting +netcheque 4008/udp #NetCheque accounting +lockd 4045/udp # NFS lock daemon/manager +lockd 4045/tcp +nuts_dem 4132/tcp #NUTS Daemon +nuts_dem 4132/udp #NUTS Daemon +nuts_bootp 4133/tcp #NUTS Bootp Server +nuts_bootp 4133/udp #NUTS Bootp Server +rwhois 4321/tcp #Remote Who Is +rwhois 4321/udp #Remote Who Is +unicall 4343/tcp +unicall 4343/udp +krb524 4444/tcp +krb524 4444/udp +# PROBLEM krb524 assigned the port, +# PROBLEM nv used it without an assignment +nv-video 4444/tcp #NV Video default +nv-video 4444/udp #NV Video default +sae-urn 4500/tcp +sae-urn 4500/udp +fax 4557/tcp #FAX transmission service +hylafax 4559/tcp #HylaFAX client-server protocol +rfa 4672/tcp #remote file access server +rfa 4672/udp #remote file access server +commplex-main 5000/tcp +commplex-main 5000/udp +commplex-link 5001/tcp +commplex-link 5001/udp +rfe 5002/tcp #radio free ethernet +rfe 5002/udp #radio free ethernet +telelpathstart 5010/tcp +telelpathstart 5010/udp +telelpathattack 5011/tcp +telelpathattack 5011/udp +mmcc 5050/tcp #multimedia conference control tool +mmcc 5050/udp #multimedia conference control tool +rmonitor_secure 5145/tcp +rmonitor_secure 5145/udp +aol 5190/tcp #America-Online +aol 5190/udp #America-Online +aol-1 5191/tcp #AmericaOnline1 +aol-1 5191/udp #AmericaOnline1 +aol-2 5192/tcp #AmericaOnline2 +aol-2 5192/udp #AmericaOnline2 +aol-3 5193/tcp #AmericaOnline3 +aol-3 5193/udp #AmericaOnline3 +jabber-client 5222/tcp #Jabber Client Connection +jabber-client 5222/udp #Jabber Client Connection +padl2sim 5236/tcp +padl2sim 5236/udp +jabber-server 5269/tcp #Jabber Server Connection +jabber-server 5269/udp #Jabber Server Connection +hacl-hb 5300/tcp # HA cluster heartbeat +hacl-hb 5300/udp # HA cluster heartbeat +hacl-gs 5301/tcp # HA cluster general services +hacl-gs 5301/udp # HA cluster general services +hacl-cfg 5302/tcp # HA cluster configuration +hacl-cfg 5302/udp # HA cluster configuration +hacl-probe 5303/tcp # HA cluster probing +hacl-probe 5303/udp # HA cluster probing +hacl-local 5304/tcp +hacl-local 5304/udp +hacl-test 5305/tcp +hacl-test 5305/udp +cfengine 5308/tcp +cfengine 5308/udp +postgresql 5432/tcp #PostgreSQL Database +postgresql 5432/udp #PostgreSQL Database +rplay 5555/udp +canna 5680/tcp #Canna (Japanese Input) +proshareaudio 5713/tcp #proshare conf audio +proshareaudio 5713/udp #proshare conf audio +prosharevideo 5714/tcp #proshare conf video +prosharevideo 5714/udp #proshare conf video +prosharedata 5715/tcp #proshare conf data +prosharedata 5715/udp #proshare conf data +prosharerequest 5716/tcp #proshare conf request +prosharerequest 5716/udp #proshare conf request +prosharenotify 5717/tcp #proshare conf notify +prosharenotify 5717/udp #proshare conf notify +cvsup 5999/tcp #CVSup file transfer/John Polstra/FreeBSD +x11 6000/tcp #6000-6063 are assigned to X Window System +x11 6000/udp +x11-ssh 6010/tcp #Unofficial name, for convenience +x11-ssh 6010/udp +softcm 6110/tcp #HP SoftBench CM +softcm 6110/udp #HP SoftBench CM +spc 6111/tcp #HP SoftBench Sub-Process Control +spc 6111/udp #HP SoftBench Sub-Process Control +meta-corp 6141/tcp #Meta Corporation License Manager +meta-corp 6141/udp #Meta Corporation License Manager +aspentec-lm 6142/tcp #Aspen Technology License Manager +aspentec-lm 6142/udp #Aspen Technology License Manager +watershed-lm 6143/tcp #Watershed License Manager +watershed-lm 6143/udp #Watershed License Manager +statsci1-lm 6144/tcp #StatSci License Manager - 1 +statsci1-lm 6144/udp #StatSci License Manager - 1 +statsci2-lm 6145/tcp #StatSci License Manager - 2 +statsci2-lm 6145/udp #StatSci License Manager - 2 +lonewolf-lm 6146/tcp #Lone Wolf Systems License Manager +lonewolf-lm 6146/udp #Lone Wolf Systems License Manager +montage-lm 6147/tcp #Montage License Manager +montage-lm 6147/udp #Montage License Manager +ricardo-lm 6148/tcp #Ricardo North America License Manager +ricardo-lm 6148/udp #Ricardo North America License Manager +xdsxdm 6558/tcp +xdsxdm 6558/udp +ircd 6667/tcp #Internet Relay Chat (unoffical) +acmsoda 6969/tcp +acmsoda 6969/udp +afs3-fileserver 7000/tcp #file server itself +afs3-fileserver 7000/udp #file server itself +afs3-callback 7001/tcp #callbacks to cache managers +afs3-callback 7001/udp #callbacks to cache managers +afs3-prserver 7002/tcp #users & groups database +afs3-prserver 7002/udp #users & groups database +afs3-vlserver 7003/tcp #volume location database +afs3-vlserver 7003/udp #volume location database +afs3-kaserver 7004/tcp #AFS/Kerberos authentication service +afs3-kaserver 7004/udp #AFS/Kerberos authentication service +afs3-volser 7005/tcp #volume management server +afs3-volser 7005/udp #volume management server +afs3-errors 7006/tcp #error interpretation service +afs3-errors 7006/udp #error interpretation service +afs3-bos 7007/tcp #basic overseer process +afs3-bos 7007/udp #basic overseer process +afs3-update 7008/tcp #server-to-server updater +afs3-update 7008/udp #server-to-server updater +afs3-rmtsys 7009/tcp #remote cache manager service +afs3-rmtsys 7009/udp #remote cache manager service +afs3-resserver 7010/tcp #MR-AFS residence server +afs3-resserver 7010/udp #MR-AFS residence server +afs3-remio 7011/tcp #MR-AFS remote IO server +afs3-remio 7011/udp #MR-AFS remote IO server +ups-onlinet 7010/tcp #onlinet uninterruptable power supplies +ups-onlinet 7010/udp #onlinet uninterruptable power supplies +font-service 7100/tcp #X Font Service +font-service 7100/udp #X Font Service +fodms 7200/tcp #FODMS FLIP +fodms 7200/udp #FODMS FLIP +dlip 7201/tcp +dlip 7201/udp +natd 8668/divert # Network Address Translation +jetdirect 9100/tcp #HP JetDirect card +man 9535/tcp +man 9535/udp +sd 9876/tcp #Session Director +sd 9876/udp #Session Director +amanda 10080/udp #Dump server control +amandaidx 10082/tcp #Amanda indexing +amidxtape 10083/tcp #Amanda tape indexing +isode-dua 17007/tcp +isode-dua 17007/udp +biimenu 18000/tcp #Beckman Instruments, Inc. +biimenu 18000/udp #Beckman Instruments, Inc. +dbbrowse 47557/tcp #Databeam Corporation +dbbrowse 47557/udp #Databeam Corporation +wnn4 22273/tcp #Wnn4 (Japanese input) +wnn4_Cn 22289/tcp #Wnn4 (Chinese input) +wnn4_Tw 22321/tcp #Wnn4 (Taiwanse input) +wnn4_Kr 22305/tcp #Wnn4 (Korean input) +wnn6 22273/tcp #Wnn6 (Japanese input) +wnn6_Cn 22289/tcp #Wnn6 (Chinese input) +wnn6_Tw 22321/tcp #Wnn6 (Taiwanse input) +wnn6_Kr 22305/tcp #Wnn6 (Korean input) +wnn6_DS 26208/tcp #Wnn6 (Dserver) diff --git a/etc/shells b/etc/shells new file mode 100644 index 0000000..ae7f33c --- /dev/null +++ b/etc/shells @@ -0,0 +1,12 @@ +# $FreeBSD: src/etc/shells,v 1.5 2000/04/27 21:58:46 ache Exp $ +# +# List of acceptable shells for chpass(1). +# Ftpd will not allow users to connect who are not using +# one of these shells. + +/bin/sh +/bin/csh +/bin/tcsh +/usr/local/bin/bash +/etc/rc.initial + diff --git a/etc/sshd b/etc/sshd new file mode 100755 index 0000000..58c3dbe --- /dev/null +++ b/etc/sshd @@ -0,0 +1,62 @@ +#! /usr/local/bin/php -f +<?php +/* + sshd - Modified to work on disk based system + Copyright 2004 Scott K Ullrich + + Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + require_once("config.inc"); + + $stderr = fopen("php://stderr", "w"); + fwrite($stderr, "Initializing module ssh...\n"); + + if (!is_dir("/var/empty")) { + // Home directory of sshd. + mkdir("/var/empty", 0555); + } + + if(!file_exists("")) { + // Login related files. + touch("/var/log/lastlog"); + } + + // Make the root password the same as the admin password of m0n0. + $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w"); + fwrite($fd, $config['system']['password']); + pclose($fd); + + $sshConfigDir = "/etc/ssh"; + if (!file_exists("$sshConfigDir/ssh_host_key")) { + system("/usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key"); + system("/usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key"); + system("/usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key"); + } + + // And finally ... + system("sshd"); + fwrite($stderr, "Done.\n"); +?> + diff --git a/etc/syslog.conf b/etc/syslog.conf new file mode 100644 index 0000000..6b7fbd9 --- /dev/null +++ b/etc/syslog.conf @@ -0,0 +1,7 @@ +local0.* %/var/log/filter.log +local3.* %/var/log/vpn.log +local7.* %/var/log/dhcpd.log +*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none %/var/log/system.log +security.* %/var/log/system.log +auth.info;authpriv.info;daemon.info %/var/log/system.log +*.emerg * diff --git a/etc/ttys b/etc/ttys new file mode 100644 index 0000000..5cbe714 --- /dev/null +++ b/etc/ttys @@ -0,0 +1,291 @@ +# +# $FreeBSD: src/etc/etc.i386/ttys,v 1.10 2003/10/24 15:44:08 simokawa Exp $ +# @(#)ttys 5.1 (Berkeley) 4/17/89 +# +# This file specifies various information about terminals on the system. +# It is used by several different programs. Common entries for the +# various columns include: +# +# name The name of the terminal device. +# +# getty The program to start running on the terminal. Typically a +# getty program, as the name implies. Other common entries +# include none, when no getty is needed, and xdm, to start the +# X Window System. +# +# type The initial terminal type for this port. For hardwired +# terminal lines, this will contain the type of terminal used. +# For virtual consoles, the correct type is typically cons25, but +# vt220 will work better if you need interoperability with other +# systems like Solaris or GNU/Linux. +# Other common values include network for network connections on +# pseudo-terminals, dialup for incoming modem ports, and unknown +# when the terminal type cannot be predetermined. +# +# status Must be on or off. If on, init will run the getty program on +# the specified port. If the word "secure" appears, this tty +# allows root login. +# +# name getty type status comments +# +# If console is marked "insecure", then init will ask for the root password +# when going to single-user mode. +console none unknown off secure +# +ttyv0 "/usr/libexec/getty Pc" cons25 on secure +ttyp0 none network +ttyp1 none network +ttyp2 none network +ttyp3 none network +ttyp4 none network +ttyp5 none network +ttyp6 none network +ttyp7 none network +ttyp8 none network +ttyp9 none network +ttypa none network +ttypb none network +ttypc none network +ttypd none network +ttype none network +ttypf none network +ttypg none network +ttyph none network +ttypi none network +ttypj none network +ttypk none network +ttypl none network +ttypm none network +ttypn none network +ttypo none network +ttypp none network +ttypq none network +ttypr none network +ttyps none network +ttypt none network +ttypu none network +ttypv none network +ttyq0 none network +ttyq1 none network +ttyq2 none network +ttyq3 none network +ttyq4 none network +ttyq5 none network +ttyq6 none network +ttyq7 none network +ttyq8 none network +ttyq9 none network +ttyqa none network +ttyqb none network +ttyqc none network +ttyqd none network +ttyqe none network +ttyqf none network +ttyqg none network +ttyqh none network +ttyqi none network +ttyqj none network +ttyqk none network +ttyql none network +ttyqm none network +ttyqn none network +ttyqo none network +ttyqp none network +ttyqq none network +ttyqr none network +ttyqs none network +ttyqt none network +ttyqu none network +ttyqv none network +ttyr0 none network +ttyr1 none network +ttyr2 none network +ttyr3 none network +ttyr4 none network +ttyr5 none network +ttyr6 none network +ttyr7 none network +ttyr8 none network +ttyr9 none network +ttyra none network +ttyrb none network +ttyrc none network +ttyrd none network +ttyre none network +ttyrf none network +ttyrg none network +ttyrh none network +ttyri none network +ttyrj none network +ttyrk none network +ttyrl none network +ttyrm none network +ttyrn none network +ttyro none network +ttyrp none network +ttyrq none network +ttyrr none network +ttyrs none network +ttyrt none network +ttyru none network +ttyrv none network +ttys0 none network +ttys1 none network +ttys2 none network +ttys3 none network +ttys4 none network +ttys5 none network +ttys6 none network +ttys7 none network +ttys8 none network +ttys9 none network +ttysa none network +ttysb none network +ttysc none network +ttysd none network +ttyse none network +ttysf none network +ttysg none network +ttysh none network +ttysi none network +ttysj none network +ttysk none network +ttysl none network +ttysm none network +ttysn none network +ttyso none network +ttysp none network +ttysq none network +ttysr none network +ttyss none network +ttyst none network +ttysu none network +ttysv none network +ttyP0 none network +ttyP1 none network +ttyP2 none network +ttyP3 none network +ttyP4 none network +ttyP5 none network +ttyP6 none network +ttyP7 none network +ttyP8 none network +ttyP9 none network +ttyPa none network +ttyPb none network +ttyPc none network +ttyPd none network +ttyPe none network +ttyPf none network +ttyPg none network +ttyPh none network +ttyPi none network +ttyPj none network +ttyPk none network +ttyPl none network +ttyPm none network +ttyPn none network +ttyPo none network +ttyPp none network +ttyPq none network +ttyPr none network +ttyPs none network +ttyPt none network +ttyPu none network +ttyPv none network +ttyQ0 none network +ttyQ1 none network +ttyQ2 none network +ttyQ3 none network +ttyQ4 none network +ttyQ5 none network +ttyQ6 none network +ttyQ7 none network +ttyQ8 none network +ttyQ9 none network +ttyQa none network +ttyQb none network +ttyQc none network +ttyQd none network +ttyQe none network +ttyQf none network +ttyQg none network +ttyQh none network +ttyQi none network +ttyQj none network +ttyQk none network +ttyQl none network +ttyQm none network +ttyQn none network +ttyQo none network +ttyQp none network +ttyQq none network +ttyQr none network +ttyQs none network +ttyQt none network +ttyQu none network +ttyQv none network +ttyR0 none network +ttyR1 none network +ttyR2 none network +ttyR3 none network +ttyR4 none network +ttyR5 none network +ttyR6 none network +ttyR7 none network +ttyR8 none network +ttyR9 none network +ttyRa none network +ttyRb none network +ttyRc none network +ttyRd none network +ttyRe none network +ttyRf none network +ttyRg none network +ttyRh none network +ttyRi none network +ttyRj none network +ttyRk none network +ttyRl none network +ttyRm none network +ttyRn none network +ttyRo none network +ttyRp none network +ttyRq none network +ttyRr none network +ttyRs none network +ttyRt none network +ttyRu none network +ttyRv none network +ttyS0 none network +ttyS1 none network +ttyS2 none network +ttyS3 none network +ttyS4 none network +ttyS5 none network +ttyS6 none network +ttyS7 none network +ttyS8 none network +ttyS9 none network +ttySa none network +ttySb none network +ttySc none network +ttySd none network +ttySe none network +ttySf none network +ttySg none network +ttySh none network +ttySi none network +ttySj none network +ttySk none network +ttySl none network +ttySm none network +ttySn none network +ttySo none network +ttySp none network +ttySq none network +ttySr none network +ttySs none network +ttySt none network +ttySu none network +ttySv none network diff --git a/etc/version b/etc/version new file mode 100644 index 0000000..5b526c0 --- /dev/null +++ b/etc/version @@ -0,0 +1 @@ +1.2b2 |
