summaryrefslogtreecommitdiffstats
path: root/etc
diff options
context:
space:
mode:
authorScott Ullrich <sullrich@pfsense.org>2004-11-07 03:06:49 +0000
committerScott Ullrich <sullrich@pfsense.org>2004-11-07 03:06:49 +0000
commit5b237745003431d487de361ca0980a467ee2f5d5 (patch)
tree0a29f0237f9e8e536112f9fc816e7a52bbc19691 /etc
downloadpfsense-5b237745003431d487de361ca0980a467ee2f5d5.zip
pfsense-5b237745003431d487de361ca0980a467ee2f5d5.tar.gz
Initial revision
Diffstat (limited to 'etc')
-rw-r--r--etc/auth.conf10
-rw-r--r--etc/disktab235
-rw-r--r--etc/fbtab4
-rw-r--r--etc/group15
-rw-r--r--etc/host.conf7
-rw-r--r--etc/hosts.allow5
-rw-r--r--etc/inc/captiveportal.inc642
-rw-r--r--etc/inc/config.inc551
-rw-r--r--etc/inc/filter.inc946
-rw-r--r--etc/inc/functions.inc41
-rw-r--r--etc/inc/globals.inc54
-rw-r--r--etc/inc/interfaces.inc740
-rw-r--r--etc/inc/openvpn.inc559
-rw-r--r--etc/inc/services.inc440
-rw-r--r--etc/inc/shaper.inc403
-rw-r--r--etc/inc/system.inc563
-rw-r--r--etc/inc/util.inc421
-rw-r--r--etc/inc/vpn.inc559
-rw-r--r--etc/inc/xmlparse.inc205
-rw-r--r--etc/login.conf316
-rw-r--r--etc/master.passwd26
-rw-r--r--etc/networks17
-rw-r--r--etc/pamd.conf55
-rw-r--r--etc/passwd10
-rw-r--r--etc/pccard.conf435
-rw-r--r--etc/platform1
-rw-r--r--etc/protocols146
-rw-r--r--etc/pubkey.pem6
-rwxr-xr-xetc/rc62
-rwxr-xr-xetc/rc.banner59
-rwxr-xr-xetc/rc.bootup147
-rwxr-xr-xetc/rc.dyndns.storecache8
-rwxr-xr-xetc/rc.firmware55
-rwxr-xr-xetc/rc.initial76
-rwxr-xr-xetc/rc.initial.defaults61
-rwxr-xr-xetc/rc.initial.password65
-rwxr-xr-xetc/rc.initial.ping47
-rwxr-xr-xetc/rc.initial.reboot55
-rwxr-xr-xetc/rc.initial.setlanip117
-rwxr-xr-xetc/rc.initial.setports303
-rwxr-xr-xetc/rc.newwanip83
-rwxr-xr-xetc/rc.prunecaptiveportal37
-rwxr-xr-xetc/rc.reboot5
-rwxr-xr-xetc/rc.shutdown17
-rw-r--r--etc/services2106
-rw-r--r--etc/shells12
-rwxr-xr-xetc/sshd62
-rw-r--r--etc/syslog.conf7
-rw-r--r--etc/ttys291
-rw-r--r--etc/version1
50 files changed, 11088 insertions, 0 deletions
diff --git a/etc/auth.conf b/etc/auth.conf
new file mode 100644
index 0000000..3062d37
--- /dev/null
+++ b/etc/auth.conf
@@ -0,0 +1,10 @@
+#
+# $FreeBSD: src/etc/auth.conf,v 1.4.2.1 2001/07/13 14:37:26 dd Exp $
+#
+# This file contains information on what types of authentication to use.
+# It is just the beginnings of a greater scheme.
+
+# crypt_default = md5 des
+# auth_list = passwd kerberos
+
+auth_list = passwd
diff --git a/etc/disktab b/etc/disktab
new file mode 100644
index 0000000..43ebdf9
--- /dev/null
+++ b/etc/disktab
@@ -0,0 +1,235 @@
+# $FreeBSD: src/etc/etc.i386/disktab,v 1.20.2.2 2002/04/15 00:44:15 dougb Exp $
+#
+# Disk geometry and partition layout tables.
+# Key:
+# dt controller type
+# ty type of disk (fixed, removeable, simulated)
+# d[0-4] drive-type-dependent parameters
+# ns #sectors/track
+# nt #tracks/cylinder
+# nc #cylinders/disk
+# sc #sectors/cylinder, ns*nt default
+# su #sectors/unit, sc*nc default
+# se sector size, DEV_BSIZE default
+# rm rpm, 3600 default
+# sf supports bad144-style bad sector forwarding
+# sk sector skew per track, default 0
+# cs sector skew per cylinder, default 0
+# hs headswitch time, default 0
+# ts one-cylinder seek time, default 0
+# il sector interleave (n:1), 1 default
+# bs boot block size, default BBSIZE
+# sb superblock size, default SBSIZE
+# o[a-h] partition offsets in sectors
+# p[a-h] partition sizes in sectors
+# b[a-h] partition block sizes in bytes
+# f[a-h] partition fragment sizes in bytes
+# t[a-h] partition types (filesystem, swap, etc)
+#
+# All partition sizes reserve space for bad sector tables.
+# (5 cylinders needed for maintenance + replacement sectors)
+#
+
+#
+# Floppy formats:
+#
+# To make a filesystem on a floppy:
+# fdformat [-f <size>] fd<drive>[.<size>]
+# disklabel -B -r -w fd<drive>[.<size>] fd<size>
+# newfs <opts> fd<drive>[.<size>]
+#
+# with <opts>:
+# -t 2 - two heads
+# -u 9|15|18 - sectors per track
+# (using the default value of 1/4096 is not much useful for floppies)
+# -l 1 - interleave 1 (for most floppies)
+# -i 65536 - bytes of data per i-node
+# (the default -i value will render you with a floppy wasting way
+# too much space in i-node areas)
+#
+
+fd360:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#40:\
+ :pa#720:oa#0:ba#4096:fa#512:\
+ :pb#720:ob#0:bb#4096:fb#512:\
+ :pc#720:oc#0:bc#4096:fc#512:
+
+fd720:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#80:\
+ :pa#1440:oa#0:ba#4096:fa#512:\
+ :pb#1440:ob#0:bb#4096:fb#512:\
+ :pc#1440:oc#0:bc#4096:fc#512:
+
+fd1200|floppy5|5in|5.25in High Density Floppy:\
+ :ty=floppy:se#512:nt#2:rm#360:ns#15:nc#80:\
+ :pa#2400:oa#0:ba#4096:fa#512:\
+ :pb#2400:ob#0:bb#4096:fb#512:\
+ :pc#2400:oc#0:bc#4096:fc#512:
+
+fd1440|floppy|floppy3|3in|3.5in High Density Floppy:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#80:\
+ :pa#2880:oa#0:ba#4096:fa#512:\
+ :pb#2880:ob#0:bb#4096:fb#512:\
+ :pc#2880:oc#0:bc#4096:fc#512:
+
+#
+# Stressed floppy-formats. No guarantees given.
+#
+
+fd800:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#80:\
+ :pa#1600:oa#0:ba#4096:fa#512:\
+ :pb#1600:ob#0:bb#4096:fb#512:\
+ :pc#1600:oc#0:bc#4096:fc#512:
+
+fd820:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#82:\
+ :pa#1640:oa#0:ba#4096:fa#512:\
+ :pb#1640:ob#0:bb#4096:fb#512:\
+ :pc#1640:oc#0:bc#4096:fc#512:
+
+fd1480:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#82:\
+ :pa#2952:oa#0:ba#4096:fa#512:\
+ :pb#2952:ob#0:bb#4096:fb#512:\
+ :pc#2952:oc#0:bc#4096:fc#512:
+
+fd1720:\
+ :ty=floppy:se#512:nt#2:rm#300:ns#21:nc#82:\
+ :pa#3444:oa#0:ba#4096:fa#512:\
+ :pb#3444:ob#0:bb#4096:fb#512:\
+ :pc#3444:oc#0:bc#4096:fc#512:
+
+#
+# LS-120 floppy-format.
+#
+fd120m|floppy120|floppy120m|3.5in LS-120 Floppy:\
+ :ty=floppy:se#512:nt#8:rm#300:ns#32:nc#963:\
+ :pa#246528:oa#0:ba#4096:fa#512:\
+ :pb#246528:ob#0:bb#4096:fb#512:\
+ :pc#246528:oc#0:bc#4096:fc#512:
+
+#
+# Harddisk formats
+#
+qp120at|Quantum Peripherals 120MB IDE:\
+ :dt=ESDI:ty=winchester:se#512:nt#9:ns#32:nc#813:sf: \
+ :pa#13824:oa#0:ta=4.2BSD:ba#4096:fa#512: \
+ :pb#13824:ob#13824:tb=swap: \
+ :pc#234144:oc#0: \
+ :ph#206496:oh#27648:th=4.2BSD:bh#4096:fh#512:
+
+pan60|Panasonic Laptop's 60MB IDE:\
+ :dt=ST506:ty=winchester:se#512:nt#13:ns#17:nc#565:\
+ :pa#13260:oa#0:ta=4.2BSD:ba#4096:fa#512:\
+ :pb#13260:ob#13260:tb=swap: \
+ :pc#124865:oc#0: \
+ :ph#97682:oh#26520:th=4.2BSD:bh#4096:fh#512:
+
+mk156|toshiba156|Toshiba MK156 156Mb:\
+ :dt=SCSI:ty=winchester:se#512:nt#10:ns#35:nc#825:\
+ :pa#15748:oa#0:ba#4096:fa#512:ta=4.2BSD:\
+ :pb#15748:ob#15748:tb=swap:\
+ :pc#288750:oc#0:\
+ :ph#257250:oh#31500:bh#4096:fh#512:th=4.2BSD:
+
+cp3100|Connor Peripherals 100MB IDE:\
+ :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \
+ :pa#12144:oa#0:ta=4.2BSD:ba#4096:fa#512: \
+ :pb#12144:ob#12144:tb=swap: \
+ :pc#202224:oc#0: \
+ :ph#177936:oh#24288:th=4.2BSD:bh#4096:fh#512:
+
+# a == root
+# b == swap
+# c == d == whole disk
+# e == /var
+# f == scratch
+# h == /usr
+
+cp3100new|Connor Peripherals 100MB IDE, with a different configuration:\
+ :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \
+ :pa#15840:oa#0:ta=4.2BSD:ba#4096:fa#512: \
+ :pb#24288:ob#15840:tb=swap: \
+ :pc#202224:oc#0: \
+ :pd#202224:od#0: \
+ :pe#15840:oe#40128:te=4.2BSD:be#4096:fe#512: \
+ :pg#15840:og#55968:tg=4.2BSD:bg#4096:fg#512: \
+ :ph#130416:oh#71808:th=4.2BSD:bh#4096:fh#512:
+
+maxtor4380|Maxtor XT4380E ESDI :\
+ :dt=ESDI:ty=winchester:se#512:nt#15:ns#36:nc#1222:sf: \
+ :pa#21600:oa#0:ta=4.2BSD:ba#4096:fa#512:\
+ :pb#21600:ob#21600:tb=swap: \
+ :pc#659880:oc#0: \
+ :pd#216000:od#53200:td=4.2BSD:bd#4096:fd#512: \
+ :ph#398520:oh#269200:th=4.2BSD:bh#4096:fh#512:
+
+miniscribe9380|compaq38|Miniscribe 9380 ESDI :\
+ :ty=winchester:dt=ESDI:se#512:nt#15:ns#35:nc#1223:rm#3600:sf: \
+ :pa#21000:oa#0:ba#8192:fa#1024:ta=4.2BSD: \
+ :pb#42000:ob#21000:tb=swap: \
+ :pc#642075:oc#0: \
+ :pd#21000:od#63000:bd#8192:fd#1024:td=4.2BSD: \
+ :ph#556500:oh#84000:bh#8192:fh#1024:th=4.2BSD:
+
+ida4|compaq88|Compaq IDA (4 drives) :\
+ :ty=winchester:dt=IDA:se#512:nt#16:ns#63:nc#1644:rm#3600:\
+ :pa#20160:oa#0:ba#8192:fa#1024:ta=4.2BSD: \
+ :pb#80640:ob#20160:tb=swap: \
+ :pc#1659168:oc#0: \
+ :pd#201600:od#100800:bd#8192:fd#1024:td=4.2BSD: \
+ :pe#20160:oe#1310400:be#8192:fe#1024:te=4.2BSD: \
+ :ph#1008000:oh#302400:bh#8192:fh#1024:th=4.2BSD: \
+ :pg#302400:og#1330560:bg#4096:fg#512:tg=4.2BSD:
+
+fuji513|Fujitsu M22XXXX: \
+ :ty=winchester:dt=ESDI:se#512:nt#16:ns#63:nc#954:rm#3600:\
+ :pa#20160:oa#82656:ba#4096:fa#512:ta=4.2BSD: \
+ :pb#40320:ob#102816:tb=swap: \
+ :pc#961632:oc#0: \
+ :ph#656208:oh#143136:bh#4096:fh#512:th=4.2BSD:
+
+sony650|Sony 650 MB MOD|\
+ :ty=removable:dt=SCSI:se#512:nt#1:ns#31:nc#18600:ts#1:rm#4800:\
+ :pc#576600:oc#0:\
+ :pa#576600:oa#0:ta=4.2BSD:ba#8192:fa#1024:
+
+mta3230|mo230|IBM MTA-3230 230 Meg 3.5inch Magneto-Optical:\
+ :ty=removeable:dt=SCSI:rm#3600:\
+ :se#512:nt#64:ns#32:nc#216:sc#2048:su#444384:\
+ :pa#444384:oa#0:ba#4096:fa#0:ta=4.2BSD:\
+ :pc#444384:oc#0:
+
+minimum:ty=mfs:se#512:nt#1:rm#300:\
+ :ns#2880:nc#1:\
+ :pa#2880:oa#0:ba#4096:fa#512:\
+ :pc#2880:oc#0:bc#4096:fc#512:
+
+minimum2:ty=mfs:se#512:nt#1:rm#300:\
+ :ns#5760:nc#1:\
+ :pa#5760:oa#0:ba#4096:fa#512:\
+ :pc#5760:oc#0:bc#4096:fc#512:
+
+minimum3:ty=mfs:se#512:nt#1:rm#300:\
+ :ns#8640:nc#1:\
+ :pa#8640:oa#0:ba#4096:fa#512:\
+ :pc#8640:oc#0:bc#4096:fc#512:
+
+zip100|zip 100:\
+ :ty=removable:se#512:nc#96:nt#64:ns#32:\
+ :pa#196608:oa#0:ba#4096:fa#512:\
+ :pb#196608:ob#0:bb#4096:fb#512:\
+ :pc#196608:oc#0:bc#4096:fc#512:
+
+zip250|zip 250:\
+ :ty=removable:se#512:nc#239:nt#64:ns#32:\
+ :pa#489472:oa#0:ba#4096:fa#512:\
+ :pb#489472:ob#0:bb#4096:fb#512:\
+ :pc#489472:oc#0:bc#4096:fc#512:
+
+orb2200|orb22|orb:\
+ :ty=removable:ns#63:nt#128:nc#4273:sc#1008:su#4307184:se#512:\
+ :pa#4307184:oa#0:ba#8192:fa#1024:\
+ :pc#4307184:oc#0:bc#8192:fc#1024:
+
diff --git a/etc/fbtab b/etc/fbtab
new file mode 100644
index 0000000..06d2d61
--- /dev/null
+++ b/etc/fbtab
@@ -0,0 +1,4 @@
+# $FreeBSD: src/etc/fbtab,v 1.3 1999/09/13 17:09:07 peter Exp $
+#
+#/dev/ttyv0 0600 /dev/console
+#/dev/ttyv0 0600 /dev/pcaudio:/dev/pcaudioctl
diff --git a/etc/group b/etc/group
new file mode 100644
index 0000000..cac3e1e
--- /dev/null
+++ b/etc/group
@@ -0,0 +1,15 @@
+wheel:*:0:root,admin
+daemon:*:1:daemon
+kmem:*:2:root
+sys:*:3:root
+tty:*:4:root
+operator:*:5:root
+bin:*:7:
+staff:*:20:root
+guest:*:31:root
+dialer:*:68:
+network:*:69:
+www:*:80:
+nogroup:*:65533:
+nobody:*:65534:
+admin:*:101:
diff --git a/etc/host.conf b/etc/host.conf
new file mode 100644
index 0000000..6643c7f
--- /dev/null
+++ b/etc/host.conf
@@ -0,0 +1,7 @@
+# $FreeBSD: src/etc/host.conf,v 1.6 1999/08/27 23:23:41 peter Exp $
+# First try the /etc/hosts file
+hosts
+# Now try the nameserver next.
+bind
+# If you have YP/NIS configured, uncomment the next line
+# nis
diff --git a/etc/hosts.allow b/etc/hosts.allow
new file mode 100644
index 0000000..ab11cc0
--- /dev/null
+++ b/etc/hosts.allow
@@ -0,0 +1,5 @@
+#
+# hosts.allow access control file for "tcp wrapped" applications.
+#
+ALL : ALL : allow
+
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
new file mode 100644
index 0000000..d5d78b1
--- /dev/null
+++ b/etc/inc/captiveportal.inc
@@ -0,0 +1,642 @@
+<?php
+/*
+ captiveportal.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+require_once("radius_accounting.inc") ;
+
+function captiveportal_configure() {
+ global $config, $g;
+
+ if (isset($config['captiveportal']['enable']) &&
+ (($config['captiveportal']['interface'] == "lan") ||
+ isset($config['interfaces'][$config['captiveportal']['interface']]['enable']))) {
+
+ if ($g['booting'])
+ echo "Starting captive portal... ";
+
+ /* kill any running mini_httpd */
+ killbypid("{$g['varrun_path']}/mini_httpd.cp.pid");
+ killbypid("{$g['varrun_path']}/mini_httpd.cps.pid");
+
+ /* kill any running minicron */
+ killbypid("{$g['varrun_path']}/minicron.pid");
+
+ /* generate ipfw rules */
+ $cprules = captiveportal_rules_generate();
+
+ /* make sure ipfw is loaded */
+ mwexec("/sbin/kldload ipfw");
+
+ /* stop accounting on all clients */
+ captiveportal_radius_stop_all() ;
+
+ /* remove old information */
+ unlink_if_exists("{$g['vardb_path']}/captiveportal.nextrule");
+ unlink_if_exists("{$g['vardb_path']}/captiveportal.db");
+ unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db");
+ unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db");
+ unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db");
+
+ /* write portal page */
+ if ($config['captiveportal']['page']['htmltext'])
+ $htmltext = base64_decode($config['captiveportal']['page']['htmltext']);
+ else {
+ /* example/template page */
+ $htmltext = <<<EOD
+<html>
+<head>
+<title>m0n0wall captive portal</title>
+</head>
+<body>
+<h2>m0n0wall captive portal</h2>
+<p>This is the default captive portal page. Please upload your own custom HTML file on the <em>Services: Captive portal</em> screen in the m0n0wall webGUI.</p>
+<form method="post" action="">
+ <input name="accept" type="submit" value="Continue">
+</form>
+</body>
+</html>
+
+EOD;
+ }
+
+ $fd = @fopen("{$g['varetc_path']}/captiveportal.html", "w");
+ if ($fd) {
+ fwrite($fd, $htmltext);
+ fclose($fd);
+ }
+
+ /* write error page */
+ if ($config['captiveportal']['page']['errtext'])
+ $errtext = base64_decode($config['captiveportal']['page']['errtext']);
+ else {
+ /* example page */
+ $errtext = <<<EOD
+<html>
+<head>
+<title>Authentication error</title>
+</head>
+<body>
+<font color="#cc0000"><h2>Authentication error</h2></font>
+<b>
+Username and/or password invalid.
+<br><br>
+<a href="javascript:history.back()">Go back</a>
+</b>
+</body>
+</html>
+
+EOD;
+ }
+
+ $fd = @fopen("{$g['varetc_path']}/captiveportal-error.html", "w");
+ if ($fd) {
+ fwrite($fd, $errtext);
+ fclose($fd);
+ }
+
+ /* load rules */
+ mwexec("/sbin/ipfw -f delete set 1");
+ mwexec("/sbin/ipfw -f delete set 2");
+ mwexec("/sbin/ipfw -f delete set 3");
+
+ /* XXX - seems like ipfw cannot accept rules directly on stdin,
+ so we have to write them to a temporary file first */
+ $fd = @fopen("{$g['tmp_path']}/ipfw.cp.rules", "w");
+ if (!$fd) {
+ printf("Cannot open ipfw.cp.rules in captiveportal_configure()\n");
+ return 1;
+ }
+
+ fwrite($fd, $cprules);
+ fclose($fd);
+
+ mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.cp.rules");
+
+ unlink("{$g['tmp_path']}/ipfw.cp.rules");
+
+ /* filter on layer2 as well so we can check MAC addresses */
+ mwexec("/sbin/sysctl net.link.ether.ipfw=1");
+
+ chdir($g['captiveportal_path']);
+
+ /* start web server */
+ mwexec("/usr/local/sbin/mini_httpd -a -M 0 -u root -maxproc 16" .
+ " -p 8000 -i {$g['varrun_path']}/mini_httpd.cp.pid");
+
+ /* fire up another one for HTTPS if requested */
+ if (isset($config['captiveportal']['httpslogin']) &&
+ $config['captiveportal']['certificate'] && $config['captiveportal']['private-key']) {
+
+ $cert = base64_decode($config['captiveportal']['certificate']);
+ $key = base64_decode($config['captiveportal']['private-key']);
+
+ $fd = fopen("{$g['varetc_path']}/cert-portal.pem", "w");
+ if (!$fd) {
+ printf("Error: cannot open cert-portal.pem in system_webgui_start().\n");
+ return 1;
+ }
+ chmod("{$g['varetc_path']}/cert-portal.pem", 0600);
+ fwrite($fd, $cert);
+ fwrite($fd, "\n");
+ fwrite($fd, $key);
+ fclose($fd);
+
+ mwexec("/usr/local/sbin/mini_httpd -S -a -M 0 -E {$g['varetc_path']}/cert-portal.pem" .
+ " -u root -maxproc 16 -p 8001" .
+ " -i {$g['varrun_path']}/mini_httpd.cps.pid");
+ }
+
+ /* start pruning process (interval = 60 seconds) */
+ mwexec("/usr/local/bin/minicron 60 {$g['varrun_path']}/minicron.pid " .
+ "/etc/rc.prunecaptiveportal");
+
+ /* generate passthru mac database */
+ captiveportal_passthrumac_configure() ;
+ /* create allowed ip database and insert ipfw rules to make it so */
+ captiveportal_allowedip_configure() ;
+
+ /* generate radius server database */
+ if($config['captiveportal']['radiusip']) {
+ $radiusip = $config['captiveportal']['radiusip'] ;
+
+ if($config['captiveportal']['radiusport'])
+ $radiusport = $config['captiveportal']['radiusport'] ;
+ else
+ $radiusport = 1812;
+
+ if($config['captiveportal']['radiusacctport'])
+ $radiusacctport = $config['captiveportal']['radiusacctport'] ;
+ else
+ $radiusacctport = 1813;
+
+ $radiuskey = $config['captiveportal']['radiuskey'];
+
+ $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db", "w");
+ if (!$fd) {
+ printf("Error: cannot open radius DB file in captiveportal_configure().\n");
+ return 1;
+ } else {
+ fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey) ;
+ }
+ fclose($fd) ;
+ }
+
+
+ if ($g['booting'])
+ echo "done\n";
+
+ } else {
+ killbypid("{$g['varrun_path']}/mini_httpd.cp.pid");
+ killbypid("{$g['varrun_path']}/minicron.pid");
+ captiveportal_radius_stop_all() ;
+ mwexec("/sbin/sysctl net.link.ether.ipfw=0");
+ if (!isset($config['shaper']['enable'])) {
+ /* unload ipfw */
+ mwexec("/sbin/kldunload ipfw");
+ } else {
+ /* shaper is on - just remove our rules */
+ mwexec("/sbin/ipfw -f delete set 1");
+ mwexec("/sbin/ipfw -f delete set 2");
+ mwexec("/sbin/ipfw -f delete set 3");
+ }
+ }
+
+ return 0;
+}
+
+function captiveportal_rules_generate() {
+ global $config, $g;
+
+ $cpifn = $config['captiveportal']['interface'];
+ $cpif = $config['interfaces'][$cpifn]['if'];
+ $cpip = $config['interfaces'][$cpifn]['ipaddr'];
+
+ /* note: the captive portal daemon inserts all pass rules for authenticated
+ clients as skipto 50000 rules to make traffic shaping work */
+
+ $cprules = "";
+
+ /* captive portal on LAN interface? */
+ if ($cpifn == "lan") {
+ /* add anti-lockout rules */
+ $cprules .= <<<EOD
+add 500 set 1 pass all from $cpip to any out via $cpif
+add 501 set 1 pass all from any to $cpip in via $cpif
+
+EOD;
+ }
+
+ $cprules .= <<<EOD
+# skip to traffic shaper if not on captive portal interface
+add 1000 set 1 skipto 50000 all from any to any not layer2 not via $cpif
+# pass all layer2 traffic on other interfaces
+add 1001 set 1 pass layer2 not via $cpif
+
+# layer 2: pass ARP
+add 1100 set 1 pass layer2 mac-type arp
+# layer 2: block anything else non-IP
+add 1101 set 1 deny layer2 not mac-type ip
+# layer 2: check if MAC addresses of authenticated clients are correct
+add 1102 set 1 skipto 20000 layer2
+
+# allow access to our DHCP server (which needs to be able to ping clients as well)
+add 1200 set 1 pass udp from any 68 to 255.255.255.255 67 in
+add 1201 set 1 pass udp from any 68 to $cpip 67 in
+add 1202 set 1 pass udp from $cpip 67 to any 68 out
+add 1203 set 1 pass icmp from $cpip to any out icmptype 8
+add 1204 set 1 pass icmp from any to $cpip in icmptype 0
+
+# allow access to our DNS forwarder
+add 1300 set 1 pass udp from any to $cpip 53 in
+add 1301 set 1 pass udp from $cpip 53 to any out
+
+# allow access to our web server
+add 1302 set 1 pass tcp from any to $cpip 8000 in
+add 1303 set 1 pass tcp from $cpip 8000 to any out
+
+EOD;
+
+ if (isset($config['captiveportal']['httpslogin'])) {
+ $cprules .= <<<EOD
+add 1304 set 1 pass tcp from any to $cpip 8001 in
+add 1305 set 1 pass tcp from $cpip 8001 to any out
+
+EOD;
+ }
+
+ $cprules .= <<<EOD
+
+# ... 10000-19899: rules per authenticated client go here...
+
+# redirect non-authenticated clients to captive portal
+add 19900 set 1 fwd 127.0.0.1,8000 tcp from any to any 80 in
+# let the responses from the captive portal web server back out
+add 19901 set 1 pass tcp from any 80 to any out
+# block everything else
+add 19902 set 1 deny all from any to any
+
+# ... 20000-29899: layer2 block rules per authenticated client go here...
+
+# pass everything else on layer2
+add 29900 set 1 pass all from any to any layer2
+
+EOD;
+
+ return $cprules;
+}
+
+/* remove clients that have been around for longer than the specified amount of time */
+/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid */
+function captiveportal_prune_old() {
+
+ global $g, $config;
+
+ /* check for expired entries */
+ if ($config['captiveportal']['timeout'])
+ $timeout = $config['captiveportal']['timeout'] * 60;
+ else
+ $timeout = 0;
+
+ if ($config['captiveportal']['idletimeout'])
+ $idletimeout = $config['captiveportal']['idletimeout'] * 60;
+ else
+ $idletimeout = 0;
+
+ if (!$timeout && !$idletimeout)
+ return;
+
+ captiveportal_lock();
+
+ /* read database */
+ $cpdb = captiveportal_read_db();
+
+ $radiusservers = captiveportal_get_radius_servers();
+
+ for ($i = 0; $i < count($cpdb); $i++) {
+
+ $timedout = false;
+
+ /* hard timeout? */
+ if ($timeout) {
+ if ((time() - $cpdb[$i][0]) >= $timeout)
+ $timedout = true;
+ }
+
+ /* if an idle timeout is specified, get last activity timestamp from ipfw */
+ if (!$timedout && $idletimeout) {
+ $lastact = captiveportal_get_last_activity($cpdb[$i][1]);
+ if ($lastact && ((time() - $lastact) >= $idletimeout))
+ $timedout = true;
+ }
+
+ if ($timedout) {
+ /* this client needs to be deleted - remove ipfw rules */
+ if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+ RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $cpdb[$i][0], // start time
+ $radiusservers[0]['ipaddr'],
+ $radiusservers[0]['acctport'],
+ $radiusservers[0]['key']);
+ }
+ mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
+ unset($cpdb[$i]);
+ }
+ }
+
+ /* write database */
+ captiveportal_write_db($cpdb);
+
+ captiveportal_unlock();
+}
+
+/* remove a single client by ipfw rule number */
+function captiveportal_disconnect_client($id) {
+
+ global $g, $config;
+
+ captiveportal_lock();
+
+ /* read database */
+ $cpdb = captiveportal_read_db();
+ $radiusservers = captiveportal_get_radius_servers();
+
+ /* find entry */
+ for ($i = 0; $i < count($cpdb); $i++) {
+ if ($cpdb[$i][1] == $id) {
+ /* this client needs to be deleted - remove ipfw rules */
+ if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
+ RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $cpdb[$i][0], // start time
+ $radiusservers[0]['ipaddr'],
+ $radiusservers[0]['acctport'],
+ $radiusservers[0]['key']);
+ }
+ mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000));
+ unset($cpdb[$i]);
+ break;
+ }
+ }
+
+ /* write database */
+ captiveportal_write_db($cpdb);
+
+ captiveportal_unlock();
+}
+
+/* send RADIUS acct stop for all current clients */
+function captiveportal_radius_stop_all() {
+ global $g, $config;
+
+ captiveportal_lock() ;
+ $cpdb = captiveportal_read_db() ;
+
+ $radiusservers = captiveportal_get_radius_servers();
+
+ if (isset($radiusservers[0])) {
+ for ($i = 0; $i < count($cpdb); $i++) {
+ RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno
+ $cpdb[$i][4], // username
+ $cpdb[$i][5], // sessionid
+ $cpdb[$i][0], // start time
+ $radiusservers[0]['ipaddr'],
+ $radiusservers[0]['acctport'],
+ $radiusservers[0]['key']);
+ }
+ }
+ captiveportal_unlock() ;
+}
+
+function captiveportal_passthrumac_configure() {
+ global $config, $g;
+
+ /* clear out passthru macs, if necessary */
+ if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
+ unlink("{$g['vardb_path']}/captiveportal_mac.db");
+ }
+
+ if (is_array($config['captiveportal']['passthrumac'])) {
+
+ $fd = @fopen("{$g['vardb_path']}/captiveportal_mac.db", "w");
+ if (!$fd) {
+ printf("Error: cannot open passthru mac DB file in captiveportal_passthrumac_configure().\n");
+ return 1;
+ }
+
+ foreach ($config['captiveportal']['passthrumac'] as $macent) {
+ /* record passthru mac so it can be recognized and let thru */
+ fwrite($fd, $macent['mac'] . "\n");
+ }
+
+ fclose($fd);
+ }
+
+ return 0;
+}
+
+function captiveportal_allowedip_configure() {
+ global $config, $g;
+
+ captiveportal_lock() ;
+
+ /* clear out existing allowed ips, if necessary */
+ if (file_exists("{$g['vardb_path']}/captiveportal_ip.db")) {
+ $fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = trim(fgets($fd));
+ if($line) {
+ list($ip,$rule) = explode(",",$line);
+ mwexec("/sbin/ipfw delete $rule") ;
+ }
+ }
+ }
+ fclose($fd) ;
+ unlink("{$g['vardb_path']}/captiveportal_ip.db");
+ }
+
+ /* get next ipfw rule number */
+ if (file_exists("{$g['vardb_path']}/captiveportal.nextrule"))
+ $ruleno = trim(file_get_contents("{$g['vardb_path']}/captiveportal.nextrule"));
+ if (!$ruleno)
+ $ruleno = 10000; /* first rule number */
+
+ if (is_array($config['captiveportal']['allowedip'])) {
+
+ $fd = @fopen("{$g['vardb_path']}/captiveportal_ip.db", "w");
+ if (!$fd) {
+ printf("Error: cannot open allowed ip DB file in captiveportal_allowedip_configure().\n");
+ captiveportal_unlock() ;
+ return 1;
+ }
+
+ foreach ($config['captiveportal']['allowedip'] as $ipent) {
+ /* record allowed ip so it can be recognized and removed later */
+ fwrite($fd, $ipent['ip'] . "," . $ruleno ."\n");
+ /* insert ipfw rule to allow ip thru */
+ if($ipent['dir'] == "from") {
+ mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from ".$ipent['ip']." to any in") ;
+ mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to ".$ipent['ip']." out") ;
+ } else {
+ mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to ".$ipent['ip']." in") ;
+ mwexec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from ".$ipent['ip']." to any out") ;
+ }
+ $ruleno++ ;
+ if ($ruleno > 19899)
+ $ruleno = 10000;
+ }
+
+ fclose($fd);
+
+ /* write next rule number */
+ $fd = @fopen("{$g['vardb_path']}/captiveportal.nextrule", "w");
+ if ($fd) {
+ fwrite($fd, $ruleno);
+ fclose($fd);
+ }
+ }
+
+ captiveportal_unlock() ;
+ return 0;
+}
+
+/* get last activity timestamp given ipfw rule number */
+function captiveportal_get_last_activity($ruleno) {
+
+ exec("/sbin/ipfw -T list {$ruleno} 2>/dev/null", $ipfwoutput);
+
+ /* in */
+ if ($ipfwoutput[0]) {
+ $ri = explode(" ", $ipfwoutput[0]);
+ if ($ri[1])
+ return $ri[1];
+ }
+
+ return 0;
+}
+
+/* read captive portal DB into array */
+function captiveportal_read_db() {
+
+ global $g;
+
+ $cpdb = array();
+ $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = trim(fgets($fd));
+ if ($line) {
+ $cpdb[] = explode(",", $line);
+ }
+ }
+ fclose($fd);
+ }
+ return $cpdb;
+}
+
+/* write captive portal DB */
+function captiveportal_write_db($cpdb) {
+
+ global $g;
+
+ $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w");
+ if ($fd) {
+ foreach ($cpdb as $cpent) {
+ fwrite($fd, join(",", $cpent) . "\n");
+ }
+ fclose($fd);
+ }
+}
+
+/* read RADIUS servers into array */
+function captiveportal_get_radius_servers() {
+
+ global $g;
+
+ if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) {
+ $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db","r");
+ if ($fd) {
+ $radiusservers = array();
+ while (!feof($fd)) {
+ $line = trim(fgets($fd));
+ if ($line) {
+ $radsrv = array();
+ list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line);
+ $radiusservers[] = $radsrv;
+ }
+ }
+ fclose($fd);
+
+ return $radiusservers;
+ }
+ }
+
+ return false;
+}
+
+/* lock captive portal information, decide that the lock file is stale after
+ 10 seconds */
+function captiveportal_lock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/captiveportal.lock";
+
+ $n = 0;
+ while ($n < 10) {
+ /* open the lock file in append mode to avoid race condition */
+ if ($fd = @fopen($lockfile, "x")) {
+ /* succeeded */
+ fclose($fd);
+ return;
+ } else {
+ /* file locked, wait and try again */
+ sleep(1);
+ $n++;
+ }
+ }
+}
+
+/* unlock configuration file */
+function captiveportal_unlock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/captiveportal.lock";
+
+ if (file_exists($lockfile))
+ unlink($lockfile);
+}
+
+?>
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
new file mode 100644
index 0000000..58202aa
--- /dev/null
+++ b/etc/inc/config.inc
@@ -0,0 +1,551 @@
+<?php
+/*
+ config.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include globals/utility/XML parser files */
+require_once("globals.inc");
+require_once("util.inc");
+require_once("xmlparse.inc");
+
+/* read platform */
+if (file_exists("{$g['etc_path']}/platform")) {
+ $g['platform'] = chop(file_get_contents("{$g['etc_path']}/platform"));
+} else {
+ $g['platform'] = "unknown";
+}
+
+if ($g['booting']) {
+ /* find the device where config.xml resides and write out an fstab */
+ unset($cfgdevice);
+
+ /* check if there's already an fstab (NFS booting?) */
+ if (!file_exists("{$g['etc_path']}/fstab")) {
+
+ if (strstr($g['platform'], "cdrom")) {
+ /* config is on floppy disk for CD-ROM version */
+ $cfgdevice = $cfgpartition = "fd0";
+ $cfgfstype = "msdos";
+ } else {
+ /* probe kernel known disks until we find one with config.xml */
+ $disks = explode(" ", trim(preg_replace("/kern.disks: /", "", exec("/sbin/sysctl kern.disks"))));
+ foreach ($disks as $mountdisk) {
+ /* skip mfs mounted filesystems */
+ if (strstr($mountdisk, "md"))
+ continue;
+ if (mwexec("/sbin/mount -r /dev/{$mountdisk}a {$g['cf_path']}") == 0) {
+ if (file_exists("{$g['cf_conf_path']}/config.xml")) {
+ /* found it */
+ $cfgdevice = $mountdisk;
+ $cfgpartition = $cfgdevice . "a";
+ $cfgfstype = "ufs";
+ echo "Found configuration on $cfgdevice.\n";
+ }
+
+ mwexec("/sbin/umount -f {$g['cf_path']}");
+
+ if ($cfgdevice)
+ break;
+ }
+ }
+ }
+
+ if (!$cfgdevice) {
+ /* no device found, print an error and die */
+ echo <<<EOD
+
+
+*******************************************************************************
+* FATAL ERROR *
+* The device that contains the configuration file (config.xml) could not be *
+* found. m0n0wall cannot continue booting. *
+*******************************************************************************
+
+
+EOD;
+
+ mwexec("/sbin/halt");
+ exit;
+ }
+
+ /* write device name to a file for rc.firmware */
+ $fd = fopen("{$g['varetc_path']}/cfdevice", "w");
+ fwrite($fd, $cfgdevice . "\n");
+ fclose($fd);
+
+ /* write out an fstab */
+ $fd = fopen("{$g['etc_path']}/fstab", "w");
+
+ $fstab = "/dev/{$cfgpartition} {$g['cf_path']} {$cfgfstype} ro 1 1\n";
+ $fstab .= "proc /proc procfs rw 0 0\n";
+
+ fwrite($fd, $fstab);
+ fclose($fd);
+ }
+
+ /* mount all filesystems */
+ mwexec("/sbin/mount -a");
+}
+
+/* parse configuration */
+if (!$noparseconfig) {
+
+ config_lock();
+
+ /* see if there's a newer cache file */
+ if (file_exists("{$g['tmp_path']}/config.cache") &&
+ (filemtime("{$g['tmp_path']}/config.cache") >=
+ filemtime("{$g['conf_path']}/config.xml"))) {
+
+ /* read cache */
+ $config = unserialize(file_get_contents("{$g['tmp_path']}/config.cache"));
+ } else {
+
+ if (!file_exists("{$g['conf_path']}/config.xml")) {
+ if ($g['booting']) {
+ if (strstr($g['platform'], "cdrom")) {
+ /* try copying the default config. to the floppy */
+ reset_factory_defaults();
+
+ echo "No XML configuration file found - using factory defaults.\n";
+ echo "Make sure that the configuration floppy disk with the conf/config.xml\n";
+ echo "file is inserted. If it isn't, your configuration changes will be lost\n";
+ echo "on reboot.\n";
+ } else {
+ echo "XML configuration file not found. m0n0wall cannot continue booting.\n";
+ mwexec("/sbin/halt");
+ exit;
+ }
+ } else {
+ config_unlock();
+ exit(0);
+ }
+ }
+
+ $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
+
+ if ((float)$config['version'] > (float)$g['latest_config']) {
+ if ($g['booting']) {
+ echo <<<EOD
+
+
+*******************************************************************************
+* WARNING! *
+* The current configuration has been created with a newer version of m0n0wall *
+* than this one! This can lead to serious misbehavior and even security *
+* holes! You are urged to either upgrade to a newer version of m0n0wall or *
+* revert to the default configuration immediately! *
+*******************************************************************************
+
+
+EOD;
+ }
+ }
+
+ /* write config cache */
+ $fd = @fopen("{$g['tmp_path']}/config.cache", "wb");
+ if ($fd) {
+ fwrite($fd, serialize($config));
+ fclose($fd);
+ }
+ }
+
+ config_unlock();
+
+ /* make alias table (for faster lookups) */
+ alias_make_table();
+}
+
+/* mount flash card read/write */
+function conf_mount_rw() {
+ global $g;
+
+ /* don't use mount -u anymore
+ (doesn't sync the files properly and /bin/sync won't help either) */
+ mwexec("/sbin/umount -f {$g['cf_path']}");
+ mwexec("/sbin/mount -w -o noatime {$g['cf_path']}");
+}
+
+/* mount flash card read only */
+function conf_mount_ro() {
+ global $g;
+
+ mwexec("/sbin/umount -f {$g['cf_path']}");
+ mwexec("/sbin/mount -r {$g['cf_path']}");
+}
+
+/* convert configuration, if necessary */
+function convert_config() {
+ global $config, $g;
+
+ if ($config['version'] == $g['latest_config'])
+ return; /* already at latest version */
+
+ if ($g['booting'])
+ echo "Converting configuration... ";
+
+ /* convert 1.0 -> 1.1 */
+ if ($config['version'] == "1.0") {
+ $opti = 1;
+ $ifmap = array('lan' => 'lan', 'wan' => 'wan', 'pptp' => 'pptp');
+
+ /* convert DMZ to optional, if necessary */
+ if (isset($config['interfaces']['dmz'])) {
+
+ $dmzcfg = &$config['interfaces']['dmz'];
+
+ if ($dmzcfg['if']) {
+ $config['interfaces']['opt' . $opti] = array();
+ $optcfg = &$config['interfaces']['opt' . $opti];
+
+ $optcfg['enable'] = $dmzcfg['enable'];
+ $optcfg['descr'] = "DMZ";
+ $optcfg['if'] = $dmzcfg['if'];
+ $optcfg['ipaddr'] = $dmzcfg['ipaddr'];
+ $optcfg['subnet'] = $dmzcfg['subnet'];
+
+ $ifmap['dmz'] = "opt" . $opti;
+ $opti++;
+ }
+
+ unset($config['interfaces']['dmz']);
+ }
+
+ /* convert WLAN1/2 to optional, if necessary */
+ for ($i = 1; isset($config['interfaces']['wlan' . $i]); $i++) {
+
+ if (!$config['interfaces']['wlan' . $i]['if']) {
+ unset($config['interfaces']['wlan' . $i]);
+ continue;
+ }
+
+ $wlancfg = &$config['interfaces']['wlan' . $i];
+ $config['interfaces']['opt' . $opti] = array();
+ $optcfg = &$config['interfaces']['opt' . $opti];
+
+ $optcfg['enable'] = $wlancfg['enable'];
+ $optcfg['descr'] = "WLAN" . $i;
+ $optcfg['if'] = $wlancfg['if'];
+ $optcfg['ipaddr'] = $wlancfg['ipaddr'];
+ $optcfg['subnet'] = $wlancfg['subnet'];
+ $optcfg['bridge'] = $wlancfg['bridge'];
+
+ $optcfg['wireless'] = array();
+ $optcfg['wireless']['mode'] = $wlancfg['mode'];
+ $optcfg['wireless']['ssid'] = $wlancfg['ssid'];
+ $optcfg['wireless']['channel'] = $wlancfg['channel'];
+ $optcfg['wireless']['wep'] = $wlancfg['wep'];
+
+ $ifmap['wlan' . $i] = "opt" . $opti;
+
+ unset($config['interfaces']['wlan' . $i]);
+ $opti++;
+ }
+
+ /* convert filter rules */
+ $n = count($config['filter']['rule']);
+ for ($i = 0; $i < $n; $i++) {
+
+ $fr = &$config['filter']['rule'][$i];
+
+ /* remap interface */
+ if (array_key_exists($fr['interface'], $ifmap))
+ $fr['interface'] = $ifmap[$fr['interface']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: filter rule removed " .
+ "(interface '{$fr['interface']}' does not exist anymore).";
+ unset($config['filter']['rule'][$i]);
+ continue;
+ }
+
+ /* remap source network */
+ if (isset($fr['source']['network'])) {
+ if (array_key_exists($fr['source']['network'], $ifmap))
+ $fr['source']['network'] = $ifmap[$fr['source']['network']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: filter rule removed " .
+ "(source network '{$fr['source']['network']}' does not exist anymore).";
+ unset($config['filter']['rule'][$i]);
+ continue;
+ }
+ }
+
+ /* remap destination network */
+ if (isset($fr['destination']['network'])) {
+ if (array_key_exists($fr['destination']['network'], $ifmap))
+ $fr['destination']['network'] = $ifmap[$fr['destination']['network']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: filter rule removed " .
+ "(destination network '{$fr['destination']['network']}' does not exist anymore).";
+ unset($config['filter']['rule'][$i]);
+ continue;
+ }
+ }
+ }
+
+ /* convert shaper rules */
+ $n = count($config['pfqueueing']['rule']);
+ if (is_array($config['pfqueueing']['rule']))
+ for ($i = 0; $i < $n; $i++) {
+
+ $fr = &$config['pfqueueing']['rule'][$i];
+
+ /* remap interface */
+ if (array_key_exists($fr['interface'], $ifmap))
+ $fr['interface'] = $ifmap[$fr['interface']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: traffic shaper rule removed " .
+ "(interface '{$fr['interface']}' does not exist anymore).";
+ unset($config['pfqueueing']['rule'][$i]);
+ continue;
+ }
+
+ /* remap source network */
+ if (isset($fr['source']['network'])) {
+ if (array_key_exists($fr['source']['network'], $ifmap))
+ $fr['source']['network'] = $ifmap[$fr['source']['network']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: traffic shaper rule removed " .
+ "(source network '{$fr['source']['network']}' does not exist anymore).";
+ unset($config['pfqueueing']['rule'][$i]);
+ continue;
+ }
+ }
+
+ /* remap destination network */
+ if (isset($fr['destination']['network'])) {
+ if (array_key_exists($fr['destination']['network'], $ifmap))
+ $fr['destination']['network'] = $ifmap[$fr['destination']['network']];
+ else {
+ /* remove the rule */
+ echo "\nWarning: traffic shaper rule removed " .
+ "(destination network '{$fr['destination']['network']}' does not exist anymore).";
+ unset($config['pfqueueing']['rule'][$i]);
+ continue;
+ }
+ }
+ }
+
+ $config['version'] = "1.1";
+ }
+
+ /* convert 1.1 -> 1.2 */
+ if ($config['version'] == "1.1") {
+ /* move LAN DHCP server config */
+ $tmp = $config['dhcpd'];
+ $config['dhcpd'] = array();
+ $config['dhcpd']['lan'] = $tmp;
+
+ /* encrypt password */
+ $config['system']['password'] = crypt($config['system']['password']);
+
+ $config['version'] = "1.2";
+ }
+
+ /* convert 1.2 -> 1.3 */
+ if ($config['version'] == "1.2") {
+ /* convert advanced outbound NAT config */
+ for ($i = 0; isset($config['nat']['advancedoutbound']['rule'][$i]); $i++) {
+ $curent = &$config['nat']['advancedoutbound']['rule'][$i];
+ $src = $curent['source'];
+ $curent['source'] = array();
+ $curent['source']['network'] = $src;
+ $curent['destination'] = array();
+ $curent['destination']['any'] = true;
+ }
+
+ /* add an explicit type="pass" to all filter rules to make things consistent */
+ for ($i = 0; isset($config['filter']['rule'][$i]); $i++) {
+ $config['filter']['rule'][$i]['type'] = "pass";
+ }
+
+ $config['version'] = "1.3";
+ }
+
+ /* convert 1.3 -> 1.4 */
+ if ($config['version'] == "1.3") {
+ /* convert shaper rules (make pipes) */
+ if (is_array($config['pfqueueing']['rule'])) {
+ $config['pfqueueing']['pipe'] = array();
+
+ for ($i = 0; isset($config['pfqueueing']['rule'][$i]); $i++) {
+ $curent = &$config['pfqueueing']['rule'][$i];
+
+ /* make new pipe and associate with this rule */
+ $newpipe = array();
+ $newpipe['descr'] = $curent['descr'];
+ $newpipe['bandwidth'] = $curent['bandwidth'];
+ $newpipe['delay'] = $curent['delay'];
+ $newpipe['mask'] = $curent['mask'];
+ $config['pfqueueing']['pipe'][$i] = $newpipe;
+
+ $curent['targetpipe'] = $i;
+
+ unset($curent['bandwidth']);
+ unset($curent['delay']);
+ unset($curent['mask']);
+ }
+ }
+
+ $config['version'] = "1.4";
+ }
+
+ write_config();
+
+ if ($g['booting'])
+ echo "done\n";
+}
+
+/* save the system configuration */
+function write_config() {
+
+ global $config, $g;
+
+ config_lock();
+
+ conf_mount_rw();
+
+ if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings is plausible */
+ $config['lastchange'] = time();
+
+ /* generate configuration XML */
+ $xmlconfig = dump_xml_config($config, $g['xml_rootobj']);
+
+ /* write configuration */
+ $fd = fopen("{$g['cf_conf_path']}/config.xml", "w");
+
+ if (!$fd)
+ die("Unable to open config.xml for writing in write_config()\n");
+
+ fwrite($fd, $xmlconfig);
+ fclose($fd);
+
+ conf_mount_ro();
+
+ /* re-read configuration */
+ $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
+
+ /* write config cache */
+ $fd = @fopen("{$g['tmp_path']}/config.cache", "wb");
+ if ($fd) {
+ fwrite($fd, serialize($config));
+ fclose($fd);
+ }
+
+ config_unlock();
+}
+
+function reset_factory_defaults() {
+
+ global $g;
+
+ config_lock();
+
+ conf_mount_rw();
+
+ /* create conf directory, if necessary */
+ if (!file_exists("{$g['cf_conf_path']}"))
+ @mkdir("{$g['cf_conf_path']}");
+
+ /* clear out /conf */
+ $dh = opendir($g['conf_path']);
+ while ($filename = readdir($dh)) {
+ if (($filename != ".") && ($filename != "..")) {
+ unlink($g['conf_path'] . "/" . $filename);
+ }
+ }
+ closedir($dh);
+
+ /* copy default configuration */
+ @copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml");
+
+ conf_mount_ro();
+
+ config_unlock();
+
+ return 0;
+}
+
+function config_install($conffile) {
+
+ global $config, $g;
+
+ if (!file_exists($conffile))
+ return 1;
+
+ config_lock();
+ conf_mount_rw();
+
+ copy($conffile, "{$g['conf_path']}/config.xml");
+
+ conf_mount_ro();
+ config_unlock();
+
+ return 0;
+}
+
+/* lock configuration file, decide that the lock file is stale after
+ 10 seconds */
+function config_lock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/config.lock";
+
+ $n = 0;
+ while ($n < 10) {
+ /* open the lock file in append mode to avoid race condition */
+ if ($fd = @fopen($lockfile, "x")) {
+ /* succeeded */
+ fclose($fd);
+ return;
+ } else {
+ /* file locked, wait and try again */
+ sleep(1);
+ $n++;
+ }
+ }
+}
+
+/* unlock configuration file */
+function config_unlock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/config.lock";
+
+ if (file_exists($lockfile))
+ unlink($lockfile);
+}
+
+?>
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
new file mode 100644
index 0000000..1b409f8
--- /dev/null
+++ b/etc/inc/filter.inc
@@ -0,0 +1,946 @@
+<?php
+/*
+ filter.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function filter_resync() {
+ global $config, $g;
+
+ mwexec("/sbin/pfctl -y"); /* XXX */
+}
+
+function filter_ipmon_start() {
+ global $config, $g;
+
+ mwexec("/pflogd -sD");
+}
+
+function filter_configure() {
+ global $config, $g;
+
+ if ($g['booting'])
+ echo "Configuring firewall... ";
+
+ /* set TCP timeouts */
+ $tcpidletimeout = 9000;
+ if ($config['filter']['tcpidletimeout'])
+ $tcpidletimeout = $config['filter']['tcpidletimeout'];
+ mwexec("/sbin/sysctl net.inet.ipf.fr_tcpidletimeout={$tcpidletimeout}");
+ mwexec("/sbin/sysctl net.inet.ipf.fr_tcphalfclosed=480");
+
+ /* generate pfctl rules */
+ $natrules = filter_nat_rules_generate();
+ /* generate pfctl rules */
+ $pfrules = filter_rules_generate();
+ /* generate altq interface setup parms */
+ $altq_ints = filter_setup_altq_interfaces();
+ /* generate altq queues */
+ $altq_queues = filter_generate_altq_queues();
+
+ mwexec("/sbin/pfctl -e");
+ mwexec("/sbin/pfctl -F nat");
+ mwexec("/sbin/pfctl -F rules");
+
+ /* get our wan interface? */
+ $wanif = get_real_wan_interface();
+
+ $fd = fopen("/tmp/rules.debug", "w");
+ fwrite($fd, "set loginterface $wanif \n");
+ fwrite($fd, "set optimization aggressive\n");
+ fwrite($fd, $altq_ints);
+ fwrite($fd, $altq_queues);
+ fwrite($fd, $natrules);
+ fwrite($fd, $pfrules);
+ fclose($fd);
+
+ mwexec("chmod a+x /tmp/rules.debug");
+ mwexec("/sbin/pfctl -f /tmp/rules.debug");
+
+ /* set up MSS clamping */
+ if ($config['interfaces']['wan']['mtu'])
+ $mssclamp = $config['interfaces']['wan']['mtu'] - 40;
+ else if ($config['interfaces']['wan']['ipaddr'] == "pppoe")
+ $mssclamp = 1452;
+ else
+ $mssclamp = 0;
+
+ mwexec("/sbin/sysctl net.inet.ipf.fr_mssif={$wanif}");
+ mwexec("/sbin/sysctl net.inet.ipf.fr_mssclamp={$mssclamp}");
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function filter_generate_altq_queues() {
+ global $config;
+ $altq_rules = "";
+ if (is_array($config['pfqueueing']['queue'])) {
+ foreach ($config['pfqueueing']['queue'] as $rule) {
+ $altq_rules .= "queue " . $rule['name'] . " ";
+ if (isset($rule['bandwidth']))
+ $altq_rules .= "bandwidth " . $rule['bandwidth'] . " ";
+ if (isset($rule['priority']))
+ $altq_rules .= "priority " . $rule['priority'] . " ";
+ if (isset($rule['options'])) /* XXX turn options into an xml array */
+ $altq_rules .= $rule['schedulertype'] . "(". $rule['options'] . ")";
+ if (isset($rule['subqueue'])) {
+ $altq_rules .= "{ ";
+ $fsq = "";
+ foreach ($rule['subqueue'] as $sq) {
+ if($fsq) $altq_rules .= ",";
+ $altq_rules .= $sq['name'];
+ $fsq = "1";
+ }
+ $altq_rules .= " }";
+ }
+ $altq_rules .= "\n";
+ }
+ }
+ return $altq_rules;
+}
+
+function filter_setup_altq_interfaces() {
+ global $config;
+ $altq_rules = "";
+ $queue_names = "";
+ $is_first = "";
+ if (is_array($config['pfqueueing']['queue'])) {
+ foreach ($config['pfqueueing']['queue'] as $queue) {
+ if(is_subqueue($queue['name']) == 0) {
+ if($is_first) $queue_names .= ", ";
+ $queue_names .= $queue['name'];
+ $is_first = "1";
+ }
+ }
+ }
+ if (is_array($config['interfaces'])) {
+ foreach ($config['interfaces'] as $ifname) {
+ if(isset($ifname['bandwidth'])) {
+ $subnet = $ifname['ipaddr'] . "/" . $ifname['subnet'];
+ $altq_rules .= "altq on " . $ifname['if'] . " ";
+ $altq_rules .= $ifname['schedulertype'] . " bandwidth " . $ifname['bandwidth'] . " ";
+ if($queue_names <> "")
+ $altq_rules .= "queue { " . $queue_names . " }";
+ $altq_rules .= "\n";
+ }
+ }
+ }
+ return $altq_rules;
+}
+
+function is_subqueue($name) {
+ global $config;
+ $status = "";
+ if (is_array($config['pfqueueing']['queue'])) {
+ foreach ($config['pfqueueing']['queue'] as $queue) {
+ if(is_array($queue['subqueue'])) {
+ foreach ($queue['subqueue'] as $sq) {
+ if($sq['name'] == $name) return 1;
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+function filter_flush_nat_table() {
+ global $config, $g;
+
+ return mwexec("/sbin/pfctl -F nat");
+}
+
+function filter_flush_state_table() {
+ global $config, $g;
+
+ return mwexec("/sbin/pfctl -F state");
+}
+
+function filter_nat_rules_generate_if($if, $src, $dst, $target) {
+
+ if ($target)
+ $tgt = $target . "/32";
+ else
+ $tgt = "0/32";
+
+ $natrule = <<<EOD
+nat on $if from $src to any -> $if
+
+EOD;
+
+ return $natrule;
+}
+
+function filter_nat_rules_generate() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $lancfg = $config['interfaces']['lan'];
+
+ $pptpdcfg = $config['pptpd'];
+ $wanif = get_real_wan_interface();
+
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+
+ $natrules = "";
+
+ /* any 1:1 mappings? */
+ if (is_array($config['nat']['onetoone'])) {
+ foreach ($config['nat']['onetoone'] as $natent) {
+ if (!is_numeric($natent['subnet']))
+ $sn = 32;
+ else
+ $sn = $natent['subnet'];
+
+ if (!$natent['interface'] || ($natent['interface'] == "wan"))
+ $natif = $wanif;
+ else
+ $natif = $config['interfaces'][$natent['interface']]['if'];
+
+ $natrules .= "binat on {$natif} from {$natent['internal']}/{$sn} to any -> {$natent['external']}\n";
+ }
+ }
+
+ /* outbound rules - advanced or standard */
+ if (isset($config['nat']['advancedoutbound']['enable'])) {
+ /* advanced outbound rules */
+ if (is_array($config['nat']['advancedoutbound']['rule'])) {
+ foreach ($config['nat']['advancedoutbound']['rule'] as $obent) {
+ $dst = "";
+ $src = "";
+ if (!isset($obent['destination']['any'])) {
+ $src = "from ";
+ if (isset($obent['destination']['not']))
+ $dst = "! to ";
+ else
+ $dst = "to ";
+ $dst .= $obent['destination']['network'];
+ }
+ $src .= $obent['source']['network'];
+
+ if (!$obent['interface'] || ($obent['interface'] == "wan"))
+ $natif = $wanif;
+ else
+ $natif = $config['interfaces'][$obent['interface']]['if'];
+
+ $natrules .= filter_nat_rules_generate_if($natif, $src, $dst,
+ $obent['target']);
+ }
+ }
+ } else {
+ /* standard outbound rules (one for each interface) */
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ $lansa . "/" . $lancfg['subnet'], "", null);
+
+ /* optional interfaces */
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ $optcfg = $config['interfaces']['opt' . $i];
+
+ if (isset($optcfg['enable']) && !$optcfg['bridge']) {
+ $optsa = gen_subnet($optcfg['ipaddr'], $optcfg['subnet']);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ $optsa . "/" . $optcfg['subnet'], "", null);
+ }
+ }
+
+ /* PPTP subnet */
+ if ($pptpdcfg['mode'] == "server") {
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ $pptpdcfg['remoteip'] . "/" . $g['pptp_subnet'], "", null);
+ }
+
+ /* static routes */
+ if (is_array($config['staticroutes']['route'])) {
+ foreach ($config['staticroutes']['route'] as $route) {
+ if ($route['interface'] != "wan")
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ $route['network'], "", null);
+ }
+ }
+ }
+
+ /* DIAG: add ipv6 NAT, if requested */
+ if (isset($config['diag']['ipv6nat']['enable'])) {
+ $natrules .= "rdr on $wanif proto ipv6 from any to any port 0 -> " .
+ "{$config['diag']['ipv6nat']['ipaddr']}\n";
+ }
+
+ if (isset($config['nat']['rule'])) {
+ foreach ($config['nat']['rule'] as $rule) {
+
+ $extport = explode("-", $rule['external-port']);
+ $target = alias_expand_host($rule['target']);
+
+ if (!$target)
+ continue; /* unresolvable alias */
+
+ if ($rule['external-address'])
+ $extaddr = $rule['external-address'] . "/32";
+ else
+ $extaddr = "0/0";
+
+ if (!$rule['interface'] || ($rule['interface'] == "wan"))
+ $natif = $wanif;
+ else
+ $natif = $config['interfaces'][$rule['interface']]['if'];
+
+ $lanif = $lancfg['if'];
+
+ if ((!$extport[1]) || ($extport[0] == $extport[1])) {
+ $natrules .=
+ "rdr on $natif proto " . $rule['protocol'] . " from any to any port {$extport[0]} -> {$target} \n";
+ } else {
+ $natrules .=
+ "rdr on $natif proto " . $rule['protocol']. " from any to any port {$extport[0]}:{$extport[1]} " .
+ "-> {$target} \n";
+ }
+
+ $natrules .= "\n";
+ }
+ }
+
+ if ($pptpdcfg['mode'] && $pptpdcfg['mode'] != "off") {
+
+ if ($pptpdcfg['mode'] == "server")
+ $pptpdtarget = "127.0.0.1";
+ else if ($pptpdcfg['mode'] == "redir")
+ $pptpdtarget = $pptpdcfg['redir'];
+
+ if ($pptpdtarget) {
+
+ $natrules .= <<<EOD
+
+# PPTP
+rdr on $wanif proto gre from any to any port 0 -> $pptpdtarget
+rdr on $wanif proto tcp from any to any port 1723 -> $pptpdtarget
+
+EOD;
+ }
+ }
+
+ return $natrules;
+}
+
+function filter_rules_generate() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $lancfg = $config['interfaces']['lan'];
+ $pptpdcfg = $config['pptpd'];
+
+ $lanif = $lancfg['if'];
+ $wanif = get_real_wan_interface();
+
+ /* rule groups (optional interfaces: see below) */
+ $ifgroups = array("lan" => 100, "wan" => 200);
+
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ /* optional interfaces */
+ $optcfg = array();
+
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ $oc = $config['interfaces']['opt' . $i];
+
+ if (isset($oc['enable']) && $oc['if']) {
+ $oic = array();
+ $oic['if'] = $oc['if'];
+
+ if ($oc['bridge']) {
+ if (!strstr($oc['bridge'], "opt") ||
+ isset($config['interfaces'][$oc['bridge']]['enable'])) {
+ if (is_ipaddr($config['interfaces'][$oc['bridge']]['ipaddr'])) {
+ $oic['ip'] = $config['interfaces'][$oc['bridge']]['ipaddr'];
+ $oic['sn'] = $config['interfaces'][$oc['bridge']]['subnet'];
+ $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
+ }
+ }
+ $oic['bridge'] = 1;
+ } else {
+ $oic['ip'] = $oc['ipaddr'];
+ $oic['sn'] = $oc['subnet'];
+ $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
+ }
+
+ $optcfg['opt' . $i] = $oic;
+ $ifgroups['opt' . $i] = ($i * 100) + 200;
+ }
+ }
+
+ if ($pptpdcfg['mode'] == "server") {
+ $pptpip = $pptpdcfg['localip'];
+ $pptpsa = $pptpdcfg['remoteip'];
+ $pptpsn = $g['pptp_subnet'];
+ }
+
+ /* default block logging? */
+ if (!isset($config['syslog']['nologdefaultblock']))
+ $log = "log";
+ else
+ $log = "";
+
+ $ipfrules = <<<EOD
+
+# loopback
+pass in quick on lo0 all
+pass out quick on lo0 all
+
+# allow access to DHCP server on LAN
+pass in quick on $lanif proto udp from any port = 68 to 255.255.255.255 port = 67
+pass in quick on $lanif proto udp from any port = 68 to $lanip port = 67
+pass out quick on $lanif proto udp from $lanip port = 67 to any port = 68
+
+EOD;
+
+ /* allow access to DHCP server on optional interfaces */
+ foreach ($optcfg as $on => $oc) {
+ if (isset($config['dhcpd'][$on]['enable']) && (!$oc['bridge'])) {
+ $ipfrules .= <<<EOD
+
+# allow access to DHCP server on {$on}
+pass in quick on {$oc['if']} proto udp from any port = 68 to 255.255.255.255 port = 67
+pass in quick on {$oc['if']} proto udp from any port = 68 to {$oc['ip']} port = 67
+pass out quick on {$oc['if']} proto udp from {$oc['ip']} port = 67 to any port = 68
+
+EOD;
+ }
+ }
+
+ /* pass traffic between statically routed subnets and the subnet on the
+ interface in question to avoid problems with complicated routing
+ topologies */
+ if (is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
+ foreach ($config['staticroutes']['route'] as $route) {
+ unset($sa);
+
+ if ($route['interface'] == "lan") {
+ $sa = $lansa;
+ $sn = $lansn;
+ $if = $lanif;
+ } else if (strstr($route['interface'], "opt")) {
+ $oc = $optcfg[$route['interface']];
+ if ($oc['ip']) {
+ $sa = $oc['sa'];
+ $sn = $oc['sn'];
+ $if = $oc['if'];
+ }
+ }
+
+ if ($sa) {
+ $ipfrules .= <<<EOD
+pass in quick on {$if} from {$sa}/{$sn} to {$route['network']}
+pass in quick on {$if} from {$route['network']} to {$sa}/{$sn}
+pass out quick on {$if} from {$sa}/{$sn} to {$route['network']}
+pass out quick on {$if} from {$route['network']} to {$sa}/{$sn}
+
+EOD;
+ }
+ }
+ }
+
+ $ipfrules .= <<<EOD
+
+# WAN spoof check
+block in $log quick on $wanif from $lansa/$lansn to any
+
+EOD;
+
+ foreach ($optcfg as $oc) {
+ if (!$oc['bridge'])
+ $ipfrules .= "block in $log quick on $wanif from {$oc['sa']}/{$oc['sn']} to any\n";
+ }
+
+ /* allow PPTP traffic if PPTP client is enabled on WAN */
+ if ($wancfg['ipaddr'] == "pptp") {
+ $ipfrules .= <<<EOD
+
+# allow PPTP client
+pass in quick on {$wancfg['if']} proto gre from any to any
+pass out quick on {$wancfg['if']} proto gre from any to any
+pass in quick on {$wancfg['if']} proto tcp from any port = 1723 to any
+pass out quick on {$wancfg['if']} proto tcp from any to any port = 1723
+
+EOD;
+ }
+
+ $ipfrules .= <<<EOD
+
+# allow our DHCP client out to the WAN
+# XXX - should be more restrictive
+# (not possible at the moment - need 'me' like in ipfw)
+pass out quick on $wanif proto udp from any port = 68 to any port = 67
+block in $log quick on $wanif proto udp from any port = 67 to $lansa/$lansn port = 68
+pass in quick on $wanif proto udp from any port = 67 to any port = 68
+
+# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
+
+EOD;
+
+ /* LAN spoof check */
+ $ipfrules .= filter_rules_spoofcheck_generate('lan', $lanif, $lansa, $lansn, $log);
+
+ /* OPT spoof check */
+ foreach ($optcfg as $on => $oc) {
+ if ($oc['ip'])
+ $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
+ }
+
+ /* block private networks on WAN? */
+ if (isset($config['interfaces']['wan']['blockpriv'])) {
+ $ipfrules .= <<<EOD
+
+# block anything from private networks on WAN interface
+block in $log quick on $wanif from 10.0.0.0/8 to any
+block in $log quick on $wanif from 127.0.0.0/8 to any
+block in $log quick on $wanif from 172.16.0.0/12 to any
+block in $log quick on $wanif from 192.168.0.0/16 to any
+
+EOD;
+ }
+
+ /* IPsec enabled? */
+ if (isset($config['ipsec']['enable']) &&
+ ((is_array($config['ipsec']['tunnel']) &&
+ count($config['ipsec']['tunnel'])) ||
+ isset($config['ipsec']['mobileclients']['enable']))) {
+
+ $curwanip = get_current_wan_address();
+
+ if ($curwanip)
+ $ipfrules .= filter_rules_ipsec_generate($wanif, $curwanip);
+
+ $ipfrules .= filter_rules_ipsec_generate($lanif, $lanip);
+
+ foreach ($optcfg as $on => $oc) {
+ if ($oc['ip'])
+ $ipfrules .= filter_rules_ipsec_generate($oc['if'], $oc['ip']);
+ }
+ }
+
+ /* XXX - the first section is only needed because pfctl refuses to
+ parse rules that have "flags S/SAFR" and proto "tcp/udp" set because
+ UDP does not have flags, but we still want to offer the TCP/UDP protocol
+ option to the user */
+
+ $ipfrules .= <<<EOD
+
+
+# let out anything from the firewall host itself and decrypted IPsec traffic
+pass out quick on $wanif all keep state
+
+EOD;
+
+ /* group heads for optional interfaces */
+ foreach ($optcfg as $on => $oc) {
+
+ $ingroup = $ifgroups[$on];
+
+ $ipfrules .= <<<EOD
+
+
+# let out anything from the firewall host itself and decrypted IPsec traffic
+pass out quick on {$oc['if']} all keep state
+
+EOD;
+
+ }
+
+ if (!isset($config['system']['webgui']['noantilockout'])) {
+
+ $ipfrules .= <<<EOD
+
+# make sure the user cannot lock himself out of the webGUI
+pass in quick from $lansa/$lansn to $lanip keep state
+# group 100
+
+EOD;
+ }
+
+ /* PPTPd enabled? */
+ if ($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) {
+
+ if ($pptpdcfg['mode'] == "server")
+ $pptpdtarget = "127.0.0.1";
+ else
+ $pptpdtarget = $pptpdcfg['redir'];
+
+ $ipfrules .= <<<EOD
+
+# PPTP rules
+pass in quick proto gre from any to $pptpdtarget keep state
+# group 200
+pass in quick proto tcp from any to $pptpdtarget port = 1723 keep state
+# group 200
+
+EOD;
+ }
+
+ /* BigPond client enabled? */
+ if ($wancfg['ipaddr'] == "bigpond") {
+
+ $ipfrules .= <<<EOD
+
+# BigPond heartbeat rules
+pass in quick proto udp from any to any port = 5050 keep state
+# group 200
+
+EOD;
+ }
+
+ $i = 0;
+
+ $ipfrules .= "\n# User-defined rules follow\n";
+
+ if (isset($config['filter']['rule']))
+ foreach ($config['filter']['rule'] as $rule) {
+
+ /* don't include disabled rules */
+ if (isset($rule['disabled'])) {
+ $i++;
+ continue;
+ }
+
+ /* does the rule deal with a PPTP interface? */
+ if ($rule['interface'] == "pptp") {
+
+ if ($pptpdcfg['mode'] != "server") {
+ $i++;
+ continue;
+ }
+
+ $nif = $g['n_pptp_units'];
+ $ispptp = true;
+ } else {
+
+ if (strstr($rule['interface'], "opt")) {
+ if (!array_key_exists($rule['interface'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ $nif = 1;
+ $ispptp = false;
+ }
+
+ if ($pptpdcfg['mode'] != "server") {
+ if (($rule['source']['network'] == "pptp") ||
+ ($rule['destination']['network'] == "pptp")) {
+ $i++;
+ continue;
+ }
+ }
+
+ if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) {
+ if (!array_key_exists($rule['source']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+ if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) {
+ if (!array_key_exists($rule['destination']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ /* check for unresolvable aliases */
+ if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) {
+ $i++;
+ continue;
+ }
+ if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) {
+ $i++;
+ continue;
+ }
+
+ for ($iif = 0; $iif < $nif; $iif++) {
+
+ if (!$ispptp) {
+
+ $groupnum = $ifgroups[$rule['interface']];
+
+ if (!$groupnum) {
+ printf("Invalid interface name in rule $i\n");
+ break;
+ }
+ }
+
+ $type = $rule['type'];
+ if ($type != "pass" && $type != "block" && $type != "reject") {
+ /* default (for older rules) is pass */
+ $type = "pass";
+ }
+
+ if ($type == "reject") {
+ /* special reject packet */
+ if ($rule['protocol'] == "tcp") {
+ $line = "block return-rst";
+ } else if ($rule['protocol'] == "udp") {
+ $line = "block return-icmp";
+ } else {
+ $line = "block";
+ }
+ } else {
+ $line = $type;
+ }
+
+ if(!isset($rule['direction'])) {
+ $line .= " in ";
+ } else {
+ $line .= " " . $rule['direction'] . " ";
+ }
+
+ if (isset($rule['log']))
+ $line .= "log ";
+
+ $line .= "quick ";
+
+ if ($ispptp) {
+ $line .= "on ng" . ($iif+1) . " ";
+ }
+
+ if (isset($rule['protocol'])) {
+ $line .= "proto {$rule['protocol']} ";
+ }
+
+ /* source address */
+ if (isset($rule['source']['any'])) {
+ $src = "any";
+ } else if ($rule['source']['network']) {
+
+ if (strstr($rule['source']['network'], "opt")) {
+ $src = $optcfg[$rule['source']['network']]['sa'] . "/" .
+ $optcfg[$rule['source']['network']]['sn'];
+ } else {
+ switch ($rule['source']['network']) {
+ case 'lan':
+ $src = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $src = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['source']['address']) {
+ $src = alias_expand($rule['source']['address']);
+ }
+
+ if (!$src || ($src == "/")) {
+ //printf("No source address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['source']['not'])) {
+ $line .= "from !$src ";
+ } else {
+ $line .= "from $src ";
+ }
+
+ if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
+
+ if ($rule['source']['port']) {
+ $srcport = explode("-", $rule['source']['port']);
+
+ if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $line .= "port = {$srcport[0]} ";
+ } else if (($srcport[0] == 1) && ($srcport[1] == 65535)) {
+ /* no need for a port statement here */
+ } else if ($srcport[1] == 65535) {
+ $line .= "port >= {$srcport[0]} ";
+ } else if ($srcport[0] == 1) {
+ $line .= "port <= {$srcport[1]} ";
+ } else {
+ $srcport[0]--;
+ $srcport[1]++;
+ $line .= "port {$srcport[0]} >< {$srcport[1]} ";
+ }
+ }
+ }
+
+ /* destination address */
+ if (isset($rule['destination']['any'])) {
+ $dst = "any";
+ } else if ($rule['destination']['network']) {
+
+ if (strstr($rule['destination']['network'], "opt")) {
+ $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" .
+ $optcfg[$rule['destination']['network']]['sn'];
+ } else {
+ switch ($rule['destination']['network']) {
+ case 'lan':
+ $dst = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $dst = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['destination']['address']) {
+ $dst = alias_expand($rule['destination']['address']);
+ }
+
+ if (!$dst || ($dst == "/")) {
+ //printf("No destination address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['destination']['not'])) {
+ $line .= "to !$dst ";
+ } else {
+ $line .= "to $dst ";
+ }
+
+ if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
+
+ if ($rule['destination']['port']) {
+ $dstport = explode("-", $rule['destination']['port']);
+
+ if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
+ $line .= "port = {$dstport[0]} ";
+ } else if (($dstport[0] == 1) && ($dstport[1] == 65535)) {
+ /* no need for a port statement here */
+ } else if ($dstport[1] == 65535) {
+ $line .= "port >= {$dstport[0]} ";
+ } else if ($dstport[0] == 1) {
+ $line .= "port <= {$dstport[1]} ";
+ } else {
+ $dstport[0]--;
+ $dstport[1]++;
+ $line .= "port {$dstport[0]} >< {$dstport[1]} ";
+ }
+ }
+ }
+
+ if (($rule['protocol'] == "icmp") && $rule['icmptype']) {
+ $line .= "icmp-type {$rule['icmptype']} ";
+ }
+
+ if ($type == "pass") {
+ $line .= "keep state ";
+
+ if (isset($rule['frags']))
+ $line .= "keep frags ";
+ }
+
+ if ($type == "reject" && $rule['protocol'] == "tcp") {
+ /* special reject packet */
+ $line .= "flags S/SA ";
+ }
+
+ if (isset($rule['flags'])) {
+ $line .= "flags " . $rule['flags'] . " ";
+ }
+
+ if (!$ispptp) {
+ #$line .= "group $groupnum ";
+ }
+
+ if (isset($rule['queuename'])) {
+ $line .= "queue " . $rule['queuename'];
+ }
+
+ $line .= "\n";
+
+ $ipfrules .= $line;
+ }
+
+ $i++;
+ }
+
+ $ipfrules .= <<<EOD
+
+#---------------------------------------------------------------------------
+# default rules (just to be sure)
+#---------------------------------------------------------------------------
+block in $log quick all
+block out $log quick all
+
+EOD;
+
+ return $ipfrules;
+}
+
+function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
+
+ global $g, $config;
+
+ $ipfrules = "";
+
+ if (is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
+ /* count rules */
+ $n = 1;
+ foreach ($config['staticroutes']['route'] as $route) {
+ if ($route['interface'] == $ifname)
+ $n++;
+ }
+
+ /* output skip rules */
+ foreach ($config['staticroutes']['route'] as $route) {
+ if ($route['interface'] == $ifname) {
+ $ipfrules .= "skip $n in on $if from {$route['network']} to any\n";
+ $n--;
+ }
+ }
+ $ipfrules .= "skip 1 in on $if from $sa/$sn to any\n";
+ $ipfrules .= "#block in $log quick on $if all\n";
+ } else {
+ $ipfrules .= "#block in $log quick on $if from ! $sa/$sn to any\n";
+ }
+
+ return $ipfrules;
+}
+
+function filter_rules_ipsec_generate($ifname, $ip) {
+
+ $ipfrules = <<<EOD
+
+# Pass IKE packets
+pass in quick on {$ifname} proto udp from any to {$ip} port = 500
+pass out quick on {$ifname} proto udp from {$ip} port = 500 to any
+
+# Pass ESP packets
+pass in quick on {$ifname} proto esp from any to {$ip}
+pass out quick on {$ifname} proto esp from {$ip} to any
+
+# Pass AH packets
+pass in quick on {$ifname} proto ah from any to {$ip}
+pass out quick on {$ifname} proto ah from {$ip} to any
+
+EOD;
+
+ return $ipfrules;
+}
+
+?>
diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc
new file mode 100644
index 0000000..eab4b82
--- /dev/null
+++ b/etc/inc/functions.inc
@@ -0,0 +1,41 @@
+<?php
+/*
+ functions.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("system.inc");
+require_once("interfaces.inc");
+require_once("services.inc");
+require_once("filter.inc");
+require_once("shaper.inc");
+require_once("vpn.inc");
+require_once("captiveportal.inc");
+require_once("openvpn.inc");
+
+?>
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
new file mode 100644
index 0000000..eef6cff
--- /dev/null
+++ b/etc/inc/globals.inc
@@ -0,0 +1,54 @@
+<?php
+/*
+ globals.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$g = array(
+ "varrun_path" => "/var/run",
+ "varetc_path" => "/var/etc",
+ "vardb_path" => "/var/db",
+ "varlog_path" => "/var/log",
+ "etc_path" => "/etc",
+ "tmp_path" => "/tmp",
+ "conf_path" => "/conf",
+ "ftmp_path" => "/ftmp",
+ "conf_default_path" => "/conf.default",
+ "cf_path" => "/cf",
+ "cf_conf_path" => "/cf/conf",
+ "www_path" => "/usr/local/www",
+ "captiveportal_path" => "/usr/local/captiveportal",
+ "xml_rootobj" => "m0n0wall",
+ "pppoe_interface" => "ng0",
+ "n_pptp_units" => 16,
+ "pptp_subnet" => 28,
+ "debug" => false,
+ "latest_config" => "1.4",
+ "nopccard_platforms" => array("wrap", "net48xx")
+);
+
+?>
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
new file mode 100644
index 0000000..00331c1
--- /dev/null
+++ b/etc/inc/interfaces.inc
@@ -0,0 +1,740 @@
+<?php
+/*
+ interfaces.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function interfaces_loopback_configure() {
+ global $config, $g;
+
+ mwexec("/sbin/ifconfig lo0 127.0.0.1");
+
+ return 0;
+}
+
+function interfaces_vlan_configure() {
+ global $config, $g;
+
+ if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
+
+ /* load the VLAN module */
+ mwexec("/sbin/kldload if_vlan");
+
+ /* devices with native VLAN support */
+ $vlan_native_supp = explode(" ", "bge em gx nge ti txp");
+
+ /* devices with long frame support */
+ $vlan_long_supp = explode(" ", "dc fxp sis ste tl tx xl");
+
+ $i = 0;
+
+ foreach ($config['vlans']['vlan'] as $vlan) {
+
+ $cmd = "/sbin/ifconfig vlan{$i} create vlan " .
+ escapeshellarg($vlan['tag']) . " vlandev " .
+ escapeshellarg($vlan['if']);
+
+ /* get driver name */
+ for ($j = 0; $j < strlen($vlan['if']); $j++) {
+ if ($vlan['if'][$j] >= '0' && $vlan['if'][$j] <= '9')
+ break;
+ }
+ $drvname = substr($vlan['if'], 0, $j);
+
+ if (in_array($drvname, $vlan_native_supp))
+ $cmd .= " link0";
+ else if (in_array($drvname, $vlan_long_supp))
+ $cmd .= " mtu 1500";
+
+ mwexec($cmd);
+
+ /* make sure the parent interface is up */
+ mwexec("/sbin/ifconfig " . escapeshellarg($vlan['if']) . " up");
+
+ $i++;
+ }
+ }
+
+ return 0;
+}
+
+function interfaces_lan_configure() {
+ global $config, $g;
+
+ if ($g['booting'])
+ echo "Configuring LAN interface... ";
+
+ $lancfg = $config['interfaces']['lan'];
+
+ /* wireless configuration? */
+ if (is_array($lancfg['wireless']))
+ interfaces_wireless_configure($lancfg['if'], $lancfg['wireless']);
+
+ /* MAC spoofing? */
+ if ($lancfg['spoofmac'])
+ mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) .
+ " link " . escapeshellarg($lancfg['spoofmac']));
+
+ /* media */
+ if ($lancfg['media'] || $lancfg['mediaopt']) {
+ $cmd = "/sbin/ifconfig " . escapeshellarg($lancfg['if']);
+ if ($lancfg['media'])
+ $cmd .= " media " . escapeshellarg($lancfg['media']);
+ if ($lancfg['mediaopt'])
+ $cmd .= " mediaopt " . escapeshellarg($lancfg['mediaopt']);
+ mwexec($cmd);
+ }
+
+ mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . " " .
+ escapeshellarg($lancfg['ipaddr'] . "/" . $lancfg['subnet']));
+
+ if (!$g['booting']) {
+ /* make new hosts file */
+ system_hosts_generate();
+
+ /* reconfigure static routes (kernel may have deleted them) */
+ system_routing_configure();
+
+ /* reload ipfilter (address may have changed) */
+ filter_configure();
+
+ /* reload shaper (subnet may have changed) */
+ shaper_configure();
+
+ /* reload IPsec tunnels */
+ vpn_ipsec_configure();
+
+ /* reload dhcpd (gateway may have changed) */
+ services_dhcpd_configure();
+
+ /* reload dnsmasq */
+ services_dnsmasq_configure();
+
+ /* reload webgui */
+ system_webgui_start();
+
+ /* reload captive portal */
+ captiveportal_configure();
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function interfaces_optional_configure() {
+ global $config, $g;
+ global $bridgeconfig;
+
+ /* Reset bridge configuration. Interfaces will add to it. */
+ $bridgeconfig = "";
+
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ interfaces_optional_configure_if($i);
+ }
+
+ if ($bridgeconfig) {
+ /* Set the system bridge configuration and enable bridging. */
+ mwexec("/sbin/sysctl net.link.ether.bridge_cfg=" . $bridgeconfig);
+
+ if (isset($config['bridge']['filteringbridge']))
+ mwexec("/sbin/sysctl net.link.ether.bridge_ipf=1");
+
+ mwexec("/sbin/sysctl net.link.ether.bridge=1");
+ } else {
+ mwexec("/sbin/sysctl net.link.ether.bridge_ipf=0");
+ mwexec("/sbin/sysctl net.link.ether.bridge=0");
+ }
+
+ if (!$g['booting']) {
+ /* reconfigure static routes (kernel may have deleted them) */
+ system_routing_configure();
+
+ /* reload ipfilter (address may have changed) */
+ filter_configure();
+
+ /* reload shaper (address may have changed) */
+ shaper_configure();
+
+ /* reload IPsec tunnels */
+ vpn_ipsec_configure();
+
+ /* reload dhcpd (interface enabled/disabled/bridged status may have changed) */
+ services_dhcpd_configure();
+
+ /* restart dnsmasq */
+ services_dnsmasq_configure();
+ }
+
+ return 0;
+}
+
+function interfaces_optional_configure_if($opti) {
+ global $config, $g;
+ global $bridgeconfig;
+
+ $optcfg = $config['interfaces']['opt' . $opti];
+
+ if ($g['booting']) {
+ $optdescr = "";
+ if ($optcfg['descr'])
+ $optdescr = " ({$optcfg['descr']})";
+ echo "Configuring OPT{$opti}{$optdescr} interface... ";
+ }
+
+ if (isset($optcfg['enable'])) {
+ /* wireless configuration? */
+ if (is_array($optcfg['wireless']))
+ interfaces_wireless_configure($optcfg['if'], $optcfg['wireless']);
+
+ /* MAC spoofing? */
+ if ($optcfg['spoofmac'])
+ mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) .
+ " link " . escapeshellarg($optcfg['spoofmac']));
+
+ /* media */
+ if ($optcfg['media'] || $optcfg['mediaopt']) {
+ $cmd = "/sbin/ifconfig " . escapeshellarg($optcfg['if']);
+ if ($optcfg['media'])
+ $cmd .= " media " . escapeshellarg($optcfg['media']);
+ if ($optcfg['mediaopt'])
+ $cmd .= " mediaopt " . escapeshellarg($optcfg['mediaopt']);
+ mwexec($cmd);
+ }
+
+ /* OpenVPN configuration? */
+ if (isset($optcfg['ovpn'])) {
+ if (strstr($if, "tap"))
+ ovpn_link_tap();
+ }
+
+ /* bridged? */
+ if ($optcfg['bridge']) {
+ mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) .
+ " delete up");
+
+ if ($bridgeconfig != "")
+ $bridgeconfig .= ",";
+
+ $bridgeconfig .= $optcfg['if'] . ":" . $opti . "," .
+ $config['interfaces'][$optcfg['bridge']]['if'] .
+ ":" . $opti;
+ } else {
+ mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . " " .
+ escapeshellarg($optcfg['ipaddr'] . "/" . $optcfg['subnet']));
+ }
+ } else {
+ mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) .
+ " delete down");
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function interfaces_wireless_configure($if, $wlcfg) {
+ global $config, $g;
+
+ /* wireless configuration */
+ $ifcargs = escapeshellarg($if) .
+ " ssid " . escapeshellarg($wlcfg['ssid']) . " channel " .
+ escapeshellarg($wlcfg['channel']) . " ";
+
+ if ($wlcfg['stationname'])
+ $ifcargs .= "stationname " . escapeshellarg($wlcfg['stationname']) . " ";
+
+ if (isset($wlcfg['wep']['enable']) && is_array($wlcfg['wep']['key'])) {
+ $ifcargs .= "wepmode on ";
+
+ $i = 1;
+ foreach ($wlcfg['wep']['key'] as $wepkey) {
+ $ifcargs .= "wepkey " . escapeshellarg("{$i}:{$wepkey['value']}") . " ";
+ if (isset($wepkey['txkey'])) {
+ $ifcargs .= "weptxkey {$i} ";
+ }
+ $i++;
+ }
+ } else {
+ $ifcargs .= "wepmode off ";
+ }
+
+ switch ($wlcfg['mode']) {
+ case 'hostap':
+ if (strstr($if, "wi"))
+ $ifcargs .= "-mediaopt ibss mediaopt hostap ";
+ break;
+ case 'ibss':
+ case 'IBSS':
+ if (strstr($if, "wi"))
+ $ifcargs .= "-mediaopt hostap mediaopt ibss ";
+ else if (strstr($if, "an"))
+ $ifcargs .= "mediaopt adhoc ";
+ break;
+ case 'bss':
+ case 'BSS':
+ if (strstr($if, "wi"))
+ $ifcargs .= "-mediaopt hostap -mediaopt ibss ";
+ else if (strstr($if, "an"))
+ $ifcargs .= "-mediaopt adhoc ";
+ break;
+ }
+
+ $ifcargs .= "up";
+
+ mwexec("/sbin/ifconfig " . $ifcargs);
+
+ return 0;
+}
+
+function interfaces_wan_configure() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+
+ if ($g['booting'])
+ echo "Configuring WAN interface... ";
+ else {
+ /* kill dhclient */
+ killbypid("{$g['varrun_path']}/dhclient.pid");
+
+ /* kill PPPoE client (mpd) */
+ killbypid("{$g['varrun_path']}/mpd.pid");
+
+ /* wait for processes to die */
+ sleep(2);
+
+ /* remove dhclient.conf, if it exists */
+ if (file_exists("{$g['varetc_path']}/dhclient.conf")) {
+ unlink("{$g['varetc_path']}/dhclient.conf");
+ }
+ /* remove mpd.conf, if it exists */
+ if (file_exists("{$g['varetc_path']}/mpd.conf")) {
+ unlink("{$g['varetc_path']}/mpd.conf");
+ }
+ /* remove mpd.links, if it exists */
+ if (file_exists("{$g['varetc_path']}/mpd.links")) {
+ unlink("{$g['varetc_path']}/mpd.links");
+ }
+ /* remove wanip, if it exists */
+ if (file_exists("{$g['vardb_path']}/wanip")) {
+ unlink("{$g['vardb_path']}/wanip");
+ }
+ }
+
+ /* remove all addresses first */
+ while (mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " -alias") == 0);
+ mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " down");
+
+ /* wireless configuration? */
+ if (is_array($wancfg['wireless']))
+ interfaces_wireless_configure($wancfg['if'], $wancfg['wireless']);
+
+ if ($wancfg['spoofmac'])
+ mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) .
+ " link " . escapeshellarg($wancfg['spoofmac']));
+
+ /* media */
+ if ($wancfg['media'] || $wancfg['mediaopt']) {
+ $cmd = "/sbin/ifconfig " . escapeshellarg($wancfg['if']);
+ if ($wancfg['media'])
+ $cmd .= " media " . escapeshellarg($wancfg['media']);
+ if ($wancfg['mediaopt'])
+ $cmd .= " mediaopt " . escapeshellarg($wancfg['mediaopt']);
+ mwexec($cmd);
+ }
+
+ switch ($wancfg['ipaddr']) {
+
+ case 'dhcp':
+ interfaces_wan_dhcp_configure();
+ break;
+
+ case 'pppoe':
+ interfaces_wan_pppoe_configure();
+ break;
+
+ case 'pptp':
+ interfaces_wan_pptp_configure();
+ break;
+
+ case 'bigpond':
+ /* just configure DHCP for now; fire up bpalogin when we've got the lease */
+ interfaces_wan_dhcp_configure();
+ break;
+
+ default:
+ mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " " .
+ escapeshellarg($wancfg['ipaddr'] . "/" . $wancfg['subnet']));
+
+ /* install default route */
+ mwexec("/sbin/route delete default");
+ mwexec("/sbin/route add default " . escapeshellarg($wancfg['gateway']));
+
+ /* resync ipfilter (done automatically for DHCP/PPPoE/PPTP) */
+ filter_resync();
+ }
+
+ if (!$g['booting']) {
+ /* reconfigure static routes (kernel may have deleted them) */
+ system_routing_configure();
+
+ /* reload ipfilter */
+ filter_configure();
+
+ /* reload shaper */
+ shaper_configure();
+
+ /* reload ipsec tunnels */
+ vpn_ipsec_configure();
+
+ /* restart ez-ipupdate */
+ services_dyndns_configure();
+
+ /* restart dnsmasq */
+ services_dnsmasq_configure();
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function interfaces_wan_dhcp_configure() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+
+ /* generate dhclient.conf */
+ $fd = fopen("{$g['varetc_path']}/dhclient.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open dhclient.conf in interfaces_wan_dhcp_configure().\n");
+ return 1;
+ }
+
+ $dhclientconf = "";
+
+ if ($wancfg['dhcphostname']) {
+ $dhclientconf .= <<<EOD
+send dhcp-client-identifier "{$wancfg['dhcphostname']}";
+interface "{$wancfg['if']}" {
+ send host-name "{$wancfg['dhcphostname']}";
+}
+
+EOD;
+ }
+
+ fwrite($fd, $dhclientconf);
+ fclose($fd);
+
+ /* fire up dhclient - don't wait for the lease (-nw) */
+ mwexec("/sbin/dhclient -nw -cf {$g['varetc_path']}/dhclient.conf " .
+ escapeshellarg($wancfg['if']) . " &");
+
+ return 0;
+}
+
+function interfaces_wan_pppoe_configure() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $pppoecfg = $config['pppoe'];
+
+ /* generate mpd.conf */
+ $fd = fopen("{$g['varetc_path']}/mpd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.conf in interfaces_wan_pppoe_configure().\n");
+ return 1;
+ }
+
+ $idle = 0;
+
+ if (isset($pppoecfg['ondemand'])) {
+ $ondemand = "enable";
+ if ($pppoecfg['timeout'])
+ $idle = $pppoecfg['timeout'];
+ } else {
+ $ondemand = "disable";
+ }
+
+ $mpdconf = <<<EOD
+pppoe:
+ new -i ng0 pppoe pppoe
+ set iface route default
+ set iface {$ondemand} on-demand
+ set iface idle {$idle}
+ set iface up-script /usr/local/sbin/ppp-linkup
+
+EOD;
+
+ if (isset($pppoecfg['ondemand'])) {
+ $mpdconf .= <<<EOD
+ set iface addrs 10.0.0.1 10.0.0.2
+
+EOD;
+ }
+
+ $mpdconf .= <<<EOD
+ set bundle disable multilink
+ set bundle authname "{$pppoecfg['username']}"
+ set bundle password "{$pppoecfg['password']}"
+ set link keep-alive 10 60
+ set link max-redial 0
+ set link no acfcomp protocomp
+ set link disable pap chap
+ set link accept chap
+ set link mtu 1492
+ set ipcp yes vjcomp
+ set ipcp ranges 0.0.0.0/0 0.0.0.0/0
+ set ipcp enable req-pri-dns
+ set ipcp enable req-sec-dns
+ open iface
+
+EOD;
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* generate mpd.links */
+ $fd = fopen("{$g['varetc_path']}/mpd.links", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.links in interfaces_wan_pppoe_configure().\n");
+ return 1;
+ }
+
+ $mpdconf = <<<EOD
+pppoe:
+ set link type pppoe
+ set pppoe iface {$wancfg['if']}
+ set pppoe service "{$pppoecfg['provider']}"
+ set pppoe enable originate
+ set pppoe disable incoming
+
+EOD;
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* fire up mpd */
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']} -p {$g['varrun_path']}/mpd.pid pppoe");
+
+ return 0;
+}
+
+function interfaces_wan_pptp_configure() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $pptpcfg = $config['pptp'];
+
+ /* generate mpd.conf */
+ $fd = fopen("{$g['varetc_path']}/mpd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.conf in interfaces_wan_pptp_configure().\n");
+ return 1;
+ }
+
+ $idle = 0;
+
+ if (isset($pptpcfg['ondemand'])) {
+ $ondemand = "enable";
+ if ($pptpcfg['timeout'])
+ $idle = $pptpcfg['timeout'];
+ } else {
+ $ondemand = "disable";
+ }
+
+ $mpdconf = <<<EOD
+pptp:
+ new -i ng0 pptp pptp
+ set iface route default
+ set iface {$ondemand} on-demand
+ set iface idle {$idle}
+ set iface up-script /usr/local/sbin/ppp-linkup
+
+EOD;
+
+ if (isset($pptpcfg['ondemand'])) {
+ $mpdconf .= <<<EOD
+ set iface addrs {$pptpcfg['local']} {$pptpcfg['remote']}
+
+EOD;
+ }
+
+ $mpdconf .= <<<EOD
+ set bundle disable multilink
+ set bundle authname "{$pptpcfg['username']}"
+ set bundle password "{$pptpcfg['password']}"
+ set link keep-alive 10 60
+ set link max-redial 0
+ set link no acfcomp protocomp
+ set link disable pap chap
+ set link accept chap
+ set ipcp no vjcomp
+ set ipcp ranges 0.0.0.0/0 0.0.0.0/0
+ set ipcp enable req-pri-dns
+ set ipcp enable req-sec-dns
+ open
+
+EOD;
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* generate mpd.links */
+ $fd = fopen("{$g['varetc_path']}/mpd.links", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.links in interfaces_wan_pptp_configure().\n");
+ return 1;
+ }
+
+ $mpdconf = <<<EOD
+pptp:
+ set link type pptp
+ set pptp enable originate outcall
+ set pptp disable windowing
+ set pptp self {$pptpcfg['local']}
+ set pptp peer {$pptpcfg['remote']}
+
+EOD;
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* configure interface */
+ mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " " .
+ escapeshellarg($pptpcfg['local'] . "/" . $pptpcfg['subnet']));
+
+ /* fire up mpd */
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']} -p {$g['varrun_path']}/mpd.pid pptp");
+
+ return 0;
+}
+
+function interfaces_wan_bigpond_configure($curwanip) {
+ global $config, $g;
+
+ $bpcfg = $config['bigpond'];
+
+ if (!$curwanip) {
+ /* IP address not configured yet, exit */
+ return 0;
+ }
+
+ /* kill bpalogin */
+ killbyname("bpalogin");
+
+ /* wait a moment */
+ sleep(1);
+
+ /* get the default domain */
+ $nfd = @fopen("{$g['varetc_path']}/defaultdomain.conf", "r");
+ if ($nfd) {
+ $defaultdomain = trim(fgets($nfd));
+ fclose($nfd);
+ }
+
+ /* generate bpalogin.conf */
+ $fd = fopen("{$g['varetc_path']}/bpalogin.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open bpalogin.conf in interfaces_wan_bigpond_configure().\n");
+ return 1;
+ }
+
+ if (!$bpcfg['authserver'])
+ $bpcfg['authserver'] = "dce-server";
+ if (!$bpcfg['authdomain'])
+ $bpcfg['authdomain'] = $defaultdomain;
+
+ $bpconf = <<<EOD
+username {$bpcfg['username']}
+password {$bpcfg['password']}
+authserver {$bpcfg['authserver']}
+authdomain {$bpcfg['authdomain']}
+localport 5050
+
+EOD;
+
+ if ($bpcfg['minheartbeatinterval'])
+ $bpconf .= "minheartbeatinterval {$bpcfg['minheartbeatinterval']}\n";
+
+ fwrite($fd, $bpconf);
+ fclose($fd);
+
+ /* fire up bpalogin */
+ mwexec("/usr/local/sbin/bpalogin -c {$g['varetc_path']}/bpalogin.conf");
+
+ return 0;
+}
+
+function get_real_wan_interface() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+
+ $wanif = $wancfg['if'];
+ if (($wancfg['ipaddr'] == "pppoe") || ($wancfg['ipaddr'] == "pptp")) {
+ $wanif = $g['pppoe_interface'];
+ }
+
+ return $wanif;
+}
+
+function get_current_wan_address() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+
+ if (in_array($wancfg['ipaddr'], array('pppoe','dhcp','pptp','bigpond'))) {
+ /* dynamic WAN IP address, find out which one */
+ $wanif = get_real_wan_interface();
+
+ /* get interface info with netstat */
+ exec("/usr/bin/netstat -nWI " . escapeshellarg($wanif) . " -f inet", $ifinfo);
+
+ if (isset($ifinfo[1])) {
+ $aif = preg_split("/\s+/", $ifinfo[1]);
+ $curwanip = chop($aif[3]);
+
+ if ($curwanip && is_ipaddr($curwanip) && ($curwanip != "0.0.0.0"))
+ return $curwanip;
+ }
+
+ return null;
+ } else {
+ /* static WAN IP address */
+ return $wancfg['ipaddr'];
+ }
+}
+
+?>
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
new file mode 100644
index 0000000..2414ae0
--- /dev/null
+++ b/etc/inc/openvpn.inc
@@ -0,0 +1,559 @@
+<?php
+/*
+ openvpn.inc
+
+ Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("globals.inc");
+require_once("config.inc");
+require_once("functions.inc");
+
+function ovpn_configure() {
+ global $config;
+ if (is_array($config['ovpn']['server']))
+ ovpn_config_server();
+ if (is_array($config['ovpn']['client']))
+ ovpn_config_client();
+ return;
+}
+
+function ovpn_link_tap() {
+ /* Add a reference to the tap KLM. If ref count = 1, load it */
+ global $g;
+
+ if (!is_file($g['vardb_path'] ."/ovpn_tap_link")){
+ $link_count = 1;
+ mwexec("/sbin/kldload if_tap");
+ $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'w');
+ }
+ else {
+ $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'r+');
+ $link_count = fread($fd);
+ $link_count ++;
+ }
+ fwrite($fd, $link_count);
+ fclose($fd);
+ return true;
+}
+
+function ovpn_unlink_tap() {
+ /* Remove a reference to the tap KLM. If ref count = 0, unload it */
+ global $g;
+
+ if (!is_file($g['vardb_path'] ."/ovpn_tap_link"))
+ return false; //no file, no links so why are we called?
+
+ $fd = fopen($g['vardb_path'] ."/ovpn_tap_link", 'r+');
+ $link_count = fread($fd);
+ $link_count --;
+ fwrite($fd, $link_count);
+ fclose($fd);
+
+ if ($link_count == 0)
+ mwexec("/sbin/kldunload if_tap");
+ return true;
+}
+
+/*****************************/
+/* Server-related functions */
+
+/* Configure the server */
+function ovpn_config_server() {
+ global $config, $g;
+
+ if (isset($config['ovpn']['server']['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting OpenVPN server... ";
+
+ /* kill any running openvpn daemon */
+ killbypid($g['varrun_path']."/ovpn_srv.pid");
+
+ /* Remove old certs & keys */
+ unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_srv_cert.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_srv_key.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_dh.pem");
+
+ /* Copy the TLS-Server certs & keys to disk */
+ $fd = @fopen("{$g['vardb_path']}/ovpn_ca_cert.pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($config['ovpn']['server']['ca_cert'])."\n");
+ fclose($fd);
+ }
+ $fd = @fopen("{$g['vardb_path']}/ovpn_srv_cert.pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($config['ovpn']['server']['srv_cert'])."\n");
+ fclose($fd);
+ }
+ $fd = @fopen("{$g['vardb_path']}/ovpn_srv_key.pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($config['ovpn']['server']['srv_key'])."\n");
+ fclose($fd);
+ }
+ $fd = @fopen("{$g['vardb_path']}/ovpn_dh.pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($config['ovpn']['server']['dh_param'])."\n");
+ fclose($fd);
+ }
+
+ /* Start the openvpn daemon */
+ mwexec("/usr/local/sbin/openvpn " . ovpn_srv_config_generate());
+
+ if ($g['booting'])
+ /* Send the boot message */
+ echo "done\n";
+ }
+ else {
+ if (!$g['booting']){
+ /* stop any processes, unload the tap module */
+ /* Remove old certs & keys */
+ unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_srv_cert.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_srv_key.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_dh.pem");
+ killbypid("{$g['varrun_path']}/ovpn_srv.pid");
+ if ($config['ovpn']['server']['tun_iface'] == 'tap0')
+ ovpn_unlink_tap();
+ }
+ }
+ return 0;
+}
+
+/* Generate the config for a OpenVPN server */
+function ovpn_srv_config_generate() {
+ global $config, $g;
+ $server = $config['ovpn']['server'];
+
+ /* First the generic stuff:
+ - We are a server
+ - We are a TLS Server (for authentication)
+ - We will run without privilege
+ */
+ $ovpn_config = "--daemon --user nobody --group nobody --verb {$server['verb']} ";
+
+ /* pid file */
+ $ovpn_config .= "--writepid {$g['varrun_path']}/ovpn_srv.pid ";
+
+ /* interface */
+ $ovpn_config .= "--dev {$server['tun_iface']} ";
+
+ /* port */
+ $ovpn_config .= "--port {$server['port']} ";
+
+ /* Interface binding - 1 or all */
+ if ($server['bind_iface'] != 'all') {
+ if ($ipaddr = ovpn_get_ip($server['bind_iface']))
+ $ovpn_config .= "--local $ipaddr ";
+ else
+ return "Interface bridged";
+
+ }
+
+ /* Client to client routing (off by default) */
+ if (isset($server['cli2cli']))
+ $ovpn_config .= "--client-to-client ";
+
+ /* Set maximum simultaneous clients */
+ $ovpn_config .= "--max-clients {$server['maxcli']} ";
+
+ /* New --server macro simplifies config */
+ $mask = ovpn_calc_mask($server['prefix']);
+ $ovpn_config .= "--server {$server['ipblock']} {$mask} ";
+
+ /* TLS-Server params */
+ $ovpn_config .= "--ca {$g['vardb_path']}/ovpn_ca_cert.pem ";
+ $ovpn_config .= "--cert {$g['vardb_path']}/ovpn_srv_cert.pem ";
+ $ovpn_config .= "--key {$g['vardb_path']}/ovpn_srv_key.pem ";
+ $ovpn_config .= "--dh {$g['vardb_path']}/ovpn_dh.pem ";
+
+ /* Data channel encryption cipher*/
+ $ovpn_config .= "--cipher {$server['crypto']} ";
+
+ /* Duplicate CNs */
+ if (isset($server['dupcn']))
+ $ovpn_config .= "--duplicate-cn ";
+
+ /* Client push - redirect gateway */
+ if (isset($server['psh_options']['redir'])){
+ if (isset($server['psh_options']['redir_loc']))
+ $ovpn_config .= "--push \"redirect-gateway 'local'\" ";
+ else
+ $ovpn_config .= "--push \"redirect-gateway\" ";
+ }
+
+ /* Client push - route delay */
+ if (isset($server['psh_options']['rte_delay']))
+ $ovpn_config .= "--push \"route-delay {$server['psh_options']['rte_delay']}\" ";
+
+ /* Client push - ping (note we set both server and client) */
+ if (isset ($server['psh_options']['ping'])){
+ $ovpn_config .= "--ping {$server['psh_options']['ping']} ";
+ $ovpn_config .= "--push \"ping {$server['psh_options']['ping']}\" ";
+ }
+
+ /* Client push - ping-restart (note server uses 2 x client interval) */
+ if (isset ($server['psh_options']['pingrst'])){
+ $interval = $server['psh_options']['pingrst'];
+ $ovpn_config .= "--ping-restart " . ($interval * 2) . " ";
+ $ovpn_config .= "--push \"ping-restart $interval\" ";
+ }
+
+ /* Client push - ping-exit (set on client) */
+ if (isset ($server['psh_options']['pingexit'])){
+ $ovpn_config .= "--ping-exit {$server['psh_options']['pingexit']} ";
+ $ovpn_config .= "--push \"ping-exit {$server['psh_options']['pingexit']}\" ";
+ }
+
+ /* Client push - inactive (set on client) */
+ if (isset ($server['psh_options']['inact'])){
+ $ovpn_config .= "--inactive {$server['psh_options']['pingexit']} ";
+ $ovpn_config .= "--push \"inactive {$server['psh_options']['inact']}\" ";
+ }
+
+ //trigger_error("OVPN: $ovpn_config", E_USER_NOTICE);
+ return $ovpn_config;
+}
+
+/* Define an OVPN Server tunnel interface in the interfaces array and assign a name */
+function ovpn_server_iface(){
+ global $config, $g;
+
+ $i = 1;
+ while (true) {
+ $ifname = 'opt' . $i;
+ if (is_array($config['interfaces'][$ifname])) {
+ if ((isset($config['interfaces'][$ifname]['ovpn']))
+ && ($config['interfaces'][$ifname]['ovpn'] == 'server'))
+ /* Already an interface defined - overwrite */
+ break;
+ }
+ else {
+ /* No existing entry, this is first unused */
+ $config['interfaces'][$ifname] = array();
+ break;
+ }
+ $i++;
+ }
+ $config['interfaces'][$ifname]['descr'] = "OVPN server";
+ $config['interfaces'][$ifname]['if'] = $config['ovpn']['server']['tun_iface'];
+ $config['interfaces'][$ifname]['ipaddr'] = long2ip( ip2long($config['ovpn']['server']['ipblock']) + 1);
+ $config['interfaces'][$ifname]['subnet'] = $config['ovpn']['server']['prefix'];
+ $config['interfaces'][$ifname]['enable'] = isset($config['ovpn']['server']['enable']) ? true : false;
+ $config['interfaces'][$ifname]['ovpn'] = 'server';
+
+ write_config();
+
+ return "OpenVPN server interface defined";
+}
+
+/********************************************************/
+/* Client related functions */
+function ovpn_config_client() {
+ /* Boot time configuration */
+ global $config, $g;
+
+ foreach ($config['ovpn']['client']['tunnel'] as $id => $client) {
+ if (isset($client['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting OpenVPN client $id... ";
+
+ /* kill any running openvpn daemon */
+ killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid");
+
+ /* Remove old certs & keys */
+ unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem");
+
+ /* Copy the TLS-Client certs & keys to disk */
+ /*$fd = @fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w");*/
+ $fd = fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($client['ca_cert'])."\n");
+ fclose($fd);
+ }
+ else
+ trigger_error("OVPN: No open for CA", E_USER_NOTICE);
+ $fd = fopen($g['vardb_path']."/ovpn_cli_cert_".$id.".pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($client['cli_cert'])."\n");
+ fclose($fd);
+ }
+ $fd = fopen($g['vardb_path']."/ovpn_cli_key_".$id.".pem", "w");
+ if ($fd) {
+ fwrite($fd, base64_decode($client['cli_key'])."\n");
+ fclose($fd);
+ }
+
+ /* Start openvpn for this client */
+ mwexec("/usr/local/sbin/openvpn " . ovpn_cli_config_generate($id));
+
+ if ($g['booting'])
+ /* Send the boot message */
+ echo "done\n";
+ }
+ else {
+ if (!$g['booting']){
+ /* stop any processes, unload the tap module */
+ /* Remove old certs & keys */
+ unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem");
+ unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem");
+ killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid");
+ if ($client['type'] == "tap")
+ ovpn_unlink_tap();
+ }
+ }
+ }
+ return 0;
+
+}
+
+/* Kill off a running client process */
+function ovpn_client_kill($id) {
+ global $g;
+
+ killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid");
+ return 0;
+}
+
+function ovpn_cli_config_generate($id) {
+ /* configure the named client */
+ global $config, $g;
+ $client = $config['ovpn']['client']['tunnel'];
+
+ /* Client support in 2.0 is very simple */
+
+ $ovpn_config = "--client --daemon --verb 1 ";
+
+ /* pid file */
+ $ovpn_config .= "--writepid {$g['varrun_path']}/ovpn_client{$id}.pid ";
+
+ /* interface */
+ $ovpn_config .= "--dev {$client[$id]['if']} ";
+
+ /* protocol */
+ $ovpn_config .= "--proto {$client[$id]['proto']} ";
+
+ /* port */
+ $ovpn_config .= "--lport {$client[$id]['cport']} ";
+
+ /* server location */
+ $ovpn_config .= "--remote {$client[$id]['saddr']} {$client[$id]['sport']} ";
+
+ /* TLS-Server params */
+ $ovpn_config .= "--ca {$g['vardb_path']}/ovpn_ca_cert_{$id}.pem ";
+ $ovpn_config .= "--cert {$g['vardb_path']}/ovpn_cli_cert_{$id}.pem ";
+ $ovpn_config .= "--key {$g['vardb_path']}/ovpn_cli_key_{$id}.pem ";
+
+ /* Data channel encryption cipher*/
+ $ovpn_config .= "--cipher {$client[$id]['crypto']} ";
+
+ //trigger_error("OVPN: $ovpn_config", E_USER_NOTICE);
+ return $ovpn_config;
+}
+
+/* Define an OVPN tunnel interface in the interfaces array for each client */
+function ovpn_client_iface(){
+ global $config;
+
+ foreach ($config['ovpn']['client']['tunnel'] as $id => $client) {
+ if (isset($client['enable'])) {
+ $i = 1;
+ while (true) {
+ $ifname = 'opt' . $i;
+ if (is_array($config['interfaces'][$ifname])) {
+ if ((isset($config['interfaces'][$ifname]['ovpn']))
+ && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}"))
+ /* Already an interface defined - overwrite */
+ break;
+ }
+ else {
+ /* No existing entry, this is first unused */
+ $config['interfaces'][$ifname] = array();
+ break;
+ }
+ $i++;
+ }
+ if (isset($client['descr']))
+ $config['interfaces'][$ifname]['descr'] = $client['descr'];
+ else
+ $config['interfaces'][$ifname]['descr'] = "OVPN client-{$id}";
+ $config['interfaces'][$ifname]['if'] = $client['if'];
+ $config['interfaces'][$ifname]['ipaddr'] = "0.0.0.0";
+ $config['interfaces'][$ifname]['subnet'] = "0";
+ $config['interfaces'][$ifname]['enable'] = isset($client['enable']) ? true : false;
+ $config['interfaces'][$ifname]['ovpn'] = "client{$id}";
+ write_config();
+ }
+ }
+ return "OpenVPN client interfaces defined";
+}
+
+/* Delete a client interface definition */
+function ovpn_client_iface_del($id) {
+ global $config;
+
+ $i = 1;
+ while (true) {
+ $ifname = 'opt' . $i;
+ if (is_array($config['interfaces'][$ifname])) {
+ if ((isset($config['interfaces'][$ifname]['ovpn']))
+ && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}"))
+ unset($config['interfaces'][$ifname]);
+ }
+ }
+}
+
+/******************/
+/* Misc functions */
+
+/* Calculate the last address in a range given the start and /prefix */
+function ovpn_calc_end($start, $prefix){
+
+ $first = ip2long($start);
+ $last = pow(2,(32 - $prefix)) - 1 + $first;
+ return long2ip($last);
+}
+
+/* Calculate a mask given a /prefix */
+function ovpn_calc_mask($prefix){
+
+ return long2ip(ip2long("255.255.255.255") - (pow( 2, (32 - $prefix)) - 1));
+}
+
+/* Read in a file from the $_FILES array */
+function ovpn_get_file($file){
+ global $g;
+
+ if (!is_uploaded_file($_FILES[$file]['tmp_name'])){
+ trigger_error("Bad file upload".$_FILES[$file]['error'], E_USER_NOTICE);
+ return NULL;
+ }
+ $contents = file_get_contents($_FILES[$file]['tmp_name']);
+ return $contents;
+}
+
+
+/* Get the IP address of a specified interface */
+function ovpn_get_ip($iface){
+ global $config;
+
+ if ($iface == 'wan')
+ return get_current_wan_address();
+
+ if ($config['interfaces'][$iface]['bridge'])
+ /* No bridging (yet) */
+ return false;
+ return $config['interfaces'][$iface]['ipaddr'];
+}
+
+/* Get a list of the cipher options supported by OpenVPN */
+function ovpn_get_cipher_list(){
+
+/* exec("/usr/local/sbin/openvpn --show-ciphers", $raw);
+ print_r ($raw);
+
+ $ciphers = preg_grep('/ bit default key /', $raw);
+
+ for($i = 0; $i <count($ciphers); $i++){
+ $tmp = explode(' ',$ciphers[$i]);
+ $cipher_list["$tmp[0]"] = "{$tmp[0]} ({$tmp[1]} {$tmp[2]})";
+ }
+*/
+ $cipher_list = array('DES-CBC' => 'DES-CBC (64 bit)',
+ 'RC2-CBC' => 'RC2-CBC (128 bit)',
+ 'DES-EDE-CBC' => 'DES-EDE-CBC (128 bit)',
+ 'DES-EDE3-CBC' => 'DES-EDE3-CBC (192 bit)',
+ 'DESX-CBC' => 'DESX-CBC (192 bit)',
+ 'BF-CBC' => 'BF-CBC (128 bit)',
+ 'RC2-40-CBC' => 'RC2-40-CBC (40 bit)',
+ 'CAST5-CBC' => 'CAST5-CBC (128 bit)',
+ 'RC5-CBC' => 'RC5-CBC (128 bit)',
+ 'RC2-64-CBC' => 'RC2-64-CBC (64 bit)',
+ 'AES-128-CBC' => 'AES-128-CBC (128 bit)',
+ 'AES-192-CBC' => 'AES-192-CBC (192 bit)',
+ 'AES-256-CBC' => 'AES-256-CBC (256 bit)');
+ return $cipher_list;
+}
+
+
+/* Build a list of the current real interfaces */
+function ovpn_real_interface_list(){
+ global $config;
+
+ $interfaces = array('all' => 'ALL',
+ 'lan' => 'LAN',
+ 'wan' => 'WAN');
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ if (isset($config['interfaces']['opt' . $i]['ovpn']))
+ /* Hide our own interface */
+ break;
+ if (isset($config['interfaces']['opt' . $i]['enable']))
+ $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr'];
+ }
+ return $interfaces;
+}
+
+
+/* lock openvpn information, decide that the lock file is stale after
+ 10 seconds */
+function ovpn_lock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/ovpn.lock";
+
+ $n = 0;
+ while ($n < 10) {
+ /* open the lock file in append mode to avoid race condition */
+ if ($fd = @fopen($lockfile, "x")) {
+ /* succeeded */
+ fclose($fd);
+ return;
+ } else {
+ /* file locked, wait and try again */
+ sleep(1);
+ $n++;
+ }
+ }
+}
+
+/* unlock configuration file */
+function ovpn_unlock() {
+
+ global $g;
+
+ $lockfile = "{$g['varrun_path']}/ovpn.lock";
+
+ if (file_exists($lockfile))
+ unlink($lockfile);
+}
+
+?>
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
new file mode 100644
index 0000000..17bc959
--- /dev/null
+++ b/etc/inc/services.inc
@@ -0,0 +1,440 @@
+<?php
+/*
+ services.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function services_dhcpd_configure() {
+ global $config, $g;
+
+ /* kill any running dhcpd */
+ killbypid("{$g['varrun_path']}/dhcpd.pid");
+
+ $syscfg = $config['system'];
+ $dhcpdcfg = $config['dhcpd'];
+
+ /* DHCP enabled on any interfaces? */
+ $dhcpdenable = false;
+ foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) {
+ if (isset($dhcpifconf['enable']) &&
+ (($dhcpif == "lan") ||
+ (isset($config['interfaces'][$dhcpif]['enable']) &&
+ $config['interfaces'][$dhcpif]['if'] && (!$config['interfaces'][$dhcpif]['bridge']))))
+ $dhcpdenable = true;
+ }
+
+ if (!$dhcpdenable)
+ return 0;
+
+ if ($g['booting'])
+ echo "Starting DHCP service... ";
+ else
+ sleep(1);
+
+ /* write dhcpd.conf */
+ $fd = fopen("{$g['varetc_path']}/dhcpd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open dhcpd.conf in services_dhcpd_configure().\n");
+ return 1;
+ }
+
+ $dhcpdconf = <<<EOD
+option domain-name "{$syscfg['domain']}";
+default-lease-time 7200;
+max-lease-time 86400;
+authoritative;
+log-facility local7;
+ddns-update-style none;
+
+EOD;
+
+ $dhcpdifs = array();
+ foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) {
+
+ $ifcfg = $config['interfaces'][$dhcpif];
+
+ if (!isset($dhcpifconf['enable']) ||
+ (($dhcpif != "lan") &&
+ (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge'])))
+ continue;
+
+ $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+ $subnetmask = gen_subnet_mask($ifcfg['subnet']);
+
+ $dnscfg = "";
+
+ if ($dhcpifconf['domain']) {
+ $dnscfg .= " option domain-name \"{$dhcpifconf['domain']}\";\n";
+ }
+
+ if (is_array($dhcpifconf['dnsserver']) && ($dhcpifconf['dnsserver'][0])) {
+ $dnscfg .= " option domain-name-servers " . join(",", $dhcpifconf['dnsserver']) . ";";
+ } else if (isset($config['dnsmasq']['enable'])) {
+ $dnscfg .= " option domain-name-servers " . $ifcfg['ipaddr'] . ";";
+ } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+ $dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";";
+ }
+
+ $dhcpdconf .= "subnet $subnet netmask $subnetmask {\n";
+ $dhcpdconf .= " pool {\n";
+ if (isset($dhcpifconf['denyunknown']))
+ $dhcpdconf .= " deny unknown clients;\n";
+
+ if ($dhcpifconf['gateway'])
+ $routers = $dhcpifconf['gateway'];
+ else
+ $routers = $ifcfg['ipaddr'];
+
+ $dhcpdconf .= <<<EOD
+ range {$dhcpifconf['range']['from']} {$dhcpifconf['range']['to']};
+ }
+ option routers {$routers};
+$dnscfg
+
+EOD;
+
+ if ($dhcpifconf['defaultleasetime'])
+ $dhcpdconf .= " default-lease-time {$dhcpifconf['defaultleasetime']};\n";
+ if ($dhcpifconf['maxleasetime'])
+ $dhcpdconf .= " max-lease-time {$dhcpifconf['maxleasetime']};\n";
+
+ if (is_array($dhcpifconf['winsserver']) && $dhcpifconf['winsserver'][0]) {
+ $dhcpdconf .= " option netbios-name-servers " . join(",", $dhcpifconf['winsserver']) . ";\n";
+ $dhcpdconf .= " option netbios-node-type 8;\n";
+ }
+
+ if ($dhcpifconf['next-server'])
+ $dhcpdconf .= " next-server {$dhcpifconf['next-server']};\n";
+ if ($dhcpifconf['filename'])
+ $dhcpdconf .= " filename \"{$dhcpifconf['filename']}\";\n";
+
+ $dhcpdconf .= <<<EOD
+}
+
+EOD;
+
+ /* add static mappings */
+ if (is_array($dhcpifconf['staticmap'])) {
+
+ $i = 0;
+ foreach ($dhcpifconf['staticmap'] as $sm) {
+ $dhcpdconf .= <<<EOD
+host s_{$dhcpif}_{$i} {
+ hardware ethernet {$sm['mac']};
+
+EOD;
+ if ($sm['ipaddr'])
+ $dhcpdconf .= " fixed-address {$sm['ipaddr']};\n";
+
+ $dhcpdconf .= "}\n";
+ $i++;
+ }
+ }
+
+ $dhcpdifs[] = $ifcfg['if'];
+ }
+
+ fwrite($fd, $dhcpdconf);
+ fclose($fd);
+
+ /* create an empty leases database */
+ touch("{$g['vardb_path']}/dhcpd.leases");
+
+ /* fire up dhcpd */
+ mwexec("/usr/local/sbin/dhcpd -cf {$g['varetc_path']}/dhcpd.conf " .
+ join(" ", $dhcpdifs));
+
+ if (!$g['booting']) {
+ filter_configure();
+ } else
+ echo "done\n";
+
+ return 0;
+}
+
+function services_dhcrelay_configure() {
+ global $config, $g;
+
+ /* kill any running dhcrelay */
+ killbypid("{$g['varrun_path']}/dhcrelay.pid");
+
+ $dhcrelaycfg = $config['dhcrelay'];
+
+ /* DHCPRelay enabled on any interfaces? */
+ $dhcrelayenable = false;
+ foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) {
+ if (isset($dhcrelayifconf['enable']) &&
+ (($dhcrelayif == "lan") ||
+ (isset($config['interfaces'][$dhcrelayif]['enable']) &&
+ $config['interfaces'][$dhcrelayif]['if'] && (!$config['interfaces'][$dhcrelayif]['bridge']))))
+ $dhcrelayenable = true;
+ }
+
+ if (!$dhcrelayenable)
+ return 0;
+
+ if ($g['booting'])
+ echo "Starting DHCP relay service... ";
+ else
+ sleep(1);
+
+ $dhcrelayifs = array();
+ foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) {
+
+ $ifcfg = $config['interfaces'][$dhcrelayif];
+
+ if (!isset($dhcrelayifconf['enable']) ||
+ (($dhcrelayif != "lan") &&
+ (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge'])))
+ continue;
+
+ $dhcrelayifs[] = $ifcfg['if'];
+ }
+
+ /* In order for the relay to work, it needs to be active on the
+ interface in which the destination server sits */
+ foreach ($config['interfaces'] as $ifname) {
+ $subnet = $ifname['ipaddr'] . "/" . $ifname['subnet'];
+ if (ip_in_subnet($dhcrelaycfg['server'],$subnet))
+ $destif = $ifname['if'];
+ }
+
+ if (!isset($destif))
+ $destif = $config['interfaces']['wan']['if'];
+
+ $dhcrelayifs[] = $destif;
+ $dhcrelayifs = array_unique($dhcrelayifs);
+
+ /* fire up dhcrelay */
+ $cmd = "/usr/local/sbin/dhcrelay -i " . join(" -i ", $dhcrelayifs);
+
+ if (isset($dhcrelaycfg['agentoption']))
+ $cmd .= " -a -m replace";
+
+ $cmd .= " {$dhcrelaycfg['server']}";
+ mwexec($cmd);
+
+ if (!$g['booting']) {
+ filter_configure();
+ } else
+ echo "done\n";
+
+ return 0;
+}
+
+function services_dyndns_reset() {
+ global $config, $g;
+
+ if (file_exists("{$g['vardb_path']}/ez-ipupdate.cache")) {
+ unlink("{$g['vardb_path']}/ez-ipupdate.cache");
+ }
+
+ if (file_exists("{$g['conf_path']}/ez-ipupdate.cache")) {
+ conf_mount_rw();
+ unlink("{$g['conf_path']}/ez-ipupdate.cache");
+ conf_mount_ro();
+ }
+
+ return 0;
+}
+
+function services_dyndns_configure() {
+ global $config, $g;
+
+ /* kill any running ez-ipupdate */
+ /* ez-ipupdate needs SIGQUIT instead of SIGTERM */
+ sigkillbypid("{$g['varrun_path']}/ez-ipupdate.pid", "QUIT");
+
+ $dyndnscfg = $config['dyndns'];
+ $wancfg = $config['interfaces']['wan'];
+
+ if (isset($dyndnscfg['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting DynDNS client... ";
+ else
+ sleep(1);
+
+ /* determine WAN interface name */
+ $wanif = get_real_wan_interface();
+
+ /* write ez-ipupdate.conf */
+ $fd = fopen("{$g['varetc_path']}/ez-ipupdate.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open ez-ipupdate.conf in services_dyndns_configure().\n");
+ return 1;
+ }
+
+ $ezipupdateconf = <<<EOD
+service-type={$dyndnscfg['type']}
+user={$dyndnscfg['username']}:{$dyndnscfg['password']}
+host={$dyndnscfg['host']}
+interface=$wanif
+max-interval=2073600
+pid-file={$g['varrun_path']}/ez-ipupdate.pid
+cache-file={$g['vardb_path']}/ez-ipupdate.cache
+execute=/etc/rc.dyndns.storecache
+daemon
+
+EOD;
+
+ /* enable MX? */
+ if ($dyndnscfg['mx']) {
+ $ezipupdateconf .= "mx={$dyndnscfg['mx']}\n";
+ }
+
+ /* enable wildcards? */
+ if (isset($dyndnscfg['wildcard'])) {
+ $ezipupdateconf .= "wildcard\n";
+ }
+
+ fwrite($fd, $ezipupdateconf);
+ fclose($fd);
+
+ /* if we're booting, copy the cache file from /conf */
+ if ($g['booting']) {
+ if (file_exists("{$g['conf_path']}/ez-ipupdate.cache")) {
+ copy("{$g['conf_path']}/ez-ipupdate.cache", "{$g['vardb_path']}/ez-ipupdate.cache");
+ }
+ }
+
+ /* run ez-ipupdate */
+ mwexec("/usr/local/bin/ez-ipupdate -c {$g['varetc_path']}/ez-ipupdate.conf");
+
+ if ($g['booting'])
+ echo "done\n";
+ }
+
+ return 0;
+}
+
+function services_dnsmasq_configure() {
+ global $config, $g;
+
+ /* kill any running dnsmasq */
+ sigkillbypid("{$g['varrun_path']}/dnsmasq.pid", "TERM");
+
+ if (isset($config['dnsmasq']['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting DNS forwarder... ";
+ else
+ sleep(1);
+
+ /* generate hosts file */
+ system_hosts_generate();
+
+ $args = "";
+
+ if (isset($config['dnsmasq']['regdhcp'])) {
+
+ $args .= " -l {$g['vardb_path']}/dhcpd.leases" .
+ " -s {$config['system']['domain']}";
+ }
+
+ /* run dnsmasq */
+ mwexec("/usr/local/sbin/dnsmasq {$args}");
+
+ if ($g['booting'])
+ echo "done\n";
+ }
+
+ if (!$g['booting']) {
+ services_dhcpd_configure();
+ }
+
+ return 0;
+}
+
+function services_snmpd_configure() {
+ global $config, $g;
+
+ /* kill any running snmpd */
+ sigkillbypid("{$g['varrun_path']}/snmpd.pid", "TERM");
+
+ if (isset($config['snmpd']['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting SNMP agent... ";
+
+ /* generate snmpd.conf */
+ $fd = fopen("{$g['varetc_path']}/snmpd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open snmpd.conf in services_snmpd_configure().\n");
+ return 1;
+ }
+
+ $snmpdconf = <<<EOD
+syslocation "{$config['snmpd']['syslocation']}"
+syscontact "{$config['snmpd']['syscontact']}"
+rocommunity "{$config['snmpd']['rocommunity']}"
+
+EOD;
+
+ fwrite($fd, $snmpdconf);
+ fclose($fd);
+
+ /* run snmpd */
+ mwexec("/usr/local/sbin/snmpd -c {$g['varetc_path']}/snmpd.conf" .
+ " -P {$g['varrun_path']}/snmpd.pid");
+
+ if ($g['booting'])
+ echo "done\n";
+ }
+
+ return 0;
+}
+
+function services_proxyarp_configure() {
+ global $config, $g;
+
+ /* kill any running choparp */
+ killbyname("choparp");
+
+ if (is_array($config['proxyarp']) && count($config['proxyarp']) &&
+ (is_ipaddr($config['interfaces']['wan']['ipaddr']) ||
+ ($config['interfaces']['wan']['ipaddr'] == "dhcp") ||
+ ($config['interfaces']['wan']['ipaddr'] == "bigpond"))) {
+
+ $args = $config['interfaces']['wan']['if'] . " auto";
+
+ foreach ($config['proxyarp']['proxyarpnet'] as $paent) {
+ if (isset($paent['network']))
+ $args .= " " . escapeshellarg($paent['network']);
+ else if (isset($paent['range']))
+ $args .= " " . escapeshellarg($paent['range']['from'] . "-" .
+ $paent['range']['to']);
+ }
+
+ mwexec_bg("/usr/local/sbin/choparp " . $args);
+ }
+}
+
+?>
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
new file mode 100644
index 0000000..71e0575
--- /dev/null
+++ b/etc/inc/shaper.inc
@@ -0,0 +1,403 @@
+<?php
+/*
+ shaper.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function shaper_configure() {
+ global $config, $g;
+
+ if (isset($config['pfqueueing']['enable'])) {
+
+ if ($g['booting'])
+ echo "Starting traffic shaper... ";
+
+ /* generate shaper rules */
+ $shaperrules = shaper_rules_generate();
+
+ /* make sure ipfw and dummynet are loaded */
+ mwexec("/sbin/kldload ipfw");
+ mwexec("/sbin/kldload dummynet");
+
+ /* change one_pass to 1 so ipfw stops checking after
+ a rule has matched */
+ mwexec("/sbin/sysctl net.inet.ip.fw.one_pass=1");
+
+ /* load shaper rules */
+ mwexec("/sbin/ipfw -f delete set 4");
+ mwexec("/sbin/ipfw -f pipe flush");
+
+ /* XXX - seems like ipfw cannot accept rules directly on stdin,
+ so we have to write them to a temporary file first */
+ $fd = fopen("{$g['tmp_path']}/ipfw.rules", "w");
+ if (!$fd) {
+ printf("Cannot open ipfw.rules in shaper_configure()\n");
+ return 1;
+ }
+
+ fwrite($fd, $shaperrules);
+ fclose($fd);
+
+ mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules");
+
+ unlink("{$g['tmp_path']}/ipfw.rules");
+
+ /* make sure bridged packets are shaped as well */
+ mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=1");
+
+ if ($g['booting'])
+ echo "done\n";
+
+ } else {
+ mwexec("/sbin/sysctl net.link.ether.bridge_ipfw=0");
+ if (!isset($config['captiveportal']['enable'])) {
+ /* unload ipfw and dummynet */
+ #mwexec("/sbin/kldunload dummynet");
+ #mwexec("/sbin/kldunload ipfw");
+ } else {
+ /* captive portal is on - just remove our rules */
+ mwexec("/sbin/ipfw -f delete set 4");
+ mwexec("/sbin/ipfw -f pipe flush");
+ }
+ }
+
+ return 0;
+}
+
+function shaper_rules_generate() {
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $lancfg = $config['interfaces']['lan'];
+ $pptpdcfg = $config['pptpd'];
+
+ $lanif = $lancfg['if'];
+ $wanif = get_real_wan_interface();
+
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ /* optional interfaces */
+ $optcfg = array();
+
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
+ $oc = $config['interfaces']['opt' . $i];
+
+ if (isset($oc['enable']) && $oc['if']) {
+ $oic = array();
+ $oic['ip'] = $oc['ipaddr'];
+ $oic['if'] = $oc['if'];
+ $oic['sa'] = gen_subnet($oc['ipaddr'], $oc['subnet']);
+ $oic['sn'] = $oc['subnet'];
+
+ $optcfg['opt' . $i] = $oic;
+ }
+ }
+
+ if ($pptpdcfg['mode'] == "server") {
+ $pptpip = $pptpdcfg['localip'];
+ $pptpsa = $pptpdcfg['remoteip'];
+ $pptpsn = $g['pptp_subnet'];
+ }
+
+ $rulei = 50000;
+
+ /* add a rule to pass all traffic from/to the firewall,
+ so the user cannot lock himself out of the webGUI */
+ $shaperrules = "add $rulei set 4 pass all from $lanip to any\n"; $rulei++;
+ $shaperrules .= "add $rulei set 4 pass all from any to $lanip\n"; $rulei++;
+
+ /* generate rules */
+ if (isset($config['pfqueueing']['rule']))
+ foreach ($config['pfqueueing']['rule'] as $rule) {
+
+ /* don't include disabled rules */
+ if (isset($rule['disabled'])) {
+ $i++;
+ continue;
+ }
+
+ /* does the rule deal with a PPTP interface? */
+ if ($rule['interface'] == "pptp") {
+
+ if ($pptpdcfg['mode'] != "server") {
+ $i++;
+ continue;
+ }
+
+ $nif = $g['n_pptp_units'];
+ $ispptp = true;
+ } else {
+
+ if (strstr($rule['interface'], "opt")) {
+ if (!array_key_exists($rule['interface'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ $nif = 1;
+ $ispptp = false;
+ }
+
+ if ($pptpdcfg['mode'] != "server") {
+ if (($rule['source']['network'] == "pptp") ||
+ ($rule['destination']['network'] == "pptp")) {
+ $i++;
+ continue;
+ }
+ }
+
+ if (strstr($rule['source']['network'], "opt")) {
+ if (!array_key_exists($rule['source']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+ if (strstr($rule['destination']['network'], "opt")) {
+ if (!array_key_exists($rule['destination']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ /* check for unresolvable aliases */
+ if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) {
+ $i++;
+ continue;
+ }
+ if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) {
+ $i++;
+ continue;
+ }
+
+ for ($iif = 0; $iif < $nif; $iif++) {
+
+ /* pipe or queue? */
+ if (isset($rule['targetpipe']) && isset($config['pfqueueing']['pipe'][$rule['targetpipe']])) {
+ $pipen = $rule['targetpipe'] + 1;
+ $line = "add $rulei set 4 pipe $pipen "; $rulei++;
+ } else if (isset($rule['targetqueue']) && isset($config['pfqueueing']['queue'][$rule['targetqueue']])) {
+ $queuen = $rule['targetqueue'] + 1;
+ $line = "add $rulei set 4 queue $queuen "; $rulei++;
+ } else {
+ printf("Neither existing pipe nor queue found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['protocol'])) {
+ $line .= "{$rule['protocol']} ";
+ } else {
+ $line .= "all ";
+ }
+
+ /* source address */
+ if (isset($rule['source']['any'])) {
+ $src = "any";
+ } else if ($rule['source']['network']) {
+
+ if (strstr($rule['source']['network'], "opt")) {
+ $src = $optcfg[$rule['source']['network']]['sa'] . "/" .
+ $optcfg[$rule['source']['network']]['sn'];
+ } else {
+ switch ($rule['source']['network']) {
+ case 'lan':
+ $src = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $src = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['source']['address']) {
+ $src = alias_expand($rule['source']['address']);
+ }
+
+ if (!$src) {
+ printf("No source address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['source']['not'])) {
+ $line .= "from not $src ";
+ } else {
+ $line .= "from $src ";
+ }
+
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+
+ if ($rule['source']['port']) {
+ $srcport = explode("-", $rule['source']['port']);
+
+ if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $line .= "{$srcport[0]} ";
+ } else {
+ $line .= "{$srcport[0]}-{$srcport[1]} ";
+ }
+ }
+ }
+
+ /* destination address */
+ if (isset($rule['destination']['any'])) {
+ $dst = "any";
+ } else if ($rule['destination']['network']) {
+
+ if (strstr($rule['destination']['network'], "opt")) {
+ $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" .
+ $optcfg[$rule['destination']['network']]['sn'];
+ } else {
+ switch ($rule['destination']['network']) {
+ case 'lan':
+ $dst = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $dst = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['destination']['address']) {
+ $dst = alias_expand($rule['destination']['address']);
+ }
+
+ if (!$dst) {
+ printf("No destination address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['destination']['not'])) {
+ $line .= "to not $dst ";
+ } else {
+ $line .= "to $dst ";
+ }
+
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+
+ if ($rule['destination']['port']) {
+ $dstport = explode("-", $rule['destination']['port']);
+
+ if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
+ $line .= "{$dstport[0]} ";
+ } else {
+ $line .= "{$dstport[0]}-{$dstport[1]} ";
+ }
+ }
+ }
+
+ if ($rule['iplen'])
+ $line .= "iplen {$rule['iplen']} ";
+
+ if ($rule['iptos'])
+ $line .= "iptos {$rule['iptos']} ";
+
+ if ($rule['tcpflags'])
+ $line .= "tcpflags {$rule['tcpflags']} ";
+
+ if ($rule['direction'] == "in")
+ $line .= "in ";
+ else if ($rule['direction'] == "out")
+ $line .= "out ";
+
+ if ($ispptp) {
+ $line .= "via ng" . ($iif+1);
+ } else {
+ if ($rule['interface'] == "wan")
+ $if = $wanif;
+ else
+ $if = $config['interfaces'][$rule['interface']]['if'];
+
+ $line .= "via {$if}";
+ }
+
+ $line .= "\n";
+ $shaperrules .= $line;
+ }
+
+ $i++;
+ }
+
+ /* generate pipes */
+ if (isset($config['pfqueueing']['pipe'])) {
+ $pipei = 1;
+ foreach ($config['pfqueueing']['pipe'] as $pipe) {
+ $line = "pipe $pipei config bw {$pipe['bandwidth']}Kbit/s ";
+
+ if ($pipe['delay']) {
+ $line .= "delay {$pipe['delay']} ";
+ }
+
+ switch ($pipe['mask']) {
+ case 'source':
+ $line .= "mask src-ip 0xffffffff ";
+ break;
+ case 'destination':
+ $line .= "mask dst-ip 0xffffffff ";
+ break;
+ }
+
+ $line .= "\n";
+ $shaperrules .= $line;
+ $pipei++;
+ }
+ }
+
+ /* generate queues */
+ if (isset($config['pfqueueing']['queue'])) {
+ $queuei = 1;
+ foreach ($config['pfqueueing']['queue'] as $queue) {
+
+ $pipen = $queue['targetpipe'] + 1;
+ if (!isset($queue['targetpipe']) || !isset($config['pfqueueing']['pipe'][$queue['targetpipe']])) {
+ printf("Pipe $pipen for queue $queuei not found!\n");
+ continue;
+ }
+
+ $line = "queue $queuei config pipe {$pipen}";
+ $line .= " weight {$queue['weight']}";
+
+ switch ($queue['mask']) {
+ case 'source':
+ $line .= " mask src-ip 0xffffffff ";
+ break;
+ case 'destination':
+ $line .= " mask dst-ip 0xffffffff ";
+ break;
+ }
+
+ $line .= "\n";
+ $shaperrules .= $line;
+ $queuei++;
+ }
+ }
+
+ return $shaperrules;
+}
+
+?>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
new file mode 100644
index 0000000..d2c0b33
--- /dev/null
+++ b/etc/inc/system.inc
@@ -0,0 +1,563 @@
+<?php
+/*
+ system.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function system_resolvconf_generate($dynupdate = false) {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+
+ $fd = fopen("{$g['varetc_path']}/resolv.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n");
+ return 1;
+ }
+
+ $resolvconf = "domain {$syscfg['domain']}\n";
+
+ $havedns = false;
+
+ if (isset($syscfg['dnsallowoverride'])) {
+ /* get dynamically assigned DNS servers (if any) */
+ $nfd = @fopen("{$g['varetc_path']}/nameservers.conf", "r");
+ if ($nfd) {
+ while (!feof($nfd)) {
+ $dnss = trim(fgets($nfd));
+ if ($dnss) {
+ $resolvconf .= "nameserver $dnss\n";
+ $havedns = true;
+ }
+ }
+ fclose($nfd);
+ }
+ }
+ if (!$havedns && is_array($syscfg['dnsserver'])) {
+ foreach ($syscfg['dnsserver'] as $ns) {
+ if ($ns)
+ $resolvconf .= "nameserver $ns\n";
+ $havedns = true;
+ }
+ }
+
+ fwrite($fd, $resolvconf);
+ fclose($fd);
+
+ if (!$g['booting']) {
+ /* restart dhcpd (nameservers may have changed) */
+ if (!$dynupdate)
+ services_dhcpd_configure();
+ }
+
+ return 0;
+}
+
+function system_hosts_generate() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+ $lancfg = $config['interfaces']['lan'];
+ $dnsmasqcfg = $config['dnsmasq'];
+
+ if (!is_array($dnsmasqcfg['hosts'])) {
+ $dnsmasqcfg['hosts'] = array();
+ }
+ $hostscfg = $dnsmasqcfg['hosts'];
+
+ $fd = fopen("{$g['varetc_path']}/hosts", "w");
+ if (!$fd) {
+ printf("Error: cannot open hosts file in system_hosts_generate().\n");
+ return 1;
+ }
+
+ $hosts = <<<EOD
+127.0.0.1 localhost localhost.{$syscfg['domain']}
+{$lancfg['ipaddr']} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}
+
+EOD;
+
+ foreach ($hostscfg as $host) {
+ if ($host['host'])
+ $hosts .= "{$host['ip']} {$host['host']}.{$host['domain']} {$host['host']}\n";
+ else
+ $hosts .= "{$host['ip']} {$host['domain']}\n";
+ }
+ fwrite($fd, $hosts);
+ fclose($fd);
+
+ return 0;
+}
+
+function system_hostname_configure() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+
+ /* set hostname */
+ return mwexec("/bin/hostname " .
+ escapeshellarg("{$syscfg['hostname']}.{$syscfg['domain']}"));
+}
+
+function system_routing_configure() {
+ global $config, $g;
+
+ /* clear out old routes, if necessary */
+ if (file_exists("{$g['vardb_path']}/routes.db")) {
+ $fd = fopen("{$g['vardb_path']}/routes.db", "r");
+ if (!$fd) {
+ printf("Error: cannot open routes DB file in system_routing_configure().\n");
+ return 1;
+ }
+ while (!feof($fd)) {
+ $oldrt = fgets($fd);
+ if ($oldrt)
+ mwexec("/sbin/route delete " . escapeshellarg($oldrt));
+ }
+ fclose($fd);
+ unlink("{$g['vardb_path']}/routes.db");
+ }
+
+ if (is_array($config['staticroutes']['route'])) {
+
+ $fd = fopen("{$g['vardb_path']}/routes.db", "w");
+ if (!$fd) {
+ printf("Error: cannot open routes DB file in system_routing_configure().\n");
+ return 1;
+ }
+
+ foreach ($config['staticroutes']['route'] as $rtent) {
+ mwexec("/sbin/route add " . escapeshellarg($rtent['network']) .
+ " " . escapeshellarg($rtent['gateway']));
+
+ /* record route so it can be easily removed later (if necessary) */
+ fwrite($fd, $rtent['network'] . "\n");
+ }
+
+ fclose($fd);
+ }
+
+ return 0;
+}
+
+function system_routing_enable() {
+ global $config, $g;
+
+ return mwexec("/sbin/sysctl net.inet.ip.forwarding=1");
+}
+
+function system_syslogd_start() {
+ global $config, $g;
+
+ $syslogcfg = $config['syslog'];
+
+ if ($g['booting'])
+ echo "Starting syslog service... ";
+ else
+ killbypid("{$g['varrun_path']}/syslog.pid");
+
+ if (isset($syslogcfg['enable'])) {
+
+ /* write syslog.conf */
+ $fd = fopen("{$g['varetc_path']}/syslog.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open syslog.conf in system_syslogd_start().\n");
+ return 1;
+ }
+
+ $syslogconf = <<<EOD
+local0.* %/var/log/filter.log
+local3.* %/var/log/vpn.log
+local7.* %/var/log/dhcpd.log
+*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none %/var/log/system.log
+security.* %/var/log/system.log
+auth.info;authpriv.info;daemon.info %/var/log/system.log
+*.emerg *
+
+EOD;
+
+ if (isset($syslogcfg['filter'])) {
+ $syslogconf .= <<<EOD
+local0.* @{$syslogcfg['remoteserver']}
+
+EOD;
+ }
+
+ if (isset($syslogcfg['vpn'])) {
+ $syslogconf .= <<<EOD
+local3.* @{$syslogcfg['remoteserver']}
+
+EOD;
+ }
+
+ if (isset($syslogcfg['dhcp'])) {
+ $syslogconf .= <<<EOD
+local7.* @{$syslogcfg['remoteserver']}
+
+EOD;
+ }
+
+ if (isset($syslogcfg['system'])) {
+ $syslogconf .= <<<EOD
+*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local7.none @{$syslogcfg['remoteserver']}
+security.* @{$syslogcfg['remoteserver']}
+auth.info;authpriv.info;daemon.info @{$syslogcfg['remoteserver']}
+*.emerg @{$syslogcfg['remoteserver']}
+
+EOD;
+ }
+
+ fwrite($fd, $syslogconf);
+ fclose($fd);
+
+ $retval = mwexec("/usr/sbin/syslogd -s -f {$g['varetc_path']}/syslog.conf");
+
+ } else {
+ $retval = mwexec("/usr/sbin/syslogd -ss");
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return $retval;
+}
+
+function system_pccard_start() {
+ global $config, $g;
+
+ if ($g['booting'])
+ echo "Initializing PC cards... ";
+
+ /* kill any running pccardd */
+ killbypid("{$g['varrun_path']}/pccardd.pid");
+
+ /* fire up pccardd */
+ $res = mwexec("/usr/sbin/pccardd -z -f {$g['etc_path']}/pccard.conf");
+
+ if ($g['booting']) {
+ if ($res == 0)
+ echo "done\n";
+ else
+ echo "failed (probably no PC card controller present)\n";
+ }
+
+ return $res;
+}
+
+function system_webgui_start() {
+ global $config, $g;
+
+ if ($g['booting'])
+ echo "Starting webGUI... ";
+
+ /* kill any running mini_httpd */
+ killbypid("{$g['varrun_path']}/mini_httpd.pid");
+
+ /* generate password file */
+ system_password_configure();
+
+ chdir($g['www_path']);
+
+ /* non-standard port? */
+ if ($config['system']['webgui']['port'])
+ $portarg = "-p {$config['system']['webgui']['port']}";
+ else
+ $portarg = "";
+
+ if ($config['system']['webgui']['protocol'] == "https") {
+
+ if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) {
+ $cert = base64_decode($config['system']['webgui']['certificate']);
+ $key = base64_decode($config['system']['webgui']['private-key']);
+ } else {
+ /* default certificate/key */
+ $cert = <<<EOD
+-----BEGIN CERTIFICATE-----
+MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQKEwhtMG4wd2FsbDAe
+Fw0wMzA5MDgxNzAzNDZaFw0wNDA5MDcxNzAzNDZaMBMxETAPBgNVBAoTCG0wbjB3
+YWxsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAShszhFz+o8lsMWTGgTxs
+TMPR+v4+qL5jXDyY97MLTGFK7aqQOtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+
+83LPQmQoSPC0VqhfU3uYf3NzxiK8r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFP
+C4jE2fvjkbzyVolPywBuewIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAK2D8NqQSlUs
+pFCe5J9ue1LrjfGHHy4HE9zA9avgrz3Qju+1JOshEwy/1BJjZ93tQUbiRS7RwvDO
+4crGG4IejjhFczzA2CIX3rd2rYM2oGpojKgm5YuuhV5lYPwAHUOLbBaLOVqlLhzw
+VqjD7R2DkXUIfhJ5ZekqK5ZwzqJXta8U
+-----END CERTIFICATE-----
+
+EOD;
+
+ $key = <<<EOD
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDAShszhFz+o8lsMWTGgTxsTMPR+v4+qL5jXDyY97MLTGFK7aqQ
+OtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+83LPQmQoSPC0VqhfU3uYf3NzxiK8
+r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFPC4jE2fvjkbzyVolPywBuewIDAQAB
+AoGAbJJrQW9fQrggJuLMz/hwsYW2m31oyOBmf5u463YQtjRuSuxe/gj87weZuNqY
+H2rXq2k2K+ehl8hgW+egASyUL3L7kCkEAsVREujKTEyhSqqIRDPWTxo9S/YA9Gvn
+2ZnJvkrcKjqCO9aHX3rvJOK/ErYI6akctgI3KmgkYw5XNmECQQDuZU97RTWH9rmP
+aQr57ysNXxgFsyhetOOqeYkPtIVwpOiNbfwE1zi5RGdtO4Ku3fG1lV4J2UoWJ9yD
+awdoyYIHAkEAzn0xJ90IjPsHk+8SODEj5JGdHSZPNu1tgtrbjEi9sfGWg4K7XTxr
+QW90pWb1bKKU1uh5FzW6OhnFfuQXt1kC7QJAPSthqY+onKqCEnoxhtAHi/bKgyvl
+P+fKQwPMV2tKkgy+XwvJjrRqqZ8TqsOKVLQ+QQmCh6RpjiXMPyxHSmvqIQJBAKLR
+HF1ucDuaBROkwx0DwmWMW/KMLpIFDQDNSaiIAuu4rxHrl4mhBoGGPNffI04RtILw
+s+qVNs5xW8T+XaT4ztECQQDFHPnZeoPWE5z+AX/UUQIUWaDExz3XRzmIxRbOrlFi
+CsF1s0TdJLi/wzNQRAL37A8vqCeVFR/ng3Xpg96Yg+8Z
+-----END RSA PRIVATE KEY-----
+
+EOD;
+ }
+
+ $fd = fopen("{$g['varetc_path']}/cert.pem", "w");
+ if (!$fd) {
+ printf("Error: cannot open cert.pem in system_webgui_start().\n");
+ return 1;
+ }
+ chmod("{$g['varetc_path']}/cert.pem", 0600);
+ fwrite($fd, $cert);
+ fwrite($fd, "\n");
+ fwrite($fd, $key);
+ fclose($fd);
+
+ $res = mwexec("/usr/local/sbin/mini_httpd -S -E {$g['varetc_path']}/cert.pem" .
+ " -c \"**.php|**.cgi\" -u root -maxproc 16 $portarg" .
+ " -i {$g['varrun_path']}/mini_httpd.pid");
+ } else {
+ $res = mwexec("/usr/local/sbin/mini_httpd -c \"**.php|**.cgi\" -u root" .
+ " -maxproc 16 $portarg -i {$g['varrun_path']}/mini_httpd.pid");
+ }
+
+ if ($g['booting']) {
+ if ($res == 0)
+ echo "done\n";
+ else
+ echo "failed\n";
+ }
+
+ return $res;
+}
+
+function system_password_configure() {
+ global $config, $g;
+
+ $fd = fopen("{$g['varrun_path']}/htpasswd", "w");
+ if (!$fd) {
+ printf("Error: cannot open htpasswd in system_password_configure().\n");
+ return 1;
+ }
+
+ if ($config['system']['username'])
+ $username = $config['system']['username'];
+ else
+ $username = "admin";
+
+ fwrite($fd, $username . ":" . $config['system']['password'] . "\n");
+ fclose($fd);
+ chmod("{$g['varrun_path']}/htpasswd", 0600);
+
+ return 0;
+}
+
+function system_timezone_configure() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+
+ if ($g['booting'])
+ echo "Initializing timezone... ";
+
+ /* extract appropriate timezone file */
+ $timezone = $syscfg['timezone'];
+ if (!$timezone)
+ $timezone = "Etc/UTC";
+
+ exec("/usr/bin/tar xzfO /usr/share/zoneinfo.tgz " .
+ escapeshellarg($timezone) . " > /etc/localtime");
+
+ if ($g['booting'])
+ echo "done\n";
+}
+
+function system_ntp_configure() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+
+ if ($g['booting'])
+ echo "Starting NTP client... ";
+ else {
+ killbypid("{$g['varrun_path']}/runmsntp.pid");
+ killbypid("{$g['varrun_path']}/msntp.pid");
+ }
+
+ /* start ntp client if needed - needs to be forced into background */
+ $updateinterval = $syscfg['time-update-interval'];
+
+ if ($updateinterval > 0) {
+ if ($updateinterval < 6)
+ $updateinterval = 6;
+
+ $timeservers = "";
+ foreach (explode(' ', $syscfg['timeservers']) as $ts)
+ $timeservers .= " " . $ts;
+
+ mwexec_bg("/usr/local/bin/runmsntp.sh " .
+ escapeshellarg("{$g['varrun_path']}/runmsntp.pid") . " " .
+ escapeshellarg("{$g['varrun_path']}/msntp.pid") . " " .
+ escapeshellarg($updateinterval) . " " .
+ escapeshellarg($timeservers));
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+}
+
+function system_reboot() {
+ global $g;
+
+ system_reboot_cleanup();
+
+ mwexec("nohup /etc/rc.reboot > /dev/null 2>&1 &");
+}
+
+function system_reboot_sync() {
+ global $g;
+
+ system_reboot_cleanup();
+
+ mwexec("/etc/rc.reboot > /dev/null 2>&1");
+}
+
+function system_reboot_cleanup() {
+ captiveportal_radius_stop_all();
+}
+
+function system_do_shell_commands($early = 0) {
+ global $config, $g;
+
+ if ($early)
+ $cmdn = "earlyshellcmd";
+ else
+ $cmdn = "shellcmd";
+
+ if (is_array($config['system'][$cmdn])) {
+
+ foreach ($config['system'][$cmdn] as $cmd) {
+ exec($cmd);
+ }
+ }
+}
+
+function system_do_extensions() {
+ global $config, $g;
+
+ if (!is_dir("{$g['etc_path']}/inc/ext"))
+ return;
+
+ $dh = @opendir("{$g['etc_path']}/inc/ext");
+ if ($dh) {
+ while (($extd = readdir($dh)) !== false) {
+ if (($extd === ".") || ($extd === ".."))
+ continue;
+ $rcfile = "{$g['etc_path']}/inc/ext/" . $extd . "/rc";
+ if (file_exists($rcfile))
+ passthru($rcfile);
+ }
+ closedir($dh);
+ }
+}
+
+function system_console_configure() {
+ global $config, $g;
+
+ if (isset($config['system']['disableconsolemenu'])) {
+ touch("{$g['varetc_path']}/disableconsole");
+ } else {
+ unlink_if_exists("{$g['varetc_path']}/disableconsole");
+ }
+}
+
+function system_dmesg_save() {
+ global $g;
+
+ exec("/sbin/dmesg", $dmesg);
+
+ /* find last copyright line (output from previous boots may be present) */
+ $lastcpline = 0;
+
+ for ($i = 0; $i < count($dmesg); $i++) {
+ if (strstr($dmesg[$i], "Copyright (c) 1992-"))
+ $lastcpline = $i;
+ }
+
+ $fd = fopen("{$g['varlog_path']}/dmesg.boot", "w");
+ if (!$fd) {
+ printf("Error: cannot open dmesg.boot in system_dmesg_save().\n");
+ return 1;
+ }
+
+ for ($i = $lastcpline; $i < count($dmesg); $i++)
+ fwrite($fd, $dmesg[$i] . "\n");
+
+ fclose($fd);
+
+ return 0;
+}
+
+function system_set_harddisk_standby() {
+ global $g, $config;
+
+ if ($g['platform'] != "generic-pc")
+ return;
+
+ if (isset($config['system']['harddiskstandby'])) {
+ if ($g['booting']) {
+ echo 'Setting harddisk standby time... ';
+ }
+
+ $standby = $config['system']['harddiskstandby'];
+ // Check for a numeric value
+ if (is_numeric($standby)) {
+ // Sync the disk(s)
+ mwexec('/bin/sync');
+ if (!mwexec('/sbin/sysctl hw.ata.standby=' . ((int)$standby))) {
+ // Reinitialize ATA-drives
+ mwexec('/usr/local/sbin/atareinit');
+ if ($g['booting']) {
+ echo "done\n";
+ }
+ } else if ($g['booting']) {
+ echo "failed\n";
+ }
+ } else if ($g['booting']) {
+ echo "failed\n";
+ }
+ }
+}
+
+?>
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
new file mode 100644
index 0000000..2b3fa67
--- /dev/null
+++ b/etc/inc/util.inc
@@ -0,0 +1,421 @@
+<?php
+/*
+ util.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* kill a process by pid file */
+function killbypid($pidfile) {
+ sigkillbypid($pidfile, "TERM");
+}
+
+/* sigkill a process by pid file */
+function sigkillbypid($pidfile, $sig) {
+ if (file_exists($pidfile)) {
+ mwexec("/bin/kill -s $sig `/bin/cat " . $pidfile . "`");
+ }
+}
+
+/* kill a process by name */
+function killbyname($procname) {
+ mwexec("/usr/bin/killall " . escapeshellarg($procname));
+}
+
+/* return the subnet address given a host address and a subnet bit count */
+function gen_subnet($ipaddr, $bits) {
+ if (!is_ipaddr($ipaddr) || !is_numeric($bits))
+ return "";
+
+ return long2ip(ip2long($ipaddr) & gen_subnet_mask_long($bits));
+}
+
+/* return the highest (broadcast) address in the subnet given a host address and a subnet bit count */
+function gen_subnet_max($ipaddr, $bits) {
+ if (!is_ipaddr($ipaddr) || !is_numeric($bits))
+ return "";
+
+ return long2ip(ip2long($ipaddr) | ~gen_subnet_mask_long($bits));
+}
+
+/* returns a subnet mask (long given a bit count) */
+function gen_subnet_mask_long($bits) {
+ $sm = 0;
+ for ($i = 0; $i < $bits; $i++) {
+ $sm >>= 1;
+ $sm |= 0x80000000;
+ }
+ return $sm;
+}
+
+/* same as above but returns a string */
+function gen_subnet_mask($bits) {
+ return long2ip(gen_subnet_mask_long($bits));
+}
+
+function is_numericint($arg) {
+ return (preg_match("/[^0-9]/", $arg) ? false : true);
+}
+
+/* returns true if $ipaddr is a valid dotted IPv4 address */
+function is_ipaddr($ipaddr) {
+ if (!is_string($ipaddr))
+ return false;
+
+ $ip_long = ip2long($ipaddr);
+ $ip_reverse = long2ip($ip_long);
+
+ if ($ipaddr == $ip_reverse)
+ return true;
+ else
+ return false;
+}
+
+/* returns true if $ipaddr is a valid dotted IPv4 address or an alias thereof */
+function is_ipaddroralias($ipaddr) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$ipaddr]) && is_ipaddr($aliastable[$ipaddr]))
+ return true;
+ else
+ return is_ipaddr($ipaddr);
+}
+
+/* returns true if $ipaddr is a valid dotted IPv4 address or any alias */
+function is_ipaddroranyalias($ipaddr) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$ipaddr]))
+ return true;
+ else
+ return is_ipaddr($ipaddr);
+}
+
+/* returns true if $subnet is a valid subnet in CIDR format */
+function is_subnet($subnet) {
+ if (!is_string($subnet))
+ return false;
+
+ list($hp,$np) = explode('/', $subnet);
+
+ if (!is_ipaddr($hp))
+ return false;
+
+ if (!is_numeric($np) || ($np < 1) || ($np > 32))
+ return false;
+
+ return true;
+}
+
+/* returns true if $subnet is a valid subnet in CIDR format or an alias thereof */
+function is_subnetoralias($subnet) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$subnet]) && is_subnet($aliastable[$subnet]))
+ return true;
+ else
+ return is_subnet($subnet);
+}
+
+/* returns true if $hostname is a valid hostname */
+function is_hostname($hostname) {
+ if (!is_string($hostname))
+ return false;
+
+ if (preg_match("/^[a-z0-9\-]+$/i", $hostname))
+ return true;
+ else
+ return false;
+}
+
+/* returns true if $domain is a valid domain name */
+function is_domain($domain) {
+ if (!is_string($domain))
+ return false;
+
+ if (preg_match("/^([a-z0-9\-]+\.?)*$/i", $domain))
+ return true;
+ else
+ return false;
+}
+
+/* returns true if $uname is a valid DynDNS username */
+function is_dyndns_username($uname) {
+ if (!is_string($uname))
+ return false;
+
+ if (preg_match("/[^a-z0-9\-.@_]/i", $uname))
+ return false;
+ else
+ return true;
+}
+
+/* returns true if $macaddr is a valid MAC address */
+function is_macaddr($macaddr) {
+ if (!is_string($macaddr))
+ return false;
+
+ $maca = explode(":", $macaddr);
+ if (count($maca) != 6)
+ return false;
+
+ foreach ($maca as $macel) {
+ if (($macel === "") || (strlen($macel) > 2))
+ return false;
+ if (preg_match("/[^0-9a-f]/i", $macel))
+ return false;
+ }
+
+ return true;
+}
+
+/* returns true if $name is a valid name for an alias */
+function is_validaliasname($name) {
+ if (!preg_match("/[^a-zA-Z0-9]/", $name))
+ return true;
+ else
+ return false;
+}
+
+/* returns true if $port is a valid TCP/UDP port */
+function is_port($port) {
+ if (!is_numericint($port))
+ return false;
+
+ if (($port < 1) || ($port > 65535))
+ return false;
+ else
+ return true;
+}
+
+/* returns a list of interfaces with MAC addresses
+ (skips VLAN and other virtual interfaces) */
+function get_interface_list() {
+
+ global $g;
+
+ /* build interface list with netstat */
+ exec("/usr/bin/netstat -inW -f link", $linkinfo);
+ array_shift($linkinfo);
+
+ $iflist = array();
+
+ foreach ($linkinfo as $link) {
+ $alink = preg_split("/\s+/", $link);
+ $ifname = chop($alink[0]);
+
+ if (substr($ifname, -1) == "*")
+ $ifname = substr($ifname, 0, strlen($ifname) - 1);
+
+ if (!preg_match("/^(ppp|sl|gif|faith|lo|ng|vlan)/", $ifname)) {
+ $iflist[$ifname] = array();
+
+ $iflist[$ifname]['mac'] = chop($alink[3]);
+ $iflist[$ifname]['up'] = false;
+
+ /* find out if the link on this interface is up */
+ unset($ifinfo);
+ exec("/sbin/ifconfig {$ifname}", $ifinfo);
+
+ foreach ($ifinfo as $ifil) {
+ if (preg_match("/status: (.*)$/", $ifil, $matches)) {
+ if ($matches[1] == "active")
+ $iflist[$ifname]['up'] = true;
+ break;
+ }
+ }
+ }
+ }
+
+ return $iflist;
+}
+
+/* wrapper for exec() */
+function mwexec($command) {
+
+ global $g;
+
+ if ($g['debug']) {
+ if (!$_SERVER['REMOTE_ADDR'])
+ echo "mwexec(): $command\n";
+ passthru($command, $retval);
+ } else {
+ exec("$command > /dev/null 2>&1", $oarr, $retval);
+ }
+
+ return $retval;
+}
+
+/* wrapper for exec() in background */
+function mwexec_bg($command) {
+
+ global $g;
+
+ if ($g['debug']) {
+ if (!$_SERVER['REMOTE_ADDR'])
+ echo "mwexec(): $command\n";
+ }
+
+ exec("nohup $command > /dev/null 2>&1 &");
+}
+
+/* unlink a file, if it exists */
+function unlink_if_exists($fn) {
+ if (file_exists($fn))
+ unlink($fn);
+}
+
+/* make a global alias table (for faster lookups) */
+function alias_make_table() {
+
+ global $config, $g, $aliastable;
+
+ $aliastable = array();
+
+ if (is_array($config['aliases']['alias'])) {
+ foreach ($config['aliases']['alias'] as $alias) {
+ if ($alias['name'])
+ $aliastable[$alias['name']] = $alias['address'];
+ }
+ }
+}
+
+/* check if an alias exists */
+function is_alias($name) {
+
+ global $aliastable;
+
+ return isset($aliastable[$name]);
+}
+
+/* expand a host or network alias, if necessary */
+function alias_expand($name) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$name]))
+ return $aliastable[$name];
+ else if (is_ipaddr($name) || is_subnet($name))
+ return $name;
+ else
+ return null;
+}
+
+/* expand a host alias, if necessary */
+function alias_expand_host($name) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$name]) && is_ipaddr($aliastable[$name]))
+ return $aliastable[$name];
+ else if (is_ipaddr($name))
+ return $name;
+ else
+ return null;
+}
+
+/* expand a network alias, if necessary */
+function alias_expand_net($name) {
+
+ global $aliastable;
+
+ if (isset($aliastable[$name]) && is_subnet($aliastable[$name]))
+ return $aliastable[$name];
+ else if (is_subnet($name))
+ return $name;
+ else
+ return null;
+}
+
+/* find out whether two subnets overlap */
+function check_subnets_overlap($subnet1, $bits1, $subnet2, $bits2) {
+
+ if (!is_numeric($bits1))
+ $bits1 = 32;
+ if (!is_numeric($bits2))
+ $bits2 = 32;
+
+ if ($bits1 < $bits2)
+ $relbits = $bits1;
+ else
+ $relbits = $bits2;
+
+ $sn1 = gen_subnet_mask_long($relbits) & ip2long($subnet1);
+ $sn2 = gen_subnet_mask_long($relbits) & ip2long($subnet2);
+
+ if ($sn1 == $sn2)
+ return true;
+ else
+ return false;
+}
+
+/* compare two IP addresses */
+function ipcmp($a, $b) {
+ if (ip2long($a) < ip2long($b))
+ return -1;
+ else if (ip2long($a) > ip2long($b))
+ return 1;
+ else
+ return 0;
+}
+
+/* return true if $addr is in $subnet, false if not */
+function ip_in_subnet($addr,$subnet) {
+ list($ip, $mask) = explode('/', $subnet);
+ $mask = 0xffffffff << (32 - $mask);
+ return ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));
+}
+
+/* verify (and remove) the digital signature on a file - returns 0 if OK */
+function verify_digital_signature($fname) {
+
+ global $g;
+
+ return mwexec("/usr/local/bin/verifysig " .
+ escapeshellarg("{$g['etc_path']}/pubkey.pem") . " " .
+ escapeshellarg($fname));
+}
+
+/* obtain MAC address given an IP address by looking at the ARP table */
+function arp_get_mac_by_ip($ip) {
+ exec("/usr/sbin/arp -n {$ip}", $arpoutput);
+
+ if ($arpoutput[0]) {
+ $arpi = explode(" ", $arpoutput[0]);
+ $macaddr = $arpi[3];
+ if (is_macaddr($macaddr))
+ return $macaddr;
+ else
+ return false;
+ }
+
+ return false;
+}
+
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
new file mode 100644
index 0000000..b73af46
--- /dev/null
+++ b/etc/inc/vpn.inc
@@ -0,0 +1,559 @@
+<?php
+/*
+ vpn.inc
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include all configuration functions */
+require_once("functions.inc");
+
+function vpn_ipsec_configure($ipchg = false) {
+ global $config, $g;
+
+ $curwanip = get_current_wan_address();
+
+ $syscfg = $config['system'];
+ $ipseccfg = $config['ipsec'];
+ $lancfg = $config['interfaces']['lan'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ if ($g['booting']) {
+ if (!isset($ipseccfg['enable']))
+ return 0;
+
+ echo "Configuring IPsec VPN... ";
+ } else {
+ /* kill racoon */
+ killbypid("{$g['varrun_path']}/racoon.pid");
+
+ /* wait for process to die */
+ sleep(2);
+
+ /* send a SIGKILL to be sure */
+ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
+ }
+
+ /* flush SPD and SAD */
+ mwexec("/usr/sbin/setkey -FP");
+ mwexec("/usr/sbin/setkey -F");
+
+ /* prefer old SAs only for 30 seconds, then use the new one */
+ mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
+
+ if (isset($ipseccfg['enable'])) {
+
+ if (!$curwanip) {
+ /* IP address not configured yet, exit */
+ if ($g['booting'])
+ echo "done\n";
+ return 0;
+ }
+
+ if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
+ isset($ipseccfg['mobileclients']['enable'])) {
+
+ if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {
+
+ /* generate spd.conf */
+ $fd = fopen("{$g['varetc_path']}/spd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");
+ return 1;
+ }
+
+ $spdconf = "";
+
+ $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
+ $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
+
+ foreach ($ipseccfg['tunnel'] as $tunnel) {
+
+ if (isset($tunnel['disabled']))
+ continue;
+
+ $ep = vpn_endpoint_determine($tunnel, $curwanip);
+ if (!$ep)
+ continue;
+
+ vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
+
+ $spdconf .= "spdadd {$sa}/{$sn} " .
+ "{$tunnel['remote-subnet']} any -P out ipsec " .
+ "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
+ "{$tunnel['remote-gateway']}/unique;\n";
+
+ $spdconf .= "spdadd {$tunnel['remote-subnet']} " .
+ "{$sa}/{$sn} any -P in ipsec " .
+ "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
+ "{$ep}/unique;\n";
+ }
+
+ fwrite($fd, $spdconf);
+ fclose($fd);
+
+ /* load SPD */
+ mwexec("/usr/sbin/setkey -c < {$g['varetc_path']}/spd.conf");
+ }
+
+ /* generate racoon.conf */
+ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");
+ return 1;
+ }
+
+ $racoonconf = "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
+
+ if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
+ foreach ($ipseccfg['tunnel'] as $tunnel) {
+
+ if (isset($tunnel['disabled']))
+ continue;
+
+ $ep = vpn_endpoint_determine($tunnel, $curwanip);
+ if (!$ep)
+ continue;
+
+ vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
+
+ if (isset($tunnel['p1']['myident']['myaddress'])) {
+ $myidentt = "address";
+ $myident = $ep;
+ } else if (isset($tunnel['p1']['myident']['address'])) {
+ $myidentt = "address";
+ $myident = $tunnel['p1']['myident']['address'];
+ } else if (isset($tunnel['p1']['myident']['fqdn'])) {
+ $myidentt = "fqdn";
+ $myident = $tunnel['p1']['myident']['fqdn'];
+ } else if (isset($tunnel['p1']['myident']['ufqdn'])) {
+ $myidentt = "user_fqdn";
+ $myident = $tunnel['p1']['myident']['ufqdn'];
+ }
+
+ $racoonconf .= <<<EOD
+remote {$tunnel['remote-gateway']} \{
+ exchange_mode {$tunnel['p1']['mode']};
+ my_identifier {$myidentt} "{$myident}";
+ peers_identifier address {$tunnel['remote-gateway']};
+ initial_contact on;
+ support_proxy on;
+ proposal_check obey;
+
+ proposal \{
+ encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
+ hash_algorithm {$tunnel['p1']['hash-algorithm']};
+ authentication_method pre_shared_key;
+ dh_group {$tunnel['p1']['dhgroup']};
+
+EOD;
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+
+ $racoonconf .= " }\n";
+
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+
+ $racoonconf .= "}\n\n";
+
+ $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
+ $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
+
+ $racoonconf .= <<<EOD
+sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
+ encryption_algorithm {$p2ealgos};
+ authentication_algorithm {$p2halgos};
+ compression_algorithm deflate;
+
+EOD;
+
+ if ($tunnel['p2']['pfsgroup'])
+ $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n";
+
+ if ($tunnel['p2']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n";
+
+ $racoonconf .= "}\n\n";
+ }
+
+ /* mobile clients? */
+ if (isset($ipseccfg['mobileclients']['enable'])) {
+
+ $tunnel = $ipseccfg['mobileclients'];
+
+ if (isset($tunnel['p1']['myident']['myaddress'])) {
+ $myidentt = "address";
+ $myident = $curwanip;
+ } else if (isset($tunnel['p1']['myident']['address'])) {
+ $myidentt = "address";
+ $myident = $tunnel['p1']['myident']['address'];
+ } else if (isset($tunnel['p1']['myident']['fqdn'])) {
+ $myidentt = "fqdn";
+ $myident = $tunnel['p1']['myident']['fqdn'];
+ } else if (isset($tunnel['p1']['myident']['ufqdn'])) {
+ $myidentt = "user_fqdn";
+ $myident = $tunnel['p1']['myident']['ufqdn'];
+ }
+
+ $racoonconf .= <<<EOD
+remote anonymous \{
+ exchange_mode {$tunnel['p1']['mode']};
+ my_identifier {$myidentt} "{$myident}";
+ initial_contact on;
+ passive on;
+ generate_policy on;
+ support_proxy on;
+ proposal_check obey;
+
+ proposal \{
+ encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
+ hash_algorithm {$tunnel['p1']['hash-algorithm']};
+ authentication_method pre_shared_key;
+ dh_group {$tunnel['p1']['dhgroup']};
+
+EOD;
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+
+ $racoonconf .= " }\n";
+
+ if ($tunnel['p1']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n";
+
+ $racoonconf .= "}\n\n";
+
+ $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
+ $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
+
+ $racoonconf .= <<<EOD
+sainfo anonymous \{
+ encryption_algorithm {$p2ealgos};
+ authentication_algorithm {$p2halgos};
+ compression_algorithm deflate;
+
+EOD;
+
+ if ($tunnel['p2']['pfsgroup'])
+ $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n";
+
+ if ($tunnel['p2']['lifetime'])
+ $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n";
+
+ $racoonconf .= "}\n\n";
+ }
+
+ fwrite($fd, $racoonconf);
+ fclose($fd);
+
+ /* generate psk.txt */
+ $fd = fopen("{$g['varetc_path']}/psk.txt", "w");
+ if (!$fd) {
+ printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");
+ return 1;
+ }
+
+ $pskconf = "";
+
+ if (is_array($ipseccfg['tunnel'])) {
+ foreach ($ipseccfg['tunnel'] as $tunnel) {
+ if (isset($tunnel['disabled']))
+ continue;
+ $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n";
+ }
+ }
+
+ /* add PSKs for mobile clients */
+ if (is_array($ipseccfg['mobilekey'])) {
+ foreach ($ipseccfg['mobilekey'] as $key) {
+ $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n";
+ }
+ }
+
+ fwrite($fd, $pskconf);
+ fclose($fd);
+ chmod("{$g['varetc_path']}/psk.txt", 0600);
+
+ /* start racoon */
+ mwexec("/usr/local/sbin/racoon -d -f {$g['varetc_path']}/racoon.conf");
+
+ foreach ($ipseccfg['tunnel'] as $tunnel) {
+ if (isset($tunnel['auto'])) {
+ $remotehost = substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/"));
+ $srchost = vpn_endpoint_determine($tunnel, $curwanip);
+ if ($srchost)
+ mwexec_bg("/sbin/ping -c 1 -S {$srchost} {$remotehost}");
+ }
+ }
+ }
+ }
+
+ if (!$g['booting']) {
+ /* reload the filter */
+ filter_configure();
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function vpn_pptpd_configure() {
+ global $config, $g;
+
+ $syscfg = $config['system'];
+ $pptpdcfg = $config['pptpd'];
+
+ if ($g['booting']) {
+ if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
+ return 0;
+
+ echo "Configuring PPTP VPN service... ";
+ } else {
+ /* kill mpd */
+ killbypid("{$g['varrun_path']}/mpd-vpn.pid");
+
+ /* wait for process to die */
+ sleep(2);
+
+ /* remove mpd.conf, if it exists */
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");
+ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");
+ }
+
+ /* make sure mpd-vpn directory exists */
+ if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
+ mkdir("{$g['varetc_path']}/mpd-vpn");
+
+ switch ($pptpdcfg['mode']) {
+
+ case 'server':
+
+ /* write mpd.conf */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
+ return 1;
+ }
+
+ $mpdconf = <<<EOD
+pptpd:
+
+EOD;
+
+ for ($i = 0; $i < $g['n_pptp_units']; $i++) {
+ $mpdconf .= " load pt{$i}\n";
+ }
+
+ for ($i = 0; $i < $g['n_pptp_units']; $i++) {
+
+ $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
+ $ngif = "ng" . ($i+1);
+
+ $mpdconf .= <<<EOD
+
+pt{$i}:
+ new -i {$ngif} pt{$i} pt{$i}
+ set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
+ load pts
+
+EOD;
+ }
+
+ $mpdconf .= <<<EOD
+
+pts:
+ set iface disable on-demand
+ set iface enable proxy-arp
+ set iface enable tcpmssfix
+ set iface idle 1800
+ set iface up-script /usr/local/sbin/vpn-linkup
+ set iface down-script /usr/local/sbin/vpn-linkdown
+ set bundle enable multilink
+ set bundle enable crypt-reqd
+ set link yes acfcomp protocomp
+ set link no pap chap
+ set link enable chap-msv2
+ set link mtu 1460
+ set link keep-alive 10 60
+ set ipcp yes vjcomp
+ set bundle enable compression
+ set ccp yes mppc
+ set ccp yes mpp-e128
+ set ccp yes mpp-stateless
+
+EOD;
+
+ if (!isset($pptpdcfg['req128'])) {
+ $mpdconf .= <<<EOD
+ set ccp yes mpp-e40
+ set ccp yes mpp-e56
+
+EOD;
+ }
+
+ if (isset($config['dnsmasq']['enable'])) {
+ $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
+ if ($syscfg['dnsserver'][0])
+ $mpdconf .= " " . $syscfg['dnsserver'][0];
+ $mpdconf .= "\n";
+ } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
+ $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
+ }
+
+ if (isset($pptpdcfg['radius']['enable'])) {
+ $mpdconf .= <<<EOD
+ set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}"
+ set radius retries 3
+ set radius timeout 10
+ set bundle enable radius-auth
+ set bundle disable radius-fallback
+
+EOD;
+
+ if (isset($pptpdcfg['radius']['accounting'])) {
+ $mpdconf .= <<<EOD
+ set bundle enable radius-acct
+
+EOD;
+ }
+ }
+
+ fwrite($fd, $mpdconf);
+ fclose($fd);
+
+ /* write mpd.links */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
+ return 1;
+ }
+
+ $mpdlinks = "";
+
+ for ($i = 0; $i < $g['n_pptp_units']; $i++) {
+ $mpdlinks .= <<<EOD
+
+pt{$i}:
+ set link type pptp
+ set pptp enable incoming
+ set pptp disable originate
+ set pptp disable windowing
+ set pptp self 127.0.0.1
+
+EOD;
+ }
+
+ fwrite($fd, $mpdlinks);
+ fclose($fd);
+
+ /* write mpd.secret */
+ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");
+ if (!$fd) {
+ printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
+ return 1;
+ }
+
+ $mpdsecret = "";
+
+ if (is_array($pptpdcfg['user'])) {
+ foreach ($pptpdcfg['user'] as $user)
+ $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
+ }
+
+ fwrite($fd, $mpdsecret);
+ fclose($fd);
+ chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
+
+ /* fire up mpd */
+ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");
+
+ break;
+
+ case 'redir':
+ break;
+ }
+
+ if (!$g['booting']) {
+ /* reload the filter */
+ filter_configure();
+ }
+
+ if ($g['booting'])
+ echo "done\n";
+
+ return 0;
+}
+
+function vpn_localnet_determine($adr, &$sa, &$sn) {
+ global $config, $g;
+
+ if (isset($adr)) {
+ if ($adr['network']) {
+ switch ($adr['network']) {
+ case 'lan':
+ $sn = $config['interfaces']['lan']['subnet'];
+ $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
+ break;
+ }
+ } else if ($adr['address']) {
+ list($sa,$sn) = explode("/", $adr['address']);
+ if (is_null($sn))
+ $sn = 32;
+ }
+ } else {
+ $sn = $config['interfaces']['lan']['subnet'];
+ $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
+ }
+}
+
+function vpn_endpoint_determine($tunnel, $curwanip) {
+
+ global $g, $config;
+
+ if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) {
+ if ($curwanip)
+ return $curwanip;
+ else
+ return null;
+ } else if ($tunnel['interface'] == "lan") {
+ return $config['interfaces']['lan']['ipaddr'];
+ } else {
+ $oc = $config['interfaces'][$tunnel['interface']];
+
+ if (isset($oc['enable']) && $oc['if']) {
+ return $oc['ipaddr'];
+ }
+ }
+
+ return null;
+}
+
+?>
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
new file mode 100644
index 0000000..1fdadac
--- /dev/null
+++ b/etc/inc/xmlparse.inc
@@ -0,0 +1,205 @@
+<?php
+/*
+ xmlparse.inc
+ functions to parse/dump configuration files in XML format
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* tags that are always to be handled as lists */
+$listtags = explode(" ", "rule user key subqueue dnsserver winsserver " .
+ "encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone " .
+ "staticmap route alias pipe queue shellcmd earlyshellcmd mobilekey " .
+ "servernat proxyarpnet passthrumac allowedip wolentry vlan");
+
+function startElement($parser, $name, $attrs) {
+ global $depth, $curpath, $config, $havedata, $listtags;
+
+ array_push($curpath, strtolower($name));
+
+ $ptr =& $config;
+ foreach ($curpath as $path) {
+ $ptr =& $ptr[$path];
+ }
+
+ /* is it an element that belongs to a list? */
+ if (in_array(strtolower($name), $listtags)) {
+
+ /* is there an array already? */
+ if (!is_array($ptr)) {
+ /* make an array */
+ $ptr = array();
+ }
+
+ array_push($curpath, count($ptr));
+
+ } else if (isset($ptr)) {
+ /* multiple entries not allowed for this element, bail out */
+ die(sprintf("XML error: %s at line %d cannot occur more than once\n",
+ $name,
+ xml_get_current_line_number($parser)));
+ }
+
+ $depth++;
+ $havedata = $depth;
+}
+
+function endElement($parser, $name) {
+ global $depth, $curpath, $config, $havedata, $listtags;
+
+ if ($havedata == $depth) {
+ $ptr =& $config;
+ foreach ($curpath as $path) {
+ $ptr =& $ptr[$path];
+ }
+ $ptr = "";
+ }
+
+ array_pop($curpath);
+
+ if (in_array(strtolower($name), $listtags))
+ array_pop($curpath);
+
+ $depth--;
+}
+
+function cData($parser, $data) {
+ global $depth, $curpath, $config, $havedata;
+
+ $data = trim($data, "\t\n\r");
+
+ if ($data != "") {
+ $ptr =& $config;
+ foreach ($curpath as $path) {
+ $ptr =& $ptr[$path];
+ }
+
+ if (is_string($ptr)) {
+ $ptr .= $data;
+ } else {
+ if (trim($data, " ") != "") {
+ $ptr = $data;
+ $havedata++;
+ }
+ }
+ }
+}
+
+function parse_xml_config($cffile, $rootobj) {
+
+ global $depth, $curpath, $config, $havedata, $listtags;
+
+ $config = array();
+ $curpath = array();
+ $depth = 0;
+ $havedata = 0;
+
+ $xml_parser = xml_parser_create();
+
+ xml_set_element_handler($xml_parser, "startElement", "endElement");
+ xml_set_character_data_handler($xml_parser, "cdata");
+
+ if (!($fp = fopen($cffile, "r"))) {
+ die("Error: could not open XML input\n");
+ }
+
+ while ($data = fread($fp, 4096)) {
+ if (!xml_parse($xml_parser, $data, feof($fp))) {
+ die(sprintf("XML error: %s at line %d\n",
+ xml_error_string(xml_get_error_code($xml_parser)),
+ xml_get_current_line_number($xml_parser)));
+ }
+ }
+ xml_parser_free($xml_parser);
+
+ if (!$config[$rootobj]) {
+ die("XML error: no $rootobj object found!\n");
+ }
+
+ return $config[$rootobj];
+}
+
+function dump_xml_config_sub($arr, $indent) {
+
+ global $listtags;
+
+ $xmlconfig = "";
+
+ foreach ($arr as $ent => $val) {
+ if (is_array($val)) {
+ /* is it just a list of multiple values? */
+ if (in_array(strtolower($ent), $listtags)) {
+ foreach ($val as $cval) {
+ if (is_array($cval)) {
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "<$ent>\n";
+ $xmlconfig .= dump_xml_config_sub($cval, $indent + 1);
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "</$ent>\n";
+ } else {
+ $xmlconfig .= str_repeat("\t", $indent);
+ if ((is_bool($cval) && ($cval == true)) ||
+ ($cval === ""))
+ $xmlconfig .= "<$ent/>\n";
+ else if (!is_bool($cval))
+ $xmlconfig .= "<$ent>" . htmlspecialchars($cval) . "</$ent>\n";
+ }
+ }
+ } else {
+ /* it's an array */
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "<$ent>\n";
+ $xmlconfig .= dump_xml_config_sub($val, $indent + 1);
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "</$ent>\n";
+ }
+ } else {
+ if ((is_bool($val) && ($val == true)) || ($val === "")) {
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "<$ent/>\n";
+ } else if (!is_bool($val)) {
+ $xmlconfig .= str_repeat("\t", $indent);
+ $xmlconfig .= "<$ent>" . htmlspecialchars($val) . "</$ent>\n";
+ }
+ }
+ }
+
+ return $xmlconfig;
+}
+
+function dump_xml_config($arr, $rootobj) {
+
+ $xmlconfig = "<?xml version=\"1.0\"?" . ">\n";
+ $xmlconfig .= "<$rootobj>\n";
+
+ $xmlconfig .= dump_xml_config_sub($arr, 1);
+
+ $xmlconfig .= "</$rootobj>\n";
+
+ return $xmlconfig;
+}
+
+?>
diff --git a/etc/login.conf b/etc/login.conf
new file mode 100644
index 0000000..fc6b37c
--- /dev/null
+++ b/etc/login.conf
@@ -0,0 +1,316 @@
+# login.conf - login class capabilities database.
+#
+# Remember to rebuild the database after each change to this file:
+#
+# cap_mkdb /etc/login.conf
+#
+# This file controls resource limits, accounting limits and
+# default user environment settings.
+#
+# $FreeBSD: src/etc/login.conf,v 1.34.2.6 2002/07/02 20:06:18 dillon Exp $
+#
+
+# Default settings effectively disable resource limits, see the
+# examples below for a starting point to enable them.
+
+# defaults
+# These settings are used by login(1) by default for classless users
+# Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
+
+default:\
+ :passwd_format=md5:\
+ :copyright=/etc/COPYRIGHT:\
+ :welcome=/etc/motd:\
+ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
+ :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\
+ :nologin=/var/run/nologin:\
+ :cputime=unlimited:\
+ :datasize=unlimited:\
+ :stacksize=unlimited:\
+ :memorylocked=unlimited:\
+ :memoryuse=unlimited:\
+ :filesize=unlimited:\
+ :coredumpsize=unlimited:\
+ :openfiles=unlimited:\
+ :maxproc=unlimited:\
+ :sbsize=unlimited:\
+ :vmemoryuse=unlimited:\
+ :priority=0:\
+ :ignoretime@:\
+ :umask=022:
+
+
+#
+# A collection of common class names - forward them all to 'default'
+# (login would normally do this anyway, but having a class name
+# here suppresses the diagnostic)
+#
+standard:\
+ :tc=default:
+xuser:\
+ :tc=default:
+staff:\
+ :tc=default:
+daemon:\
+ :tc=default:
+news:\
+ :tc=default:
+dialer:\
+ :tc=default:
+
+#
+# Root can always login
+#
+# N.B. login_getpwclass(3) will use this entry for the root account,
+# in preference to 'default'.
+root:\
+ :ignorenologin:\
+ :tc=default:
+
+#
+# Russian Users Accounts. Setup proper environment variables.
+#
+russian|Russian Users Accounts:\
+ :charset=KOI8-R:\
+ :lang=ru_RU.KOI8-R:\
+ :tc=default:
+
+
+######################################################################
+######################################################################
+##
+## Example entries
+##
+######################################################################
+######################################################################
+
+## Example defaults
+## These settings are used by login(1) by default for classless users
+## Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
+#
+#default:\
+# :cputime=infinity:\
+# :datasize-cur=22M:\
+# :stacksize-cur=8M:\
+# :memorylocked-cur=10M:\
+# :memoryuse-cur=30M:\
+# :filesize=infinity:\
+# :coredumpsize=infinity:\
+# :maxproc-cur=64:\
+# :openfiles-cur=64:\
+# :priority=0:\
+# :requirehome@:\
+# :umask=022:\
+# :tc=auth-defaults:
+#
+#
+##
+## standard - standard user defaults
+##
+#standard:\
+# :copyright=/etc/COPYRIGHT:\
+# :welcome=/etc/motd:\
+# :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
+# :path=~/bin /bin /usr/bin /usr/local/bin:\
+# :manpath=/usr/share/man /usr/local/man:\
+# :nologin=/var/run/nologin:\
+# :cputime=1h30m:\
+# :datasize=8M:\
+# :vmemoryuse=100M:\
+# :stacksize=2M:\
+# :memorylocked=4M:\
+# :memoryuse=8M:\
+# :filesize=8M:\
+# :coredumpsize=8M:\
+# :openfiles=24:\
+# :maxproc=32:\
+# :priority=0:\
+# :requirehome:\
+# :passwordtime=90d:\
+# :umask=002:\
+# :ignoretime@:\
+# :tc=default:
+#
+#
+##
+## users of X (needs more resources!)
+##
+#xuser:\
+# :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\
+# :cputime=4h:\
+# :datasize=12M:\
+# :vmemoryuse=infinity:\
+# :stacksize=4M:\
+# :filesize=8M:\
+# :memoryuse=16M:\
+# :openfiles=32:\
+# :maxproc=48:\
+# :tc=standard:
+#
+#
+##
+## Staff users - few restrictions and allow login anytime
+##
+#staff:\
+# :ignorenologin:\
+# :ignoretime:\
+# :requirehome@:\
+# :accounted@:\
+# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+# :umask=022:\
+# :tc=standard:
+#
+#
+##
+## root - fallback for root logins
+##
+#root:\
+# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+# :cputime=infinity:\
+# :datasize=infinity:\
+# :stacksize=infinity:\
+# :memorylocked=infinity:\
+# :memoryuse=infinity:\
+# :filesize=infinity:\
+# :coredumpsize=infinity:\
+# :openfiles=infinity:\
+# :maxproc=infinity:\
+# :memoryuse-cur=32M:\
+# :maxproc-cur=64:\
+# :openfiles-cur=1024:\
+# :priority=0:\
+# :requirehome@:\
+# :umask=022:\
+# :tc=auth-root-defaults:
+#
+#
+##
+## Settings used by /etc/rc
+##
+#daemon:\
+# :coredumpsize@:\
+# :coredumpsize-cur=0:\
+# :datasize=infinity:\
+# :datasize-cur@:\
+# :maxproc=512:\
+# :maxproc-cur@:\
+# :memoryuse-cur=64M:\
+# :memorylocked-cur=64M:\
+# :openfiles=1024:\
+# :openfiles-cur@:\
+# :stacksize=16M:\
+# :stacksize-cur@:\
+# :tc=default:
+#
+#
+##
+## Settings used by news subsystem
+##
+#news:\
+# :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
+# :cputime=infinity:\
+# :filesize=128M:\
+# :datasize-cur=64M:\
+# :stacksize-cur=32M:\
+# :coredumpsize-cur=0:\
+# :maxmemorysize-cur=128M:\
+# :memorylocked=32M:\
+# :maxproc=128:\
+# :openfiles=256:\
+# :tc=default:
+#
+#
+##
+## The dialer class should be used for a dialup PPP/SLIP accounts
+## Welcome messages/news suppressed
+##
+#dialer:\
+# :hushlogin:\
+# :requirehome@:\
+# :cputime=unlimited:\
+# :filesize=2M:\
+# :datasize=2M:\
+# :stacksize=4M:\
+# :coredumpsize=0:\
+# :memoryuse=4M:\
+# :memorylocked=1M:\
+# :maxproc=16:\
+# :openfiles=32:\
+# :tc=standard:
+#
+#
+##
+## Site full-time 24/7 PPP/SLIP connections
+## - no time accounting, restricted to access via dialin lines
+##
+#site:\
+# :ignoretime:\
+# :passwordtime@:\
+# :refreshtime@:\
+# :refreshperiod@:\
+# :sessionlimit@:\
+# :autodelete@:\
+# :expireperiod@:\
+# :graceexpire@:\
+# :gracetime@:\
+# :warnexpire@:\
+# :warnpassword@:\
+# :idletime@:\
+# :sessiontime@:\
+# :daytime@:\
+# :weektime@:\
+# :monthtime@:\
+# :warntime@:\
+# :accounted@:\
+# :tc=dialer:\
+# :tc=staff:
+#
+#
+##
+## Example standard accounting entries for subscriber levels
+##
+#
+#subscriber|Subscribers:\
+# :accounted:\
+# :refreshtime=180d:\
+# :refreshperiod@:\
+# :sessionlimit@:\
+# :autodelete=30d:\
+# :expireperiod=180d:\
+# :graceexpire=7d:\
+# :gracetime=10m:\
+# :warnexpire=7d:\
+# :warnpassword=7d:\
+# :idletime=30m:\
+# :sessiontime=4h:\
+# :daytime=6h:\
+# :weektime=40h:\
+# :monthtime=120h:\
+# :warntime=4h:\
+# :tc=standard:
+#
+#
+##
+## Subscriber accounts. These accounts have their login times
+## accounted and have access limits applied.
+##
+#subppp|PPP Subscriber Accounts:\
+# :tc=dialer:\
+# :tc=subscriber:
+#
+#
+#subslip|SLIP Subscriber Accounts:\
+# :tc=dialer:\
+# :tc=subscriber:
+#
+#
+#subshell|Shell Subscriber Accounts:\
+# :tc=subscriber:
+#
+##
+## If you want some of the accounts to use traditional UNIX DES based
+## password hashes.
+##
+#des_users:\
+# :passwd_format=des:\
+# :tc=default:
diff --git a/etc/master.passwd b/etc/master.passwd
new file mode 100644
index 0000000..88b0dd1
--- /dev/null
+++ b/etc/master.passwd
@@ -0,0 +1,26 @@
+# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
+#
+root::0:0::0:0:Charlie &:/root:/etc/rc.initial
+toor:*:0:0::0:0:Bourne-again Superuser:/root:
+daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
+operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
+bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
+tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
+kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
+games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
+news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
+man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
+sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
+smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
+mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
+bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
+proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
+_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
+uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
+pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
+www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
+nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
+distcc:*:1001:1001::0:0:Distcc:/home/distcc:/sbin/nologin
+dhcpd:*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin
+admin:*:101:101::0:0:Admin User:/home/admin:/etc/rc.initial
+
diff --git a/etc/networks b/etc/networks
new file mode 100644
index 0000000..92982b5
--- /dev/null
+++ b/etc/networks
@@ -0,0 +1,17 @@
+# $FreeBSD: src/etc/networks,v 1.3 1999/08/27 23:23:42 peter Exp $
+# @(#)networks 5.1 (Berkeley) 6/30/90
+#
+# Your Local Networks Database
+#
+your-net 127 # your comment
+your-netmask 255.255.255 # subnet mask for your-net
+
+#
+# Your subnets
+#
+subnet1 127.0.1 alias1 # comment 1
+subnet2 127.0.2 alias2 # comment 2
+
+#
+# Internet networks (from nic.ddn.mil)
+#
diff --git a/etc/pamd.conf b/etc/pamd.conf
new file mode 100644
index 0000000..78df63d
--- /dev/null
+++ b/etc/pamd.conf
@@ -0,0 +1,55 @@
+# Configuration file for Pluggable Authentication Modules (PAM).
+#
+# This file controls the authentication methods that login and other
+# utilities use. See pam(8) for a description of its format.
+#
+# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $
+#
+# service-name module-type control-flag module-path arguments
+#
+# module-type:
+# auth: prompt for a password to authenticate that the user is
+# who they say they are, and set any credentials.
+# account: non-authentication based authorization, based on time,
+# resources, etc.
+# session: housekeeping before and/or after login.
+# password: update authentication tokens.
+#
+# control-flag: How libpam handles success or failure of the module.
+# required: success is required, and on failure all remaining
+# modules are run.
+# requisite: success is required, and on failure no remaining
+# modules are run.
+# sufficient: success is sufficient, and if no previous required
+# module failed, no remaining modules are run.
+# optional: ignored unless the other modules return PAM_IGNORE.
+#
+# arguments:
+# Passed to the module; module-specific plus some generic ones:
+# debug: syslog debug info.
+# no_warn: return no warning messages to the application.
+# use_first_pass: try authentication using password from the
+# preceding auth module.
+# try_first_pass: first try authentication using password from
+# the preceding auth module, and if that fails
+# prompt for a new password.
+# use_mapped_pass: convert cleartext password to a crypto key.
+# expose_account: allow printing more info about the user when
+# prompting.
+#
+# Each final entry must say "required" -- otherwise, things don't
+# work quite right. If you delete a final entry, be sure to change
+# "sufficient" to "required" in the entry before it.
+#
+## OpenSSH with PAM support requires similar modules. The session one is
+## a bit strange, though...
+sshd auth sufficient pam_skey.so
+sshd auth sufficient pam_opie.so no_fake_prompts
+#sshd auth requisite pam_opieaccess.so
+#sshd auth sufficient pam_kerberosIV.so try_first_pass
+#sshd auth sufficient pam_krb5.so try_first_pass
+sshd auth required pam_unix.so try_first_pass
+sshd account required pam_unix.so
+sshd password required pam_permit.so
+sshd session required pam_permit.so
+
diff --git a/etc/passwd b/etc/passwd
new file mode 100644
index 0000000..86c9b58
--- /dev/null
+++ b/etc/passwd
@@ -0,0 +1,10 @@
+root:*:0:0:Charlie &:/root:/etc/rc.initial
+toor:*:0:0:Bourne-again Superuser:/root:
+daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
+operator:*:2:5:System &:/:/sbin/nologin
+bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
+tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
+kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
+www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
+nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
+admin:*:101:101:Admin Account:/home/admin:/bin/sh
diff --git a/etc/pccard.conf b/etc/pccard.conf
new file mode 100644
index 0000000..75fa24a
--- /dev/null
+++ b/etc/pccard.conf
@@ -0,0 +1,435 @@
+
+# Generally available IO ports
+io 0x240-0x360
+# on i386 IRQs can be any of 3 4 5 7 9 10 11 12 14 15
+# on pc98 IRQs can be any of 3 5 6 9 10 11 12 13
+# but *MUST* *NOT* be used by anything else, unless you are using current
+# and a PCI cardbus bridge that allows sharing. Even then, the rules
+# for interrupt sharing can be tricky.
+# Generally available IRQs (Built-in sound-card owners remove 5)
+irq 3 5 10 11 15
+# Available memory slots
+memory 0xd4000 96k
+# Debug level, so you know how to get more info for maintainers. Put it
+# in /etc/pccard.conf
+#debuglevel 4
+
+########## an ##########
+
+# Aironet PC4500 2Mbps 802.11 wireless NIC
+card "Aironet" "PC4500"
+ config 0x5 "an0" ?
+ config 0x5 "an1" ?
+ config 0x5 "an2" ?
+
+# Aironet PC4800 11Mbps 802.11 wireless NIC
+card "Aironet" "PC4800"
+ config 0x5 "an0" ?
+ config 0x5 "an1" ?
+ config 0x5 "an2" ?
+
+# Aironet 340 Series 11Mbps 802.11 wireless NIC
+card "Cisco Systems" "340 Series Wireless LAN Adapter"
+ config auto "an0" ?
+ config auto "an1" ?
+ config auto "an2" ?
+
+# Aironet 350 Series 11Mbps 802.11 wireless NIC
+card "Cisco Systems" "350 Series Wireless LAN Adapter"
+ config auto "an0" ?
+ config auto "an1" ?
+ config auto "an2" ?
+
+# Xircom sells a rebaded unit
+card "Xircom" "Wireless Ethernet Adapter"
+ config 0x5 "an0" ?
+ config 0x5 "an1" ?
+ config 0x5 "an2" ?
+
+########## wi ##########
+
+# OEM ID 0x5 unlabelled PRISM2.5 card
+card " " "IEEE 802.11 Wireless LAN/PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# 3com 3crwe737A AirConnect Wireless LAN PC Card
+card "3Com" "3CRWE737A AirConnect Wireless LAN PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Accton airDirect WN3301
+card "Accton" "IEEE802.11 PC Card Adapter"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Actiontec PRISM wireless
+card "ACTIONTEC" "PRISM Wireless LAN PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Addtron AWP-100
+card "Addtron" "AWP-100 Wireless PCMCIA"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# ADLINK340APC
+card "ADTEC" "ADLINK/340C"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Home Wireless Networks
+card "AirWay" "802.11 Adapter (PCMCIA)"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Allied Telesis WR211PCM
+card "Allied Telesis K.K." "WR211PCM"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Avaya Wireless PC Card
+card "Avaya Communication" "Avaya Wireless PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Belkin wireless card
+card "Belkin" "11Mbps Wireless Notebook Network Adapter"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# BreezeNET
+card "BreezeNET" "PC-DS.11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Buffalo WLI-CF-S11G
+card "BUFFALO" "WLI-CF-S11G"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Melco Airconnect 3.3V version
+card "BUFFALO" "WLI-PCM-S11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Melco Airconnect (128bit WEP)
+card "BUFFALO" "WLI-PCM-L11G"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Cabletron RoamAbout, WaveLAN/IEEE clone
+card "Cabletron" "RoamAbout 802.11 DS"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# Compaq WL100
+card "Compaq" "WL100_11Mbps_Wireless_PC_Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Compaq WL110
+card "Compaq" "Compaq WL110 PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Compaq WL200
+card "Compaq" "WL200_11Mbps_Wireless_PCI_Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Compaq WL200 (might be wrong)
+card "Compaq" "Compaq WL200_11Mbps_Wireless_PCI_Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Corega KK Wireless LAN PCC-11
+card "corega K.K." "Wireless LAN PCC-11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Corega KK Wireless LAN PCCA-11
+card "corega K.K." "Wireless LAN PCCA-11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Corega KK Wireless LAN PCCB-11
+card "corega_K.K." "Wireless_LAN_PCCB-11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Corega KK Wireless LAN PCCL-11
+card "corega" "WL PCCL-11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# D Link DWL-650 11Mbps WLAN Card
+card "D" "Link DWL-650 11Mbps WLAN Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# DLink Air DWL-660 Wireless PC Card
+card "D-Link" "D-Link Air DWL-660 Wireless PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Dell TrueMobile (OEMed Lucent WaveLAN/IEEE)
+card "Dell" "TrueMobile 1150 Series PC Card"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# ELECOM Air@Hawk/LD-WL11/PCC (0.7.5)
+card "ELECOM" "Air@Hark/LD-WL11/PCC"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# ELECOM Air@Hawk/LD-WL11/PCC (0.7.6 and later)
+card "ELECOM" "Air@Hawk/LD-WL11/PCC"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# ELSA Air Lancer
+card "ELSA" "AirLancer MC-11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Fujitsu Siemens CONNECT2AIR WLAN C-1100 CF-Card
+card "Fujitsu Siemens Computers" "CONNECT2AIR WLAN C-1100 CF-Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# PLANEX GeoWave/GW-NS11S
+card "Geowave" "GW-NS11S"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Linksys Instant Wireless WPC11
+card "/Instant Wireless */" " Network PC CARD"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Intel PRO/Wireless 2011 LAN PC Card
+card "Intel" "PRO/Wireless 2011 LAN PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# ICOM SL-1100
+card "ICOM" "SL-1100"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# OEM PRISM cards
+card "INTERSIL" "HFA384x/IEEE"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# IO Data WN-B11/PCM
+card "IO DATA" "WNB11PCM"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# IBM's rebadged Lucent WaveLAN/IEEE. The FCC IDs are identical to
+# those for the Lucent card, so presumably everything else is as well.
+card "IBM Corporation" "IBM High Rate Wireless LAN PC Card"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# Lucent WaveLAN/IEEE
+card "Lucent Technologies" "WaveLAN/IEEE"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# Melco Airconnect
+card "MELCO" "WLI-PCM-L11"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# nanospeed card of some flavor.
+card "NANOSPEED" "HFA384x/IEEE"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# NCR WaveLAN/IEEE
+card "NCR" "WaveLAN/IEEE"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# NEC Wireless Card CMZ-RT-WP
+card "NEC" "Wireless Card CMZ-RT-WP"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# NEC WL11C (PC-WL/11C)
+card "NEC Aterm" "WL11C (PC-WL/11C)"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# NEC Corporation PK-WL001
+card "NEC Corporation" "Wireless PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Netgear MA401
+card "NETGEAR MA401 Wireless PC" "Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Netgear MA401RA
+card "NETGEAR MA401RA Wireless PC" "Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Nortel eMobility
+card "Nortel Networks" "emobility 802.11 Wireless LAN PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Generic PRISM2.5 card
+card "PCMCIA" "11M WLAN Card v2.5"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# PLANEX GeoWave/GW-NS110
+card "PLANEX" "GeoWave/GW-NS110"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# PLANEX GW-NS11H
+card "PLANEX" "GW-NS11H Wireless LAN PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Proxim Harmony
+card "PROXIM" "Harmony 802.11b/LAN PC CARD"
+ config 0x1 "wi0" ?
+ config 0x1 "wi1" ?
+ config 0x1 "wi2" ?
+
+# Proxim RangeLAN-DS (OEM of Zcommax - Prism2 card)
+card "PROXIM" "RangeLAN-DS/LAN PC CARD"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# SAMSUNG SWL-2000P PCI Card
+card "SAMSUNG" "11Mbps WLAN PCI Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# SMC's SMC2632W (also matches the 3.3V SMC2602W)
+card "SMC" "SMC2632W"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Sony PCWA-C100 WaveLAN
+card "Sony Corporation" "PCWA-C100"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# German Telekom T-Sinus 130card, unknown original manufactor
+card "T-Sinus" "130card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# TDK LAK-CD011WL
+card "TDK" "LAK-CD011WL for Wireless LAN"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Linksys Instant Wireless WPC11 v2.5
+card "The Linksys Group, Inc." "Instant Wireless Network PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Toshibas wireless lan card
+card "TOSHIBA" "Wireless LAN Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# U.S. Robotics Wireless Card 2410
+card "U.S. Robotics" "IEEE 802.11b PC-CARD"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Taiwanese Blue Concentric Circle CF Wireless LAN Model WL-379F
+# This is a card sold in Taiwan.
+card "Wireless LAN" "11Mbps PC Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# Wisecom WS-WP100W
+card "OEM" "PRISM25 IEEE 802.11 PC-Card"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# YIS YWL-11B
+card "YIS Corp." "YWL-11b"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
+
+# ZoomAir 802.11
+card "ZoomAir 11Mbps High" "Rate wireless Networking"
+ config auto "wi0" ?
+ config auto "wi1" ?
+ config auto "wi2" ?
diff --git a/etc/platform b/etc/platform
new file mode 100644
index 0000000..f964569
--- /dev/null
+++ b/etc/platform
@@ -0,0 +1 @@
+net45xx
diff --git a/etc/protocols b/etc/protocols
new file mode 100644
index 0000000..20e2741
--- /dev/null
+++ b/etc/protocols
@@ -0,0 +1,146 @@
+#
+# Internet protocols
+#
+# $FreeBSD: src/etc/protocols,v 1.13.2.3 2002/02/27 03:39:00 dd Exp $
+# from: @(#)protocols 5.1 (Berkeley) 4/17/89
+#
+# See also http://www.iana.org/assignments/protocol-numbers
+#
+ip 0 IP # internet protocol, pseudo protocol number
+#hopopt 0 HOPOPT # hop-by-hop options for ipv6
+icmp 1 ICMP # internet control message protocol
+igmp 2 IGMP # internet group management protocol
+ggp 3 GGP # gateway-gateway protocol
+ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
+st2 5 ST2 # ST2 datagram mode (RFC 1819)
+tcp 6 TCP # transmission control protocol
+cbt 7 CBT # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
+egp 8 EGP # exterior gateway protocol
+igp 9 IGP # any private interior gateway (Cisco: for IGRP)
+bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
+nvp 11 NVP-II # Network Voice Protocol
+pup 12 PUP # PARC universal packet protocol
+argus 13 ARGUS # ARGUS
+emcon 14 EMCON # EMCON
+xnet 15 XNET # Cross Net Debugger
+chaos 16 CHAOS # Chaos
+udp 17 UDP # user datagram protocol
+mux 18 MUX # Multiplexing protocol
+dcn 19 DCN-MEAS # DCN Measurement Subsystems
+hmp 20 HMP # host monitoring protocol
+prm 21 PRM # packet radio measurement protocol
+xns-idp 22 XNS-IDP # Xerox NS IDP
+trunk-1 23 TRUNK-1 # Trunk-1
+trunk-2 24 TRUNK-2 # Trunk-2
+leaf-1 25 LEAF-1 # Leaf-1
+leaf-2 26 LEAF-2 # Leaf-2
+rdp 27 RDP # "reliable datagram" protocol
+irtp 28 IRTP # Internet Reliable Transaction Protocol
+iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
+netblt 30 NETBLT # Bulk Data Transfer Protocol
+mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
+merit-inp 32 MERIT-INP # MERIT Internodal Protocol
+sep 33 SEP # Sequential Exchange Protocol
+3pc 34 3PC # Third Party Connect Protocol
+idpr 35 IDPR # Inter-Domain Policy Routing Protocol
+xtp 36 XTP # Xpress Tranfer Protocol
+ddp 37 DDP # Datagram Delivery Protocol
+idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
+tp++ 39 TP++ # TP++ Transport Protocol
+il 40 IL # IL Transport Protocol
+ipv6 41 IPV6 # ipv6
+sdrp 42 SDRP # Source Demand Routing Protocol
+ipv6-route 43 IPV6-ROUTE # routing header for ipv6
+ipv6-frag 44 IPV6-FRAG # fragment header for ipv6
+idrp 45 IDRP # Inter-Domain Routing Protocol
+rsvp 46 RSVP # Resource ReSerVation Protocol
+gre 47 GRE # Generic Routing Encapsulation
+mhrp 48 MHRP # Mobile Host Routing Protocol
+bna 49 BNA # BNA
+esp 50 ESP # encapsulating security payload
+ah 51 AH # authentication header
+i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
+swipe 53 SWIPE # IP with Encryption
+narp 54 NARP # NBMA Address Resolution Protocol
+mobile 55 MOBILE # IP Mobility
+tlsp 56 TLSP # Transport Layer Security Protocol
+skip 57 SKIP # SKIP
+ipv6-icmp 58 IPV6-ICMP # ICMP for IPv6
+ipv6-nonxt 59 IPV6-NONXT # no next header for ipv6
+ipv6-opts 60 IPV6-OPTS # destination options for ipv6
+# 61 # any host internal protocol
+cftp 62 CFTP # CFTP
+# 63 # any local network
+sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
+kryptolan 65 KRYPTOLAN # Kryptolan
+rvd 66 RVD # MIT Remote Virtual Disk Protocol
+ippc 67 IPPC # Internet Pluribus Packet Core
+# 68 # any distributed file system
+sat-mon 69 SAT-MON # SATNET Monitoring
+visa 70 VISA # VISA Protocol
+ipcv 71 IPCV # Internet Packet Core Utility
+cpnx 72 CPNX # Computer Protocol Network Executive
+cphb 73 CPHB # Computer Protocol Heart Beat
+wsn 74 WSN # Wang Span Network
+pvp 75 PVP # Packet Video Protocol
+br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
+sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
+wb-mon 78 WB-MON # WIDEBAND Monitoring
+wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
+iso-ip 80 ISO-IP # ISO Internet Protocol
+vmtp 81 VMTP # Versatile Message Transport
+secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
+vines 83 VINES # VINES
+ttp 84 TTP # TTP
+nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
+dgp 86 DGP # Dissimilar Gateway Protocol
+tcf 87 TCF # TCF
+eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
+ospf 89 OSPFIGP # Open Shortest Path First IGP
+sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
+larp 91 LARP # Locus Address Resolution Protocol
+mtp 92 MTP # Multicast Transport Protocol
+ax.25 93 AX.25 # AX.25 Frames
+ipip 94 IPIP # Yet Another IP encapsulation
+micp 95 MICP # Mobile Internetworking Control Pro.
+scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
+etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
+encap 98 ENCAP # Yet Another IP encapsulation
+# 99 # any private encryption scheme
+gmtp 100 GMTP # GMTP
+ifmp 101 IFMP # Ipsilon Flow Management Protocol
+pnni 102 PNNI # PNNI over IP
+pim 103 PIM # Protocol Independent Multicast
+aris 104 ARIS # ARIS
+scps 105 SCPS # SCPS
+qnx 106 QNX # QNX
+a/n 107 A/N # Active Networks
+ipcomp 108 IPComp # IP Payload Compression Protocol
+snp 109 SNP # Sitara Networks Protocol
+compaq-peer 110 Compaq-Peer # Compaq Peer Protocol
+ipx-in-ip 111 IPX-in-IP # IPX in IP
+vrrp 112 VRRP # Virtual Router Redundancy Protocol
+pgm 113 PGM # PGM Reliable Transport Protocol
+# 114 # any 0-hop protocol
+l2tp 115 L2TP # Layer Two Tunneling Protocol
+ddx 116 DDX # D-II Data Exchange
+iatp 117 IATP # Interactive Agent Transfer Protocol
+st 118 ST # Schedule Transfer
+srp 119 SRP # SpectraLink Radio Protocol
+uti 120 UTI # UTI
+smp 121 SMP # Simple Message Protocol
+sm 122 SM # SM
+ptp 123 PTP # Performance Transparency Protocol
+isis 124 ISIS # ISIS over IPv4
+fire 125 FIRE
+crtp 126 CRTP # Combat Radio Transport Protocol
+crudp 127 CRUDP # Combat Radio User Datagram
+sscopmce 128 SSCOPMCE
+iplt 129 IPLT
+sps 130 SPS # Secure Packet Shield
+pipe 131 PIPE # Private IP Encapsulation within IP
+sctp 132 SCTP # Stream Control Transmission Protocol
+fc 133 FC # Fibre Channel
+# 134-254 # Unassigned
+divert 254 DIVERT # Divert pseudo-protocol [non IANA]
+# 255 # Reserved
diff --git a/etc/pubkey.pem b/etc/pubkey.pem
new file mode 100644
index 0000000..f935cb5
--- /dev/null
+++ b/etc/pubkey.pem
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH/03JimtLfN8ggkf26hOCdAaE
+5Ha+c9cqoms2/AXPMWjapkalizztGhvffTk5v1Y/mDwgkI09kqArnXqRCGFSyRDB
+utGizQ4OghmsBgWzBKw/biLiXZcfXpaZxfAsJ2aSDOy+ezIoPblRfqnVBzg49RPM
+Pe9HoJqCn1GxIhHrKwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/etc/rc b/etc/rc
new file mode 100755
index 0000000..af4b2f5
--- /dev/null
+++ b/etc/rc
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# /etc/rc
+# part of m0n0wall (http://neon1.net/m0n0wall)
+#
+# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+# All rights reserved.
+
+stty status '^T'
+
+trap : 2
+trap : 3
+
+HOME=/
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+export HOME PATH
+
+/sbin/mount -a || fsck -y && mount -a
+
+set -T
+trap "echo 'Reboot interrupted'; exit 1" 3
+
+# make some directories in /var
+mkdir /var/run /var/log /var/etc /var/db/ipf 2>/dev/null
+chmod 0755 /var/db/ipf
+rm -rf /var/log/*
+
+# generate circular logfiles
+clog -i -s 262144 /var/log/system.log
+clog -i -s 262144 /var/log/filter.log
+clog -i -s 32768 /var/log/dhcpd.log
+clog -i -s 32768 /var/log/vpn.log
+chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log /var/log/vpn.log
+
+adjkerntz -i
+
+#mount_devfs devfs /dev
+
+# Create an initial utmp file
+cd /var/run && cp /dev/null utmp && chmod 644 utmp
+
+# Build devices database
+#dev_mkdb
+
+# Run ldconfig
+/sbin/ldconfig -elf /usr/lib
+
+echo
+echo "Starting LiveBSD.com's m0n0wall 1.2b2 PF ..."
+echo
+
+# let the PHP-based configuration subsystem set up the system now
+/etc/rc.bootup
+
+/usr/sbin/pfctl -f /tmp/rules.debug
+/usr/sbin/pfctl -e
+
+echo Starting Secure Shell Services ...
+/etc/sshd
+
+exit 0
+
diff --git a/etc/rc.banner b/etc/rc.banner
new file mode 100755
index 0000000..0f5b8e5
--- /dev/null
+++ b/etc/rc.banner
@@ -0,0 +1,59 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.banner
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $version = chop(file_get_contents("{$g['etc_path']}/version"));
+ $buildtime = chop(file_get_contents("{$g['etc_path']}/version.buildtime"));
+
+ echo <<<EOD
+
+*** This is LiveBSD.com's m0n0wall version {$version}
+ Copyright 2004 Scott Ullrich. All rights reserved.
+ Originally based on m0n0wall, version 1.2b1
+ m0n0wall is Copyright 2002-2004 by Manuel Kasper. All rights reserved
+
+ LAN IP address: {$config['interfaces']['lan']['ipaddr']}
+
+ Port configurations:
+
+ LAN -> {$config['interfaces']['lan']['if']}
+ WAN -> {$config['interfaces']['wan']['if']}
+EOD;
+
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
+ echo " OPT{$i} -> {$config['interfaces']['opt' . $i]['if']} " .
+ "({$config['interfaces']['opt' . $i]['descr']})\n";
+?>
+
+
diff --git a/etc/rc.bootup b/etc/rc.bootup
new file mode 100755
index 0000000..04f8266
--- /dev/null
+++ b/etc/rc.bootup
@@ -0,0 +1,147 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.bootup
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ require_once("globals.inc");
+
+ /* let the other functions know we're booting */
+ $g['booting'] = TRUE;
+ touch("{$g['varrun_path']}/booting");
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ /* convert configuration, if necessary */
+ convert_config();
+
+ /* run any early shell commands specified in config.xml */
+ system_do_shell_commands(1);
+
+ /* save dmesg output to file */
+ system_dmesg_save();
+
+ /* set up our timezone */
+ system_timezone_configure();
+
+ /* set up our hostname */
+ system_hostname_configure();
+
+ /* make hosts file */
+ system_hosts_generate();
+
+ /* generate resolv.conf */
+ system_resolvconf_generate();
+
+ /* start pccardd */
+ if (!in_array($g['platform'], $g['nopccard_platforms']))
+ system_pccard_start();
+
+ /* establish ipfilter ruleset */
+ filter_configure();
+
+ /* configure loopback interface */
+ interfaces_loopback_configure();
+
+ /* set up VLAN virtual interfaces */
+ interfaces_vlan_configure();
+
+ /* set up LAN interface */
+ interfaces_lan_configure();
+
+ /* set up WAN interface */
+ interfaces_wan_configure();
+
+ /* set up Optional interfaces */
+ interfaces_optional_configure();
+
+ /* start OpenVPN server & clients */
+ ovpn_configure();
+
+ /* resync ipfilter */
+ filter_resync();
+
+ /* start ipmon */
+ filter_ipmon_start();
+
+ /* set up static routes */
+ system_routing_configure();
+
+ /* enable routing */
+ system_routing_enable();
+
+ /* start syslogd */
+ system_syslogd_start();
+
+ /* start web server */
+ system_webgui_start();
+
+ /* configure console menu */
+ system_console_configure();
+
+ /* start dnsmasq service */
+ services_dnsmasq_configure();
+
+ /* start dyndns service */
+ services_dyndns_configure();
+
+ /* start DHCP service */
+ services_dhcpd_configure();
+
+ /* start SNMP service */
+ services_snmpd_configure();
+
+ /* start proxy ARP service */
+ services_proxyarp_configure();
+
+ /* start the NTP client */
+ system_ntp_configure();
+
+ /* start pptpd */
+ vpn_pptpd_configure();
+
+ /* start traffic shaper */
+ shaper_configure();
+
+ /* start IPsec tunnels */
+ vpn_ipsec_configure();
+
+ /* start the captive portal */
+ captiveportal_configure();
+
+ /* execute the rc scripts of extensions */
+ system_do_extensions();
+
+ /* run any shell commands specified in config.xml */
+ system_do_shell_commands();
+
+ /* done */
+ unlink("{$g['varrun_path']}/booting");
+?>
diff --git a/etc/rc.dyndns.storecache b/etc/rc.dyndns.storecache
new file mode 100755
index 0000000..180662e
--- /dev/null
+++ b/etc/rc.dyndns.storecache
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# copy cache file to /conf for permanent storage
+/sbin/umount -f /cf
+/sbin/mount -w -o noatime /cf
+/bin/cp /var/db/ez-ipupdate.cache /conf
+/sbin/umount -f /cf
+/sbin/mount -r /cf
diff --git a/etc/rc.firmware b/etc/rc.firmware
new file mode 100755
index 0000000..56fc7a4
--- /dev/null
+++ b/etc/rc.firmware
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# /etc/rc.firmware
+# part of m0n0wall (http://neon1.net/m0n0wall)
+#
+# Copyright (C) 2003 Manuel Kasper <mk@neon1.net>.
+# All rights reserved.
+
+CFDEVICE=`cat /var/etc/cfdevice`
+
+if [ $1 != "upgrade" ]; then
+ /sbin/umount -f /ftmp > /dev/null 2>&1
+fi
+
+case $1 in
+enable)
+ /sbin/mount_mfs -s 15360 -T qp120at -b 8192 -f 1024 dummy /ftmp \
+ > /dev/null 2>&1
+ ;;
+upgrade)
+ # wait 5 seconds before beginning
+ sleep 5
+
+ exec </dev/console >/dev/console 2>/dev/console
+
+ echo
+ echo "Firmware upgrade in progress..."
+
+ # backup config
+ mkdir /tmp/configbak
+ cp -p /conf/* /tmp/configbak
+
+ # unmount /cf
+ /sbin/umount -f /cf
+
+ # dd image onto card
+ if [ -r $2 ]; then
+ /usr/bin/gunzip -S "" -c $2 | dd of=/dev/r$CFDEVICE bs=16k > /dev/null 2>&1
+ echo "Image installed."
+ fi
+
+ # mount /cf
+ /sbin/mount -w -o noatime /cf
+
+ # restore config
+ cp -p /tmp/configbak/* /conf
+
+ # remount /cf ro
+ /sbin/umount -f /cf
+ /sbin/mount -r /cf
+
+ echo "Done - rebooting system..."
+ /sbin/reboot
+ ;;
+esac
diff --git a/etc/rc.initial b/etc/rc.initial
new file mode 100755
index 0000000..bece644
--- /dev/null
+++ b/etc/rc.initial
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+# /etc/rc.initial
+# part of m0n0wall (http://neon1.net/m0n0wall)
+#
+# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+# All rights reserved.
+
+# make sure the user can't kill us by pressing Ctrl-C
+trap : 2
+trap : 3
+trap : 4
+
+if [ -r /var/etc/disableconsole ]; then
+
+while : ; do
+
+echo
+echo
+echo "*** Console menu disabled. ***"
+echo
+
+read tmp
+
+done
+
+else
+
+# endless loop
+while : ; do
+
+/etc/rc.banner
+
+# display a cheap menu
+echo "m0n0wall console setup"
+echo "**********************"
+echo "1) Interfaces: assign network ports"
+echo "2) Set up LAN IP address"
+echo "3) Reset webGUI password"
+echo "4) Reset to factory defaults"
+echo "5) Reboot system"
+echo "6) Ping host"
+echo "7) Shell"
+echo
+
+read -p "Enter a number: " opmode
+
+# see what the user has chosen
+case ${opmode} in
+1)
+ /etc/rc.initial.setports
+ ;;
+2)
+ /etc/rc.initial.setlanip
+ ;;
+3)
+ /etc/rc.initial.password
+ ;;
+4)
+ /etc/rc.initial.defaults
+ ;;
+5)
+ /etc/rc.initial.reboot
+ ;;
+6)
+ /etc/rc.initial.ping
+ ;;
+7)
+ set prompt = "\n`/bin/hostname -s`# "
+ /bin/sh
+ ;;
+esac
+
+done
+
+fi
diff --git a/etc/rc.initial.defaults b/etc/rc.initial.defaults
new file mode 100755
index 0000000..8e33fd2
--- /dev/null
+++ b/etc/rc.initial.defaults
@@ -0,0 +1,61 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.defaults
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* don't parse the config so we can restore in case it's broken */
+ $noparseconfig = 1;
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ echo <<<EOD
+
+You are about to reset the firewall to factory defaults.
+The firewall will reboot after resetting the configuration.
+
+Do you want to proceed? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0) {
+
+ reset_factory_defaults();
+
+ echo <<<EOD
+
+The firewall is rebooting now.
+
+EOD;
+
+ system_reboot_sync();
+ }
+?>
diff --git a/etc/rc.initial.password b/etc/rc.initial.password
new file mode 100755
index 0000000..7859e2c
--- /dev/null
+++ b/etc/rc.initial.password
@@ -0,0 +1,65 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.password
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ echo <<<EOD
+
+The webGUI password will be reset to the default (which is 'mono').
+
+Do you want to proceed? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0) {
+
+ $config['system']['password'] = crypt("mono");
+
+ write_config();
+ system_password_configure();
+
+ echo <<<EOD
+
+The password for the webGUI has been reset.
+
+Remember to set the password to something else than
+the default as soon as you have logged into the webGUI.
+
+Press ENTER to continue.
+
+EOD;
+
+ fgets($fp);
+ }
+?>
diff --git a/etc/rc.initial.ping b/etc/rc.initial.ping
new file mode 100755
index 0000000..d069566
--- /dev/null
+++ b/etc/rc.initial.ping
@@ -0,0 +1,47 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.ping
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ echo "\nEnter a host name or IP address: ";
+
+ $pinghost = chop(fgets($fp));
+ if ($pinghost) {
+ echo "\n";
+ passthru("/sbin/ping -c 3 -n " . escapeshellarg($pinghost));
+ echo "\nPress ENTER to continue.\n";
+ fgets($fp);
+ }
+?>
diff --git a/etc/rc.initial.reboot b/etc/rc.initial.reboot
new file mode 100755
index 0000000..053d492
--- /dev/null
+++ b/etc/rc.initial.reboot
@@ -0,0 +1,55 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.reboot
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ echo <<<EOD
+
+The firewall will reboot. This may take one minute.
+
+Do you want to proceed? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0) {
+
+ echo <<<EOD
+
+The firewall is rebooting now.
+
+EOD;
+
+ system_reboot_sync();
+ }
+?>
diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip
new file mode 100755
index 0000000..99fd922
--- /dev/null
+++ b/etc/rc.initial.setlanip
@@ -0,0 +1,117 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.setlanip
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ do {
+ echo "\nEnter the new LAN IP address: ";
+ $lanip = chop(fgets($fp));
+ if ($lanip === "") {
+ exit(0);
+ }
+ } while (!is_ipaddr($lanip));
+
+ echo "\nSubnet masks are entered as bit counts (as in CIDR notation) in m0n0wall.\n";
+ echo "e.g. 255.255.255.0 = 24\n";
+ echo " 255.255.0.0 = 16\n";
+ echo " 255.0.0.0 = 8\n\n";
+
+ do {
+ echo "Enter the new LAN subnet bit count: ";
+ $lanbits = chop(fgets($fp));
+ if ($lanbits === "") {
+ exit(0);
+ }
+ } while (!is_numeric($lanbits) || ($lanbits < 1) || ($lanbits > 31));
+
+ $config['interfaces']['lan']['ipaddr'] = $lanip;
+ $config['interfaces']['lan']['subnet'] = $lanbits;
+
+ echo "\nDo you want to enable the DHCP server on LAN? (y/n) ";
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0) {
+ do {
+ echo "Enter the start address of the client address range: ";
+ $dhcpstartip = chop(fgets($fp));
+ if ($dhcpstartip === "") {
+ exit(0);
+ }
+ } while (!is_ipaddr($dhcpstartip));
+
+ do {
+ echo "Enter the end address of the client address range: ";
+ $dhcpendip = chop(fgets($fp));
+ if ($dhcpendip === "") {
+ exit(0);
+ }
+ } while (!is_ipaddr($dhcpendip));
+
+ $config['dhcpd']['lan']['enable'] = true;
+ $config['dhcpd']['lan']['range']['from'] = $dhcpstartip;
+ $config['dhcpd']['lan']['range']['to'] = $dhcpendip;
+ } else {
+ unset($config['dhcpd']['lan']['enable']);
+ }
+
+ if ($config['system']['webgui']['protocol'] == "https") {
+
+ echo "\nDo you want to revert to HTTP as the webGUI protocol? (y/n) ";
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0)
+ $config['system']['webgui']['protocol'] = "http";
+ }
+
+ if (isset($config['system']['webgui']['noantilockout'])) {
+ echo "\nNote: the anti-lockout rule on LAN has been re-enabled.\n";
+ unset($config['system']['webgui']['noantilockout']);
+ }
+
+ write_config();
+ interfaces_lan_configure();
+
+ echo <<<EOD
+
+The LAN IP address has been set to $lanip/$lanbits.
+You can now access the webGUI by opening the following URL
+in your browser:
+
+http://$lanip/
+
+Press ENTER to continue.
+
+EOD;
+
+ fgets($fp);
+?>
diff --git a/etc/rc.initial.setports b/etc/rc.initial.setports
new file mode 100755
index 0000000..049879a
--- /dev/null
+++ b/etc/rc.initial.setports
@@ -0,0 +1,303 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.initial.setports
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ $fp = fopen('php://stdin', 'r');
+
+ $iflist = get_interface_list();
+
+ echo <<<EOD
+
+Valid interfaces are:
+
+
+EOD;
+
+ foreach ($iflist as $iface => $ifa) {
+ echo sprintf("% -8s%s%s\n", $iface, $ifa['mac'],
+ $ifa['up'] ? " (up)" : "");
+ }
+
+ echo <<<EOD
+
+Do you want to set up VLANs first?
+If you're not going to use VLANs, or only for optional interfaces, you
+should say no here and use the webGUI to configure VLANs later, if required.
+
+Do you want to set up VLANs now? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0)
+ vlan_setup();
+
+ if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
+
+ echo "\n\nVLAN interfaces:\n\n";
+ $i = 0;
+ foreach ($config['vlans']['vlan'] as $vlan) {
+
+ echo sprintf("% -8s%s\n", "vlan{$i}",
+ "VLAN tag {$vlan['tag']}, interface {$vlan['if']}");
+
+ $iflist['vlan' . $i] = array();
+ $i++;
+ }
+ }
+
+ echo <<<EOD
+
+If you don't know the names of your interfaces, you may choose to use
+auto-detection. In that case, disconnect all interfaces before you begin,
+and reconnect each one when prompted to do so.
+
+EOD;
+
+ do {
+ echo "\nEnter the LAN interface name or 'a' for auto-detection: ";
+ $lanif = chop(fgets($fp));
+ if ($lanif === "") {
+ exit(0);
+ }
+
+ if ($lanif === "a")
+ $lanif = autodetect_interface("LAN", $fp);
+ else if (!array_key_exists($lanif, $iflist)) {
+ echo "\nInvalid interface name '{$lanif}'\n";
+ unset($lanif);
+ continue;
+ }
+ } while (!$lanif);
+
+ do {
+ echo "\nEnter the WAN interface name or 'a' for auto-detection: ";
+ $wanif = chop(fgets($fp));
+ if ($wanif === "") {
+ exit(0);
+ }
+ if ($wanif === "a")
+ $wanif = autodetect_interface("WAN", $fp);
+ else if (!array_key_exists($wanif, $iflist)) {
+ echo "\nInvalid interface name '{$wanif}'\n";
+ unset($wanif);
+ continue;
+ }
+ } while (!$wanif);
+
+ /* optional interfaces */
+ $i = 0;
+ $optif = array();
+
+ while (1) {
+ if ($optif[$i])
+ $i++;
+ $i1 = $i + 1;
+ echo "\nEnter the Optional {$i1} interface name or 'a' for auto-detection\n" .
+ "(or nothing if finished): ";
+ $optif[$i] = chop(fgets($fp));
+
+ if ($optif[$i]) {
+ if ($optif[$i] === "a") {
+ $ad = autodetect_interface("Optional " . $i1, $fp);
+ if ($ad)
+ $optif[$i] = $ad;
+ else
+ unset($optif[$i]);
+ } else if (!array_key_exists($optif[$i], $iflist)) {
+ echo "\nInvalid interface name '{$optif[$i]}'\n";
+ unset($optif[$i]);
+ continue;
+ }
+ } else {
+ unset($optif[$i]);
+ break;
+ }
+ }
+
+ /* check for double assignments */
+ $ifarr = array_merge(array($lanif, $wanif), $optif);
+
+ for ($i = 0; $i < (count($ifarr)-1); $i++) {
+ for ($j = ($i+1); $j < count($ifarr); $j++) {
+ if ($ifarr[$i] == $ifarr[$j]) {
+ echo <<<EOD
+
+Error: you can't assign the same interface name twice!
+
+EOD;
+
+ exit(0);
+ }
+ }
+ }
+
+ echo <<<EOD
+
+The interfaces will be assigned as follows:
+
+LAN -> {$lanif}
+WAN -> {$wanif}
+
+EOD;
+
+ for ($i = 0; $i < count($optif); $i++) {
+ echo "OPT" . ($i+1) . " -> " . $optif[$i] . "\n";
+ }
+
+echo <<<EOD
+
+The firewall will reboot after saving the changes.
+
+Do you want to proceed? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") == 0) {
+
+ $config['interfaces']['lan']['if'] = $lanif;
+ if (preg_match("/^(wi|awi|an)/", $lanif)) {
+ if (!is_array($config['interfaces']['lan']['wireless']))
+ $config['interfaces']['lan']['wireless'] = array();
+ } else {
+ unset($config['interfaces']['lan']['wireless']);
+ }
+
+ $config['interfaces']['wan']['if'] = $wanif;
+ if (preg_match("/^(wi|awi|an)/", $wanif)) {
+ if (!is_array($config['interfaces']['wan']['wireless']))
+ $config['interfaces']['wan']['wireless'] = array();
+ } else {
+ unset($config['interfaces']['wan']['wireless']);
+ }
+
+ for ($i = 0; $i < count($optif); $i++) {
+ if (!is_array($config['interfaces']['opt' . ($i+1)]))
+ $config['interfaces']['opt' . ($i+1)] = array();
+
+ $config['interfaces']['opt' . ($i+1)]['if'] = $optif[$i];
+
+ /* wireless interface? */
+ if (preg_match("/^(wi|awi|an)/", $optif[$i])) {
+ if (!is_array($config['interfaces']['opt' . ($i+1)]['wireless']))
+ $config['interfaces']['opt' . ($i+1)]['wireless'] = array();
+ } else {
+ unset($config['interfaces']['opt' . ($i+1)]['wireless']);
+ }
+
+ unset($config['interfaces']['opt' . ($i+1)]['enable']);
+ $config['interfaces']['opt' . ($i+1)]['descr'] = "OPT" . ($i+1);
+ }
+
+ /* remove all other (old) optional interfaces */
+ for (; isset($config['interfaces']['opt' . ($i+1)]); $i++)
+ unset($config['interfaces']['opt' . ($i+1)]);
+
+ write_config();
+
+ echo <<<EOD
+
+The firewall is rebooting now.
+
+EOD;
+
+ system_reboot_sync();
+ }
+
+ function autodetect_interface($ifname, $fp) {
+ $iflist_prev = get_interface_list();
+ echo <<<EOD
+
+Connect the {$ifname} interface now and make sure that the link is up.
+Then press ENTER to continue.
+
+EOD;
+ fgets($fp);
+ $iflist = get_interface_list();
+
+ foreach ($iflist_prev as $ifn => $ifa) {
+ if (!$ifa['up'] && $iflist[$ifn]['up']) {
+ echo "Detected link-up on interface {$ifn}.\n";
+ return $ifn;
+ }
+ }
+
+ echo "No link-up detected.\n";
+
+ return null;
+ }
+
+ function vlan_setup() {
+ global $iflist, $config, $g, $fp;
+
+ if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) {
+
+ echo <<<EOD
+
+WARNING: all existing VLANs will be cleared if you proceed!
+
+Do you want to proceed? (y/n)
+EOD;
+
+ if (strcasecmp(chop(fgets($fp)), "y") != 0)
+ return;
+ }
+
+ $config['vlans']['vlan'] = array();
+ echo "\n";
+
+ while (1) {
+ $vlan = array();
+
+ echo "\nEnter the parent interface name for the new VLAN (or nothing if finished): ";
+ $vlan['if'] = chop(fgets($fp));
+
+ if ($vlan['if']) {
+ if (!array_key_exists($vlan['if'], $iflist)) {
+ echo "\nInvalid interface name '{$vlan['if']}'\n";
+ continue;
+ }
+ } else {
+ break;
+ }
+
+ echo "Enter the VLAN tag (1-4094): ";
+ $vlan['tag'] = chop(fgets($fp));
+
+ if (!is_numericint($vlan['tag']) || ($vlan['tag'] < 1) || ($vlan['tag'] > 4094)) {
+ echo "\nInvalid VLAN tag '{$vlan['tag']}'\n";
+ continue;
+ }
+
+ $config['vlans']['vlan'][] = $vlan;
+ }
+ }
+?>
diff --git a/etc/rc.newwanip b/etc/rc.newwanip
new file mode 100755
index 0000000..5328028
--- /dev/null
+++ b/etc/rc.newwanip
@@ -0,0 +1,83 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.newwanip
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ /* WAN IP address has changed */
+
+ /* make sure to wait until the boot scripts have finished
+ while (file_exists("{$g['varrun_path']}/booting")) {
+ sleep(1);
+ }
+ */
+
+ $curwanip = get_current_wan_address();
+
+ /* dhclient or MPD told us that the IP address has changed;
+ let's see if that's really true to avoid reloading things
+ when it's not really necessary (dhclient likes to
+ execute its dhclient-exit-hooks also on renewals)
+ */
+ if (file_exists("{$g['vardb_path']}/wanip")) {
+ $oldwanip = chop(file_get_contents("{$g['vardb_path']}/wanip"));
+
+ if ($curwanip == $oldwanip)
+ return 0; /* nothing to do */
+ }
+
+ /* resync ipfilter */
+ filter_resync();
+
+ /* flush NAT table */
+ filter_flush_nat_table();
+
+ /* reconfigure IPsec tunnels */
+ vpn_ipsec_configure(true);
+
+ /* regenerate resolv.conf if DNS overrides are allowed or the BigPond
+ client is enabled */
+ if (isset($config['system']['dnsallowoverride']) ||
+ ($config['interfaces']['wan']['ipaddr'] == "bigpond"))
+ system_resolvconf_generate(true);
+
+ /* fire up the BigPond client, if necessary */
+ if ($config['interfaces']['wan']['ipaddr'] == "bigpond")
+ interfaces_wan_bigpond_configure($curwanip);
+
+ /* write current WAN IP to file */
+ $fd = @fopen("{$g['vardb_path']}/wanip", "w");
+ if ($fd) {
+ fwrite($fd, $curwanip);
+ fclose($fd);
+ }
+?>
diff --git a/etc/rc.prunecaptiveportal b/etc/rc.prunecaptiveportal
new file mode 100755
index 0000000..108b029
--- /dev/null
+++ b/etc/rc.prunecaptiveportal
@@ -0,0 +1,37 @@
+#!/usr/local/bin/php -f
+<?php
+/*
+ rc.prunecaptiveportal
+ part of m0n0wall (http://m0n0.ch/wall)
+
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+ /* parse the configuration and include all functions used below */
+ require_once("config.inc");
+ require_once("functions.inc");
+
+ captiveportal_prune_old();
+?>
diff --git a/etc/rc.reboot b/etc/rc.reboot
new file mode 100755
index 0000000..2b3eb08
--- /dev/null
+++ b/etc/rc.reboot
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+sleep 1
+
+/sbin/reboot
diff --git a/etc/rc.shutdown b/etc/rc.shutdown
new file mode 100755
index 0000000..1deb79a
--- /dev/null
+++ b/etc/rc.shutdown
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+stty status '^T'
+
+# Set shell to ignore SIGINT (2), but not children;
+# shell catches SIGQUIT (3) and returns to single user after fsck.
+trap : 2
+trap : 3 # shouldn't be needed
+
+HOME=/
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
+export HOME PATH
+
+# Insert other shutdown procedures here
+
+exit 0
+
diff --git a/etc/services b/etc/services
new file mode 100644
index 0000000..c583eac
--- /dev/null
+++ b/etc/services
@@ -0,0 +1,2106 @@
+#
+# Network services, Internet style
+#
+# Note that it is presently the policy of IANA to assign a single well-known
+# port number for both TCP and UDP; hence, most entries here have two entries
+# even if the protocol doesn't support UDP operations.
+#
+# The latest IANA port assignments can be gotten from
+#
+# http://www.iana.org/assignments/port-numbers
+#
+# The Well Known Ports are those from 0 through 1023.
+# The Registered Ports are those from 1024 through 49151
+# The Dynamic and/or Private Ports are those from 49152 through 65535
+#
+# Kerberos services are for Kerberos v4, and are unofficial. Sites running
+# v5 should uncomment v5 entries and comment v4 entries.
+#
+# $FreeBSD: src/etc/services,v 1.62.2.12 2003/02/01 16:48:17 schweikh Exp $
+# From: @(#)services 5.8 (Berkeley) 5/9/91
+#
+# WELL KNOWN PORT NUMBERS
+#
+rtmp 1/ddp #Routing Table Maintenance Protocol
+tcpmux 1/tcp #TCP Port Service Multiplexer
+tcpmux 1/udp #TCP Port Service Multiplexer
+nbp 2/ddp #Name Binding Protocol
+compressnet 2/tcp #Management Utility
+compressnet 2/udp #Management Utility
+compressnet 3/tcp #Compression Process
+compressnet 3/udp #Compression Process
+echo 4/ddp #AppleTalk Echo Protocol
+rje 5/tcp #Remote Job Entry
+rje 5/udp #Remote Job Entry
+zip 6/ddp #Zone Information Protocol
+echo 7/tcp
+echo 7/udp
+discard 9/tcp sink null
+discard 9/udp sink null
+systat 11/tcp users #Active Users
+systat 11/udp users #Active Users
+daytime 13/tcp
+daytime 13/udp
+qotd 17/tcp quote #Quote of the Day
+qotd 17/udp quote #Quote of the Day
+msp 18/tcp #Message Send Protocol
+msp 18/udp #Message Send Protocol
+chargen 19/tcp ttytst source #Character Generator
+chargen 19/udp ttytst source #Character Generator
+ftp-data 20/tcp #File Transfer [Default Data]
+ftp-data 20/udp #File Transfer [Default Data]
+ftp 21/tcp #File Transfer [Control]
+ftp 21/udp #File Transfer [Control]
+ssh 22/tcp #Secure Shell Login
+ssh 22/udp #Secure Shell Login
+telnet 23/tcp
+telnet 23/udp
+# 24/tcp any private mail system
+# 24/udp any private mail system
+smtp 25/tcp mail #Simple Mail Transfer
+smtp 25/udp mail #Simple Mail Transfer
+nsw-fe 27/tcp #NSW User System FE
+nsw-fe 27/udp #NSW User System FE
+msg-icp 29/tcp #MSG ICP
+msg-icp 29/udp #MSG ICP
+msg-auth 31/tcp #MSG Authentication
+msg-auth 31/udp #MSG Authentication
+dsp 33/tcp #Display Support Protocol
+dsp 33/udp #Display Support Protocol
+# 35/tcp any private printer server
+# 35/udp any private printer server
+time 37/tcp timserver
+time 37/udp timserver
+rap 38/tcp #Route Access Protocol
+rap 38/udp #Route Access Protocol
+rlp 39/tcp resource #Resource Location Protocol
+rlp 39/udp resource #Resource Location Protocol
+graphics 41/tcp
+graphics 41/udp
+nameserver 42/tcp name #Host Name Server
+nameserver 42/udp name #Host Name Server
+nicname 43/tcp whois
+nicname 43/udp whois
+mpm-flags 44/tcp #MPM FLAGS Protocol
+mpm-flags 44/udp #MPM FLAGS Protocol
+mpm 45/tcp #Message Processing Module [recv]
+mpm 45/udp #Message Processing Module [recv]
+mpm-snd 46/tcp #MPM [default send]
+mpm-snd 46/udp #MPM [default send]
+ni-ftp 47/tcp #NI FTP
+ni-ftp 47/udp #NI FTP
+auditd 48/tcp #Digital Audit Daemon
+auditd 48/udp #Digital Audit Daemon
+tacacs 49/tcp #Login Host Protocol (TACACS)
+tacacs 49/udp #Login Host Protocol (TACACS)
+re-mail-ck 50/tcp #Remote Mail Checking Protocol
+re-mail-ck 50/udp #Remote Mail Checking Protocol
+la-maint 51/tcp #IMP Logical Address Maintenance
+la-maint 51/udp #IMP Logical Address Maintenance
+xns-time 52/tcp #XNS Time Protocol
+xns-time 52/udp #XNS Time Protocol
+domain 53/tcp #Domain Name Server
+domain 53/udp #Domain Name Server
+xns-ch 54/tcp #XNS Clearinghouse
+xns-ch 54/udp #XNS Clearinghouse
+isi-gl 55/tcp #ISI Graphics Language
+isi-gl 55/udp #ISI Graphics Language
+xns-auth 56/tcp #XNS Authentication
+xns-auth 56/udp #XNS Authentication
+mtp 57/tcp # deprecated
+#PROBLEMS!==============================================================
+# 57/tcp any private terminal access
+#PROBLEMS!==============================================================
+# 57/udp any private terminal access
+xns-mail 58/tcp #XNS Mail
+xns-mail 58/udp #XNS Mail
+# 59/tcp any private file service
+# 59/udp any private file service
+ni-mail 61/tcp #NI MAIL
+ni-mail 61/udp #NI MAIL
+acas 62/tcp #ACA Services
+acas 62/udp #ACA Services
+whois++ 63/tcp
+whois++ 63/udp
+covia 64/tcp #Communications Integrator (CI)
+covia 64/udp #Communications Integrator (CI)
+tacacs-ds 65/tcp #TACACS-Database Service
+tacacs-ds 65/udp #TACACS-Database Service
+sql*net 66/tcp #Oracle SQL*NET
+sql*net 66/udp #Oracle SQL*NET
+bootps 67/tcp dhcps #Bootstrap Protocol Server
+bootps 67/udp dhcps #Bootstrap Protocol Server
+bootpc 68/tcp dhcpc #Bootstrap Protocol Client
+bootpc 68/udp dhcpc #Bootstrap Protocol Client
+tftp 69/tcp #Trivial File Transfer
+tftp 69/udp #Trivial File Transfer
+gopher 70/tcp
+gopher 70/udp
+netrjs-1 71/tcp #Remote Job Service
+netrjs-1 71/udp #Remote Job Service
+netrjs-2 72/tcp #Remote Job Service
+netrjs-2 72/udp #Remote Job Service
+netrjs-3 73/tcp #Remote Job Service
+netrjs-3 73/udp #Remote Job Service
+netrjs-4 74/tcp #Remote Job Service
+netrjs-4 74/udp #Remote Job Service
+# 75/tcp any private dial out service
+# 75/udp any private dial out service
+deos 76/tcp #Distributed External Object Store
+deos 76/udp #Distributed External Object Store
+netrjs 77/tcp
+#PROBLEMS!==============================================================
+# 77/tcp any private RJE service
+#PROBLEMS!==============================================================
+# 77/udp any private RJE service
+vettcp 78/tcp
+vettcp 78/udp
+finger 79/tcp
+finger 79/udp
+http 80/tcp www www-http #World Wide Web HTTP
+http 80/udp www www-http #World Wide Web HTTP
+hosts2-ns 81/tcp #HOSTS2 Name Server
+hosts2-ns 81/udp #HOSTS2 Name Server
+xfer 82/tcp #XFER Utility
+xfer 82/udp #XFER Utility
+mit-ml-dev 83/tcp #MIT ML Device
+mit-ml-dev 83/udp #MIT ML Device
+ctf 84/tcp #Common Trace Facility
+ctf 84/udp #Common Trace Facility
+mit-ml-dev 85/tcp #MIT ML Device
+mit-ml-dev 85/udp #MIT ML Device
+mfcobol 86/tcp #Micro Focus Cobol
+mfcobol 86/udp #Micro Focus Cobol
+ttylink 87/tcp
+#PROBLEMS!===========================================================
+# 87/tcp any private terminal link
+#PROBLEMS!===========================================================
+# 87/udp any private terminal link
+kerberos-sec 88/tcp kerberos # krb5 # Kerberos (v5)
+kerberos-sec 88/udp kerberos # krb5 # Kerberos (v5)
+su-mit-tg 89/tcp #SU/MIT Telnet Gateway
+su-mit-tg 89/udp #SU/MIT Telnet Gateway
+dnsix 90/tcp #DNSIX Securit Attribute Token Map
+dnsix 90/udp #DNSIX Securit Attribute Token Map
+mit-dov 91/tcp #MIT Dover Spooler
+mit-dov 91/udp #MIT Dover Spooler
+npp 92/tcp #Network Printing Protocol
+npp 92/udp #Network Printing Protocol
+dcp 93/tcp #Device Control Protocol
+dcp 93/udp #Device Control Protocol
+objcall 94/tcp #Tivoli Object Dispatcher
+objcall 94/udp #Tivoli Object Dispatcher
+supdup 95/tcp
+supdup 95/udp
+dixie 96/tcp #DIXIE Protocol Specification
+dixie 96/udp #DIXIE Protocol Specification
+swift-rvf 97/tcp #Swift Remote Virtural File Protocol
+swift-rvf 97/udp #Swift Remote Virtural File Protocol
+tacnews 98/tcp #TAC News, Unofficial: Red Hat linuxconf
+tacnews 98/udp #TAC News, Unofficial: Red Hat linuxconf
+metagram 99/tcp #Metagram Relay
+metagram 99/udp #Metagram Relay
+newacct 100/tcp #[unauthorized use]
+hostname 101/tcp hostnames #NIC Host Name Server
+hostname 101/udp hostnames #NIC Host Name Server
+iso-tsap 102/tcp tsap #ISO-TSAP Class 0
+iso-tsap 102/udp tsap #ISO-TSAP Class 0
+gppitnp 103/tcp #Genesis Point-to-Point Trans Net
+gppitnp 103/udp #Genesis Point-to-Point Trans Net
+acr-nema 104/tcp #ACR-NEMA Digital Imag. & Comm. 300
+acr-nema 104/udp #ACR-NEMA Digital Imag. & Comm. 300
+csnet-ns 105/tcp cso-ns cso #Mailbox Name Nameserver
+csnet-ns 105/udp cso-ns cso #Mailbox Name Nameserver
+pop3pw 106/tcp 3com-tsmux #Eudora compatible PW changer
+3com-tsmux 106/udp
+rtelnet 107/tcp #Remote Telnet Service
+rtelnet 107/udp #Remote Telnet Service
+snagas 108/tcp #SNA Gateway Access Server
+snagas 108/udp #SNA Gateway Access Server
+pop2 109/tcp postoffice #Post Office Protocol - Version 2
+pop2 109/udp postoffice #Post Office Protocol - Version 2
+pop3 110/tcp #Post Office Protocol - Version 3
+pop3 110/udp #Post Office Protocol - Version 3
+sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
+sunrpc 111/udp rpcbind #SUN Remote Procedure Call
+mcidas 112/tcp #McIDAS Data Transmission Protocol
+mcidas 112/udp #McIDAS Data Transmission Protocol
+auth 113/tcp ident tap #Authentication Service
+auth 113/udp ident tap #Authentication Service
+audionews 114/tcp #Audio News Multicast
+audionews 114/udp #Audio News Multicast
+sftp 115/tcp #Simple File Transfer Protocol
+sftp 115/udp #Simple File Transfer Protocol
+ansanotify 116/tcp #ANSA REX Notify
+ansanotify 116/udp #ANSA REX Notify
+uucp-path 117/tcp #UUCP Path Service
+uucp-path 117/udp #UUCP Path Service
+sqlserv 118/tcp #SQL Services
+sqlserv 118/udp #SQL Services
+nntp 119/tcp usenet #Network News Transfer Protocol
+nntp 119/udp usenet #Network News Transfer Protocol
+cfdptkt 120/tcp
+cfdptkt 120/udp
+erpc 121/tcp #Encore Expedited Remote Pro.Call
+erpc 121/udp #Encore Expedited Remote Pro.Call
+smakynet 122/tcp
+smakynet 122/udp
+ntp 123/tcp #Network Time Protocol
+ntp 123/udp #Network Time Protocol
+ansatrader 124/tcp #ANSA REX Trader
+ansatrader 124/udp #ANSA REX Trader
+locus-map 125/tcp #Locus PC-Interface Net Map Ser
+locus-map 125/udp #Locus PC-Interface Net Map Ser
+unitary 126/tcp #Unisys Unitary Login
+unitary 126/udp #Unisys Unitary Login
+locus-con 127/tcp #Locus PC-Interface Conn Server
+locus-con 127/udp #Locus PC-Interface Conn Server
+gss-xlicen 128/tcp #GSS X License Verification
+gss-xlicen 128/udp #GSS X License Verification
+pwdgen 129/tcp #Password Generator Protocol
+pwdgen 129/udp #Password Generator Protocol
+cisco-fna 130/tcp #cisco FNATIVE
+cisco-fna 130/udp #cisco FNATIVE
+cisco-tna 131/tcp #cisco TNATIVE
+cisco-tna 131/udp #cisco TNATIVE
+cisco-sys 132/tcp #cisco SYSMAINT
+cisco-sys 132/udp #cisco SYSMAINT
+statsrv 133/tcp #Statistics Service
+statsrv 133/udp #Statistics Service
+ingres-net 134/tcp #INGRES-NET Service
+ingres-net 134/udp #INGRES-NET Service
+loc-srv 135/tcp epmap #Location Service
+loc-srv 135/udp epmap #Location Service
+profile 136/tcp #PROFILE Naming System
+profile 136/udp #PROFILE Naming System
+netbios-ns 137/tcp #NETBIOS Name Service
+netbios-ns 137/udp #NETBIOS Name Service
+netbios-dgm 138/tcp #NETBIOS Datagram Service
+netbios-dgm 138/udp #NETBIOS Datagram Service
+netbios-ssn 139/tcp #NETBIOS Session Service
+netbios-ssn 139/udp #NETBIOS Session Service
+emfis-data 140/tcp #EMFIS Data Service
+emfis-data 140/udp #EMFIS Data Service
+emfis-cntl 141/tcp #EMFIS Control Service
+emfis-cntl 141/udp #EMFIS Control Service
+bl-idm 142/tcp #Britton-Lee IDM
+bl-idm 142/udp #Britton-Lee IDM
+imap 143/tcp imap2 imap4 #Interim Mail Access Protocol v2
+imap 143/udp imap2 imap4 #Interim Mail Access Protocol v2
+NeWS 144/tcp # Window System
+NeWS 144/udp # Window System
+#PROBLEMS!==============================================================
+#uma 144/tcp #Universal Management Architecture
+#uma 144/udp #Universal Management Architecture
+#PROBLEMS!==============================================================
+uaac 145/tcp #UAAC Protocol
+uaac 145/udp #UAAC Protocol
+iso-tp0 146/tcp
+iso-tp0 146/udp
+iso-ip 147/tcp
+iso-ip 147/udp
+cronus 148/tcp jargon #CRONUS-SUPPORT
+cronus 148/udp jargon #CRONUS-SUPPORT
+aed-512 149/tcp #AED 512 Emulation Service
+aed-512 149/udp #AED 512 Emulation Service
+sql-net 150/tcp
+sql-net 150/udp
+hems 151/tcp
+hems 151/udp
+bftp 152/tcp #Background File Transfer Program
+bftp 152/udp #Background File Transfer Program
+sgmp 153/tcp
+sgmp 153/udp
+netsc-prod 154/tcp
+netsc-prod 154/udp
+netsc-dev 155/tcp
+netsc-dev 155/udp
+sqlsrv 156/tcp #SQL Service
+sqlsrv 156/udp #SQL Service
+knet-cmp 157/tcp #KNET/VM Command/Message Protocol
+knet-cmp 157/udp #KNET/VM Command/Message Protocol
+pcmail-srv 158/tcp #PCMail Server
+pcmail-srv 158/udp #PCMail Server
+nss-routing 159/tcp
+nss-routing 159/udp
+sgmp-traps 160/tcp
+sgmp-traps 160/udp
+snmp 161/tcp
+snmp 161/udp
+snmptrap 162/tcp snmp-trap
+snmptrap 162/udp snmp-trap
+cmip-man 163/tcp #CMIP/TCP Manager
+cmip-man 163/udp #CMIP/TCP Manager
+cmip-agent 164/tcp #CMIP/TCP Agent
+smip-agent 164/udp #CMIP/TCP Agent
+xns-courier 165/tcp #Xerox
+xns-courier 165/udp #Xerox
+s-net 166/tcp #Sirius Systems
+s-net 166/udp #Sirius Systems
+namp 167/tcp
+namp 167/udp
+rsvd 168/tcp
+rsvd 168/udp
+send 169/tcp
+send 169/udp
+print-srv 170/tcp #Network PostScript
+print-srv 170/udp #Network PostScript
+multiplex 171/tcp #Network Innovations Multiplex
+multiplex 171/udp #Network Innovations Multiplex
+cl/1 172/tcp #Network Innovations CL/1
+cl/1 172/udp #Network Innovations CL/1
+xyplex-mux 173/tcp
+xyplex-mux 173/udp
+mailq 174/tcp
+mailq 174/udp
+vmnet 175/tcp
+vmnet 175/udp
+genrad-mux 176/tcp
+genrad-mux 176/udp
+xdmcp 177/tcp #X Display Manager Control Protocol
+xdmcp 177/udp #X Display Manager Control Protocol
+NextStep 178/tcp nextstep NeXTStep #NextStep Window Server
+NextStep 178/udp nextstep NeXTStep #NextStep Window Server
+bgp 179/tcp #Border Gateway Protocol
+bgp 179/udp #Border Gateway Protocol
+ris 180/tcp #Intergraph
+ris 180/udp #Intergraph
+unify 181/tcp
+unify 181/udp
+audit 182/tcp #Unisys Audit SITP
+audit 182/udp #Unisys Audit SITP
+ocbinder 183/tcp
+ocbinder 183/udp
+ocserver 184/tcp
+ocserver 184/udp
+remote-kis 185/tcp
+remote-kis 185/udp
+kis 186/tcp #KIS Protocol
+kis 186/udp #KIS Protocol
+aci 187/tcp #Application Communication Interface
+aci 187/udp #Application Communication Interface
+mumps 188/tcp #Plus Five's MUMPS
+mumps 188/udp #Plus Five's MUMPS
+qft 189/tcp #Queued File Transport
+qft 189/udp #Queued File Transport
+gacp 190/tcp #Gateway Access Control Protocol
+gacp 190/udp cacp #Gateway Access Control Protocol
+prospero 191/tcp #Prospero Directory Service
+prospero 191/udp #Prospero Directory Service
+osu-nms 192/tcp #OSU Network Monitoring System
+osu-nms 192/udp #OSU Network Monitoring System
+srmp 193/tcp #Spider Remote Monitoring Protocol
+srmp 193/udp #Spider Remote Monitoring Protocol
+irc 194/tcp #Internet Relay Chat Protocol
+irc 194/udp #Internet Relay Chat Protocol
+dn6-nlm-aud 195/tcp #DNSIX Network Level Module Audit
+dn6-nlm-aud 195/udp #DNSIX Network Level Module Audit
+dn6-smm-red 196/tcp #DNSIX Session Mgt Module Audit Redir
+dn6-smm-red 196/udp #DNSIX Session Mgt Module Audit Redir
+dls 197/tcp #Directory Location Service
+dls 197/udp #Directory Location Service
+dls-mon 198/tcp #Directory Location Service Monitor
+dls-mon 198/udp #Directory Location Service Monitor
+smux 199/tcp
+smux 199/udp
+src 200/tcp #IBM System Resource Controller
+src 200/udp #IBM System Resource Controller
+at-rtmp 201/tcp #AppleTalk Routing Maintenance
+at-rtmp 201/udp #AppleTalk Routing Maintenance
+at-nbp 202/tcp #AppleTalk Name Binding
+at-nbp 202/udp #AppleTalk Name Binding
+at-3 203/tcp #AppleTalk Unused
+at-3 203/udp #AppleTalk Unused
+at-echo 204/tcp #AppleTalk Echo
+at-echo 204/udp #AppleTalk Echo
+at-5 205/tcp #AppleTalk Unused
+at-5 205/udp #AppleTalk Unused
+at-zis 206/tcp #AppleTalk Zone Information
+at-zis 206/udp #AppleTalk Zone Information
+at-7 207/tcp #AppleTalk Unused
+at-7 207/udp #AppleTalk Unused
+at-8 208/tcp #AppleTalk Unused
+at-8 208/udp #AppleTalk Unused
+qmtp 209/tcp #The Quick Mail Transfer Protocol
+qmtp 209/udp #The Quick Mail Transfer Protocol
+#PROBLEMS!==============================================================
+#tam 209/tcp #Trivial Authenticated Mail Protocol
+#tam 209/udp #Trivial Authenticated Mail Protocol
+#PROBLEMS!==============================================================
+z39.50 210/tcp wais #ANSI Z39.50
+z39.50 210/udp wais #ANSI Z39.50
+914c/g 211/tcp #Texas Instruments 914C/G Terminal
+914c/g 211/udp #Texas Instruments 914C/G Terminal
+anet 212/tcp #ATEXSSTR
+anet 212/udp #ATEXSSTR
+ipx 213/tcp
+ipx 213/udp
+vmpwscs 214/tcp
+vmpwscs 214/udp
+softpc 215/tcp #Insignia Solutions
+softpc 215/udp #Insignia Solutions
+CAIlic 216/tcp atls #Computer Associates Int'l License Server
+CAIlic 216/udp atls #Computer Associates Int'l License Server
+dbase 217/tcp #dBASE Unix
+dbase 217/udp #dBASE Unix
+mpp 218/tcp #Netix Message Posting Protocol
+mpp 218/udp #Netix Message Posting Protocol
+uarps 219/tcp #Unisys ARPs
+uarps 219/udp #Unisys ARPs
+#imap3@220 was never used and never should have been allocated. See PR 46294.
+#imap3 220/tcp #Interactive Mail Access Protocol v3
+#imap3 220/udp #Interactive Mail Access Protocol v3
+fln-spx 221/tcp #Berkeley rlogind with SPX auth
+fln-spx 221/udp #Berkeley rlogind with SPX auth
+rsh-spx 222/tcp #Berkeley rshd with SPX auth
+rsh-spx 222/udp #Berkeley rshd with SPX auth
+cdc 223/tcp #Certificate Distribution Center
+cdc 223/udp #Certificate Distribution Center
+direct 242/tcp
+direct 242/udp
+sur-meas 243/tcp #Survey Measurement
+sur-meas 243/udp #Survey Measurement
+dayna 244/tcp
+dayna 244/udp
+link 245/tcp
+link 245/udp
+dsp3270 246/tcp #Display Systems Protocol
+dsp3270 246/udp #Display Systems Protocol
+subntbcst_tftp 247/tcp #subntbcst_tftp
+subntbcst_tftp 247/udp #subntbcst_tftp
+bhfhs 248/tcp
+bhfhs 248/udp
+# 249-255 reserved
+rap 256/tcp
+rap 256/udp
+set 257/tcp #secure electronic transaction
+set 257/udp #secure electronic transaction
+yak-chat 258/tcp #yak winsock personal chat
+yak-chat 258/udp #yak winsock personal chat
+esro-gen 259/tcp #efficient short remote operations
+esro-gen 259/udp #efficient short remote operations
+openport 260/tcp
+openport 260/udp
+nsiiops 261/tcp #iiop name service over tls/ssl
+nsiiops 261/udp #iiop name service over tls/ssl
+arcisdms 262/tcp
+arcisdms 262/udp
+hdap 263/tcp
+hdap 263/udp
+bgmp 264/tcp
+bgmp 264/udp
+# 265-279 unassigned
+http-mgmt 280/tcp
+http-mgmt 280/udp
+personal-link 281/tcp
+personal-link 281/udp
+cableport-ax 282/tcp #cable port a/x
+cableport-ax 282/udp #cable port a/x
+# 283-307 unassigned
+novastorbakcup 308/tcp #novastor backup
+novastorbakcup 308/udp #novastor backup
+entrusttime 309/tcp
+entrusttime 309/udp
+bhmds 310/tcp
+bhmds 310/udp
+asip-webadmin 311/tcp #appleshare ip webadmin
+asip-webadmin 311/udp #appleshare ip webadmin
+vslmp 312/tcp
+vslmp 312/udp
+magenta-logic 313/tcp
+magenta-logic 313/udp
+opalis-robot 314/tcp
+opalis-robot 314/udp
+dpsi 315/tcp
+dpsi 315/udp
+decauth 316/tcp
+decauth 316/udp
+zannet 317/tcp
+zannet 317/udp
+# 318-320 #unassigned
+pip 321/tcp
+pip 321/udp
+# 322-343 #unassigned
+pdap 344/tcp #Prospero Data Access Protocol
+pdap 344/udp #Prospero Data Access Protocol
+pawserv 345/tcp #Perf Analysis Workbench
+pawserv 345/udp #Perf Analysis Workbench
+zserv 346/tcp #Zebra server
+zserv 346/udp #Zebra server
+fatserv 347/tcp #Fatmen Server
+fatserv 347/udp #Fatmen Server
+csi-sgwp 348/tcp #Cabletron Management Protocol
+csi-sgwp 348/udp #Cabletron Management Protocol
+mftp 349/tcp
+mftp 349/udp
+matip-type-a 350/tcp #MATIP Type A
+matip-type-a 350/udp
+matip-type-b 351/tcp #MATIP Type B
+matip-type-b 351/udp
+bhoetty 351/tcp #unassigned but widespread use
+bhoetty 351/udp #unassigned but widespread use
+dtag-ste-sb 352/tcp #DTAG
+dtag-ste-sb 352/udp #DTAG
+bhoedap4 352/tcp #unassigned but widespread use
+bhoedap4 352/udp #unassigned but widespread use
+ndsauth 353/tcp
+ndsauth 353/udp
+bh611 354/tcp
+bh611 354/udp
+datex-asn 355/tcp
+datex-asn 355/udp
+cloanto-net-1 356/tcp #Cloanto Net 1
+cloanto-net-1 356/udp
+bhevent 357/tcp
+bhevent 357/udp
+shrinkwrap 358/tcp
+shrinkwrap 358/udp
+tenebris_nts 359/tcp #Tenebris Network Trace Service
+tenebris_nts 359/udp #Tenebris Network Trace Service
+scoi2odialog 360/tcp
+scoi2odialog 360/udp
+semantix 361/tcp
+semantix 361/udp
+srssend 362/tcp #SRS Send
+srssend 362/udp #SRS Send
+rsvp_tunnel 363/tcp
+rsvp_tunnel 363/udp
+aurora-cmgr 364/tcp
+aurora-cmgr 364/udp
+dtk 365/tcp #Deception Tool Kit - Fred Cohen <fc@all.net>
+dtk 365/udp #Deception Tool Kit - Fred Cohen <fc@all.net>
+odmr 366/tcp
+odmr 366/udp
+mortgageware 367/tcp
+mortgageware 367/udp
+qbikgdp 368/tcp #QbikGDP
+qbikgdp 368/udp
+rpc2portmap 369/tcp
+rpc2portmap 369/udp
+codaauth2 370/tcp
+codaauth2 370/udp
+clearcase 371/tcp
+clearcase 371/udp
+ulistserv 372/tcp ulistproc #Unix Listserv
+ulistserv 372/udp ulistproc #Unix Listserv
+legent-1 373/tcp #Legent Corporation (now Computer Associates Intl.)
+legent-1 373/udp #Legent Corporation (now Computer Associates Intl.)
+legent-2 374/tcp #Legent Corporation (now Computer Associates Intl.)
+legent-2 374/udp #Legent Corporation (now Computer Associates Intl.)
+hassle 375/tcp
+hassle 375/udp
+nip 376/tcp #Amiga Envoy Network Inquiry Proto
+nip 376/udp #Amiga Envoy Network Inquiry Proto
+tnETOS 377/tcp #NEC Corporation
+tnETOS 377/udp #NEC Corporation
+dsETOS 378/tcp #NEC Corporation
+dsETOS 378/udp #NEC Corporation
+is99c 379/tcp #TIA/EIA/IS-99 modem client
+is99c 379/udp #TIA/EIA/IS-99 modem client
+is99s 380/tcp #TIA/EIA/IS-99 modem server
+is99s 380/udp #TIA/EIA/IS-99 modem server
+hp-collector 381/tcp #hp performance data collector
+hp-collector 381/udp #hp performance data collector
+hp-managed-node 382/tcp #hp performance data managed node
+hp-managed-node 382/udp #hp performance data managed node
+hp-alarm-mgr 383/tcp #hp performance data alarm manager
+hp-alarm-mgr 383/udp #hp performance data alarm manager
+arns 384/tcp #A Remote Network Server System
+arns 384/udp #A Remote Network Server System
+ibm-app 385/tcp #IBM Application
+ibm-app 385/udp #IBM Application
+asa 386/tcp #ASA Message Router Object Def.
+asa 386/udp #ASA Message Router Object Def.
+aurp 387/tcp #Appletalk Update-Based Routing Pro.
+aurp 387/udp #Appletalk Update-Based Routing Pro.
+unidata-ldm 388/tcp #Unidata LDM Version 4
+unidata-ldm 388/udp #Unidata LDM Version 4
+ldap 389/tcp #Lightweight Directory Access Protocol
+ldap 389/udp #Lightweight Directory Access Protocol
+uis 390/tcp
+uis 390/udp
+synotics-relay 391/tcp #SynOptics SNMP Relay Port
+synotics-relay 391/udp #SynOptics SNMP Relay Port
+synotics-broker 392/tcp #SynOptics Port Broker Port
+synotics-broker 392/udp #SynOptics Port Broker Port
+dis 393/tcp #Data Interpretation System
+dis 393/udp #Data Interpretation System
+embl-ndt 394/tcp #EMBL Nucleic Data Transfer
+embl-ndt 394/udp #EMBL Nucleic Data Transfer
+netcp 395/tcp #NETscout Control Protocol
+netcp 395/udp #NETscout Control Protocol
+netware-ip 396/tcp #Novell Netware over IP
+netware-ip 396/udp #Novell Netware over IP
+mptn 397/tcp #Multi Protocol Trans. Net.
+mptn 397/udp #Multi Protocol Trans. Net.
+kryptolan 398/tcp
+kryptolan 398/udp
+iso-tsap-c2 399/tcp #ISO-TSAP Class 2
+iso-tsap-c2 399/udp #ISO-TSAP Class 2
+work-sol 400/tcp #Workstation Solutions
+work-sol 400/udp #Workstation Solutions
+ups 401/tcp #Uninterruptible Power Supply
+ups 401/udp #Uninterruptible Power Supply
+genie 402/tcp #Genie Protocol
+genie 402/udp #Genie Protocol
+decap 403/tcp
+decap 403/udp
+nced 404/tcp
+nced 404/udp
+ncld 405/tcp
+ncld 405/udp
+imsp 406/tcp #Interactive Mail Support Protocol
+imsp 406/udp #Interactive Mail Support Protocol
+timbuktu 407/tcp
+timbuktu 407/udp
+prm-sm 408/tcp #Prospero Resource Manager Sys. Man.
+prm-sm 408/udp #Prospero Resource Manager Sys. Man.
+prm-nm 409/tcp #Prospero Resource Manager Node Man.
+prm-nm 409/udp #Prospero Resource Manager Node Man.
+decladebug 410/tcp #DECLadebug Remote Debug Protocol
+decladebug 410/udp #DECLadebug Remote Debug Protocol
+rmt 411/tcp #Remote MT Protocol
+rmt 411/udp #Remote MT Protocol
+synoptics-trap 412/tcp #Trap Convention Port
+synoptics-trap 412/udp #Trap Convention Port
+smsp 413/tcp
+smsp 413/udp
+infoseek 414/tcp
+infoseek 414/udp
+bnet 415/tcp
+bnet 415/udp
+silverplatter 416/tcp
+silverplatter 416/udp
+onmux 417/tcp
+onmux 417/udp
+hyper-g 418/tcp
+hyper-g 418/udp
+ariel1 419/tcp
+ariel1 419/udp
+smpte 420/tcp
+smpte 420/udp
+ariel2 421/tcp
+ariel2 421/udp
+ariel3 422/tcp
+ariel3 422/udp
+opc-job-start 423/tcp #IBM Operations Planning and Control Start
+opc-job-start 423/udp #IBM Operations Planning and Control Start
+opc-job-track 424/tcp #IBM Operations Planning and Control Track
+opc-job-track 424/udp #IBM Operations Planning and Control Track
+icad-el 425/tcp
+icad-el 425/udp
+smartsdp 426/tcp
+smartsdp 426/udp
+svrloc 427/tcp #Server Location
+svrloc 427/udp #Server Location
+ocs_cmu 428/tcp
+ocs_cmu 428/udp
+ocs_amu 429/tcp
+ocs_amu 429/udp
+utmpsd 430/tcp
+utmpsd 430/udp
+utmpcd 431/tcp
+utmpcd 431/udp
+iasd 432/tcp
+iasd 432/udp
+nnsp 433/tcp
+nnsp 433/udp
+mobileip-agent 434/tcp
+mobileip-agent 434/udp
+mobilip-mn 435/tcp
+mobilip-mn 435/udp
+dna-cml 436/tcp
+dna-cml 436/udp
+comscm 437/tcp
+comscm 437/udp
+dsfgw 438/tcp
+dsfgw 438/udp
+dasp 439/tcp
+dasp 439/udp
+sgcp 440/tcp
+sgcp 440/udp
+decvms-sysmgt 441/tcp
+decvms-sysmgt 441/udp
+cvc_hostd 442/tcp
+cvc_hostd 442/udp
+https 443/tcp
+https 443/udp
+snpp 444/tcp #Simple Network Paging Protocol
+snpp 444/udp #Simple Network Paging Protocol
+# [RFC1568]
+microsoft-ds 445/tcp
+microsoft-ds 445/udp
+ddm-rdb 446/tcp
+ddm-rdb 446/udp
+ddm-dfm 447/tcp
+ddm-dfm 447/udp
+ddm-ssl 448/tcp ddm-byte
+ddm-ssl 448/udp ddm-byte
+as-servermap 449/tcp #AS Server Mapper
+as-servermap 449/udp #AS Server Mapper
+tserver 450/tcp
+tserver 450/udp
+sfs-smp-net 451/tcp #Cray Network Semaphore server
+sfs-smp-net 451/udp #Cray Network Semaphore server
+sfs-config 452/tcp #Cray SFS config server
+sfs-config 452/udp #Cray SFS config server
+creativeserver 453/tcp #CreativeServer
+creativeserver 453/udp #CreativeServer
+contentserver 454/tcp #ContentServer
+contentserver 454/udp #ContentServer
+creativepartnr 455/tcp #CreativePartnr
+creativepartnr 455/udp #CreativePartnr
+macon-tcp 456/tcp
+macon-udp 456/udp
+scohelp 457/tcp
+scohelp 457/udp
+appleqtc 458/tcp #apple quick time
+appleqtc 458/udp #apple quick time
+ampr-rcmd 459/tcp
+ampr-rcmd 459/udp
+skronk 460/tcp
+skronk 460/udp
+datasurfsrv 461/tcp
+datasurfsrv 461/udp
+datasurfsrvsec 462/tcp
+datasurfsrvsec 462/udp
+alpes 463/tcp
+alpes 463/udp
+#
+kpasswd5 464/tcp # Kerberos (v5)
+kpasswd5 464/udp # Kerberos (v5)
+#PROBLEMS!==============================================================
+# IANA has offically assigned these two ports as ``kpasswd''
+#kpasswd 464/tcp # Kerberos (v5)
+#kpasswd 464/udp # Kerberos (v5)
+#PROBLEMS!==============================================================
+smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)
+smtps 465/udp #smtp protocol over TLS/SSL (was ssmtp)
+digital-vrc 466/tcp
+digital-vrc 466/udp
+mylex-mapd 467/tcp
+mylex-mapd 467/udp
+photuris 468/tcp
+photuris 468/udp
+rcp 469/tcp #Radio Control Protocol
+rcp 469/udp #Radio Control Protocol
+scx-proxy 470/tcp
+scx-proxy 470/udp
+mondex 471/tcp
+mondex 471/udp
+ljk-login 472/tcp
+ljk-login 472/udp
+hybrid-pop 473/tcp
+hybrid-pop 473/udp
+tn-tl-w1 474/tcp
+tn-tl-w2 474/udp
+tcpnethaspsrv 475/tcp
+tcpnethaspsrv 475/udp
+tn-tl-fd1 476/tcp
+tn-tl-fd1 476/udp
+ss7ns 477/tcp
+ss7ns 477/udp
+spsc 478/tcp
+spsc 478/udp
+iafserver 479/tcp
+iafserver 479/udp
+iafdbase 480/tcp
+iafdbase 480/udp
+ph 481/tcp
+ph 481/udp
+bgs-nsi 482/tcp
+bgs-nsi 482/udp
+ulpnet 483/tcp
+ulpnet 483/udp
+integra-sme 484/tcp #Integra Software Management Environment
+integra-sme 484/udp #Integra Software Management Environment
+powerburst 485/tcp #Air Soft Power Burst
+powerburst 485/udp #Air Soft Power Burst
+avian 486/tcp
+avian 486/udp
+saft 487/tcp #saft Simple Asynchronous File Transfer
+saft 487/udp #saft Simple Asynchronous File Transfer
+gss-http 488/tcp
+gss-http 488/udp
+nest-protocol 489/tcp
+nest-protocol 489/udp
+micom-pfs 490/tcp
+micom-pfs 490/udp
+go-login 491/tcp
+go-login 491/udp
+ticf-1 492/tcp #Transport Independent Convergence for FNA
+ticf-1 492/udp #Transport Independent Convergence for FNA
+ticf-2 493/tcp #Transport Independent Convergence for FNA
+ticf-2 493/udp #Transport Independent Convergence for FNA
+pov-ray 494/tcp
+pov-ray 494/udp
+intecourier 495/tcp
+intecourier 495/udp
+pim-rp-disc 496/tcp
+pim-rp-disc 496/udp
+dantz 497/tcp
+dantz 497/udp
+siam 498/tcp
+siam 498/udp
+iso-ill 499/tcp #ISO ILL Protocol
+iso-ill 499/udp #ISO ILL Protocol
+isakmp 500/tcp
+isakmp 500/udp
+stmf 501/tcp
+stmf 501/udp
+asa-appl-proto 502/tcp
+asa-appl-proto 502/udp
+intrinsa 503/tcp
+intrinsa 503/udp
+citadel 504/tcp
+citadel 504/udp
+mailbox-lm 505/tcp
+mailbox-lm 505/udp
+ohimsrv 506/tcp
+ohimsrv 506/udp
+crs 507/tcp
+crs 507/udp
+xvttp 508/tcp
+xvttp 508/udp
+snare 509/tcp
+snare 509/udp
+fcp 510/tcp #FirstClass Protocol
+fcp 510/udp #FirstClass Protocol
+passgo 511/tcp
+passgo 511/udp
+#
+# Berkeley-specific services
+#
+exec 512/tcp #remote process execution;
+# authentication performed using
+# passwords and UNIX login names
+biff 512/udp comsat #used by mail system to notify users
+# of new mail received; currently
+# receives messages only from
+# processes on the same machine
+login 513/tcp #remote login a la telnet;
+# automatic authentication performed
+# based on priviledged port numbers
+# and distributed data bases which
+# identify "authentication domains"
+who 513/udp whod #maintains data bases showing who's
+# logged in to machines on a local
+# net and the load average of the
+# machine
+shell 514/tcp cmd #like exec, but automatic
+# authentication is performed as for
+# login server
+syslog 514/udp
+printer 515/tcp spooler
+printer 515/udp spooler
+videotex 516/tcp
+videotex 516/udp
+talk 517/tcp #like tenex link, but across
+# machine - unfortunately, doesn't
+# use link protocol (this is actually
+# just a rendezvous port from which a
+# tcp connection is established)
+talk 517/udp #like tenex link, but across
+# machine - unfortunately, doesn't
+# use link protocol (this is actually
+# just a rendezvous port from which a
+# tcp connection is established)
+ntalk 518/tcp
+ntalk 518/udp
+utime 519/tcp unixtime
+utime 519/udp unixtime
+efs 520/tcp #extended file name server
+router 520/udp route routed #local routing process (on site);
+# uses variant of Xerox NS routing
+# information protocol
+ripng 521/tcp
+ripng 521/udp
+ulp 522/tcp
+ulp 522/udp
+ibm-db2 523/tcp
+ibm-db2 523/udp
+ncp 524/tcp
+ncp 524/udp
+timed 525/tcp timeserver
+timed 525/udp timeserver
+tempo 526/tcp newdate
+tempo 526/udp newdate
+stx 527/tcp #Stock IXChange
+stx 527/udp #Stock IXChange
+custix 528/tcp #Customer IXChange
+custix 528/udp #Customer IXChange
+irc-serv 529/tcp
+irc-serv 529/udp
+courier 530/tcp rpc
+courier 530/udp rpc
+conference 531/tcp chat
+conference 531/udp chat
+netnews 532/tcp readnews
+netnews 532/udp readnews
+netwall 533/tcp #for emergency broadcasts
+netwall 533/udp #for emergency broadcasts
+mm-admin 534/tcp #MegaMedia Admin
+mm-admin 534/udp #MegaMedia Admin
+iiop 535/tcp
+iiop 535/udp
+opalis-rdv 536/tcp
+opalis-rdv 536/udp
+nmsp 537/tcp #Networked Media Streaming Protocol
+nmsp 537/udp #Networked Media Streaming Protocol
+gdomap 538/tcp
+gdomap 538/udp
+apertus-ldp 539/tcp #Apertus Technologies Load Determination
+apertus-ldp 539/udp #Apertus Technologies Load Determination
+uucp 540/tcp uucpd
+uucp 540/udp uucpd
+uucp-rlogin 541/tcp
+uucp-rlogin 541/udp
+commerce 542/tcp
+commerce 542/udp
+klogin 543/tcp # Kerberos (v4/v5)
+klogin 543/udp # Kerberos (v4/v5)
+kshell 544/tcp krcmd # Kerberos (v4/v5)
+kshell 544/udp krcmd # Kerberos (v4/v5)
+appleqtcsrvr 545/tcp
+appleqtcsrvr 545/udp
+dhcpv6-client 546/tcp #DHCPv6 Client
+dhcpv6-client 546/udp #DHCPv6 Client
+dhcpv6-server 547/tcp #DHCPv6 Server
+dhcpv6-server 547/udp #DHCPv6 Server
+afpovertcp 548/tcp #AFP over TCP
+afpovertcp 548/udp #AFP over TCP
+idfp 549/tcp
+idfp 549/udp
+new-rwho 550/tcp new-who
+new-rwho 550/udp new-who
+cybercash 551/tcp
+cybercash 551/udp
+deviceshare 552/tcp
+deviceshare 552/udp
+pirp 553/tcp
+pirp 553/udp
+rtsp 554/tcp #Real Time Stream Control Protocol
+rtsp 554/udp #Real Time Stream Control Protocol
+dsf 555/tcp
+dsf 555/udp
+remotefs 556/tcp rfs rfs_server # Brunhoff remote filesystem
+remotefs 556/udp rfs rfs_server # Brunhoff remote filesystem
+openvms-sysipc 557/tcp
+openvms-sysipc 557/udp
+sdnskmp 558/tcp
+sdnskmp 558/udp
+teedtap 559/tcp
+teedtap 559/udp
+rmonitor 560/tcp rmonitord
+rmonitor 560/udp rmonitord
+monitor 561/tcp
+monitor 561/udp
+chshell 562/tcp chcmd
+chshell 562/udp chcmd
+nntps 563/tcp snntp #nntp protocol over TLS/SSL
+nntps 563/udp snntp #nntp protocol over TLS/SSL
+9pfs 564/tcp #plan 9 file service
+9pfs 564/udp #plan 9 file service
+whoami 565/tcp
+whoami 565/udp
+streettalk 566/tcp
+banyan-rpc 567/tcp
+banyan-rpc 567/udp
+ms-shuttle 568/tcp #Microsoft shuttle
+ms-shuttle 568/udp #Microsoft shuttle
+ms-rome 569/tcp #Microsoft rome
+ms-rome 569/udp #Microsoft rome
+meter 570/tcp #demon
+meter 570/udp #demon
+umeter 571/tcp #udemon
+umeter 571/udp #udemon
+sonar 572/tcp
+sonar 572/udp
+banyan-vip 573/tcp
+banyan-vip 573/udp
+ftp-agent 574/tcp #FTP Software Agent System
+ftp-agent 574/udp #FTP Software Agent System
+vemmi 575/tcp
+vemmi 575/udp
+ipcd 576/tcp
+ipcd 576/udp
+vnas 577/tcp
+vnas 577/udp
+ipdd 578/tcp
+ipdd 578/udp
+decbsrv 579/tcp
+decbsrv 579/udp
+sntp-heartbeat 580/tcp
+sntp-heartbeat 580/udp
+bdp 581/tcp #Bundle Discovery Protocol
+bdp 581/udp #Bundle Discovery Protocol
+scc-security 582/tcp
+scc-security 582/udp
+philips-vc 583/tcp #Philips Video-Conferencing
+philips-vc 583/udp #Philips Video-Conferencing
+keyserver 584/tcp
+keyserver 584/udp
+#imap4-ssl@585 never should have been allocated. See PR 46294.
+#imap4-ssl 585/tcp #IMAP4+SSL (use of 585 is not recommended,
+#imap4-ssl 585/udp # use 993 instead)
+password-chg 586/tcp
+password-chg 586/udp
+submission 587/tcp
+submission 587/udp
+cal 588/tcp
+cal 588/udp
+eyelink 589/tcp
+eyelink 589/udp
+tns-cml 590/tcp
+tns-cml 590/udp
+http-alt 591/tcp #FileMaker, Inc. - HTTP Alternate (see Port 80)
+http-alt 591/udp #FileMaker, Inc. - HTTP Alternate (see Port 80)
+eudora-set 592/tcp
+eudora-set 592/udp
+http-rpc-epmap 593/tcp #HTTP RPC Ep Map
+http-rpc-epmap 593/udp #HTTP RPC Ep Map
+tpip 594/tcp
+tpip 594/udp
+cab-protocol 595/tcp
+cab-protocol 595/udp
+smsd 596/tcp
+smsd 596/udp
+ptcnameservice 597/tcp #PTC Name Service
+ptcnameservice 597/udp #PTC Name Service
+sco-websrvrmg3 598/tcp #SCO Web Server Manager 3
+sco-websrvrmg3 598/udp #SCO Web Server Manager 3
+acp 599/tcp #Aeolon Core Protocol
+acp 599/udp #Aeolon Core Protocol
+ipcserver 600/tcp #Sun IPC server
+ipcserver 600/udp #Sun IPC server
+nqs 607/tcp
+nqs 607/udp
+urm 606/tcp #Cray Unified Resource Manager
+urm 606/udp #Cray Unified Resource Manager
+sift-uft 608/tcp #Sender-Initiated/Unsolicited File Transfer
+sift-uft 608/udp #Sender-Initiated/Unsolicited File Transfer
+npmp-trap 609/tcp
+npmp-trap 609/udp
+npmp-local 610/tcp
+npmp-local 610/udp
+npmp-gui 611/tcp
+npmp-gui 611/udp
+sshell 614/tcp #SSLshell
+sshell 614/udp
+ipp 631/tcp #IPP (Internet Printing Protocol)
+ipp 631/udp #IPP (Internet Printing Protocol)
+ginad 634/tcp
+ginad 634/udp
+ldaps 636/tcp sldap #ldap protocol over TLS/SSL
+ldaps 636/udp sldap
+mdqs 666/tcp
+mdqs 666/udp
+#PROBLEMS!===============================================
+doom 666/tcp #doom Id Software
+doom 666/udp #doom Id Software
+#PROBLEMS!===============================================
+acap 674/tcp #Application Configuration Access Protocol
+acap 674/udp #Application Configuration Access Protocol
+elcsd 704/tcp #errlog copy/server daemon
+elcsd 704/udp #errlog copy/server daemon
+entrustmanager 709/tcp #EntrustManager
+entrustmanager 709/udp #EntrustManager
+netviewdm1 729/tcp #IBM NetView DM/6000 Server/Client
+netviewdm1 729/udp #IBM NetView DM/6000 Server/Client
+netviewdm2 730/tcp #IBM NetView DM/6000 send/tcp
+netviewdm2 730/udp #IBM NetView DM/6000 send/tcp
+netviewdm3 731/tcp #IBM NetView DM/6000 receive/tcp
+netviewdm3 731/udp #IBM NetView DM/6000 receive/tcp
+netgw 741/tcp
+netgw 741/udp
+netrcs 742/tcp #Network based Rev. Cont. Sys.
+netrcs 742/udp #Network based Rev. Cont. Sys.
+flexlm 744/tcp #Flexible License Manager
+flexlm 744/udp #Flexible License Manager
+fujitsu-dev 747/tcp #Fujitsu Device Control
+fujitsu-dev 747/udp #Fujitsu Device Control
+ris-cm 748/tcp #Russell Info Sci Calendar Manager
+ris-cm 748/udp #Russell Info Sci Calendar Manager
+kerberos-adm 749/tcp #Kerberos administration (v5)
+kerberos-adm 749/udp #Kerberos administration (v5)
+kerberos-iv 750/udp kdc # Kerberos (v4)
+kerberos-iv 750/tcp kdc # Kerberos (v4)
+#PROBLEMS!========================================================
+#rfile 750/tcp
+#loadav 750/udp
+#PROBLEMS!========================================================
+kerberos_master 751/tcp # Kerberos `kadmin' (v4)
+kerberos_master 751/udp # Kerberos `kadmin' (v4)
+#PROBLEMS!========================================================
+pump 751/tcp
+pump 751/udp
+#PROBLEMS!========================================================
+qrh 752/tcp
+qrh 752/udp
+rrh 753/tcp
+rrh 753/udp
+krb_prop 754/tcp krb5_prop # kerberos/v5 server propagation
+#PROBLEMS!========================================================
+tell 754/tcp #send
+#PROBLEMS!========================================================
+tell 754/udp #send
+nlogin 758/tcp
+nlogin 758/udp
+con 759/tcp
+con 759/udp
+krbupdate 760/tcp kreg # Kerberos (v4) registration
+#PROBLEMS!========================================================
+ns 760/tcp
+#PROBLEMS!========================================================
+ns 760/udp
+kpasswd 761/tcp kpwd # Kerberos (v4) "passwd"
+#PROBLEMS!========================================================
+rxe 761/tcp
+#PROBLEMS!========================================================
+rxe 761/udp
+quotad 762/tcp
+quotad 762/udp
+cycleserv 763/tcp
+cycleserv 763/udp
+omserv 764/tcp
+omserv 764/udp
+webster 765/tcp
+webster 765/udp
+phonebook 767/tcp #phone
+phonebook 767/udp #phone
+vid 769/tcp
+vid 769/udp
+cadlock 770/tcp
+cadlock 770/udp
+rtip 771/tcp
+rtip 771/udp
+cycleserv2 772/tcp
+cycleserv2 772/udp
+submit 773/tcp
+notify 773/udp
+rpasswd 774/tcp
+acmaint_dbd 774/udp
+entomb 775/tcp
+acmaint_transd 775/udp
+wpages 776/tcp
+wpages 776/udp
+wpgs 780/tcp
+wpgs 780/udp
+concert 786/tcp
+concert 786/udp
+mdbs_daemon 800/tcp
+mdbs_daemon 800/udp
+device 801/tcp
+device 801/udp
+supfilesrv 871/tcp # for SUP
+rsync 873/tcp
+rsync 873/udp
+accessbuilder 888/tcp
+accessbuilder 888/udp
+swat 901/tcp # samba web configuration tool
+ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
+ftps-data 989/udp
+ftps 990/tcp # ftp protocol, control, over TLS/SSL
+ftps 990/udp
+telnets 992/tcp # telnet protocol over TLS/SSL
+telnets 992/udp
+imaps 993/tcp # imap4 protocol over TLS/SSL
+imaps 993/udp
+ircs 994/tcp # irc protocol over TLS/SSL
+ircs 994/udp
+pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL
+pop3s 995/udp spop3
+vsinet 996/tcp
+vsinet 996/udp
+maitrd 997/tcp
+maitrd 997/udp
+busboy 998/tcp
+puparp 998/udp
+garcon 999/tcp
+applix 999/udp #Applix ac
+puprouter 999/tcp
+puprouter 999/udp
+cadlock 1000/tcp
+ock 1000/udp
+#
+# REGISTERED PORT NUMBERS
+#
+blackjack 1025/tcp #network blackjack
+blackjack 1025/udp #network blackjack
+iad1 1030/tcp #BBN IAD
+iad1 1030/udp #BBN IAD
+iad2 1031/tcp #BBN IAD
+iad2 1031/udp #BBN IAD
+iad3 1032/tcp #BBN IAD
+iad3 1032/udp #BBN IAD
+nim 1058/tcp
+nim 1058/udp
+nimreg 1059/tcp
+nimreg 1059/udp
+instl_boots 1067/tcp #Installation Bootstrap Proto. Serv.
+instl_boots 1067/udp #Installation Bootstrap Proto. Serv.
+instl_bootc 1068/tcp #Installation Bootstrap Proto. Cli.
+instl_bootc 1068/udp #Installation Bootstrap Proto. Cli.
+socks 1080/tcp
+socks 1080/udp
+ansoft-lm-1 1083/tcp #Anasoft License Manager
+ansoft-lm-1 1083/udp #Anasoft License Manager
+ansoft-lm-2 1084/tcp #Anasoft License Manager
+ansoft-lm-2 1084/udp #Anasoft License Manager
+webobjects 1085/tcp #Web Objects
+webobjects 1085/udp #Web Objects
+kpop 1109/tcp #Unofficial
+kpop 1109/udp #Unofficial
+nfsd-status 1110/tcp #Cluster status info
+nfsd-keepalive 1110/udp #Client status info
+supfiledbg 1127/tcp # for SUP
+nfa 1155/tcp #Network File Access
+nfa 1155/udp #Network File Access
+phone 1167/udp #conference calling
+skkserv 1178/tcp #SKK (kanji input)
+lupa 1212/tcp
+lupa 1212/udp
+nerv 1222/tcp #SNI R&D network
+nerv 1222/udp #SNI R&D network
+hermes 1248/tcp
+hermes 1248/udp
+healthd 1281/tcp #healthd
+healthd 1281/udp #healthd
+alta-ana-lm 1346/tcp #Alta Analytics License Manager
+alta-ana-lm 1346/udp #Alta Analytics License Manager
+bbn-mmc 1347/tcp #multi media conferencing
+bbn-mmc 1347/udp #multi media conferencing
+bbn-mmx 1348/tcp #multi media conferencing
+bbn-mmx 1348/udp #multi media conferencing
+sbook 1349/tcp #Registration Network Protocol
+sbook 1349/udp #Registration Network Protocol
+editbench 1350/tcp #Registration Network Protocol
+editbench 1350/udp #Registration Network Protocol
+equationbuilder 1351/tcp #Digital Tool Works (MIT)
+equationbuilder 1351/udp #Digital Tool Works (MIT)
+lotusnote 1352/tcp #Lotus Note
+lotusnote 1352/udp #Lotus Note
+relief 1353/tcp #Relief Consulting
+relief 1353/udp #Relief Consulting
+rightbrain 1354/tcp #RightBrain Software
+rightbrain 1354/udp #RightBrain Software
+intuitive-edge 1355/tcp #Intuitive Edge
+intuitive-edge 1355/udp #Intuitive Edge
+cuillamartin 1356/tcp #CuillaMartin Company
+cuillamartin 1356/udp #CuillaMartin Company
+pegboard 1357/tcp #Electronic PegBoard
+pegboard 1357/udp #Electronic PegBoard
+connlcli 1358/tcp
+connlcli 1358/udp
+ftsrv 1359/tcp
+ftsrv 1359/udp
+mimer 1360/tcp
+mimer 1360/udp
+linx 1361/tcp
+linx 1361/udp
+timeflies 1362/tcp
+timeflies 1362/udp
+ndm-requester 1363/tcp #Network DataMover Requester
+ndm-requester 1363/udp #Network DataMover Requester
+ndm-server 1364/tcp #Network DataMover Server
+ndm-server 1364/udp #Network DataMover Server
+adapt-sna 1365/tcp #Network Software Associates
+adapt-sna 1365/udp #Network Software Associates
+netware-csp 1366/tcp #Novell NetWare Comm Service Platform
+netware-csp 1366/udp #Novell NetWare Comm Service Platform
+dcs 1367/tcp
+dcs 1367/udp
+screencast 1368/tcp
+screencast 1368/udp
+gv-us 1369/tcp #GlobalView to Unix Shell
+gv-us 1369/udp #GlobalView to Unix Shell
+us-gv 1370/tcp #Unix Shell to GlobalView
+us-gv 1370/udp #Unix Shell to GlobalView
+fc-cli 1371/tcp #Fujitsu Config Protocol
+fc-cli 1371/udp #Fujitsu Config Protocol
+fc-ser 1372/tcp #Fujitsu Config Protocol
+fc-ser 1372/udp #Fujitsu Config Protocol
+chromagrafx 1373/tcp
+chromagrafx 1373/udp
+molly 1374/tcp #EPI Software Systems
+molly 1374/udp #EPI Software Systems
+bytex 1375/tcp
+bytex 1375/udp
+ibm-pps 1376/tcp #IBM Person to Person Software
+ibm-pps 1376/udp #IBM Person to Person Software
+cichlid 1377/tcp #Cichlid License Manager
+cichlid 1377/udp #Cichlid License Manager
+elan 1378/tcp #Elan License Manager
+elan 1378/udp #Elan License Manager
+dbreporter 1379/tcp #Integrity Solutions
+dbreporter 1379/udp #Integrity Solutions
+telesis-licman 1380/tcp #Telesis Network License Manager
+telesis-licman 1380/udp #Telesis Network License Manager
+apple-licman 1381/tcp #Apple Network License Manager
+apple-licman 1381/udp #Apple Network License Manager
+#udt_os 1382/tcp
+#udt_os 1382/udp
+gwha 1383/tcp #GW Hannaway Network License Manager
+gwha 1383/udp #GW Hannaway Network License Manager
+os-licman 1384/tcp #Objective Solutions License Manager
+os-licman 1384/udp #Objective Solutions License Manager
+atex_elmd 1385/tcp #Atex Publishing License Manager
+atex_elmd 1385/udp #Atex Publishing License Manager
+checksum 1386/tcp #CheckSum License Manager
+checksum 1386/udp #CheckSum License Manager
+cadsi-lm 1387/tcp #Computer Aided Design Software Inc LM
+cadsi-lm 1387/udp #Computer Aided Design Software Inc LM
+objective-dbc 1388/tcp #Objective Solutions DataBase Cache
+objective-dbc 1388/udp #Objective Solutions DataBase Cache
+iclpv-dm 1389/tcp #Document Manager
+iclpv-dm 1389/udp #Document Manager
+iclpv-sc 1390/tcp #Storage Controller
+iclpv-sc 1390/udp #Storage Controller
+iclpv-sas 1391/tcp #Storage Access Server
+iclpv-sas 1391/udp #Storage Access Server
+iclpv-pm 1392/tcp #Print Manager
+iclpv-pm 1392/udp #Print Manager
+iclpv-nls 1393/tcp #Network Log Server
+iclpv-nls 1393/udp #Network Log Server
+iclpv-nlc 1394/tcp #Network Log Client
+iclpv-nlc 1394/udp #Network Log Client
+iclpv-wsm 1395/tcp #PC Workstation Manager software
+iclpv-wsm 1395/udp #PC Workstation Manager software
+dvl-activemail 1396/tcp #DVL Active Mail
+dvl-activemail 1396/udp #DVL Active Mail
+audio-activmail 1397/tcp #Audio Active Mail
+audio-activmail 1397/udp #Audio Active Mail
+video-activmail 1398/tcp #Video Active Mail
+video-activmail 1398/udp #Video Active Mail
+cadkey-licman 1399/tcp #Cadkey License Manager
+cadkey-licman 1399/udp #Cadkey License Manager
+cadkey-tablet 1400/tcp #Cadkey Tablet Daemon
+cadkey-tablet 1400/udp #Cadkey Tablet Daemon
+goldleaf-licman 1401/tcp #Goldleaf License Manager
+goldleaf-licman 1401/udp #Goldleaf License Manager
+prm-sm-np 1402/tcp #Prospero Resource Manager
+prm-sm-np 1402/udp #Prospero Resource Manager
+prm-nm-np 1403/tcp #Prospero Resource Manager
+prm-nm-np 1403/udp #Prospero Resource Manager
+igi-lm 1404/tcp #Infinite Graphics License Manager
+igi-lm 1404/udp #Infinite Graphics License Manager
+ibm-res 1405/tcp #IBM Remote Execution Starter
+ibm-res 1405/udp #IBM Remote Execution Starter
+netlabs-lm 1406/tcp #NetLabs License Manager
+netlabs-lm 1406/udp #NetLabs License Manager
+dbsa-lm 1407/tcp #DBSA License Manager
+dbsa-lm 1407/udp #DBSA License Manager
+sophia-lm 1408/tcp #Sophia License Manager
+sophia-lm 1408/udp #Sophia License Manager
+here-lm 1409/tcp #Here License Manager
+here-lm 1409/udp #Here License Manager
+hiq 1410/tcp #HiQ License Manager
+hiq 1410/udp #HiQ License Manager
+af 1411/tcp #AudioFile
+af 1411/udp #AudioFile
+innosys 1412/tcp
+innosys 1412/udp
+innosys-acl 1413/tcp
+innosys-acl 1413/udp
+ibm-mqseries 1414/tcp #IBM MQSeries
+ibm-mqseries 1414/udp #IBM MQSeries
+dbstar 1415/tcp
+dbstar 1415/udp
+novell-lu6.2 1416/tcp #Novell LU6.2
+novell-lu6.2 1416/udp #Novell LU6.2
+timbuktu-srv1 1417/tcp #Timbuktu Service 1 Port
+timbuktu-srv1 1417/udp #Timbuktu Service 1 Port
+timbuktu-srv2 1418/tcp #Timbuktu Service 2 Port
+timbuktu-srv2 1418/udp #Timbuktu Service 2 Port
+timbuktu-srv3 1419/tcp #Timbuktu Service 3 Port
+timbuktu-srv3 1419/udp #Timbuktu Service 3 Port
+timbuktu-srv4 1420/tcp #Timbuktu Service 4 Port
+timbuktu-srv4 1420/udp #Timbuktu Service 4 Port
+gandalf-lm 1421/tcp #Gandalf License Manager
+gandalf-lm 1421/udp #Gandalf License Manager
+autodesk-lm 1422/tcp #Autodesk License Manager
+autodesk-lm 1422/udp #Autodesk License Manager
+essbase 1423/tcp #Essbase Arbor Software
+essbase 1423/udp #Essbase Arbor Software
+hybrid 1424/tcp #Hybrid Encryption Protocol
+hybrid 1424/udp #Hybrid Encryption Protocol
+zion-lm 1425/tcp #Zion Software License Manager
+zion-lm 1425/udp #Zion Software License Manager
+sas-1 1426/tcp #Satellite-data Acquisition System 1
+sas-1 1426/udp #Satellite-data Acquisition System 1
+mloadd 1427/tcp #mloadd monitoring tool
+mloadd 1427/udp #mloadd monitoring tool
+informatik-lm 1428/tcp #Informatik License Manager
+informatik-lm 1428/udp #Informatik License Manager
+nms 1429/tcp #Hypercom NMS
+nms 1429/udp #Hypercom NMS
+tpdu 1430/tcp #Hypercom TPDU
+tpdu 1430/udp #Hypercom TPDU
+rgtp 1431/tcp #Reverse Gossip Transport
+rgtp 1431/udp #Reverse Gossip Transport
+blueberry-lm 1432/tcp #Blueberry Software License Manager
+blueberry-lm 1432/udp #Blueberry Software License Manager
+ms-sql-s 1433/tcp #Microsoft-SQL-Server
+ms-sql-s 1433/udp #Microsoft-SQL-Server
+ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
+ms-sql-m 1434/udp #Microsoft-SQL-Monitor
+ibm-cics 1435/tcp
+ibm-cics 1435/udp
+sas-2 1436/tcp #Satellite-data Acquisition System 2
+sas-2 1436/udp #Satellite-data Acquisition System 2
+tabula 1437/tcp
+tabula 1437/udp
+eicon-server 1438/tcp #Eicon Security Agent/Server
+eicon-server 1438/udp #Eicon Security Agent/Server
+eicon-x25 1439/tcp #Eicon X25/SNA Gateway
+eicon-x25 1439/udp #Eicon X25/SNA Gateway
+eicon-slp 1440/tcp #Eicon Service Location Protocol
+eicon-slp 1440/udp #Eicon Service Location Protocol
+cadis-1 1441/tcp #Cadis License Management
+cadis-1 1441/udp #Cadis License Management
+cadis-2 1442/tcp #Cadis License Management
+cadis-2 1442/udp #Cadis License Management
+ies-lm 1443/tcp #Integrated Engineering Software
+ies-lm 1443/udp #Integrated Engineering Software
+marcam-lm 1444/tcp #Marcam License Management
+marcam-lm 1444/udp #Marcam License Management
+proxima-lm 1445/tcp #Proxima License Manager
+proxima-lm 1445/udp #Proxima License Manager
+ora-lm 1446/tcp #Optical Research Associates License Manager
+ora-lm 1446/udp #Optical Research Associates License Manager
+apri-lm 1447/tcp #Applied Parallel Research LM
+apri-lm 1447/udp #Applied Parallel Research LM
+oc-lm 1448/tcp #OpenConnect License Manager
+oc-lm 1448/udp #OpenConnect License Manager
+peport 1449/tcp
+peport 1449/udp
+dwf 1450/tcp #Tandem Distributed Workbench Facility
+dwf 1450/udp #Tandem Distributed Workbench Facility
+infoman 1451/tcp #IBM Information Management
+infoman 1451/udp #IBM Information Management
+gtegsc-lm 1452/tcp #GTE Government Systems License Man
+gtegsc-lm 1452/udp #GTE Government Systems License Man
+genie-lm 1453/tcp #Genie License Manager
+genie-lm 1453/udp #Genie License Manager
+interhdl_elmd 1454/tcp #interHDL License Manager
+interhdl_elmd 1454/udp #interHDL License Manager
+esl-lm 1455/tcp #ESL License Manager
+esl-lm 1455/udp #ESL License Manager
+dca 1456/tcp
+dca 1456/udp
+valisys-lm 1457/tcp #Valisys License Manager
+valisys-lm 1457/udp #Valisys License Manager
+nrcabq-lm 1458/tcp #Nichols Research Corp.
+nrcabq-lm 1458/udp #Nichols Research Corp.
+proshare1 1459/tcp #Proshare Notebook Application
+proshare1 1459/udp #Proshare Notebook Application
+proshare2 1460/tcp #Proshare Notebook Application
+proshare2 1460/udp #Proshare Notebook Application
+ibm_wrless_lan 1461/tcp #IBM Wireless LAN
+ibm_wrless_lan 1461/udp #IBM Wireless LAN
+world-lm 1462/tcp #World License Manager
+world-lm 1462/udp #World License Manager
+nucleus 1463/tcp
+nucleus 1463/udp
+msl_lmd 1464/tcp #MSL License Manager
+msl_lmd 1464/udp #MSL License Manager
+pipes 1465/tcp #Pipes Platform
+pipes 1465/udp #Pipes Platform mfarlin@peerlogic.com
+oceansoft-lm 1466/tcp #Ocean Software License Manager
+oceansoft-lm 1466/udp #Ocean Software License Manager
+csdmbase 1467/tcp
+csdmbase 1467/udp
+csdm 1468/tcp
+csdm 1468/udp
+aal-lm 1469/tcp #Active Analysis Limited License Manager
+aal-lm 1469/udp #Active Analysis Limited License Manager
+uaiact 1470/tcp #Universal Analytics
+uaiact 1470/udp #Universal Analytics
+csdmbase 1471/tcp
+csdmbase 1471/udp
+csdm 1472/tcp
+csdm 1472/udp
+openmath 1473/tcp
+openmath 1473/udp
+telefinder 1474/tcp
+telefinder 1474/udp
+taligent-lm 1475/tcp #Taligent License Manager
+taligent-lm 1475/udp #Taligent License Manager
+clvm-cfg 1476/tcp
+clvm-cfg 1476/udp
+ms-sna-server 1477/tcp
+ms-sna-server 1477/udp
+ms-sna-base 1478/tcp
+ms-sna-base 1478/udp
+dberegister 1479/tcp
+dberegister 1479/udp
+pacerforum 1480/tcp
+pacerforum 1480/udp
+airs 1481/tcp
+airs 1481/udp
+miteksys-lm 1482/tcp #Miteksys License Manager
+miteksys-lm 1482/udp #Miteksys License Manager
+afs 1483/tcp #AFS License Manager
+afs 1483/udp #AFS License Manager
+confluent 1484/tcp #Confluent License Manager
+confluent 1484/udp #Confluent License Manager
+lansource 1485/tcp
+lansource 1485/udp
+nms_topo_serv 1486/tcp
+nms_topo_serv 1486/udp
+localinfosrvr 1487/tcp
+localinfosrvr 1487/udp
+docstor 1488/tcp
+docstor 1488/udp
+dmdocbroker 1489/tcp
+dmdocbroker 1489/udp
+insitu-conf 1490/tcp
+insitu-conf 1490/udp
+anynetgateway 1491/tcp
+anynetgateway 1491/udp
+stone-design-1 1492/tcp
+stone-design-1 1492/udp
+netmap_lm 1493/tcp
+netmap_lm 1493/udp
+ica 1494/tcp
+ica 1494/udp
+cvc 1495/tcp
+cvc 1495/udp
+liberty-lm 1496/tcp
+liberty-lm 1496/udp
+rfx-lm 1497/tcp
+rfx-lm 1497/udp
+watcom-sql 1498/tcp
+watcom-sql 1498/udp
+fhc 1499/tcp #Federico Heinz Consultora
+fhc 1499/udp #Federico Heinz Consultora
+vlsi-lm 1500/tcp #VLSI License Manager
+vlsi-lm 1500/udp #VLSI License Manager
+sas-3 1501/tcp #Satellite-data Acquisition System 3
+sas-3 1501/udp #Satellite-data Acquisition System 3
+shivadiscovery 1502/tcp #Shiva
+shivadiscovery 1502/udp #Shiva
+imtc-mcs 1503/tcp #Databeam
+imtc-mcs 1503/udp #Databeam
+evb-elm 1504/tcp #EVB Software Engineering License Manager
+evb-elm 1504/udp #EVB Software Engineering License Manager
+funkproxy 1505/tcp #Funk Software, Inc.
+funkproxy 1505/udp #Funk Software, Inc.
+utcd 1506/tcp #Universal Time daemon (utcd)
+utcd 1506/udp #Universal Time daemon (utcd)
+symplex 1507/tcp
+symplex 1507/udp
+diagmond 1508/tcp
+diagmond 1508/udp
+robcad-lm 1509/tcp #Robcad, Ltd. License Manager
+robcad-lm 1509/udp #Robcad, Ltd. License Manager
+mvx-lm 1510/tcp #Midland Valley Exploration Ltd. Lic. Man.
+mvx-lm 1510/udp #Midland Valley Exploration Ltd. Lic. Man.
+3l-l1 1511/tcp
+3l-l1 1511/udp
+wins 1512/tcp #Microsoft's Windows Internet Name Service
+wins 1512/udp #Microsoft's Windows Internet Name Service
+fujitsu-dtc 1513/tcp #Fujitsu Systems Business of America, Inc
+fujitsu-dtc 1513/udp #Fujitsu Systems Business of America, Inc
+fujitsu-dtcns 1514/tcp #Fujitsu Systems Business of America, Inc
+fujitsu-dtcns 1514/udp #Fujitsu Systems Business of America, Inc
+ifor-protocol 1515/tcp
+ifor-protocol 1515/udp
+vpad 1516/tcp #Virtual Places Audio data
+vpad 1516/udp #Virtual Places Audio data
+vpac 1517/tcp #Virtual Places Audio control
+vpac 1517/udp #Virtual Places Audio control
+vpvd 1518/tcp #Virtual Places Video data
+vpvd 1518/udp #Virtual Places Video data
+vpvc 1519/tcp #Virtual Places Video control
+vpvc 1519/udp #Virtual Places Video control
+atm-zip-office 1520/tcp #atm zip office
+atm-zip-office 1520/udp #atm zip office
+ncube-lm 1521/tcp #nCube License Manager
+ncube-lm 1521/udp #nCube License Manager
+rna-lm 1522/tcp #Ricardo North America License Manager
+rna-lm 1522/udp #Ricardo North America License Manager
+cichild-lm 1523/tcp
+cichild-lm 1523/udp
+ingreslock 1524/tcp #ingres
+ingreslock 1524/udp #ingres
+prospero-np 1525/tcp #Prospero Directory Service non-priv
+prospero-np 1525/udp #Prospero Directory Service non-priv
+#PROBLEMS!========================================================
+orasrv 1525/tcp #oracle
+orasrv 1525/udp #oracle
+#PROBLEMS!========================================================
+pdap-np 1526/tcp #Prospero Data Access Prot non-priv
+pdap-np 1526/udp #Prospero Data Access Prot non-priv
+tlisrv 1527/tcp #oracle
+tlisrv 1527/udp #oracle
+mciautoreg 1528/tcp
+mciautoreg 1528/udp
+support 1529/tcp prmsd gnatsd # cygnus bug tracker
+coauthor 1529/tcp #oracle
+coauthor 1529/udp #oracle
+rap-service 1530/tcp
+rap-service 1530/udp
+rap-listen 1531/tcp
+rap-listen 1531/udp
+miroconnect 1532/tcp
+miroconnect 1532/udp
+virtual-places 1533/tcp #Virtual Places Software
+virtual-places 1533/udp #Virtual Places Software
+micromuse-lm 1534/tcp
+micromuse-lm 1534/udp
+ampr-info 1535/tcp
+ampr-info 1535/udp
+ampr-inter 1536/tcp
+ampr-inter 1536/udp
+sdsc-lm 1537/tcp
+sdsc-lm 1537/udp
+3ds-lm 1538/tcp
+3ds-lm 1538/udp
+intellistor-lm 1539/tcp #Intellistor License Manager
+intellistor-lm 1539/udp #Intellistor License Manager
+rds 1540/tcp
+rds 1540/udp
+rds2 1541/tcp
+rds2 1541/udp
+gridgen-elmd 1542/tcp
+gridgen-elmd 1542/udp
+simba-cs 1543/tcp
+simba-cs 1543/udp
+aspeclmd 1544/tcp
+aspeclmd 1544/udp
+vistium-share 1545/tcp
+vistium-share 1545/udp
+abbaccuray 1546/tcp
+abbaccuray 1546/udp
+laplink 1547/tcp
+laplink 1547/udp
+axon-lm 1548/tcp #Axon License Manager
+axon-lm 1548/udp #Axon License Manager
+shivahose 1549/tcp #Shiva Hose
+shivasound 1549/udp #Shiva Sound
+3m-image-lm 1550/tcp #Image Storage license manager 3M Company
+3m-image-lm 1550/udp #Image Storage license manager 3M Company
+hecmtl-db 1551/tcp
+hecmtl-db 1551/udp
+pciarray 1552/tcp
+pciarray 1552/udp
+issd 1600/tcp
+issd 1600/udp
+# IMPORTANT NOTE: Ports 1645/1646 are the traditional radius ports used by
+# many vendors without obtaining official IANA assignment. The official
+# assignment is now ports 1812/1813 and users are encouraged to migrate
+# when possible to these new ports.
+#radius 1645/udp #RADIUS authentication protocol (old)
+#radacct 1646/udp #RADIUS accounting protocol (old)
+nkd 1650/tcp
+nkd 1650/udp
+shiva_confsrvr 1651/tcp
+shiva_confsrvr 1651/udp
+xnmp 1652/tcp
+xnmp 1652/udp
+netview-aix-1 1661/tcp
+netview-aix-1 1661/udp
+netview-aix-2 1662/tcp
+netview-aix-2 1662/udp
+netview-aix-3 1663/tcp
+netview-aix-3 1663/udp
+netview-aix-4 1664/tcp
+netview-aix-4 1664/udp
+netview-aix-5 1665/tcp
+netview-aix-5 1665/udp
+netview-aix-6 1666/tcp
+netview-aix-6 1666/udp
+netview-aix-7 1667/tcp
+netview-aix-7 1667/udp
+netview-aix-8 1668/tcp
+netview-aix-8 1668/udp
+netview-aix-9 1669/tcp
+netview-aix-9 1669/udp
+netview-aix-10 1670/tcp
+netview-aix-10 1670/udp
+netview-aix-11 1671/tcp
+netview-aix-11 1671/udp
+netview-aix-12 1672/tcp
+netview-aix-12 1672/udp
+l2f 1701/tcp #l2f
+l2f 1701/udp #l2f
+l2tp 1701/tcp #Layer 2 Tunnelling Protocol
+l2tp 1701/udp #Layer 2 Tunnelling Protocol
+pptp 1723/tcp #Point-to-point tunnelling protocol
+# IMPORTANT NOTE: See comments for ports 1645/1646 when using older equipment
+radius 1812/udp #RADIUS authentication protocol (IANA sanctioned)
+radacct 1813/udp #RADIUS accounting protocol (IANA sanctioned)
+licensedaemon 1986/tcp #cisco license management
+licensedaemon 1986/udp #cisco license management
+tr-rsrb-p1 1987/tcp #cisco RSRB Priority 1 port
+tr-rsrb-p1 1987/udp #cisco RSRB Priority 1 port
+tr-rsrb-p2 1988/tcp #cisco RSRB Priority 2 port
+tr-rsrb-p2 1988/udp #cisco RSRB Priority 2 port
+tr-rsrb-p3 1989/tcp #cisco RSRB Priority 3 port
+tr-rsrb-p3 1989/udp #cisco RSRB Priority 3 port
+#PROBLEMS!===================================================
+mshnet 1989/tcp #MHSnet system
+mshnet 1989/udp #MHSnet system
+#PROBLEMS!===================================================
+stun-p1 1990/tcp #cisco STUN Priority 1 port
+stun-p1 1990/udp #cisco STUN Priority 1 port
+stun-p2 1991/tcp #cisco STUN Priority 2 port
+stun-p2 1991/udp #cisco STUN Priority 2 port
+stun-p3 1992/tcp #cisco STUN Priority 3 port
+stun-p3 1992/udp #cisco STUN Priority 3 port
+#PROBLEMS!===================================================
+ipsendmsg 1992/tcp
+ipsendmsg 1992/udp
+#PROBLEMS!===================================================
+snmp-tcp-port 1993/tcp #cisco SNMP TCP port
+snmp-tcp-port 1993/udp #cisco SNMP TCP port
+stun-port 1994/tcp #cisco serial tunnel port
+stun-port 1994/udp #cisco serial tunnel port
+perf-port 1995/tcp #cisco perf port
+perf-port 1995/udp #cisco perf port
+tr-rsrb-port 1996/tcp #cisco Remote SRB port
+tr-rsrb-port 1996/udp #cisco Remote SRB port
+gdp-port 1997/tcp #cisco Gateway Discovery Protocol
+gdp-port 1997/udp #cisco Gateway Discovery Protocol
+x25-svc-port 1998/tcp #cisco X.25 service (XOT)
+x25-svc-port 1998/udp #cisco X.25 service (XOT)
+tcp-id-port 1999/tcp #cisco identification port
+tcp-id-port 1999/udp #cisco identification port
+callbook 2000/tcp
+callbook 2000/udp
+dc 2001/tcp
+wizard 2001/udp #curry
+globe 2002/tcp
+globe 2002/udp
+cfingerd 2003/tcp #GNU finger
+mailbox 2004/tcp
+emce 2004/udp #CCWS mm conf
+berknet 2005/tcp
+oracle 2005/udp
+invokator 2006/tcp
+raid-cc 2006/udp #raid
+dectalk 2007/tcp
+raid-am 2007/udp
+conf 2008/tcp
+terminaldb 2008/udp
+news 2009/tcp
+whosockami 2009/udp
+search 2010/tcp
+pipe_server 2010/udp
+raid-cc 2011/tcp #raid
+servserv 2011/udp
+ttyinfo 2012/tcp
+raid-ac 2012/udp
+raid-am 2013/tcp
+raid-cd 2013/udp
+troff 2014/tcp
+raid-sf 2014/udp
+cypress 2015/tcp
+raid-cs 2015/udp
+bootserver 2016/tcp
+bootserver 2016/udp
+cypress-stat 2017/tcp
+bootclient 2017/udp
+terminaldb 2018/tcp
+rellpack 2018/udp
+whosockami 2019/tcp
+about 2019/udp
+xinupageserver 2020/tcp
+xinupageserver 2020/udp
+servexec 2021/tcp
+xinuexpansion1 2021/udp
+down 2022/tcp
+xinuexpansion2 2022/udp
+xinuexpansion3 2023/tcp
+xinuexpansion3 2023/udp
+xinuexpansion4 2024/tcp
+xinuexpansion4 2024/udp
+ellpack 2025/tcp
+xribs 2025/udp
+scrabble 2026/tcp
+scrabble 2026/udp
+shadowserver 2027/tcp
+shadowserver 2027/udp
+submitserver 2028/tcp
+submitserver 2028/udp
+device2 2030/tcp
+device2 2030/udp
+blackboard 2032/tcp
+blackboard 2032/udp
+glogger 2033/tcp
+glogger 2033/udp
+scoremgr 2034/tcp
+scoremgr 2034/udp
+imsldoc 2035/tcp
+imsldoc 2035/udp
+objectmanager 2038/tcp
+objectmanager 2038/udp
+lam 2040/tcp
+lam 2040/udp
+interbase 2041/tcp
+interbase 2041/udp
+isis 2042/tcp
+isis 2042/udp
+isis-bcast 2043/tcp
+isis-bcast 2043/udp
+rimsl 2044/tcp
+rimsl 2044/udp
+cdfunc 2045/tcp
+cdfunc 2045/udp
+sdfunc 2046/tcp
+sdfunc 2046/udp
+#dls 2047/tcp
+#dls 2047/udp
+dls-monitor 2048/tcp
+dls-monitor 2048/udp
+nfsd 2049/tcp nfs # NFS server daemon
+nfsd 2049/udp nfs # NFS server daemon
+#PROBLEMS!=============================================================
+#shilp 2049/tcp
+#shilp 2049/udp
+#PROBLEMS!=============================================================
+dlsrpn 2065/tcp #Data Link Switch Read Port Number
+dlsrpn 2065/udp #Data Link Switch Read Port Number
+dlswpn 2067/tcp #Data Link Switch Write Port Number
+dlswpn 2067/udp #Data Link Switch Write Port Number
+zephyr-clt 2103/udp #Zephyr serv-hm connection
+zephyr-hm 2104/udp #Zephyr hostmanager
+#PROBLEMS!=============================================================
+#zephyr-hm-srv 2105/udp #Zephyr hm-serv connection
+#PROBLEMS!=============================================================
+eklogin 2105/tcp #Kerberos (v4) encrypted rlogin
+eklogin 2105/udp #Kerberos (v4) encrypted rlogin
+ekshell 2106/tcp #Kerberos (v4) encrypted rshell
+ekshell 2106/udp #Kerberos (v4) encrypted rshell
+rkinit 2108/tcp #Kerberos (v4) remote initialization
+rkinit 2108/udp #Kerberos (v4) remote initialization
+ats 2201/tcp #Advanced Training System Program
+ats 2201/udp #Advanced Training System Program
+ivs-video 2232/tcp #IVS Video default
+ivs-video 2232/udp #IVS Video default
+ivsd 2241/tcp #IVS Daemon
+ivsd 2241/udp #IVS Daemon
+pehelp 2307/tcp
+pehelp 2307/udp
+cvspserver 2401/tcp #CVS network server
+cvspserver 2401/udp #CVS network server
+venus 2430/tcp #venus
+venus 2430/udp #venus
+venus-se 2431/tcp #venus-se
+venus-se 2431/udp #venus-se
+codasrv 2432/tcp #codasrv
+codasrv 2432/udp #codasrv
+codasrv-se 2433/tcp #codasrv-se
+codasrv-se 2433/udp #codasrv-se
+rtsserv 2500/tcp #Resource Tracking system server
+rtsserv 2500/udp #Resource Tracking system server
+rtsclient 2501/tcp #Resource Tracking system client
+rtsclient 2501/udp #Resource Tracking system client
+hp-3000-telnet 2564/tcp #HP 3000 NS/VT block mode telnet
+zebrasrv 2600/tcp #zebra service
+zebra 2601/tcp #zebra vty
+ripd 2602/tcp #RIPd vty
+ripngd 2603/tcp #RIPngd vty
+ospfd 2604/tcp #OSPFd vty
+bgpd 2605/tcp #BGPd vty
+ospf6d 2606/tcp #OSPF6d vty
+listen 2766/tcp #System V listener port
+www-dev 2784/tcp #world wide web - development
+www-dev 2784/udp #world wide web - development
+dict 2628/tcp #RFC 2229
+dict 2628/udp #RFC 2229
+eppc 3031/tcp #Remote AppleEvents/PPC Toolbox
+eppc 3031/udp #Remote AppleEvents/PPC Toolbox
+NSWS 3049/tcp
+NSWS 3049/udp
+sj3 3086/tcp #SJ3 (kanji input)
+vmodem 3141/tcp
+vmodem 3141/udp
+ccmail 3264/tcp #cc:mail/lotus
+ccmail 3264/udp #cc:mail/lotus
+dec-notes 3333/tcp #DEC Notes
+dec-notes 3333/udp #DEC Notes
+rsvp-encap 3455/udp #RSVP encapsulated in UDP
+mapper-nodemgr 3984/tcp #MAPPER network node manager
+mapper-nodemgr 3984/udp #MAPPER network node manager
+mapper-mapethd 3985/tcp #MAPPER TCP/IP server
+mapper-mapethd 3985/udp #MAPPER TCP/IP server
+mapper-ws_ethd 3986/tcp #MAPPER workstation server
+mapper-ws_ethd 3986/udp #MAPPER workstation server
+bmap 3421/tcp #Bull Apprise portmapper
+bmap 3421/udp #Bull Apprise portmapper
+prsvp 3455/tcp #RSVP Port
+prsvp 3455/udp #RSVP Port
+vat 3456/tcp #VAT default data
+vat 3456/udp #VAT default data
+vat-control 3457/tcp #VAT default control
+vat-control 3457/udp #VAT default control
+udt_os 3900/tcp #Unidata UDT OS
+udt_os 3900/udp #Unidata UDT OS
+netcheque 4008/tcp #NetCheque accounting
+netcheque 4008/udp #NetCheque accounting
+lockd 4045/udp # NFS lock daemon/manager
+lockd 4045/tcp
+nuts_dem 4132/tcp #NUTS Daemon
+nuts_dem 4132/udp #NUTS Daemon
+nuts_bootp 4133/tcp #NUTS Bootp Server
+nuts_bootp 4133/udp #NUTS Bootp Server
+rwhois 4321/tcp #Remote Who Is
+rwhois 4321/udp #Remote Who Is
+unicall 4343/tcp
+unicall 4343/udp
+krb524 4444/tcp
+krb524 4444/udp
+# PROBLEM krb524 assigned the port,
+# PROBLEM nv used it without an assignment
+nv-video 4444/tcp #NV Video default
+nv-video 4444/udp #NV Video default
+sae-urn 4500/tcp
+sae-urn 4500/udp
+fax 4557/tcp #FAX transmission service
+hylafax 4559/tcp #HylaFAX client-server protocol
+rfa 4672/tcp #remote file access server
+rfa 4672/udp #remote file access server
+commplex-main 5000/tcp
+commplex-main 5000/udp
+commplex-link 5001/tcp
+commplex-link 5001/udp
+rfe 5002/tcp #radio free ethernet
+rfe 5002/udp #radio free ethernet
+telelpathstart 5010/tcp
+telelpathstart 5010/udp
+telelpathattack 5011/tcp
+telelpathattack 5011/udp
+mmcc 5050/tcp #multimedia conference control tool
+mmcc 5050/udp #multimedia conference control tool
+rmonitor_secure 5145/tcp
+rmonitor_secure 5145/udp
+aol 5190/tcp #America-Online
+aol 5190/udp #America-Online
+aol-1 5191/tcp #AmericaOnline1
+aol-1 5191/udp #AmericaOnline1
+aol-2 5192/tcp #AmericaOnline2
+aol-2 5192/udp #AmericaOnline2
+aol-3 5193/tcp #AmericaOnline3
+aol-3 5193/udp #AmericaOnline3
+jabber-client 5222/tcp #Jabber Client Connection
+jabber-client 5222/udp #Jabber Client Connection
+padl2sim 5236/tcp
+padl2sim 5236/udp
+jabber-server 5269/tcp #Jabber Server Connection
+jabber-server 5269/udp #Jabber Server Connection
+hacl-hb 5300/tcp # HA cluster heartbeat
+hacl-hb 5300/udp # HA cluster heartbeat
+hacl-gs 5301/tcp # HA cluster general services
+hacl-gs 5301/udp # HA cluster general services
+hacl-cfg 5302/tcp # HA cluster configuration
+hacl-cfg 5302/udp # HA cluster configuration
+hacl-probe 5303/tcp # HA cluster probing
+hacl-probe 5303/udp # HA cluster probing
+hacl-local 5304/tcp
+hacl-local 5304/udp
+hacl-test 5305/tcp
+hacl-test 5305/udp
+cfengine 5308/tcp
+cfengine 5308/udp
+postgresql 5432/tcp #PostgreSQL Database
+postgresql 5432/udp #PostgreSQL Database
+rplay 5555/udp
+canna 5680/tcp #Canna (Japanese Input)
+proshareaudio 5713/tcp #proshare conf audio
+proshareaudio 5713/udp #proshare conf audio
+prosharevideo 5714/tcp #proshare conf video
+prosharevideo 5714/udp #proshare conf video
+prosharedata 5715/tcp #proshare conf data
+prosharedata 5715/udp #proshare conf data
+prosharerequest 5716/tcp #proshare conf request
+prosharerequest 5716/udp #proshare conf request
+prosharenotify 5717/tcp #proshare conf notify
+prosharenotify 5717/udp #proshare conf notify
+cvsup 5999/tcp #CVSup file transfer/John Polstra/FreeBSD
+x11 6000/tcp #6000-6063 are assigned to X Window System
+x11 6000/udp
+x11-ssh 6010/tcp #Unofficial name, for convenience
+x11-ssh 6010/udp
+softcm 6110/tcp #HP SoftBench CM
+softcm 6110/udp #HP SoftBench CM
+spc 6111/tcp #HP SoftBench Sub-Process Control
+spc 6111/udp #HP SoftBench Sub-Process Control
+meta-corp 6141/tcp #Meta Corporation License Manager
+meta-corp 6141/udp #Meta Corporation License Manager
+aspentec-lm 6142/tcp #Aspen Technology License Manager
+aspentec-lm 6142/udp #Aspen Technology License Manager
+watershed-lm 6143/tcp #Watershed License Manager
+watershed-lm 6143/udp #Watershed License Manager
+statsci1-lm 6144/tcp #StatSci License Manager - 1
+statsci1-lm 6144/udp #StatSci License Manager - 1
+statsci2-lm 6145/tcp #StatSci License Manager - 2
+statsci2-lm 6145/udp #StatSci License Manager - 2
+lonewolf-lm 6146/tcp #Lone Wolf Systems License Manager
+lonewolf-lm 6146/udp #Lone Wolf Systems License Manager
+montage-lm 6147/tcp #Montage License Manager
+montage-lm 6147/udp #Montage License Manager
+ricardo-lm 6148/tcp #Ricardo North America License Manager
+ricardo-lm 6148/udp #Ricardo North America License Manager
+xdsxdm 6558/tcp
+xdsxdm 6558/udp
+ircd 6667/tcp #Internet Relay Chat (unoffical)
+acmsoda 6969/tcp
+acmsoda 6969/udp
+afs3-fileserver 7000/tcp #file server itself
+afs3-fileserver 7000/udp #file server itself
+afs3-callback 7001/tcp #callbacks to cache managers
+afs3-callback 7001/udp #callbacks to cache managers
+afs3-prserver 7002/tcp #users & groups database
+afs3-prserver 7002/udp #users & groups database
+afs3-vlserver 7003/tcp #volume location database
+afs3-vlserver 7003/udp #volume location database
+afs3-kaserver 7004/tcp #AFS/Kerberos authentication service
+afs3-kaserver 7004/udp #AFS/Kerberos authentication service
+afs3-volser 7005/tcp #volume management server
+afs3-volser 7005/udp #volume management server
+afs3-errors 7006/tcp #error interpretation service
+afs3-errors 7006/udp #error interpretation service
+afs3-bos 7007/tcp #basic overseer process
+afs3-bos 7007/udp #basic overseer process
+afs3-update 7008/tcp #server-to-server updater
+afs3-update 7008/udp #server-to-server updater
+afs3-rmtsys 7009/tcp #remote cache manager service
+afs3-rmtsys 7009/udp #remote cache manager service
+afs3-resserver 7010/tcp #MR-AFS residence server
+afs3-resserver 7010/udp #MR-AFS residence server
+afs3-remio 7011/tcp #MR-AFS remote IO server
+afs3-remio 7011/udp #MR-AFS remote IO server
+ups-onlinet 7010/tcp #onlinet uninterruptable power supplies
+ups-onlinet 7010/udp #onlinet uninterruptable power supplies
+font-service 7100/tcp #X Font Service
+font-service 7100/udp #X Font Service
+fodms 7200/tcp #FODMS FLIP
+fodms 7200/udp #FODMS FLIP
+dlip 7201/tcp
+dlip 7201/udp
+natd 8668/divert # Network Address Translation
+jetdirect 9100/tcp #HP JetDirect card
+man 9535/tcp
+man 9535/udp
+sd 9876/tcp #Session Director
+sd 9876/udp #Session Director
+amanda 10080/udp #Dump server control
+amandaidx 10082/tcp #Amanda indexing
+amidxtape 10083/tcp #Amanda tape indexing
+isode-dua 17007/tcp
+isode-dua 17007/udp
+biimenu 18000/tcp #Beckman Instruments, Inc.
+biimenu 18000/udp #Beckman Instruments, Inc.
+dbbrowse 47557/tcp #Databeam Corporation
+dbbrowse 47557/udp #Databeam Corporation
+wnn4 22273/tcp #Wnn4 (Japanese input)
+wnn4_Cn 22289/tcp #Wnn4 (Chinese input)
+wnn4_Tw 22321/tcp #Wnn4 (Taiwanse input)
+wnn4_Kr 22305/tcp #Wnn4 (Korean input)
+wnn6 22273/tcp #Wnn6 (Japanese input)
+wnn6_Cn 22289/tcp #Wnn6 (Chinese input)
+wnn6_Tw 22321/tcp #Wnn6 (Taiwanse input)
+wnn6_Kr 22305/tcp #Wnn6 (Korean input)
+wnn6_DS 26208/tcp #Wnn6 (Dserver)
diff --git a/etc/shells b/etc/shells
new file mode 100644
index 0000000..ae7f33c
--- /dev/null
+++ b/etc/shells
@@ -0,0 +1,12 @@
+# $FreeBSD: src/etc/shells,v 1.5 2000/04/27 21:58:46 ache Exp $
+#
+# List of acceptable shells for chpass(1).
+# Ftpd will not allow users to connect who are not using
+# one of these shells.
+
+/bin/sh
+/bin/csh
+/bin/tcsh
+/usr/local/bin/bash
+/etc/rc.initial
+
diff --git a/etc/sshd b/etc/sshd
new file mode 100755
index 0000000..58c3dbe
--- /dev/null
+++ b/etc/sshd
@@ -0,0 +1,62 @@
+#! /usr/local/bin/php -f
+<?php
+/*
+ sshd - Modified to work on disk based system
+ Copyright 2004 Scott K Ullrich
+
+ Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+ require_once("config.inc");
+
+ $stderr = fopen("php://stderr", "w");
+ fwrite($stderr, "Initializing module ssh...\n");
+
+ if (!is_dir("/var/empty")) {
+ // Home directory of sshd.
+ mkdir("/var/empty", 0555);
+ }
+
+ if(!file_exists("")) {
+ // Login related files.
+ touch("/var/log/lastlog");
+ }
+
+ // Make the root password the same as the admin password of m0n0.
+ $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
+ fwrite($fd, $config['system']['password']);
+ pclose($fd);
+
+ $sshConfigDir = "/etc/ssh";
+ if (!file_exists("$sshConfigDir/ssh_host_key")) {
+ system("/usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key");
+ system("/usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key");
+ system("/usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key");
+ }
+
+ // And finally ...
+ system("sshd");
+ fwrite($stderr, "Done.\n");
+?>
+
diff --git a/etc/syslog.conf b/etc/syslog.conf
new file mode 100644
index 0000000..6b7fbd9
--- /dev/null
+++ b/etc/syslog.conf
@@ -0,0 +1,7 @@
+local0.* %/var/log/filter.log
+local3.* %/var/log/vpn.log
+local7.* %/var/log/dhcpd.log
+*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none;local3.none;local7.none %/var/log/system.log
+security.* %/var/log/system.log
+auth.info;authpriv.info;daemon.info %/var/log/system.log
+*.emerg *
diff --git a/etc/ttys b/etc/ttys
new file mode 100644
index 0000000..5cbe714
--- /dev/null
+++ b/etc/ttys
@@ -0,0 +1,291 @@
+#
+# $FreeBSD: src/etc/etc.i386/ttys,v 1.10 2003/10/24 15:44:08 simokawa Exp $
+# @(#)ttys 5.1 (Berkeley) 4/17/89
+#
+# This file specifies various information about terminals on the system.
+# It is used by several different programs. Common entries for the
+# various columns include:
+#
+# name The name of the terminal device.
+#
+# getty The program to start running on the terminal. Typically a
+# getty program, as the name implies. Other common entries
+# include none, when no getty is needed, and xdm, to start the
+# X Window System.
+#
+# type The initial terminal type for this port. For hardwired
+# terminal lines, this will contain the type of terminal used.
+# For virtual consoles, the correct type is typically cons25, but
+# vt220 will work better if you need interoperability with other
+# systems like Solaris or GNU/Linux.
+# Other common values include network for network connections on
+# pseudo-terminals, dialup for incoming modem ports, and unknown
+# when the terminal type cannot be predetermined.
+#
+# status Must be on or off. If on, init will run the getty program on
+# the specified port. If the word "secure" appears, this tty
+# allows root login.
+#
+# name getty type status comments
+#
+# If console is marked "insecure", then init will ask for the root password
+# when going to single-user mode.
+console none unknown off secure
+#
+ttyv0 "/usr/libexec/getty Pc" cons25 on secure
+ttyp0 none network
+ttyp1 none network
+ttyp2 none network
+ttyp3 none network
+ttyp4 none network
+ttyp5 none network
+ttyp6 none network
+ttyp7 none network
+ttyp8 none network
+ttyp9 none network
+ttypa none network
+ttypb none network
+ttypc none network
+ttypd none network
+ttype none network
+ttypf none network
+ttypg none network
+ttyph none network
+ttypi none network
+ttypj none network
+ttypk none network
+ttypl none network
+ttypm none network
+ttypn none network
+ttypo none network
+ttypp none network
+ttypq none network
+ttypr none network
+ttyps none network
+ttypt none network
+ttypu none network
+ttypv none network
+ttyq0 none network
+ttyq1 none network
+ttyq2 none network
+ttyq3 none network
+ttyq4 none network
+ttyq5 none network
+ttyq6 none network
+ttyq7 none network
+ttyq8 none network
+ttyq9 none network
+ttyqa none network
+ttyqb none network
+ttyqc none network
+ttyqd none network
+ttyqe none network
+ttyqf none network
+ttyqg none network
+ttyqh none network
+ttyqi none network
+ttyqj none network
+ttyqk none network
+ttyql none network
+ttyqm none network
+ttyqn none network
+ttyqo none network
+ttyqp none network
+ttyqq none network
+ttyqr none network
+ttyqs none network
+ttyqt none network
+ttyqu none network
+ttyqv none network
+ttyr0 none network
+ttyr1 none network
+ttyr2 none network
+ttyr3 none network
+ttyr4 none network
+ttyr5 none network
+ttyr6 none network
+ttyr7 none network
+ttyr8 none network
+ttyr9 none network
+ttyra none network
+ttyrb none network
+ttyrc none network
+ttyrd none network
+ttyre none network
+ttyrf none network
+ttyrg none network
+ttyrh none network
+ttyri none network
+ttyrj none network
+ttyrk none network
+ttyrl none network
+ttyrm none network
+ttyrn none network
+ttyro none network
+ttyrp none network
+ttyrq none network
+ttyrr none network
+ttyrs none network
+ttyrt none network
+ttyru none network
+ttyrv none network
+ttys0 none network
+ttys1 none network
+ttys2 none network
+ttys3 none network
+ttys4 none network
+ttys5 none network
+ttys6 none network
+ttys7 none network
+ttys8 none network
+ttys9 none network
+ttysa none network
+ttysb none network
+ttysc none network
+ttysd none network
+ttyse none network
+ttysf none network
+ttysg none network
+ttysh none network
+ttysi none network
+ttysj none network
+ttysk none network
+ttysl none network
+ttysm none network
+ttysn none network
+ttyso none network
+ttysp none network
+ttysq none network
+ttysr none network
+ttyss none network
+ttyst none network
+ttysu none network
+ttysv none network
+ttyP0 none network
+ttyP1 none network
+ttyP2 none network
+ttyP3 none network
+ttyP4 none network
+ttyP5 none network
+ttyP6 none network
+ttyP7 none network
+ttyP8 none network
+ttyP9 none network
+ttyPa none network
+ttyPb none network
+ttyPc none network
+ttyPd none network
+ttyPe none network
+ttyPf none network
+ttyPg none network
+ttyPh none network
+ttyPi none network
+ttyPj none network
+ttyPk none network
+ttyPl none network
+ttyPm none network
+ttyPn none network
+ttyPo none network
+ttyPp none network
+ttyPq none network
+ttyPr none network
+ttyPs none network
+ttyPt none network
+ttyPu none network
+ttyPv none network
+ttyQ0 none network
+ttyQ1 none network
+ttyQ2 none network
+ttyQ3 none network
+ttyQ4 none network
+ttyQ5 none network
+ttyQ6 none network
+ttyQ7 none network
+ttyQ8 none network
+ttyQ9 none network
+ttyQa none network
+ttyQb none network
+ttyQc none network
+ttyQd none network
+ttyQe none network
+ttyQf none network
+ttyQg none network
+ttyQh none network
+ttyQi none network
+ttyQj none network
+ttyQk none network
+ttyQl none network
+ttyQm none network
+ttyQn none network
+ttyQo none network
+ttyQp none network
+ttyQq none network
+ttyQr none network
+ttyQs none network
+ttyQt none network
+ttyQu none network
+ttyQv none network
+ttyR0 none network
+ttyR1 none network
+ttyR2 none network
+ttyR3 none network
+ttyR4 none network
+ttyR5 none network
+ttyR6 none network
+ttyR7 none network
+ttyR8 none network
+ttyR9 none network
+ttyRa none network
+ttyRb none network
+ttyRc none network
+ttyRd none network
+ttyRe none network
+ttyRf none network
+ttyRg none network
+ttyRh none network
+ttyRi none network
+ttyRj none network
+ttyRk none network
+ttyRl none network
+ttyRm none network
+ttyRn none network
+ttyRo none network
+ttyRp none network
+ttyRq none network
+ttyRr none network
+ttyRs none network
+ttyRt none network
+ttyRu none network
+ttyRv none network
+ttyS0 none network
+ttyS1 none network
+ttyS2 none network
+ttyS3 none network
+ttyS4 none network
+ttyS5 none network
+ttyS6 none network
+ttyS7 none network
+ttyS8 none network
+ttyS9 none network
+ttySa none network
+ttySb none network
+ttySc none network
+ttySd none network
+ttySe none network
+ttySf none network
+ttySg none network
+ttySh none network
+ttySi none network
+ttySj none network
+ttySk none network
+ttySl none network
+ttySm none network
+ttySn none network
+ttySo none network
+ttySp none network
+ttySq none network
+ttySr none network
+ttySs none network
+ttySt none network
+ttySu none network
+ttySv none network
diff --git a/etc/version b/etc/version
new file mode 100644
index 0000000..5b526c0
--- /dev/null
+++ b/etc/version
@@ -0,0 +1 @@
+1.2b2
OpenPOWER on IntegriCloud