From 237db535074f50d99197a9ebe1deb96f70816d8a Mon Sep 17 00:00:00 2001 From: Pav Lucistnik Date: Mon, 28 Aug 2006 12:42:54 +0000 Subject: - Provide rc script - Install sample configuration and detailed installation instructions PR: ports/102586 Submitted by: Sevan Janiyan (maintainer) --- net-mgmt/chillispot/Makefile | 15 +- net-mgmt/chillispot/files/chillispot.sh.in | 26 ++ net-mgmt/chillispot/files/installguide.txt | 435 +++++++++++++++++++++++++++ net-mgmt/chillispot/files/ipfw-config.sample | 71 +++++ net-mgmt/chillispot/files/pf.conf.sample | 47 +++ net-mgmt/chillispot/files/pkg-message.in | 8 + net-mgmt/chillispot/pkg-message | 5 - net-mgmt/chillispot/pkg-plist | 6 +- 8 files changed, 602 insertions(+), 11 deletions(-) create mode 100644 net-mgmt/chillispot/files/chillispot.sh.in create mode 100644 net-mgmt/chillispot/files/installguide.txt create mode 100644 net-mgmt/chillispot/files/ipfw-config.sample create mode 100644 net-mgmt/chillispot/files/pf.conf.sample create mode 100644 net-mgmt/chillispot/files/pkg-message.in delete mode 100644 net-mgmt/chillispot/pkg-message (limited to 'net-mgmt/chillispot') diff --git a/net-mgmt/chillispot/Makefile b/net-mgmt/chillispot/Makefile index e6ddd4d174e7..e7b261416525 100644 --- a/net-mgmt/chillispot/Makefile +++ b/net-mgmt/chillispot/Makefile @@ -7,7 +7,7 @@ PORTNAME= chillispot PORTVERSION= 1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net-mgmt MASTER_SITES= http://www.chillispot.org/download/ \ http://www.geeklan.co.uk/files/ \ @@ -20,10 +20,12 @@ GNU_CONFIGURE= yes USE_GETOPT_LONG=yes CONFIGURE_TARGET=-build=${MACHINE_ARCH}-portbld-freebsd${OSREL} CONFIGURE_ARGS=-sysconfdir=${PREFIX}/etc +USE_RC_SUBR= chillispot.sh +SUB_FILES= pkg-message MAN8= chilli.8 OPTIONS= RAW "Latest Release Of Apache & mySQL" Off \ - MATURE "Stable Releases of Apache & mySQL" Off \ + MATURE "Stable Releases of Apache with mod_ssl & MySQL" Off \ FREE "freeRADIUS" Off \ OPENR "openradius" Off 
@@ -35,7 +37,7 @@ RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache20 \ .endif .if defined(WITH_MATURE) -RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache13 \ +RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache13-modssl \ ${LOCALBASE}/libexec/mysqld:${PORTSDIR}/databases/mysql41-server .endif @@ -50,11 +52,14 @@ RUN_DEPENDS+= radiusd:${PORTSDIR}/net/openradius post-install: .if !defined(NOPORTDOCS) ${MKDIR} ${DATADIR} - ${INSTALL_MAN} ${WRKSRC}/doc/chilli.conf ${DATADIR}/chilli.sample + ${INSTALL_MAN} ${WRKSRC}/doc/chilli.conf ${DATADIR}/chilli.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/dictionary.chillispot ${DATADIR} ${INSTALL_MAN} ${WRKSRC}/doc/freeradius.users ${DATADIR} ${INSTALL_MAN} ${WRKSRC}/doc/hotspotlogin.cgi ${DATADIR} + ${INSTALL_MAN} ${FILESDIR}/installguide.txt ${DATADIR} + ${INSTALL_MAN} ${FILESDIR}/pf.conf.sample ${DATADIR} + ${INSTALL_MAN} ${FILESDIR}/ipfw-config.sample ${DATADIR} .endif - ${CAT} ${PKGMESSAGE} + @${CAT} ${PKGMESSAGE} .include diff --git a/net-mgmt/chillispot/files/chillispot.sh.in b/net-mgmt/chillispot/files/chillispot.sh.in new file mode 100644 index 000000000000..4c837587bac5 --- /dev/null +++ b/net-mgmt/chillispot/files/chillispot.sh.in @@ -0,0 +1,26 @@ +#!/bin/sh + +# PROVIDE: chillispot +# REQUIRE: netif +# BEFORE: pf ipfw ipfilter +# KEYWORD: nojail + +. /etc/rc.subr + +chillispot_enable=${chillispot_enable-"NO"} +chillispot_flags=${chillispot_flags-"--conf=/usr/local/etc/chilli.conf"} +chillispot_pidfile=${utility_pidfile-"/var/run/chilli.pid"} + +. /etc/rc.subr + +name="chillispot" +rcvar=`set_rcvar` +command="/usr/local/sbin/chilli" + +load_rc_config $name + +pidfile="${chillipot_pidfile}" + +start_cmd="echo \"Starting ${name}.\"; /usr/bin/nice -5 ${command} ${chillispot_flags} ${command_args}" + +run_rc_command "$1" diff --git a/net-mgmt/chillispot/files/installguide.txt b/net-mgmt/chillispot/files/installguide.txt new file mode 100644 index 000000000000..1b9976252f1f --- /dev/null 
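Review bot: In the new chillispot.sh.in, `pidfile="${chillipot_pidfile}"` misspells the variable (missing "s") and the default a few lines earlier is taken from `utility_pidfile` rather than `chillispot_pidfile`, so `pidfile` ends up empty and `stop`/`status` (and the plist's `forcestop`) fall back to matching the process by name; the two lines should read `chillispot_pidfile=${chillispot_pidfile-"/var/run/chilli.pid"}` and `pidfile="${chillispot_pidfile}"`. `/usr/local/etc/chilli.conf` and `/usr/local/sbin/chilli` are hard-coded in an `.in` template that USE_RC_SUBR already substitutes, so `%%PREFIX%%` belongs there. `. /etc/rc.subr` is sourced twice, and the custom `start_cmd` expands an unset `command_args`; rc.subr documents a `${name}_nice` knob, so the override could probably be replaced by `chillispot_nice=5` and the default start — worth confirming against rc.subr on the supported releases. Finally, `BEFORE: pf ipfw ipfilter` starts chilli before any firewall ruleset is loaded, which is presumably needed so `$chilli_if:network` resolves, but if IP forwarding is already on it leaves an unfiltered window at boot that deserves a comment in the script.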
+++ b/net-mgmt/chillispot/files/installguide.txt 
@@ -0,0 +1,435 @@ + Installing Chillispot on FreeBSD + By Venture37 + www.geeklan.co.uk + venture37@geekla.co.uk + + +This guide will cover how to get a basic Chillispot installation going with Apache 1.3 + mod_ssl, mySQL 4.1, freeRADIUS & OpenBSD's Packet Filter PF + +1) Update your ports tree!!!! +Instructions on how to do so are included in the HandBook under the Using CVSup section: +http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html + +2) Once the update is complete goto {PORTSDIR}/net-mgmt/chillispot & run make install, you'll be presented with a menu, select: +MATURE Stable Releases of Apache with mod_ssl & mySQL +& +FREE freeRADIUS +& choose Ok + +During the build process you'll be asked what flavour of freeRADIUS you'd like to build, +choose MYSQL With MySQL user database + +3) When the build & install process is complete go back to the apache directory, +regenerate & install some new certs & optionally remove the preinstalled snakeoil test ones. +goto {PORTSDIR}/www/apache13-modssl +& run make certificate TYPE=custom +Answer the questions in each step & when you're finished you'll be given a summary of files & their functions +Now copy those files from the summary by going to work/apache_1.X.XX/conf & copy the certs to your apache config directory +(replace X.XX with the relevant version number) +cp work/apache_1.X.XX/conf/ssl.key/ca.key {PREFIX}/etc/apache/ssl.key/ +cp work/apache_1.XXX/conf/ssl.key/server.key {PREFIX}/etc/apache/ssl.key/ +cp work/apache_1.XXX/conf/ssl.crt/ca.crt {PREFIX}/etc/apache/ssl.crt/ +cp work/apache_1.XXX/conf/ssl.crt/server.crt {PREFIX}/etc/apache/ssl.crt/ +chmod 400 {PREFIX}/etc/apache/ssl.key/ca.key +chmod 400 {PREFIX}/etc/apache/ssl.crt/ca.crt + +Optional: +rm {PREFIX}/etc/apache/ssl.key/snakeoil-* +rm {PREFIX}/etc/apache/ssl.crt/snakeoil-* +then goto {PREFIX}/etc/apache/ssl.crt/ & delete the bunch of alphanumeric filenamed symbolic links + +4) Put Chillispots files into place: +copy hotspotlogin.cgi from 
{PREFIX}/share/chillispot/ to {PREFIX}/www/cgi/ +& make it executable: +chmod 555 {PREFIX}/www/cgi-bin/hotspotlogin.cgi + +put chillispot.conf file into place +cp {PREFIX}/share/chillispot/chilli.conf.sample {PREFIX}/etc/chilli.conf + +freeRADIUS related files +cp {PREFIX}/share/chillispot/dictionary.chillispot {PREFIX}/etc/raddb/ +cp {PREFIX}/share/chillispot/freeradius.users {PREFIX}/etc/raddb/ + +PF Config file +cp {PREFIX}/share/chillispot/pf.conf.sample /etc/pf.conf + +5) Setup MySQL +run ./mysql_install_db +& follow the onscreen instructions provided to set a new root password + +6) Create a Database for freeRADIUS +at the mysql prompt issue the following: +create database mydbname; +grant all privileges on mydbname.* to 'dbusername'@'localhost' identified by 'mypass'; +flush privileges; +quit; + +7) Import the freeRADIUS MySQL DB Schema +by running the following: +mysql -u dbusrname -p mydbname < {PREFIX}/share/doc/freeradius/examples/mysql.sql + +8) Configure freeRADIUS +goto {PREFIX}/etc/raddb +trim .sample from the end of the filenames off the following files: +acct_users +certs +clients.conf +dictionary , then edit if & add $INCLUDE dictionary.chillispot + +eap.conf +hints +huntgroups +preproxy_users +proxy.conf +radiusd.conf +snmp.conf +sql.conf +users + +9) Before going ahead & configuring freeRADIUS to use MySQL +setup a basic account using the existing flatfiles to make sure everything is working so far +edit {PREFIX}/etc/raddb/clients.conf +& change the secret entry e.g: +secret = s3cr3t + +then add the sample chillispot user by copying the contents of freeradius.users to users + +then run adduser to create a user which radiusd will run under +#adduser +Username: radiusd +Full name: freeRADIUS +Uid (Leave empty for default): +Login group [radiusd]: +Login group is radiusd. Invite radiusd into other groups? 
[]: +Login class [default]: +Shell (sh csh tcsh nologin) [sh]: nologin +Home directory [/home/radiusd]: /nonexistent +Use password-based authentication? [yes]: +Use an empty password? (yes/no) [no]: +Use a random password? (yes/no) [no]: y +Lock out the account after creation? [no]: y +Username : radiusd +Password : +Full Name : freeRADIUS +Uid : 1002 +Class : +Groups : radiusd +Home : /nonexistent +Shell : /usr/sbin/nologin +Locked : yes +OK? (yes/no): y +adduser: INFO: Successfully added (radiusd) to the user database. +adduser: INFO: Password for (radiusd) is: blablabla123 +adduser: INFO: Account (radiusd) is locked. + +now edit {PREFIX}/etc/raddb/radiusd.conf +uncomment & change the user & group entries from +#user = nobody to user = radiusd +#group = nobody to group = radiusd + & change +proxy_requests = yes to no + +10) Now fireup freeRADIUS in debug mode + by issuing {PREFIX}/sbin/radiusd -X +& using the radtest tool query freeRADIUS +radtest steve testing localhost 1812 s3cr3t + +you should get the following output back: +Sending Access-Request of id 57 to 127.0.0.1 port 1812 + User-Name = "steve" + User-Password = "testing" + NAS-IP-Address = 255.255.255.255 + NAS-Port = 1812 +rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=57, length=74 + Class = 0x30373032333435363738 + Session-Timeout = 3600 + Idle-Timeout = 600 + Acct-Interim-Interval = 60 + WISPr-Bandwidth-Max-Up = 128000 + WISPr-Bandwidth-Max-Down = 512000 + +if you're not sure if freeRADIUS is listening on port 1812/udp or 1645/udp check your /etc/services file +$ cat /etc/services | grep radius +# IMPORTANT NOTE: Ports 1645/1646 are the traditional radius ports used by +#radius 1645/udp #RADIUS authentication protocol (old) +radius 1812/udp #RADIUS authentication protocol (IANA sanctioned) + +If everything went along ok without any errors edit users & remove the entries you added from chillispots freeradius.users files. 
+ +11) Configuring freeRADIUS to use MySQL instead of flat files +edit {PREFIX}/etc/raddb/sql.conf & +change the login, password & radius_db entries to those used in step 6 +then uncomment + #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}" +& comment out sql_user_name = "%{User-Name}" +if you'd like to use shortames (username minus realm) aswell as user@realm.f00 & :-DEFAULT +then uncomment simul_count_query + +edit {PREFIX}/etc/raddb/radiusd.conf +then uncomment sql in the Authorize { +comment out unix in Authenticate { +comment out files in preacct { +uncomment sql in accounting { +comment radutmp & uncomment sql in session { + +freeRADIUS is now setup to use MySQL. + +12) You now need to setup some users for your wireless clients to use +12.1: login to the mysql console: +mysql -u dbusername -p + +12.2: choose the database you created for freeRADIUS to work on +mysql> use mydbname; + +12.3: lets see what in here: +mysql> show tables; ++----------------------+ +| Tables_in_mydbname | ++----------------------+ +| nas | +| radacct | +| radcheck | +| radgroupcheck | +| radgroupreply | +| radpostauth | +| radreply | +| usergroup | ++----------------------+ +8 rows in set (0.00 sec) + +12.4: to see what fields you need to fill in isse: +mysql> show columns from radcheck; ++-----------+------------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+------------------+------+-----+---------+----------------+ +| id | int(11) unsigned | | PRI | NULL | auto_increment | +| UserName | varchar(64) | | MUL | | | +| Attribute | varchar(32) | | | | | +| op | char(2) | | | == | | +| Value | varchar(253) | | | | | ++-----------+------------------+------+-----+---------+----------------+ +5 rows in set (0.01 sec) + +12.5: lets add our first username: +mysql> insert into radcheck (Username, Attribute, Value) VALUES ('fry', 'Password', 'walkingonsunshine'); +Query OK, 1 row affected (0.00 sec) + +12.6: is it 
there? +mysql> select * from radcheck; ++----+----------+-----------+----+-------------------+ +| id | UserName | Attribute | op | Value | ++----+----------+-----------+----+-------------------+ +| 1 | fry | Password | == | walkingonsunshine | ++----+----------+-----------+----+-------------------+ +1 row in set (0.00 sec) + +12.7: assign the user to a group: +mysql> show columns from usergroup; ++-----------+-------------+------+-----+---------+-------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+-------------+------+-----+---------+-------+ +| UserName | varchar(64) | | MUL | | | +| GroupName | varchar(64) | | | | | +| priority | int(11) | | | 1 | | ++-----------+-------------+------+-----+---------+-------+ +3 rows in set (0.01 sec) + +mysql> insert into usergroup (UserName, GroupName, Priority) VALUES ('fry', 'dynamic', 1); +Query OK, 1 row affected (0.00 sec) + +mysql> select * from usergroup; ++----------+-----------+----------+ +| UserName | GroupName | priority | ++----------+-----------+----------+ +| fry | dynamic | 1 | ++----------+-----------+----------+ +1 row in set (0.01 sec) + +12.8) Authorization Type: +mysql> show columns from radgroupcheck; ++-----------+------------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+------------------+------+-----+---------+----------------+ +| id | int(11) unsigned | | PRI | NULL | auto_increment | +| GroupName | varchar(64) | | MUL | | | +| Attribute | varchar(32) | | | | | +| op | char(2) | | | == | | +| Value | varchar(253) | | | | | ++-----------+------------------+------+-----+---------+----------------+ +5 rows in set (0.00 sec) + +mysql> insert into radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local'); +Query OK, 1 row affected (0.00 sec) + +mysql> select * from radgroupcheck; ++----+-----------+-----------+----+-------+ +| id | GroupName | Attribute | op | Value | 
++----+-----------+-----------+----+-------+ +| 1 | dynamic | Auth-Type | == | Local | ++----+-----------+-----------+----+-------+ +1 row in set (0.00 sec) + + +mysql> show columns from radgroupcheck; ++-----------+------------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+------------------+------+-----+---------+----------------+ +| id | int(11) unsigned | | PRI | NULL | auto_increment | +| GroupName | varchar(64) | | MUL | | | +| Attribute | varchar(32) | | | | | +| op | char(2) | | | == | | +| Value | varchar(253) | | | | | ++-----------+------------------+------+-----+---------+----------------+ +5 rows in set (0.00 sec) + +12.9) User & Group Attribute settings +User specific attributes: +mysql> show columns from radreply; ++-----------+------------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+------------------+------+-----+---------+----------------+ +| id | int(11) unsigned | | PRI | NULL | auto_increment | +| UserName | varchar(64) | | MUL | | | +| Attribute | varchar(32) | | | | | +| op | char(2) | | | = | | +| Value | varchar(253) | | | | | ++-----------+------------------+------+-----+---------+----------------+ +5 rows in set (0.00 sec) + +mysql> insert into radreply (UserName, Attribute, Value) VALUES ('fry', 'Class', '0702345678'); +Query OK, 1 row affected (0.01 sec) + +mysql> select * from radreply; ++----+----------+-----------+----+------------+ +| id | UserName | Attribute | op | Value | ++----+----------+-----------+----+------------+ +| 1 | fry | Class | = | 0702345678 | ++----+----------+-----------+----+------------+ +1 row in set (0.00 sec) + +Group specific settings: +mysql> show columns from radgroupreply; ++-----------+------------------+------+-----+---------+----------------+ +| Field | Type | Null | Key | Default | Extra | ++-----------+------------------+------+-----+---------+----------------+ +| id | 
int(11) unsigned | | PRI | NULL | auto_increment | +| GroupName | varchar(64) | | MUL | | | +| Attribute | varchar(32) | | | | | +| op | char(2) | | | = | | +| Value | varchar(253) | | | | | ++-----------+------------------+------+-----+---------+----------------+ +5 rows in set (0.00 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Session-Timeout', '3600'); +Query OK, 1 row affected (0.00 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Idle-Timeout', '600'); +Query OK, 1 row affected (0.00 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Acct-Interim-Interval', '60'); +Query OK, 1 row affected (0.01 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Redirection-URL', 'http://www.geeklan.co.uk'); +Query OK, 1 row affected (0.00 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Up', '128000'); +Query OK, 1 row affected (0.01 sec) + +mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Down', '512000'); +Query OK, 1 row affected (0.01 sec) + +mysql> select * from radgroupreply; ++----+-----------+--------------------------+----+--------------------------+ +| id | GroupName | Attribute | op | Value | ++----+-----------+--------------------------+----+--------------------------+ +| 1 | dynamic | Session-Timeout | = | 3600 | +| 2 | dynamic | Idle-Timeout | = | 600 | +| 3 | dynamic | Acct-Interim-Interval | = | 60 | +| 4 | dynamic | WISPr-Redirection-URL | = | http://www.geeklan.co.uk | +| 5 | dynamic | WISPr-Bandwidth-Max-Up | = | 128000 | +| 6 | dynamic | WISPr-Bandwidth-Max-Down | = | 512000 | ++----+-----------+--------------------------+----+--------------------------+ +6 rows in set (0.00 sec) + +Test: +{PREFIX}/bin/radtest fry walkingonsunshine localhost 1812 s3cr3t +Sending 
Access-Request of id 250 to 127.0.0.1 port 1812 + User-Name = "fry" + User-Password = "walkingonsunshine" + NAS-IP-Address = 255.255.255.255 + NAS-Port = 1812 +rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=250, length=106 + Class = 0x30373032333435363738 + Session-Timeout = 3600 + Idle-Timeout = 600 + Acct-Interim-Interval = 60 + WISPr-Redirection-URL = "http://www.geeklan.co.uk" + WISPr-Bandwidth-Max-Up = 128000 + WISPr-Bandwidth-Max-Down = 512000 + +13) Nearly There +edit {PREFIX}/etc/chilli.conf +& change the dns1 & dns2 entries to your dns servers +(note, if you're not running a dns server locally you'll need to uncomment uamanydns) +change radiusserver1 & radiusserver2 to localhost +set radiussecret to whatever you selected in step 9 +e.g s3cr3t +set dhcpif to your wifi card e.g ral0 +change uamserver to https://192.168.182.1/cgi-bin/hotspotlogin.cgi +(if you're not running a dns server locally, if you are use the fqdn) +change the uamsecret to another value, then edit {PREFIX}/www/cgi-bin/hotspotlogin.cgi & add the same value to $uamsecret + +14) Finishing Stage +Edit /etc/pf.conf & make sure the $ext_if & $int_if are correct +Edit /etc/rc.conf & add the following: +chillispot_enable="YES" +apache_enable="YES" +radiusd_enale="YES" +mysql_enable="YES" +pf_enable="YES" # Enable PF (load module if required) +pf_rules="/etc/pf.conf" # rules definition file for pf +pf_flags="" # additional flags for pfctl startup +pflog_enable="YES" # start pflogd(8) +pflog_logfile="/var/log/pflog" # where pflogd should store the logfile +pflog_flags="" # additional flags for pflogd startup +gateway_enable="YES" + +& remove any IP addresses assigned to your wifi card +this is enough for chilli to work: +ifconfig_ral0="ssid chilli mediaopt hostap mode 11b" + +save & reboot or quit to back to the shell & run the following to get everything started +{PREFIX}/etc/rc.d/chillispot start +{PREFIX}/etc/rc.d/apache.sh start you'll be asked for the password that you assigned 
whilst generating the certs in the step 3 +{PREFIX}/etc/rc.d/mysql-server start +{PREFIX}/etc/rc.d/radiusd start +pfctl -e +pfctl -f /etc/pf.conf + + + +THE END!!! + + + +Original Sources for info: +OpenBSD PF FAQ +http://www.openbsd.org/faq/ + +The FreeBSD HandBook +http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html + +SB's very rough notes to FreeRadius and MySQL +http://www.frontios.com/freeradius.html + +ONLamp Getting Started with FreeRADIUS +http://www.onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html?page=1 + + +TAASC MySQL Basics +http://www.analysisandsolutions.com/code/mybasic.htm + +This work is licensed under the Creative Commons Attribution-Share Alike 2.5 License. To view a copy of this license, visit +http://creativecommons.org/licenses/by-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, +94105, USA. + diff --git a/net-mgmt/chillispot/files/ipfw-config.sample b/net-mgmt/chillispot/files/ipfw-config.sample new file mode 100644 index 000000000000..93829e8f4912 --- /dev/null +++ b/net-mgmt/chillispot/files/ipfw-config.sample 
@@ -0,0 +1,71 @@
+network inetrface
+
+fxp0 : 11.11.11.1
+fxp1 : 10.14.1.254
+
+/etc/ipnat.rules
+
+# NAT
+#
+map fxp0 192.168.182.0/24 -> 11.11.11.1/32 portmap tcp/udp auto
+
+--------------------------------------------------------
+
+/usr/local/etc/rc.d/ipfw.sh
+
+#!/bin/sh
+
+RULENO="1500"
+
+EXT_IF="fxp0"
+INT_IF="fxp1"
+
+EXT_IP="11.11.11.1"
+#INT_IP="10.14.1.0/24"
+
+# flush rules
+#
+ipfw -f flush
+
+## setup loopback
+##
+ipfw $RULENO add pass all from any to any via lo0
+ipfw add deny all from any to 127.0.0.0/8
+ipfw add deny ip from 127.0.0.0/8 to any
+
+# allow related and established on all interfaces
+#
+ipfw add pass ip from any to any established
+
+# allow SA connect to me , deny any others use ssh
+#
+ipfw add pass tcp from 11.11.11.5 to any setup
+ipfw add deny tcp from any to ${EXT_IP} 22
+
+## allow me (firewall) to access anywhere
+##
+ipfw add pass tcp from ${EXT_IP} to any setup
+ipfw add pass udp from ${EXT_IP} to any keep-state
+
+## allow tun0 device to connect to anywhere
+##
+ipfw add pass tcp from any to any via tun0 setup
+ipfw add pass udp from any to any via tun0 keep-state
+
+# allow icmp
+#
+ipfw add pass icmp from any to any icmptypes 0,3,8,11
+
+# allow http , https and dns on internal interface
+#
+ipfw add pass tcp from any to any 80 via ${INT_IF} setup
+ipfw add pass tcp from any to any 443 via ${INT_IF} setup
+ipfw add pass udp from any to any 53 via ${INT_IF} keep-state
+
+# allow tcp port 3990 on internal interface for chillispot redirection
+#
+ipfw add pass tcp from any to any 3990 via ${INT_IF} setup
+
+# except for any condition above , reject everything on all interfaces
+#
+ipfw add deny all from any to any
diff --git a/net-mgmt/chillispot/files/pf.conf.sample b/net-mgmt/chillispot/files/pf.conf.sample
new file mode 100644
index 000000000000..73a3d9cd2ab2
--- /dev/null
+++ b/net-mgmt/chillispot/files/pf.conf.sample
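Review bot: `ipfw add pass ip from any to any established` is stateless — it matches any TCP segment with ACK or RST set on every interface, including inbound on `${EXT_IF}` ahead of the later deny rules — so spoofed-ACK traffic and ACK scans pass straight through; the stateful form is `ipfw add check-state` in its place with `keep-state` appended to each `setup` rule (e.g. `ipfw add pass tcp from ${EXT_IP} to any setup keep-state`). The tun0 rules `pass tcp from any to any via tun0 setup` and `pass udp from any to any via tun0 keep-state` let authenticated hotspot clients reach the `${INT_IF}` network and the gateway's own services, not only the Internet; a `deny ip from any to 10.14.1.0/24 via tun0` (and one for the firewall's own addresses) placed before them would scope that down. The sample also pairs ipfw filtering with an `/etc/ipnat.rules` NAT entry, which needs ipfilter loaded alongside ipfw — presumably intended, but worth stating in the header, as is the fact that the file is not a runnable script as shipped (prose precedes the `#!/bin/sh`).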
@@ -0,0 +1,47 @@
+#
+# Basic Chillispot PF Config
+# A tweak of Example 1 from the PF FAQ
+# http://www.openbsd.org/faq/pf/example1.html
+# By Venture37
+# venture37@geeklan.co.uk
+# http://www.geeklan.co.uk
+
+# macros
+int_if = "ral0"
+ext_if = "fxp0"
+chilli_if = "tun0"
+
+tcp_services = "{ 22, 113 }"
+icmp_types = "echoreq"
+
+priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
+
+# options
+set block-policy return
+set loginterface $ext_if
+
+# scrub
+scrub in all
+
+# nat/rdr
+nat on $ext_if from $chilli_if:network to any -> ($ext_if)
+
+# filter rules
+block all
+
+pass quick on lo0 all
+
+block drop in quick on $ext_if from $priv_nets to any
+block drop out quick on $ext_if from any to $priv_nets
+block drop on $int_if all
+
+pass in on $ext_if inet proto tcp from any to ($ext_if) \
+ port $tcp_services flags S/SA keep state
+
+pass in inet proto icmp all icmp-type $icmp_types keep state
+
+pass in on $chilli_if from $chilli_if:network to any keep state
+pass out on $chilli_if from any to $chilli_if:network keep state
+
+pass out on $ext_if proto tcp all modulate state flags S/SA
+pass out on $ext_if proto { udp, icmp } all keep state
diff --git a/net-mgmt/chillispot/files/pkg-message.in b/net-mgmt/chillispot/files/pkg-message.in
new file mode 100644
index 000000000000..ea7cd10b5287
--- /dev/null
+++ b/net-mgmt/chillispot/files/pkg-message.in
@@ -0,0 +1,8 @@
+|
+| OK, everything you're going to need is going to be in %%DATADIR%%
+| This update includes a sample ipfw config files, a sample pf config file and
+| a installation guide which covers how to get a basic hotspot up & running
+| with chillispot, freeRADIUS & Apache+mod_ssl
+|
+| For further config info/help check out the chillispot forum & mailing list
+|
diff --git a/net-mgmt/chillispot/pkg-message b/net-mgmt/chillispot/pkg-message
deleted file mode 100644
index b427e44bf791..000000000000
--- a/net-mgmt/chillispot/pkg-message
+++ /dev/null
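Review bot: `pass in on $chilli_if from $chilli_if:network to any keep state` lets authenticated hotspot clients reach every destination the gateway can, including its own services and the RFC1918 ranges behind `$int_if` and `$ext_if` — the two `block drop ... $priv_nets` rules only guard `$ext_if`. Clients still need the login portal on the gateway's `$chilli_if` address, so a pair such as `pass in quick on $chilli_if proto tcp from $chilli_if:network to ($chilli_if) port 443 keep state` followed by `block drop in quick on $chilli_if from $chilli_if:network to $priv_nets`, placed ahead of the broad pass, would confine them to the Internet (add DNS to the allow if it is served locally). `tcp_services = "{ 22, 113 }"` exposes SSH on `$ext_if` to any source; a source restriction or `max-src-conn-rate` on that rule is worth considering in a sample people copy verbatim. `$chilli_if:network` only resolves if `tun0` already carries an address when the ruleset loads, which is presumably why the rc script orders chilli before pf — a comment saying so would spare the next reader a failed `pfctl -f`.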
@@ -1,5 +0,0 @@
-A bit of post install work needs to be done to get everything rolling
-rename & copy chillspot.sample from ${PREFIX}/share/chillispot/ to ${PREFIX}/etc/chillispot.conf
-& hotspotlogin.cgi from ${PREFIX}/share/chillispot/ to your apache cgi-bin directory
-
-For further config info/help check out the chillispot forum & mailing list
diff --git a/net-mgmt/chillispot/pkg-plist b/net-mgmt/chillispot/pkg-plist
index 30558537e1bc..022be5f5d91c 100644
--- a/net-mgmt/chillispot/pkg-plist
+++ b/net-mgmt/chillispot/pkg-plist
@@ -1,6 +1,10 @@
+@unexec %D/etc/rc.d/chillispot forcestop 2>/dev/null || true
 sbin/chilli
-%%DATADIR%%/chilli.sample
+%%DATADIR%%/chilli.conf.sample
 %%DATADIR%%/dictionary.chillispot
 %%DATADIR%%/freeradius.users
 %%DATADIR%%/hotspotlogin.cgi
+%%DATADIR%%/pf.conf.sample
+%%DATADIR%%/ipfw-config.sample
+%%DATADIR%%/installguide.txt
 @dirrm %%DATADIR%%
-- cgit v1.2.3
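Review bot: `@unexec %D/etc/rc.d/chillispot forcestop 2>/dev/null || true` assumes the rc script is installed without its `.sh` suffix, while the Makefile declares `USE_RC_SUBR= chillispot.sh` and the shipped guide itself invokes `%D/etc/rc.d/apache.sh`; on a release where the ports framework keeps the suffix the path does not exist, the `|| true` hides the failure, and the daemon is left running across deinstall. Confirm the installed name on every supported release, and if the tree in use provides the `%%RC_SUBR_SUFFIX%%` plist substitution for this purpose, use `%D/etc/rc.d/chillispot%%RC_SUBR_SUFFIX%%` here. Note also that the rc script's `pidfile` as written expands to an undefined variable, so this `forcestop` will fall back to killing by process name rather than by pid.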