<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br><div><div><br></div><div><div>root@BornAgain2:~# cat /etc/nodogsplash/nodogsplash.conf </div><div>#</div><div># Nodogsplash Configuration File</div><div>#</div><div><br></div><div># Parameter: GatewayInterface</div><div># Default: NONE</div><div>#</div><div># GatewayInterface is not autodetected, has no default, and must be set here.</div><div># Set GatewayInterface to the interface on your router</div><div># that is to be managed by Nodogsplash.</div><div># Typically br-lan for the wired and wireless lan on OpenWrt White Russian.</div><div># May be br-lan on OpenWrt Kamikaze.</div><div>#</div><div>GatewayInterface br-lan</div><div><br></div><div># FirewallRuleSet: authenticated-users</div><div>#</div><div># Control access for users after authentication.</div><div># These rules are inserted at the beginning of the</div><div># FORWARD chain of the router's filter table, and</div><div># apply to packets that have come in to the router</div><div># over the GatewayInterface from MAC addresses that</div><div># have authenticated with Nodogsplash, and that are</div><div># destined to be routed through the router. The rules are</div><div># considered in order, and the first rule that matches</div><div># a packet applies to it.</div><div># If there are any rules in this ruleset, an authenticated</div><div># packet that does not match any rule is rejected.</div><div># N.B.: This ruleset is completely independent of</div><div># the preauthenticated-users ruleset.</div><div>#</div><div>FirewallRuleSet authenticated-users {</div><div><br></div><div> # You may want to open access to a machine on a local</div><div> # subnet that is otherwise blocked (for example, to</div><div> # serve a redirect page; see RedirectURL). If so,</div><div> # allow that explicitly here, e.g:</div><div> # FirewallRule allow tcp port 80 to 192.168.254.254</div><div><br></div><div> # Your router may have several interfaces, and you</div><div> # probably want to keep them private from the GatewayInterface.</div><div> # If so, you should block the entire subnets on those interfaces, e.g.:</div><div> #FirewallRule block to 192.168.0.0/16</div><div> #FirewallRule block to 10.0.0.0/8</div><div><br></div><div> # Typical ports you will probably want to open up include</div><div> # 53 udp and tcp for DNS,</div><div> # 80 for http,</div><div> # 443 for https,</div><div> # 22 for ssh:</div><div> #FirewallRule allow tcp port 53</div><div> #FirewallRule allow udp port 53</div><div> #FirewallRule allow tcp port 80</div><div> #FirewallRule allow tcp port 443</div><div> #FirewallRule allow tcp port 22</div><div> FirewallRule allow all</div><div><br></div><div>}</div><div># end FirewallRuleSet authenticated-users</div><div><br></div><div><br></div><div># FirewallRuleSet: preauthenticated-users</div><div>#</div><div># Control access for users before authentication.</div><div># These rules are inserted in the PREROUTING chain</div><div># of the router's nat table, and in the</div><div># FORWARD chain of the router's filter table.</div><div># These rules apply to packets that have come in to the </div><div># router over the GatewayInterface from MAC addresses that</div><div># are not on the BlockedMACList or TrustedMACList,</div><div># are *not* authenticated with Nodogsplash. The rules are</div><div># considered in order, and the first rule that matches</div><div># a packet applies to it. A packet that does not match </div><div># any rule here is rejected.</div><div># N.B.: This ruleset is completely independent of</div><div># the authenticated-users and users-to-router rulesets.</div><div>#</div><div>FirewallRuleSet preauthenticated-users {</div><div> # For preauthenticated users to resolve IP addresses in their initial</div><div> # request not using the router itself as a DNS server,</div><div> # you probably want to allow port 53 udp and tcp for DNS.</div><div> FirewallRule allow tcp port 53<span class="Apple-tab-span" style="white-space:pre"> </span></div><div> FirewallRule allow udp port 53</div><div> # For splash page content not hosted on the router, you</div><div> # will want to allow port 80 tcp to the remote host here.</div><div> # Doing so circumvents the usual capture and redirect of</div><div> # any port 80 request to this remote host.</div><div> # Note that the remote host's numerical IP address must be known</div><div> # and used here. </div><div> # FirewallRule allow tcp port 80 to 123.321.123.321</div><div>}</div><div># end FirewallRuleSet preauthenticated-users</div><div><br></div><div><br></div><div># FirewallRuleSet: users-to-router</div><div>#</div><div># Control access to the router itself from the GatewayInterface.</div><div># These rules are inserted at the beginning of the</div><div># INPUT chain of the router's filter table, and</div><div># apply to packets that have come in to the router</div><div># over the GatewayInterface from MAC addresses that</div><div># are not on the TrustedMACList, and are destined for</div><div># the router itself. The rules are</div><div># considered in order, and the first rule that matches</div><div># a packet applies to it. </div><div># If there are any rules in this ruleset, a</div><div># packet that does not match any rule is rejected.</div><div>#</div><div>FirewallRuleSet users-to-router {</div><div> # Nodogsplash automatically allows tcp to GatewayPort,</div><div> # at GatewayAddress, to serve the splash page.</div><div> # However you may want to open up other ports, e.g.</div><div> # 53 for DNS and 67 for DHCP if the router itself is</div><div> # providing these services.</div><div> FirewallRule allow udp port 53<span class="Apple-tab-span" style="white-space:pre"> </span></div><div> FirewallRule allow tcp port 53<span class="Apple-tab-span" style="white-space:pre"> </span></div><div> FirewallRule allow udp port 67</div><div> # You may want to allow ssh, http, and https to the router</div><div> # for administration from the GatewayInterface. If not,</div><div> # comment these out.</div><div> FirewallRule allow tcp port 22</div><div> FirewallRule allow tcp port 23</div><div> FirewallRule allow tcp port 80</div><div> FirewallRule allow tcp port 443</div><div>}</div><div># end FirewallRuleSet users-to-router</div><div><br></div><div># EmptyRuleSetPolicy directives</div><div># The FirewallRuleSets that NoDogSplash permits are:</div><div>#</div><div># authenticated-users</div><div># preauthenticated-users</div><div># users-to-router</div><div># trusted-users</div><div># trusted-users-to-router</div><div>#</div><div># For each of these, an EmptyRuleSetPolicy can be specified.</div><div># An EmptyRuleSet policy applies to a FirewallRuleSet if the</div><div># FirewallRuleSet is missing from this configuration file,</div><div># or if it exists but contains no FirewallRules.</div><div>#</div><div># The possible values of an EmptyRuleSetPolicy are:</div><div># allow -- packets are accepted</div><div># block -- packets are rejected</div><div># passthrough -- packets are passed through to pre-existing firewall rules</div><div>#</div><div># Default EmptyRuleSetPolicies are set as follows:</div><div># EmptyRuleSetPolicy authenticated-users passthrough</div><div># EmptyRuleSetPolicy preauthenticated-users block</div><div># EmptyRuleSetPolicy users-to-router block</div><div># EmptyRuleSetPolicy trusted-users allow</div><div># EmptyRuleSetPolicy trusted-users-to-router allow</div><div><br></div><div><br></div><div># Parameter: GatewayName</div><div># Default: NoDogSplash</div><div>#</div><div># Set GatewayName to the name of your gateway. This value</div><div># will be available as variable $gatewayname in the splash page source</div><div># and in status output from ndsctl, but otherwise doesn't matter.</div><div># If none is supplied, the value "NoDogSplash" is used.</div><div>#</div><div># GatewayName NoDogSplash</div><div><br></div><div># Parameter: GatewayAddress</div><div># Default: Discovered from GatewayInterface</div><div>#</div><div># This should be autodetected on an OpenWRT system, but if not:</div><div># Set GatewayAddress to the IP address of the router on</div><div># the GatewayInterface. This is the address that the Nodogsplash</div><div># server listens on.</div><div>#</div><div># GatewayAddress 192.168.1.1</div><div><br></div><div># Parameter: ExternalInterface</div><div># Default: Autodetected from /proc/net/route</div><div>#</div><div># This should be autodetected on a OpenWRT system, but if not:</div><div># Set ExtrnalInterface to the 'external' interface on your router, </div><div># i.e. the one which provides the default route to the internet.</div><div># Typically vlan1 for OpenWRT.</div><div>#</div><div># ExternalInterface vlan1</div><div><br></div><div># Parameter: RedirectURL</div><div># Default: none</div><div>#</div><div># After authentication, normally a user is redirected </div><div># to their initially requested page. </div><div># If RedirectURL is set, the user is redirected to this URL instead.</div><div># </div><div># RedirectURL <a href="http://www.ilesansfil.org/">http://www.ilesansfil.org/</a></div><div><br></div><div># Parameter: GatewayPort</div><div># Default: 2050</div><div>#</div><div># Nodogsplash's own http server uses GatewayAddress as its IP address.</div><div># The port it listens to at that IP can be set here; default is 2050.</div><div>#</div><div># GatewayPort 2050</div><div><br></div><div># Parameter: MaxClients</div><div># Default: 20</div><div>#</div><div># Set MaxClients to the maximum number of users allowed to </div><div># connect at any time. (Does not include users on the TrustedMACList,</div><div># who do not authenticate.)</div><div>#</div><div># MaxClients 20</div><div><br></div><div># ClientIdleTimeout</div><div># Parameter: ClientIdleTimeout</div><div># Default: 10</div><div>#</div><div># Set ClientIdleTimeout to the desired of number of minutes</div><div># of inactivity before a user is automatically 'deauthenticated'.</div><div>#</div><div># ClientIdleTimeout 10</div><div><br></div><div># Parameter: ClientForceTimeout</div><div># Default: 360</div><div>#</div><div># Set ClientForceTimeout to the desired number of minutes before</div><div># a user is automatically 'deauthenticated', whether active or not</div><div>#</div><div># ClientForceTimeout 360</div><div><br></div><div># Parameter: AuthenticateImmediately</div><div># Default: no</div><div>#</div><div># Set to yes (or true or 1), to immediately authenticate users</div><div># who make a http port 80 request on the GatewayInterface (that is,</div><div># do not serve a splash page, just redirect to the user's request,</div><div># or to RedirectURL if set).</div><div>#</div><div># AuthenticateImmediately no</div><div><br></div><div># Parameter: MACMechanism</div><div># Default: block</div><div>#</div><div># Either block or allow.</div><div># If 'block', MAC addresses on BlockedMACList are blocked from</div><div># authenticating, and all others are allowed.</div><div># If 'allow', MAC addresses on AllowedMACList are allowed to</div><div># authenticate, and all other (non-trusted) MAC's are blocked.</div><div>#</div><div># MACMechanism block</div><div><br></div><div># Parameter: BlockedMACList</div><div># Default: none</div><div>#</div><div># Comma-separated list of MAC addresses who will be completely blocked</div><div># from the GatewayInterface. Ignored if MACMechanism is allow.</div><div># N.B.: weak security, since MAC addresses are easy to spoof.</div><div>#</div><div># BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D</div><div><br></div><div># Parameter: AllowedMACList</div><div># Default: none</div><div>#</div><div># Comma-separated list of MAC addresses who will not be completely</div><div># blocked from the GatewayInterface. Ignored if MACMechanism is block.</div><div># N.B.: weak security, since MAC addresses are easy to spoof.</div><div>#</div><div># AllowedMACList 00:00:12:34:56:78</div><div><br></div><div># Parameter: TrustedMACList</div><div># Default: none</div><div>#</div><div># Comma-separated list of MAC addresses who are not subject to</div><div># authentication, and are not restricted by any FirewallRuleSet.</div><div># N.B.: weak security, since MAC addresses are easy to spoof.</div><div>#</div><div># TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D</div><div><br></div><div><br></div><div># Parameter: PasswordAuthentication</div><div># Default: no</div><div># Set to yes (or true or 1), to require a password matching</div><div># the Password parameter to be supplied when authenticating. </div><div>#</div><div>#</div><div># PasswordAuthentication no</div><div><br></div><div># Parameter: Password</div><div># Default: none</div><div># Whitespace delimited string that is compared to user-supplied</div><div># password when authenticating. </div><div>#</div><div>#</div><div># Password nodog</div><div><br></div><div># Parameter: UsernameAuthentication</div><div># Default: no</div><div># Set to yes (or true or 1), to require a username matching</div><div># the Username parameter to be supplied when authenticating. </div><div>#</div><div>#</div><div># UsernameAuthentication no</div><div><br></div><div># Parameter: Username</div><div># Default: none</div><div># Whitespace delimited string that is compared to user-supplied</div><div># username when authenticating. </div><div>#</div><div>#</div><div># Username guest</div><div><br></div><div># Parameter: PasswordAttempts</div><div># Default: 5</div><div># Integer number of failed password/username entries before</div><div># a user is forced to reauthenticate.</div><div>#</div><div>#</div><div># PasswordAttempts 5</div><div><br></div><div># Parameter: TrafficControl</div><div># Default: no</div><div>#</div><div># Set to yes (or true or 1), to enable traffic control in Nodogsplash.</div><div>#</div><div># TrafficControl no</div><div><br></div><div># Parameter: DownloadLimit</div><div># Default: 0</div><div>#</div><div># If TrafficControl is enabled, this sets the maximum download</div><div># speed to the GatewayInterface, in kilobits per second.</div><div># For example if you have an ADSL connection with 768 kbit</div><div># download speed, and you want to allow about half of that</div><div># bandwidth for the GatewayInterface, set this to 384.</div><div># A value of 0 means no download limiting is done.</div><div>#</div><div># DownloadLimit 384</div><div><br></div><div># Parameter: UploadLimit</div><div># Default: 0</div><div>#</div><div># If TrafficControl is enabled, this sets the maximum upload</div><div># speed from the GatewayInterface, in kilobits per second.</div><div># For example if you have an ADSL connection with 128 kbit</div><div># upload speed, and you want to allow about half of that</div><div># bandwidth for the GatewayInterface, set this to 64.</div><div># A value of 0 means no upload limiting is done.</div><div>#</div><div># UploadLimit 64</div><div><br></div><div># Paramter: GatewayIPRange</div><div># Default: 0.0.0.0/0</div><div>#</div><div># By setting this parameter, you can specify a range of IP addresses</div><div># on the GatewayInterface that will be responded to and managed by</div><div># Nodogsplash. Addresses outside this range do not have their packets</div><div># touched by Nodogsplash at all.</div><div># Defaults to 0.0.0.0/0, that is, all addresses.</div><div>#</div><div># GatewayIPRange 0.0.0.0/0</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div></div><br><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">--------------------</div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">BornAgain</div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><a href="mailto:bornagain@autoproduzioni.net">bornagain@autoproduzioni.net</a> </div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>Nodo su wireless comunitaria <a href="http://Ninux.org">Ninux.org</a> <br><div><a href="http://map.ninux.org/select/reggiocalbornagain/">http://map.ninux.org/select/reggiocalbornagain/</a><br><br></div></div></div></span></div></span></span>
</div>
<br></body></html>