nodogsplash/files/etc/config/nodogsplash

   1
   2 # The options available here are an adaptation of the settings used in nodogsplash.conf.
   3 # See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
   4
   5 config nodogsplash
   6   # Set to 0 to disable nodogsplash
   7   option enabled 1
   8
   9   # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
  10   # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
  11   option fwhook_enabled '1'
  12
  13   # WebRoot
  14   # Default: /etc/nodogsplash/htdocs
  15   #
  16   # The local path where the splash page content resides.
  17   # ie. Serve the file splash.html from this directory
  18   #option webroot '/etc/nodogsplash/htdocs'
  19
  20   # Use plain configuration file
  21   #option config '/etc/nodogsplash/nodogsplash.conf'
  22
  23   # Use this option to set the device nodogsplash will bind to.
  24   # The value may be an interface section in /etc/config/network or a device name such as br-lan.
  25   option gatewayinterface 'br-lan'
  26
  27   # GatewayPort
  28   # Default: 2050
  29   #
  30   # Nodogsplash's own http server uses gateway address as its IP address.
  31   # The port it listens to at that IP can be set here; default is 2050.
  32   #
  33   #option gatewayport '2050'
  34
  35
  36   option gatewayname 'OpenWrt Nodogsplash'
  37   option maxclients '250'
  38
  39   # Enables debug output (0-3)
  40   #option debuglevel '1'
  41
  42   # Client timeouts in minutes
  43   option preauthidletimeout '30'
  44   option authidletimeout '120'
  45   # Session Timeout is the interval after which clients are forced out (a value of 0 means never)
  46   option sessiontimeout '1200'
  47
  48   # The interval in seconds at which nodogsplash checks client timeout status
  49   option checkinterval '600'
  50
  51   # Enable BinAuth Support.
  52   # If set, a program is called with several parameters on authentication (request) and deauthentication.
  53   # Request for authentication:
  54   # $<BinAuth> auth_client <client_mac> '<username>' '<password>'
  55   #
  56   # The username and password values may be empty strings and are URL encoded.
  57   # The program is expected to output the number of seconds the client
  58   # is to be authenticated. Zero or negative seconds will cause the authentification request
  59   # to be rejected. The same goes for an exit code that is not 0.
  60   # The output may contain a user specific download and upload limit in KBit/s:
  61   # <seconds> <upload> <download>
  62   #
  63   # Called on authentication or deauthentication:
  64   # $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
  65   #
  66   # "client_auth": Client authenticated via this script.
  67   # "client_deauth": Client deauthenticated by the client via splash page.
  68   # "idle_deauth": Client was deauthenticated because of inactivity.
  69   # "timeout_deauth": Client was deauthenticated because the session timed out.
  70   # "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
  71   # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
  72   # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
  73   #
  74   # Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
  75   #
  76   #option binauth '/bin/myauth.sh'
  77   # Enable PreAuth Support.
  78   #
  79   # A simple login script is provided in the package.
  80   # This generates a login page asking for usename and email address.
  81   # User logins are recorded in the log file /tmp/ndslog.log
  82   # Details of how the script works are contained in comments in the script itself.
  83   #
  84   # The Preauth program will output html code that will be served to the client by NDS
  85   # Using html GET the Preauth program may call:
  86   # /nodogsplash_preauth/ to ask the client for more information
  87   # or
  88   # /nodogsplash_auth/ to authenticate the client
  89   #
  90   # The Preauth program should append at least the client ip to the query string
  91   # (using html input type hidden) for all calls to /nodogsplash_preauth/
  92   # It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
  93   # for NDS authentication when calling /nodogsplash_auth/
  94   #
  95   #option preauth '/usr/lib/nodogsplash/login.sh'
  96
  97   # Your router may have several interfaces, and you
  98   # probably want to keep them private from the gatewayinterface.
  99   # If so, you should block the entire subnets on those interfaces, e.g.:
 100   #list authenticated_users 'block to 192.168.0.0/16'
 101   #list authenticated_users 'block to 10.0.0.0/8'
 102
 103   # Typical ports you will probably want to open up.
 104   #list authenticated_users 'allow tcp port 22'
 105   #list authenticated_users 'allow tcp port 53'
 106   #list authenticated_users 'allow udp port 53'
 107   #list authenticated_users 'allow tcp port 80'
 108   #list authenticated_users 'allow tcp port 443'
 109   # Or for happy customers allow all
 110   list authenticated_users 'allow all'
 111
 112   # For preauthenticated users to resolve IP addresses in their
 113   # initial request not using the router itself as a DNS server,
 114   # Leave commented to help prevent DNS tunnelling
 115   #list preauthenticated_users 'allow tcp port 53'
 116   #list preauthenticated_users 'allow udp port 53'
 117
 118   # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
 119   list users_to_router 'allow tcp port 22'
 120   list users_to_router 'allow tcp port 23'
 121   list users_to_router 'allow tcp port 53'
 122   list users_to_router 'allow udp port 53'
 123   list users_to_router 'allow udp port 67'
 124   list users_to_router 'allow tcp port 80'
 125
 126   # MAC addresses that are / are not allowed to access the splash page
 127   # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
 128   #option macmechanism 'allow'
 129   #list allowedmac '00:00:C0:01:D0:0D'
 130   #list allowedmac '00:00:C0:01:D0:1D'
 131   #list blockedmac '00:00:C0:01:D0:2D'
 132
 133   # MAC addresses that do not need to authenticate
 134   #list trustedmac '00:00:C0:01:D0:1D'
 135
 136   # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
 137   # This mask can conflict with the requirements of other packages such as mwan3, sqm etc
 138   # Any values set here are interpreted as in hex format.
 139   #
 140   # List: fw_mark_authenticated
 141   # Default: 30000 (0011|0000|0000|0000|0000 binary)
 142   #
 143   # List: fw_mark_trusted
 144   # Default: 20000 (0010|0000|0000|0000|0000 binary)
 145   #
 146   # List: fw_mark_blocked
 147   # Default: 10000 (0001|0000|0000|0000|0000 binary)
 148   #
 149   #option fw_mark_authenticated '30000'
 150   #option fw_mark_trusted '20000'
 151   #option fw_mark_blocked '10000'
 152