reddarien/config/nodogsplash

145 lines
5.8 KiB
Plaintext
Raw Permalink Normal View History

2019-10-14 16:08:36 +00:00
# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
config nodogsplash
# Set to 0 to disable nodogsplash
option enabled 1
# Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
# This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
option fwhook_enabled '1'
# Serve the file splash.html from this directory
option webroot '/etc/nodogsplash/htdocs'
# Use plain configuration file
#option config '/etc/nodogsplash/nodogsplash.conf'
# Use this option to set the device nogogsplash will bind to.
# The value may be an interface section in /etc/config/network or a device name such as br-lan.
option gatewayinterface 'br-lan'
option gatewayname 'OpenWrt Nodogsplash'
option maxclients '250'
# Enables debug output (0-7)
#option debuglevel '7'
# Client timeouts in minutes
option preauthidletimeout '30'
option authidletimeout '120'
# Session Timeout is the interval after which clients are forced out (a value of 0 means never)
option sessiontimeout '1200'
# The interval in seconds at which nodogsplash checks client timeout status
option checkinterval '600'
# Enable BinAuth Support.
# If set, a program is called with several parameters on authentication (request) and deauthentication.
# Request for authentication:
# $<BinAuth> auth_client <client_mac> '<username>' '<password>'
#
# The username and password values may be empty strings and are URL encoded.
# The program is expected to output the number of seconds the client
# is to be authenticated. Zero or negative seconds will cause the authentification request
# to be rejected. The same goes for an exit code that is not 0.
# The output may contain a user specific download and upload limit in KBit/s:
# <seconds> <upload> <download>
#
# Called on authentication or deauthentication:
# $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
#
# "client_auth": Client authenticated via this script.
# "client_deauth": Client deauthenticated by the client via splash page.
# "idle_deauth": Client was deauthenticated because of inactivity.
# "timeout_deauth": Client was deauthenticated because the session timed out.
# "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
# "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
# "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
#
# Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
#
#option binauth '/bin/myauth.sh'
# Enable Forwarding Authentication Service (FAS)
# If set redirection is changed from splash.html to a FAS (provided by the system administrator)
# The value is the IP port number of the FAS
#option fasport '80'
# Option: fasremoteip
# Default: GatewayAddress (the IP of NDS)
# If set, this is the remote ip address of the FAS.
#option fasremoteip '46.32.240.41'
# Option: faspath
# Default: /
# This is the path from the FAS Web Root to the FAS login page
# (not the file system root).
#option faspath '/onboard-wifi.net/nodog/fas.php'
# Option: fas_secure_enabled
# Default: 1
# If set to "1", authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
# If set to "0", the client token is sent to the FAS in clear text in the query string of the
# redirect along with authaction and redir.
#option fas_secure_enabled '0'
# Your router may have several interfaces, and you
# probably want to keep them private from the network/gatewayinterface.
# If so, you should block the entire subnets on those interfaces, e.g.:
#list authenticated_users 'block to 192.168.0.0/16'
#list authenticated_users 'block to 10.0.0.0/8'
# Typical ports you will probably want to open up.
#list authenticated_users 'allow tcp port 22'
#list authenticated_users 'allow tcp port 53'
#list authenticated_users 'allow udp port 53'
#list authenticated_users 'allow tcp port 80'
#list authenticated_users 'allow tcp port 443'
# Or for happy customers allow all
list authenticated_users 'allow all'
# For preauthenticated users to resolve IP addresses in their
# initial request not using the router itself as a DNS server,
# Leave commented to help prevent DNS tunnelling
#list preauthenticated_users 'allow tcp port 53'
#list preauthenticated_users 'allow udp port 53'
# Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
list users_to_router 'allow tcp port 22'
list users_to_router 'allow tcp port 23'
list users_to_router 'allow tcp port 53'
list users_to_router 'allow udp port 53'
list users_to_router 'allow udp port 67'
list users_to_router 'allow tcp port 80'
# MAC addresses that are / are not allowed to access the splash page
# Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
#option macmechanism 'allow'
#list allowedmac '00:00:C0:01:D0:0D'
#list allowedmac '00:00:C0:01:D0:1D'
#list blockedmac '00:00:C0:01:D0:2D'
# MAC addresses that do not need to authenticate
#list trustedmac '00:00:C0:01:D0:1D'
# Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
# This mask can conflict with the requirements of other packages such as mwan3, sqm etc
# Any values set here are interpreted as in hex format.
#
# List: fw_mark_authenticated
# Default: 30000 (0011|0000|0000|0000|0000 binary)
#
# List: fw_mark_trusted
# Default: 20000 (0010|0000|0000|0000|0000 binary)
#
# List: fw_mark_blocked
# Default: 10000 (0001|0000|0000|0000|0000 binary)
#
#list fw_mark_authenticated '30000'
#list fw_mark_trusted '20000'
#list fw_mark_blocked '10000'