Index: gateway.conf
===================================================================
RCS file: /cvsroot/NoCatAuth/gateway.conf,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- gateway.conf 23 Jun 2003 03:02:53 -0000 1.1.1.1
+++ gateway.conf 14 Jul 2003 16:34:17 -0000 1.1.1.1.2.1
@@ -284,6 +284,11 @@
# GatewayPort 5280
##
+# GatewayAddr - The IP address to bind the gateway
+# service to.
+# GatewayAddr 127.0.0.1
+
+##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
Index: bin/detect-fw.sh
===================================================================
RCS file: /cvsroot/NoCatAuth/bin/detect-fw.sh,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.1.1
diff -u -r1.1.1.1 -r1.1.1.1.1.1
--- bin/detect-fw.sh 23 Jun 2003 03:02:53 -0000 1.1.1.1
+++ bin/detect-fw.sh 27 Jun 2003 04:38:28 -0000 1.1.1.1.1.1
@@ -25,21 +25,20 @@
# Or ip_filter (e.g. *BSD, Solaris, HP-UX, etc)?
#
#
-elif which ipf >/dev/null 2>&1; then
ipf_running="`ipf -V | grep 'Running' | awk '{print $2}'`";
- if [ "$ipf_running" = "yes" ]; then
- FIREWALL="ipfilter"
- FW_BIN=ipf
- else
- echo "ERROR: ip_filter appears to exist, but we're not postive that it's running"
- echo "1. You must be root for us to verify this"
- echo "2. Check that it's compiled in your kernel (either staticlly or a loaded module)"
- fi
+elif (which ipf >/dev/null 2>&1 && [ "$ipf_running" = "yes" ]); then
+ FIREWALL="ipfilter"
+ FW_BIN=ipf
# Or packetfilter (OpenBSD 3.0+)
elif which pfctl >/dev/null 2>&1; then
FIREWALL=pf
FW_BIN=pfctl
+
+# Or IPFW2 (FreeBSD 4.7+)
+elif which ipfw >/dev/null 2>&1; then
+ FIREWALL=ipfw2
+ FW_BIN=ipfw
else
echo "No supported firewalls detected! Check your path."
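Review bot: The ipfilter branch can no longer match, because `ipf_running` is assigned on the line directly above the new `elif` and so executes as the last statement of the preceding branch rather than before this test; when control reaches the new condition the variable is unset and `[ "$ipf_running" = "yes" ]` is always false. The removed branch also explained why the running check failed (not root, not loaded), and that diagnostic disappears with it. Fold the probe into the condition so it runs only when `ipf` exists: `elif which ipf >/dev/null 2>&1 && [ "$(ipf -V | grep 'Running' | awk '{print $2}')" = "yes" ]; then` and drop the stray assignment. The subshell parentheses around the condition serve no purpose and can go. The enclosing if/elif chain starts above the hunk.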
Index: lib/NoCat/Gateway/Passive.pm
===================================================================
RCS file: /cvsroot/NoCatAuth/lib/NoCat/Gateway/Passive.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -r1.1.1.1 -r1.1.1.1.2.1
--- lib/NoCat/Gateway/Passive.pm 23 Jun 2003 03:02:53 -0000 1.1.1.1
+++ lib/NoCat/Gateway/Passive.pm 14 Jul 2003 16:34:17 -0000 1.1.1.1.2.1
@@ -48,7 +48,8 @@
token => $peer->token,
redirect => $request,
timeout => $self->{LoginTimeout},
- gateway => $peer->socket->sockhost . ":$self->{GatewayPort}"
+ #gateway => $peer->socket->sockhost . ":$self->{GatewayPort}"
+ gateway => $self->{GatewayAddr} . ":$self->{GatewayPort}"
};
}
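Review bot: The `gateway` value handed to the auth service now depends entirely on `$self->{GatewayAddr}`, and nothing in the hunk supplies a fallback when the option is absent, so an unconfigured gateway sends `:5280`-style addresses where the removed line derived the real socket address at runtime. The gateway.conf hunk in this diff documents the option only as a commented-out example, so a default installation presumably hits that case, and its example value 127.0.0.1 is a loopback address a client browser would resolve to itself, which makes the documented example worth revisiting too. Keep the socket address as the fallback: `gateway => ($self->{GatewayAddr} || $peer->socket->sockhost) . ":$self->{GatewayPort}"`, and delete the commented-out copy of the old line rather than leaving it in. The enclosing method begins above the hunk.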
Index: libexec/ipfw2/access.fw
===================================================================
RCS file: libexec/ipfw2/access.fw
diff -N libexec/ipfw2/access.fw
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ libexec/ipfw2/access.fw 23 Jun 2003 03:16:42 -0000 1.1
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+# Note: your PATH is inherited from the gateway process
+#
+
+MINRULE=1000
+MAXRULE=50000
+#PASSRULE=65533
+IPFW="/sbin/ipfw -q"
+AWK=/usr/bin/awk
+
+get_next_rulenumber() {
+ NEXTID=`${IPFW} list | ${AWK} '(($1 >= '${MINRULE}') && ($1 < '${MAXRULE}') && ($1 >= N)) { N=$1 + 1 } BEGIN {N = '${MINRULE}'} END {print N}'`
+ # echo Next ID: ${NEXTID}
+}
+
+permit_fw () {
+ case ${CLASS} in
+ member)
+ SKIPTO=60000
+ ;;
+ *)
+ SKIPTO=60100
+ ;;
+ esac
+
+ get_next_rulenumber
+
+ ${IPFW} add ${NEXTID} deny log ip from ${IP} to any layer2 not mac any ${MAC} in recv ${InternalDevice}
+ ${IPFW} add ${NEXTID} skipto ${SKIPTO} all from ${IP} to any in via ${InternalDevice}
+ ${IPFW} add ${NEXTID} skipto ${SKIPTO} all from any to ${IP} out via ${InternalDevice}
+}
+
+deny_fw () {
+ KILLRULE=`${IPFW} list | ${AWK} '/'${MAC}'/ { print $1 }'|tail -1`
+ [ "${KILLRULE}" != "" ] && ${IPFW} del ${KILLRULE}
+}
+
+ACTION=$1
+MAC=$2
+IP=$3
+CLASS=$4
+
+if [ -z "$ACTION" -o -z "$MAC" -o -z "$IP" -o -z "$CLASS" ]; then
+ echo Usage: $0 [permit\|deny] [MAC] [IP] [Class]
+ echo Example: $0 permit 00:02:2d:aa:bb:cc 10.0.0.105 member
+ exit 1
+fi
+
+if [ "$ACTION" = 'permit' ]; then
+ deny_fw
+ permit_fw
+elif [ "$ACTION" = 'deny' ]; then
+ deny_fw
+fi
+
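Review bot: `MAC`, `IP` and `CLASS` come straight from argv and are spliced unquoted into the `ipfw add` command lines in `permit_fw` and, in `deny_fw`, into an awk regex (`'/'${MAC}'/'`), with only an emptiness check at the top of the script; a value containing whitespace or pattern metacharacters changes which rule gets installed or which rule gets deleted. The caller is the gateway process, so the practical exposure depends on how it derives these values, but this script is the last step before a firewall change and should check the shape of its inputs before touching ipfw. Also note that `get_next_rulenumber` can return `MAXRULE` itself (N is `$1 + 1` for any `$1 < MAXRULE`), which collides with the `add 50000 pass layer2` rule in initialize.fw once the range fills; comparing NEXTID against MAXRULE and refusing to add avoids that.
```shell
# … unchanged: ACTION/MAC/IP/CLASS assignment and usage check …

# Reject anything that is not hex-and-colons / dotted-quad digits / a plain word
# before the values reach an ipfw command line or the awk pattern in deny_fw.
case "$MAC" in
  *[!0-9a-fA-F:]*|'') echo "Invalid MAC: $MAC" >&2; exit 1 ;;
esac
case "$IP" in
  *[!0-9.]*|'') echo "Invalid IP: $IP" >&2; exit 1 ;;
esac
case "$CLASS" in
  *[!A-Za-z0-9_-]*|'') echo "Invalid class: $CLASS" >&2; exit 1 ;;
esac

# … unchanged: permit/deny dispatch …
```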
Index: libexec/ipfw2/dump.fw
===================================================================
RCS file: libexec/ipfw2/dump.fw
diff -N libexec/ipfw2/dump.fw
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ libexec/ipfw2/dump.fw 23 Jun 2003 03:16:42 -0000 1.1
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Note: your PATH is inherited from the gateway process
+#
+
+ipfw -at show
Index: libexec/ipfw2/initialize.fw
===================================================================
RCS file: libexec/ipfw2/initialize.fw
diff -N libexec/ipfw2/initialize.fw
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ libexec/ipfw2/initialize.fw 14 Jul 2003 16:34:17 -0000 1.1.2.1
@@ -0,0 +1,107 @@
+#!/bin/sh
+
+# Note: your PATH is inherited from the gateway process
+#
+
+IPFW=/sbin/ipfw
+
+# Enable IP forwarding
+sysctl net.inet.ip.forwarding=1
+
+# Enable ethernet filtering
+sysctl net.link.ether.ipfw=1
+
+# clear all packet filter rules
+${IPFW} -fq flush
+${IPFW} -fq pipe flush
+
+# Pass external device traffic
+${IPFW} add pass all from any to any via ${ExternalDevice}
+
+# Pass loopback traffic
+${IPFW} add pass all from any to any via lo0
+
+#########################
+# Capture rules #
+#########################
+
+# Pass all layer2
+${IPFW} add 50000 pass layer2
+
+# Pass Gateway
+${IPFW} add pass tcp from any to any ${GatewayPort} in via ${InternalDevice}
+${IPFW} add pass tcp from any to any ${GatewayPort} out via ${InternalDevice}
+
+# Pass SSH for DEBUG
+${IPFW} add pass tcp from any to any ssh in via ${InternalDevice}
+${IPFW} add pass tcp from any to any ssh out via ${InternalDevice}
+
+# Pass DNS
+if [ "${DNSAddr}" != "" ]; then
+ # Use external DNS server
+ for a in ${DNSAddr}; do
+ ${IPFW} add pass udp from any to ${a} domain in via ${InternalDevice} keep-state
+ done
+else
+ # Use local DNS server on gateway
+ ${IPFW} add pass udp from any to ${LocalNetwork} domain in via ${InternalDevice} keep-state
+fi
+
+# Allow access to the AuthService
+${IPFW} add pass tcp from any to ${AuthServiceAddr} http,https in via ${InternalDevice}
+
+# Forward all http and https traffic to the Gateway
+${IPFW} add fwd ${GatewayAddr},${GatewayPort} tcp from any to any http,https in via ${InternalDevice}
+
+# Deny everything else
+${IPFW} add deny log all from any to any in via ${InternalDevice}
+
+#########################
+# DummyNet rules #
+#########################
+
+# Members
+${IPFW} add 60000 queue 1 all from any to any in
+${IPFW} add 60000 queue 2 all from any to any out
+${IPFW} add 60010 skipto 61000 all from any to any
+${IPFW} queue 1 config mask src-ip 0xffffffff pipe 1 weight 75
+${IPFW} queue 2 config mask dst-ip 0xffffffff pipe 2 weight 100
+${IPFW} pipe 1 config
+${IPFW} pipe 2 config
+
+# Others
+${IPFW} add 60100 queue 3 all from any to any in
+${IPFW} add 60100 queue 4 all from any to any out
+${IPFW} add 60110 skipto 61000 all from any to any
+${IPFW} queue 3 config mask src-ip 0xffffffff pipe 3 weight 75
+${IPFW} queue 4 config mask dst-ip 0xffffffff pipe 4 weight 100
+${IPFW} pipe 3 config bw 128Kbit/s
+${IPFW} pipe 4 config bw 512Kbit/s
+
+
+#########################
+# Set NAT and RDR rules #
+#########################
+
+
+# Setup basic nat rule, any traffic out ExternalDevice with the IP from
+# $LocalNetwork gets rewritten to the ip of the $ExternalDevice
+
+#NAT="nat on $ExternalDevice from $LocalNetwork to any -> $ExternalDevice\n"
+
+# redir all web traffic to the gateway
+#NAT="${NAT}\n rdr on $InternalDevice proto tcp from any to any port 80 -> $ExternalDevice port $GatewayPort\n"
+#if [ $AuthServiceAddr != "" ]; then
+# NAT="${NAT}\n rdr on $InternalDevice proto tcp from any to ! $AuthServiceAddr port 443 -> $ExternalDevice port $GatewayPort\n"
+#else
+# NAT="${NAT}\n rdr on $InternalDevice proto tcp from any to any port 443 -> $ExternalDevice port $GatewayPort\n"
+#fi
+
+# Setup rdr for ftp-proxy(8) incase we decide it's needed.
+# (I turned this off by default -- I'm afraid it'll confuse people who aren't expecting it -- SDE)
+# NAT="${NAT}\n rdr on $InternalDevice from any to any port 21 -> $ExternalDevice port 8081\n"
+
+# this should eventually be pfctl -N "$NAT"
+#print "$NAT" | pfctl -N -
+
+
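Review bot: The two `Pass SSH for DEBUG` rules at the head of the capture section pass tcp/22 in both directions on `${InternalDevice}` ahead of the `deny log` catch-all, so an unauthenticated client appears able to reach any SSH server through the gateway without ever seeing the portal; a debug hole in an initialize script ships to every install, so drop both lines or at least restrict them to the gateway's own address (`… from any to ${GatewayAddr} ssh in via ${InternalDevice}`). Separately, the `fwd ${GatewayAddr},${GatewayPort}` rule produces a malformed `fwd ,port` argument when `GatewayAddr` is unset, and with `#!/bin/sh` and no `set -e` that failure only shows up in ipfw's stderr after the old rule set has already been flushed; add `: "${GatewayAddr:?must be set in gateway.conf}"` and `: "${InternalDevice:?}"` near the top so the script aborts before the `-fq flush` lines run. The NAT/RDR block at the bottom is commented-out pf syntax carried over from another backend and can be removed from the ipfw2 script.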
Index: libexec/ipfw2/ipfw2.c.patch
===================================================================
RCS file: libexec/ipfw2/ipfw2.c.patch
diff -N libexec/ipfw2/ipfw2.c.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ libexec/ipfw2/ipfw2.c.patch 23 Jun 2003 03:16:43 -0000 1.1
@@ -0,0 +1,39 @@
+--- ipfw2.c.orig Mon Jun 16 06:21:26 2003
++++ ipfw2.c Mon Jun 16 06:25:14 2003
+@@ -58,6 +58,7 @@
+ do_resolv, /* Would try to resolve all */
+ do_acct, /* Show packet/byte count */
+ do_time, /* Show time stamps */
++ do_timestamp, /* Show time stamps in seconds*/
+ do_quiet, /* Be quiet in add and flush */
+ do_force, /* Don't ask for confirmation */
+ do_pipe, /* this cmd refers to a pipe */
+@@ -824,6 +825,9 @@
+ if (do_acct)
+ printf("%10qu %10qu ", rule->pcnt, rule->bcnt);
+
++ if (do_timestamp)
++ printf("%10lu ", rule->timestamp);
++
+ if (do_time) {
+ char timestr[30];
+
+@@ -3344,7 +3348,7 @@
+ do_force = !isatty(STDIN_FILENO);
+
+ optind = optreset = 1;
+- while ((ch = getopt(ac, av, "hs:acdefNqStv")) != -1)
++ while ((ch = getopt(ac, av, "hs:acdefNqStTv")) != -1)
+ switch (ch) {
+ case 'h': /* help */
+ help();
+@@ -3379,6 +3383,9 @@
+ break;
+ case 't':
+ do_time = 1;
++ break;
++ case 'T':
++ do_timestamp = 1;
+ break;
+ case 'v': /* verbose */
+ verbose++;
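Review bot: The new `-T` option is wired into `getopt` and the option switch, but nothing in the patch adds it to the usage/help output, so users of the patched binary cannot discover it; help() is outside the hunk, so this is inferred from what the patch touches rather than seen. The `printf("%10lu ", rule->timestamp)` line assumes `timestamp` is an unsigned long; if the field is a narrower fixed-width type, the format and argument disagree on LP64 platforms, and `printf("%10lu ", (unsigned long)rule->timestamp);` is safe either way. Since stats.fw in this diff runs `ipfw -acT list`, the stats.fw header should state that stock ipfw lacks this flag.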
Index: libexec/ipfw2/stats.fw
===================================================================
RCS file: libexec/ipfw2/stats.fw
diff -N libexec/ipfw2/stats.fw
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ libexec/ipfw2/stats.fw 24 Jun 2003 05:21:21 -0000 1.1
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+if [ "$1" != "" ]; then
+{
+# Specific
+# Must output in the following form:
+#
+#
+
+ipfw -acT list | awk -v IP=$2 -- '\
+{\
+ if ($1 < 1000) next;\
+ if ($1 >= 50000) nextfile;\
+ if (/skipto.*to any/)\
+ {\
+ if ($9 == IP)\
+ {\
+ outOctets = $3;\
+ outTime = $4;\
+ }\
+ }\
+ if (/skipto.*from any/)\
+ {\
+ if ($11 == IP)\
+ {\
+ inOctets = $3;\
+ inTime = $4;\
+ lastTime = (inTime > outTime) ? inTime : outTime;\
+ printf("%d %d %d\n", inOctets, outOctets, lastTime);\
+ nextfile;
+ }\
+ }\
+}\
+'
+}
+else
+{
+# All
+# Must output in the following form:
+#
+#
+
+ipfw -acT list | awk -- '\
+{\
+ if ($1 < 1000) next;\
+ if ($1 >= 50000) nextfile;\
+ if (/skipto.*to any/)\
+ {\
+ outPackets = $2;\
+ outOctets = $3;\
+ outTime = $4;\
+ outIP = $9;\
+ }\
+ if (/skipto.*from any/)\
+ {\
+ inPackets = $2;\
+ inOctets = $3;\
+ inTime = $4;\
+ inIP = $11;\
+ lastTime = (inTime > outTime) ? inTime : outTime;\
+ printf("%s %d %d %d\n", inIP, inOctets, outOctets, lastTime);\
+ }\
+}\
+'
+}
+fi
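Review bot: The `Must output in the following form:` comment in both branches is left empty, and the column layout the awk programs depend on (`$3` bytes, `$4` timestamp, `$9`/`$11` addresses of the skipto rules) only exists with the `-T` flag added by ipfw2.c.patch in this same diff, so a stock ipfw yields shifted columns and silently wrong numbers; fill the comment in, e.g. `# inOctets outOctets lastTime` for the specific case and `# IP inOctets outOctets lastTime` for the all case, and note the patched-ipfw requirement. `awk -v IP=$2` is unquoted, and the script tests `$1` for emptiness but reads `$2` as the address, which may be intentional (a MAC first) but is undocumented; use `-v IP="$2"` and state the expected arguments in the header. The backslash line continuations inside the single-quoted awk programs are unnecessary, and the one missing after `nextfile;` shows how easy they are to get inconsistent.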