##----------------------------------------------------------------------------- ## fli4l __FLI4LVER__ - configuration for package "base" ## ## P L E A S E R E A D T H E D O C U M E N T A T I O N ! ## ## B I T T E U N B E D I N G T D I E D O K U M E N T A T I O N L E S E N ! ## ##----------------------------------------------------------------------------- ## Creation: 26.06.2001 fm ## Last Update: $Id: base.txt 60747 2022-09-15 11:47:18Z florian $ ## ## Copyright (c) 2001-2016 - Frank Meyer, fli4l-Team ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by ## the Free Software Foundation; either version 2 of the License, or ## (at your option) any later version. ##----------------------------------------------------------------------------- #------------------------------------------------------------------------------ # General settings: #------------------------------------------------------------------------------ HOSTNAME='fli4l' # name of fli4l router PASSWORD='fli4l' # password for root login (console, sshd, # imond) BOOT_TYPE='hd' # boot device: hd, cd, ls120, integrated, # attached, netboot, pxeboot LIBATA_DMA='disabled' # Use DMA on ATA Drives ('enabled') or not # ('disabled'). The default 'disabled' allows # ancient IDE CF cards to be booted from. # Use 'enabled' if you boot from a VirtualBox's # virtual device. MOUNT_BOOT='rw' # mount boot device: ro, rw, no BOOTMENU_TIME='5' # waiting time of bootmenu in seconds # before activating normal boot TIME_INFO='MEZ-1MESZ,M3.5.0,M10.5.0/3' # description of local time zone, # don't touch without reading documentation RTC_SYNC='hwclock' # how to synchronize the hardware clock? KERNEL_VERSION='5.4.213' # kernel version KERNEL_BOOT_OPTION='' # append option to kernel command line COMP_TYPE_OPT='xz' # compression algorithm if compression is # enabled for OPT archive; # NOTE that some boot types may disallow # some compression algorithms IP_CONNTRACK_MAX='' # override maximum limit of connection # tracking entries POWERMANAGEMENT='acpi' # select pm interface: none, acpi, apm, apm_rm # apm_rm switches to real mode before invoking # apm power off #------------------------------------------------------------------------------ # Localisation #------------------------------------------------------------------------------ LOCALE='de' # defines the default language for several # components, such as httpd #------------------------------------------------------------------------------ # Console settings (serial console, blank time, beep): #------------------------------------------------------------------------------ CONSOLE_BLANK_TIME='' # time in minutes (1-60) to blank # console; '0' = never, '' = system default BEEP='yes' # enable beep after boot and shutdown SER_CONSOLE='no' # use serial interface instead of or as # additional output device and main input # device SER_CONSOLE_IF='0' # serial interface to use, 0 for ttyS0 (COM1) SER_CONSOLE_RATE='9600' # baudrate for serial console #------------------------------------------------------------------------------ # Debug Settings: #------------------------------------------------------------------------------ DEBUG_STARTUP='no' # write an execution trace of the boot #------------------------------------------------------------------------------ # Keyboard layout #------------------------------------------------------------------------------ KEYBOARD_LOCALE='auto' # auto: use most common keyboard layout for # the language specified in 'LOCALE' #OPT_MAKEKBL='no' # set to 'yes' to make a new local keyboard # layout map on the fli4l-router #------------------------------------------------------------------------------ # Ethernet card drivers: #------------------------------------------------------------------------------ # # please see file base_nic.list in your config-dir or read the documentation # # # If you need a dummy device, use 'dummy' as your NET_DRV # and IP_NET_%_DEV='dummy' as your device # #------------------------------------------------------------------------------ #NET_DRV[]='ne2k-pci' # 1st driver: name (e.g. NE2000 PCI clone) #{ # OPTION='' # 1st driver: additional option #} #NET_DRV[]='ne' # 2nd driver: name (e.g. NE2000 ISA clone) #{ # OPTION='io=0x320' # 2nd driver: additional option #} #------------------------------------------------------------------------------ # Network prefixes #------------------------------------------------------------------------------ #OPT_NET_PREFIX='no' # enable use of network prefixes: yes or no #NET_PREFIX # network prefixes not bound to an interface #{ # [] # network prefix assignment # { # NAME="site" # name of network prefix # TYPE="static" # type of network prefix # STATIC_IPV4="192.168.10.0/24" # static IPv4 prefix # STATIC_IPV6="fd6e:d748:fdfd::/48" # static IPv6 prefix # } #} #------------------------------------------------------------------------------ # ULA prefixes #------------------------------------------------------------------------------ #OPT_NET_PREFIX_ULA='no' # enable generation of ULAs: yes or no #NET_PREFIX #{ # [] # { # NAME="LAN" # name of network prefix # TYPE="generated-ula" # type of network prefix # ULA_DEV='eth0' # Ethernet interface of which the MAC is taken # } #} #------------------------------------------------------------------------------ # Networks #------------------------------------------------------------------------------ OPT_IPV4='yes' # enable IPv4 networking # WARNING: Don't set this to 'no', this is # currently not supported! #IP_NET[1]='192.168.6.1/24' # IP address of your n'th ethernet card and # netmask in CIDR (no. of set bits) #{ # DEV='eth0' # required: device name like ethX #} #OPT_IPV6='no' # set to 'yes' to activate IPv6 support #IPV6_NET[1]='{internet-v6}+::1:0:0:0:1/64' # The router address and net mask of # this subnet. If this subnet is associated # with a circuit (i.e. the address is # prefixed by {}), use an address # WITHOUT the subnet prefix; when the # associated circuit comes up, its prefix # will be combined with the address # specified here to yield a complete # address. # # NOTE that the net mask must be equal to # 64 if you want to use stateless IPv6 # autoconfiguration! # # In this example, a /48 subnet prefix is # assumed which is extended by the subnet # '1' and the host part '0:0:0:1'. So with # e.g. '2001:db8:13bc/48' as subnet prefix # provided by circuit 'internet-v6', the # complete address and mask becomes # '2001:db8:13bc:1::1/64'. # # If no circuit prefix is used, no circuit # is associated, so the address # specification is taken "as is" and is not # completed by any prefix #{ # DEV='IP_NET_1_DEV' # interface this subnet is bound to # ADVERTISE='yes' # should the subnet prefix be advertised # automatically via RA in order to enable # stateless autoconfiguration? # ADVERTISE_DNS='no' # should the DNS service be advertised # within this subnet via RA? #} #------------------------------------------------------------------------------ # Additional routes, optional #------------------------------------------------------------------------------ #IP_ROUTE[]='192.168.7.0/24 192.168.6.99' # network/netmaskbits gateway #IP_ROUTE[]='0.0.0.0/0 192.168.6.99' # example for default-route #IPV6_ROUTE[]='2001:db8:13bc:2::/64 2001:db8:900:530::1' # example route #------------------------------------------------------------------------------ # Packet filter configuration #------------------------------------------------------------------------------ #------------------------------------------------------------------------------ # INPUT chain #------------------------------------------------------------------------------ PF_INPUT_POLICY='REJECT' # be nice and use reject as policy PF_INPUT_ACCEPT_DEF='yes' # use default rule set PF_INPUT_LOG='no' # don't log at all PF_INPUT_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF_INPUT_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF_INPUT_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF_INPUT[]='IP_NET_1 ACCEPT' # allow all hosts in the local network to # access the router #PF_INPUT[]='tmpl:samba DROP NOLOG' # drop (or reject) samba access #{ # COMMENT='no samba traffic allowed' # without logging, otherwise the log file will # be filled with useless entries #} PF6_INPUT_POLICY='REJECT' # be nice and use reject as policy PF6_INPUT_ACCEPT_DEF='yes' # use default rule set PF6_INPUT_LOG='no' # don't log anything PF6_INPUT_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF6_INPUT_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF6_INPUT_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF6_INPUT[]='[fe80::0/10] ACCEPT' # allow all hosts in the local network to # access the router #PF6_INPUT[]='IPV6_NET_1 ACCEPT' # allow all hosts in the first subnet to access # the router #PF6_INPUT[]='tmpl:samba DROP NOLOG' # drop (or reject) samba access #{ # COMMENT='no samba traffic allowed' # without logging, otherwise the log file will # be filled with useless entries #} #------------------------------------------------------------------------------ # FORWARD chain #------------------------------------------------------------------------------ PF_FORWARD_POLICY='REJECT' # be nice and use reject as policy PF_FORWARD_ACCEPT_DEF='yes' # use default rule set PF_FORWARD_LOG='no' # don't log at all PF_FORWARD_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF_FORWARD_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF_FORWARD_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF_FORWARD[]='tmpl:samba DROP' # drop samba traffic if it tries to leave the # subnet #PF_FORWARD[]='IP_NET_1 ACCEPT' # accept everything else PF6_FORWARD_POLICY='REJECT' # be nice and use reject as policy PF6_FORWARD_ACCEPT_DEF='yes' # use default rule set PF6_FORWARD_LOG='no' # don't log anything PF6_FORWARD_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF6_FORWARD_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF6_FORWARD_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF6_FORWARD[]='tmpl:samba DROP' # drop samba traffic if it tries to leave the # subnet #PF6_FORWARD[]='IPV6_NET_1 ACCEPT' # accept everything else #------------------------------------------------------------------------------ # OUTPUT chain #------------------------------------------------------------------------------ PF_OUTPUT_POLICY='ACCEPT' # default policy for outgoing packets PF_OUTPUT_ACCEPT_DEF='yes' # use default rule set PF_OUTPUT_LOG='no' # don't log at all PF_OUTPUT_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF_OUTPUT_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF_OUTPUT_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF_OUTPUT[]='any 217.197.80.132 REJECT' # don't allow the fli4l to reach fli4l.de PF6_OUTPUT_POLICY='ACCEPT' # default policy for outgoing packets PF6_OUTPUT_ACCEPT_DEF='yes' # use default rule set PF6_OUTPUT_LOG='no' # don't log anything PF6_OUTPUT_LOG_LIMIT='3/minute:5' # log 3 events per minute; allow a burst of 5 # events PF6_OUTPUT_REJ_LIMIT='1/second:5' # reject 1 connection per second; allow a burst # of 5 events; otherwise drop packet PF6_OUTPUT_UDP_REJ_LIMIT='1/second:5' # reject 1 udp packet per second; allow a burst # of 5 events; otherwise drop packet #PF6_OUTPUT[]='any 2001:bf0:c000:a::2:132 REJECT' # don't allow the fli4l to reach fli4l.de #------------------------------------------------------------------------------ # POSTROUTING chain #------------------------------------------------------------------------------ #PF_POSTROUTING[]='IP_NET_1 MASQUERADE' # masquerade traffic leaving the subnet #PF6_POSTROUTING[]='IPV6_NET_1 MASQUERADE' # masquerade traffic leaving the subnet #------------------------------------------------------------------------------ # PREROUTING chain #------------------------------------------------------------------------------ #PF_PREROUTING[]='1.2.3.4 dynamic:22 DNAT:@client2' # forward ssh connections coming from 1.2.3.4 # to client2 #PF6_PREROUTING[]='tmpl:ssh [2001:db8::1] DNAT:@client2' # forward ssh connections coming from # [2001:db8::1] to client2 #------------------------------------------------------------------------------ # PREROUTING_CT chain #------------------------------------------------------------------------------ PF_PREROUTING_CT_ACCEPT_DEF='yes' # use default rule set #PF_PREROUTING_CT[]='tmpl:ftp IP_NET_1 HELPER:ftp' # associate FTP conntrack helper for active FTP # forwarded from within the LAN to some FTP # server outside #PF_PREROUTING_CT[]='tmpl:ftp any dynamic HELPER:ftp' # associate FTP conntrack helper for passive # FTP forwarded to the router's external IP # (some PREROUTING rule needs to forward the # packets to some FTP server within the LAN) #PF6_PREROUTING_CT[]='tmpl:ftp IPV6_NET_1 HELPER:ftp' # associate FTP conntrack helper for active FTP # forwarded from within the LAN to some FTP # server outside #PF6_PREROUTING_CT[]='tmpl:ftp any IPV6_NET_1 HELPER:ftp' # associate FTP conntrack helper for passive # FTP forwarded to some FTP server within the # LAN #------------------------------------------------------------------------------ # OUTPUT_CT chain #------------------------------------------------------------------------------ PF_OUTPUT_CT_ACCEPT_DEF='yes' # use default rule set #PF_OUTPUT_CT[]='tmpl:ftp HELPER:ftp' # associate FTP conntrack helper for outgoing # active FTP on the router (this rule is added # automatically by the tools package if # OPT_FTP='yes' and FTP_PF_ENABLE_ACTIVE='yes') #PF6_OUTPUT_CT[]='tmpl:ftp HELPER:ftp' # associate FTP conntrack helper for outgoing # active FTP on the router (this rule is added # automatically by the tools package if # OPT_FTP='yes' and FTP_PF_ENABLE_ACTIVE='yes') #------------------------------------------------------------------------------ # USER chain #------------------------------------------------------------------------------ #PF_USR_CHAIN[]='...' # some user-defined rule #PF6_USR_CHAIN[]='...' # some user-defined rule #------------------------------------------------------------------------------ # Domain configuration: # settings for DNS, DHCP server and HOSTS -> see package DNS_DHCP #------------------------------------------------------------------------------ DOMAIN_NAME='lan.fli4l' # your domain name DNS_FORWARDERS='194.8.57.8' # DNS servers of your provider, # e.g. ns.n-ix.net # optional configuration for the host-entry of the router in /etc/hosts #HOSTNAME_IP='IP_NET_1_IPADDR' # IP to bind to HOSTNAME #HOSTNAME_IP6='IPV6_NET_1_IPADDR' # optional, can be used to explicitly set # the router's IPv6 address; if left empty, # this setting is taken from the first # configured /64 IPv6 subnet (see below) #HOSTNAME_ALIAS[]='router.lan.fli4l' # first ALIAS name #HOSTNAME_ALIAS[]='gateway.my.lan' # secound ALIAS name #------------------------------------------------------------------------------ # optional package: syslogd #------------------------------------------------------------------------------ #OPT_SYSLOGD='no' # start syslogd: yes or no #SYSLOGD_RECEIVER='yes' # receive messages from network #SYSLOGD_DEST[]='*.* /dev/console' # n'th prio & destination of syslog msgs #SYSLOGD_DEST[]='*.* @192.168.6.2' # example: loghost 192.168.6.2 #SYSLOGD_DEST[]='kern.info /var/log/dial.log' # example: log infos to file SYSLOGD_ROTATE='no' # rotate syslog-files once every day SYSLOGD_ROTATE_DIR='/data/syslog' # move rotated files to .... SYSLOGD_ROTATE_MAX='5' # max number of rotated syslog-files #------------------------------------------------------------------------------ # Optional package: klogd #------------------------------------------------------------------------------ #OPT_KLOGD='no' # start klogd: yes or no #------------------------------------------------------------------------------ # Optional package: logip #------------------------------------------------------------------------------ #OPT_LOGIP='no' # logip: yes or no LOGIP_LOGDIR='auto' # log-directory, e.g. /boot or auto-detected #------------------------------------------------------------------------------ # Optional package: y2k correction #------------------------------------------------------------------------------ #OPT_Y2K='no' # y2k correction: yes or no Y2K_DAYS='0' # correct hardware y2k-bug: add x days #------------------------------------------------------------------------------ # Optional package: PNP #------------------------------------------------------------------------------ #OPT_PNP='no' # install isapnp tools: yes or no #------------------------------------------------------------------------------ # Optional: PCI hotplugging #------------------------------------------------------------------------------ #OPT_HOTPLUG_PCI='no' # if yes, various PCI hotplugging drivers are # loaded at boot time; note that ACPI hot- # plugging (as used by e.g. KVM) is built into # the kernel and does _not_ require this OPT to # be enabled (but it doesn't hurt neither) #------------------------------------------------------------------------------ # Optional package: lua # (Note: This package will eventually be integrated into the base package as # it is planned to implement core fli4l services in Lua!) #------------------------------------------------------------------------------ #OPT_LUA='no' # enable Lua #------------------------------------------------------------------------------ # Optional package: luatests #------------------------------------------------------------------------------ #OPT_LUATESTS='no' # enable Lua test suite #LUATESTS_RUNATBOOTTIME='yes' # set to 'yes' if test suite should run when # the fli4l boots