*Empty MediaWiki Message*
This commit is contained in:
parent
c3148ec864
commit
766bab4cab
|
@ -292,6 +292,261 @@ exit 0
|
|||
Sofern ich an dieser Stelle nichts nennenswertes vergessen habe zu erwähnen, sollte nach einem Container Neustart die PPPoE Einwahl und das Routing schon funktionieren
|
||||
|
||||
=== JAIL: dropbert2 ===
|
||||
|
||||
„dropbert2“ Container: ucarp installieren
|
||||
<source lang=bash>
|
||||
pkg install ucarp
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: ucarp up & down scripts
|
||||
<source lang=bash>
|
||||
vi /root/ucarp_up.sh
|
||||
|
||||
#!/bin/sh
|
||||
### ### ### PLITC // ### ### ###
|
||||
#// Load variables from rc.conf
|
||||
. /etc/rc.subr
|
||||
load_rc_config ucarp
|
||||
/sbin/ifconfig $ucarp_if alias $ucarp_addr/24
|
||||
#// force arp refresh for the shared ip
|
||||
ping -S 172.22.99.4 -c 2 -q 172.22.99.7 > /dev/null
|
||||
#// delete default gateway
|
||||
route -n delete default >/dev/null 2>&1
|
||||
#// clean ppp log
|
||||
echo "" > /var/log/ppp.log
|
||||
#// dialin
|
||||
/usr/sbin/ppp -ddial telekom
|
||||
#// load firewall after being successful pppoe connection
|
||||
while true ; do
|
||||
CHECKPPP=$(cat /var/log/ppp.log | grep -c "Pap Input: SUCCESS")
|
||||
if [ "$CHECKPPP" -eq 1 ]
|
||||
then
|
||||
sleep 5
|
||||
/etc/rc.firewall.local
|
||||
break
|
||||
else
|
||||
sleep 1
|
||||
fi
|
||||
done
|
||||
### ### ### // PLITC ### ### ###
|
||||
# EOF
|
||||
|
||||
chmod 0755 /root/ucarp_up.sh
|
||||
</source>
|
||||
|
||||
Die „while true“ Schleife ist notwendig, da ipfw mit dem laden der Regelsätze abbricht wenn ein (noch nicht) vorhandenes Device (in dem Fall: tun0) auf Firewallregeln matchen soll
|
||||
|
||||
<source lang=bash>
|
||||
vi /root/ucarp_down.sh
|
||||
|
||||
#!/bin/sh
|
||||
# Load variables from rc.conf
|
||||
. /etc/rc.subr
|
||||
load_rc_config ucarp
|
||||
/sbin/ifconfig $ucarp_if -alias $ucarp_addr
|
||||
pkill -9 ppp
|
||||
#// default gateway
|
||||
route add default 172.22.99.4
|
||||
# EOF
|
||||
|
||||
chmod 0755 /root/ucarp_down.sh
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/ppp/ppp.conf (PPPoE Config!)
|
||||
<source lang=bash>
|
||||
vi /etc/ppp/ppp.conf
|
||||
|
||||
default:
|
||||
set log Chat Command Connect Filter Phase tun Error Alert
|
||||
|
||||
telekom:
|
||||
set device PPPoE:epair1b
|
||||
set redial 1 0
|
||||
set reconnect 3 23
|
||||
set mtu max 1492
|
||||
set mru max 1492
|
||||
set speed sync
|
||||
set server /var/run/internet "" 0177
|
||||
set dial
|
||||
set login
|
||||
set authname "000000000000000000000000#0001@t-online.de"
|
||||
set authkey "00000000"
|
||||
disable acfcomp protocomp
|
||||
disable ipv6cp
|
||||
enable mssfixup
|
||||
enable dns
|
||||
enable lqr
|
||||
enable echo
|
||||
accept lqr
|
||||
add default HISADDR
|
||||
set timeout 0
|
||||
open
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/sysctl.conf
|
||||
<source lang=bash>
|
||||
vi /etc/sysctl.conf
|
||||
|
||||
# $FreeBSD: releng/9.3/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
|
||||
#
|
||||
# This file is read when going to multi-user and its contents piped thru
|
||||
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
|
||||
#
|
||||
|
||||
# Uncomment this to prevent users from seeing information about processes that
|
||||
# are being run under another UID.
|
||||
#security.bsd.see_other_uids=0
|
||||
|
||||
net.inet.ip.forwarding=1
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/rc.conf
|
||||
<source lang=bash>
|
||||
vi /etc/rc.conf
|
||||
|
||||
### ### ### /etc/rc.conf ### ### ###
|
||||
portmap_enable="NO"
|
||||
sshd_enable="NO"
|
||||
sendmail_enable="NO"
|
||||
sendmail_submit_enable="NO"
|
||||
sendmail_outbound_enable="NO"
|
||||
sendmail_msp_queue_enable="NO"
|
||||
hostname="routbert"
|
||||
devfs_enable="YES"
|
||||
devfs_system_ruleset="devfsrules_common"
|
||||
inet6_enable="YES"
|
||||
ip6addrctl_enable="YES"
|
||||
|
||||
ucarp_enable="YES"
|
||||
ucarp_if="epair1b"
|
||||
ucarp_vhid="1"
|
||||
ucarp_pass="TOPSECRET"
|
||||
ucarp_preempt="YES"
|
||||
ucarp_facility="daemon"
|
||||
ucarp_src="172.22.99.92"
|
||||
ucarp_addr="172.22.99.4"
|
||||
ucarp_advbase="1"
|
||||
ucarp_advskew="10"
|
||||
ucarp_upscript="/root/ucarp_up.sh"
|
||||
ucarp_downscript="/root/ucarp_down.sh"
|
||||
|
||||
cloned_interfaces="tun"
|
||||
gateway_enable="YES"
|
||||
firewall_enable="YES"
|
||||
# firewall_type="OPEN"
|
||||
firewall_logging="YES"
|
||||
firewall_type="/etc/firewall.rules"
|
||||
firewall_script="/etc/rc.firewall.local"
|
||||
|
||||
ppp_enable="YES"
|
||||
ppp_mode="ddial"
|
||||
# ppp_nat="YES" # if you want to enable nat for your local network, otherwise NO (or nat with ipfw)
|
||||
ppp_user="root"
|
||||
ppp_profile="telekom"
|
||||
# EOF
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/rc.local
|
||||
<source lang=bash>
|
||||
vi /etc/rc.local
|
||||
|
||||
#!/bin/sh
|
||||
NEWINTERFACE=$(ifconfig | grep "flags" | grep "epair" | awk '{print $1}' | sed 's/://')
|
||||
find /etc -name "rc.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
|
||||
find /etc -name "firewall.rules" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
|
||||
find /etc/ppp -name "ppp.conf" -type f -exec sed -i "" 's/epair[0-9]b/'"$NEWINTERFACE"'/g' {} \;
|
||||
/usr/local/etc/rc.d/ucarp start
|
||||
exit 0
|
||||
# EOF
|
||||
|
||||
chmod 0755 /etc/rc.local
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/firewall.rules
|
||||
<source lang=bash>
|
||||
vi /etc/firewall.rules
|
||||
|
||||
### ### ### etc/firewall.rules ### ### ###
|
||||
|
||||
### stage0 // ###
|
||||
#/ add 00001 check-state
|
||||
#/ add 00003 deny tcp from any to any established in via epair1b
|
||||
### // statefull ###
|
||||
#
|
||||
add 00002 deny all from any to any frag in via epair1b
|
||||
#
|
||||
### // stage0 ###
|
||||
|
||||
### stage1 - Uplink Filter // ###
|
||||
# Throw away RFC 1918 networks
|
||||
#/ add 10 drop all from 10.0.0.0/8 to any in via epair1b
|
||||
#/ add 11 drop all from 172.16.0.0/12 to any in via epair1b
|
||||
#/ add 12 drop all from 192.168.0.0/16 to any in via epair1b
|
||||
#
|
||||
add 00045 count icmp from any to any via epair1b
|
||||
add 00046 count ipv6-icmp from any to any via epair1b
|
||||
add 00047 count icmp from any to any via tun0
|
||||
add 00048 count ipv6-icmp from any to any via tun0
|
||||
### // stage1 - Uplink Filter ###
|
||||
|
||||
### stage2 // ###
|
||||
add 00098 allow ip4 from me to any
|
||||
add 00099 allow ip6 from me6 to any
|
||||
### // stage2 ###
|
||||
|
||||
### stage3 - Admin SSH // ###
|
||||
### // stage3 - Admin SSH ###
|
||||
|
||||
### stage4 // ###
|
||||
#
|
||||
nat 1 config if tun0 reset
|
||||
add 10001 nat 1 ip4 from any to any via tun0
|
||||
#
|
||||
### // stage4 ###
|
||||
|
||||
### stage9 // ###
|
||||
add 60100 allow ip from any to any via lo0
|
||||
add 60200 deny ip from any to 127.0.0.0/8
|
||||
add 60300 deny ip from 127.0.0.0/8 to any
|
||||
add 60400 deny ip from any to ::1
|
||||
add 60500 deny ip from ::1 to any
|
||||
add 60600 allow ipv6-icmp from :: to ff02::/16
|
||||
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
|
||||
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
|
||||
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
|
||||
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
|
||||
### // stage9 ###
|
||||
|
||||
### stage10 // ###
|
||||
add 65001 allow ip4 from any to any
|
||||
add 65002 allow ip6 from any to any
|
||||
### // stage10 ###
|
||||
|
||||
# EOF
|
||||
</source>
|
||||
|
||||
„dropbert2“ Container: /etc/rc.firewall.local
|
||||
<source lang=bash>
|
||||
vi /etc/rc.firewall.local
|
||||
|
||||
#!/bin/sh
|
||||
### ### ### etc/rc.firewall.local // ### ### ###
|
||||
/sbin/ipfw -q flush
|
||||
/sbin/ipfw -q pipe flush
|
||||
/sbin/ipfw -q queue flush
|
||||
/sbin/ipfw -q /etc/firewall.rules
|
||||
### ### ### // etc/rc.firewall.local ### ### ###
|
||||
# EOF
|
||||
|
||||
chmod 0755 /etc/rc.firewall.local
|
||||
</source>
|
||||
|
||||
Das sollte es gewesen sein!
|
||||
|
||||
Nun sollte man einmal die „routbert“ JAIL, per FreeNAS Web GUI, neustarten lassen
|
||||
|
||||
|
||||
|
||||
<source lang=bash>
|
||||
|
||||
</source>
|
||||
|
|
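Review bot: The readiness test in /root/ucarp_up.sh, `if [ "$CHECKPPP" -eq 1 ]`, only fires when exactly one "Pap Input: SUCCESS" line is in /var/log/ppp.log, so if ppp redials and logs a second success before the loop observes the first, the count becomes 2, the loop never breaks and /etc/rc.firewall.local is never loaded; `if [ "$CHECKPPP" -ge 1 ]` (or `grep -q`) removes that window, and `CHECKPPP=$(grep -c "Pap Input: SUCCESS" /var/log/ppp.log)` drops the useless cat. The same script expands `$ucarp_if` and `$ucarp_addr` unquoted in the ifconfig call; quoting them, `/sbin/ifconfig "$ucarp_if" alias "$ucarp_addr"/24`, keeps an unset or odd rc.conf value from silently producing a different command. In ucarp_down.sh, `pkill -9 ppp` skips ppp's own teardown of the PPPoE session and the added default route; sending TERM first and only escalating if the process survives is the safer order. The `ucarp_pass="TOPSECRET"` in rc.conf reads as a placeholder; it would help readers to say so in the text, since rc.conf is readable by local users and the value authenticates the CARP advertisements.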