From b1aec80110e822d835f6c97a2320b7dfc5fba039 Mon Sep 17 00:00:00 2001 From: ficus Date: Sun, 23 Sep 2012 04:22:14 +0200 Subject: possibly functional image builder --- .../torouter-prep/configs/etc/apt/sources.list | 2 + .../torouter-prep/configs/etc/default/openntpd | 6 + packages/torouter-prep/configs/etc/default/ttdnsd | 17 + packages/torouter-prep/configs/etc/dhcp/dhcpd.conf | 32 ++ packages/torouter-prep/configs/etc/dnsmasq.conf | 557 +++++++++++++++++++++ packages/torouter-prep/configs/etc/fstab | 6 + packages/torouter-prep/configs/etc/hostname | 1 + packages/torouter-prep/configs/etc/hosts | 7 + .../torouter-prep/configs/etc/init.d/first-run | 71 +++ packages/torouter-prep/configs/etc/init.d/proxy | 61 +++ packages/torouter-prep/configs/etc/inittab | 70 +++ .../configs/etc/modprobe.d/blacklist.conf | 26 + packages/torouter-prep/configs/etc/mtab | 0 .../torouter-prep/configs/etc/network/interfaces | 39 ++ packages/torouter-prep/configs/etc/ntp.conf | 55 ++ .../torouter-prep/configs/etc/openvpn/client.conf | 0 .../torouter-prep/configs/etc/openvpn/static.key | 0 .../torouter-prep/configs/etc/rc1.d/S01first-run | 1 + .../torouter-prep/configs/etc/rc2.d/S01first-run | 1 + packages/torouter-prep/configs/etc/rc2.d/S50proxy | 1 + packages/torouter-prep/configs/etc/resolv.conf | 2 + .../configs/etc/ssh/sshd_config/sshd_config | 87 ++++ packages/torouter-prep/configs/etc/sysctl.conf | 5 + packages/torouter-prep/configs/etc/tor/torrc | 180 +++++++ .../udev/rules.d/75-persistent-net-generator.rules | 0 25 files changed, 1227 insertions(+) create mode 100644 packages/torouter-prep/configs/etc/apt/sources.list create mode 100644 packages/torouter-prep/configs/etc/default/openntpd create mode 100755 packages/torouter-prep/configs/etc/default/ttdnsd create mode 100644 packages/torouter-prep/configs/etc/dhcp/dhcpd.conf create mode 100644 packages/torouter-prep/configs/etc/dnsmasq.conf create mode 100644 packages/torouter-prep/configs/etc/fstab create mode 100644 packages/torouter-prep/configs/etc/hostname create mode 100644 packages/torouter-prep/configs/etc/hosts create mode 100755 packages/torouter-prep/configs/etc/init.d/first-run create mode 100755 packages/torouter-prep/configs/etc/init.d/proxy create mode 100644 packages/torouter-prep/configs/etc/inittab create mode 100644 packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf create mode 100644 packages/torouter-prep/configs/etc/mtab create mode 100644 packages/torouter-prep/configs/etc/network/interfaces create mode 100644 packages/torouter-prep/configs/etc/ntp.conf create mode 100644 packages/torouter-prep/configs/etc/openvpn/client.conf create mode 100644 packages/torouter-prep/configs/etc/openvpn/static.key create mode 120000 packages/torouter-prep/configs/etc/rc1.d/S01first-run create mode 120000 packages/torouter-prep/configs/etc/rc2.d/S01first-run create mode 120000 packages/torouter-prep/configs/etc/rc2.d/S50proxy create mode 100644 packages/torouter-prep/configs/etc/resolv.conf create mode 100644 packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config create mode 100644 packages/torouter-prep/configs/etc/sysctl.conf create mode 100644 packages/torouter-prep/configs/etc/tor/torrc create mode 100644 packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules (limited to 'packages/torouter-prep/configs/etc') diff --git a/packages/torouter-prep/configs/etc/apt/sources.list b/packages/torouter-prep/configs/etc/apt/sources.list new file mode 100644 index 0000000..c06710c --- /dev/null +++ b/packages/torouter-prep/configs/etc/apt/sources.list @@ -0,0 +1,2 @@ +deb http://http.debian.net/debian wheezy main +deb-src http://http.debian.net/debian wheezy main diff --git a/packages/torouter-prep/configs/etc/default/openntpd b/packages/torouter-prep/configs/etc/default/openntpd new file mode 100644 index 0000000..318e7bd --- /dev/null +++ b/packages/torouter-prep/configs/etc/default/openntpd @@ -0,0 +1,6 @@ +# /etc/default/openntpd + +# Append '-s' to set the system time when starting in case the offset +# between the local clock and the servers is more than 180 seconds. +# For other options, see man ntpd(8). +DAEMON_OPTS="-f /etc/openntpd/ntpd.conf -s" diff --git a/packages/torouter-prep/configs/etc/default/ttdnsd b/packages/torouter-prep/configs/etc/default/ttdnsd new file mode 100755 index 0000000..0a22bc4 --- /dev/null +++ b/packages/torouter-prep/configs/etc/default/ttdnsd @@ -0,0 +1,17 @@ +# /etc/default/ttdnsd + +# Address to bind to - usually this should be 127.0.0.1 +# unless a copy of ttdnsd runs on 127.0.0.n +ADDR_ARG="-b 172.16.23.1" + +# Port to listen on - almost always this should be port 53 +# unless an additional local DNS cache (like unbound, dnscache, pdnsd) +# listen on port 53 as system resolver and is used in front of ttdnsd +# for caching purposes. +PORT_ARG="-p 5354" + +# Debug logging +# DEBUG_LOGGING="-l" + +# Glue all of it together below +DEFAULTS="$ADDR_ARG $PORT_ARG" diff --git a/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf b/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf new file mode 100644 index 0000000..ec502c6 --- /dev/null +++ b/packages/torouter-prep/configs/etc/dhcp/dhcpd.conf @@ -0,0 +1,32 @@ +# +# FreedomBox ISC dhcpd configuration +# +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option domain-name "free.dom"; +option domain-name-servers ns1.free.dom, ns2.free.dom; + +default-lease-time 600; +max-lease-time 7200; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# basic subnet configuration for the 'downstream' wired network + +subnet 192.168.1.0 netmask 255.255.255.0 { + range 192.168.1.10 192.168.1.100; + option routers 192.168.1.1; +} diff --git a/packages/torouter-prep/configs/etc/dnsmasq.conf b/packages/torouter-prep/configs/etc/dnsmasq.conf new file mode 100644 index 0000000..2711486 --- /dev/null +++ b/packages/torouter-prep/configs/etc/dnsmasq.conf @@ -0,0 +1,557 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# uneccessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link uneccessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in doubleclick.net to a local +# webserver. +#address=/doubleclick.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +interface=eth1 +interface=uap0 +# Or you can specify which interface _not_ to listen on +except-interface=eth0 +except-interface=lo +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP on it. +#no-dhcp-interface= +#no-dns-interface=uap0 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=192.168.0.50,192.168.0.150,12h +dhcp-range=10.23.42.10,10.23.42.254,255.255.255.0,12h +dhcp-range=172.16.23.10,172.16.23.254,255.255.255.0,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explict netmask instead. +#dhcp-range=192.168.0.0,static + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissble to give name,adddress and MAC in any order + +# Always allocate the host with ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Ignore any clients which are specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unkown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. +#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files availble via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=net:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slighest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come form /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include a another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d diff --git a/packages/torouter-prep/configs/etc/fstab b/packages/torouter-prep/configs/etc/fstab new file mode 100644 index 0000000..7c48827 --- /dev/null +++ b/packages/torouter-prep/configs/etc/fstab @@ -0,0 +1,6 @@ +/dev/sdc2 / auto relatime,rw 0 0 +proc /proc proc none 0 0 +sys /sys sysfs none 0 0 +none /dev/pts devpts defaults 0 0 +tmpfs /tmp tmpfs rw,nosuid,nodev 0 0 +/dev/sdc1 /boot vfat defaults 0 0 diff --git a/packages/torouter-prep/configs/etc/hostname b/packages/torouter-prep/configs/etc/hostname new file mode 100644 index 0000000..a4a2962 --- /dev/null +++ b/packages/torouter-prep/configs/etc/hostname @@ -0,0 +1 @@ +torouter diff --git a/packages/torouter-prep/configs/etc/hosts b/packages/torouter-prep/configs/etc/hosts new file mode 100644 index 0000000..42dbc33 --- /dev/null +++ b/packages/torouter-prep/configs/etc/hosts @@ -0,0 +1,7 @@ +127.0.0.1 localhost torouter +::1 localhost ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters + diff --git a/packages/torouter-prep/configs/etc/init.d/first-run b/packages/torouter-prep/configs/etc/init.d/first-run new file mode 100755 index 0000000..8df2c2d --- /dev/null +++ b/packages/torouter-prep/configs/etc/init.d/first-run @@ -0,0 +1,71 @@ +#!/bin/bash +# +# Script to complete the post-install process on first FBX boot. + +### BEGIN INIT INFO +# Provides: first-run +# Default-Start: 1 2 +# Required-Start: 2 +# Required-Stop: +# Default-Stop: +# Short-Description: Finish FBX install on DreamPlug +### END INIT INFO + +function tweak-kernel { + # Update the kernel unless requested otherwise. + + if [ -e /var/freedombox/dont-tweak-kernel ] + then + rm /var/freedombox/dont-tweak-kernel + else + kernel_version="$(/bin/ls $mountpoint/boot/vmlinuz-*-kirkwood | sort -rn | head -n1 | sed s#$mountpoint/boot/vmlinuz-##)" + + mount -t proc proc /proc + flash-kernel $kernel_version + umount /proc + fi +} + +function wifi-ap-setup { + # configure wireless access point with spinifex's prebuilt firmware + + echo "Sleeping 30s for DHCP" + sleep 30 # wait for dhcp + + echo "Installing UAP Firmware." + wget -O /tmp/marvell_wifi_firmware.tar.gz http://www.spinifex.com.au/plugs/downloads/dreamplug/marvell_wifi_firmware.tar.gz + tar -C /tmp -zxf /tmp/marvell_wifi_firmware.tar.gz + mkdir -p /lib/firmware/mrvl + cp /tmp/lib/firmware/mrvl/* /lib/firmware/mrvl +} + +function create-keys { + echo "Creating Keys." + + echo "Creating SSH keys." + rm /etc/ssh/ssh_host_* + dpkg-reconfigure openssh-server + + echo "Need to create other keys." + # gpg --batch --gen-key + # see http://lists.gnupg.org/pipermail/gnupg-users/2003-March/017376.html +} + +function remove-self { + rm -f /etc/init.d/first-run + rm -f /etc/rc1.d/S01first-run + rm -f /etc/rc2.d/S01first-run + rm /etc/init.d/first-run + rm /etc/rc1.d/S01first-run + rm /etc/rc2.d/S01first-run +} + +create-keys +# wifi-ap-setup + +# the last things we do before quitting. +tweak-kernel +remove-self + +echo "Kernel flashed. Rebooting." +reboot diff --git a/packages/torouter-prep/configs/etc/init.d/proxy b/packages/torouter-prep/configs/etc/init.d/proxy new file mode 100755 index 0000000..901507b --- /dev/null +++ b/packages/torouter-prep/configs/etc/init.d/proxy @@ -0,0 +1,61 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: proxy +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Proxy for clients. +### END INIT INFO + +set -e + +INTIF1="eth0" +INTIF2="uap0" +EXTIF="eth1" +EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" + +loadModules() { + depmod -a + modprobe ip_tables + modprobe ip_conntrack + modprobe ip_conntrack_ftp + modprobe ip_conntrack_irc + modprobe iptable_nat + modprobe ip_nat_ftp +} + +setProc() { + echo "1" > /proc/sys/net/ipv4/ip_forward + echo "1" > /proc/sys/net/ipv4/ip_dynaddr +} + +configIpTables() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P OUTPUT ACCEPT + iptables -F OUTPUT + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -t nat -F + + iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT + iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT + + iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +} + +case "$1" in + start) + loadModules + setProc + configIpTables + ;; + *) + log_success_msg "Usage: /etc/init.d/proxy {start}" + exit 1 + ;; +esac diff --git a/packages/torouter-prep/configs/etc/inittab b/packages/torouter-prep/configs/etc/inittab new file mode 100644 index 0000000..98dca83 --- /dev/null +++ b/packages/torouter-prep/configs/etc/inittab @@ -0,0 +1,70 @@ +# /etc/inittab: init(8) configuration. +# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $ + +# The default runlevel. +id:2:initdefault: + +# Boot-time system configuration/initialization script. +# This is run first except when booting in emergency (-b) mode. +si::sysinit:/etc/init.d/rcS + +# What to do in single-user mode. +~~:S:wait:/sbin/sulogin + +# /etc/init.d executes the S and K scripts upon change +# of runlevel. +# +# Runlevel 0 is halt. +# Runlevel 1 is single-user. +# Runlevels 2-5 are multi-user. +# Runlevel 6 is reboot. + +l0:0:wait:/etc/init.d/rc 0 +l1:1:wait:/etc/init.d/rc 1 +l2:2:wait:/etc/init.d/rc 2 +l3:3:wait:/etc/init.d/rc 3 +l4:4:wait:/etc/init.d/rc 4 +l5:5:wait:/etc/init.d/rc 5 +l6:6:wait:/etc/init.d/rc 6 +# Normally not reached, but fallthrough in case of emergency. +z6:6:respawn:/sbin/sulogin + +# What to do when CTRL-ALT-DEL is pressed. +ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now + +# Action on special keypress (ALT-UpArrow). +#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work." + +# What to do when the power fails/returns. +pf::powerwait:/etc/init.d/powerfail start +pn::powerfailnow:/etc/init.d/powerfail now +po::powerokwait:/etc/init.d/powerfail stop + +# /sbin/getty invocations for the runlevels. +# +# The "id" field MUST be the same as the last +# characters of the device (after "tty"). +# +# Format: +# ::: +# +# Note that on most Debian systems tty7 is used by the X Window System, +# so if you want to add more getty's go ahead but skip tty7 if you run X. +# +1:2345:respawn:/sbin/getty 38400 tty1 +#2:23:respawn:/sbin/getty 38400 tty2 +#3:23:respawn:/sbin/getty 38400 tty3 +#4:23:respawn:/sbin/getty 38400 tty4 +#5:23:respawn:/sbin/getty 38400 tty5 +#6:23:respawn:/sbin/getty 38400 tty6 + +# Example how to put a getty on a serial line (for a terminal) +# +#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100 +#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100 + +# Example how to put a getty on a modem line. +# +#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3 + +T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux diff --git a/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf b/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf new file mode 100644 index 0000000..dfb7967 --- /dev/null +++ b/packages/torouter-prep/configs/etc/modprobe.d/blacklist.conf @@ -0,0 +1,26 @@ +# This file lists modules which will not be loaded as the result of +# alias expansion, with the purpose of preventing the hotplug subsystem +# to load them. It does not affect autoloading of modules by the kernel. +# This file is provided by the udev package. + +# evbug is a debug tool and should be loaded explicitly +blacklist evbug + +# these drivers are very simple, the HID drivers are usually preferred +blacklist usbmouse +blacklist usbkbd + +# replaced by e100 +blacklist eepro100 + +# replaced by tulip +blacklist de4x5 + +# replaced by tmscsim +blacklist am53c974 + +# these watchdog drivers break some systems +blacklist iTCO_wdt + +# We do not need or want ipv6 right now +blacklist ipv6 diff --git a/packages/torouter-prep/configs/etc/mtab b/packages/torouter-prep/configs/etc/mtab new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/network/interfaces b/packages/torouter-prep/configs/etc/network/interfaces new file mode 100644 index 0000000..255075f --- /dev/null +++ b/packages/torouter-prep/configs/etc/network/interfaces @@ -0,0 +1,39 @@ +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +auto eth0 +iface eth0 inet manual + post-up ifup uap0 + post-down ifdown uap0 + +auto eth1 +iface eth1 inet static + address 10.23.42.1 + netmask 255.255.255.0 + network 10.23.42.0 + broadcast 10.23.42.255 + post-up echo 1 > /proc/sys/net/ipv4/ip_forward + # this must happen after have brought up uap0 because it clears the nat tables + post-up iptables -t nat -A POSTROUTING -s 10.23.42.0/24 -o eth0 -j MASQUERADE + post-up /etc/init.d/dnsmasq restart + +# The magic Tor wireless network +auto uap0 +iface uap0 inet static + address 172.16.23.1 + netmask 255.255.255.0 + network 172.16.23.0 + broadcast 172.16.23.255 + pre-up ifconfig uap0 hw ether 00:66:66:66:66:66 + post-up /etc/init.d/tor reload + post-up /etc/init.d/dnsmasq restart + post-up /etc/init.d/ttdnsd restart + post-up /usr/bin/uaputl sys_cfg_ssid "torproject" || true + post-up /usr/bin/uaputl bss_start || true + post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh || true + pre-down /usr/bin/uaputl bss_stop || true diff --git a/packages/torouter-prep/configs/etc/ntp.conf b/packages/torouter-prep/configs/etc/ntp.conf new file mode 100644 index 0000000..cb7d021 --- /dev/null +++ b/packages/torouter-prep/configs/etc/ntp.conf @@ -0,0 +1,55 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +# You do need to talk to an NTP server or two (or three). +#server ntp.your-provider.example + +# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will +# pick a different set every time it starts up. Please consider joining the +# pool: +server 0.debian.pool.ntp.org iburst +server 1.debian.pool.ntp.org iburst +server 2.debian.pool.ntp.org iburst +server 3.debian.pool.ntp.org iburst + + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient diff --git a/packages/torouter-prep/configs/etc/openvpn/client.conf b/packages/torouter-prep/configs/etc/openvpn/client.conf new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/openvpn/static.key b/packages/torouter-prep/configs/etc/openvpn/static.key new file mode 100644 index 0000000..e69de29 diff --git a/packages/torouter-prep/configs/etc/rc1.d/S01first-run b/packages/torouter-prep/configs/etc/rc1.d/S01first-run new file mode 120000 index 0000000..e24a808 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc1.d/S01first-run @@ -0,0 +1 @@ +../init.d/first-run \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/rc2.d/S01first-run b/packages/torouter-prep/configs/etc/rc2.d/S01first-run new file mode 120000 index 0000000..e24a808 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc2.d/S01first-run @@ -0,0 +1 @@ +../init.d/first-run \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/rc2.d/S50proxy b/packages/torouter-prep/configs/etc/rc2.d/S50proxy new file mode 120000 index 0000000..9855df4 --- /dev/null +++ b/packages/torouter-prep/configs/etc/rc2.d/S50proxy @@ -0,0 +1 @@ +../init.d/proxy \ No newline at end of file diff --git a/packages/torouter-prep/configs/etc/resolv.conf b/packages/torouter-prep/configs/etc/resolv.conf new file mode 100644 index 0000000..af9304d --- /dev/null +++ b/packages/torouter-prep/configs/etc/resolv.conf @@ -0,0 +1,2 @@ +nameserver 208.67.222.222 +nameserver 208.67.220.220 diff --git a/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config b/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config new file mode 100644 index 0000000..d079ac0 --- /dev/null +++ b/packages/torouter-prep/configs/etc/ssh/sshd_config/sshd_config @@ -0,0 +1,87 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin yes +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +#PasswordAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +Subsystem sftp /usr/lib/openssh/sftp-server + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes +AddressFamily inet diff --git a/packages/torouter-prep/configs/etc/sysctl.conf b/packages/torouter-prep/configs/etc/sysctl.conf new file mode 100644 index 0000000..916e972 --- /dev/null +++ b/packages/torouter-prep/configs/etc/sysctl.conf @@ -0,0 +1,5 @@ +# Reduce writes to flash drives +vm.laptop_mode=5 +vm.swappiness=0 +vm.dirty_writeback_centisecs=1500 +vm.dirty_expire_centisecs=1500 diff --git a/packages/torouter-prep/configs/etc/tor/torrc b/packages/torouter-prep/configs/etc/tor/torrc new file mode 100644 index 0000000..5023d57 --- /dev/null +++ b/packages/torouter-prep/configs/etc/tor/torrc @@ -0,0 +1,180 @@ +## Configuration file for a typical Tor user +## Last updated 12 April 2009 for Tor 0.2.1.14-rc. +## (May or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc + + +## Replace this with "SocksPort 0" if you plan to run Tor only as a +## relay, and not make any local application connections yourself. +SocksPort 9050 # what port to open for local application connections +SocksListenAddress 127.0.0.1 # accept connections only from localhost +#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests from SocksListenAddress. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +# Uncomment this to allow ssh access to the Torouter over your own Hidden Service +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 22 127.0.0.1:22 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +### Required: what port to advertise for incoming Tor connections. +ORPort auto +## If you want to listen on a port other than the one advertised +## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the +## line below too. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORListenAddress 0.0.0.0:9090 +#ORListenAddress 0.0.0.0:9090 +Nickname Torouter + +## The IP address or full DNS name for your relay. Leave commented out +## and Tor will guess. +#Address noname.example.com + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KBytes. +RelayBandwidthRate 50KB +RelayBandwidthBurst 75KB + +## Contact info to be published in the directory, so we can contact you +## if your relay is misconfigured or something else goes wrong. Google +## indexes this, so spammers might also collect it. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 1234D/FFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised +## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line +## below too. You'll need to do ipchains or other port forwarding yourself +## to make this work. +#DirListenAddress 0.0.0.0:9091 +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html for a sample. +#DirPortFrontPage /etc/tor/exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even if an +## ISP is filtering connections to all the known Tor relays, they probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +# be a real relay, please do; but if not, be a bridge! +BridgeRelay 1 +ExitPolicy reject *:* + +AvoidDiskWrites 1 + +# middle box stuff +VirtualAddrNetwork 10.192.0.0/10 +AutomapHostsOnResolve 1 +TransPort 9040 +TransListenAddress 172.16.23.1 +DNSPort 5353 +DNSListenAddress 172.16.23.1 +# If you disable unbound, you may enable this +#DNSListenAddress 127.0.0.1:53 + +User debian-tor + +# By default we do not have PortForwarding support +# PortForwarding 1 +# PortForwardingHelper /usr/local/bin/tor-fw-helper + +PIDFile /var/run/tor/tor.pid + +ControlPort 9051 +ControlListenAddress 127.0.0.1:9051 +CookieAuthentication 1 + diff --git a/packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules b/packages/torouter-prep/configs/etc/udev/rules.d/75-persistent-net-generator.rules new file mode 100644 index 0000000..e69de29 -- cgit v1.2.3