authorJacob Appelbaum <jacob@appelbaum.net>2011-08-18 17:06:50 +0200
committerJacob Appelbaum <jacob@appelbaum.net>2011-08-18 17:06:50 +0200
commitf201878306730677591d08ad6f09965910b97e61 (patch)
tree41500ca031ad6641bf97faedaba0a92c4666f9cd
parent748989b43f0f82668e1bbabfeba309857cde8272 (diff)
downloadtorouter-f201878306730677591d08ad6f09965910b97e61.tar.gz
torouter-f201878306730677591d08ad6f09965910b97e61.zip
update torouter_config.sh to copy files
-rw-r--r--packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-keybin0 -> 3742 bytes
-rw-r--r--packages/torouter-prep/configs/apt-preferences.d-backports3
-rw-r--r--packages/torouter-prep/configs/armrc.sample.gzbin0 -> 3633 bytes
-rw-r--r--packages/torouter-prep/configs/dnsmasq.conf3
-rw-r--r--packages/torouter-prep/configs/inittab70
-rw-r--r--packages/torouter-prep/configs/interfaces10
-rw-r--r--packages/torouter-prep/configs/modprobe.d-blacklist.conf26
-rw-r--r--packages/torouter-prep/configs/ntp.conf55
-rw-r--r--packages/torouter-prep/configs/torrc31
-rwxr-xr-xpackages/torouter-prep/configs/ttdnsd-default17
-rw-r--r--packages/torouter-prep/src/torouter_config.sh131
11 files changed, 242 insertions, 104 deletions
diff --git a/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key b/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key
new file mode 100644
index 0000000..5b6a4d3
--- /dev/null
+++ b/packages/torouter-prep/configs/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key
Binary files differ
diff --git a/packages/torouter-prep/configs/apt-preferences.d-backports b/packages/torouter-prep/configs/apt-preferences.d-backports
new file mode 100644
index 0000000..8e9275b
--- /dev/null
+++ b/packages/torouter-prep/configs/apt-preferences.d-backports
@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=squeeze-backports
+Pin-Priority: 200
diff --git a/packages/torouter-prep/configs/armrc.sample.gz b/packages/torouter-prep/configs/armrc.sample.gz
new file mode 100644
index 0000000..c86b6f1
--- /dev/null
+++ b/packages/torouter-prep/configs/armrc.sample.gz
Binary files differ
diff --git a/packages/torouter-prep/configs/dnsmasq.conf b/packages/torouter-prep/configs/dnsmasq.conf
index 8845e80..2711486 100644
--- a/packages/torouter-prep/configs/dnsmasq.conf
+++ b/packages/torouter-prep/configs/dnsmasq.conf
@@ -83,9 +83,10 @@ no-poll
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth1
-#interface=uap0
+interface=uap0
# Or you can specify which interface _not_ to listen on
except-interface=eth0
+except-interface=lo
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
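Review bot: `except-interface=lo` on its own does not free 127.0.0.1:53, because without `bind-interfaces` dnsmasq binds the wildcard address and merely discards queries that arrive on excluded interfaces; the `DNSListenAddress 127.0.0.1:53` this same commit adds to torrc would then fail to bind, or dnsmasq would, depending on which service starts first. If the intent is to hand loopback DNS to Tor, add `bind-interfaces` next to the `interface=` lines so dnsmasq only binds eth1 and uap0. I would confirm the behaviour on the dnsmasq version shipped with squeeze before relying on it, and note the reason in a comment above the new line.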
diff --git a/packages/torouter-prep/configs/inittab b/packages/torouter-prep/configs/inittab
new file mode 100644
index 0000000..98dca83
--- /dev/null
+++ b/packages/torouter-prep/configs/inittab
@@ -0,0 +1,70 @@
+# /etc/inittab: init(8) configuration.
+# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $
+
+# The default runlevel.
+id:2:initdefault:
+
+# Boot-time system configuration/initialization script.
+# This is run first except when booting in emergency (-b) mode.
+si::sysinit:/etc/init.d/rcS
+
+# What to do in single-user mode.
+~~:S:wait:/sbin/sulogin
+
+# /etc/init.d executes the S and K scripts upon change
+# of runlevel.
+#
+# Runlevel 0 is halt.
+# Runlevel 1 is single-user.
+# Runlevels 2-5 are multi-user.
+# Runlevel 6 is reboot.
+
+l0:0:wait:/etc/init.d/rc 0
+l1:1:wait:/etc/init.d/rc 1
+l2:2:wait:/etc/init.d/rc 2
+l3:3:wait:/etc/init.d/rc 3
+l4:4:wait:/etc/init.d/rc 4
+l5:5:wait:/etc/init.d/rc 5
+l6:6:wait:/etc/init.d/rc 6
+# Normally not reached, but fallthrough in case of emergency.
+z6:6:respawn:/sbin/sulogin
+
+# What to do when CTRL-ALT-DEL is pressed.
+ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
+
+# Action on special keypress (ALT-UpArrow).
+#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
+
+# What to do when the power fails/returns.
+pf::powerwait:/etc/init.d/powerfail start
+pn::powerfailnow:/etc/init.d/powerfail now
+po::powerokwait:/etc/init.d/powerfail stop
+
+# /sbin/getty invocations for the runlevels.
+#
+# The "id" field MUST be the same as the last
+# characters of the device (after "tty").
+#
+# Format:
+# <id>:<runlevels>:<action>:<process>
+#
+# Note that on most Debian systems tty7 is used by the X Window System,
+# so if you want to add more getty's go ahead but skip tty7 if you run X.
+#
+1:2345:respawn:/sbin/getty 38400 tty1
+#2:23:respawn:/sbin/getty 38400 tty2
+#3:23:respawn:/sbin/getty 38400 tty3
+#4:23:respawn:/sbin/getty 38400 tty4
+#5:23:respawn:/sbin/getty 38400 tty5
+#6:23:respawn:/sbin/getty 38400 tty6
+
+# Example how to put a getty on a serial line (for a terminal)
+#
+#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
+#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100
+
+# Example how to put a getty on a modem line.
+#
+#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3
+
+T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux
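Review bot: `T0:2345:respawn:/sbin/getty -L ttyS0 115200 linux` is the one line that departs from Debian's stock template, but nothing says why it is enabled or why tty2-tty6 stay commented out; since the install script copies this file over /etc/inittab wholesale, a comment above it would help, e.g. `# Torouter: the DreamPlug is headless, so the serial console is the only local login; tty2-6 have no hardware behind them.` — confirm the hardware assumption before using that wording. The `$Id: inittab,v 1.91 ...$` CVS keyword on the second line is inherited from the Debian template and carries no meaning in this repository.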
diff --git a/packages/torouter-prep/configs/interfaces b/packages/torouter-prep/configs/interfaces
index d1a5fa6..903bdb4 100644
--- a/packages/torouter-prep/configs/interfaces
+++ b/packages/torouter-prep/configs/interfaces
@@ -30,9 +30,9 @@ iface uap0 inet static
broadcast 172.16.23.255
pre-up ifconfig uap0 hw ether 00:66:66:66:66:66
post-up /etc/init.d/tor reload
- #post-up /etc/init.d/udhcpd restart
post-up /etc/init.d/dnsmasq restart
- post-up /root/tor-wireless-firewall.sh
- post-up /root/uaputl/uaputl sys_cfg_ssid "torproject"
- post-up /root/uaputl/uaputl bss_start
- pre-down /root/uaputl/uaputl bss_stop
+ post-up /etc/init.d/ttdnsd restart
+ post-up /usr/bin/uaputl sys_cfg_ssid "torproject"
+ post-up /usr/bin/uaputl bss_start
+ post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh
+ pre-down /usr/bin/uaputl bss_stop
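Review bot: The firewall script now runs after `bss_start`, whereas before this commit it ran before uaputl brought the access point up (old line `post-up /root/tor-wireless-firewall.sh`), so wireless clients can associate during a window in which no tor-wireless rules are loaded; moving `post-up /usr/share/torouter-prep/example-configs/tor-wireless-firewall.sh` above the two uaputl lines closes that gap. The script path also disagrees with `config_dir="/usr/share/doc/torouter-prep/example-configs/"` set in torouter_config.sh in this same commit, so one of the two is presumably wrong, and as far as I know ifupdown stops running the remaining post-up commands for the interface once one of them fails. The `iface uap0 inet static` stanza starts before this hunk.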
diff --git a/packages/torouter-prep/configs/modprobe.d-blacklist.conf b/packages/torouter-prep/configs/modprobe.d-blacklist.conf
new file mode 100644
index 0000000..87c6fbe
--- /dev/null
+++ b/packages/torouter-prep/configs/modprobe.d-blacklist.conf
@@ -0,0 +1,26 @@
+# This file lists modules which will not be loaded as the result of
+# alias expansion, with the purpose of preventing the hotplug subsystem
+# to load them. It does not affect autoloading of modules by the kernel.
+# This file is provided by the udev package.
+
+# evbug is a debug tool and should be loaded explicitly
+blacklist evbug
+
+# these drivers are very simple, the HID drivers are usually preferred
+blacklist usbmouse
+blacklist usbkbd
+
+# replaced by e100
+blacklist eepro100
+
+# replaced by tulip
+blacklist de4x5
+
+# replaced by tmscsim
+blacklist am53c974
+
+# these watchdog drivers break some systems
+blacklist iTCO_wdt
+
+
+blacklist ipv6
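Review bot: `blacklist ipv6` only suppresses loading by alias, as the header comment of this very file says, so the module can still arrive through an explicit `modprobe ipv6`, an entry in /etc/modules, or as a dependency of another module, and the intent the install script states (`## Disable ipv6 support for now`) is not guaranteed by this line. If the goal is to keep the module out entirely, `install ipv6 /bin/true` is the modprobe.d directive for that, complementing the `net.ipv6.conf.all.disable_ipv6=1` sysctl the script already writes. Either way, a one-line comment above the directive saying why the Torouter blocks ipv6 would separate it from the udev-provided defaults it was appended to.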
diff --git a/packages/torouter-prep/configs/ntp.conf b/packages/torouter-prep/configs/ntp.conf
new file mode 100644
index 0000000..cb7d021
--- /dev/null
+++ b/packages/torouter-prep/configs/ntp.conf
@@ -0,0 +1,55 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server 0.debian.pool.ntp.org iburst
+server 1.debian.pool.ntp.org iburst
+server 2.debian.pool.ntp.org iburst
+server 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
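Review bot: This file uses ntp.org ntpd syntax (`driftfile`, `filegen`, `restrict`), but torouter_config.sh in this commit installs OpenNTPD (`apt-get -y -t squeeze-backports install openntpd`) and copies this file to `/etc/ntp.conf`; OpenNTPD reads /etc/openntpd/ntpd.conf with a different grammar, so as far as I can tell this file is never consulted and the router runs with whatever default the package ships. Either install `ntp` and keep this file, or convert it to an OpenNTPD-style config and copy it to that path. Since Tor needs a roughly correct clock to build circuits, it is worth confirming on the device which daemon actually ends up running.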
diff --git a/packages/torouter-prep/configs/torrc b/packages/torouter-prep/configs/torrc
index b4c5de3..7a12e73 100644
--- a/packages/torouter-prep/configs/torrc
+++ b/packages/torouter-prep/configs/torrc
@@ -35,7 +35,7 @@ SocksListenAddress 127.0.0.1 # accept connections only from localhost
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
-Log debug file /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
@@ -67,8 +67,9 @@ DataDirectory /var/lib/tor
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
-HiddenServiceDir /var/lib/tor/hidden_service/
-HiddenServicePort 22 127.0.0.1:22
+# Uncomment this to allow ssh access to the Torouter over your own Hidden Service
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 22 127.0.0.1:22
#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
@@ -78,16 +79,15 @@ HiddenServicePort 22 127.0.0.1:22
#
## See https://www.torproject.org/docs/tor-doc-relay for details.
-## Required: what port to advertise for incoming Tor connections.
-ORPort 9001
+### Required: what port to advertise for incoming Tor connections.
+ORPort 9001
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
## line below too. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORListenAddress 0.0.0.0:9090
-
-## A handle for your relay, so people don't have to refer to it by key.
-#Nickname ididnteditheconfig
+#ORListenAddress 0.0.0.0:9090
+Nickname Torouter
## The IP address or full DNS name for your relay. Leave commented out
## and Tor will guess.
@@ -150,9 +150,10 @@ ORPort 9001
## ISP is filtering connections to all the known Tor relays, they probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
-## be a real relay, please do; but if not, be a bridge!
-#BridgeRelay 1
+# be a real relay, please do; but if not, be a bridge!
ExitPolicy reject *:*
+ExitPolicy accept *:*
+
AvoidDiskWrites 1
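Review bot: The `ExitPolicy accept *:*` added directly under `ExitPolicy reject *:*` is dead configuration: Tor evaluates ExitPolicy lines in order and the first match wins, so the reject already covers everything and the accept can never apply. It is also a hazard, because anyone who reorders or deletes the reject line turns this home router into a full exit relay; drop the `accept *:*` line, or replace it with a comment stating that the Torouter is deliberately a non-exit relay. On a smaller note, the `@@ -78,16 +79,15 @@` hunk of this file rewrites `ORPort 9001` to identical content and leaves `#ORListenAddress 0.0.0.0:9090` present twice.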
@@ -160,14 +161,16 @@ AvoidDiskWrites 1
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
-TransListenAddress 172.16.23.1
+TransListenAddress 172.16.23.1
DNSPort 5353
-DNSListenAddress 172.16.23.1
+DNSListenAddress 172.16.23.1
+DNSListenAddress 127.0.0.1:53
User debian-tor
-PortForwarding 1
-PortForwardingHelper /usr/local/bin/tor-fw-helper
+# By default we do not have PortForwarding support
+# PortForwarding 1
+# PortForwardingHelper /usr/local/bin/tor-fw-helper
PIDFile /var/run/tor/tor.pid
diff --git a/packages/torouter-prep/configs/ttdnsd-default b/packages/torouter-prep/configs/ttdnsd-default
new file mode 100755
index 0000000..0a22bc4
--- /dev/null
+++ b/packages/torouter-prep/configs/ttdnsd-default
@@ -0,0 +1,17 @@
+# /etc/default/ttdnsd
+
+# Address to bind to - usually this should be 127.0.0.1
+# unless a copy of ttdnsd runs on 127.0.0.n
+ADDR_ARG="-b 172.16.23.1"
+
+# Port to listen on - almost always this should be port 53
+# unless an additional local DNS cache (like unbound, dnscache, pdnsd)
+# listen on port 53 as system resolver and is used in front of ttdnsd
+# for caching purposes.
+PORT_ARG="-p 5354"
+
+# Debug logging
+# DEBUG_LOGGING="-l"
+
+# Glue all of it together below
+DEFAULTS="$ADDR_ARG $PORT_ARG"
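Review bot: The comment above `ADDR_ARG="-b 172.16.23.1"` still says the address should usually be 127.0.0.1, which contradicts the value set right below it, and since torouter_config.sh copies this file to /etc/default/ttdnsd verbatim the next reader gets no explanation. I would replace the two comment lines with something like `# Bind to the uap0 address (presumably the 172.16.23.1 used in configs/interfaces and torrc) so wireless clients reach ttdnsd; loopback is left to dnsmasq/Tor` — adjusted to the real intent. The file is also committed with mode 100755, but /etc/default files are sourced, not executed, so 0644 would be the conventional mode.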
diff --git a/packages/torouter-prep/src/torouter_config.sh b/packages/torouter-prep/src/torouter_config.sh
index 7c79862..aec9b48 100644
--- a/packages/torouter-prep/src/torouter_config.sh
+++ b/packages/torouter-prep/src/torouter_config.sh
@@ -1,60 +1,47 @@
#!/bin/bash -x
+export VERSION="0.1"
+
echo "This program will reconfigure your Debian system into a Torouter"
exit 0
echo "This is where we'd take over the entire Torouter system"
# For every file we touch, move it to the temp_dir and then tar it up in the end
-temp_dir="`mktemp -d`"
-config_dir="/usr/share/doc/torouter-prep/example-configs/"
+export temp_dir="`mktemp -d`"
+export config_dir="/usr/share/doc/torouter-prep/example-configs/"
-# Add a user
-ADMINUSER="toradmin"
-ADMINGROUP="toradmin"
+# Add a user to administrate the Torouter later
+export ADMINUSER="torouter"
+export ADMINGROUP="torouter"
-# Install the Tor repo key
-gpg --keyserver keys.gnupg.net --recv 886DDD89
-gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
+addgroup $ADMINGROUP
+useradd -g $ADMINGROUP -s /bin/bash $ADMINUSER
-cp /etc/hosts $temp_dir/
-# Stomp on the hosts file
-cat << EOF > /etc/hosts
-127.0.0.1 localhost
-EOF
+# Install the Tor repo key
+# gpg --keyserver keys.gnupg.net --recv 886DDD89
+# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
+apt-get add $config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key
-cp /etc/hostname $temp_dir/
-# Set us to have a default host name
-cp /usr/share/doc/
+# Set us to have a default host name and hosts file
+cp $config_dir/hostname /etc/hostname
+cp $config_dir/hosts /etc/hosts
# We need to prep apt to understand that we want packages from other repos
-# We append to the current package list
-cat << EOF >> /etc/apt/sources.list
-# Tor's debian package repo:
-deb http://deb.torproject.org/torproject.org squeeze main
-deb http://deb.torproject.org/torproject.org experimental-squeeze main
-
-# Add Debian backports for OpenNTPD, libminiupnpc-dev, libminiupnpc5
-# http://packages.debian.org/squeeze-backports/libminiupnpc-dev
-deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
-
-# Add Debian experimental for libnatpmp0
-# http://packages.debian.org/experimental/libnatpmp0
-deb http://ftp.debian.org/debian experimental main
-deb-src http://ftp.debian.org/debian experimental main
-
-EOF
+cp $config_dir/sources.list /etc/apt/sources.list
# We're creating this file to ensure we get updates
-cat << 'EOF' > /etc/apt/preferences.d/backports
-Package: *
-Pin: release a=squeeze-backports
-Pin-Priority: 200
-EOF
+cp $config_dir/apt-preferences.d-backports /etc/apt/preferences.d/backports
apt-get -y update
+# Remove a bunch of stuff:
+apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus
+
+# Install the weird wireless control for the DreamPlug
+apt-get install -y -t sid uaputl
+
# Install some other packages here:
-apt-get -y install denyhosts ufw
+apt-get -y install denyhosts ufw
# Allow us to set the clock:
apt-get -y -t squeeze-backports install openntpd
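Review bot: `apt-get add $config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key` is not a valid apt-get subcommand; importing a key file is `apt-key add "$config_dir/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.apt-key"`. Because the script runs with `-x` but no `set -e`, the failure is only visible in the trace, `apt-get -y update` then reports the Tor repository as unsigned, and the later `apt-get -y install tor tor-geoipdb` will, as far as I can tell, refuse the unauthenticated packages rather than install them. Also note that `hostname`, `hosts` and `sources.list` are copied out of `$config_dir` but are not among the files this commit adds under configs/, so they must already exist there or those `cp` lines fail just as silently.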
@@ -63,6 +50,7 @@ apt-get -y -t squeeze-backports install openntpd
apt-get -y install tor tor-geoipdb
# To build with natpmp support
+apt-get -y -t experimental install libnatpmp-dev
apt-get -y -t experimental install libnatpmp0
# To build with miniupnpc support
@@ -76,6 +64,9 @@ apt-get -y -t squeeze-backports install libminiupnpc5
# Install a Tor controller:
apt-get -y install tor-arm
+# Install the ttdnsd program:
+apt-get -y install ttdnsd
+
# Install a normal dns cache for eth1
apt-get -y install dnsmasq
@@ -84,65 +75,36 @@ apt-get -y install dnsmasq
##
# Configure arm
-zcat /usr/share/doc/tor-arm/armrc.sample.gz > ~$(ADMINUSER)/.armrc
-# XXX This is where we will call torrc-takeover.py when it is packaged
+zcat $config_dir/armrc.sample.gz > ~$(ADMINUSER)/.armrc
-# XXX We should reconfigure /etc/inittab here
+# Reconfigure /etc/inittab here
+cp $config_dir/inittab /etc/inittab
# Configure the network
# eth0 is our "internet" interface with a dhcp client
-cat << 'EOF' > /etc/network/interfaces
-# The primary network interface
-allow-hotplug eth0
-iface eth0 inet dhcp
+cp $config_dir/interfaces /etc/network/interfaces
-#
-# XXX Configure eth1 and ap0 here
-#
+# Configure dnsmasq
+cp $config_dir/dnsmasq.conf /etc/dnsmasq.conf
-EOF
+# Configure ntp
+cp $config_dir/ntp.conf /etc/ntp.conf
# XXX We should configure ufw here
-# ufw allow
# XXX We should configure denyhosts
-# XXX We should configure dnsmasq
-# XXX We should configure the DHCP server here
-
-cp /etc/tor/torrc $temp_dir/
-# configure Tor and stomp on the current Tor config
-cat << 'EOF' > /etc/tor/torrc
-# Run Tor as a bridge/relay only, not as a client
-SocksPort 0
-
-# What port to advertise for incoming Tor connections
-ORPort 443
-# We're on a flash file system
-AvoidDiskWrites 1
+cp $config_dir/torrc /etc/tor/torrc
+cp $config_dir/ttdnsd-default /etc/default/ttdnsd
-# Be a bridge
-BridgeRelay 1
+# Configure sshd
+cp $config_dir/sshd_config /etc/ssh/sshd_config
-# Rate limited
-BandwidthRate 50KB
-
-# Don't allow any Tor traffic to exit
-Exitpolicy reject *:*
-
-# Allow a controller (tor-arm) on this system to configure Tor:
-ControlPort 9051
-ControlListenAddress 127.0.0.1:9051
-CookieAuthentication 1
-EOF
-
-# Remove a bunch of stuff:
-apt-get -y remove exim4-base exim4-config exim4-daemon-light dbus
+# Clean up our cache
+apt-get -y clean
-## Disable ipv6 support
-cp /etc/sysctl.d/disableipv6.conf $temp_dir/
+## Disable ipv6 support for now
+cp $config_dir/modprobe.d-blacklist.conf /etc/modprobe.d/blacklist.conf
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
-cp /etc/sshd_config $temp_dir/
-echo "AddressFamily inet" >> /etc/ssh/ssh_config
##
## Restart services here
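Review bot: `~$(ADMINUSER)/.armrc` is kept by this commit, but `$(ADMINUSER)` is a bash command substitution rather than a variable reference, and bash performs tilde expansion before it anyway, so the armrc does not land in the admin user's home directory. The user is also created in the first hunk with `useradd -g $ADMINGROUP -s /bin/bash $ADMINUSER`, without `-m`, so there is no home directory to write into even if the expansion were right. I would change that line to `useradd -m -g "$ADMINGROUP" -s /bin/bash "$ADMINUSER"` and this one to `zcat "$config_dir/armrc.sample.gz" > "/home/$ADMINUSER/.armrc" && chown "$ADMINUSER:$ADMINGROUP" "/home/$ADMINUSER/.armrc"`, assuming the default home under /home. `sshd_config` is likewise copied from `$config_dir` without being among the files this commit adds.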
@@ -150,9 +112,10 @@ echo "AddressFamily inet" >> /etc/ssh/ssh_config
/etc/init.d/ssh restart
/etc/init.d/tor restart
+/etc/init.d/ttdnsd restart
##
## Touch a stamp to show that we're now a Torouter
##
-echo "torouter" > /etc/torouter
+echo "torouter $VERSION" > /etc/torouter