1 ###### gateway.conf -- NoCatAuth Gateway Configuration.
3 # Format of this file is: <Directive> <Value>, one per
4 # line. Trailing and leading whitespace is ignored. Any
5 # line beginning with a punctuation character is assumed to
8 ###### General settings.
10 # See the bottom of this file for options for logging to syslog.
12 ##### Gateway application settings.
14 # GatewayName -- The name of this gateway, to be optionally displayed
15 # on the splash and status pages. Any short string of text will do.
17 GatewayName the NoCat Network
21 # GatewayMode -- Determines the mode of operation of the gateway. Possible
24 # Open - Simply require a user to view a splash page and accept
27 # Only Open mode is currently supported.
32 # GatewayLog -- Optional. If unset, messages will go to STDERR.
35 # GatewayLog /var/log/nocat.log
38 # LoginTimeout - Number of seconds after a client's last
39 # login/renewal to terminate their connection. Probably
40 # don't want to set this to less than 60 or a lot of
41 # bandwidth is likely to get consumed by the client's
44 # For Open Mode portals, you probably want to comment out
45 # the preceding and set LoginTimeout to
46 # something large (like 86400, for one notification
51 ###### Open Portal settings.
54 # HomePage -- The authservice's notion of a default
57 HomePage http://nocat.net/
59 # DocumentRoot -- Where all of the application templates (including
60 # SplashForm) are hiding. Can be different from Apache's DocumentRoot.
61 # Defaults to @htdocsdir@ via compile-time option.
63 # DocumentRoot @htdocsdir@
65 # SplashForm -- Form displayed to users on capture.
67 SplashForm splash.html
69 # StatusForm -- Page displaying status of logged in users.
70 # NOT YET IMPLEMENTED.
72 StatusForm status.html
74 # SplashURL -- URL to fetch remote splash page from. You must compile
75 # with --with-remote-splash for this to work. SplashTimeout specifies
76 # the reload period of the remote splash page.
78 # SplashURL http://example.com/get_splash_page.cgi?node=$NodeID
82 ###### Active/Passive Portal settings.
83 # None of these settings affect open mode operation.
85 # TrustedGroups - A list of groups registered with the auth server
86 # that a user may claim membership in order to gain Member-class
87 # access through this portal. The default magic value "Any" indicates
88 # that a member of *any* group is granted member-class access from
89 # this gateway. NOT YET IMPLEMENTED.
91 # TrustedGroups NoCat NYCWireless PersonalTelco
96 # Owners - Optional. List all local "owner" class users here, separated
97 # by spaces. Owners typically get full bandwidth, and unrestricted
98 # access to all network resources. NOT YET IMPLEMENTED.
100 # Owners rob@nocat.net schuyler@nocat.net
103 # AuthServiceAddr - Required, for captive mode. Must be set to the address of
104 # your authentication service. You must use an IP address
105 # if DNS resolution isn't available at gateway startup.
107 # AuthServiceAddr 208.201.239.21
109 AuthServiceAddr auth.nocat.net
112 # AuthServiceURL - HTTPS URL to the login script at the authservice.
114 AuthServiceURL https://auth.nocat.net/cgi-bin/login
117 # LogoutURL - HTTP URL to redirect user after logout.
119 LogoutURL https://auth.nocat.net/logout.html
122 # PGPKeyPath -- The directory in which PGP keys are stored.
123 # NoCat tries to find this in the pgp/ directory above
124 # the bin/ parent directory. Set this only if you put it
125 # somewhere that NoCat doesn't expect.
127 # PGPKeyPath @pgpdir@
132 # FirewallPath - Where to find the firewall scripts.
133 # Defaults to @pkglibexecdir@ via compile-time option.
135 # FirewallPath @pkglibexecdir@
138 # ExternalDevice - Required if and only if NoCatAuth can't figure it out
139 # from looking at your routing tables and picking the interface
140 # that carries the default route. Must be set to the interface
141 # connected to the Internet. Usually 'eth0' or 'eth1'
142 # under Linux, or maybe even 'ppp0' if you're running
145 # ExternalDevice eth0
148 # InternalDevice - Required if and only if your machine has more than two
149 # network interfaces. Must be set to the interface connected to your local
150 # network, normally your wireless card.
152 # InternalDevice eth1
155 # LocalNetwork - Required if and only if NoCatSplash can't figure it out
156 # by polling the InternalDevice. Must be set to the network
157 # address and net mask of your internal network. You
158 # can use the number of bits in the netmask (e.g. /16, /24, etc.)
159 # or the full x.x.x.x specification.
161 # LocalNetwork 10.0.1.0/24
164 # DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
165 # specify the address(es) of one or more domain name server on the Internet
166 # that wireless clients can use to get out. Should be the same DNS that your
167 # DHCP server hands out.
169 # DNSAddr 111.222.333.444
172 # AllowedWebHosts - Optional. List any domains that you would like to
173 # allow web access (TCP port 80 and 443) BEFORE logging in (this is the
174 # pre-'skip' stage, so be careful about what you allow.)
176 # AllowedWebHosts nocat.net
179 # RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
180 # Uncomment this only if you're running a strictly routed network, and
181 # don't need the gateway to enable NAT for you.
186 # MembersOnly - Optional. Uncomment this if you want to disable public
187 # access (i.e. unauthenticated 'skip' button access). You'll also want to
188 # point AuthServiceURL somewhere that doesn't include a skip button (like
189 # at your own Auth server.)
194 # IncludePorts - Optional. Specify TCP ports to allow access to when
195 # public class users login. All others will be denied.
197 # For a list of common services and their respective port numbers, see
198 # your /etc/services file. Depending on your firewall, you might even
199 # be able to specify said services here, instead of using port numbers.
201 # IncludePorts 22 80 443
204 # ExcludePorts - Optional. Specify TCP ports to denied access to when
205 # public class users login. All others will be allowed.
207 # Note that you should use either IncludePorts or ExcludePorts, but not
208 # both. If neither is specified, access is granted to all ports to
209 # public class users.
211 # You should *always* exclude port 25, unless you want to run an portal
212 # for wanton spam sending. Users should have their own way of sending
213 # mail. It sucks, but that's the way it is. Comment this out *only if*
214 # you're using IncludePorts instead.
216 # ExcludePorts 23 25 111
220 ####### Syslog Options
222 # Log Facility - syslog or internal. "internal" sends log messages
223 # using STDERR. "syslog" sends all messages to the system log.
228 # SyslogIdent - The ident of the program that is calling syslog. This will
229 # be prepended to every log entry made by NoCat. Defaults to NoCat.
233 ###### Other Common Gateway Options. (stuff you probably won't have to change)
235 # ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
236 # open and close the firewall. You probably don't need to
239 # ResetCmd initialize.fw
240 # PermitCmd access.fw permit $MAC $IP $Class
241 # DenyCmd access.fw deny $MAC $IP $Class
244 # GatewayPort - The TCP port to bind the gateway
245 # service to. 5280 is de-facto standard for NoCatAuth.
246 # Change this only if you absolutely need to.
252 # IdleTimeout -- How often to check the ARP cache, in seconds,
253 # for expiration of idle clients. NOT YET IMPLEMENTED.
255 # MaxMissedARP -- How many times a client can be missing from
256 # the ARP cache before we assume they've gone away, and log them
257 # out. Set to 0 to disable logout based on ARP cache expiration.