/alcasar.sh |
---|
1143,7 → 1143,7 |
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq |
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq |
# Optionnellement on active les logs DNS des clients --> traiter les uninstall et update |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.conf.default |
$SED "s?^OPTIONS=.*?OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq |
} # End dnsmasq |
1189,7 → 1189,8 |
chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled} |
# On fait pointer le black-hole sur une page interne |
$SED "s?^IP_RETOUR=.*?IP_RETOUR=\"$PRIVATE_IP\"?g" $DIR_DEST_SBIN/alcasar-bl.sh |
# On adapte la BL de Toulouse à notre structure |
# On récupère la dernière version de la BL Toulouse et on l'adapte à notre structure |
$DIR_DEST_SBIN/alcasar-bl.sh --download |
if [ "$mode" != "update" ]; then |
$DIR_DEST_SBIN/alcasar-bl.sh --adapt |
fi |
1311,7 → 1312,7 |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE |
echo "QOS=off" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP_IP=0.0.0.0" >> $CONF_FILE |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE |
echo "DNS_FILTERING=off" >> $CONF_FILE |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
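Review bot: In the first hunk the second backup line tests for `/etc/sysconfig/dnsmasq.default` but copies to `/etc/sysconfig/dnsmasq.conf.default`, so if that is the new line the guard never sees the file it creates: on every re-run (update mode included) the "pristine" backup is overwritten with the `/etc/sysconfig/dnsmasq` that the OPTIONS sed just below has already rewritten. Test and target should name the same file: `[ -e /etc/sysconfig/dnsmasq.conf.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.conf.default`. The enclosing dnsmasq function starts outside the hunk (only its closing `} # End dnsmasq` is visible). In the second hunk `$DIR_DEST_SBIN/alcasar-bl.sh --download` runs at install with no status check and `--adapt` then runs on whatever is on disk; since this commit also removes conf/blacklists.tar.gz and conf/blacklist-MD5SUM.lst from the tree there is no bundled fallback, so a failed fetch should stop or be reported, e.g. `$DIR_DEST_SBIN/alcasar-bl.sh --download || { echo "blacklist download failed" >&2; exit 1; }` (whether alcasar-bl.sh verifies what it downloads cannot be judged from this page).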
/conf/blacklist-MD5SUM.lst |
---|
File deleted |
/conf/blacklists.tar.gz |
---|
svn:mime-type = application/octet-stream |
/scripts/alcasar-iptables.sh |
---|
146,13 → 146,13 |
# Accès direct aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole |
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # Requête ping # ping request |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Réponse ping # ping reply |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server |
# SSHD rules if activate |
if [ $SSH = on ] |
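Review bot: The ICMP echo-request accept rule (`--icmp-type 8`) is now commented out while the echo-reply rule (`--icmp-type 0`) is kept, so `$PRIVATE_IP` presumably stops answering ping from the LAN side; nothing in the hunk or the CHANGELOG records why, and a one-line comment such as `# echo requests from the LAN are deliberately not accepted` above the disabled line would save the next maintainer from re-enabling it. The disabled line as written also lost the `-d $PRIVATE_IP` match that the other INPUT rules carry, so uncommenting it later would accept echo requests to any destination arriving on `$TUNIF`; restore `-d $PRIVATE_IP` in the commented text so it is correct if revived. The `if [ $SSH = on ]` block at the end continues outside the hunk.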
/scripts/alcasar-watchdog.sh |
---|
16,11 → 16,7 |
EXTIF="eth0" |
INTIF="eth1" |
macallowed_file="/usr/local/etc/alcasar-macallowed" |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
PRIVATE_IP="192.168.182.1" |
tmp_file="/tmp/watchdog.txt" |
DIR_WEB="/var/www/html" |
Index_Page="$DIR_WEB/index.php" |
113,15 → 109,8 |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep response|cut -d" " -f2` |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
mac_allowed=`cat $macallowed_file |grep $noresponse_mac | wc -l` |
if [ $mac_allowed -eq 0 ] |
then |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user." |
/usr/sbin/chilli_query logout $noresponse_mac |
else |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac - macallowed) can't be contact. Alcasar release the IP address" |
/usr/sbin/chilli_query dhcp-release $noresponse_mac |
fi |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user." |
/usr/sbin/chilli_query logout $noresponse_mac |
fi |
done |
rm $tmp_file |
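Review bot: In the first hunk `PRIVATE_IP` becomes the literal `PRIVATE_IP="192.168.182.1"` and the lines that derived it from `$conf_file` are dropped, so on an installation whose LAN address was changed at install time the arping source address (`-s$PRIVATE_IP` in the second hunk) is wrong; if clients then fail to answer, every one of them is reported unresponsive and logged out by `chilli_query logout`, which would be a self-inflicted denial of service. `conf_file` is still assigned but, as far as the hunk shows, no longer read. If the parsing was removed for robustness, a form that keeps the default is `PRIVATE_IP=$(sed -n 's/^PRIVATE_IP=//p' "$conf_file" | cut -d/ -f1)` followed by `PRIVATE_IP=${PRIVATE_IP:-192.168.182.1}` (adjust the sed if the value is quoted in alcasar.conf, which this page does not show). In the second hunk the macallowed branch is removed and the logout now applies to every unresponsive address; the `while`/`for` loop that `done` closes starts outside the hunk.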
/CHANGELOG |
---|
2,7 → 2,6 |
************ CHANGELOG *********** |
---- svn ---- |
- Bug : watchdog release the ip address of macallowed equipment (insteed of logout the user) |
- Bug : reading of alcasar.conf file parameters more securely |
- Bug : don't download RPMs twice |
- Bug : allow connexion to an LDAP server on WAN side |
14,9 → 13,7 |
- Core : Authenticate user on Mysql when LDAP server is down |
- Core : import users via text file with or without password |
- Security : The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side |
- Install : control eth0 config on startup (no dhcp) |
- Install : don't dowload the last BL version |
- Install : control eth0 config on startup |
---- 2.4 ---- |
- Bug : some minor bugs (log rotate, intercept page, squid, ...) |
- Bug : ACC - correction of the Internet connectivity test flag |