openwrt nodogsplash.conf file

Source: Internet | Published: 群星公主号 知乎 | Editor: 程序博客网 | Date: 2024/06/08 07:18
## Nodogsplash Configuration File
##
## Notes:
## A line that starts with "#" is not executed. (To enable a parameter, delete the "#" and the space in front of the directive.)
## Entry layout: parameter | suggested value | description | directive.
## Leave a blank line between parameters; inside one entry, "#" lines may be used as separators.
## For the rules to take effect, start the service with "/etc/init.d/nodogsplash start".

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
# Managed (captive) interface
# Note: on OpenWrt the wireless interface is usually a member of the br-lan bridge;
# if wlan0 is bridged, set this to br-lan, because the packet filter matches on the
# ingress interface and bridged traffic arrives on the bridge, not on wlan0.
GatewayInterface wlan0

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
# Firewall rule set
FirewallRuleSet authenticated-users {

  # You may want to open access to a machine on a local
  # subnet that is otherwise blocked (for example, to
  # serve a redirect page; see RedirectURL). If so,
  # allow that explicitly here, e.g:
  # FirewallRule allow tcp port 80 to 192.168.254.254

  # Your router may have several interfaces, and you
  # probably want to keep them private from the GatewayInterface.
  # If so, you should block the entire subnets on those interfaces, e.g.:
  #FirewallRule block to 192.168.0.0/16
  #FirewallRule block to 10.0.0.0/8

  # Typical ports you will probably want to open up include
  # 53 udp and tcp for DNS,
  # 80 for http,
  # 443 for https,
  # 22 for ssh:
  #FirewallRule allow tcp port 53
  #FirewallRule allow udp port 53
  #FirewallRule allow tcp port 80
  #FirewallRule allow tcp port 443
  #FirewallRule allow tcp port 22
  # Caveat: with the block rules above left commented out, "allow all" also admits
  # authenticated clients to every other subnet attached to the router.
  FirewallRule allow all
}
# end FirewallRuleSet authenticated-users

# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList, and
# are *not* authenticated with Nodogsplash. The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {

  # For preauthenticated users to resolve IP addresses in their initial
  # request not using the router itself as a DNS server,
  # you probably want to allow port 53 udp and tcp for DNS.
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 53

  # For splash page content not hosted on the router, you
  # will want to allow port 80 tcp to the remote host here.
  # Doing so circumvents the usual capture and redirect of
  # any port 80 request to this remote host.
  # Note that the remote host's numerical IP address must be known
  # and used here (the address below is only a placeholder).
  # FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users

# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {

  # Nodogsplash automatically allows tcp to GatewayPort,
  # at GatewayAddress, to serve the splash page.
  # However you may want to open up other ports, e.g.
  # 53 for DNS and 67 for DHCP if the router itself is
  # providing these services.
  FirewallRule allow udp port 53
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 67

  # You may want to allow ssh, http, and https to the router
  # for administration from the GatewayInterface. If not,
  # comment these out.
  # Caveat: the comment lists ssh, http and https; the extra tcp port 23 rule
  # opens a cleartext telnet login to the router from the portal side.
  # Remove it and administer over ssh (22) or https (443) instead.
  FirewallRule allow tcp port 22
  FirewallRule allow tcp port 23
  FirewallRule allow tcp port 80
  FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow -- packets are accepted
# block -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow

# Parameter: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
# Gateway name
# GatewayName NoDogSplash

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface. This is the address that the Nodogsplash
# server listens on.
# Address the Nodogsplash server listens on
# GatewayAddress 192.168.1.1

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExternalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
# External (WAN) interface
# ExternalInterface vlan1

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
# to their initially requested page.
# If RedirectURL is set, the user is redirected to this URL instead.
# URL to redirect to after the user accepts (off by default)
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
# Port the gateway http server listens on
# GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
# connect at any time. (Does not include users on the TrustedMACList,
# who do not authenticate.)
# Maximum number of clients (does not include TrustedMACList entries, which are unrestricted)
# MaxClients 20

# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
# Idle timeout (minutes): inactivity after which a client is deauthenticated
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
# Interval (minutes) after which the splash page is forced on the client again
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
# Whether to skip the splash page and authenticate clients on their first request
# AuthenticateImmediately no

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
# MAC filtering mode (blacklist mode blocks the listed MACs; whitelist mode allows only the listed MACs)
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface. Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC blacklist (comma-separated)
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC whitelist (comma-separated)
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
# Trusted MACs (exempt from all restrictions)
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D

# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.
# Whether to require a password
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.
# Password used when password protection is on.
# It is stored here in cleartext, so keep this file readable by root only.
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.
# Whether to require a username
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.
#
# Username used when username authentication is on
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
# Number of failed username/password attempts allowed before the user must reauthenticate
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
# Whether to enable traffic control (master switch)
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
# Maximum download rate in kbit/s (0 = unlimited)
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
# Maximum upload rate in kbit/s (0 = unlimited)
# UploadLimit 64

# Parameter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash. Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
# IP range on the GatewayInterface that Nodogsplash manages (not a traffic-control setting)
# GatewayIPRange 0.0.0.0/0