Ver.0.8.1

[opengatem/opengatem.git] / conf / opengatemd.conf.sample

<?xml version="1.0"?>
<Opengatemd ConfigVersion="0.6.0">

        <!-- Debug dump level -->
        <!-- Set 0 to write only open/close and error messages to syslog -->
        <!-- Set 1 to write some information adding to 0 -->
        <!-- Set 2 to write many information to syslog -->
        <!-- Set 3 to write many information (including busy loop) to syslog -->
        <Debug>1</Debug>

        <!-- Syslog (local0, local1, .., local7)-->
        <Syslog>
                <Enable>1</Enable>
                <Facility>local1</Facility>
        </Syslog>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- MySql database (for mac address management) parameters -->
        <MySqlDb>
                <Server>localhost</Server>
                <User>root</User>
                <Password></Password>
                <Database>opengatem</Database>
        </MySqlDb>
        
        <!-- UDP server port to receive command from managing machine -->
        <!-- Be care to set firewall properly to pass the udp packet -->
        <UdpServerPort>4989</UdpServerPort>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- # Set hosts where opengateMmng are running # --> 
        <!-- OpengateMmng acts as UDP client and Md(daemon) acts as server -->
        <!-- DB update is transmitted immediately with this UDP --> 
        <!-- (If failed, update is transmitted after cache timeout) --> 
        <!-- Following set trusted UDP clients from which UDP are allowed -->
        <!-- (Local host is trusted) -->
        <!-- Be care to set firewall properly to pass the packet -->
        <!--
                <UdpClient>192.168.1.1</UdpClient>
                <UdpClient>192.168.2.1</UdpClient>
                <UdpClient>192.168.3.1</UdpClient>
        -->
        
        <!-- ### MUST BE MODIFIED ## -->
        <!--libpcap parameters -->
        <Pcap>
                <!-- device to sniff on -->
                <Device>fxp0</Device>

                <!-- snapshot length (=tcpdump defalut) -->
                <SnapLength>68</SnapLength>

                <!-- capture timeout in msec --> 
                <Timeout>200</Timeout>

                <!-- promiscuous mode(1=on) -->
                <Promiscuous>0</Promiscuous>

                <!-- pcap filter -->
                <!-- %s is replaced with mac address of this pcap device -->
                <Filter>(not ether src %s) and (not src net fe80::0/64)</Filter>
        </Pcap>

        <!-- valid initial ttl values in many systems -->
        <!-- (http://noahdavids.org/self_published/TTL_values.html) -->
        <ValidInitialTtl>30 32 60 64 128 200 255</ValidInitialTtl>

        <!-- IPFW rule number range and tag number used by opengate -->
        <IpfwRule>
                <Min>10000</Min>
                <Max>50000</Max>
                <Interval>1</Interval>
        </IpfwRule>

        <!-- IPFW Tag number used in rc.firewall -->
        <IpfwTagNumber>123</IpfwTagNumber>

        <!-- if no packet relating to the address is detected -->
        <!-- in this time length (second), -->
        <!--  close the network and remove session -->
        <UselessTimeout>3600</UselessTimeout>

        <!-- interval (second) to run procedure for above checking -->
        <UselessCheckInterval>3600</UselessCheckInterval>

        <!-- Address Pair Cache Timeout: packet check skip Interval (second) -->
        <CacheTimeout>1200</CacheTimeout>

        <!-- Mac Address Cache Timeout: MAC DB Cache Hold Time (second) -->
        <MacCacheTimeout>1200</MacCacheTimeout>

        <!-- SQLite busy timeout (milli-seconds) -->
        <SqliteBusyTimeout>100</SqliteBusyTimeout>

        <!-- SQLite database file -->
        <!-- for opengatemd work -->
        <SqliteDbMd>/tmp/opengatemd.db</SqliteDbMd>

        <!-- SQLite database file -->
        <!-- for opengate session management -->
        <SqliteDb>/tmp/opengate.db</SqliteDb>

        <!-- programs -->
        <MacCheckDaemon>opengatemd</MacCheckDaemon>

        <!-- Related command path -->
        <IpfwPath>/sbin/ipfw</IpfwPath>

        <!-- ipfw exclusive exec lock timeout (second) -->
        <LockTimeout>10</LockTimeout>

        <!-- Lock file to prevent overlapped ipfw rule number -->
        <!-- exclusive execution to opengate processes -->
        <LockFile>/tmp/opengate.lock</LockFile>

        <!-- Lock file to prevent overlapped daemon proc -->
        <DaemonLockFile>/tmp/opengatemd.lock</DaemonLockFile>

        <!-- Ipfw is opened via perl script(1) or direct from C(0) -->
        <IpfwScript>
                <Enable>0</Enable>
                <Path>/etc/opengate/ipfwctrlmd.pl</Path>
        </IpfwScript>

        <!-- Related command path -->
        <ArpPath>/usr/sbin/arp</ArpPath>
        <NdpPath>/usr/sbin/ndp</NdpPath>

        <!-- flag to write log at detecting nat/router insertion -->
        <!-- if ShowNat=1, write at detecting unknown nat/router -->
        <!-- if ShowRouter=1, write at detecting routers defined below --> 
        <ShowNat>0</ShowNat>
        <ShowRouter>0</ShowRouter>

        <!-- subnets under the gateway  -->
        <!--  use to ignore valid routers in nat detectiion --> 
        <!--  if not set, nat/router under gateway is suspected as nat -->
        <!-- [(ipv4 address)/(netmask length) (router hop count)] -->
        <!--  examples -->
        <!-- <SubnetHopCount>192.168.0.0/22 1</SubnetHopCount> -->
        <!-- <SubnetHopCount>192.168.1.0/24 2</SubnetHopCount> -->
        <!-- <SubnetHopCount>192.168.161.0/22 1</SubnetHopCount> -->
        <!-- <SubnetHopCount>192.168.240.0/22 1</SubnetHopCount> -->
        <!-- <SubnetHopCount>192.168.161.0/24 2</SubnetHopCount> -->

        <!-- Caution: ExrtaSet cannot use in opengatemd -->
        <!-- because one deamon controls all users -->

</Opengatemd> 
<!-- ## End of Configuration ## -->