			No commits in common. "master" and "bplein/master" have entirely different histories.
		
	
	
		
		
	
		
					 16 changed files with 5 additions and 820 deletions
				
			
		|  | @ -1,14 +0,0 @@ | |||
| #!/bin/csh | ||||
| #Script to grab all relevant configuration files and installed packages, and back it up to github | ||||
| /usr/sbin/pkg prime-origins > /root/fw/pkg_prime-origins | ||||
| 
 | ||||
| foreach i ( "/boot/loader.conf" "/etc/pf.conf" "/etc/rc.conf" "/etc/start_if.eth0" "/usr/local/etc/dhcpd.conf" "/usr/local/etc/namedb/named.conf" "/usr/local/etc/namedb/dynamic/example.com.db" "/var/cron/tabs/root" "/usr/local/etc/dhcp6c.conf" "/etc/rtadvd.conf" "/usr/local/etc/dhcpd6.conf" "/etc/dhclient.conf" ) | ||||
| 	echo "Backing up "$i | ||||
| 	/bin/cp $i /root/fw$i | ||||
| end | ||||
| 
 | ||||
| echo "git push" | ||||
| cd /root/fw/ | ||||
| /usr/local/bin/git add . | ||||
| /usr/local/bin/git commit -S -m "nightly backup" | ||||
| /usr/local/bin/git push -u origin main | ||||
|  | @ -1,6 +0,0 @@ | |||
| netgraph_load="YES" | ||||
| ng_ether_load="YES" | ||||
| ng_etf_load="YES" | ||||
| ng_vlan_load="YES" | ||||
| ng_eiface_load="YES" | ||||
| ng_one2many_load="YES" | ||||
|  | @ -1,10 +0,0 @@ | |||
| # $FreeBSD$ | ||||
| # | ||||
| #	This file is required by the ISC DHCP client. | ||||
| #	See ``man 5 dhclient.conf'' for details. | ||||
| # | ||||
| #	In most cases an empty file is sufficient for most people as the | ||||
| #	defaults are usually fine. | ||||
| # | ||||
| # | ||||
| supersede domain-name-servers 127.0.0.1; | ||||
|  | @ -1,60 +0,0 @@ | |||
| wan = "ngeth0" | ||||
| lan = "xxx" | ||||
| 
 | ||||
| #options | ||||
| set skip on lo0 | ||||
| set block-policy drop | ||||
| set fingerprints "/etc/pf.os" | ||||
| set ruleset-optimization basic | ||||
| set optimization normal | ||||
| set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 } | ||||
| 
 | ||||
| 
 | ||||
| #scrub | ||||
| scrub on $wan all random-id fragment reassemble | ||||
| scrub on $lan all random-id fragment reassemble | ||||
| 
 | ||||
| 
 | ||||
| #NAT | ||||
| nat on $wan inet from ($lan:network) to any -> ($wan) | ||||
| 
 | ||||
| 
 | ||||
| #Filter | ||||
| 
 | ||||
| #default deny | ||||
| block drop in inet all label "Default deny rule IPv4" | ||||
| block drop out inet all label "Default deny rule IPv4" | ||||
| block drop in inet6 all label "Default deny rule IPv6" | ||||
| block drop out inet6 all label "Default deny rule IPv6" | ||||
| 
 | ||||
| #allow dhcp/dhcpv6 client | ||||
| pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" | ||||
| pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" | ||||
| pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" | ||||
| pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" | ||||
| pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" | ||||
| 
 | ||||
| #allow dhcp/dhcpv6 server | ||||
| pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server" | ||||
| pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server" | ||||
| pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" | ||||
| pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" | ||||
| pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" | ||||
| pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" | ||||
| pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server" | ||||
| pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server" | ||||
| 
 | ||||
| #icmpv6 | ||||
| pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state | ||||
| pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state | ||||
| pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state | ||||
| pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state | ||||
| pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state | ||||
| 
 | ||||
| #allow self | ||||
| pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" | ||||
| pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" | ||||
| 
 | ||||
| #allow LAN | ||||
| pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule" | ||||
| pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule" | ||||
|  | @ -1,44 +0,0 @@ | |||
| hostname="fw" | ||||
| ifconfig_eth0="" | ||||
| ifconfig_ngeth0="DHCP" | ||||
| ifconfig_ngeth0_ipv6="inet6 accept_rtadv up" | ||||
| ipv6_cpe_wanif="ngeth0" | ||||
| ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0" | ||||
| ifconfig_eth2_ipv6="inet6 -accept-rtadv up" | ||||
| gateway_enable="YES" | ||||
| ipv6_gateway_enable="YES" | ||||
| ipv6_activate_all_interfaces="YES" | ||||
| rtadvd_enable="YES" | ||||
| rtadvd_interfaces="eth2" | ||||
| dhcp6c_enable="YES" | ||||
| dhcp6c_interfaces="ngeth0" | ||||
| dhcpd_enable="YES" | ||||
| dhcpd_flags="-q" | ||||
| dhcpd_conf="/usr/local/etc/dhcpd.conf" | ||||
| dhcpd_ifaces="eth2" | ||||
| dhcpd_withumask="022" | ||||
| dhcpd_chuser_enable="YES" | ||||
| dhcpd_withuser="dhcpd" | ||||
| dhcpd_withgroup="dhcpd" | ||||
| dhcpd_chroot_enable="YES" | ||||
| dhcpd_devfs_enable="YES" | ||||
| dhcpd_rootdir="/var/db/dhcpd" | ||||
| dhcpd6_enable="YES" | ||||
| dhcpd6_flags="-q" | ||||
| dhcpd6_conf="/usr/local/etc/dhcpd6.conf" | ||||
| dhcpd6_ifaces="eth2" | ||||
| dhcpd6_withumask="022" | ||||
| dhcpd6_chuser_enable="YES" | ||||
| dhcpd6_withuser="dhcpd" | ||||
| dhcpd6_withgroup="dhcpd" | ||||
| dhcpd6_chroot_enable="YES" | ||||
| dhcpd6_devfs_enable="YES" | ||||
| dhcpd6_rootdir="/var/db/dhcpd" | ||||
| pf_enable="YES" | ||||
| pf_rules="/etc/pf.conf" | ||||
| pflog_enable="YES" | ||||
| pflog_logfile="/var/log/pflog" | ||||
| powerd_enable="YES" | ||||
| powerd_flags="-b hadp -n hadp -a hadp" | ||||
| ntpd_enable="YES" | ||||
| sshd_enable="YES" | ||||
|  | @ -1,2 +0,0 @@ | |||
| default:\ | ||||
| 	:raflags="m"::prefixlen#64:\ | ||||
|  | @ -1,87 +0,0 @@ | |||
| #!/bin/sh | ||||
| set -e | ||||
| 
 | ||||
| ONT_IF='eth0' | ||||
| RG_IF='eth1' | ||||
| RG_ETHER_ADDR='00:11:22:33:44' | ||||
| LOG=/var/log/freeatt.log | ||||
| 
 | ||||
| getTimestamp(){ | ||||
|     echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"` | ||||
| } | ||||
| 
 | ||||
| { | ||||
|     echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode" | ||||
|     echo "$(getTimestamp) Configuration: " | ||||
|     echo "$(getTimestamp)        ONT_IF: $ONT_IF" | ||||
|     echo "$(getTimestamp)         RG_IF: $RG_IF" | ||||
|     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" | ||||
| 
 | ||||
|     echo "$(getTimestamp) building netgraph nodes..." | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   creating ng_one2many... " | ||||
|     /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one | ||||
|     /usr/sbin/ngctl name $ONT_IF:lower o2m | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   creating vlan node and interface... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream | ||||
|     /usr/sbin/ngctl name o2m:many0 vlan0 | ||||
|     /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether | ||||
| 
 | ||||
|     /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' | ||||
|     /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: etf many1 downstream | ||||
|     /usr/sbin/ngctl name o2m:many1 waneapfilter | ||||
|     /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... " | ||||
|     /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream | ||||
|     /usr/sbin/ngctl name $RG_IF:lower laneapfilter | ||||
|     /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... " | ||||
|     /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining filters for EAP traffic... " | ||||
|     /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   enabling one2many links... " | ||||
|     /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... " | ||||
|     /usr/sbin/ngctl rmhook waneapfilter: nomatch | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling $RG_IF interface... " | ||||
|     /sbin/ifconfig $RG_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling $ONT_IF interface... " | ||||
|     /sbin/ifconfig $ONT_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... " | ||||
|     /sbin/ifconfig $RG_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " | ||||
|     /sbin/ifconfig $ONT_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) set mac address on ngeth0..." | ||||
|     /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN" | ||||
|     echo "$(getTimestamp) done!" | ||||
| } >> $LOG | ||||
|  | @ -1,6 +0,0 @@ | |||
| dns/bind916 | ||||
| net/dhcp6 | ||||
| devel/git | ||||
| security/gnupg | ||||
| net/isc-dhcp44-server | ||||
| ports-mgmt/pkg | ||||
|  | @ -1,12 +0,0 @@ | |||
| interface ngeth0 { | ||||
|         send ia-pd 0;   # request prefix delegation | ||||
|         request domain-name-servers; | ||||
|         request domain-name; | ||||
| }; | ||||
| id-assoc pd 0 { | ||||
|         prefix ::/60 infinity; | ||||
|         prefix-interface igb1 { | ||||
|                 sla-id 1; | ||||
|                 sla-len 4; | ||||
|         }; | ||||
| }; | ||||
|  | @ -1,44 +0,0 @@ | |||
| option domain-name "example.com"; | ||||
| option ldap-server code 95 = text; | ||||
| option domain-search-list code 119 = text; | ||||
| option arch code 93 = unsigned integer 16; # RFC4578 | ||||
| 
 | ||||
| default-lease-time 7200; | ||||
| max-lease-time 86400; | ||||
| log-facility local7; | ||||
| one-lease-per-client true; | ||||
| deny duplicates; | ||||
| update-conflict-detection false; | ||||
| authoritative; | ||||
| subnet 192.168.1.0 netmask 255.255.255.0 { | ||||
|         pool { | ||||
|                 range 192.168.1.100 192.168.1.199; | ||||
|         } | ||||
| 
 | ||||
|         option routers 192.168.1.1; | ||||
|         option domain-name-servers 192.168.1.1; | ||||
|         ping-check true; | ||||
| 
 | ||||
| } | ||||
| host s_lan_0 { | ||||
|         hardware ethernet 00:11:22:33:44:55; | ||||
|         fixed-address 192.168.1.50 | ||||
|         option host-name "example-host1"; | ||||
| } | ||||
| host s_lan_1 { | ||||
|         hardware ethernet 66:77:88:99:aa:bb; | ||||
|         fixed-address 192.168.1.51; | ||||
|         option host-name "example-host2"; | ||||
| } | ||||
| 
 | ||||
| ddns-update-style interim; | ||||
| ddns-dual-stack-mixed-mode true; | ||||
| update-conflict-detection true; | ||||
| update-optimization false; | ||||
| deny client-updates; | ||||
| ddns-domainname "example.com."; | ||||
| ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address))); | ||||
| 
 | ||||
| zone example.com. { | ||||
| 	primary 127.0.0.1; | ||||
| } | ||||
|  | @ -1,31 +0,0 @@ | |||
| option domain-name "example.com"; | ||||
| option ldap-server code 95 = text; | ||||
| option domain-search-list code 119 = text; | ||||
| 
 | ||||
| default-lease-time 7200; | ||||
| max-lease-time 86400; | ||||
| log-facility local7; | ||||
| one-lease-per-client true; | ||||
| deny duplicates; | ||||
| ping-check true; | ||||
| authoritative; | ||||
| subnet6 2600:1234:5678:90ab::/64 { | ||||
|         range6 2600:1234:5678:90ab::1000 2600:1234:5678:90ab::2000; | ||||
|         do-forward-updates false; | ||||
|         option dhcp6.name-servers 2600:1234:5678:90ab::1; | ||||
| 
 | ||||
| } | ||||
| 
 | ||||
| ddns-update-style interim; | ||||
| ddns-dual-stack-mixed-mode true; | ||||
| update-conflict-detection true; | ||||
| update-optimization false; | ||||
| deny client-updates; | ||||
| ddns-domainname "example.com."; | ||||
| ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16)))); | ||||
| 
 | ||||
| zone example.com. { | ||||
|         primary 127.0.0.1; | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
|  | @ -1,385 +0,0 @@ | |||
| // Refer to the named.conf(5) and named(8) man pages, and the documentation | ||||
| // in /usr/local/share/doc/bind for more details. | ||||
| // | ||||
| // If you are going to set up an authoritative server, make sure you | ||||
| // understand the hairy details of how DNS works.  Even with | ||||
| // simple mistakes, you can break connectivity for affected parties, | ||||
| // or cause huge amounts of useless Internet traffic. | ||||
| 
 | ||||
| options { | ||||
| 	allow-query	{ any; }; | ||||
| 	recursion yes; | ||||
| 	query-source-v6 address 2600:1234:5678:90ab::1; | ||||
| 	// All file and path names are relative to the chroot directory, | ||||
| 	// if any, and should be fully qualified. | ||||
| 	directory	"/usr/local/etc/namedb/working"; | ||||
| 	pid-file	"/var/run/named/pid"; | ||||
| 	dump-file	"/var/dump/named_dump.db"; | ||||
| 	statistics-file	"/var/stats/named.stats"; | ||||
| 
 | ||||
| // If named is being used only as a local resolver, this is a safe default. | ||||
| // For named to be accessible to the network, comment this option, specify | ||||
| // the proper IP address, or delete this option. | ||||
| 	#listen-on	{ 127.0.0.1; }; | ||||
| 
 | ||||
| // If you have IPv6 enabled on this system, uncomment this option for | ||||
| // use as a local resolver.  To give access to the network, specify | ||||
| // an IPv6 address, or the keyword "any". | ||||
| //	listen-on-v6	{ ::1; }; | ||||
| 
 | ||||
| 	listen-on-v6	{ any; }; | ||||
| 
 | ||||
| // These zones are already covered by the empty zones listed below. | ||||
| // If you remove the related empty zones below, comment these lines out. | ||||
| 	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA"; | ||||
| 	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; | ||||
| 	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; | ||||
| 
 | ||||
| // If you've got a DNS server around at your upstream provider, enter | ||||
| // its IP address here, and enable the line below.  This will make you | ||||
| // benefit from its cache, thus reduce overall DNS traffic in the Internet. | ||||
| /* | ||||
| 	forwarders { | ||||
| 		127.0.0.1; | ||||
| 	}; | ||||
| */ | ||||
| 
 | ||||
| // If the 'forwarders' clause is not empty the default is to 'forward first' | ||||
| // which will fall back to sending a query from your local server if the name | ||||
| // servers in 'forwarders' do not have the answer.  Alternatively you can | ||||
| // force your name server to never initiate queries of its own by enabling the | ||||
| // following line: | ||||
| //	forward only; | ||||
| 
 | ||||
| // If you wish to have forwarding configured automatically based on | ||||
| // the entries in /etc/resolv.conf, uncomment the following line and | ||||
| // set named_auto_forward=yes in /etc/rc.conf.  You can also enable | ||||
| // named_auto_forward_only (the effect of which is described above). | ||||
| //	include "/usr/local/etc/namedb/auto_forward.conf"; | ||||
| 
 | ||||
| 	/* | ||||
| 	   Modern versions of BIND use a random UDP port for each outgoing | ||||
| 	   query by default in order to dramatically reduce the possibility | ||||
| 	   of cache poisoning.  All users are strongly encouraged to utilize | ||||
| 	   this feature, and to configure their firewalls to accommodate it. | ||||
| 
 | ||||
| 	   AS A LAST RESORT in order to get around a restrictive firewall | ||||
| 	   policy you can try enabling the option below.  Use of this option | ||||
| 	   will significantly reduce your ability to withstand cache poisoning | ||||
| 	   attacks, and should be avoided if at all possible. | ||||
| 
 | ||||
| 	   Replace NNNNN in the example with a number between 49160 and 65530. | ||||
| 	*/ | ||||
| 	// query-source address * port NNNNN; | ||||
| }; | ||||
| 
 | ||||
| zone "thundat00th.net." { type master; allow-update { 127.0.0.1; }; file "/usr/local/etc/namedb/dynamic/example.com.db"; }; | ||||
| 
 | ||||
| // If you enable a local name server, don't forget to enter 127.0.0.1 | ||||
| // first in your /etc/resolv.conf so this server will be queried. | ||||
| // Also, make sure to enable it in /etc/rc.conf. | ||||
| 
 | ||||
| // The traditional root hints mechanism. Use this, OR the slave zones below. | ||||
| zone "." { type hint; file "/usr/local/etc/namedb/named.root"; }; | ||||
| 
 | ||||
| /*	Slaving the following zones from the root name servers has some | ||||
| 	significant advantages: | ||||
| 	1. Faster local resolution for your users | ||||
| 	2. No spurious traffic will be sent from your network to the roots | ||||
| 	3. Greater resilience to any potential root server failure/DDoS | ||||
| 
 | ||||
| 	On the other hand, this method requires more monitoring than the | ||||
| 	hints file to be sure that an unexpected failure mode has not | ||||
| 	incapacitated your server.  Name servers that are serving a lot | ||||
| 	of clients will benefit more from this approach than individual | ||||
| 	hosts.  Use with caution. | ||||
| 
 | ||||
| 	To use this mechanism, uncomment the entries below, and comment | ||||
| 	the hint zone above. | ||||
| 
 | ||||
| 	As documented at http://dns.icann.org/services/axfr/ these zones: | ||||
| 	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others | ||||
| 	are available for AXFR from these servers on IPv4 and IPv6: | ||||
| 	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org | ||||
| */ | ||||
| /* | ||||
| zone "." { | ||||
| 	type slave; | ||||
| 	file "/usr/local/etc/namedb/slave/root.slave"; | ||||
| 	masters { | ||||
| 		192.0.32.132;           // lax.xfr.dns.icann.org | ||||
| 		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org | ||||
| 		192.0.47.132;           // iad.xfr.dns.icann.org | ||||
| 		2620:0:2830:202::132;   // iad.xfr.dns.icann.org | ||||
| 	}; | ||||
| 	notify no; | ||||
| }; | ||||
| zone "arpa" { | ||||
| 	type slave; | ||||
| 	file "/usr/local/etc/namedb/slave/arpa.slave"; | ||||
| 	masters { | ||||
| 		192.0.32.132;           // lax.xfr.dns.icann.org | ||||
| 		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org | ||||
| 		192.0.47.132;           // iad.xfr.dns.icann.org | ||||
| 		2620:0:2830:202::132;   // iad.xfr.dns.icann.org | ||||
| 	}; | ||||
| 	notify no; | ||||
| }; | ||||
| zone "in-addr.arpa" { | ||||
| 	type slave; | ||||
| 	file "/usr/local/etc/namedb/slave/in-addr.arpa.slave"; | ||||
| 	masters { | ||||
| 		192.0.32.132;           // lax.xfr.dns.icann.org | ||||
| 		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org | ||||
| 		192.0.47.132;           // iad.xfr.dns.icann.org | ||||
| 		2620:0:2830:202::132;   // iad.xfr.dns.icann.org | ||||
| 	}; | ||||
| 	notify no; | ||||
| }; | ||||
| zone "ip6.arpa" { | ||||
| 	type slave; | ||||
| 	file "/usr/local/etc/namedb/slave/ip6.arpa.slave"; | ||||
| 	masters { | ||||
| 		192.0.32.132;           // lax.xfr.dns.icann.org | ||||
| 		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org | ||||
| 		192.0.47.132;           // iad.xfr.dns.icann.org | ||||
| 		2620:0:2830:202::132;   // iad.xfr.dns.icann.org | ||||
| 	}; | ||||
| 	notify no; | ||||
| }; | ||||
| */ | ||||
| 
 | ||||
| /*	Serving the following zones locally will prevent any queries | ||||
| 	for these zones leaving your network and going to the root | ||||
| 	name servers.  This has two significant advantages: | ||||
| 	1. Faster local resolution for your users | ||||
| 	2. No spurious traffic will be sent from your network to the roots | ||||
| */ | ||||
| // RFCs 1912, 5735 and 6303 (and BCP 32 for localhost) | ||||
| zone "localhost"	{ type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; }; | ||||
| zone "127.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; | ||||
| zone "255.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // RFC 1912-style zone for IPv6 localhost address (RFC 6303) | ||||
| zone "0.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; | ||||
| 
 | ||||
| // "This" Network (RFCs 1912, 5735 and 6303) | ||||
| zone "0.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // Private Use Networks (RFCs 1918, 5735 and 6303) | ||||
| zone "10.in-addr.arpa"	   { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // Shared Address Space (RFC 6598) | ||||
| zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // Link-local/APIPA (RFCs 3927, 5735 and 6303) | ||||
| zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IETF protocol assignments (RFCs 5735 and 5736) | ||||
| zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303) | ||||
| zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IPv6 Example Range for Documentation (RFCs 3849 and 6303) | ||||
| zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // Router Benchmark Testing (RFCs 2544 and 5735) | ||||
| zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IANA Reserved - Old Class E Space (RFC 5735) | ||||
| zone "240.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "241.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "242.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "243.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "244.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "245.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "246.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "247.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "248.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "249.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "250.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "251.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "252.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "253.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "254.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IPv6 Unassigned Addresses (RFC 4291) | ||||
| zone "1.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "3.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "4.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "5.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "6.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "7.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "8.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "9.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "a.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "b.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "c.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "d.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "e.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "0.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "1.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "2.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "3.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "4.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "5.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "6.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "7.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "8.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "9.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "a.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "b.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "0.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "1.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "2.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "3.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "4.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "5.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "6.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "7.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IPv6 ULA (RFCs 4193 and 6303) | ||||
| zone "c.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "d.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IPv6 Link Local (RFCs 4291 and 6303) | ||||
| zone "8.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "9.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "a.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "b.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303) | ||||
| zone "c.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "d.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "e.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| zone "f.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // IP6.INT is Deprecated (RFC 4159) | ||||
| zone "ip6.int"		{ type master; file "/usr/local/etc/namedb/master/empty.db"; }; | ||||
| 
 | ||||
| // NB: Do not use the IP addresses below, they are faked, and only | ||||
| // serve demonstration/documentation purposes! | ||||
| // | ||||
| // Example slave zone config entries.  It can be convenient to become | ||||
| // a slave at least for the zone your own domain is in.  Ask | ||||
| // your network administrator for the IP address of the responsible | ||||
| // master name server. | ||||
| // | ||||
| // Do not forget to include the reverse lookup zone! | ||||
| // This is named after the first bytes of the IP address, in reverse | ||||
| // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. | ||||
| // | ||||
| // Before starting to set up a master zone, make sure you fully | ||||
| // understand how DNS and BIND work.  There are sometimes | ||||
| // non-obvious pitfalls.  Setting up a slave zone is usually simpler. | ||||
| // | ||||
| // NB: Don't blindly enable the examples below. :-)  Use actual names | ||||
| // and addresses instead. | ||||
| 
 | ||||
| /* An example dynamic zone | ||||
| key "exampleorgkey" { | ||||
| 	algorithm hmac-md5; | ||||
| 	secret "sf87HJqjkqh8ac87a02lla=="; | ||||
| }; | ||||
| zone "example.org" { | ||||
| 	type master; | ||||
| 	allow-update { | ||||
| 		key "exampleorgkey"; | ||||
| 	}; | ||||
| 	file "/usr/local/etc/namedb/dynamic/example.org"; | ||||
| }; | ||||
| */ | ||||
| 
 | ||||
| /* Example of a slave reverse zone | ||||
| zone "1.168.192.in-addr.arpa" { | ||||
| 	type slave; | ||||
| 	file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa"; | ||||
| 	masters { | ||||
| 		192.168.1.1; | ||||
| 	}; | ||||
| }; | ||||
| */ | ||||
|  | @ -1,8 +0,0 @@ | |||
| # DO NOT EDIT THIS FILE - edit the master and reinstall. | ||||
| # (/tmp/crontab.q40BAzenoV installed on Sun Apr 18 22:56:27 2021) | ||||
| # (Cron version -- $FreeBSD$) | ||||
| # monthly zpool scrub | ||||
| 0 2 1 * * /sbin/zpool scrub zrootmirror | ||||
| 
 | ||||
| # nightly config backup | ||||
| 0 3 * * * /root/fw/backup.sh | ||||
										20
								README.md
							|  | @ -301,7 +301,7 @@ There is a whole thread on this at [DSLreports](http://www.dslreports.com/forum/ | |||
| 
 | ||||
| However, I don't think this works for everyone. I had to explicitly tag my WAN traffic to VLAN0 which wasn't supported on my switch. | ||||
| 
 | ||||
| ## OPNSense | ||||
| ## OPNSense / FreeBSD | ||||
| For OPNSense 20.1: | ||||
| follow the pfSense instructions, EXCEPT: | ||||
| 1) use file opnatt.sh | ||||
|  | @ -310,23 +310,7 @@ follow the pfSense instructions, EXCEPT: | |||
| 4) do *NOT* modify config.xml, nor do any of the duid stuff | ||||
| 5) note: You *CAN* use IPv6 Prefix id 0, as OPNSense does *NOT* assign a routeable IPv6 address to ngeth0 | ||||
| 
 | ||||
| ## FreeBSD (tested on 13.0-RELEASE) | ||||
| For FreeBSD: | ||||
| 1) use file freeatt.sh | ||||
| 2) ng_etf.ko is not needed, standard FreeBSD includes all of the required modules | ||||
| 3) modules can be loaded from /boot/loader.conf, an example loader.conf with the modules listed is included (loading modules in the script should work, but lets do things "properly") | ||||
| 4) put the freeatt.sh script into '/etc' and rename to `start_if.$ONT_IF` in my case the file is `/etc/start_if.igb0` this will depend on your hardware | ||||
| 5) in rc.conf, add the line `ifconfig_$ONT_IF=""` this will trigger rc to run our start_if.$ONT_IF script to create the ngeth0 interface, and then do nothing else to the interface, in my case this line is `ifconfig_igb0=""` (using $RG_IF instead probably gives the same result) | ||||
| 6) configure the rest of rc.conf, an example is provided with the essentials, gateway_enable, DHCP settings etc. | ||||
| 7) configure pf, dhcpd, etc. to taste, generic examples provided | ||||
| 
 | ||||
| Once you have IPv4 connectivity you're done, unless you want IPv6 as well.  The default dhclient still does not support IPv6, so: | ||||
| 1) Install KAME dhcp6c 'pkg install dhcp6' | ||||
| 2) Configure rc.conf with 'ipv6_cpe_wanif="ngeth0"' in addition to the other ipv6, dhcp6c, and rtadvd configuration in rc.conf, filling in with your lan interface(s) | ||||
| 3) use the example configuration in `/usr/local/etc/dhcp6c.conf` to configure dhcp6c | ||||
| 4) Set some inet6 rules in pf.conf and test | ||||
| 
 | ||||
| Example configuration files are provided for bind, dhcpd, dhcpd6, rtadvd, etc. based off of a currently working dual stack router running FreeBSD 13, other versions of FreeBSD may work | ||||
| I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience. | ||||
| 
 | ||||
| # U-verse TV | ||||
| 
 | ||||
|  |  | |||
|  | @ -1,87 +0,0 @@ | |||
| #!/bin/sh | ||||
| set -e | ||||
| 
 | ||||
| ONT_IF='xx0' | ||||
| RG_IF='xx1' | ||||
| RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' | ||||
| LOG=/var/log/freeatt.log | ||||
| 
 | ||||
| getTimestamp(){ | ||||
|     echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"` | ||||
| } | ||||
| 
 | ||||
| { | ||||
|     echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode" | ||||
|     echo "$(getTimestamp) Configuration: " | ||||
|     echo "$(getTimestamp)        ONT_IF: $ONT_IF" | ||||
|     echo "$(getTimestamp)         RG_IF: $RG_IF" | ||||
|     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" | ||||
| 
 | ||||
|     echo "$(getTimestamp) building netgraph nodes..." | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   creating ng_one2many... " | ||||
|     /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one | ||||
|     /usr/sbin/ngctl name $ONT_IF:lower o2m | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   creating vlan node and interface... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream | ||||
|     /usr/sbin/ngctl name o2m:many0 vlan0 | ||||
|     /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether | ||||
| 
 | ||||
|     /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' | ||||
|     /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: etf many1 downstream | ||||
|     /usr/sbin/ngctl name o2m:many1 waneapfilter | ||||
|     /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... " | ||||
|     /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream | ||||
|     /usr/sbin/ngctl name $RG_IF:lower laneapfilter | ||||
|     /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... " | ||||
|     /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   defining filters for EAP traffic... " | ||||
|     /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   enabling one2many links... " | ||||
|     /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... " | ||||
|     /usr/sbin/ngctl rmhook waneapfilter: nomatch | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling $RG_IF interface... " | ||||
|     /sbin/ifconfig $RG_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling $ONT_IF interface... " | ||||
|     /sbin/ifconfig $ONT_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... " | ||||
|     /sbin/ifconfig $RG_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " | ||||
|     /sbin/ifconfig $ONT_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) set mac address on ngeth0..." | ||||
|     /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN" | ||||
|     echo "$(getTimestamp) done!" | ||||
| } >> $LOG | ||||
|  | @ -18,10 +18,8 @@ getTimestamp(){ | |||
|     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) attaching interfaces to ng_ether... " | ||||
|     # Only needed for older versions of pfatt. Newer versions handle this automatically. | ||||
|     # Eventually this can be remove. | ||||
|     /usr/local/bin/php -r "function_exists('pfSense_ngctl_attach') && pfSense_ngctl_attach('.', '$ONT_IF');" | ||||
|     /usr/local/bin/php -r "function_exists('pfSense_ngctl_attach') && pfSense_ngctl_attach('.', '$RG_IF');" | ||||
|     /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" | ||||
|     /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo "$(getTimestamp) building netgraph nodes..." | ||||
|  | @ -82,8 +80,7 @@ getTimestamp(){ | |||
|     echo "OK!" | ||||
| 
 | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " | ||||
|     # Updated as per https://github.com/MonkWho/pfatt/issues/65 | ||||
|     /sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso | ||||
|     /sbin/ifconfig $ONT_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN" | ||||
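Review bot: The two `php -r` lines at the top of the first hunk now call `pfSense_ngctl_attach` unconditionally; on a pfSense build where that function is not defined, `php -r` exits non-zero and, if pfatt.sh enables `set -e` as its sibling scripts do (the script header is outside the hunk), the run aborts before a single netgraph node is built, which is a harder failure than the attach step itself warrants. The interface names are also spliced into PHP source as `'$ONT_IF'`, so a value containing a single quote or backslash edits the PHP program rather than the argument; passing the value through the environment, e.g. `ONT_IF="$ONT_IF" /usr/local/bin/php -r "pfSense_ngctl_attach('.', getenv('ONT_IF'));"`, keeps it data. In the second hunk, `/sbin/ifconfig $ONT_IF promisc` drops the `-vlanhwtag -vlanhwfilter -vlanhwtso` flags that the removed comment tied to an upstream issue; that is presumably deliberate for this branch, but it is worth confirming on the target NIC that hardware VLAN tag stripping does not keep the VLAN 0 filter from seeing tagged frames. The enclosing brace group begins and ends outside both hunks.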
|  |  | |||