options NETGRAPH # netgraph framework, required by every NETGRAPH_* node below
options NETGRAPH_IPFW # ng_ipfw: lets ipfw "netgraph" rules hand packets to netgraph nodes
options LIBALIAS # in-kernel NAT library used by ng_nat
options NETGRAPH_NAT # ng_nat
options NETGRAPH_NETFLOW # ng_netflow: per-flow traffic accounting exported to flow-capture
### MPD ###
options NETGRAPH_SPLIT
options NETGRAPH_KSOCKET
options NETGRAPH_SOCKET
options NETGRAPH_BPF
options NETGRAPH_IFACE
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_TCPMSS
options NETGRAPH_VJC
options NETGRAPH_TEE
options NETGRAPH_CAR
### --- ###
options IPFIREWALL # ipfw
options IPFIREWALL_VERBOSE # log packets matching rules that carry the "log" keyword
options IPFIREWALL_FORWARD # enables the "fwd" action (transparent proxying)
# NOTE(review): default policy is accept, and the ipfw_load.sh script below only
# installs NAT/accounting rules, so this gateway does no packet filtering at all.
options IPFIREWALL_DEFAULT_TO_ACCEPT
In /etc/rc.conf:
gateway_enable="YES" # turn on IP forwarding between interfaces
firewall_enable="YES" # load ipfw at boot
firewall_script="/usr/scripts/ipfw_load.sh" # run this script instead of the stock rc.firewall rule sets
/usr/scripts/ipfw_load.sh
with the following contents:
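#!/bin/sh
# ipfw_load.sh -- the firewall_script from /etc/rc.conf.
# Wires an ng_nat node into ipfw and loads the NAT/accounting rule set.
# The ipfw rc script runs this on every start *and* restart, so the
# netgraph part must tolerate being executed more than once.
fwcmd="/sbin/ipfw"
ngctl="/usr/sbin/ngctl"
ext_if="re0" # external (uplink) interface
ext_ip="1.2.3.4" # public address used as the NAT alias address

# Build the ng_nat node. ipfw hook 60 is attached to the node's "out" hook
# and hook 61 to its "in" hook; the ipfw rules below decide which traffic
# goes to which hook.
# A node named "nat" may already exist from a previous run; tear it down
# first, otherwise mkpeer/name below fail with "File exists" on re-execution.
# (The error on a first run, when no such node exists, is harmless.)
${ngctl} shutdown nat: 2>/dev/null
${ngctl} mkpeer ipfw: nat 60 out
${ngctl} name ipfw:60 nat
${ngctl} connect ipfw: nat: 61 in
${ngctl} msg nat: setaliasaddr ${ext_ip}

# Start from an empty rule set.
${fwcmd} -f flush
# Table 127 lists the client networks (the VPN pool) that are NATed.
${fwcmd} table 127 flush
${fwcmd} table 127 add 10.39.0.0/16
# Loopback traffic is never touched.
${fwcmd} add 00001 allow ip from any to any via lo0
# Inbound packets addressed to the external IP go to the nat node via hook 61.
${fwcmd} add 00003 netgraph 61 all from any to ${ext_ip} in via ${ext_if}
# Outbound packets from the client networks go to the nat node via hook 60.
# No deny rules follow: with IPFIREWALL_DEFAULT_TO_ACCEPT everything else is
# passed, so this rule set does NAT and accounting only, not filtering.
${fwcmd} add 60021 netgraph 60 ip from "table(127)" to any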
# cd /usr/local/
# cvs -d:pserver:anonymous@abills.cvs.sourceforge.net:/cvsroot/abills login
# cvs -z3 -d:pserver:anonymous@abills.cvs.sourceforge.net:/cvsroot/abills checkout -r rel-0-4 abills
# ln -s /usr/local/abills /usr/abills
The /usr/abills folder is what the configs usually refer to, while on BSD I install ABillS in /usr/local/abills (hence the symlink above).
In the libexec folder we will find the file config.pl.default, which we copy to config.pl — it will become the basis for our configuration.
acct_users, clients.conf, eap.conf, rlm_perl.conf users
. rlm_perl.conf
Don’t forget to rename the rlm_perl.conf file to radiusd.conf, and enter the IP address and password for access to the RADIUS server in the clients.conf file (in the example the values 127.0.0.1 and radsecret are used).
VENDOR mpd 12341
ATTRIBUTE mpd-rule 1 string mpd
ATTRIBUTE mpd-pipe 2 string mpd
ATTRIBUTE mpd-queue 3 string mpd
ATTRIBUTE mpd-table 4 string mpd
ATTRIBUTE mpd-table-static 5 string mpd
ATTRIBUTE mpd-filter 6 string mpd
ATTRIBUTE mpd-limit 7 string mpd
ATTRIBUTE mpd-drop-user 154 integer mpd
radiusd -X
and carefully read the output for errors. If there are no errors, we add the magic line radiusd_enable="YES"
to /etc/rc.conf
and start the radius as a daemon.
startup:
# Admin account for the console and web interface below ("somepass" is a placeholder).
set user xanf somepass admin
# Control console, reachable only from localhost; ABillS talks to mpd here.
set console self 127.0.0.1 5005
set console open
# Web interface bound on ALL addresses (0.0.0.0:5006) with the credentials
# above -- restrict it to a management address or filter it in ipfw.
set web self 0.0.0.0 5006
set web open
# NetFlow export to the local flow-capture collector (port 9996 matches
# flow_capture_port in rc.conf); source port 9990.
set netflow peer 127.0.0.1 9996
set netflow self 127.0.0.1 9990
set netflow timeouts 15 15
# netgraph hook number mpd uses when attaching its ng_netflow node.
set netflow hook 9000
default:
load pptp_server
pptp_server:
# Address pool for clients; the same 10.39.0.0/16 is NATed through ipfw
# table 127 in ipfw_load.sh.
set ippool add pool1 10.39.0.1 10.39.255.255
create bundle template B
# Tear the bundle down after 1800 s without traffic.
set iface idle 1800
# Clamp the TCP MSS on the tunnel interface (needs NETGRAPH_TCPMSS in the kernel).
set iface enable tcpmssfix
# Account both directions of traffic through ng_netflow.
set iface enable netflow-in
set iface enable netflow-out
set ipcp yes vjcomp
# Our end of the tunnel is 172.16.0.1; peers get addresses from pool1.
# NOTE(review): presumably a Framed-IP-Address returned by RADIUS takes
# precedence over the pool -- confirm for this mpd version.
set ipcp ranges 172.16.0.1/32 ippool pool1
set ipcp dns 172.16.0.1
# MPPE: 40- and 128-bit keys allowed (40-bit is weak; 128-bit is the one to keep),
# stateless mode, encryption mandatory on the bundle.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
set bundle yes crypt-reqd
# NOTE(review): PPTP with MS-CHAP/MPPE is considered cryptographically weak;
# this reflects the article's setup, not a current recommendation.
create link template L pptp
set link action bundle B
set link enable multilink
set link yes acfcomp protocomp
# CHAP is required from the peer; PAP is not accepted.
set link no pap chap
set link enable chap
set link yes crypt-reqd
set link mtu 1460
# Address mpd listens on for incoming PPTP connections.
set pptp self 10.37.254.253
set link enable incoming
# RADIUS server, shared secret and auth/acct ports -- must match clients.conf.
set radius server 127.0.0.1 radsecret 1812 1813
set radius timeout 10
# Interim accounting updates every 300 s.
set auth acct-update 300
set auth enable radius-auth
set auth enable radius-acct
set radius retries 3
mpd_enable="YES"
to /etc/rc.conf
# cd /usr/abills/libexec/
# ln -s ../Abills/modules/Ipn/trafdstats trafdstats
# ln -s ../Abills/modules/Ipn/traffic2sql traffic2sql
#chown flowtools /usr/local/abills/var/log/ipn/
If the /usr/local/abills/var/log/ipn directory does not exist, create it.
/etc/rc.conf
flow_capture_enable="YES"
flow_capture_datadir="/usr/local/abills/var/log/ipn/"
flow_capture_port="9996"
flow_capture_flags="-S 5 -n 1300 -N 0 -d 5"
-n 1300 — the logs will be rotated 1300 times a day, i.e. roughly once a minute.
sslcerts.sh
script in the contrib folder of ABillS.
<VirtualHost 0.0.0.0:443>
SSLEngine on
SSLOptions +StrictRequire
# NOTE(review): SSLv3 and the MD5 cipher preference are obsolete; a current
# deployment allows TLS only and drops +MD5 from SSLCipherSuite.
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
# Certificate and key generated by the contrib/sslcerts.sh script.
SSLCertificateFile /usr/local/abills/Certs/server.crt
SSLCertificateKeyFile /usr/local/abills/Certs/server.key
SSLVerifyClient none
SSLProxyEngine off
# Legacy workaround for old Internet Explorer SSL bugs.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
DocumentRoot /usr/local/abills/cgi-bin
ServerName stat.example.com
#ServerAlias com
ServerAdmin xanf@example.com
ErrorLog /var/log/error_log
TransferLog /var/log/access_log
Alias / "/usr/local/abills/cgi-bin/"
<Directory "/usr/local/abills/cgi-bin">
<IfModule mod_rewrite.c>
RewriteEngine on
# Pass the Authorization header through to the CGI as HTTP_CGI_AUTHORIZATION
# (Apache does not expose it to CGI scripts by default).
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_CGI_AUTHORIZATION:%1]
# NOTE(review): Indexes enables directory listings of cgi-bin; drop it unless needed.
Options Indexes ExecCGI SymLinksIfOwnerMatch
# mysql -D abills < abills.sql
# mysql -D abills < db/Ipn.sql
# ABillS modules to load (config.pl). Docs and Cards stay commented out.
@MODULES = ('Dv',
'Abon',
# 'Docs',
'Sqlcmd',
'Ipn',
# 'Cards');
);
$conf{default_language}='russian'; # interface language
$conf{default_charset}='windows-1251';
$conf{periodic_check}='yes';
$conf{IPN_DEPOSIT_OPERATION}=1; # IPN module option -- meaning per the ABillS docs
$conf{IPN_USERMENU}=1; # IPN module option -- meaning per the ABillS docs
$conf{IPN_FW_START_RULE} and $conf{IPN_FW_STOP_RULE}: here you can specify scripts that are executed when a connection is opened and closed. You can ignore $conf{IPN_FW_FIRST_RULE} — we will implement speed limiting in a different way. After unsuccessful experiments I personally gave up controlling the firewall from ABillS, and therefore do not use the linkupdown script that comes with ABillS.
mpd-limit+=out#1=all shape 64000 pass,mpd-limit+=in#1=all shape 64000 pass
$RAD_PAIRS->{"$left"} =~ s/\"//g;
$RAD_PAIRS->{"$left"}="\"". $RAD_PAIRS->{"$left"} .",$right\"";
}
else {
$RAD_PAIRS->{"$left"}="\"$right\"";
}
$RAD_PAIRS->{"$left"} =~ s/\"//g;
push( @ {$RAD_PAIRS->{"$left"} }, $right );
}
else {
$RAD_PAIRS->{"$left"}= [ $right ];
}
*/5 * * * * /usr/local/abills/libexec/traffic2sql 1
flowdir=/usr/local/abills/var/log/ipn
1 0 * * * root /usr/abills/libexec/periodic daily
1 0 * * * root /usr/abills/libexec/periodic monthly
billd -all to cron, as the documentation recommends. In our case it is not needed — and is even harmful: it will disconnect users at the boundaries of the time intervals.
Source: https://habr.com/ru/post/30174/