diff --git a/src/etc/Makefile b/src/etc/Makefile index b51103ae..ac1a1161 100644 --- a/src/etc/Makefile +++ b/src/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.255 2007/11/05 23:46:12 merdely Exp $ +# $OpenBSD: Makefile,v 1.256 2007/12/07 17:13:35 deraadt Exp $ TZDIR= /usr/share/zoneinfo LOCALTIME= Canada/Mountain @@ -82,7 +82,7 @@ distribution-etc-root-var: distrib-dirs ${INSTALL} -c -o root -g wheel -m 600 pf.conf ${DESTDIR}/etc ${INSTALL} -c -o root -g operator -m 644 chio.conf ${DESTDIR}/etc ${INSTALL} -c -o root -g wheel -m 600 hostapd.conf ${DESTDIR}/etc - ${INSTALL} -c -o root -g wheel -m 600 hoststated.conf ${DESTDIR}/etc + ${INSTALL} -c -o root -g wheel -m 600 relayd.conf ${DESTDIR}/etc ${INSTALL} -c -o root -g wheel -m 600 ipsec.conf ${DESTDIR}/etc ${INSTALL} -c -o root -g wheel -m 600 sasyncd.conf ${DESTDIR}/etc ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 555 \ diff --git a/src/etc/changelist b/src/etc/changelist index 3da154c5..6e6c8647 100644 --- a/src/etc/changelist +++ b/src/etc/changelist @@ -1,4 +1,4 @@ -# $OpenBSD: changelist,v 1.54 2007/10/08 12:16:35 norby Exp $ +# $OpenBSD: changelist,v 1.55 2007/12/07 17:13:35 deraadt Exp $ # # List of files which the security script backs up and checks # for modifications. @@ -39,7 +39,7 @@ /etc/gettytab /etc/group /etc/hostapd.conf -/etc/hoststated.conf +/etc/relayd.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny diff --git a/src/etc/ftpusers b/src/etc/ftpusers index d719371b..1117ecff 100644 --- a/src/etc/ftpusers +++ b/src/etc/ftpusers @@ -1,4 +1,4 @@ -# $OpenBSD: ftpusers,v 1.31 2007/10/08 11:29:58 norby Exp $ +# $OpenBSD: ftpusers,v 1.32 2007/12/07 17:13:35 deraadt Exp $ # # list of users disallowed any ftp access. # read by ftpd(8). @@ -40,5 +40,5 @@ _ospfd _hostapd _dvmrpd _ripd -_hoststated +_relayd _ospf6d diff --git a/src/etc/group b/src/etc/group index 0c8b4233..619fc663 100644 --- a/src/etc/group +++ b/src/etc/group 
@@ -53,7 +53,7 @@ _ospfd:*:85:
 _hostapd:*:86:
 _dvmrpd:*:87:
 _ripd:*:88:
-_hoststated:*:89:
+_relayd:*:89:
 _ospf6d:*:90:
 dialer:*:117:
 nogroup:*:32766:
diff --git a/src/etc/hoststated.conf b/src/etc/hoststated.conf
deleted file mode 100644
index 679a992c..00000000
--- a/src/etc/hoststated.conf
+++ /dev/null
@@ -1,119 +0,0 @@ -# $OpenBSD: hoststated.conf,v 1.9 2007/11/28 15:16:18 reyk Exp $ -# -# Macros -# -ext_addr="192.168.1.1" -webhost1="10.0.0.1" -webhost2="10.0.0.2" -sshhost1="10.0.0.3" - -# -# Global Options -# -# interval 10 -# timeout 200 -# prefork 5 - -# -# Each table will be mapped to a pf table. -# -table webhosts { - real port http - check http "/" code 200 - host $webhost1 - host $webhost2 -} - -table fallback { - real port http - check icmp - host 127.0.0.1 -} - -# -# Services will be mapped to a rdr rule. -# -service www { - virtual host $ext_addr port http interface trunk0 - - # tag every packet that goes thru the rdr rule with HOSTSTATED - tag HOSTSTATED - - table webhosts - backup table fallback -} - -# -# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration -# -protocol httpssl { - protocol http - header append "$REMOTE_ADDR" to "X-Forwarded-For" - header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By" - header change "Connection" to "close" - - # Various TCP performance options - tcp { nodelay, sack, socket buffer 65536, backlog 128 } - -# ssl { no sslv2, sslv3, tlsv1, ciphers HIGH } -# ssl session cache disable -} - -relay wwwssl { - # Run as a SSL accelerator - listen on $ext_addr port 443 ssl - protocol httpssl - - # Forward to hosts in the webhosts table using a src/dst hash - table webhosts loadbalance -} - -# -# Relay and protocol for simple TCP forwarding on layer 7 -# -protocol sshtcp { - protocol tcp - - # The TCP_NODELAY option is required for "smooth" terminal sessions - tcp nodelay -} - -relay sshgw { - # Run as a simple TCP relay - listen on $ext_addr port 2222 - protocol sshtcp - - # Forward to the shared carp(4) address of an internal gateway - forward to $sshhost1 port 22 -} - -# -# Relay and protocol for a transparent HTTP proxy -# -protocol httpfilter { - protocol http - - # Return HTTP/HTML error pages to the client - return error - - # Block disallowed browsers - label "Please try a different Browser" - 
header filter "Mozilla/4.0 (compatible; MSIE *" from "User-Agent" - - # Block some well-known Instant Messengers - label "Instant messenger disallowed!" - response header filter "application/x-msn-messenger" from "Content-Type" - response header filter "app/x-hotbar-xip20" from "Content-Type" - response header filter "application/x-icq" from "Content-Type" - response header filter "AIM/HTTP" from "Content-Type" - response header filter "application/x-comet-log" from "Content-Type" -} - -relay httpproxy { - # Listen on localhost, accept redirected connections from pf(4) - listen on 127.0.0.1 port 8080 - protocol httpfilter - - # Forward to the original target host - nat lookup -} diff --git a/src/etc/master.passwd b/src/etc/master.passwd index 7be8d5b4..0e6ba598 100644 --- a/src/etc/master.passwd +++ b/src/etc/master.passwd @@ -35,6 +35,6 @@ _ospfd:*:85:85::0:0:OSPF Daemon:/var/empty:/sbin/nologin _hostapd:*:86:86::0:0:HostAP Daemon:/var/empty:/sbin/nologin _dvmrpd:*:87:87::0:0:DVMRP Daemon:/var/empty:/sbin/nologin _ripd:*:88:88::0:0:RIP Daemon:/var/empty:/sbin/nologin -_hoststated:*:89:89::0:0:HostState Daemon:/var/empty:/sbin/nologin +_relay:*:89:89::0:0:Relay Daemon:/var/empty:/sbin/nologin _ospf6d:*:90:90::0:0:OSPF6 Daemon:/var/empty:/sbin/nologin nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin diff --git a/src/etc/rc b/src/etc/rc index e6ef2a4a..6e26e727 100644 --- a/src/etc/rc +++ b/src/etc/rc @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.307 2007/11/11 16:12:11 jmc Exp $ +# $OpenBSD: rc,v 1.308 2007/12/07 17:13:35 deraadt Exp $ # System startup script run by init on autoboot # or after single-user. 
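Review bot: The account in the master.passwd hunk is renamed to `_relay`, while the group and ftpusers hunks of this same commit use `_relayd`, so uid 89 and gid 89 end up under different names. The ftpusers deny entry `_relayd` then matches no account in the password database. If the daemon looks up its unprivileged user as `_relayd` (its source is not visible in this diff), the lookup would fail and it could not drop privileges to the dedicated account. The new line should presumably read `_relayd:*:89:89::0:0:Relay Daemon:/var/empty:/sbin/nologin`.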
@@ -588,8 +588,8 @@ if [ X"${ifstated_flags}" != X"NO" ]; then echo -n ' ifstated'; ifstated $ifstated_flags fi -if [ X"${hoststated_flags}" != X"NO" ]; then - echo -n ' hoststated'; /usr/sbin/hoststated $hoststated_flags +if [ X"${relayd_flags}" != X"NO" ]; then + echo -n ' relayd'; /usr/sbin/relayd $relayd_flags fi if [ X"${dhcpd_flags}" != X"NO" -a -f /etc/dhcpd.conf ]; then diff --git a/src/etc/rc.conf b/src/etc/rc.conf index 1dabbb10..2a2bf5a2 100644 --- a/src/etc/rc.conf +++ b/src/etc/rc.conf @@ -1,6 +1,6 @@ #!/bin/sh - # -# $OpenBSD: rc.conf,v 1.126 2007/11/20 06:13:17 jmc Exp $ +# $OpenBSD: rc.conf,v 1.127 2007/12/07 17:13:35 deraadt Exp $ # set these to "NO" to turn them off. otherwise, they're used as flags routed_flags=NO # for normal use: "-q" @@ -40,7 +40,7 @@ watchdogd_flags=NO # for normal use: "" ftpproxy_flags=NO # for normal use: "" hostapd_flags=NO # for normal use: "" ifstated_flags=NO # for normal use: "" -hoststated_flags=NO # for normal use: "" +relayd_flags=NO # for normal use: "" # use -u to disable chroot, see httpd(8) httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))