openwrt nodogsplash.conf文件

#
# Nodogsplash Configuration File
#
# 说明：#所在行不执行。（启用该参数需要删除执行参数前的#及空格）
# 文件格式为：参数｜建议值｜参数说明｜执行参数 。
# 不同参数之间空一行，同一参数中间可使用带#的空行。
# 为保证规则正确运行，需要用"/etc/init.d/nodogsplash start"启动

# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br0 for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
# 监测接口
GatewayInterface wlan0

# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
#防火墙规则集
FirewallRuleSet authenticated-users {

 # You may want to open access to a machine on a local
 # subnet that is otherwise blocked (for example, to
 # serve a redirect page; see RedirectURL). If so,
 # allow that explicitly here, e.g:
 # FirewallRule allow tcp port 80 to 192.168.254.254

 # Your router may have several interfaces, and you
 # probably want to keep them private from the GatewayInterface.
 # If so, you should block the entire subnets on those interfaces, e.g.:
    #FirewallRule block to 192.168.0.0/16
    #FirewallRule block to 10.0.0.0/8

 # Typical ports you will probably want to open up include
 # 53 udp and tcp for DNS,
 # 80 for http,
 # 443 for https,
 # 22 for ssh:
    #FirewallRule allow tcp port 53
    #FirewallRule allow udp port 53
    #FirewallRule allow tcp port 80
    #FirewallRule allow tcp port 443
    #FirewallRule allow tcp port 22
    FirewallRule allow all

}
# end FirewallRuleSet authenticated-users


# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList,
# are *not* authenticated with Nodogsplash. The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
 # For preauthenticated users to resolve IP addresses in their initial
 # request not using the router itself as a DNS server,
 # you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 53
 # For splash page content not hosted on the router, you
 # will want to allow port 80 tcp to the remote host here.
 # Doing so circumvents the usual capture and redirect of
 # any port 80 request to this remote host.
 # Note that the remote host's numerical IP address must be known
 # and used here.
 # FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users


# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself. The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
 # Nodogsplash automatically allows tcp to GatewayPort,
 # at GatewayAddress, to serve the splash page.
 # However you may want to open up other ports, e.g.
 # 53 for DNS and 67 for DHCP if the router itself is
 # providing these services.
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
 # You may want to allow ssh, http, and https to the router
 # for administration from the GatewayInterface. If not,
 # comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 23
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router

# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow -- packets are accepted
# block -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow


# Parameter: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
# 网关
# GatewayName NoDogSplash

# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface. This is the address that the Nodogsplash
# server listens on.
# 服务器监听
# GatewayAddress 192.168.1.1

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExtrnalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
# 外部接口
# ExternalInterface vlan1

# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
# to their initially requested page.
# If RedirectURL is set, the user is redirected to this URL instead.
# 确认后跳转网址（默认关闭）
# RedirectURL http://www.ilesansfil.org/

# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
# 网关地址监听端口
# GatewayPort 2050

# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
# connect at any time. (Does not include users on the TrustedMACList,
# who do not authenticate.)
# 最大用户数 （不包括trustedmaclist项里的用户－不受任何限制用户）
# MaxClients 20
# 用户进入欢迎界面后不进行任何操作的超时设置（分钟）
# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
#
# ClientIdleTimeout 10

# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
# 欢迎页面弹出时间间隔（分钟）
# ClientForceTimeout 360

# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
# 是否进行身份验证
# AuthenticateImmediately no

# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
# MAC过滤方式（启用黑名单阻止方式还是白名单允许方式）
# MACMechanism block

# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface. Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表黑名单（用逗号隔开）
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D

# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface. Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表白名单（用逗号隔开）
# AllowedMACList 00:00:12:34:56:78

# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC例外（不受任何限制）
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D


# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.
#  是否启用密码保护
#
# PasswordAuthentication no

# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.
# 启用密码保护后使用的密码
#
# Password nodog

# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.
# 是否启用登陆用户名
#
# UsernameAuthentication no

# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.
#
#  启用登陆用户名后使用的用户名
# Username guest

# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
# 用户名和密码重试次数（超过规定次数后需要重新授权）
#
# PasswordAttempts 5

# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
# 是否启用流量控制（流量控制总开关）
# TrafficControl no

# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
# 最大下载流量（0 为无限制）
# DownloadLimit 384

# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
# 最大上传流量（0 为无限制）
# UploadLimit 64

# Paramter: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
# on the GatewayInterface that will be responded to and managed by
# Nodogsplash. Addresses outside this range do not have their packets
# touched by Nodogsplash at all.
# Defaults to 0.0.0.0/0, that is, all addresses.
# 流量控制网段设置
# GatewayIPRange 0.0.0.0/0