Files in /etc/sysconfig
Some things are configurable. On this page, files and variables are listed and explained.
backup
Backup client defaults, required if you want to automate backups.
- url = URL of the server. Defaults to https://backup.shurdix.com/cgi-bin/backup.fcgi
- login = your login on the server
- password = your password on the server
- key = your key for encryption/decryption
- cfgbackup = frequency of autosaving backups. Defaults to off. Requires login, password and key to be set. Possible values are daily, weekly (on Sunday), or monthly (first Sunday in the month).
- logbackup = logs will be backed up upon rotating them if this is set to 1. Defaults to off.
firewall
Configuration for firewall and some other related things like ipset (for user management)
- GWDEV = comma separated list of devices that represent the default gateway (connection to the internet). This is only necessary if you have complicated routing rules, such as more than one line. If you only have one device for the internet connection, the firewall script usually figures it out automatically. Defaults to nothing (i.e. autodetection). Also, if GATEWAY_* are set, it will set up loadbalancing between these gateways.
- LAN = comma separated list of devices that represent your local area network. Defaults to eth1.
- PN = comma separated list of devices that represent a remote private network (for example, for companies this could be a separate line to another branch, for dormitories this could be a separate line to the university). PN traffic isn’t measured in IP-Accounting. Other rules, such as user management, masquerading, or the chain extern, apply to PN devices the same way as for the internet connection (default gateway). Please note, this isn’t a VPN, but a real physical network.
- WEIGHT_devicename (devicename being one of the devices from GWDEV): weight for loadbalancing, in case the connections have different capacity. Try to keep as low as possible. For more information, see http://www.ssi.bg/~ja/nano.txt
- GATEWAY_devicename (devicename being one of the devices from GWDEV): default gateway for this interface
- INETCLASSES: if you have custom classes, here you can define those that have internet access. Comma-separated list. Defaults to “normal”
- PNCLASSES: if you have a device with private network and custom classes, you can define here the classes that have access to it. Defaults to “normal”.
- LANCLASSES: unused
keymap
You can set the keyboard layout here. Available keymaps are located in /usr/share/keymaps.
- KEYMAP = Name of the layout (file name from /usr/share/keymaps without the .bmap extension). Defaults to none.
httpd
In order to activate changes in this file, you have to restart the httpd service.
- redirurl = url to which computers without internet access are redirected. Defaults to http://router/mac, which is handled by httpd internally.
- macformmsg = if you want to display an additional message on the http://router/mac page, define this parameter. Defaults to "If needed, use the form below to contact the computer administration:".
- register = set to nonzero if you want the users to be able to directly register their computers to the database. Defaults to off.
- registertimeout = If nonzero, internet access of registered users will autoblock this many days after registration. If you want this to really block the users automatically, you have to enable um/timeblock (see below). Defaults to off.
- registerfree = If zero (default), registered users will be recorded as blocked. If nonzero, registered users will have immediate internet access.
- registerclass = If you want newly registered users to be members of one of your custom classes, use this. Please note that if registerfree is defined, it overrides registerclass.
- registermsg = If you want a custom block reason for the registered computers pending unblocking, you can set it here. Defaults to Activation pending
- privateacct = If you want people to only see their own IP-Accounting unless they are administrators, set this to 1. Defaults to 0.
mail
(only for /bin/mail, not for e.g. aspe.smtp)
- maxsize = maximum allowed size for mails. In bytes. Set to 0 for unlimited. Defaults to 64kB.
- relay = comma separated list of mail relays. If missing, mail is sent to MX’s of recipient’s domain.
- root = this is root’s alias. Otherwise root gets no email.
- sender = this will be the sender of emails originating from the system
- username, password = if the relay needs SMTP-AUTH, you can set it here (will only be used if all three, relay, username and password are defined).
modules
Lists additional (optional) system modules that are to be loaded to RAM (into /opt) and checked for updates (on service update start). The file contains a whitespace-separated (e.g. space or newline) list of modules. Currently there are no modules available and this is not tested yet. In the future at least squid and radius are planned.
radius
If you use freeradius and want to authenticate clients against user management, use this file to configure the details. Currently only MAC-authentication is implemented, and no CHAP.
- nassharedsecret = shared secret for NAS. Defaults to "".
- unknownaccess = number of seconds for unknown MACs to be given access to the local network (not internet). This allows new users to access the user management website and register. After this many seconds, access will be blocked. The MAC will be stored in a separate database. Defaults to 0, which disables this functionality, so unknown MACs are denied access to the NAS from the beginning.
services
If you want to have some services autostarted on boot, edit this file. htpd, httpd/stunnel, dnsmasq and sshd are always started. To activate, set to 1.
- firewall
- clamd
- ipsec (not usable yet)
- aspe.smtp
- aspe.vulncheck
- aspe.dhcpwatch
- aspe.arpflood
- tc
- umlan
tc (Traffic Control)
- DEV_IN: internal device. Only used for detecting the maximum number of users (from the netmask of this interface). Defaults to eth1.
- DEV_OUT: outgoing interface, this one will have traffic control on it. Can be a comma-separated list. Defaults to eth0.
- BW_IN: incoming bandwidth in kbps. Set to ~95% of the real maximum capacity. Defaults to 1600.
- BW_ING: if you want to setup your ingress limit manually, you can use this. If not set, BW_ING defaults to BW_IN. Optional.
- BW_OUT: outgoing bandwidth in kbps. Set to ~98% of the real maximum capacity. Defaults to 2000.
- BW_IN_devicename, BW_OUT_devicename: if the devices have different capacities, you can set them with these parameters. Optional.
- MAX_CLASSES: if you want to set this manually (instead of being detected from the netmask of DEV_IN), you can use this. Should be a power of 2. Optional.
Following are optional too, and can be used to finetune traffic control for the users belonging to specific user classes.
- MAXWEIGHT_class: maximum weight for users in this class (float between 0 and 1). Defaults to 1.
- MINWEIGHT_class: minimum weight for users in this class. Defaults to 0.1
- GROW_class: time for the weight to grow from min to max, when no data is being transferred. Unit is seconds. Defaults to 300.
- SINK_class: time for the weight to sink from max to min, when the class bandwidth is fully utilised. Unit is seconds. Defaults to 300.
Following are optional, and can be used to limit part of traffic. This is disabled by default. Although their labels say P2P, they can be used to distinguish anything that iptables can mark.
- P2PBW: limit per IP P2P bandwidth to this many kbit/s
- P2PBW_IN: same as above but only apply to incoming traffic. Overrides P2PBW
- P2PBW_OUT: same as above but only apply to outgoing traffic. Overrides P2PBW
- P2POPTIONS: iptables rule to distinguish this traffic. Defaults to -m ipp2p --ipp2p. If you want to combine multiple rules in an "OR" fashion, define any variables that begin with the string P2POPTION.
Example:
P2PBW=100
P2POPTIONA="-m ipp2p --ipp2p -m time --timestart 18:00"
P2POPTIONB="-m ipp2p --ipp2p -m time --timestop 06:00"
This will limit P2P traffic to 100kbit/s per IP between 18:00 and 06:00.
um (User Management)
- timeblock = if you wish to check daily for records that are beyond allowed dates (use YYYYMMDD in comment field), set this to nonzero. Defaults to off.
- timeblockreason = set block reason to this text. Can contain $day, $month, and $year which will be expanded. Defaults to Access only until $day. $month. $year
- feedbackpurge = records from feedback older than this many days will be purged. Defaults to 28.
- warndays = days before the timeblock deadline to warn the owner of the computer by email. Defaults to 0 (disabled). timeblock has to be enabled too if you want this to happen. Can be a comma separated list if you want to notify more than once.
- warnsubj = subject for the email for warning. Defaults to Message from computer administration
- warnmsg = message for the warning email. $days will be replaced by the remaining days. Defaults to Your internet access has only been paid for the next $days days.\nIt would be a prudent decision not to miss the payment deadline!\n
- classes = comma separated list of classes. There are two default ones that are always created: normal and blocked. Try to keep the length within 8 characters.
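Several settings on this page only take effect when others are set (cfgbackup needs login, password and key; SMTP-AUTH needs relay, username and password; warndays and registertimeout need um/timeblock). The script below is an added example, not part of the system documented here, that checks those dependencies; it assumes the files hold KEY=value lines as in the tc example, and val, on, warn and lint_sysconfig are hypothetical names.

```shell
#!/bin/sh
# Added example: lint a sysconfig directory against the dependencies this page states.
# Assumption: each file holds KEY=value lines (as in the tc example), values
# optionally wrapped in double quotes. All function names are hypothetical.

# val FILE KEY: print the last value assigned to KEY, or nothing if unset.
val() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}
# on VALUE: true for the page's "nonzero" switches (set and not 0).
on() { [ -n "$1" ] && [ "$1" != 0 ]; }
warn() { echo "WARN: $*" >&2; PROBLEMS=$((PROBLEMS + 1)); }

lint_sysconfig() {
    d=$1; PROBLEMS=0

    # backup: cfgbackup needs login, password and key, and a known frequency.
    freq=$(val "$d/backup" cfgbackup)
    if [ -n "$freq" ]; then
        case $freq in
            daily|weekly|monthly) ;;
            *) warn "backup: cfgbackup='$freq' is not daily, weekly or monthly" ;;
        esac
        for k in login password key; do
            [ -n "$(val "$d/backup" "$k")" ] || warn "backup: cfgbackup set but $k is empty"
        done
    fi

    # mail: SMTP-AUTH is used only when relay, username and password are all set.
    relay=$(val "$d/mail" relay); user=$(val "$d/mail" username); pass=$(val "$d/mail" password)
    if [ -n "$user$pass" ] && { [ -z "$relay" ] || [ -z "$user" ] || [ -z "$pass" ]; }; then
        warn "mail: SMTP-AUTH ignored, relay/username/password are not all set"
    fi

    # um + httpd: warndays and registertimeout only take effect with um/timeblock.
    tb=$(val "$d/um" timeblock)
    if on "$(val "$d/um" warndays)" && ! on "$tb"; then
        warn "um: warndays set but timeblock is off"
    fi
    if on "$(val "$d/httpd" registertimeout)" && ! on "$tb"; then
        warn "httpd: registertimeout set but um/timeblock is off"
    fi
    return 0
}

# Run against a directory given on the command line, e.g. /etc/sysconfig.
if [ -n "${1:-}" ]; then lint_sysconfig "$1"; echo "$PROBLEMS problem(s)"; fi
```

Warnings go to stderr and the count is left in PROBLEMS, so the function can be called from a boot or cron script without parsing its output.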