-
Notifications
You must be signed in to change notification settings - Fork 1
/
appliance_amd64.nano
267 lines (242 loc) · 8.89 KB
/
appliance_amd64.nano
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
#######
# NanoBSD config file for Stormshield & Netasq appliances
# NanoShield ?
# By Alexandre MONGEON | 2021
# For Netasq U70S & Stormshield SN300
# Version 0.17 | 11.04.2021
#######
NANO_NAME=appliance_12.2_amd64
NANO_SRC=/root/freebsd-src-i386-12.2/usr/src
NANO_KERNEL=/root/kernel.conf
NANO_ARCH=amd64
NANO_IMAGES=2
NANO_IMGNAME=appliance_12.2_amd64_vga.img
NANO_DRIVE=ada0
# VGA
NANO_BOOTLOADER=/boot/boot0
# SERIAL
#NANO_BOOTLOADER=/boot/boot0sio
NANO_NEWFS="-b 4096 -f 512 -i 8192 -U"
NANO_MEDIASIZE=3928176
NANO_PACKAGE_LIST="isc-dhcp44-server*.txz wget*.txz cmdwatch*.txz htop*.txz lsof*.txz"
NANO_PACKAGE_DIR=/root/packages/All/
CONF_BUILD='
WITHOUT_KLDLOAD=YES
WITHOUT_NETGRAPH=YES
WITHOUT_PAM=YES
WITHOUT_FTP=YES
WITHOUT_HYPERV=YES
WITHOUT_KERBEROS=YES
WITHOUT_EFI=YES
WITHOUT_GDB=YES
WITHOUT_NTP=YES
WITHOUT_NVME=YES
WITHOUT_PPP=YES
WITHOUT_SHAREDOCS=YES
WITHOUT_WIRELESS=YES
WITHOUT_ZFS=YES
WITHOUT_CLANG=YES
WITHOUT_ATM=YES
WITHOUT_LLD=YES
WITHOUT_LLDB=YES
WITHOUT_LLVM_TARGET_ALL=YES
WITHOUT_NVME=YES
WITHOUT_SVNLITE=YES
WITHOUT_TELNET=YES
WITHOUT_TFTP=YES
WITHOUT_TESTS=YES
'
CONF_INSTALL='
WITHOUT_ACPI=YES
WITHOUT_BLUETOOTH=YES
WITHOUT_FORTRAN=YES
WITHOUT_HTML=YES
WITHOUT_LPR=YES
WITHOUT_MAN=YES
WITHOUT_SENDMAIL=YES
WITHOUT_SHAREDOCS=YES
WITHOUT_EXAMPLES=YES
WITHOUT_INSTALLLIB=YES
WITHOUT_CALENDAR=YES
WITHOUT_MISC=YES
WITHOUT_SHARE=YES
WITHOUT_BINUTILS=YES
WITHOUT_CLANG=YES
WITHOUT_KERBEROS=YES
WITHOUT_KLDLOAD=YES
WITHOUT_NETGRAPH=YES
WITHOUT_PAM=YES
WITHOUT_FTP=YES
WITHOUT_HYPERV=YES
WITHOUT_EFI=YES
WITHOUT_GDB=YES
WITHOUT_NTP=YES
WITHOUT_NVME=YES
WITHOUT_PPP=YES
WITHOUT_SHAREDOCS=YES
WITHOUT_WIRELESS=YES
WITHOUT_ZFS=YES
WITHOUT_ATM=YES
WITHOUT_LLD=YES
WITHOUT_LLDB=YES
WITHOUT_LLVM_TARGET_ALL=YES
WITHOUT_NVME=YES
WITHOUT_SVNLITE=YES
WITHOUT_TELNET=YES
WITHOUT_TFTP=YES
WITHOUT_TESTS=YES
'
CONF_WORLD='
WITHOUT_BIND=YES
WITHOUT_MODULES=YES
WITHOUT_GAMES=YES
WITHOUT_RESCUE=YES
WITHOUT_LOCALES=YES
WITHOUT_SYSCONS=YES
WITHOUT_INFO=YES
'
# Set hostname
cust_hostname () (
echo "hostname=\"netasq-u70s\"" >> ${NANO_WORLDDIR}/etc/rc.conf
)
# Use both VGA & Console
cust_serial () (
touch ${NANO_WORLDDIR}/boot/loader.conf
echo "boot_multicons=\"YES\"" >> ${NANO_WORLDDIR}/boot/loader.conf
echo "boot_serial=\"YES\"" >> ${NANO_WORLDDIR}/boot/loader.conf
echo "console=\"comconsole, vidconsole\"" >> ${NANO_WORLDDIR}/boot/loader.conf
echo "comconsole_speed=\"9600\"" >> ${NANO_WORLDDIR}/boot/loader.conf
)
# Customize motd banner
cust_motd () (
echo "" >> ${NANO_WORLDDIR}/etc/motd
echo "Welcome to this customized FreeBSD image adjusted for Netasq & Stormshield firewalls" > ${NANO_WORLDDIR}/etc/motd
echo "" >> ${NANO_WORLDDIR}/etc/motd
echo "Based on FreeBSD 12.2/amd64" >> ${NANO_WORLDDIR}/etc/motd
echo "" >> ${NANO_WORLDDIR}/etc/motd
echo "NanoShield project v0.17 - 2021 - A.MONGEON" >> ${NANO_WORLDDIR}/etc/motd
echo "" >> ${NANO_WORLDDIR}/etc/motd
)
# Setting up ethernet interfaces
cust_interfaces () (
echo "vlans_em0=\"eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth8\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth1=\"vlan 1\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth2=\"vlan 2\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth3=\"vlan 3\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth4=\"vlan 4\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth5=\"vlan 5\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth6=\"vlan 6\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth7=\"vlan 7\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "create_args_eth8=\"vlan 8\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth1=\"inet 10.0.1.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth2=\"inet 10.0.2.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth3=\"inet 10.0.3.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth4=\"inet 10.0.4.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth5=\"inet 10.0.5.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth6=\"inet 10.0.6.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth7=\"inet 10.0.7.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ifconfig_eth8=\"inet 10.0.8.254 netmask 255.255.255.0\"" >> ${NANO_WORLDDIR}/etc/rc.conf
)
# Enable bridge support
cust_bridge () (
echo "if_bridge_load=\"YES\"" >> ${NANO_WORLDDIR}/boot/loader.conf
echo "bridgestp_load=\"YES\"" >> ${NANO_WORLDDIR}/boot/loader.conf
)
# Enable packet forwarding, IPFW, NAT daemon
cust_firewall () (
echo "gateway_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Enable gateway function
echo "firewall_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Enable IPFW
echo "firewall_logging=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Enable IPFW logs
echo "firewall_script=\"/etc/ipfw.rules\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Tells to load this rule set
echo "natd_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Enable NATD function
echo "natd_interface=\"eth1\"" >> ${NANO_WORLDDIR}/etc/rc.conf # Interface name of public Internet NIC
echo "natd_flags=\"-dynamic\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "ipfw_load=\"YES\"" >> ${NANO_WORLDDIR}/boot/loader.conf
)
# Setup dhcpd
cust_dhcpd () (
# /etc/rc.conf
echo "dhcpd_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf
echo "dhcpd_ifaces=\"eth2\"" >> ${NANO_WORLDDIR}/etc/rc.conf
#echo "dhcpd_chuser_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # runs w/o privileges
#echo "dhcpd_withuser=\"dhcpd\"" >> ${NANO_WORLDDIR}/etc/rc.conf # user name to run as
#echo "dhcpd_withgroup=\"dhcpd\"" >> ${NANO_WORLDDIR}/etc/rc.conf # group name to run as
#echo "dhcpd_chroot_enable=\"YES\"" >> ${NANO_WORLDDIR}/etc/rc.conf # runs chrooted
# /etc/local/dhcpd.conf
echo "option domain-name \"example.com\";" > ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo "option domain-name-servers 1.1.1.1, 9.9.9.9;" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo "default-lease-time 3600;" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo "max-lease-time 86400;" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo "subnet 10.0.2.0 netmask 255.255.255.0 {" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo " range 10.0.2.10 10.0.2.99;" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo " option routers 10.0.2.254;" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
echo "}" >> ${NANO_WORLDDIR}/etc/local/dhcpd.conf
)
# Create a directory for mounting the SD Card and edit fstab for auto-mount the sd card
cust_logs () (
mkdir ${NANO_WORLDDIR}/mnt/logs
#echo "/dev/mmcsd0p1 /mnt/logs ufs rw 0 0" >> ${NANO_WORLDDIR}/etc/fstab
)
# Install packages from ${NANO_PACKAGE_DIR}
cust_pkgng ( ) (
mkdir -p ${NANO_WORLDDIR}/usr/local/etc
local PKG_CONF="${NANO_WORLDDIR}/usr/local/etc/pkg.conf"
local PKGCMD="env BATCH=YES ASSUME_ALWAYS_YES=YES PKG_DBDIR=${NANO_PKG_META_BASE}/pkg SIGNATURE_TYPE=none /usr/sbin/pkg"
# Ensure pkg.conf points pkg to where the package meta data lives.
touch ${PKG_CONF}
if grep -Eiq '^PKG_DBDIR:.*' ${PKG_CONF}; then
sed -i -e "\|^PKG_DBDIR:.*|Is||PKG_DBDIR: "\"${NANO_PKG_META_BASE}/pkg\""|" ${PKG_CONF}
else
echo "PKG_DBDIR: \"${NANO_PKG_META_BASE}/pkg\"" >> ${PKG_CONF}
fi
# If the package directory doesn't exist, we're done.
if [ ! -d ${NANO_PACKAGE_DIR} ]; then
echo "DONE 0 packages"
return 0
fi
# Find a pkg-* package
for x in `find -s ${NANO_PACKAGE_DIR} -iname 'pkg-*'`; do
_NANO_PKG_PACKAGE=`basename "$x"`
done
if [ -z "${_NANO_PKG_PACKAGE}" -o ! -f "${NANO_PACKAGE_DIR}/${_NANO_PKG_PACKAGE}" ]; then
echo "FAILED: need a pkg/ package for bootstrapping"
exit 2
fi
# Mount packages into chroot
mkdir -p ${NANO_WORLDDIR}/_.p
mount -t nullfs -o noatime -o ro ${NANO_PACKAGE_DIR} ${NANO_WORLDDIR}/_.p
mount -t devfs devfs ${NANO_WORLDDIR}/dev
trap "umount ${NANO_WORLDDIR}/dev; umount ${NANO_WORLDDIR}/_.p ; rm -rf ${NANO_WORLDDIR}/_.p" 1 2 15 EXIT
# Install pkg-* package
CR "${PKGCMD} add /_.p/${_NANO_PKG_PACKAGE}"
(
# Expand any glob characters in pacakge list
cd "${NANO_PACKAGE_DIR}"
_PKGS=`find ${NANO_PACKAGE_LIST} -not -name "${_NANO_PKG_PACKAGE}" -print | sort | uniq`
# Show todo
todo=`echo "$_PKGS" | wc -l`
echo "=== TODO: $todo"
echo "$_PKGS"
echo "==="
# Install packages
for _PKG in $_PKGS; do
CR "${PKGCMD} add /_.p/${_PKG}"
done
)
CR0 "${PKGCMD} info"
trap - 1 2 15 EXIT
umount ${NANO_WORLDDIR}/dev
umount ${NANO_WORLDDIR}/_.p
rm -rf ${NANO_WORLDDIR}/_.p
)
customize_cmd cust_install_files
customize_cmd cust_allow_ssh_root
customize_cmd cust_hostname
customize_cmd cust_serial
customize_cmd cust_motd
customize_cmd cust_interfaces
customize_cmd cust_bridge
customize_cmd cust_firewall
customize_cmd cust_pkgng
customize_cmd cust_logs
customize_cmd cust_dhcpd