diff --git a/FreeBSD/backup.sh b/FreeBSD/backup.sh
new file mode 100644
index 0000000..9c6f066
--- /dev/null
+++ b/FreeBSD/backup.sh
@@ -0,0 +1,14 @@
+#!/bin/csh
+#Script to grab all relevant configuration files and installed packages, and back it up to github
+/usr/sbin/pkg prime-origins > /root/fw/pkg_prime-origins
+
+foreach i ( "/boot/loader.conf" "/etc/pf.conf" "/etc/rc.conf" "/etc/start_if.eth0" "/usr/local/etc/dhcpd.conf" "/usr/local/etc/namedb/named.conf" "/usr/local/etc/namedb/dynamic/example.com.db" "/var/cron/tabs/root" "/usr/local/etc/dhcp6c.conf" "/etc/rtadvd.conf" "/usr/local/etc/dhcpd6.conf" "/etc/dhclient.conf" )
+ echo "Backing up "$i
+ /bin/cp $i /root/fw$i
+end
+
+echo "git push"
+cd /root/fw/
+/usr/local/bin/git add .
+/usr/local/bin/git commit -S -m "nightly backup"
+/usr/local/bin/git push -u origin main
diff --git a/FreeBSD/boot/loader.conf b/FreeBSD/boot/loader.conf
new file mode 100644
index 0000000..9c5f7ef
--- /dev/null
+++ b/FreeBSD/boot/loader.conf
@@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"
diff --git a/FreeBSD/etc/dhclient.conf b/FreeBSD/etc/dhclient.conf
new file mode 100644
index 0000000..5580ad9
--- /dev/null
+++ b/FreeBSD/etc/dhclient.conf
@@ -0,0 +1,10 @@
+# $FreeBSD$
+#
+# This file is required by the ISC DHCP client.
+# See ``man 5 dhclient.conf'' for details.
+#
+# In most cases an empty file is sufficient for most people as the
+# defaults are usually fine.
+#
+#
+supersede domain-name-servers 127.0.0.1;
diff --git a/FreeBSD/etc/pf.conf b/FreeBSD/etc/pf.conf
new file mode 100644
index 0000000..06cf214
--- /dev/null
+++ b/FreeBSD/etc/pf.conf
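Review bot: Nothing in backup.sh checks a return code, so if `cd /root/fw/` fails the following `git add .` and `git commit` run in whatever directory cron started in, and a failed `/bin/cp` (e.g. a new entry in the list whose parent directory does not yet exist under /root/fw, since cp does not create it) is silently skipped; csh has no `set -e`, so write `cd /root/fw/ || exit 1` and `/bin/cp $i /root/fw$i || exit 1`, with `/bin/mkdir -p /root/fw$i:h` before the copy. Separately, the files committed alongside this script are visibly redacted (`lan = "xxx"` in pf.conf, `example.com`, a five-octet MAC in start_if.eth0), but the script copies the live files verbatim into the same paths and pushes to `origin`, so the next nightly run overwrites those redactions with the real pf ruleset, static DHCP host/MAC table, named.conf and root's crontab. If `origin` is not a private remote, that is a full network inventory in public; a header comment such as `# NOTE: pushes live firewall/DHCP/DNS config and root's crontab unredacted - origin must be a private repo` makes the assumption explicit for whoever maintains this next.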
@@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 
server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"
diff --git a/FreeBSD/etc/rc.conf b/FreeBSD/etc/rc.conf
new file mode 100644
index 0000000..64488a2
--- /dev/null
+++ b/FreeBSD/etc/rc.conf
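Review bot: `lan = "xxx"` at the top of the ruleset is a placeholder, while rc.conf in this same commit puts the LAN on eth2 (`ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"`, `dhcpd_ifaces="eth2"`, `rtadvd_interfaces="eth2"`); as committed, every `$lan` rule, the NAT rule and the DHCP-server rules refer to an interface that does not exist, so nothing arriving on eth2 matches a `pass` rule and the default-deny block rules drop all LAN traffic. If `xxx` is a deliberate redaction, mark it as one (`lan = "xxx"  # redacted - eth2 on the live host`), otherwise set `lan = "eth2"` to match rc.conf. Also, the four default-deny rules do not `log` although rc.conf enables pflog; `block drop log in inet all label "Default deny rule IPv4"` (and its three siblings) costs nothing and is what makes /var/log/pflog useful for spotting probes from the WAN and mistakes in the ruleset.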
@@ -0,0 +1,44 @@
+hostname="fw"
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_ngeth0_ipv6="inet6 accept_rtadv up"
+ipv6_cpe_wanif="ngeth0"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"
+ifconfig_eth2_ipv6="inet6 -accept-rtadv up"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"
+ipv6_activate_all_interfaces="YES"
+rtadvd_enable="YES"
+rtadvd_interfaces="eth2"
+dhcp6c_enable="YES"
+dhcp6c_interfaces="ngeth0"
+dhcpd_enable="YES"
+dhcpd_flags="-q"
+dhcpd_conf="/usr/local/etc/dhcpd.conf"
+dhcpd_ifaces="eth2"
+dhcpd_withumask="022"
+dhcpd_chuser_enable="YES"
+dhcpd_withuser="dhcpd"
+dhcpd_withgroup="dhcpd"
+dhcpd_chroot_enable="YES"
+dhcpd_devfs_enable="YES"
+dhcpd_rootdir="/var/db/dhcpd"
+dhcpd6_enable="YES"
+dhcpd6_flags="-q"
+dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
+dhcpd6_ifaces="eth2"
+dhcpd6_withumask="022"
+dhcpd6_chuser_enable="YES"
+dhcpd6_withuser="dhcpd"
+dhcpd6_withgroup="dhcpd"
+dhcpd6_chroot_enable="YES"
+dhcpd6_devfs_enable="YES"
+dhcpd6_rootdir="/var/db/dhcpd"
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_logfile="/var/log/pflog"
+powerd_enable="YES"
+powerd_flags="-b hadp -n hadp -a hadp"
+ntpd_enable="YES"
+sshd_enable="YES"
diff --git a/FreeBSD/etc/rtadvd.conf b/FreeBSD/etc/rtadvd.conf
new file mode 100644
index 0000000..3a628ec
--- /dev/null
+++ b/FreeBSD/etc/rtadvd.conf
@@ -0,0 +1,2 @@
+default:\
+ :raflags="m"::prefixlen#64:\
diff --git a/FreeBSD/etc/start_if.eth0 b/FreeBSD/etc/start_if.eth0
new file mode 100644
index 0000000..42b2ed2
--- /dev/null
+++ b/FreeBSD/etc/start_if.eth0
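Review bot: The `default:\` record in rtadvd.conf ends with a trailing `\` continuation and no line after it, so the entry is left open at end of file; either drop the backslash (`:raflags="m"::prefixlen#64:`) or restore the capability line it was meant to continue. It looks as though a line was removed when the file was redacted, and since the file carries no prefix of its own it would help the next reader to say where the prefix comes from, e.g. a leading `# prefix is taken from the interface address (delegated by dhcp6c); raflags m = managed, clients use DHCPv6`. rtadvd may well tolerate the dangling continuation, but a parser quirk is not something a router's RA configuration should rely on.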
@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+ echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+ echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+ echo "$(getTimestamp) Configuration: "
+ echo "$(getTimestamp) ONT_IF: $ONT_IF"
+ echo "$(getTimestamp) RG_IF: $RG_IF"
+ echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+ echo "$(getTimestamp) building netgraph nodes..."
+
+ echo -n "$(getTimestamp) creating ng_one2many... "
+ /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+ /usr/sbin/ngctl name $ONT_IF:lower o2m
+ echo "OK!"
+
+ echo -n "$(getTimestamp) creating vlan node and interface... "
+ /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+ /usr/sbin/ngctl name o2m:many0 vlan0
+ /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+ /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+ /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... "
+ /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+ /usr/sbin/ngctl name o2m:many1 waneapfilter
+ /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... "
+ /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+ /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+ /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... "
+ /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining filters for EAP traffic... "
+ /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling one2many links... 
" + /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" + echo "OK!" + + echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... " + /usr/sbin/ngctl rmhook waneapfilter: nomatch + echo "OK!" + + echo -n "$(getTimestamp) enabling $RG_IF interface... " + /sbin/ifconfig $RG_IF up + echo "OK!" + + echo -n "$(getTimestamp) enabling $ONT_IF interface... " + /sbin/ifconfig $ONT_IF up + echo "OK!" + + echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... " + /sbin/ifconfig $RG_IF promisc + echo "OK!" + + echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " + /sbin/ifconfig $ONT_IF promisc + echo "OK!" + + echo -n "$(getTimestamp) set mac address on ngeth0..." + /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR + echo "OK!" + + echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN" + echo "$(getTimestamp) done!" +} >> $LOG diff --git a/FreeBSD/pkg_prime-origins b/FreeBSD/pkg_prime-origins new file mode 100644 index 0000000..44fbed4 --- /dev/null +++ b/FreeBSD/pkg_prime-origins @@ -0,0 +1,6 @@ +dns/bind916 +net/dhcp6 +devel/git +security/gnupg +net/isc-dhcp44-server +ports-mgmt/pkg diff --git a/FreeBSD/usr/local/etc/dhcp6c.conf b/FreeBSD/usr/local/etc/dhcp6c.conf new file mode 100644 index 0000000..8fd8581 --- /dev/null +++ b/FreeBSD/usr/local/etc/dhcp6c.conf @@ -0,0 +1,12 @@ +interface ngeth0 { + send ia-pd 0; # request prefix delegation + request domain-name-servers; + request domain-name; +}; +id-assoc pd 0 { + prefix ::/60 infinity; + prefix-interface igb1 { + sla-id 1; + sla-len 4; + }; +}; diff --git a/FreeBSD/usr/local/etc/dhcpd.conf b/FreeBSD/usr/local/etc/dhcpd.conf new file mode 100644 index 0000000..4c7835f --- /dev/null +++ b/FreeBSD/usr/local/etc/dhcpd.conf 
@@ -0,0 +1,44 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+option arch code 93 = unsigned integer 16; # RFC4578
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+update-conflict-detection false;
+authoritative;
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ pool {
+ range 192.168.1.100 192.168.1.199;
+ }
+
+ option routers 192.168.1.1;
+ option domain-name-servers 192.168.1.1;
+ ping-check true;
+
+}
+host s_lan_0 {
+ hardware ethernet 00:11:22:33:44:55;
+ fixed-address 192.168.1.50
+ option host-name "example-host1";
+}
+host s_lan_1 {
+ hardware ethernet 66:77:88:99:aa:bb;
+ fixed-address 192.168.1.51;
+ option host-name "example-host2";
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));
+
+zone example.com. {
+ primary 127.0.0.1;
+}
diff --git a/FreeBSD/usr/local/etc/dhcpd6.conf b/FreeBSD/usr/local/etc/dhcpd6.conf
new file mode 100644
index 0000000..ba56d57
--- /dev/null
+++ b/FreeBSD/usr/local/etc/dhcpd6.conf
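Review bot: `fixed-address 192.168.1.50` inside `host s_lan_0` is missing its terminating semicolon, which dhcpd should reject at parse time; with `dhcpd_enable="YES"` in rc.conf that means no IPv4 DHCP on the LAN after a reboot, so it should read `fixed-address 192.168.1.50;` like the `s_lan_1` entry below it. `update-conflict-detection` is also set twice (`false` near the top, `true` in the DDNS block); keep one so the effective value does not depend on parse order. The DDNS `zone example.com.` block authenticates by address only (`primary 127.0.0.1;`, no `key`), which together with named's `allow-update { 127.0.0.1; }` means any local process that can reach loopback can rewrite the zone; a TSIG key referenced from both this block and named's `allow-update` is the usual fix, and it would also survive the dhcpd chroot that rc.conf enables.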
@@ -0,0 +1,31 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+authoritative;
+subnet6 2600:1234:5678:90ab::/64 {
+ range6 2600:1234:5678:90ab::1000 2600:1234:5678:90ab::2000;
+ do-forward-updates false;
+ option dhcp6.name-servers 2600:1234:5678:90ab::1;
+
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));
+
+zone example.com. {
+ primary 127.0.0.1;
+}
+
+
diff --git a/FreeBSD/usr/local/etc/namedb/named.conf b/FreeBSD/usr/local/etc/namedb/named.conf
new file mode 100644
index 0000000..71ccf50
--- /dev/null
+++ b/FreeBSD/usr/local/etc/namedb/named.conf
@@ -0,0 +1,385 @@
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works. Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+ allow-query { any; };
+ recursion yes;
+ query-source-v6 address 2600:1234:5678:90ab::1;
+ // All file and path names are relative to the chroot directory,
+ // if any, and should be fully qualified.
+ directory "/usr/local/etc/namedb/working";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
+ statistics-file "/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+ #listen-on { 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver. To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+// listen-on-v6 { ::1; };
+
+ listen-on-v6 { any; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+ disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+ disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+ disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below. This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+ forwarders {
+ 127.0.0.1;
+ };
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer. Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+// forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf. You can also enable
+// named_auto_forward_only (the effect of which is described above).
+// include "/usr/local/etc/namedb/auto_forward.conf";
+
+ /*
+ Modern versions of BIND use a random UDP port for each outgoing
+ query by default in order to dramatically reduce the possibility
+ of cache poisoning. All users are strongly encouraged to utilize
+ this feature, and to configure their firewalls to accommodate it.
+
+ AS A LAST RESORT in order to get around a restrictive firewall
+ policy you can try enabling the option below. Use of this option
+ will significantly reduce your ability to withstand cache poisoning
+ attacks, and should be avoided if at all possible.
+
+ Replace NNNNN in the example with a number between 49160 and 65530.
+ */
+ // query-source address * port NNNNN;
+};
+
+zone "thundat00th.net." { type master; allow-update { 127.0.0.1; }; file "/usr/local/etc/namedb/dynamic/example.com.db"; };
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
+
+/* Slaving the following zones from the root name servers has some
+ significant advantages:
+ 1. Faster local resolution for your users
+ 2. 
No spurious traffic will be sent from your network to the roots + 3. Greater resilience to any potential root server failure/DDoS + + On the other hand, this method requires more monitoring than the + hints file to be sure that an unexpected failure mode has not + incapacitated your server. Name servers that are serving a lot + of clients will benefit more from this approach than individual + hosts. Use with caution. + + To use this mechanism, uncomment the entries below, and comment + the hint zone above. + + As documented at http://dns.icann.org/services/axfr/ these zones: + "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others + are available for AXFR from these servers on IPv4 and IPv6: + xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org +*/ +/* +zone "." { + type slave; + file "/usr/local/etc/namedb/slave/root.slave"; + masters { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "arpa" { + type slave; + file "/usr/local/etc/namedb/slave/arpa.slave"; + masters { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "in-addr.arpa" { + type slave; + file "/usr/local/etc/namedb/slave/in-addr.arpa.slave"; + masters { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "ip6.arpa" { + type slave; + file "/usr/local/etc/namedb/slave/ip6.arpa.slave"; + masters { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +*/ + +/* Serving the following zones locally will 
prevent any queries + for these zones leaving your network and going to the root + name servers. This has two significant advantages: + 1. Faster local resolution for your users + 2. No spurious traffic will be sent from your network to the roots +*/ +// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost) +zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; }; +zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; +zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// RFC 1912-style zone for IPv6 localhost address (RFC 6303) +zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; + +// "This" Network (RFCs 1912, 5735 and 6303) +zone "0.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// Private Use Networks (RFCs 1918, 5735 and 6303) +zone "10.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "26.172.in-addr.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; +zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// Shared Address Space (RFC 6598) +zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "78.100.in-addr.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; +zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone 
"100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "121.100.in-addr.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; +zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// Link-local/APIPA (RFCs 3927, 5735 and 6303) +zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// IETF protocol assignments (RFCs 5735 and 5736) +zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303) +zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// IPv6 Example Range for Documentation (RFCs 3849 and 6303) +zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// Router Benchmark Testing (RFCs 2544 and 5735) +zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; + +// IANA Reserved - Old Class E Space (RFC 5735) +zone "240.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "241.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "242.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; +zone "243.in-addr.arpa" { type master; 
file "/usr/local/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries. It can be convenient to become
+// a slave at least for the zone your own domain is in. Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work. There are sometimes
+// non-obvious pitfalls. Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-) Use actual names
+// and addresses instead.
+ +/* An example dynamic zone +key "exampleorgkey" { + algorithm hmac-md5; + secret "sf87HJqjkqh8ac87a02lla=="; +}; +zone "example.org" { + type master; + allow-update { + key "exampleorgkey"; + }; + file "/usr/local/etc/namedb/dynamic/example.org"; +}; +*/ + +/* Example of a slave reverse zone +zone "1.168.192.in-addr.arpa" { + type slave; + file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa"; + masters { + 192.168.1.1; + }; +}; +*/ diff --git a/FreeBSD/var/cron/tabs/root b/FreeBSD/var/cron/tabs/root new file mode 100644 index 0000000..437b4c5 --- /dev/null +++ b/FreeBSD/var/cron/tabs/root @@ -0,0 +1,8 @@ +# DO NOT EDIT THIS FILE - edit the master and reinstall. +# (/tmp/crontab.q40BAzenoV installed on Sun Apr 18 22:56:27 2021) +# (Cron version -- $FreeBSD$) +# monthly zpool scrub +0 2 1 * * /sbin/zpool scrub zrootmirror + +# nightly config backup +0 3 * * * /root/fw/backup.sh diff --git a/README.md b/README.md index e85ded5..f4fe29c 100644 --- a/README.md +++ b/README.md @@ -301,7 +301,7 @@ There is a whole thread on this at [DSLreports](http://www.dslreports.com/forum/ However, I don't think this works for everyone. I had to explicitly tag my WAN traffic to VLAN0 which wasn't supported on my switch. -## OPNSense / FreeBSD +## OPNSense For OPNSense 20.1: follow the pfSense instructions, EXCEPT: 1) use file opnatt.sh 
@@ -310,7 +310,23 @@ follow the pfSense instructions, EXCEPT: 4) do *NOT* modify config.xml, nor do any of the duid stuff 5) note: You *CAN* use IPv6 Prefix id 0, as OPNSense does *NOT* assign a routeable IPv6 address to ngeth0 -I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience. +## FreeBSD (tested on 13.0-RELEASE) +For FreeBSD: +1) use file freeatt.sh +2) ng_etf.ko is not needed, standard FreeBSD includes all of the required modules +3) modules can be loaded from /boot/loader.conf, an example loader.conf with the modules listed is included (loading modules in the script should work, but lets do things "properly") +4) put the freeatt.sh script into '/etc' and rename to `start_if.$ONT_IF` in my case the file is `/etc/start_if.igb0` this will depend on your hardware +5) in rc.conf, add the line `ifconfig_$ONT_IF=""` this will trigger rc to run our start_if.$ONT_IF script to create the ngeth0 interface, and then do nothing else to the interface, in my case this line is `ifconfig_igb0=""` (using $RG_IF instead probably gives the same result) +6) configure the rest of rc.conf, an example is provided with the essentials, gateway_enable, DHCP settings etc. +7) configure pf, dhcpd, etc. to taste, generic examples provided + +Once you have IPv4 connectivity you're done, unless you want IPv6 as well. The default dhclient still does not support IPv6, so: +1) Install KAME dhcp6c 'pkg install dhcp6' +2) Configure rc.conf with 'ipv6_cpe_wanif="ngeth0"' in addition to the other ipv6, dhcp6c, and rtadvd configuration in rc.conf, filling in with your lan interface(s) +3) use the example configuration in `/usr/local/etc/dhcp6c.conf` to configure dhcp6c +4) Set some inet6 rules in pf.conf and test + +Example configuration files are provided for bind, dhcpd, dhcpd6, rtadvd, etc. 
based off of a currently working dual stack router running FreeBSD 13, other versions of FreeBSD may work # U-verse TV diff --git a/bin/freeatt.sh b/bin/freeatt.sh new file mode 100644 index 0000000..6143f25 --- /dev/null +++ b/bin/freeatt.sh 
@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='xx0'
+RG_IF='xx1'
+RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+ echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+ echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+ echo "$(getTimestamp) Configuration: "
+ echo "$(getTimestamp) ONT_IF: $ONT_IF"
+ echo "$(getTimestamp) RG_IF: $RG_IF"
+ echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+ echo "$(getTimestamp) building netgraph nodes..."
+
+ echo -n "$(getTimestamp) creating ng_one2many... "
+ /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+ /usr/sbin/ngctl name $ONT_IF:lower o2m
+ echo "OK!"
+
+ echo -n "$(getTimestamp) creating vlan node and interface... "
+ /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+ /usr/sbin/ngctl name o2m:many0 vlan0
+ /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+ /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+ /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... "
+ /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+ /usr/sbin/ngctl name o2m:many1 waneapfilter
+ /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... "
+ /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+ /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+ /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+ echo "OK!"
+
+ echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... "
+ /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+ echo "OK!"
+
+ echo -n "$(getTimestamp) defining filters for EAP traffic... "
+ /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling one2many links... "
+ /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+ echo "OK!"
+
+ echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... "
+ /usr/sbin/ngctl rmhook waneapfilter: nomatch
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling $RG_IF interface... "
+ /sbin/ifconfig $RG_IF up
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+ /sbin/ifconfig $ONT_IF up
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+ /sbin/ifconfig $RG_IF promisc
+ echo "OK!"
+
+ echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+ /sbin/ifconfig $ONT_IF promisc
+ echo "OK!"
+
+ echo -n "$(getTimestamp) set mac address on ngeth0..."
+ /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+ echo "OK!"
+
+ echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+ echo "$(getTimestamp) done!"
+} >> $LOG
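Review bot: The closing redirect `} >> $LOG` captures only stdout, so when one of the `ngctl` or `ifconfig` steps fails under `set -e` the log ends in a half-written `... ` progress line while the command's actual diagnostic goes to the caller's stderr (rc at boot, where it is easy to miss), and `$LOG` is unquoted; `} >> "$LOG" 2>&1` keeps the failure reason next to the step that produced it. The placeholders `xx0`, `xx1` and `xx:xx:xx:xx:xx:xx` are used with no check, and because the netgraph nodes created by the earlier `mkpeer` calls persist after the script exits, an abort part-way leaves `o2m`/`vlan0` behind and a rerun then fails at `ngctl name`; a guard before the first `mkpeer`, at minimum on the MAC which can never legitimately contain an `x`, fails fast before anything is created: `case "$RG_ETHER_ADDR" in *x*) echo "freeatt.sh: set ONT_IF/RG_IF/RG_ETHER_ADDR first" >&2; exit 1 ;; esac`. The interface and MAC variables are also expanded unquoted throughout (`$ONT_IF:`, `$RG_IF`, `$RG_ETHER_ADDR`); under `#!/bin/sh` quoting them costs nothing and matches the already-quoted `"$(getTimestamp)"` expansions.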