Infineon Amazon Config
From GPLdevWiki
Overview
System Configuration on Infineon Amazon chipset driven GPLed devices.
All devices based on the Infineon Amazon chipset share a common configuration file, /etc/rc.conf, which stores all user configuration (typically the web interface settings) and more. The file holds a large set of shell variable assignments, grouped into sections by formatting comments. It can be read by executing it (sourcing it in a shell), but on some devices it is handled by config manager executables instead.
The idea behind sectioned variable storage is flexibility: all parts of the OS can share a single file for configuration storage without clobbering each other's values. Most sections of this file are common to all devices; some are added by the respective device manufacturer.
- (C) 2008 Ralf Steines aka Hippie2000 - Released under GNU FDL 1.2.
- This document is actively maintained. Latest version on wiki.gpl-devices.org.
Introduction
File Format
The file rc.conf consists of tags that group key/value pairs. When an application writes to the file it replaces an entire tag (read / modify / write). Tag names must be unique and must not be substrings of other tag names, otherwise they conflict: in the example below, a tag "tag_name2" would be wiped out by changing values in "tag_name". To keep the config file shell compatible, key names are unique as well, though some third-party additions have not respected this.
#<< tag_name
key1="<value1>" # Comments on the right side of values
key2="<value2>" # are not necessarily supported but are
key3="<value3>" # used here to explain things.
#>> tag_name
Tags may contain lists. In that case they typically have the list member count as the first key, followed by a set of values whose key names carry an index (usually starting at 0) to keep them unique:
#<< tag_name
member_count="2"
member_name0="<name1>" # Comments on the right side of values
member_addr0="<addr1>" # are not necessarily supported but are
member_name1="<name2>" # used here to explain things.
member_addr1="<addr2>"
#>> tag_name
The rest should be obvious.
Access Commands
Writing one file from multiple applications in a multitasking environment is risky and requires locking or semaphore protection to avoid data loss. That is why rc.conf should not be modified directly on a running system.
For this an access executable is provided:
- FIXME
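The tag format and the access rules from the two sections above, as an added example that is not part of this wiki page or of any Infineon/Amazon firmware: a tag reader, a key lookup and a locked read/modify/write that replaces exactly one tag. It assumes a POSIX sh with sed and awk, uses a mkdir lock (hypothetical, chosen because busybox-class systems often lack flock) and operates on a constructed sample file; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's or the firmware's own tooling.
# Assumptions: file path passed as an argument; mkdir-based lock directory.

# Constructed sample in the page's format, written to the path given as $1.
make_sample_rcconf() {
  cat > "$1" <<'EOF'
#<< tag_name
key1="a" # comment after a value
Password=admin # unquoted value, as in the system_password tag
#>> tag_name
#<< tag_name2
key1="x"
#>> tag_name2
EOF
}

# Count tag start markers a pattern selects. The unanchored form is the
# substring problem the page warns about: "tag_name" also hits "tag_name2".
count_tag_starts_naive() { grep -c "^#<< $2" "$1"; }
count_tag_starts()       { grep -c "^#<< $2\$" "$1"; }

# Print the body of one tag: the lines between its exact #<< and #>> markers.
rc_get_tag() {  # rc_get_tag FILE TAG
  sed -n "/^#<< $2\$/,/^#>> $2\$/p" "$1" | sed '1d;$d'
}

# Print one key's value with quotes, trailing comment and trailing blanks removed.
rc_get_value() {  # rc_get_value FILE TAG KEY
  rc_get_tag "$1" "$2" \
    | sed -n "s/^$3=['\"]\{0,1\}\([^'\"#]*\)['\"]\{0,1\}.*/\1/p" \
    | sed 's/[[:space:]]*$//'
}

# Replace (or append) one whole tag under a lock, then rename the result into place.
rc_set_tag() {  # rc_set_tag FILE TAG BODY   (BODY: newline-separated key="value" lines)
  file=$1; tag=$2; body=$3
  lock="$file.lock"; tries=0
  until mkdir "$lock" 2>/dev/null; do   # mkdir is atomic, so it doubles as a mutex
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "rc_set_tag: lock busy: $lock" >&2; return 1; }
    sleep 1
  done
  tmp="$file.tmp.$$"
  # Exact string comparison on the marker lines avoids the substring problem.
  if awk -v tag="$tag" -v body="$body" '
      $0 == ("#<< " tag) { print; print body; skip = 1; seen = 1; next }
      $0 == ("#>> " tag) { skip = 0 }
      !skip              { print }
      END { if (!seen) { print "#<< " tag; print body; print "#>> " tag } }
    ' "$file" > "$tmp"; then
    mv "$tmp" "$file"; rc=$?          # rename is atomic: readers see old or new, never half
  else
    rc=$?; rm -f "$tmp"
  fi
  rmdir "$lock"
  return $rc
}

# Usage: sh rcconf.sh /path/to/rc.conf TAG   (prints that tag's body)
if [ "$#" -eq 2 ]; then rc_get_tag "$1" "$2"; fi
```

Sourcing the file (`. /etc/rc.conf` in a subshell) is what "read by executing it" means, but it runs whatever the file contains, so for inspection of a copy pulled off a device a parser like the one above is the safer choice. The lock and the rename-into-place are the two pieces that make the read/modify/write safe against a second writer; a naive `sed -i` on the live file provides neither.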
Common Settings
These settings are common on nearly any Amazon-driven device:
System Settings
ConfigID
- Config file version, used for automatic version migration.
#<< ConfigID
config_version="1" # Config file version
#>> ConfigID
password_file
- Used as default to create /etc/passwd if none is present.
#<< password_file
passFileLineCount='1' # Number of users, typically 1
passFileLineCount0='root:$1$YXZ$bzugbzuozgvobvuoz:0:0:root:/root:/bin/sh'
#>> password_file
system_password
- Stores the password for the web interface; often not used by custom interfaces.
#<< system_password
Password=admin # WebIF Password in clear text
#>> system_password
system_autologout
- Specifies the automatic idle logout time for the web interface.
#<< system_autologout
AutoLogoutTime=1800 # Auto Logout Time in seconds, 0=disabled
#>> system_autologout
Firewall Settings
application_server
- Configures WAN and LAN port settings for some common internal services.
#<< application_server
WEB_WAN_ENABLE="0" # Enable HTTP WAN access, 1=enabled
WEB_WAN_PORT="80" # HTTP port
WEB_LAN_ENABLE="1" # Enable HTTP LAN access, 1=enabled
TELNET_WAN_ENABLE="0" # Enable Telnet WAN access, 1=enabled
TELNET_WAN_PORT="23" # Telnet port
TELNET_LAN_ENABLE="1" # Enable Telnet LAN access, 1=enabled
SSH_WAN_ENABLE="0" # Enable SSH WAN access, 1=enabled
SSH_WAN_PORT="22" # SSH port
SSH_LAN_ENABLE="1" # Enable SSH LAN access, 1=enabled
FTP_WAN_ENABLE="0" # Enable FTP WAN access, 1=enabled
FTP_WAN_PORT="21" # FTP port
FTP_LAN_ENABLE="1" # Enable FTP LAN access, 1=enabled
TFTP_WAN_ENABLE="0" # Enable TFTP WAN access, 1=enabled
TFTP_WAN_PORT="69" # TFTP port
TFTP_LAN_ENABLE="1" # Enable TFTP LAN access, 1=enabled
SNMP_WAN_ENABLE="0" # Enable SNMP WAN access, 1=enabled
IGMP_ENABLE="0" # Enable IGMP, 1=enabled
IGMP_MODE="1" # IGMP Mode, 1=proxy 2=snooping
IGMP_WAN_INTF="1" # WAN Interface 1-15 (proxy only)
IGMP_LEAVE_LATENCY_ENABLE="1" # Enable Leave Latency, 1=enabled
IGMP_MAXRESPTIME="10" # MaxRespTime
#>> application_server
servers_acl
#<< servers_acl
SERVERS_ACL_ENABLE="1" # Enable Servers ACL, 1=enabled
SERVERS_ACL0="192.168.197.197" #
SERVERS_ACL1="0" #
SERVERS_ACL2="0" #
SERVERS_ACL3="0" #
SERVERS_ACL4="0" #
SERVERS_ACL5="0" #
SERVERS_ACL6="0" #
SERVERS_ACL7="0" #
SERVERS_ACL8="0" #
SERVERS_ACL9="0" #
SERVERS_ACL10="0" #
SERVERS_ACL11="0" #
SERVERS_ACL12="0" #
SERVERS_ACL13="0" #
SERVERS_ACL14="0" #
SERVERS_ACL15="0" #
#>> servers_acl
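The exposure-relevant keys documented so far (system_password, password_file, application_server and servers_acl) lend themselves to a read-only audit of a copy of rc.conf. The script below is an added example, not part of this page or of any firmware: it parses the file with sed and grep rather than executing it, runs over a constructed sample that deliberately carries the settings it flags, and its message texts, the md5crypt check on the `$1$` hash prefix, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of an rc.conf copy. Not firmware code.
# Assumptions: POSIX sh with sed/grep; keys are unique file-wide (as the page states).

# Constructed sample carrying the settings the audit reports on.
make_sample_rcconf() {
  cat > "$1" <<'EOF'
#<< password_file
passFileLineCount='1'
passFileLineCount0='root:$1$YXZ$bzugbzuozgvobvuoz:0:0:root:/root:/bin/sh'
#>> password_file
#<< system_password
Password=admin # WebIF Password in clear text
#>> system_password
#<< application_server
WEB_WAN_ENABLE="1" # Enable HTTP WAN access, 1=enabled
WEB_WAN_PORT="80" # HTTP port
TELNET_WAN_ENABLE="0"
TELNET_LAN_ENABLE="1"
SSH_WAN_ENABLE="0"
#>> application_server
#<< servers_acl
SERVERS_ACL_ENABLE="0" # Enable Servers ACL, 1=enabled
SERVERS_ACL0="0" #
#>> servers_acl
EOF
}

# Value of KEY anywhere in FILE, quotes and trailing comment removed.
rc_value() {  # rc_value FILE KEY
  sed -n "s/^$2=['\"]\{0,1\}\([^'\"#]*\)['\"]\{0,1\}.*/\1/p" "$1" | sed 's/[[:space:]]*$//'
}

# One finding per line; exit status 1 when anything was found, 0 when clean.
rc_audit() {  # rc_audit FILE
  f=$1; n=0
  # Services reachable from the WAN side: one line per *_WAN_ENABLE="1"
  for key in $(sed -n 's/^\([A-Z]*\)_WAN_ENABLE="1".*/\1/p' "$f"); do
    port=$(rc_value "$f" "${key}_WAN_PORT")
    echo "WARN: $key is reachable from the WAN on port ${port:-unknown}"
    n=$((n + 1))
  done
  # Unencrypted management protocols still enabled on the LAN
  for svc in TELNET FTP TFTP; do
    [ "$(rc_value "$f" "${svc}_LAN_ENABLE")" = 1 ] &&
      { echo "INFO: $svc (cleartext protocol) enabled on the LAN"; n=$((n + 1)); }
  done
  # Web interface password: stored in clear text by design, here at the default
  pw=$(rc_value "$f" Password)
  [ -n "$pw" ] &&
    { echo "INFO: web password is stored in clear text in system_password"; n=$((n + 1)); }
  [ "$pw" = admin ] &&
    { echo "WARN: web password is the factory default 'admin'"; n=$((n + 1)); }
  # root hash format: a $1$ prefix is md5crypt
  grep -q '^passFileLineCount0=.*:\$1\$' "$f" &&
    { echo "INFO: password_file root entry uses md5crypt (\$1\$)"; n=$((n + 1)); }
  # Source-address ACL for the internal servers switched off
  [ "$(rc_value "$f" SERVERS_ACL_ENABLE)" = 0 ] &&
    { echo "WARN: servers_acl disabled: no source-address restriction on internal services"; n=$((n + 1)); }
  [ "$n" -eq 0 ]
}

# Usage: sh rcaudit.sh /path/to/copy-of-rc.conf
if [ "$#" -eq 1 ] && [ -f "$1" ]; then rc_audit "$1"; fi
```

The WAN loop keys off the naming scheme (`<SERVICE>_WAN_ENABLE` with a matching `<SERVICE>_WAN_PORT`), so it picks up any service the manufacturer adds in the same style; SNMP, which has no port key on this page, is reported with an unknown port rather than skipped.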
dos_main
- Controls the DoS attack protection and ping passthrough.
#<< dos_main
DOS_ENABLE="1" # Enable DoS Attack Protection, 1=enable
PING_FORWARD="1" # Discard PING Forwarding, 1=discarded
PING_GW="1" # Discard to PING the Gateway, 1=discarded
#>> dos_main
dos_applications
- Configures application-specific DoS attack protection.
#<< dos_applications
HOTSYNC_STATUS="0" # Enable HotSync Manager protection, 1=enabled
HOTSYNC_PORT="14238" # Protected port
OLD_HOTSYNC_PORT="14238" # Default port for WebIF reset
YAHOO_STATUS="0" # Enable Yahoo Messenger protection, 1=enabled
YAHOO_PORT="5010" # Protected port
OLD_YAHOO_PORT="5010" # Default port for WebIF reset
MIME_STATUS="0" # Enable Malformed MIME protection, 1=enabled
MIME_PORT="25" # Protected port
OLD_MIME_PORT="25" # Default port for WebIF reset
# Web related attacks:
WEB_PORT="80" # Protected Web port
OLD_WEB_PORT="80" # Default port for WebIF reset
ICQ_STATUS="0" # Enable ICQ DoS protection, 1=enabled
CODERED_STATUS="0" # Enable Code Red protection, 1=enabled
CODERED2_STATUS="0" # Enable Code Red II protection, 1=enabled
#>> dos_applications
dos_scans
- Configures scan-related DoS attack protection.
#<< dos_scans
TCPSYNFLOOD_STATUS="0" # Enable TCP SYN Flood protection, 1=enable
TCPSYNFLOOD_LIMIT="40" # Allowed Packet Rate (packets per sec)
TCPSYNFLOOD_BURST="40" # Burst Tolerance (packets)
OLD_TCPSYNFLOOD_LIMIT="40" # Default Allowed Packet Rate for WebIF reset
OLD_TCPSYNFLOOD_BURST="40" # Default Burst Tolerance for WebIF reset
PORTSCAN_STATUS="0" # Enable Port Scan protection, 1=enable
LOPORT_WEIGHT="5" # Low Port Weight (1-1024)
HIPORT_WEIGHT="2" # High Port Weight (1025-65535)
DELAY_THRESHOLD="20" # Delay Threshold (seconds)
WEIGHT_THRESHOLD="30" # Weight Threshold
OLD_LOPORT_WEIGHT="5" # Default Low Port Weight for WebIF reset
OLD_HIPORT_WEIGHT="2" # Default High Port Weight for WebIF reset
OLD_DELAY_THRESHOLD="20" # Default Delay Threshold for WebIF reset
OLD_WEIGHT_THRESHOLD="30" # Default Weight Threshold for WebIF reset
#>> dos_scans
dos_networking
- Configures networking-related DoS attack protection.
#<< dos_networking
WINNUKE_STATUS="0" # Enable Winnuke protection, 1=enable
WINNUKE_PORTS="133" # Protected port(s)
OLD_WINNUKE_PORTS="133" # Default port for WebIF reset
XMAS_STATUS="0" # Enable Xmas Tree protection, 1=enable
UDPBOMB_STATUS="0" # Enable UDP Bomb protection, 1=enable
UDPPORTLOOPBACK_STATUS="0" # Enable UDP Port Loopback protection, 1=enable
LOOPBACK_PORTS="7,9" # Protected port(s)
OLD_LOOPBACK_PORTS="7,9" # Default port for WebIF reset
FRAGGLE_STATUS="0" # Enable Fraggle protection, 1=enable
FRAGGLE_RATE="42" # Packet Rate (packets per second)
OLD_FRAGGLE_RATE="42" # Default rate for WebIF reset
LAND_STATUS="0" # Enable Land Attack protection, 1=enable
FTPPORTRESTRICTED_STATUS="0" # Enable FTP Port Restricted protection, 1=enable
TCPHIJACKING_STATUS="0" # Enable TCP Hijacking protection, 1=enable
#>> dos_networking
firewall_main
- Enables the firewall.
#<< firewall_main
FIREWALL_ENABLE="1" # Enable Firewall, 1=enable
#>> firewall_main
firewall_packetfilter
- Enables firewall packet filtering.
#<< firewall_packetfilter_status
PF_STATUS="1" # Enable Packet Filtering, 1=enable
#>> firewall_packetfilter_status
- Configures the firewall packet filters.
#<< firewall_packetfilter
PF_Count="1" # Number of Packet Filters, 0=none
PF_F0="1" # Enable this Packet Filter, 1=enable
PF_IP_SRC_IP0="*" # Source IP, *=all
PF_IP_SRC_MASK0="0" # Source Netmask, 0=all
PF_PORT_SRC_START0="*" # Source Port Start, *=all
PF_PORT_SRC_END0="*" # Source Port End, *=all
PF_IP_DST_IP0="*" # Destination IP, *=all
PF_IP_DST_MASK0="0" # Destination Netmask, 0=all
PF_PORT_DST_START0="*" # Destination Port Start, *=all
PF_PORT_DST_END0="*" # Destination Port End, *=all
PF_TYPE0="0" # Protocol, 0=all 6=tcp 17=udp 1=icmp 51=ah 50=esp
PF_IN_IF0="lan4" # Ingress Interface
PF_OUT_IF0="lan5" # Egress Interface
#>> firewall_packetfilter
firewall_mac
- Enables firewall MAC address filtering.
#<< firewall_mac_status
MAC_control="2" # Enable MAC Filtering, 1=denyall 2=permitall
#>> firewall_mac_status
- Configures firewall MAC filtering.
#<< firewall_mac
PC_Count="1" # Number of MAC Filters, 0=none
PC_STATUS0="1" # Enable this filter, 1=deny 2=permit
PC_MACADDR0="00:11:22:33:44:55" # MAC Address
PC_DAYSELECTION0="11111xx" # Day Matrix Mon-Sun, 1=selected x=not
PC_TIMESTART0="00:00" # Start Time hh:mm
PC_TIMEEND0="09:00" # End Time hh:mm
#>> firewall_mac
firewall_dmz
- Configures a virtual DMZ host.
#<< firewall_dmz
DMZ_ENABLE="1" # Enable virtual DMZ host, 1=enable
DMZ_HOST="192.168.199.199" # Virtual DMZ host IP
#>> firewall_dmz
nat_main
- Enables NAT / NAPT.
#<< nat_main
ipnat_enable="1" # Enable NAT / NAPT, 1=enable
#>> nat_main
nat_portmap
- Configures NAT port mappings.
#<< nat_portmap
CLONE_NUM="1" # Number of NAT Portmappings, 0=none
CLONE_ENABLE1="1" # Enable this Port Mapping, 1=enable
CLONE_IP1="192.168.199.199" # Server IP
CLONE_PORTS1="30000-40000" # Mapping Ports
CLONE_PORTS1_NUM="1"
CLONE_PORTS1_1="30000:40000"
#>> nat_portmap
nat_virtualser
- Configures virtual server port forwardings.
#<< nat_virtualser
FIXME: MISSING
#>> nat_virtualser
napt_algs
- Configures NAPT support for some multi-port protocols (Application Layer Gateway).
#<< napt_algs
ALG_SIP_ENABLE="1" # Enable SIP support, 1=enable
ALG_SIP_CLIENT="10.10.10.200" # SIP Client IP, empty=none
ALG_SIP_PORT="5060" # SIP Port
# These are obsolete, superseded by the algs tag below:
ALG_H323="1" # Enable H323 support, 1=enable
ALG_PPTP="1" # Enable PPTP support, 1=enable
ALG_RTSP="1" # Enable RTSP support, 1=enable
ALG_CUSEEME="1" # Enable CUSeeMe support, 1=enable
ALG_MMS="1" # Enable MMS support, 1=enable
ALG_FTP="1" # Enable FTP support, 1=enable
ALG_TALK="0" # Enable TALK support, 1=enable
#>> napt_algs
algs
- Successor of the napt_algs tag above; includes bandwidth control.
#<< algs
NETMEETING_STATUS="1" # Enable Netmeeting / H323 support, 1=enable
NETMEETING_QOS="0" #
NETMEETING_MINBW="" #
NETMEETING_MAXBW="" #
PPTP_STATUS="1" # Enable PPTP support, 1=enable
PPTP_QOS="0" #
PPTP_MINBW="" #
PPTP_MAXBW="" #
RTSP_STATUS="1" # Enable RTSP / Real support, 1=enable
RTSP_QOS="0" #
RTSP_MINBW="" #
RTSP_MAXBW="" #
FTP_STATUS="1" # Enable FTP support, 1=enable
FTP_QOS="0" #
FTP_MINBW="" #
FTP_MAXBW="" #
IPSEC_STATUS="1" # Enable IPsec support, 1=enable
IPSEC_QOS="0" #
IPSEC_MINBW="" #
IPSEC_MAXBW="" #
SIP_STATUS="1" # Enable SIP support, UNUSED
SIP_QOS="0" #
SIP_MINBW="" #
SIP_MAXBW="" #
ICMP_STATUS="1" # Enable ICMP support, UNUSED?
ICMP_QOS="0" #
ICMP_MINBW="" #
ICMP_MAXBW="" #
#>> algs
policy_routing
- Enables policy routing.
#<< policy_routing_status
PR_STATUS="1" # Enable Policy Routing, 1=enable
#>> policy_routing_status
- Configures policy routing.
#<< policy_routing
PR_Count="1" # Number of Policies, 0=none
PR_R0="1" # Enable this Policy, 1=enable
PR_SRC_IP0="192.168.198.198" # Source IP
PR_IP_SRC_MASK0="0" # Source Netmask
PR_SRC_PORT0="40000" # Source Port
PR_DST_IP0="192.168.198.199" # Destination IP
PR_IP_DST_MASK0="0" # Destination Netmask
PR_DST_PORT0="40000" # Destination Port
PR_PROTOCOL0="6" # Protocol, 0=all 6=tcp 17=udp 1=icmp 51=ah 50=esp
PR_DIFFSERV0="*" # DiffServ Mark, *=none
PR_OP_IF0="lan5" # Output Interface
#>> policy_routing

