~mdw / secnet / blame
| Commit | Line | Data |
|---|---|---|
| 2fe58dfd SE |
1 | # secnet configuration file |
| 2 | ||
| 3 | # This file defines a dictionary full of configuration information for | |
| 4 | # secnet. Two keys must be defined in this file for secnet to | |
| 5 | # start. One is "system", a dictionary containing systemwide control | |
| 6 | # parameters. The other is "sites", a list of all the sites that you | |
| 7 | # intend to communicate with. | |
| 8 | ||
| 9 | # Other files can be included inline by writing "include filename" at | |
| 10 | # the start of a line. | |
| 11 | ||
| 12 | # The configuration file has a fairly simple syntax: | |
| 13 | # key definition; or key = definition; (the "=" is optional) | |
| 14 | # ...sets 'key' in the current dictionary to 'definition'. | |
| 15 | # | |
| 16 | # "key" is [[:alpha:]_][[:alnum:]\-_]* | |
| 17 | # | |
| 18 | # definition may be one of the following: | |
| 19 | # a string, in quotes | |
| 20 | # a number, in decimal | |
| 21 | # a dictionary, in { } | |
| 22 | # a path to a key that already exists, to reference that definition | |
| 23 | # a "closure", followed by arguments | |
| 24 | # | |
| 25 | # paths are key1/key2/key3... (starting from wherever we find key1, i.e. in | |
| 26 | # the current dictionary or any of its parents) | |
| 27 | # alternatively /key1/key2/key3... (to start from the root) | |
| 28 | # | |
| 29 | # closures are followed by an argument list in ( ), and may return | |
| 30 | # whatever type they like (including other closures) | |
| 31 | # | |
| 32 | # closure { definitions } is short for closure({definitions}). | |
| 33 | # | |
| 34 | # Whenever secnet looks for a key it checks the (lexical) parent dictionaries | |
| 35 | # as well until it finds it or reaches the root. This is useful for setting | |
| 36 | # defaults for large collections of dictionaries (eg. defining sites). | |
| 37 | # | |
| 38 | # It is also permissible to list other dictionaries before a dictionary | |
| 39 | # definition, eg. <defaults,otherdefaults>{definitions}. These will be | |
| 40 | # searched in order for keys, before the lexical parent. (Not yet implemented) | |
| 41 | # | |
| 42 | # secnet predefines some keys in the root dictionary; some useful ones are: | |
| 43 | # yes, true, True, TRUE: the boolean value True | |
| 44 | # no, false, False, FALSE: the boolean value False | |
| 45 | # makelist: turns a dictionary (arg1) into a list (return value) | |
| 46 | # readfile: reads a file (arg1) and returns it as a string | |
| 47 | # | |
| 48 | # secnet modules also predefine keys, eg. "adns", "randomfile", etc. | |
| 49 | # See the module documentation for more information. | |
| 50 | ||
| 51 | # After the configuration file is read, secnet looks for particular keys | |
| 52 | # in configuration space to tell it what to do: | |
| 53 | # system: system-wide parameters (control, logging, etc.) | |
| 54 | # sites: a list of sites with which to communicate | |
| 55 | ||
| 56 | # Log facility | |
| 57 | log logfile("secnet","local2"); # Not yet implemented, goes to stderr | |
| 58 | ||
| 59 | # Systemwide configuration (all other configuration is per-site): | |
| 60 | # log a log facility for program messages | |
| 61 | # userid who we try to run as after setup | |
| 62 | # pidfile | |
| 63 | system { | |
| 64 | # userid "tunnel"; | |
| 65 | # pidfile "/var/run/secnet.pid"; | |
| 66 | }; | |
| 67 | ||
| 68 | # Parameters for each remote site (arguments to the site() closure): | |
| 69 | # things we configure locally | |
| 70 | # buffer buffer for constructing/sending/receiving packets | |
| 71 | # netlink user/kernel netlink device for this tunnel | |
| 72 | # comm UDP communication | |
| 73 | # resolver resolver to use for name lookups | |
| 74 | # log a log destination for this connection | |
| 75 | # log-events string list: which events we log | |
| 76 | # random a source of randomness | |
| 77 | ||
| 78 | # our local configuration visible to the outside world | |
| 79 | # local-name string: how we identify ourselves to them | |
| 80 | # local-key our own private RSA key | |
| 81 | # local-port port number we listen on | |
| 82 | ||
| 83 | # their configuration visible to us | |
| 84 | # name string: how they identify themselves | |
| 85 | # address string: use with resolver to find their IP address | |
| 86 | # networks string list: their networks for us | |
| 87 | # key the remote site's RSA public key | |
| 88 | # port port we send to to contact remote site | |
| 89 | ||
| 90 | # things both ends must agree on | |
| 91 | # transform routine for bulk encryption | |
| 92 | # dh Diffie-Hellman parameters | |
| 93 | # hash secure hash function | |
| 94 | ||
| 95 | # A buffer for all sites to share, to construct outgoing packets | |
| 96 | buffer sysbuffer(4096,{lockdown=yes;}); | |
| 97 | ||
| 4efd681a SE |
98 | netlink tun { |
| 99 | # name "foo"; # Printed in log messages from this netlink | |
| 2fe58dfd SE |
100 | # userv-path "/usr/bin/userv"; |
| 101 | # service-user "root"; | |
| 102 | # service-name "ipif"; | |
| 103 | ||
| 104 | # local networks served by this netlink device | |
| 105 | # incoming tunneled packets for other networks will be discarded | |
| 4efd681a | 106 | networks "192.168.73.74/32","192.168.73.75/32"; |
| 2fe58dfd SE |
107 | local-address "192.168.73.74"; # IP address of interface |
| 108 | secnet-address "192.168.73.75"; # IP address of secnet | |
| 109 | mtu 1400; | |
| 110 | ||
| 111 | buffer sysbuffer(); # userv/ipif needs a buffer to build incoming | |
| 112 | # packets from the netlink device before passing them | |
| 113 | # to the site layer | |
| 114 | }; | |
| 115 | comm udp { | |
| 116 | port 5678; | |
| 117 | # buffer shared with sites | |
| 118 | }; | |
| 119 | resolver adns { | |
| 120 | noenv=yes; # yes is a name for the boolean "true" | |
| 121 | nameservers "127.0.0.1","192.168.73.4"; | |
| 122 | }; | |
| 123 | # log is defined earlier - we share it with the system | |
| 124 | log-events "init","up","down"; | |
| 125 | random randomfile("/dev/urandom",no); | |
| 126 | ||
| 127 | local-name "zealot"; | |
| 128 | local-key rsa-private("private-key"); | |
| 129 | ||
| 130 | transform serpent256-cbc { | |
| 131 | max-sequence-skew 10; | |
| 132 | }; | |
| 133 | ||
| 134 | dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2"); | |
| 135 | hash md5; | |
| 136 | ||
| 137 | zealot { | |
| 138 | name "zealot"; | |
| 139 | address "zealot.sinister.greenend.org.uk"; | |
| 140 | port 5678; | |
| 141 | networks "192.168.73.74/32", "192.168.73.75/32"; | |
| 142 | key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833"); | |
| 143 | }; | |
| 144 | ||
| 145 | myrddin { | |
| 146 | name "myrddin"; | |
| 147 | address "myrddin.sinister.greenend.org.uk"; | |
| 148 | port 1234; | |
| 149 | networks "192.168.73.72/32", "192.168.73.73/32"; | |
| 150 | key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543"); | |
| 151 | }; | |
| 152 | ||
| 153 | sites site(myrddin); |