1 |
--- doc/sample.config.orig 2020-04-09 20:56:20 UTC |
1 |
--- doc/sample.config.orig 2020-09-20 19:49:01 UTC |
2 |
+++ doc/sample.config |
2 |
+++ doc/sample.config |
3 |
@@ -19,7 +19,7 @@ |
3 |
@@ -19,7 +19,7 @@ |
4 |
# This enabled PAM authentication of the user. The gid-min option is used |
4 |
# This enabled PAM authentication of the user. The gid-min option is used |
5 |
# by auto-select-group option, in order to select the minimum valid group ID. |
5 |
# by auto-select-group option, in order to select the minimum valid group ID. |
6 |
# |
6 |
# |
7 |
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] |
7 |
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] |
8 |
+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] |
8 |
+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] |
9 |
# The plain option requires specifying a password file which contains |
9 |
# The plain option requires specifying a password file which contains |
10 |
# entries of the following format. |
10 |
# entries of the following format. |
11 |
# "username:groupname1,groupname2:encoded-password" |
11 |
# "username:groupname1,groupname2:encoded-password" |
12 |
@@ -106,8 +106,8 @@ udp-port = 443 |
12 |
@@ -110,8 +110,8 @@ udp-port = 443 |
13 |
|
13 |
# The user the worker processes will be run as. This should be a dedicated |
14 |
# The user the worker processes will be run as. It should be |
14 |
# unprivileged user (e.g., 'ocserv') and no other services should run as this |
15 |
# unique (no other services run as this user). |
15 |
# user. |
16 |
-run-as-user = nobody |
16 |
-run-as-user = nobody |
17 |
-run-as-group = daemon |
17 |
-run-as-group = daemon |
18 |
+run-as-user = _ocserv |
18 |
+run-as-user = _ocserv |
19 |
+run-as-group = _ocserv |
19 |
+run-as-group = _ocserv |
20 |
|
20 |
|
21 |
# socket file used for IPC with occtl. You only need to set that, |
21 |
# socket file used for IPC with occtl. You only need to set that, |
22 |
# if you use more than a single servers. |
22 |
# if you use more than a single servers. |
23 |
@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem |
23 |
@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem |
24 |
### failures during the reloading time. |
24 |
### failures during the reloading time. |
25 |
|
25 |
|
26 |
|
26 |
|
27 |
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of |
27 |
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of |
28 |
-# system calls allowed to a worker process, in order to reduce damage from a |
28 |
-# system calls allowed to a worker process, in order to reduce damage from a |
29 |
-# bug in the worker process. It is available on Linux systems at a performance cost. |
29 |
-# bug in the worker process. It is available on Linux systems at a performance cost. |
30 |
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). |
30 |
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). |
31 |
-# Note however, that process isolation is restricted to the specific libc versions |
31 |
-# Note however, that process isolation is restricted to the specific libc versions |
32 |
-# the isolation was tested at. If you get random failures on worker processes, try |
32 |
-# the isolation was tested at. If you get random failures on worker processes, try |
33 |
-# disabling that option and report the failures you, along with system and debugging |
33 |
-# disabling that option and report the failures you, along with system and debugging |
34 |
-# information at: https://gitlab.com/ocserv/ocserv/issues |
34 |
-# information at: https://gitlab.com/ocserv/ocserv/issues |
35 |
-isolate-workers = true |
35 |
-isolate-workers = true |
36 |
+# ocserv 1.0.1 on FreeBSD does not currently support process isolation, |
36 |
+# ocserv 1.1.1 on FreeBSD does not currently support process isolation, |
37 |
+# because ocserv only supports Linux's seccomp system, but not capsicum(4). |
37 |
+# because ocserv only supports Linux's seccomp system, but not capsicum(4). |
38 |
+#isolate-workers = false |
38 |
+#isolate-workers = false |
39 |
|
39 |
|
40 |
# A banner to be displayed on clients |
40 |
# A banner to be displayed on clients after connection |
41 |
#banner = "Welcome" |
41 |
#banner = "Welcome" |
42 |
@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0 |
42 |
@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 |
43 |
# Note the that following two firewalling options currently are available |
43 |
# Note the that following two firewalling options currently are available |
44 |
# in Linux systems with iptables software. |
44 |
# in Linux systems with iptables software. |
45 |
|
45 |
|
46 |
-# If set, the script /usr/bin/ocserv-fw will be called to restrict |
46 |
-# If set, the script /usr/bin/ocserv-fw will be called to restrict |
47 |
+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict |
47 |
+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict |
48 |
# the user to its allowed routes and prevent him from accessing |
48 |
# the user to its allowed routes and prevent him from accessing |
49 |
# any other routes. In case of defaultroute, the no-routes are restricted. |
49 |
# any other routes. In case of defaultroute, the no-routes are restricted. |
50 |
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw |
50 |
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw |
51 |
+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw |
51 |
+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw |
52 |
# --removeall. This option can be set globally or in the per-user configuration. |
52 |
# --removeall. This option can be set globally or in the per-user configuration. |
53 |
#restrict-user-to-routes = true |
53 |
#restrict-user-to-routes = true |
54 |
|
54 |
|
55 |
# This option implies restrict-user-to-routes set to true. If set, the |
55 |
# This option implies restrict-user-to-routes set to true. If set, the |
56 |
-# script /usr/bin/ocserv-fw will be called to restrict the user to |
56 |
-# script /usr/bin/ocserv-fw will be called to restrict the user to |
57 |
+# script /usr/local/bin/ocserv-fw will be called to restrict the user to |
57 |
+# script /usr/local/bin/ocserv-fw will be called to restrict the user to |
58 |
# access specific ports in the network. This option can be set globally |
58 |
# access specific ports in the network. This option can be set globally |
59 |
# or in the per-user configuration. |
59 |
# or in the per-user configuration. |
60 |
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" |
60 |
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" |
61 |
@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0 |
61 |
@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 |
62 |
# hostname to override any proposed by the user. Note also, that, any |
62 |
# hostname to override any proposed by the user. Note also, that, any |
63 |
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. |
63 |
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. |
64 |
|
64 |
|
65 |
-#config-per-user = /etc/ocserv/config-per-user/ |
65 |
-#config-per-user = /etc/ocserv/config-per-user/ |
66 |
-#config-per-group = /etc/ocserv/config-per-group/ |
66 |
-#config-per-group = /etc/ocserv/config-per-group/ |
67 |
+#config-per-user = /usr/local/etc/ocserv/config-per-user/ |
67 |
+#config-per-user = /usr/local/etc/ocserv/config-per-user/ |
68 |
+#config-per-group = /usr/local/etc/ocserv/config-per-group/ |
68 |
+#config-per-group = /usr/local/etc/ocserv/config-per-group/ |
69 |
|
69 |
|
70 |
# When config-per-xxx is specified and there is no group or user that |
70 |
# When config-per-xxx is specified and there is no group or user that |
71 |
# matches, then utilize the following configuration. |
71 |
# matches, then utilize the following configuration. |
72 |
-#default-user-config = /etc/ocserv/defaults/user.conf |
72 |
-#default-user-config = /etc/ocserv/defaults/user.conf |
73 |
-#default-group-config = /etc/ocserv/defaults/group.conf |
73 |
-#default-group-config = /etc/ocserv/defaults/group.conf |
74 |
+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf |
74 |
+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf |
75 |
+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf |
75 |
+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf |
76 |
|
76 |
|
77 |
# The system command to use to setup a route. %{R} will be replaced with the |
77 |
# The system command to use to setup a route. %{R} will be replaced with the |
78 |
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. |
78 |
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. |
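Review bot: The `otp=` half of the example on line 8 of the new patch still points at `/etc/ocserv/users.otp` while the `passwd=` half on the same line is rewritten to `/usr/local/etc/ocserv/ocpasswd`; every other path in this patch (ocserv-fw, config-per-user, default-user-config) is moved under the FreeBSD prefix, so an admin copying the sample line would get a password file under /usr/local/etc and an OTP file that is never found there. The line should read `+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/usr/local/etc/ocserv/users.otp]`. Separately, the replacement comment at line 36 pins a version (`ocserv 1.1.1 on FreeBSD does not currently support process isolation`) that this revision already had to bump from 1.0.1 and will go stale on the next update; wording such as `# ocserv on FreeBSD does not currently support process isolation (seccomp only, no capsicum(4) support), so the worker-isolation hardening is unavailable here.` states the same fact without the maintenance burden. The new upstream context at line 14 gives `'ocserv'` as the example user name while the patched value is `_ocserv`; it is upstream text, but a port reader may find the mismatch confusing.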