aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net-mgmt/chillispot/Makefile15
-rw-r--r--net-mgmt/chillispot/files/chillispot.sh.in26
-rw-r--r--net-mgmt/chillispot/files/installguide.txt435
-rw-r--r--net-mgmt/chillispot/files/ipfw-config.sample71
-rw-r--r--net-mgmt/chillispot/files/pf.conf.sample47
-rw-r--r--net-mgmt/chillispot/files/pkg-message.in8
-rw-r--r--net-mgmt/chillispot/pkg-message5
-rw-r--r--net-mgmt/chillispot/pkg-plist6
8 files changed, 602 insertions, 11 deletions
diff --git a/net-mgmt/chillispot/Makefile b/net-mgmt/chillispot/Makefile
index e6ddd4d174e7..e7b261416525 100644
--- a/net-mgmt/chillispot/Makefile
+++ b/net-mgmt/chillispot/Makefile
@@ -7,7 +7,7 @@
PORTNAME= chillispot
PORTVERSION= 1.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net-mgmt
MASTER_SITES= http://www.chillispot.org/download/ \
http://www.geeklan.co.uk/files/ \
@@ -20,10 +20,12 @@ GNU_CONFIGURE= yes
USE_GETOPT_LONG=yes
CONFIGURE_TARGET=-build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
CONFIGURE_ARGS=-sysconfdir=${PREFIX}/etc
+USE_RC_SUBR= chillispot.sh
+SUB_FILES= pkg-message
MAN8= chilli.8
OPTIONS= RAW "Latest Release Of Apache & mySQL" Off \
- MATURE "Stable Releases of Apache & mySQL" Off \
+ MATURE "Stable Releases of Apache with mod_ssl & MySQL" Off \
FREE "freeRADIUS" Off \
OPENR "openradius" Off
@@ -35,7 +37,7 @@ RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache20 \
.endif
.if defined(WITH_MATURE)
-RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache13 \
+RUN_DEPENDS+= ${LOCALBASE}/sbin/httpd:${PORTSDIR}/www/apache13-modssl \
${LOCALBASE}/libexec/mysqld:${PORTSDIR}/databases/mysql41-server
.endif
@@ -50,11 +52,14 @@ RUN_DEPENDS+= radiusd:${PORTSDIR}/net/openradius
post-install:
.if !defined(NOPORTDOCS)
${MKDIR} ${DATADIR}
- ${INSTALL_MAN} ${WRKSRC}/doc/chilli.conf ${DATADIR}/chilli.sample
+ ${INSTALL_MAN} ${WRKSRC}/doc/chilli.conf ${DATADIR}/chilli.conf.sample
${INSTALL_MAN} ${WRKSRC}/doc/dictionary.chillispot ${DATADIR}
${INSTALL_MAN} ${WRKSRC}/doc/freeradius.users ${DATADIR}
${INSTALL_MAN} ${WRKSRC}/doc/hotspotlogin.cgi ${DATADIR}
+ ${INSTALL_MAN} ${FILESDIR}/installguide.txt ${DATADIR}
+ ${INSTALL_MAN} ${FILESDIR}/pf.conf.sample ${DATADIR}
+ ${INSTALL_MAN} ${FILESDIR}/ipfw-config.sample ${DATADIR}
.endif
- ${CAT} ${PKGMESSAGE}
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
diff --git a/net-mgmt/chillispot/files/chillispot.sh.in b/net-mgmt/chillispot/files/chillispot.sh.in
new file mode 100644
index 000000000000..4c837587bac5
--- /dev/null
+++ b/net-mgmt/chillispot/files/chillispot.sh.in
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# PROVIDE: chillispot
+# REQUIRE: netif
+# BEFORE: pf ipfw ipfilter
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+chillispot_enable=${chillispot_enable-"NO"}
+chillispot_flags=${chillispot_flags-"--conf=/usr/local/etc/chilli.conf"}
+chillispot_pidfile=${utility_pidfile-"/var/run/chilli.pid"}
+
+. /etc/rc.subr
+
+name="chillispot"
+rcvar=`set_rcvar`
+command="/usr/local/sbin/chilli"
+
+load_rc_config $name
+
+pidfile="${chillipot_pidfile}"
+
+start_cmd="echo \"Starting ${name}.\"; /usr/bin/nice -5 ${command} ${chillispot_flags} ${command_args}"
+
+run_rc_command "$1"
diff --git a/net-mgmt/chillispot/files/installguide.txt b/net-mgmt/chillispot/files/installguide.txt
new file mode 100644
index 000000000000..1b9976252f1f
--- /dev/null
+++ b/net-mgmt/chillispot/files/installguide.txt
@@ -0,0 +1,435 @@
+ Installing Chillispot on FreeBSD
+ By Venture37
+ www.geeklan.co.uk
+ venture37@geekla.co.uk
+
+
+This guide will cover how to get a basic Chillispot installation going with Apache 1.3 + mod_ssl, mySQL 4.1, freeRADIUS & OpenBSD's Packet Filter PF
+
+1) Update your ports tree!!!!
+Instructions on how to do so are included in the HandBook under the Using CVSup section:
+http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
+
+2) Once the update is complete goto {PORTSDIR}/net-mgmt/chillispot & run make install, you'll be presented with a menu, select:
+MATURE Stable Releases of Apache with mod_ssl & mySQL
+&
+FREE freeRADIUS
+& choose Ok
+
+During the build process you'll be asked what flavour of freeRADIUS you'd like to build,
+choose MYSQL With MySQL user database
+
+3) When the build & install process is complete go back to the apache directory,
+regenerate & install some new certs & optionally remove the preinstalled snakeoil test ones.
+goto {PORTSDIR}/www/apache13-modssl
+& run make certificate TYPE=custom
+Answer the questions in each step & when you're finished you'll be given a summary of files & their functions
+Now copy those files from the summary by going to work/apache_1.X.XX/conf & copy the certs to your apache config directory
+(replace X.XX with the relevant version number)
+cp work/apache_1.X.XX/conf/ssl.key/ca.key {PREFIX}/etc/apache/ssl.key/
+cp work/apache_1.XXX/conf/ssl.key/server.key {PREFIX}/etc/apache/ssl.key/
+cp work/apache_1.XXX/conf/ssl.crt/ca.crt {PREFIX}/etc/apache/ssl.crt/
+cp work/apache_1.XXX/conf/ssl.crt/server.crt {PREFIX}/etc/apache/ssl.crt/
+chmod 400 {PREFIX}/etc/apache/ssl.key/ca.key
+chmod 400 {PREFIX}/etc/apache/ssl.crt/ca.crt
+
+Optional:
+rm {PREFIX}/etc/apache/ssl.key/snakeoil-*
+rm {PREFIX}/etc/apache/ssl.crt/snakeoil-*
+then goto {PREFIX}/etc/apache/ssl.crt/ & delete the bunch of alphanumeric filenamed symbolic links
+
+4) Put Chillispots files into place:
+copy hotspotlogin.cgi from {PREFIX}/share/chillispot/ to {PREFIX}/www/cgi/
+& make it executable:
+chmod 555 {PREFIX}/www/cgi-bin/hotspotlogin.cgi
+
+put chillispot.conf file into place
+cp {PREFIX}/share/chillispot/chilli.conf.sample {PREFIX}/etc/chilli.conf
+
+freeRADIUS related files
+cp {PREFIX}/share/chillispot/dictionary.chillispot {PREFIX}/etc/raddb/
+cp {PREFIX}/share/chillispot/freeradius.users {PREFIX}/etc/raddb/
+
+PF Config file
+cp {PREFIX}/share/chillispot/pf.conf.sample /etc/pf.conf
+
+5) Setup MySQL
+run ./mysql_install_db
+& follow the onscreen instructions provided to set a new root password
+
+6) Create a Database for freeRADIUS
+at the mysql prompt issue the following:
+create database mydbname;
+grant all privileges on mydbname.* to 'dbusername'@'localhost' identified by 'mypass';
+flush privileges;
+quit;
+
+7) Import the freeRADIUS MySQL DB Schema
+by running the following:
+mysql -u dbusrname -p mydbname < {PREFIX}/share/doc/freeradius/examples/mysql.sql
+
+8) Configure freeRADIUS
+goto {PREFIX}/etc/raddb
+trim .sample from the end of the filenames off the following files:
+acct_users
+certs
+clients.conf
+dictionary , then edit if & add $INCLUDE dictionary.chillispot
+
+eap.conf
+hints
+huntgroups
+preproxy_users
+proxy.conf
+radiusd.conf
+snmp.conf
+sql.conf
+users
+
+9) Before going ahead & configuring freeRADIUS to use MySQL
+setup a basic account using the existing flatfiles to make sure everything is working so far
+edit {PREFIX}/etc/raddb/clients.conf
+& change the secret entry e.g:
+secret = s3cr3t
+
+then add the sample chillispot user by copying the contents of freeradius.users to users
+
+then run adduser to create a user which radiusd will run under
+#adduser
+Username: radiusd
+Full name: freeRADIUS
+Uid (Leave empty for default):
+Login group [radiusd]:
+Login group is radiusd. Invite radiusd into other groups? []:
+Login class [default]:
+Shell (sh csh tcsh nologin) [sh]: nologin
+Home directory [/home/radiusd]: /nonexistent
+Use password-based authentication? [yes]:
+Use an empty password? (yes/no) [no]:
+Use a random password? (yes/no) [no]: y
+Lock out the account after creation? [no]: y
+Username : radiusd
+Password : <random>
+Full Name : freeRADIUS
+Uid : 1002
+Class :
+Groups : radiusd
+Home : /nonexistent
+Shell : /usr/sbin/nologin
+Locked : yes
+OK? (yes/no): y
+adduser: INFO: Successfully added (radiusd) to the user database.
+adduser: INFO: Password for (radiusd) is: blablabla123
+adduser: INFO: Account (radiusd) is locked.
+
+now edit {PREFIX}/etc/raddb/radiusd.conf
+uncomment & change the user & group entries from
+#user = nobody to user = radiusd
+#group = nobody to group = radiusd
+ & change
+proxy_requests = yes to no
+
+10) Now fireup freeRADIUS in debug mode
+ by issuing {PREFIX}/sbin/radiusd -X
+& using the radtest tool query freeRADIUS
+radtest steve testing localhost 1812 s3cr3t
+
+you should get the following output back:
+Sending Access-Request of id 57 to 127.0.0.1 port 1812
+ User-Name = "steve"
+ User-Password = "testing"
+ NAS-IP-Address = 255.255.255.255
+ NAS-Port = 1812
+rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=57, length=74
+ Class = 0x30373032333435363738
+ Session-Timeout = 3600
+ Idle-Timeout = 600
+ Acct-Interim-Interval = 60
+ WISPr-Bandwidth-Max-Up = 128000
+ WISPr-Bandwidth-Max-Down = 512000
+
+if you're not sure if freeRADIUS is listening on port 1812/udp or 1645/udp check your /etc/services file
+$ cat /etc/services | grep radius
+# IMPORTANT NOTE: Ports 1645/1646 are the traditional radius ports used by
+#radius 1645/udp #RADIUS authentication protocol (old)
+radius 1812/udp #RADIUS authentication protocol (IANA sanctioned)
+
+If everything went along ok without any errors edit users & remove the entries you added from chillispots freeradius.users files.
+
+11) Configuring freeRADIUS to use MySQL instead of flat files
+edit {PREFIX}/etc/raddb/sql.conf &
+change the login, password & radius_db entries to those used in step 6
+then uncomment
+ #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
+& comment out sql_user_name = "%{User-Name}"
+if you'd like to use shortames (username minus realm) aswell as user@realm.f00 & :-DEFAULT
+then uncomment simul_count_query
+
+edit {PREFIX}/etc/raddb/radiusd.conf
+then uncomment sql in the Authorize {
+comment out unix in Authenticate {
+comment out files in preacct {
+uncomment sql in accounting {
+comment radutmp & uncomment sql in session {
+
+freeRADIUS is now setup to use MySQL.
+
+12) You now need to setup some users for your wireless clients to use
+12.1: login to the mysql console:
+mysql -u dbusername -p
+
+12.2: choose the database you created for freeRADIUS to work on
+mysql> use mydbname;
+
+12.3: lets see what in here:
+mysql> show tables;
++----------------------+
+| Tables_in_mydbname |
++----------------------+
+| nas |
+| radacct |
+| radcheck |
+| radgroupcheck |
+| radgroupreply |
+| radpostauth |
+| radreply |
+| usergroup |
++----------------------+
+8 rows in set (0.00 sec)
+
+12.4: to see what fields you need to fill in isse:
+mysql> show columns from radcheck;
++-----------+------------------+------+-----+---------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+------------------+------+-----+---------+----------------+
+| id | int(11) unsigned | | PRI | NULL | auto_increment |
+| UserName | varchar(64) | | MUL | | |
+| Attribute | varchar(32) | | | | |
+| op | char(2) | | | == | |
+| Value | varchar(253) | | | | |
++-----------+------------------+------+-----+---------+----------------+
+5 rows in set (0.01 sec)
+
+12.5: lets add our first username:
+mysql> insert into radcheck (Username, Attribute, Value) VALUES ('fry', 'Password', 'walkingonsunshine');
+Query OK, 1 row affected (0.00 sec)
+
+12.6: is it there?
+mysql> select * from radcheck;
++----+----------+-----------+----+-------------------+
+| id | UserName | Attribute | op | Value |
++----+----------+-----------+----+-------------------+
+| 1 | fry | Password | == | walkingonsunshine |
++----+----------+-----------+----+-------------------+
+1 row in set (0.00 sec)
+
+12.7: assign the user to a group:
+mysql> show columns from usergroup;
++-----------+-------------+------+-----+---------+-------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+-------------+------+-----+---------+-------+
+| UserName | varchar(64) | | MUL | | |
+| GroupName | varchar(64) | | | | |
+| priority | int(11) | | | 1 | |
++-----------+-------------+------+-----+---------+-------+
+3 rows in set (0.01 sec)
+
+mysql> insert into usergroup (UserName, GroupName, Priority) VALUES ('fry', 'dynamic', 1);
+Query OK, 1 row affected (0.00 sec)
+
+mysql> select * from usergroup;
++----------+-----------+----------+
+| UserName | GroupName | priority |
++----------+-----------+----------+
+| fry | dynamic | 1 |
++----------+-----------+----------+
+1 row in set (0.01 sec)
+
+12.8) Authorization Type:
+mysql> show columns from radgroupcheck;
++-----------+------------------+------+-----+---------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+------------------+------+-----+---------+----------------+
+| id | int(11) unsigned | | PRI | NULL | auto_increment |
+| GroupName | varchar(64) | | MUL | | |
+| Attribute | varchar(32) | | | | |
+| op | char(2) | | | == | |
+| Value | varchar(253) | | | | |
++-----------+------------------+------+-----+---------+----------------+
+5 rows in set (0.00 sec)
+
+mysql> insert into radgroupcheck (GroupName, Attribute, Value) VALUES ('dynamic', 'Auth-Type', 'Local');
+Query OK, 1 row affected (0.00 sec)
+
+mysql> select * from radgroupcheck;
++----+-----------+-----------+----+-------+
+| id | GroupName | Attribute | op | Value |
++----+-----------+-----------+----+-------+
+| 1 | dynamic | Auth-Type | == | Local |
++----+-----------+-----------+----+-------+
+1 row in set (0.00 sec)
+
+
+mysql> show columns from radgroupcheck;
++-----------+------------------+------+-----+---------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+------------------+------+-----+---------+----------------+
+| id | int(11) unsigned | | PRI | NULL | auto_increment |
+| GroupName | varchar(64) | | MUL | | |
+| Attribute | varchar(32) | | | | |
+| op | char(2) | | | == | |
+| Value | varchar(253) | | | | |
++-----------+------------------+------+-----+---------+----------------+
+5 rows in set (0.00 sec)
+
+12.9) User & Group Attribute settings
+User specific attributes:
+mysql> show columns from radreply;
++-----------+------------------+------+-----+---------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+------------------+------+-----+---------+----------------+
+| id | int(11) unsigned | | PRI | NULL | auto_increment |
+| UserName | varchar(64) | | MUL | | |
+| Attribute | varchar(32) | | | | |
+| op | char(2) | | | = | |
+| Value | varchar(253) | | | | |
++-----------+------------------+------+-----+---------+----------------+
+5 rows in set (0.00 sec)
+
+mysql> insert into radreply (UserName, Attribute, Value) VALUES ('fry', 'Class', '0702345678');
+Query OK, 1 row affected (0.01 sec)
+
+mysql> select * from radreply;
++----+----------+-----------+----+------------+
+| id | UserName | Attribute | op | Value |
++----+----------+-----------+----+------------+
+| 1 | fry | Class | = | 0702345678 |
++----+----------+-----------+----+------------+
+1 row in set (0.00 sec)
+
+Group specific settings:
+mysql> show columns from radgroupreply;
++-----------+------------------+------+-----+---------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-----------+------------------+------+-----+---------+----------------+
+| id | int(11) unsigned | | PRI | NULL | auto_increment |
+| GroupName | varchar(64) | | MUL | | |
+| Attribute | varchar(32) | | | | |
+| op | char(2) | | | = | |
+| Value | varchar(253) | | | | |
++-----------+------------------+------+-----+---------+----------------+
+5 rows in set (0.00 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Session-Timeout', '3600');
+Query OK, 1 row affected (0.00 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Idle-Timeout', '600');
+Query OK, 1 row affected (0.00 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'Acct-Interim-Interval', '60');
+Query OK, 1 row affected (0.01 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Redirection-URL', 'http://www.geeklan.co.uk');
+Query OK, 1 row affected (0.00 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Up', '128000');
+Query OK, 1 row affected (0.01 sec)
+
+mysql> insert into radgroupreply (GroupName, Attribute, Value) VALUES ('dynamic', 'WISPr-Bandwidth-Max-Down', '512000');
+Query OK, 1 row affected (0.01 sec)
+
+mysql> select * from radgroupreply;
++----+-----------+--------------------------+----+--------------------------+
+| id | GroupName | Attribute | op | Value |
++----+-----------+--------------------------+----+--------------------------+
+| 1 | dynamic | Session-Timeout | = | 3600 |
+| 2 | dynamic | Idle-Timeout | = | 600 |
+| 3 | dynamic | Acct-Interim-Interval | = | 60 |
+| 4 | dynamic | WISPr-Redirection-URL | = | http://www.geeklan.co.uk |
+| 5 | dynamic | WISPr-Bandwidth-Max-Up | = | 128000 |
+| 6 | dynamic | WISPr-Bandwidth-Max-Down | = | 512000 |
++----+-----------+--------------------------+----+--------------------------+
+6 rows in set (0.00 sec)
+
+Test:
+{PREFIX}/bin/radtest fry walkingonsunshine localhost 1812 s3cr3t
+Sending Access-Request of id 250 to 127.0.0.1 port 1812
+ User-Name = "fry"
+ User-Password = "walkingonsunshine"
+ NAS-IP-Address = 255.255.255.255
+ NAS-Port = 1812
+rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=250, length=106
+ Class = 0x30373032333435363738
+ Session-Timeout = 3600
+ Idle-Timeout = 600
+ Acct-Interim-Interval = 60
+ WISPr-Redirection-URL = "http://www.geeklan.co.uk"
+ WISPr-Bandwidth-Max-Up = 128000
+ WISPr-Bandwidth-Max-Down = 512000
+
+13) Nearly There
+edit {PREFIX}/etc/chilli.conf
+& change the dns1 & dns2 entries to your dns servers
+(note, if you're not running a dns server locally you'll need to uncomment uamanydns)
+change radiusserver1 & radiusserver2 to localhost
+set radiussecret to whatever you selected in step 9
+e.g s3cr3t
+set dhcpif to your wifi card e.g ral0
+change uamserver to https://192.168.182.1/cgi-bin/hotspotlogin.cgi
+(if you're not running a dns server locally, if you are use the fqdn)
+change the uamsecret to another value, then edit {PREFIX}/www/cgi-bin/hotspotlogin.cgi & add the same value to $uamsecret
+
+14) Finishing Stage
+Edit /etc/pf.conf & make sure the $ext_if & $int_if are correct
+Edit /etc/rc.conf & add the following:
+chillispot_enable="YES"
+apache_enable="YES"
+radiusd_enale="YES"
+mysql_enable="YES"
+pf_enable="YES" # Enable PF (load module if required)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_flags="" # additional flags for pfctl startup
+pflog_enable="YES" # start pflogd(8)
+pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
+pflog_flags="" # additional flags for pflogd startup
+gateway_enable="YES"
+
+& remove any IP addresses assigned to your wifi card
+this is enough for chilli to work:
+ifconfig_ral0="ssid chilli mediaopt hostap mode 11b"
+
+save & reboot or quit to back to the shell & run the following to get everything started
+{PREFIX}/etc/rc.d/chillispot start
+{PREFIX}/etc/rc.d/apache.sh start you'll be asked for the password that you assigned whilst generating the certs in the step 3
+{PREFIX}/etc/rc.d/mysql-server start
+{PREFIX}/etc/rc.d/radiusd start
+pfctl -e
+pfctl -f /etc/pf.conf
+
+
+
+THE END!!!
+
+
+
+Original Sources for info:
+OpenBSD PF FAQ
+http://www.openbsd.org/faq/
+
+The FreeBSD HandBook
+http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html
+
+SB's very rough notes to FreeRadius and MySQL
+http://www.frontios.com/freeradius.html
+
+ONLamp Getting Started with FreeRADIUS
+http://www.onlamp.com/pub/a/onlamp/excerpt/radius_5/index1.html?page=1
+
+
+TAASC MySQL Basics
+http://www.analysisandsolutions.com/code/mybasic.htm
+
+This work is licensed under the Creative Commons Attribution-Share Alike 2.5 License. To view a copy of this license, visit
+http://creativecommons.org/licenses/by-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California,
+94105, USA.
+
diff --git a/net-mgmt/chillispot/files/ipfw-config.sample b/net-mgmt/chillispot/files/ipfw-config.sample
new file mode 100644
index 000000000000..93829e8f4912
--- /dev/null
+++ b/net-mgmt/chillispot/files/ipfw-config.sample
@@ -0,0 +1,71 @@
+network inetrface
+
+fxp0 : 11.11.11.1
+fxp1 : 10.14.1.254
+
+/etc/ipnat.rules
+
+# NAT
+#
+map fxp0 192.168.182.0/24 -> 11.11.11.1/32 portmap tcp/udp auto
+
+--------------------------------------------------------
+
+/usr/local/etc/rc.d/ipfw.sh
+
+#!/bin/sh
+
+RULENO="1500"
+
+EXT_IF="fxp0"
+INT_IF="fxp1"
+
+EXT_IP="11.11.11.1"
+#INT_IP="10.14.1.0/24"
+
+# flush rules
+#
+ipfw -f flush
+
+## setup loopback
+##
+ipfw $RULENO add pass all from any to any via lo0
+ipfw add deny all from any to 127.0.0.0/8
+ipfw add deny ip from 127.0.0.0/8 to any
+
+# allow related and established on all interfaces
+#
+ipfw add pass ip from any to any established
+
+# allow SA connect to me , deny any others use ssh
+#
+ipfw add pass tcp from 11.11.11.5 to any setup
+ipfw add deny tcp from any to ${EXT_IP} 22
+
+## allow me (firewall) to access anywhere
+##
+ipfw add pass tcp from ${EXT_IP} to any setup
+ipfw add pass udp from ${EXT_IP} to any keep-state
+
+## allow tun0 device to connect to anywhere
+##
+ipfw add pass tcp from any to any via tun0 setup
+ipfw add pass udp from any to any via tun0 keep-state
+
+# allow icmp
+#
+ipfw add pass icmp from any to any icmptypes 0,3,8,11
+
+# allow http , https and dns on internal interface
+#
+ipfw add pass tcp from any to any 80 via ${INT_IF} setup
+ipfw add pass tcp from any to any 443 via ${INT_IF} setup
+ipfw add pass udp from any to any 53 via ${INT_IF} keep-state
+
+# allow tcp port 3990 on internal interface for chillispot redirection
+#
+ipfw add pass tcp from any to any 3990 via ${INT_IF} setup
+
+# except for any condition above , reject everything on all interfaces
+#
+ipfw add deny all from any to any
diff --git a/net-mgmt/chillispot/files/pf.conf.sample b/net-mgmt/chillispot/files/pf.conf.sample
new file mode 100644
index 000000000000..73a3d9cd2ab2
--- /dev/null
+++ b/net-mgmt/chillispot/files/pf.conf.sample
@@ -0,0 +1,47 @@
+#
+# Basic Chillispot PF Config
+# A tweak of Example 1 from the PF FAQ
+# http://www.openbsd.org/faq/pf/example1.html
+# By Venture37
+# venture37@geeklan.co.uk
+# http://www.geeklan.co.uk
+
+# macros
+int_if = "ral0"
+ext_if = "fxp0"
+chilli_if = "tun0"
+
+tcp_services = "{ 22, 113 }"
+icmp_types = "echoreq"
+
+priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
+
+# options
+set block-policy return
+set loginterface $ext_if
+
+# scrub
+scrub in all
+
+# nat/rdr
+nat on $ext_if from $chilli_if:network to any -> ($ext_if)
+
+# filter rules
+block all
+
+pass quick on lo0 all
+
+block drop in quick on $ext_if from $priv_nets to any
+block drop out quick on $ext_if from any to $priv_nets
+block drop on $int_if all
+
+pass in on $ext_if inet proto tcp from any to ($ext_if) \
+ port $tcp_services flags S/SA keep state
+
+pass in inet proto icmp all icmp-type $icmp_types keep state
+
+pass in on $chilli_if from $chilli_if:network to any keep state
+pass out on $chilli_if from any to $chilli_if:network keep state
+
+pass out on $ext_if proto tcp all modulate state flags S/SA
+pass out on $ext_if proto { udp, icmp } all keep state
diff --git a/net-mgmt/chillispot/files/pkg-message.in b/net-mgmt/chillispot/files/pkg-message.in
new file mode 100644
index 000000000000..ea7cd10b5287
--- /dev/null
+++ b/net-mgmt/chillispot/files/pkg-message.in
@@ -0,0 +1,8 @@
+|
+| OK, everything you're going to need is going to be in %%DATADIR%%
+| This update includes a sample ipfw config files, a sample pf config file and
+| a installation guide which covers how to get a basic hotspot up & running
+| with chillispot, freeRADIUS & Apache+mod_ssl
+|
+| For further config info/help check out the chillispot forum & mailing list
+|
diff --git a/net-mgmt/chillispot/pkg-message b/net-mgmt/chillispot/pkg-message
deleted file mode 100644
index b427e44bf791..000000000000
--- a/net-mgmt/chillispot/pkg-message
+++ /dev/null
@@ -1,5 +0,0 @@
-A bit of post install work needs to be done to get everything rolling
-rename & copy chillspot.sample from ${PREFIX}/share/chillispot/ to ${PREFIX}/etc/chillispot.conf
-& hotspotlogin.cgi from ${PREFIX}/share/chillispot/ to your apache cgi-bin directory
-
-For further config info/help check out the chillispot forum & mailing list
diff --git a/net-mgmt/chillispot/pkg-plist b/net-mgmt/chillispot/pkg-plist
index 30558537e1bc..022be5f5d91c 100644
--- a/net-mgmt/chillispot/pkg-plist
+++ b/net-mgmt/chillispot/pkg-plist
@@ -1,6 +1,10 @@
+@unexec %D/etc/rc.d/chillispot forcestop 2>/dev/null || true
sbin/chilli
-%%DATADIR%%/chilli.sample
+%%DATADIR%%/chilli.conf.sample
%%DATADIR%%/dictionary.chillispot
%%DATADIR%%/freeradius.users
%%DATADIR%%/hotspotlogin.cgi
+%%DATADIR%%/pf.conf.sample
+%%DATADIR%%/ipfw-config.sample
+%%DATADIR%%/installguide.txt
@dirrm %%DATADIR%%