authorPiBa-NL <pba_2k3@yahoo.com>2014-03-19 17:10:49 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2014-03-19 17:10:49 +0100
commit39b3fe5d22482d16a161193167c00af90390343a (patch)
tree53b19691d90440731195eb2325db2ecd8511feb2 /config/pf-blocker
parent2a4f986325ccd3a08273bee285993415da12aeb2 (diff)
parentfd710b1c45207f551d7b0a38eb95b5b5e353ac77 (diff)
downloadpfsense-packages-39b3fe5d22482d16a161193167c00af90390343a.tar.gz
pfsense-packages-39b3fe5d22482d16a161193167c00af90390343a.tar.bz2
pfsense-packages-39b3fe5d22482d16a161193167c00af90390343a.zip
Merge branch 'master' of https://github.com/pfsense/pfsense-packages into hap_de-install_logging
Conflicts: config/haproxy-devel/haproxy.inc
Diffstat (limited to 'config/pf-blocker')
-rw-r--r--config/pf-blocker/pfBlocker.widget.php2
-rwxr-xr-xconfig/pf-blocker/pfblocker.inc36
-rwxr-xr-xconfig/pf-blocker/pfblocker.xml28
-rwxr-xr-xconfig/pf-blocker/pfblocker_lists.xml40
4 files changed, 54 insertions, 52 deletions
diff --git a/config/pf-blocker/pfBlocker.widget.php b/config/pf-blocker/pfBlocker.widget.php
index 60b0c754..6550ff57 100644
--- a/config/pf-blocker/pfBlocker.widget.php
+++ b/config/pf-blocker/pfBlocker.widget.php
@@ -2,7 +2,7 @@
/*
Copyright 2011 Thomas Schaefer - Tomschaefer.org
Copyright 2011 Marcello Coutinho
- Part of pfSense widgets (www.pfsense.com)
+ Part of pfSense widgets (www.pfsense.org)
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index c40d742e..9740dce5 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -167,15 +167,6 @@ function sync_package_pfblocker($cron="") {
#Create rule if action permits
switch($continent_config['action']){
case "Deny_Both":
- $rule = $base_rule;
- $rule["type"] = $deny_action_inbound;
- $rule["descr"]= "$pfb_alias auto rule";
- $rule["source"]= array("address"=> $pfb_alias);
- $rule["destination"]=array("any"=>"");
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $deny_inbound[]=$rule;
case "Deny_Outbound":
$rule = $base_rule;
$rule["type"] = $deny_action_outbound;
@@ -185,8 +176,9 @@ function sync_package_pfblocker($cron="") {
if ($pfblocker_config['enable_log']){
$rule["log"]="";
}
- $deny_outbound[]=$rule;
- break;
+ $deny_outbound[]=$rule;
+ if ($continent_config['action'] != "Deny_Both")
+ break;
case "Deny_Inbound":
$rule = $base_rule;
$rule["type"] = $deny_action_inbound;
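Review bot: The conditional `break` added after `$deny_outbound[]=$rule;` makes the fall-through into `case "Deny_Inbound":` depend on a brace-less `if` with a loose `!=`, and nothing marks it as intentional. This switch decides whether the inbound block rule is generated for Deny_Both, so a later edit that inserts a case between the two or restores the plain `break` would silently drop that rule. I would write `if ($continent_config['action'] !== "Deny_Both") { break; }` and put `// fall through: Deny_Both also needs the Deny_Inbound rule` above the next case. The same applies to the Permit_Both break later in this switch and to both conditional breaks in the `$list['action']` switch further down. The switch and sync_package_pfblocker begin and end outside this hunk.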
@@ -198,6 +190,7 @@ function sync_package_pfblocker($cron="") {
}
$deny_inbound[]=$rule;
break;
+ case "Permit_Both":
case "Permit_Outbound":
$rule = $base_rule;
$rule["type"] = "pass";
@@ -208,7 +201,8 @@ function sync_package_pfblocker($cron="") {
$rule["log"]="";
}
$permit_outbound[]=$rule;
- break;
+ if ($continent_config['action'] != "Permit_Both")
+ break;
case "Permit_Inbound":
$rule = $base_rule;
$rule["type"] = "pass";
@@ -317,15 +311,6 @@ function sync_package_pfblocker($cron="") {
#Create rule if action permits
switch($list['action']){
case "Deny_Both":
- $rule = $base_rule;
- $rule["type"] = $deny_action_inbound;
- $rule["descr"]= "$alias auto rule";
- $rule["source"]= array("address"=> $alias);
- $rule["destination"]=array("any"=>"");
- if ($pfblocker_config['enable_log']){
- $rule["log"]="";
- }
- $deny_inbound[]=$rule;
case "Deny_Outbound":
$rule = $base_rule;
$rule["type"] = $deny_action_outbound;
@@ -335,8 +320,9 @@ function sync_package_pfblocker($cron="") {
if ($pfblocker_config['enable_log']){
$rule["log"]="";
}
- $deny_outbound[]=$rule;
- break;
+ $deny_outbound[]=$rule;
+ if ($list['action'] != "Deny_Both")
+ break;
case "Deny_Inbound":
$rule = $base_rule;
$rule["type"] = $deny_action_inbound;
@@ -348,6 +334,7 @@ function sync_package_pfblocker($cron="") {
}
$deny_inbound[]=$rule;
break;
+ case "Permit_Both":
case "Permit_Outbound":
$rule = $base_rule;
$rule["type"] = "pass";
@@ -358,7 +345,8 @@ function sync_package_pfblocker($cron="") {
$rule["log"]="";
}
$permit_outbound[]=$rule;
- break;
+ if ($list['action'] != "Permit_Both")
+ break;
case "Permit_Inbound":
$rule = $base_rule;
$rule["type"] = "pass";
diff --git a/config/pf-blocker/pfblocker.xml b/config/pf-blocker/pfblocker.xml
index b4da539c..44658bcb 100755
--- a/config/pf-blocker/pfblocker.xml
+++ b/config/pf-blocker/pfblocker.xml
@@ -53,62 +53,62 @@
<url>/pkg_edit.php?xml=pfblocker.xml</url>
</menu>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfblocker.inc</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfblocker.inc</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfblocker.php</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfblocker.php</item>
<prefix>/usr/local/www/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfBlocker.widget.php</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfBlocker.widget.php</item>
<prefix>/usr/local/www/widgets/widgets/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfblocker_topspammers.xml</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfblocker_topspammers.xml</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfblocker_lists.xml</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfblocker_lists.xml</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/pfblocker_sync.xml</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/pfblocker_sync.xml</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/Africa_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/Africa_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/Asia_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/Asia_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/Europe_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/Europe_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/North_America_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/North_America_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/Oceania_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/Oceania_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
<additional_files_needed>
- <item>http://www.pfsense.org/packages/config/pf-blocker/lists/South_America_cidr.txt</item>
+ <item>https://packages.pfsense.org/packages/config/pf-blocker/lists/South_America_cidr.txt</item>
<prefix>/usr/local/pkg/</prefix>
<chmod>0555</chmod>
</additional_files_needed>
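Review bot: The new `https://packages.pfsense.org/` URLs in the `<item>` entries only protect these downloads if the package installer validates the server certificate, which is not visible in this diff, and no entry carries a checksum to verify the file after transfer. The listed files land in `/usr/local/pkg/` and `/usr/local/www/` and include PHP that runs on the firewall, so it is worth confirming that the fetch fails closed on a certificate error rather than falling back or continuing. Separately, the unchanged `<chmod>0755</chmod>` on the `.xml` and `.inc` entries marks data and include files executable; `0644` would presumably be enough, to be confirmed against how the installer uses them.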
@@ -224,13 +224,13 @@
<type>checkbox</type>
<description><![CDATA[Continent Lists are provided by <a target=_new href='http://www.countryipblocks.net/'>countryipblocks.net</a>.<br>
Dynamic rules can be found in <a target=_new href='http://www.iblocklist.com/'>I-Blocklist.com</a>.</br>
- Created by <a target=_new href='http://forum.pfsense.org/index.php?action=profile;u=4710'>Marcello Coutinho</a> and <a target=_new href='http://www.tomschaefer.org/pfsense'>TomSchaefer</a>.<br>]]></description>
+ Created by <a target=_new href='https://forum.pfsense.org/index.php?action=profile;u=4710'>Marcello Coutinho</a> and <a target=_new href='http://www.tomschaefer.org/pfsense'>TomSchaefer</a>.<br>]]></description>
</field>
<field>
<fielddescr>Donation</fielddescr>
<fieldname>donation</fieldname>
<type>checkbox</type>
- <description><![CDATA[If you like this package, please <a target=_new href='http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77'>donate to the pfSense project</a>.<br>
+ <description><![CDATA[If you like this package, please <a target=_new href='https://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77'>donate to the pfSense project</a>.<br>
If you want your donation to go to these package developers, make a note on the donation forwarding it to us.<br>]]></description>
</field>
</fields>
diff --git a/config/pf-blocker/pfblocker_lists.xml b/config/pf-blocker/pfblocker_lists.xml
index 4bde4b49..f1798d36 100755
--- a/config/pf-blocker/pfblocker_lists.xml
+++ b/config/pf-blocker/pfblocker_lists.xml
@@ -18,13 +18,16 @@
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
+
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
+
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
+
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
@@ -63,20 +66,24 @@
<active/>
</tab>
+
<tab>
<text>Top Spammers</text>
<url>/pkg_edit.php?xml=pfblocker_topspammers.xml&amp;id=0</url>
</tab>
-
+
+
<tab>
<text>Africa</text>
<url>/pkg_edit.php?xml=pfblocker_Africa.xml&amp;id=0</url>
-
+
+
</tab>
<tab>
<text>Asia</text>
<url>/pkg_edit.php?xml=pfblocker_Asia.xml&amp;id=0</url>
-
+
+
</tab>
<tab>
<text>Europe</text>
@@ -109,6 +116,7 @@
<fieldname>description</fieldname>
</columnitem>
+
<columnitem>
<fielddescr>Action</fielddescr>
<fieldname>action</fieldname>
@@ -176,15 +184,19 @@
<fielddescr>List Action</fielddescr>
<description><![CDATA[Default:<strong>Deny Inbound</strong><br>
Select action for network on lists you have selected.<br><br>
- <strong>Note: </strong><br>'Deny Both' - Will deny access on Both directions.<br>
- 'Deny Inbound' - Will deny access from selected lists to your network.<br>
- 'Deny Outbound' - Will deny access from your users to ip lists you selected to block.<br>
- 'Permit Inbound' - Will allow access from selected lists to your network.<br>
- 'Permit Outbound' - Will allow access from your users to ip lists you selected to block.<br>
- 'Disabled' - Will just keep selection and do nothing to selected Lists.<br>
- 'Alias Only' - Will create an alias with selected Lists to help custom rule assignments.<br><br>
- <strong>While creating rules with this list, keep aliasname in the beggining of rule description and do not end description with 'rule'.<br></strong>
- custom rules with 'Aliasname something rule' description will be removed by package.]]></description>
+ <strong>'Deny' Rules:</strong><br>
+ 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:<br>
+ <ul><li><strong>Deny Both</strong> - blocks all traffic in both directions, if the source or destination IP is in the block list</li>
+ <li><strong>Deny Inbound/Deny Outbound</strong> - blocks all traffic in one direction <u>unless</u> it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. </li>
+ <li>One way 'Deny' rules can be used to selectively block <u>unsolicited</u> incoming (new session) packets in one direction, while still allowing <u>deliberate</u> outgoing sessions to be created in the other direction.</li></ul>
+ <strong>'Permit' Rules:</strong><br>
+ 'Permit' rules create high priority 'pass' rules on the stated interfaces. They are not the opposite of Deny rules, and don't create any 'blocking' effect anywhere. They have priority over all Deny rules. Typical uses of 'Permit' rules are:<br>
+ <ul><li><strong>To ensure</strong> that traffic to/from the listed IPs will <u>always</u> be allowed in the stated directions. They override <u>almost all other</u> Firewall rules on the stated interfaces.</li>
+ <li><strong>To act as a whitelist</strong> for Deny rule exceptions, for example if a large IP range or pre-created blocklist blocks a few IPs that should be accessible.</li></ul>
+ <strong>'Alias' and 'Disabled' Rules:</strong><br>
+ <ul><li><strong>'Alias'</strong> rules create an <a href="/firewall_aliases.php">alias</a> for the list (and do nothing else). This enables a Pfblocker list to be used by name, in any firewall rule or Pfsense function, as desired.</li>
+ <li><strong>'Disabled'</strong> rules are kept for future use, but nothing is done with them.</li></ul><br>
+ <strong>While creating rules with this list, keep aliasname in the beginning of rule description and do not end description with 'rule'.</strong> Custom rules with 'Aliasname something rule' description will be removed by package.]]></description>
<fieldname>action</fieldname>
<type>select</type>
<options>
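Review bot: The rewritten help text never names 'Permit Both', although this commit adds that option to the select list just below, and it says Permit rules override almost all other firewall rules without a caution about the inbound direction. I would add an item such as `<li><strong>Permit Both</strong> - creates the pass rules of both 'Permit Inbound' and 'Permit Outbound'</li>`, plus a sentence noting that an inbound Permit on a downloaded list lets whoever maintains that list decide which addresses may reach the network. The source and destination of the generated pass rules are outside the visible hunks, so the wording should be checked against pfblocker.inc. The `<description>` field starts above this hunk.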
@@ -193,6 +205,7 @@
<option><name>Deny Both</name><value>Deny_Both</value></option>
<option><name>Permit Inbound</name><value>Permit_Inbound</value></option>
<option><name>Permit Outbound</name><value>Permit_Outbound</value></option>
+ <option><name>Permit Both</name><value>Permit_Both</value></option>
<option><name>Alias only</name><value>Alias_only</value></option>
<option><name>Disabled</name><value>Disabled</value></option>
</options>
@@ -238,4 +251,5 @@
<custom_php_resync_config_command>
sync_package_pfblocker();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
+