diff options
author | Renato Botelho <garga@FreeBSD.org> | 2015-02-13 16:20:59 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-02-13 16:20:59 -0200 |
commit | 0feb19d9aa015ca9ca1065b12d116af755493ea6 (patch) | |
tree | 0d75946aa40c2e46e7c006eeb7d07fdca47da32f /config/pfblockerng/pfblockerng.inc | |
parent | dcf3d32ea371e21b7c7f200df5532dcb8faa55bc (diff) | |
parent | af2c372454cae89f2311269f5858e66ebe6d3417 (diff) | |
download | pfsense-packages-0feb19d9aa015ca9ca1065b12d116af755493ea6.tar.gz pfsense-packages-0feb19d9aa015ca9ca1065b12d116af755493ea6.tar.bz2 pfsense-packages-0feb19d9aa015ca9ca1065b12d116af755493ea6.zip |
Merge pull request #818 from BBcan177/pfBlockerNG_021015_1
Diffstat (limited to 'config/pfblockerng/pfblockerng.inc')
-rw-r--r-- | config/pfblockerng/pfblockerng.inc | 265 |
1 files changed, 140 insertions, 125 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index 793bf7a4..a1ee6abc 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -48,9 +48,11 @@ require_once("services.inc"); # [ $pfb ] pfBlockerNG Global Array for Paths and Variables. This needs to be called to get the Updated Settings. function pfb_global() { - global $g,$config,$pfb; + # Collect pfSense Version + $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3); + # Folders $pfb['dbdir'] = "{$g['vardb_path']}/pfblockerng"; $pfb['aliasdir'] = "{$g['vardb_path']}/aliastables"; @@ -77,9 +79,6 @@ function pfb_global() { $pfb['supptxt'] = "{$pfb['dbdir']}/pfbsuppression.txt"; $pfb['script'] = 'sh /usr/local/pkg/pfblockerng/pfblockerng.sh'; - # Collect pfSense Version - $pfb['pfsenseversion'] = substr(trim(file_get_contents("/etc/version")),0,3); - # General Variables $pfb['config'] = $config['installedpackages']['pfblockerng']['config'][0]; @@ -461,9 +460,9 @@ function sync_package_pfblockerng($cron = "") { } - ############################################# - # Configure ARRAYS # - ############################################# + ################################# + # Configure ARRAYS # + ################################# $continents = array ( "Africa" => "pfB_Africa", "Antartica" => "pfB_Antartica", @@ -522,9 +521,9 @@ function sync_package_pfblockerng($cron = "") { ); - ############################################# - # Configure Rule Suffix # - ############################################# + ######################################### + # Configure Rule Suffix # + ######################################### # Discover if any Rules are AutoRules (If no AutoRules found, $pfb['autorules'] is FALSE, Skip Rules Re-Order ) # To configure Auto Rule Suffix. pfBlockerNG must be disabled to change Suffix and to avoid Duplicate Rules @@ -594,9 +593,9 @@ function sync_package_pfblockerng($cron = "") { } - ############################################# - # Configure INBOUND/OUTBOUND INTERFACES # - ############################################# + ######################################################### + # Configure INBOUND/OUTBOUND INTERFACES # + ######################################################### # Collect pfSense Interface Order $ifaces = get_configured_interface_list(); @@ -660,9 +659,9 @@ function sync_package_pfblockerng($cron = "") { } - ############################################# - # Clear Removed Lists from Masterfiles # - ############################################# + ################################################# + # Clear Removed Lists from Masterfiles # + ################################################# # Process to keep Masterfiles in Sync with Valid Lists from config.conf file. $pfb['sync_master'] = TRUE; @@ -886,9 +885,9 @@ function sync_package_pfblockerng($cron = "") { } } - ############################################## - # Clear Match/Pass/ET/Original Files/Folders # - ############################################## + ######################################################### + # Clear Match/Pass/ET/Original Files/Folders # + ######################################################### # When pfBlockerNG is Disabled and 'Keep Blocklists' is Disabled. if ($pfb['enable'] == "" && $pfb['keep'] == "" && !$pfb['install']) { @@ -907,17 +906,17 @@ function sync_package_pfblockerng($cron = "") { } - ############################################# - # Create Suppression Txt File # - ############################################# + ######################################### + # Create Suppression Txt File # + ######################################### if ($pfb['enable'] == "on" && $pfb['supp'] == "on") pfb_create_suppression_file(); - ############################################# - # Assign Countries # - ############################################# + ################################# + # Assign Countries # + ################################# foreach ($continents as $continent => $pfb_alias) { if (is_array($config['installedpackages']['pfblockerng' . strtolower(preg_replace('/ /','',$continent))]['config'])) { @@ -1143,9 +1142,9 @@ function sync_package_pfblockerng($cron = "") { # UNSET variables unset ($continent, $continent_existing, $continent_new); - ############################################# - # Download and Collect IPv4/IPv6 lists # - ############################################# + ################################################# + # Download and Collect IPv4/IPv6 lists # + ################################################# # IPv4 REGEX Definitions $pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/'; @@ -1156,21 +1155,25 @@ function sync_package_pfblockerng($cron = "") { # IPv4 preg_replace Regex Filter array $pfb_ipreg = array(); - $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet - $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces - $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8 - $pfb_ipreg[3] = '/0\.0\.0\.0/'; # Remove 0.0.0.0 + $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet + $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces + $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8 + $pfb_ipreg[3] = '/0\.0\.0\.0\/32/'; # Remove 0.0.0.0/32 + $pfb_ipreg[4] = '/0\.0\.0\.0/'; # Remove 0.0.0.0 # IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex Definition for IPv6 ** # https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html $pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}'; - $pattern2 = '([A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; + $pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; $pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}'; $pattern4 = '([A-Fa-f0-9]{1,4}:){3}:([A-Fa-f0-9]{1,4}:){0,3}[A-Fa-f0-9]{1,4}'; $pattern5 = '([A-Fa-f0-9]{1,4}:){4}:([A-Fa-f0-9]{1,4}:){0,2}[A-Fa-f0-9]{1,4}'; $pattern6 = '([A-Fa-f0-9]{1,4}:){5}:([A-Fa-f0-9]{1,4}:){0,1}[A-Fa-f0-9]{1,4}'; $pattern7 = '([A-Fa-f0-9]{1,4}:){6}:[A-Fa-f0-9]{1,4}'; - $pfb['ipv6'] = "/^($pattern1)$|^($pattern2)$|^($pattern3)$|^($pattern4)$|^($pattern5)$|^($pattern6)$|^($pattern7)$/"; + $pattern8 = '[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}:[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; + $pattern9 = '[A-Fa-f0-9]{1,4}:([A-Fa-f0-9]{1,4}::)\/[0-9]{2}'; + $pattern10 = '[A-Fa-f0-9]{1,4}::\/[0-9]{2}'; + $pfb['ipv6'] = "/^($pattern1)$|^($pattern2)$|^($pattern3)$|^($pattern4)$|^($pattern5)$|^($pattern6)$|^($pattern7)$|^($pattern8)$|^($pattern9)$|^($pattern10)$/"; $pfb['supp_update'] = FALSE; $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); @@ -1230,7 +1233,7 @@ function sync_package_pfblockerng($cron = "") { $host = @parse_url($row['url']); $list_url = "{$row['url']}"; if ($row['format'] != "rsync" || $row['format'] != "html") { - if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { + if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { $remote_tds = "local"; } else { $remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url))); @@ -1382,12 +1385,14 @@ function sync_package_pfblockerng($cron = "") { if (!empty($url_list)) { if ($row['format'] == "gz" && $vtype == "_v4") { foreach ($url_list as $line) { - # Network range 192.168.0.0-192.168.0.254 - if (preg_match($pfb['range'],$line,$matches)) { - $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); - if (!empty($a_cidr)) { - foreach ($a_cidr as $cidr) { - $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n"; + if (!preg_match("/^#/", $line)) { + # Network range 192.168.0.0-192.168.0.254 + if (preg_match($pfb['range'],$line,$matches)) { + $a_cidr = ip_range_to_subnet_array_temp2($matches[1],$matches[2]); + if (!empty($a_cidr)) { + foreach ($a_cidr as $cidr) { + $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n"; + } } } } @@ -1396,44 +1401,52 @@ function sync_package_pfblockerng($cron = "") { elseif ($row['format'] == "block" && $vtype == "_v4") { foreach ($url_list as $line) { - # Block Type '218.77.79.0 218.77.79.255 24' - if (preg_match($pfb['block'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n"; + if (!preg_match("/^#/", $line)) { + # Block Type '218.77.79.0 218.77.79.255 24' + if (preg_match($pfb['block'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n"; + } } } } elseif ($row['format'] == "html" && $vtype == "_v4") { foreach ($url_list as $line) { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + if (!preg_match("/^#/", $line)) { + # CIDR format 192.168.0.0/16 + if (preg_match($pfb['cidr'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } + # Single ip addresses + elseif (preg_match($pfb['s_html'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } } } } elseif ($vtype == "_v6") { foreach ($url_list as $line) { - # IPv6 Regex Match - if (preg_match($pfb['ipv6'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + if (!preg_match("/^#/", $line)) { + # IPv6 Regex Match + if (preg_match($pfb['ipv6'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } } } } else { foreach ($url_list as $line) { - # CIDR format 192.168.0.0/16 - if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; - } - # Single ip addresses - elseif (preg_match($pfb['single'],$line,$matches)) { - $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + if (!preg_match("/^#/", $line)) { + # CIDR format 192.168.0.0/16 + if (preg_match($pfb['cidr'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } + # Single ip addresses + elseif (preg_match($pfb['single'],$line,$matches)) { + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; + } } } } @@ -1510,7 +1523,7 @@ function sync_package_pfblockerng($cron = "") { $ip2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", "\"^$1\.$2\.$3\.\"", $ip); # Only Perform these Checks if they are not "localfiles" - if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { + if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) { $log = " [ {$alias} {$header_url} ] Local File Failure \n"; pfb_logger("{$log}","2"); } else { @@ -1646,9 +1659,9 @@ function sync_package_pfblockerng($cron = "") { } - ############################################# - # REPUTATION PROCESSES # - ############################################# + ################################# + # REPUTATION PROCESSES # + ################################# # IP Reputation processes (pdup and ddup) if ($pfb['pdup'] == "on" && $pfb['dupcheck'] && !$pfb['save'] && $pfb['enable'] == "on") { @@ -1660,9 +1673,9 @@ function sync_package_pfblockerng($cron = "") { exec ("{$pfb['script']} dedup x {$pfb['dmax']} {$pfb['dedup']} {$pfb['ccexclude']} {$pfb['ccwhite']} {$pfb['ccblack']} >> {$pfb['log']} 2>&1"); } - ############################################# - # CONFIGURE ALIASES # - ############################################# + ################################# + # CONFIGURE ALIASES # + ################################# $list_type = array ("pfblockernglistsv4" => "_v4", "pfblockernglistsv6" => "_v6"); foreach ($list_type as $ip_type => $vtype) { @@ -1871,9 +1884,9 @@ function sync_package_pfblockerng($cron = "") { ${$alias} = ""; - ############################################# - # UPDATE PfSENSE ALIAS TABLES # - ############################################# + ######################################### + # UPDATE pfSense ALIAS TABLES # + ######################################### #update pfsense alias table if (is_array($config['aliases']['alias'])) { @@ -1910,9 +1923,9 @@ function sync_package_pfblockerng($cron = "") { unset($new_aliases, $cbalias); - ############################################# - # Assign rules # - ############################################# + ######################### + # Assign Rules # + ######################### # Only Execute if AutoRules are defined or if an Alias has been removed. if ($pfb['autorules'] || $pfb['enable'] == "" || $pfb['remove']) { @@ -2178,50 +2191,9 @@ function sync_package_pfblockerng($cron = "") { unset ($other_rules,$fother_rules,$permit_rules,$fpermit_rules,$match_rules,$fmatch_rules); } - ############################################# - # Define/Apply CRON Jobs # - ############################################# - - # Clear any existing pfBlockerNG Cron Jobs - install_cron_job("pfblockerng.php cron", false); - - # Replace Cron job with any User Changes to $pfb_min - if ($pfb['enable'] == "on") { - # Define pfBlockerNG CRON Job - $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; - # $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) - $pfb_hour = "*"; - $pfb_mday = "*"; - $pfb_month = "*"; - $pfb_wday = "*"; - $pfb_who = "root"; - - install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); - } - - # Clear any existing pfBlockerNG MaxMind CRON Job - install_cron_job("pfblockerng.php dc", false); - - if ($pfb['enable'] == "on") { - # Define pfBlockerNG MaxMind CRON Job - $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1"; - - # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website - - $pfb_gmin = "0"; - $pfb_ghour = rand(0,23); - $pfb_gmday = "1,2,3,4,5,6,7"; - $pfb_gmonth = "*"; - $pfb_gwday = "2"; - $pfb_gwho = "root"; - - install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); - } - - - ############################################# - # Closing Processes # - ############################################# + ################################# + # Closing Processes # + ################################# #uncheck Reusing Existing Downloads Check box if (!$pfb['save'] && $pfb['enable'] == "on") @@ -2234,11 +2206,13 @@ function sync_package_pfblockerng($cron = "") { if ($pfb['autorules'] && $rules != $new_rules || $pfb['enable'] == "" || $pfb['remove']) { require_once("filter.inc"); - $log = "\n===[ Aliastables / Rules ]================================\n\n"; - pfb_logger("{$log}","1"); + if (!$pfb['save']) { + $log = "\n===[ Aliastables / Rules ]================================\n\n"; + pfb_logger("{$log}","1"); - $log = "Firewall Rule Changes Found, Applying Filter Reload \n"; - pfb_logger("{$log}","1"); + $log = "Firewall Rule Changes Found, Applying Filter Reload \n"; + pfb_logger("{$log}","1"); + } # Remove all pfBlockerNG Alias tables if (!empty($aliases_list)) { @@ -2291,9 +2265,9 @@ function sync_package_pfblockerng($cron = "") { #sync config pfblockerng_sync_on_changes(); - ############################################# - # FINAL REPORTING # - ############################################# + ################################# + # FINAL REPORTING # + ################################# # Only run with CRON or Force Invoked Process if ((!$pfb['save'] && $pfb['dupcheck'] && $pfb['enable'] == "on") || $pfb['summary']) { @@ -2305,6 +2279,47 @@ function sync_package_pfblockerng($cron = "") { $log = "\n\n UPDATE PROCESS ENDED [ NOW ]\n"; pfb_logger("{$log}","1"); } + + + ######################################### + # Define/Apply CRON Jobs # + ######################################### + + # Clear any existing pfBlockerNG Cron Jobs + install_cron_job("pfblockerng.php cron", false); + + # Replace Cron job with any User Changes to $pfb_min + if ($pfb['enable'] == "on") { + # Define pfBlockerNG CRON Job + $pfb_cmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> {$pfb['log']} 2>&1"; + # $pfb['min'] ( User Defined Variable. Variable defined at start of Script ) + $pfb_hour = "*"; + $pfb_mday = "*"; + $pfb_month = "*"; + $pfb_wday = "*"; + $pfb_who = "root"; + + install_cron_job($pfb_cmd, true, $pfb['min'], $pfb_hour, $pfb_mday, $pfb_month, $pfb_wday, $pfb_who); + } + + # Clear any existing pfBlockerNG MaxMind CRON Job + install_cron_job("pfblockerng.php dc", false); + + if ($pfb['enable'] == "on") { + # Define pfBlockerNG MaxMind CRON Job + $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1"; + + # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website + + $pfb_gmin = "0"; + $pfb_ghour = rand(0,23); + $pfb_gmday = "1,2,3,4,5,6,7"; + $pfb_gmonth = "*"; + $pfb_gwday = "2"; + $pfb_gwho = "root"; + + install_cron_job($pfb_gcmd, true, $pfb_gmin, $pfb_ghour, $pfb_gmday, $pfb_gmonth, $pfb_gwday, $pfb_gwho); + } } |