aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorBBcan177 <bbcan177@gmail.com>2015-08-30 22:19:30 -0400
committerBBcan177 <bbcan177@gmail.com>2015-08-30 22:19:30 -0400
commite0acf9ae6217557b2e77152ca498b2f73a08f624 (patch)
tree061c80d97556235c52f6ab5778417d109b1a4c90 /config
parentfe1f8e57ce57b879157ec264028248c31efd09a6 (diff)
downloadpfsense-packages-e0acf9ae6217557b2e77152ca498b2f73a08f624.tar.gz
pfsense-packages-e0acf9ae6217557b2e77152ca498b2f73a08f624.tar.bz2
pfsense-packages-e0acf9ae6217557b2e77152ca498b2f73a08f624.zip
pfBlockerNG mods
Diffstat (limited to 'config')
-rw-r--r--config/pfblockerng/pfblockerng.inc49
-rw-r--r--config/pfblockerng/pfblockerng.php2
-rw-r--r--config/pfblockerng/pfblockerng.sh8
-rw-r--r--config/pfblockerng/pfblockerng.xml10
-rw-r--r--config/pfblockerng/pfblockerng_alerts.php5
-rw-r--r--config/pfblockerng/pfblockerng_install.inc82
-rw-r--r--config/pfblockerng/pfblockerng_top20.xml11
-rw-r--r--config/pfblockerng/pfblockerng_update.php89
8 files changed, 145 insertions, 111 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index 379ce223..646e54ca 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc
@@ -2724,53 +2724,6 @@ function pfblockerng_validate_input($post, &$input_errors) {
}
}
-
-function pfblockerng_php_install_command() {
- require_once("/usr/local/www/pfblockerng/pfblockerng.php");
- global $config,$pfb;
- pfb_global();
-
- // Remove previously used CC folder location if exists
- @rmdir_recursive("{$pfb['dbdir']}/cc");
-
- // Uncompress Country Code File
- @copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2");
- exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['ccdir']}/countrycodes.tar.bz2");
- // Download MaxMind Files and Create Country Code files and Build Continent XML Files
- update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute..."));
- exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1");
-
- update_output_window(gettext("MaxMind Country Database downloads completed..."));
- update_output_window(gettext("Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes..."));
- pfblockerng_uc_countries();
- update_output_window(gettext("Creating pfBlockerNG Continenet XML Files..."));
- pfblockerng_get_countries();
- update_output_window(gettext("Completed Creating pfBlockerNG Continenet XML Files..."));
-
- // Remove Original Maxmind Database Files
- @unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryCSV.zip");
- @unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryWhois.csv");
- @unlink_if_exists("{$pfb['dbdir']}/GeoIPv6.csv");
- @unlink_if_exists("{$pfb['dbdir']}/country_continent.csv");
-
- // Add Widget to Dashboard
- update_output_window(gettext("Adding pfBlockerNG Widget to Dashboard."));
- if ($pfb['keep'] == "on" && !empty($pfb['widgets'])) {
- // Restore previous Widget setting if "Keep" is enabled.
- $config['widgets']['sequence'] = $pfb['widgets'];
- } else {
- $widgets = $config['widgets']['sequence'];
- if (!preg_match("/pfblockerng-container/", $widgets)) {
- if (empty($widgets)) {
- $config['widgets']['sequence'] = "pfblockerng-container:col2:show";
- } else {
- $config['widgets']['sequence'] .= ",pfblockerng-container:col2:show";
- }
- }
- }
-}
-
-
function pfblockerng_php_deinstall_command() {
require_once("config.inc");
global $config,$pfb;
@@ -3030,4 +2983,4 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $p
}
return $success;
}
-?> \ No newline at end of file
+?>
diff --git a/config/pfblockerng/pfblockerng.php b/config/pfblockerng/pfblockerng.php
index f69983e2..83b0ed8d 100644
--- a/config/pfblockerng/pfblockerng.php
+++ b/config/pfblockerng/pfblockerng.php
@@ -189,7 +189,7 @@ function pfb_update_check($header_url, $list_url, $url_format, $pfbfolder) {
if (file_exists($local_file)) {
// Determine if URL is Remote or Local
if ($host['host'] == "127.0.0.1" || $host['host'] == $pfb['iplocal'] || empty($host['host'])) {
- $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($local_file));
+ $remote_tds = gmdate ("D, d M Y H:i:s T", filemtime($list_url));
} else {
$remote_tds = @implode(preg_grep("/Last-Modified/", get_headers($list_url)));
$remote_tds = preg_replace("/^Last-Modified: /","", $remote_tds);
diff --git a/config/pfblockerng/pfblockerng.sh b/config/pfblockerng/pfblockerng.sh
index 13e14760..a5a47058 100644
--- a/config/pfblockerng/pfblockerng.sh
+++ b/config/pfblockerng/pfblockerng.sh
@@ -252,6 +252,8 @@ dupcheck=yes
hcheck=$(grep -c ^ $masterfile); if [ "$hcheck" -eq "0" ]; then dupcheck=no; fi
# Check if Alias exists in Masterfile
lcheck=$(grep -m 1 "$alias " $masterfile ); if [ "$lcheck" == "" ]; then dupcheck=no; fi
+# Check for single alias in masterfile
+aliaslist=$(cut -d' ' -f1 $masterfile | sort | uniq); if [ "$alias" == "$aliaslist" ]; then hcheck="0"; fi
if [ "$dupcheck" == "yes" ]; then
# Grep Alias with a trailing Space character
@@ -424,6 +426,8 @@ dupcheck=yes
hcheck=$(grep -cv "^$" $masterfile); if [ "$hcheck" -eq "0" ]; then dupcheck=no; fi
# Check if Alias exists in Masterfile
lcheck=$(grep -m1 "$alias " $masterfile); if [ "$lcheck" == "" ]; then dupcheck=no; fi
+# Check for single alias in masterfile
+aliaslist=$(cut -d' ' -f1 $masterfile | sort | uniq); if [ "$alias" == "$aliaslist" ]; then hcheck="0"; fi
if [ "$dupcheck" == "yes" ]; then
# Grep Alias with a trailing Space character
@@ -478,7 +482,7 @@ fi
> $tempfile; > $tempfile2; > $dupfile; > $addfile; > $dedupfile; > $matchfile; > $tempmatchfile; count=0; dcount=0; mcount=0; mmcount=0
echo; echo "Querying for Repeat Offenders"
-data="$(find $pfbdeny ! -name "pfB*.txt" ! -name "*_v6.txt" -type f | cut -d '.' -f 1-3 $pfbdeny*.txt |
+data="$(find $pfbdeny ! -name "pfB*.txt" ! -name "*_v6.txt" -type f | xargs cut -d '.' -f 1-3 |
awk -v max="$max" '{a[$0]++}END{for(i in a){if(a[i] > max){print i}}}' | grep -v "^1\.1\.1")"
count=$(echo "$data" | grep -c ^)
if [ "$data" == "" ]; then count=0; fi
@@ -605,7 +609,7 @@ fi
> $tempfile; > $tempfile2; > $dupfile; > $addfile; > $dedupfile; count=0; dcount=0
echo; echo "====================================================================="
echo; echo "Querying for Repeat Offenders"
-data="$(find $pfbdeny ! -name "pfB*.txt" ! -name "*_v6.txt" -type f | cut -d '.' -f 1-3 $pfbdeny*.txt |
+data="$(find $pfbdeny ! -name "pfB*.txt" ! -name "*_v6.txt" -type f | xargs cut -d '.' -f 1-3 |
awk -v max="$max" '{a[$0]++}END{for(i in a){if(a[i] > max){print i}}}' | grep -v "^1\.1\.1")"
count=$(echo "$data" | grep -c ^)
if [ "$data" == "" ]; then count=0; fi
diff --git a/config/pfblockerng/pfblockerng.xml b/config/pfblockerng/pfblockerng.xml
index 218b22e1..d3b2cb16 100644
--- a/config/pfblockerng/pfblockerng.xml
+++ b/config/pfblockerng/pfblockerng.xml
@@ -71,6 +71,10 @@
<chmod>0644</chmod>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/pfblockerng/pfblockerng_install.inc</item>
+ <prefix>/usr/local/pkg/pfblockerng/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/pfblockerng/pfblockerng.php</item>
<prefix>/usr/local/www/pfblockerng/</prefix>
<chmod>0644</chmod>
@@ -542,10 +546,14 @@
</field>
</fields>
<custom_php_install_command>
- pfblockerng_php_install_command();
+ <![CDATA[
+ include_once('/usr/local/pkg/pfblockerng/pfblockerng_install.inc');
+ ]]>
</custom_php_install_command>
<custom_php_deinstall_command>
+ <![CDATA[
pfblockerng_php_deinstall_command();
+ ]]>
</custom_php_deinstall_command>
<custom_php_validation_command>
pfblockerng_validate_input($_POST, $input_errors);
diff --git a/config/pfblockerng/pfblockerng_alerts.php b/config/pfblockerng/pfblockerng_alerts.php
index bfb15c07..7253d04d 100644
--- a/config/pfblockerng/pfblockerng_alerts.php
+++ b/config/pfblockerng/pfblockerng_alerts.php
@@ -451,7 +451,7 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi
}
// Skip Repeated Alerts
- if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) {
+ if (($pfbalert[1] . $pfbalert[3] . $pfbalert[7] . $pfbalert[8] . $pfbalert[10]) == $previous_alert) {
continue;
}
@@ -489,8 +489,7 @@ function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermi
}
// Collect Details for Repeated Alert Comparison
- $previous_srcip = $pfbalert[3] . $pfbalert[7] . $pfbalert[9];
- $previous_dstip = $pfbalert[3] . $pfbalert[8] . $pfbalert[10];
+ $previous_alert = $pfbalert[1] . $pfbalert[3] . $pfbalert[7] . $pfbalert[8] . $pfbalert[10];
}
unset ($pfbalert, $logarr);
return $fields_array;
diff --git a/config/pfblockerng/pfblockerng_install.inc b/config/pfblockerng/pfblockerng_install.inc
new file mode 100644
index 00000000..4dfba49f
--- /dev/null
+++ b/config/pfblockerng/pfblockerng_install.inc
@@ -0,0 +1,82 @@
+<?php
+/*
+ pfBlockerNG_install.inc
+
+ pfBlockerNG
+ Copyright (C) 2015 BBcan177@gmail.com
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+// Install pfBlockerNG package, launched from pfblockerng.xml
+
+require_once('/usr/local/pkg/pfblockerng/pfblockerng.inc');
+require_once('/usr/local/www/pfblockerng/pfblockerng.php');
+
+global $config, $pfb;
+pfb_global();
+
+// Remove previously used CC folder location if exists
+@rmdir_recursive("{$pfb['dbdir']}/cc");
+
+// Uncompress Country Code File
+@copy("{$pfb['dbdir']}/countrycodes.tar.bz2", "{$pfb['ccdir']}/countrycodes.tar.bz2");
+exec("/usr/bin/tar -jx -C {$pfb['ccdir']} -f {$pfb['ccdir']}/countrycodes.tar.bz2");
+// Download MaxMind Files and Create Country Code files and Build Continent XML Files
+update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute..."));
+exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1");
+
+update_output_window(gettext("MaxMind Country Database downloads completed..."));
+update_output_window(gettext("Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes..."));
+pfblockerng_uc_countries();
+update_output_window(gettext("Creating pfBlockerNG Continenet XML Files..."));
+pfblockerng_get_countries();
+update_output_window(gettext("Completed Creating pfBlockerNG Continenet XML Files..."));
+
+// Remove Original Maxmind Database Files
+@unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryCSV.zip");
+@unlink_if_exists("{$pfb['dbdir']}/GeoIPCountryWhois.csv");
+@unlink_if_exists("{$pfb['dbdir']}/GeoIPv6.csv");
+@unlink_if_exists("{$pfb['dbdir']}/country_continent.csv");
+
+// Add Widget to Dashboard
+update_output_window(gettext("Adding pfBlockerNG Widget to Dashboard."));
+if ($pfb['keep'] == "on" && !empty($pfb['widgets'])) {
+ // Restore previous Widget setting if "Keep" is enabled.
+ $config['widgets']['sequence'] = $pfb['widgets'];
+} else {
+ $widgets = $config['widgets']['sequence'];
+ if (!preg_match("/pfblockerng-container/", $widgets)) {
+ if (empty($widgets)) {
+ $config['widgets']['sequence'] = "pfblockerng-container:col2:show";
+ } else {
+ $config['widgets']['sequence'] .= ",pfblockerng-container:col2:show";
+ }
+ }
+}
+return TRUE;
+
+?> \ No newline at end of file
diff --git a/config/pfblockerng/pfblockerng_top20.xml b/config/pfblockerng/pfblockerng_top20.xml
index 32ed52e8..030c1385 100644
--- a/config/pfblockerng/pfblockerng_top20.xml
+++ b/config/pfblockerng/pfblockerng_top20.xml
@@ -132,6 +132,17 @@
<type>listtopic</type>
</field>
<field>
+ <description><![CDATA[<font color='red'>Note:</font> pfSense by default implicitly blocks all unsolicited inbound traffic to the WAN
+ interface. Therefore adding GeoIP based firewall rules to the WAN will <strong>not</strong> provide any benefit, unless there are
+ open WAN ports. Also consider protecting just the specific open WAN ports. It's also <strong>not</strong> recommended to
+ block the 'world', instead consider rules to 'Permit' traffic from selected Countries only. Finally, it's just as important
+ to protect the outbound LAN traffic.]]>
+ </description>
+ <type>info</type>
+ <dontdisplayname/>
+ <usecolspan2/>
+ </field>
+ <field>
<fielddescr>LINKS</fielddescr>
<description><![CDATA[<a href="/firewall_aliases.php">Firewall Alias</a> &nbsp;&nbsp;&nbsp;
<a href="/firewall_rules.php">Firewall Rules</a> &nbsp;&nbsp;&nbsp; <a href="diag_logs_filter.php">Firewall Logs</a>]]>
diff --git a/config/pfblockerng/pfblockerng_update.php b/config/pfblockerng/pfblockerng_update.php
index e63d04dc..7911a4e6 100644
--- a/config/pfblockerng/pfblockerng_update.php
+++ b/config/pfblockerng/pfblockerng_update.php
@@ -207,9 +207,9 @@ include_once("head.inc");
<tr>
<td colspan="2" class="listr">
<?php
- if ($pfb['enable'] == "on") {
+ if ($pfb['enable'] == 'on') {
- /* Legend - Time Variables
+ /* Legend - Time variables
$pfb['interval'] Hour interval setting (1,2,3,4,6,8,12,24)
$pfb['min'] Cron minute start time (0-23)
@@ -218,92 +218,70 @@ include_once("head.inc");
$currenthour Current hour
$currentmin Current minute
+ $currentsec Current second
+ $currentdaysec Total number of seconds elapsed so far in the day
$cron_hour_begin First cron hour setting (interval 2-24)
$cron_hour_next Next cron hour setting (interval 2-24)
- $max_min_remain Max minutes to next cron (not including currentmin)
- $min_remain Total minutes remaining to next cron
- $min_final The minute component in hour:min
-
$nextcron Next cron event in hour:mins
- $cronreal Time remaining to next cron in hours:mins */
+ $cronreal Time remaining to next cron in hours:mins:secs */
$currenthour = date('G');
$currentmin = date('i');
+ $currentsec = date('s');
+ $currentdaysec = ($currenthour * 3600) + ($currentmin * 60) + $currentsec;
if ($pfb['interval'] == 1) {
- if (($currenthour + ($currentmin/60)) <= ($pfb['hour'] + ($pfb['min']/60))) {
+ if ($currentmin < $pfb['min']) {
$cron_hour_next = $currenthour;
} else {
- $cron_hour_next = $currenthour + 1;
- }
- if (($currenthour + ($pfb['min']/60)) >= 24) {
- $cron_hour_next = $pfb['hour'];
+ $cron_hour_next = ($currenthour + 1) % 24;
}
- $max_min_remain = 60 + $pfb['min'];
}
elseif ($pfb['interval'] == 24) {
- $cron_hour_next = $cron_hour_begin = $pfb['24hour'] != '' ? $pfb['24hour'] : '00';
+ $cron_hour_next = $cron_hour_begin = !empty($pfb['24hour']) ?: '00';
}
else {
- // Find Next Cron hour schedule
+ // Find next cron hour schedule
$crondata = pfb_cron_base_hour();
+ $cron_hour_begin = 0;
+ $cron_hour_next = '';
if (!empty($crondata)) {
foreach ($crondata as $key => $line) {
if ($key == 0) {
$cron_hour_begin = $line;
}
- if ($line > $currenthour) {
+ if (($line * 3600) + ($pfb['min'] * 60) > $currentdaysec) {
$cron_hour_next = $line;
break;
}
}
}
-
- // Roll over to First cron hour setting
- if (!isset($cron_hour_next)) {
- if (empty($cron_hour_begin)) {
- // $cron_hour_begin is hour '0'
- $cron_hour_next = (24 - $currenthour);
- } else {
- $cron_hour_next = $cron_hour_begin;
- }
- }
- }
-
- if ($pfb['interval'] != 1) {
- if (($currenthour + ($currentmin/60)) <= ($cron_hour_next + ($pfb['min']/60))) {
- $max_min_remain = (($cron_hour_next - $currenthour) * 60) + $pfb['min'];
- } else {
- $max_min_remain = ((24 - $currenthour + $cron_hour_begin) * 60) + $pfb['min'];
+ // Roll over to the first cron hour setting
+ if (empty($cron_hour_next)) {
$cron_hour_next = $cron_hour_begin;
}
}
- $min_remain = ($max_min_remain - $currentmin);
- $min_final = ($min_remain % 60);
- $sec_final = (60 - date('s'));
-
- if (strlen($sec_final) == 1) {
- $sec_final = '0' . $sec_final;
- }
- if (strlen($min_final) == 1) {
- $min_final = '0' . $min_final;
- }
- if (strlen($cron_hour_next) == 1) {
- $cron_hour_next = '0' . $cron_hour_next;
- }
-
- if ($min_remain > 59) {
- $nextcron = floor($min_remain / 60) . ':' . $min_final . ':' . $sec_final;
+ $cron_seconds_next = ($cron_hour_next * 3600) + ($pfb['min'] * 60);
+ if ($currentdaysec < $cron_seconds_next) {
+ // The next cron job is ahead of us in the day
+ $sec_remain = $cron_seconds_next - $currentdaysec;
} else {
- $nextcron = '00:' . $min_final . ':' . $sec_final;
+ // The next cron job is tomorrow
+ $sec_remain = (24*60*60) + $cron_seconds_next - $currentdaysec;
}
- if ($pfb['min'] == 0) {
- $pfb['min'] = '00';
- }
+ // Ensure hour:min:sec variables are two digit
+ $pfb['min'] = str_pad($pfb['min'], 2, '0', STR_PAD_LEFT);
+ $sec_final = str_pad(($sec_remain % 60), 2, '0', STR_PAD_LEFT);
+ $min_remain = str_pad(floor($sec_remain / 60), 2, '0', STR_PAD_LEFT);
+ $min_final = str_pad(($min_remain % 60), 2, '0', STR_PAD_LEFT);
+ $hour_final = str_pad(floor($min_remain / 60), 2, '0', STR_PAD_LEFT);
+ $cron_hour_next = str_pad($cron_hour_next, 2, '0', STR_PAD_LEFT);
+
$cronreal = "{$cron_hour_next}:{$pfb['min']}";
+ $nextcron = "{$hour_final}:{$min_final}:{$sec_final}";
}
if (empty($pfb['enable']) || empty($cron_hour_next)) {
@@ -314,9 +292,8 @@ include_once("head.inc");
echo "NEXT Scheduled CRON Event will run at <font size=\"3\">&nbsp;{$cronreal}</font>&nbsp; with
<font size=\"3\"><span class=\"red\">&nbsp;{$nextcron}&nbsp;</span></font> time remaining.";
- // Query for any Active pfBlockerNG CRON Jobs
- $result_cron = array();
- $cron_event = exec ("/bin/ps -wax", $result_cron);
+ // Query for any active pfBlockerNG CRON jobs
+ exec ('/bin/ps -wax', $result_cron);
if (preg_grep("/pfblockerng[.]php\s+cron/", $result_cron)) {
echo "<font size=\"2\"><span class=\"red\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Active pfBlockerNG CRON Job </span></font>&nbsp;&nbsp;";