author | Seth Mos <seth.mos@xs4all.nl> | 2007-01-09 16:07:19 +0000 |
---|---|---|
committer | Seth Mos <seth.mos@xs4all.nl> | 2007-01-09 16:07:19 +0000 |
commit | ca0c95bd660bbc2780d933f50f47de3524d7dc10 (patch) | |
tree | 9e3d1aaa74cb2e5f8506d7f2a24efeea4c6091ea /packages/squid/squid.inc | |
parent | f8d35721054ac1108ad544ee75b976a54d649ef6 (diff) | |
download | pfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.tar.gz pfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.tar.bz2 pfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.zip |
Enter version p8. First attempt at a working black- and whitelisting scheme.
The previous version had an http_access allow on both GET and POST requests,
which ends up being the world. Has this ever worked?
Removed the MAC acl backend since it is not supported.
Next step: squidguard or dansguardian
Diffstat (limited to 'packages/squid/squid.inc')
-rw-r--r-- | packages/squid/squid.inc | 53 |
1 files changed, 29 insertions, 24 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index a3c2b5d8..5a716747 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -369,7 +369,8 @@ function squid_resync_general() {
 global $g, $config, $valid_acls;
 $settings = $config['installedpackages']['squid']['config'][0];
- $conf = '';
+ $conf = "# This file is automatically generated by pfSense\n";
+ $conf = "# Do not edit manually!\n";
 $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
 $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
@@ -407,7 +408,7 @@ error_directory $errordir
 visible_hostname $hostname
 cache_mgr $email
-cache_access_log $logdir_access
+access_log $logdir_access
 cache_log $logdir_cache
 cache_store_log none
 shutdown_lifetime 3 seconds
@@ -421,16 +422,9 @@ EOD;
 $ip = long2ip(ip2long($ip) & ip2long($mask));
 $src .= " $ip/$mask";
 }
+ $conf .= "Allow local network(s) on interface(s)\n";
 $conf .= "acl localnet src $src\n";
 $valid_acls[] = 'localnet';
- $conf .= <<<EOD
-acl get method GET
-http_access allow get
-acl post method POST
-http_access allow post
-
-EOD;
-
 }
 return $conf;
@@ -493,9 +487,12 @@ function squid_resync_redirector() {
 global $config;
 $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
- if ($httpav_enabled)
- return ('redirect_program /usr/local/bin/squirm');
- return '# No redirector configured';
+ if ($httpav_enabled) {
+ $conf = "redirect_program /usr/local/bin/squirm\n";
+ } else {
+ $conf = "# No redirector configured\n";
+ }
+ return $conf;
 }
 function squid_resync_nac() {
@@ -505,6 +502,8 @@ function squid_resync_nac() {
 $webgui_port = $config['system']['webgui']['port'];
 $conf = <<<EOD
+
+# Setup some default acls
 acl all src 0.0.0.0/0
 acl localhost src 127.0.0.1
 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535 
@@ -523,11 +522,9 @@ EOD;
 }
 $options = array(
 'unrestricted_hosts' => 'src',
- 'unrestricted_macs' => 'arp',
 'banned_hosts' => 'src',
- 'banned_macs' => 'arp',
- 'whitelist' => 'url_regex -i',
- 'blacklist' => 'url_regex -i',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
 );
 foreach ($options as $option => $directive) {
 $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
@@ -539,7 +536,7 @@ EOD;
 }
 $conf .= <<<EOD
-no_cache deny dynamic
+cache deny dynamic
 http_access allow manager localhost
 http_access deny manager
 http_access allow purge localhost
@@ -547,6 +544,7 @@ http_access deny purge
 http_access deny !safeports
 http_access deny CONNECT !sslports
+# Always allow localhost connections
 http_access allow localhost
 EOD;
@@ -587,7 +585,7 @@ delay_initial_bucket_level 100
 EOD;
- foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) {
+ foreach (array('unrestricted_hosts') as $item) {
 if (in_array($item, $valid_acls))
 $conf .= "delay_access 1 deny $item\n";
 }
@@ -613,7 +611,8 @@ EOD;
 $contents .= "\.$ext\$\n";
 file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
- $conf .= "acl throttle_exts url_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
+ $conf .= "# Throttle extensions matched in the url\n";
+ $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
 $conf .= "delay_access 1 allow throttle_exts\n";
 $conf .= "delay_access 1 deny all\n";
 }
@@ -631,7 +630,6 @@ function squid_resync_auth() {
 // Deny the banned guys before allowing the good guys
 $banned = array(
 'banned_hosts',
- 'banned_macs',
 );
 $banned = array_filter($banned, 'squid_is_valid_acl');
 foreach ($banned as $acl)
@@ -639,15 +637,22 @@ function squid_resync_auth() {
 // Unrestricted hosts take precendence over blacklist
 if (squid_is_valid_acl('unrestricted_hosts'))
+ $conf .= "# These hosts do not have any ACL\n";
 $conf .= "http_access allow unrestricted_hosts\n";
- if (squid_is_valid_acl('unrestricted_macs'))
- $conf .= "http_access allow unrestricted_macs\n";
+ // Whitelist and blacklist also take precendence
 if (squid_is_valid_acl('whitelist'))
+ $conf .= "# Always allow access to whitelist domains\n";
 $conf .= "http_access allow whitelist\n";
 if (squid_is_valid_acl('blacklist'))
+ $conf .= "# Block access to blacklist domains\n";
 $conf .= "http_access deny blacklist\n";
+ // Allow locanet if it is enabled and defined
+ if (squid_is_valid_acl('localnet'))
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "http_access allow localnet\n";
+
 $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
 $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
@@ -717,7 +722,7 @@ EOD;
 $conf .= "http_access allow password $acl\n";
 }
-
+ $conf .= "# Default block all to be sure\n";
 $conf .= "http_access deny all\n";
 return $conf; |
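Review bot: The second header line in the first hunk, `$conf = "# Do not edit manually!\n";`, assigns with `=` rather than `.=`, so it overwrites the "automatically generated" line that was just set and only the second comment ever reaches squid.conf. Change it to `$conf .= "# Do not edit manually!\n";`. The body of squid_resync_general continues well past this hunk, so the rest of the header construction is not visible here.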
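Review bot: In the third hunk the added `$conf .= "Allow local network(s) on interface(s)\n";` is missing its leading `#`, so a bare `Allow local network(s) on interface(s)` line is written into squid.conf where it is not a directive and will be rejected or at best warned about when Squid parses the file. It should read `$conf .= "# Allow local network(s) on interface(s)\n";`. Removing the unconditional `acl get method GET` / `http_access allow get` (and the POST twin) is the right call, since those rules allowed every client before any later rule was consulted. The `if` block that defines `localnet` opens before this hunk, so the setting that enables it cannot be checked from here.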
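Review bot: Switching `whitelist`/`blacklist` to `dstdom_regex -i` applies an unanchored, case-insensitive regex to each comma-separated user entry, so a whitelist entry such as `example.com` also matches `example.com.attacker.net`, `notexample.com` and `example-com.net` (the `.` is a wildcard). Because `http_access allow whitelist` is emitted ahead of the blacklist and of the password rules in squid_resync_auth, any destination whose hostname merely contains a whitelisted string slips past both. Prefer `'whitelist' => 'dstdomain'` with `.example.com`-style entries, or anchor each line when the ACL file is written, for example `'^(.*\.)?' . preg_quote($entry) . '$'`. The same unanchored match makes the blacklist over-block rather than bypass, which is the safer failure but still worth the same treatment. The loop that writes `$contents` to the ACL file continues beyond this hunk.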
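Review bot: Every `if (squid_is_valid_acl(...))` in the first hunk now guards only the comment line inserted directly beneath it, because the original brace-less single-statement body was pushed one line down; as a result `http_access allow unrestricted_hosts`, `allow whitelist`, `deny blacklist` and `allow localnet` are emitted unconditionally, and Squid treats an `http_access` reference to an ACL that was never declared as a fatal configuration error, so the proxy will not start unless all four ACLs happen to be defined. Wrapping each comment/rule pair in braces restores the intended behaviour (below). Separately, `http_access allow localnet` is placed before the `$auth_method` handling and the `allow password` rules that follow, so local-network clients presumably never reach authentication at all; if that is not the design intent, move it after the password rules. The new comments also misspell "precedence" and "localnet". squid_resync_auth both starts and ends outside this hunk.

```php
// Unrestricted hosts take precedence over blacklist
if (squid_is_valid_acl('unrestricted_hosts')) {
	$conf .= "# These hosts do not have any ACL\n";
	$conf .= "http_access allow unrestricted_hosts\n";
}
// Whitelist and blacklist also take precedence
if (squid_is_valid_acl('whitelist')) {
	$conf .= "# Always allow access to whitelist domains\n";
	$conf .= "http_access allow whitelist\n";
}
if (squid_is_valid_acl('blacklist')) {
	$conf .= "# Block access to blacklist domains\n";
	$conf .= "http_access deny blacklist\n";
}
// Allow localnet if it is enabled and defined
if (squid_is_valid_acl('localnet')) {
	$conf .= "# Allow local network(s) on interface(s)\n";
	$conf .= "http_access allow localnet\n";
}
// … unchanged: transparent proxy / auth method selection …
```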