Enter version p8. first attempt at a working black and whitelisting scheme.

The previous version had a http_access allow on both GET and POST request.
Which ends up being the world. Has this ever worked?
Removed the mac acl backend since it is not supported.
Next step squidguard or danguardian

2 files changed, 30 insertions, 25 deletions

diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index a3c2b5d8..5a716747 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -369,7 +369,8 @@ function squid_resync_general() {
 	global $g, $config, $valid_acls;
 
 	$settings = $config['installedpackages']['squid']['config'][0];
-	$conf = '';
+	$conf = "# This file is automatically generated by pfSense\n";
+	$conf = "# Do not edit manually!\n";
 
 	$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
 	$ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
@@ -407,7 +408,7 @@ error_directory $errordir
 visible_hostname $hostname
 cache_mgr $email
 
-cache_access_log $logdir_access
+access_log $logdir_access
 cache_log $logdir_cache
 cache_store_log none
 shutdown_lifetime 3 seconds
@@ -421,16 +422,9 @@ EOD;
 			$ip = long2ip(ip2long($ip) & ip2long($mask));
 			$src .= " $ip/$mask";
 		}
+		$conf .= "Allow local network(s) on interface(s)\n";
 		$conf .= "acl localnet src $src\n";
 		$valid_acls[] = 'localnet';
-		$conf .= <<<EOD
-acl get method GET
-http_access allow get
-acl post method POST
-http_access allow post
-
-EOD;
-
 	}
 
 	return $conf;
@@ -493,9 +487,12 @@ function squid_resync_redirector() {
 	global $config;
 
 	$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
-	if ($httpav_enabled)
-		return ('redirect_program /usr/local/bin/squirm');
-	return '# No redirector configured';
+	if ($httpav_enabled) {
+		$conf = "redirect_program /usr/local/bin/squirm\n";
+	} else {
+		$conf = "# No redirector configured\n";
+	}
+	return $conf;
 }
 
 function squid_resync_nac() {
@@ -505,6 +502,8 @@ function squid_resync_nac() {
 	$webgui_port = $config['system']['webgui']['port'];
 
 	$conf = <<<EOD
+
+# Setup some default acls
 acl all src 0.0.0.0/0
 acl localhost src 127.0.0.1
 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535
@@ -523,11 +522,9 @@ EOD;
 	}
 
 	$options = array(	'unrestricted_hosts' => 'src',
-				'unrestricted_macs' => 'arp',
 				'banned_hosts' => 'src',
-				'banned_macs' => 'arp',
-				'whitelist' => 'url_regex -i',
-				'blacklist' => 'url_regex -i',
+				'whitelist' => 'dstdom_regex -i',
+				'blacklist' => 'dstdom_regex -i',
 	);
 	foreach ($options as $option => $directive) {
 		$contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
@@ -539,7 +536,7 @@ EOD;
 	}
 
 	$conf .= <<<EOD
-no_cache deny dynamic
+cache deny dynamic
 http_access allow manager localhost
 http_access deny manager
 http_access allow purge localhost
@@ -547,6 +544,7 @@ http_access deny purge
 http_access deny !safeports
 http_access deny CONNECT !sslports
 
+# Always allow localhost connections
 http_access allow localhost
 
 EOD;
@@ -587,7 +585,7 @@ delay_initial_bucket_level 100
 
 EOD;
 
-	foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) {
+	foreach (array('unrestricted_hosts') as $item) {
 		if (in_array($item, $valid_acls))
 			$conf .= "delay_access 1 deny $item\n";
 	}
@@ -613,7 +611,8 @@ EOD;
 			$contents .= "\.$ext\$\n";
 		file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
 
-		$conf .= "acl throttle_exts url_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
+		$conf .= "# Throttle extensions matched in the url\n";
+		$conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
 		$conf .= "delay_access 1 allow throttle_exts\n";
 		$conf .= "delay_access 1 deny all\n";
 	}
@@ -631,7 +630,6 @@ function squid_resync_auth() {
 
 	// Deny the banned guys before allowing the good guys
 	$banned = array(	'banned_hosts',
-				'banned_macs',
 	);
 	$banned = array_filter($banned, 'squid_is_valid_acl');
 	foreach ($banned as $acl)
@@ -639,15 +637,22 @@ function squid_resync_auth() {
 
 	// Unrestricted hosts take precendence over blacklist
 	if (squid_is_valid_acl('unrestricted_hosts'))
+		$conf .= "# These hosts do not have any ACL\n";
 		$conf .= "http_access allow unrestricted_hosts\n";
-	if (squid_is_valid_acl('unrestricted_macs'))
-		$conf .= "http_access allow unrestricted_macs\n";
+
 	// Whitelist and blacklist also take precendence
 	if (squid_is_valid_acl('whitelist'))
+		$conf .= "# Always allow access to whitelist domains\n";
 		$conf .= "http_access allow whitelist\n";
 	if (squid_is_valid_acl('blacklist'))
+		$conf .= "# Block access to blacklist domains\n";
 		$conf .= "http_access deny blacklist\n";
 
+	// Allow locanet if it is enabled and defined
+	if (squid_is_valid_acl('localnet'))
+		$conf .= "# Allow local network(s) on interface(s)\n";
+		$conf .= "http_access allow localnet\n";
+
 	$transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
 	$auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
 
@@ -717,7 +722,7 @@ EOD;
 			$conf .= "http_access allow password $acl\n";
 	}
 
-
+	$conf .= "# Default block all to be sure\n";
 	$conf .= "http_access deny all\n";
 
 	return $conf;
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index 5d44ade0..b75abb8a 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packagegui>
 	<name>squid</name>
-	<version>2.6.5_1-p7</version>
+	<version>2.6.5_1-p8</version>
 
 	<include_file>/usr/local/pkg/squid.inc</include_file>
 	<!-- Installation -->