aboutsummaryrefslogtreecommitdiffstats
path: root/packages
diff options
context:
space:
mode:
authorSeth Mos <seth.mos@xs4all.nl>2007-01-09 16:07:19 +0000
committerSeth Mos <seth.mos@xs4all.nl>2007-01-09 16:07:19 +0000
commitca0c95bd660bbc2780d933f50f47de3524d7dc10 (patch)
tree9e3d1aaa74cb2e5f8506d7f2a24efeea4c6091ea /packages
parentf8d35721054ac1108ad544ee75b976a54d649ef6 (diff)
downloadpfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.tar.gz
pfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.tar.bz2
pfsense-packages-ca0c95bd660bbc2780d933f50f47de3524d7dc10.zip
Enter version p8. first attempt at a working black and whitelisting scheme.
The previous version had a http_access allow on both GET and POST request. Which ends up being the world. Has this ever worked? Removed the mac acl backend since it is not supported. Next step squidguard or danguardian
Diffstat (limited to 'packages')
-rw-r--r--packages/squid/squid.inc53
-rw-r--r--packages/squid/squid.xml2
2 files changed, 30 insertions, 25 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index a3c2b5d8..5a716747 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -369,7 +369,8 @@ function squid_resync_general() {
global $g, $config, $valid_acls;
$settings = $config['installedpackages']['squid']['config'][0];
- $conf = '';
+ $conf = "# This file is automatically generated by pfSense\n";
+ $conf = "# Do not edit manually!\n";
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
@@ -407,7 +408,7 @@ error_directory $errordir
visible_hostname $hostname
cache_mgr $email
-cache_access_log $logdir_access
+access_log $logdir_access
cache_log $logdir_cache
cache_store_log none
shutdown_lifetime 3 seconds
@@ -421,16 +422,9 @@ EOD;
$ip = long2ip(ip2long($ip) & ip2long($mask));
$src .= " $ip/$mask";
}
+ $conf .= "Allow local network(s) on interface(s)\n";
$conf .= "acl localnet src $src\n";
$valid_acls[] = 'localnet';
- $conf .= <<<EOD
-acl get method GET
-http_access allow get
-acl post method POST
-http_access allow post
-
-EOD;
-
}
return $conf;
@@ -493,9 +487,12 @@ function squid_resync_redirector() {
global $config;
$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
- if ($httpav_enabled)
- return ('redirect_program /usr/local/bin/squirm');
- return '# No redirector configured';
+ if ($httpav_enabled) {
+ $conf = "redirect_program /usr/local/bin/squirm\n";
+ } else {
+ $conf = "# No redirector configured\n";
+ }
+ return $conf;
}
function squid_resync_nac() {
@@ -505,6 +502,8 @@ function squid_resync_nac() {
$webgui_port = $config['system']['webgui']['port'];
$conf = <<<EOD
+
+# Setup some default acls
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535
@@ -523,11 +522,9 @@ EOD;
}
$options = array( 'unrestricted_hosts' => 'src',
- 'unrestricted_macs' => 'arp',
'banned_hosts' => 'src',
- 'banned_macs' => 'arp',
- 'whitelist' => 'url_regex -i',
- 'blacklist' => 'url_regex -i',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
);
foreach ($options as $option => $directive) {
$contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
@@ -539,7 +536,7 @@ EOD;
}
$conf .= <<<EOD
-no_cache deny dynamic
+cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
@@ -547,6 +544,7 @@ http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
+# Always allow localhost connections
http_access allow localhost
EOD;
@@ -587,7 +585,7 @@ delay_initial_bucket_level 100
EOD;
- foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) {
+ foreach (array('unrestricted_hosts') as $item) {
if (in_array($item, $valid_acls))
$conf .= "delay_access 1 deny $item\n";
}
@@ -613,7 +611,8 @@ EOD;
$contents .= "\.$ext\$\n";
file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
- $conf .= "acl throttle_exts url_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
+ $conf .= "# Throttle extensions matched in the url\n";
+ $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
$conf .= "delay_access 1 allow throttle_exts\n";
$conf .= "delay_access 1 deny all\n";
}
@@ -631,7 +630,6 @@ function squid_resync_auth() {
// Deny the banned guys before allowing the good guys
$banned = array( 'banned_hosts',
- 'banned_macs',
);
$banned = array_filter($banned, 'squid_is_valid_acl');
foreach ($banned as $acl)
@@ -639,15 +637,22 @@ function squid_resync_auth() {
// Unrestricted hosts take precendence over blacklist
if (squid_is_valid_acl('unrestricted_hosts'))
+ $conf .= "# These hosts do not have any ACL\n";
$conf .= "http_access allow unrestricted_hosts\n";
- if (squid_is_valid_acl('unrestricted_macs'))
- $conf .= "http_access allow unrestricted_macs\n";
+
// Whitelist and blacklist also take precendence
if (squid_is_valid_acl('whitelist'))
+ $conf .= "# Always allow access to whitelist domains\n";
$conf .= "http_access allow whitelist\n";
if (squid_is_valid_acl('blacklist'))
+ $conf .= "# Block access to blacklist domains\n";
$conf .= "http_access deny blacklist\n";
+ // Allow locanet if it is enabled and defined
+ if (squid_is_valid_acl('localnet'))
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "http_access allow localnet\n";
+
$transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
$auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
@@ -717,7 +722,7 @@ EOD;
$conf .= "http_access allow password $acl\n";
}
-
+ $conf .= "# Default block all to be sure\n";
$conf .= "http_access deny all\n";
return $conf;
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index 5d44ade0..b75abb8a 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<packagegui>
<name>squid</name>
- <version>2.6.5_1-p7</version>
+ <version>2.6.5_1-p8</version>
<include_file>/usr/local/pkg/squid.inc</include_file>
<!-- Installation -->